802.1x Authentication

Hi,

I'm trying to set up 802.1x authentication with an XP-SP1 client, a Cisco Catalyst 2950-14 and an MS IAS (RADIUS) 2k3.

I've succeeded in making MD5-Challenge work.

Now I want to test EAP-TLS. PKI was configured correctly, and certs are all installed correctly as stated in this doc:

formatting link
When I try to put the client port in state AUTO with "dot1x port-control auto", all that I can obtain is this debug information. No request is sent to the IAS.

5d21h: dot1x-authsm(Fa0/7): first connection attempt
5d21h: dot1x-reauthsm(Fa0/7): state INITIALIZE, event INPUT, arg 0x80C2983C
5d21h: dot1x-authsm(Fa0/7): state CONNECTING, event INPUT, arg 0x80C29AE0
5d21h: dot1x-authsm(Fa0/7): state CONNECTING, event ENTRY, arg 0x80C29AE0
5d21h: dot1x-authsm(Fa0/7): connection retry 1 of 2
5d21h: dot1x-reauthsm(Fa0/7): state INITIALIZE, event INPUT, arg 0x80C29AE0
5d21h: dot1x-authsm(Fa0/7): state CONNECTING, event INPUT, arg 0x80C2983C
5d21h: dot1x-authsm(Fa0/7): state CONNECTING, event ENTRY, arg 0x80C2983C
5d21h: dot1x-authsm(Fa0/7): connection retry 2 of 2
5d21h: dot1x-reauthsm(Fa0/7): state INITIALIZE, event INPUT, arg 0x80C2983C
5d21h: dot1x-authsm(Fa0/7): state CONNECTING, event INPUT, arg 0x80C29AE0
5d21h: dot1x-authsm(Fa0/7): state CONNECTING, event ENTRY, arg 0x80C29AE0
5d21h: dot1x-authsm(Fa0/7): exceeded maximum connection attempts
5d21h: dot1x-authsm(Fa0/7): state DISCONNECTED, event ENTRY, arg 0x80C29AE0
5d21h: dot1x-authsm(Fa0/7): state CONNECTING, event ENTRY, arg 0x80C29AE0
5d21h: dot1x-authsm(Fa0/7): first connection attempt
5d21h: dot1x-reauthsm(Fa0/7): state INITIALIZE, event INPUT, arg 0x80C29AE0
5d21h: dot1x-authsm(Fa0/7): state CONNECTING, event INPUT, arg 0x80C2983C
5d21h: dot1x-authsm(Fa0/7): state CONNECTING, event ENTRY, arg 0x80C2983C
5d21h: dot1x-authsm(Fa0/7): connection retry 1 of 2
5d21h: dot1x-reauthsm(Fa0/7): state INITIALIZE, event INPUT, arg 0x80C2983C

Can you give me some hints?

Reply to
dodger_web

The debug clearly shows that the client is not responding to the request at all, so after 3 attempts it gives up and, as normal operation, assumes the client is non-dot1x compliant. You need to re-initiate the process by disconnecting the UTP so that the link goes down and you can try again.

Since it's SP2, have you tried looking at the MS site for issues?

HTH Martin

Reply to
Martin Bilgrav
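As an added illustration of Martin's reading of the debug (not code from the thread): this Python snippet parses Cisco "debug dot1x" state-machine lines like those quoted above and flags ports where the authenticator exhausted its retries without the supplicant ever answering. The sample log is constructed from the quoted output, with a made-up Fa0/8 port for contrast, and the AUTHENTICATING/AUTHENTICATED names assume the standard 802.1X authenticator PAE states.

```python
import re
from collections import defaultdict
# Constructed sample: Fa0/7 lines abridged from the thread's "debug dot1x" output; Fa0/8 is made up.
SAMPLE_DEBUG = """\
5d21h: dot1x-authsm(Fa0/7): first connection attempt
5d21h: dot1x-reauthsm(Fa0/7): state INITIALIZE, event INPUT, arg 0x80C2983C
5d21h: dot1x-authsm(Fa0/7): state CONNECTING, event ENTRY, arg 0x80C29AE0
5d21h: dot1x-authsm(Fa0/7): connection retry 1 of 2
5d21h: dot1x-authsm(Fa0/7): connection retry 2 of 2
5d21h: dot1x-authsm(Fa0/7): exceeded maximum connection attempts
5d21h: dot1x-authsm(Fa0/7): state DISCONNECTED, event ENTRY, arg 0x80C29AE0
5d21h: dot1x-authsm(Fa0/8): state CONNECTING, event ENTRY, arg 0x80C29AE0
5d21h: dot1x-authsm(Fa0/8): state AUTHENTICATING, event ENTRY, arg 0x80C29AE0
"""

LINE_RE = re.compile(r"^\S+: dot1x-(?P<sm>\w+)\((?P<port>[^)]+)\): (?P<msg>.*)$")
STATE_RE = re.compile(r"state (?P<state>\w+), event \w+")
RETRY_RE = re.compile(r"connection retry (?P<n>\d+) of (?P<max>\d+)")

def parse_dot1x_debug(text):
    """Per-port summary of authenticator PAE (authsm) lines: states seen, retries, gave_up."""
    ports = defaultdict(lambda: {"states": [], "retries": 0, "gave_up": False})
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["sm"] != "authsm":      # skip reauthsm and other state machines
            continue
        port, msg = ports[m["port"]], m["msg"]
        s = STATE_RE.search(msg)
        if s:
            port["states"].append(s["state"])
        r = RETRY_RE.search(msg)
        if r:
            port["retries"] = max(port["retries"], int(r["n"]))
        if "exceeded maximum connection attempts" in msg:
            port["gave_up"] = True
    return dict(ports)

def diagnose(summary):
    """Flag ports whose PAE never left CONNECTING and exhausted its EAP-Request/Identity tries."""
    verdict = {}
    for name, p in summary.items():
        answered = any(s in ("AUTHENTICATING", "AUTHENTICATED") for s in p["states"])
        if answered:
            verdict[name] = "supplicant answered; EAP exchange started"
        elif p["gave_up"]:   # first attempt + retries, e.g. 1 + 2 = 3 as Martin says
            verdict[name] = "silent supplicant: no EAP-Response after %d attempts" % (p["retries"] + 1)
        else:
            verdict[name] = "still waiting for supplicant"
    return verdict
```

A port reported as a silent supplicant with no RADIUS traffic points at the client side (as in bane's explanation below of XP's certificate selection), not at the switch-to-IAS path.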

Hi,

Here is the deal with XP. If your computer has only a computer certificate and no user cert., it will try to authenticate using that certificate if NO USER is currently logged on to the XP. If a user is logged on, XP will NEVER try to authenticate using the computer certificate but the user cert. only, and if you don't have one installed at that moment, XP will not try at all (no request to IAS).

Solution:

  1. Issue certificates for all USERS using that particular XP box
  2. If you have autoenrollment of computer certificates, for example, and for some reason can't enroll user certificates, read the following Microsoft document:

formatting link
especially the last part, "Using Computer-only Authentication"; there are some registry settings you should change in order to make 802.1x with EAP-TLS work flawlessly. If you have a significant number of workstations then you can use a script, for example, and apply those registry settings to all of them.

I strongly suggest that you read the following document before deployment of 802.1x on Windows clients.

Cheers...

Reply to
bane

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.