Guillaume Tamboise
Hello,
I am trying to set up 802.1X for wired access.
I have two kinds of clients, running Windows 2000 and Windows XP, but
all the following tests are carried out on Windows XP SP2.
IAS is running on a Windows 2000 server (SP4), that is also an AD domain
controller.
The router is a Cisco 2950 running 12.1(20)EA2.
I am planning on
- using PEAP,
- set SupplicantMode at 3 (Transmit EAPOL-Start per 802.1x standard),
- set AuthMode at 1 (computer authentication with re-authentication),
- Interface: "Show icon in task bar when connected"
- "Authenticate as computer when computer information is available",
- "Validate server certificate" against my Microsoft CA certificate,
- "Automatically use my Windows logon name and password (and domain if
any)".
During the boot-up process, I can see that the machine authenticates
successfully. I enter my domain username and password, the login process
starts, but when the user authentication is supposed to kick in,
authentication fails twice and works only the third time.
I do not see the failure in the IAS logs. I see it
- on the client computer ("Windows could not log you on the network" or
something similar in a bubble, in the bottom right corner of the screen)
- in the eap exchange, as I am getting an EAP frame code 4 (failure) for
each failure.
Basically, here is the full boot-up process:
- Client machine powers up
- Windows supplicant says "EAPOL Start"
- Switch requests identity
- Windows supplicant provides "host/computer_name"
- TLS session established, then 8 TLS frames are exchanged
- Switch sends EAP code 3 (success)
Then the user attempts to log in:
- Windows supplicant says "EAPOL Start"
- Switch requests identity
- Windows supplicant provides "domain\account"
- TLS session established, then 6 TLS frames are exchanged
- 30 seconds later, switch gets tired and requests identity
During those 30 seconds, Windows XP complains with a "click here to
process your logon information for the network". It then shows the icon
with an unavailable network connection.
- Windows supplicant provides "domain\account"
- TLS session established, then 8 TLS frames are exchanged
- Switch sends EAP code 3 (success).
If at any time I unplug my computer and plug it to an 802.1X port, it
manages to authenticate just fine.
The only problem is really the boot-up process, with these two symptoms
to get rid of:
- Total of 141 seconds between the "user" EAPOL Start and the EAP
Success. At least 30 seconds result from a timeout, either from the
supplicant or from IAS (see values later).
- Error messages coming from the supplicant that are going to confuse
users regarding the state of their network logon.
The router has a pretty standard configuration:
interface FastEthernet0/1
description whatever
switchport access vlan 123
switchport mode access
speed 100
duplex full
dot1x port-control auto
dot1x timeout reauth-period 7200
dot1x reauthentication
spanning-tree portfast
end
with a
$ show dot1x interface fastEthernet 0/1
Supplicant MAC 0000.1234.1234
AuthSM State = AUTHENTICATED
BendSM State = IDLE
PortStatus = AUTHORIZED
MaxReq = 2
HostMode = Single
Port Control = Auto
QuietPeriod = 60 Seconds
Re-authentication = Enabled
ReAuthPeriod = 7200 Seconds
ServerTimeout = 30 Seconds
SuppTimeout = 30 Seconds
TxPeriod = 30 Seconds
Guest-Vlan = 0
Has anyone already faced this issue, and is a fix available?
Thanks
Guillaume Tamboise
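Added example, not part of the original post: a small Python decoder for the EAPOL/EAP exchange described above, run over a constructed capture that mirrors the boot-up sequence. The switch MAC, the identities host/WS01 and CORP\alice, and all timestamps are invented (the supplicant MAC is the one from the show dot1x output); the 30 s gap before the repeated Request-Identity, the 60 s gap after the failure and the 141 s user-phase total are chosen to match the figures in the post. The decoder groups frames by EAPOL-Start, counts repeated Request-Identity frames (the authenticator restarting after SuppTimeout) and EAP Failure (code 4) frames, and reports the time from EAPOL-Start to EAP Success, which is the measurement behind the 141-second figure.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

ETH_P_PAE = 0x888E                       # EAPOL ethertype
EAPOL_EAP_PACKET, EAPOL_START = 0, 1     # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4   # EAP codes (RFC 3748)
EAP_TYPE_IDENTITY, EAP_TYPE_PEAP = 1, 25
# Constructed MACs (supplicant taken from the post's "show dot1x" output) and the PAE group address.
SUPPLICANT, SWITCH = bytes.fromhex("000012341234"), bytes.fromhex("0011aabbccdd")
PAE_GROUP = bytes.fromhex("0180c2000003")

@dataclass
class EapolFrame:
    eapol_type: int
    eap_code: Optional[int] = None
    eap_type: Optional[int] = None
    identity: Optional[str] = None

def parse_eapol(frame: bytes) -> EapolFrame:
    """Decode Ethernet + EAPOL + EAP headers, rejecting malformed lengths and non-EAPOL frames."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETH_P_PAE:
        raise ValueError("not a well-formed EAPOL frame")
    _ver, eapol_type, eapol_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + eapol_len]
    if len(body) != eapol_len:
        raise ValueError("EAPOL length exceeds frame")
    f = EapolFrame(eapol_type)
    if eapol_type != EAPOL_EAP_PACKET:
        return f                                   # EAPOL-Start/Logoff/Key: no EAP packet inside
    if len(body) < 4:
        raise ValueError("EAP packet truncated")
    f.eap_code, _id, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len > len(body):
        raise ValueError("EAP length exceeds EAPOL body")
    if f.eap_code in (EAP_REQUEST, EAP_RESPONSE) and eap_len >= 5:
        f.eap_type = body[4]
        if f.eap_code == EAP_RESPONSE and f.eap_type == EAP_TYPE_IDENTITY:
            f.identity = body[5:eap_len].decode("utf-8", errors="replace")
    return f

def eapol(src, dst, eapol_type, body=b""):
    """Raw EAPOL (version 1) frame; used here only to build the constructed sample capture."""
    return dst + src + struct.pack("!HBBH", ETH_P_PAE, 1, eapol_type, len(body)) + body

def eap(src, dst, code, ident, eap_type=None, data=b""):
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return eapol(src, dst, EAPOL_EAP_PACKET, struct.pack("!BBH", code, ident, 4 + len(payload)) + payload)

@dataclass
class Attempt:
    """One authentication attempt: from an EAPOL-Start to the next EAP Success."""
    started_at: float
    identities: List[str] = field(default_factory=list)
    identity_requests: int = 0                 # >1 means the authenticator restarted after a timeout
    failures: int = 0                          # EAP code 4 frames seen inside this attempt
    finished_at: Optional[float] = None

    @property
    def duration(self) -> Optional[float]:
        return None if self.finished_at is None else self.finished_at - self.started_at

def analyze(capture) -> List[Attempt]:
    """capture: iterable of (timestamp_seconds, raw_frame) pairs in wire order."""
    attempts, cur = [], None
    for ts, raw in capture:
        f = parse_eapol(raw)
        if f.eapol_type == EAPOL_START:
            cur = Attempt(started_at=ts)
            attempts.append(cur)
        elif cur is None or f.eapol_type != EAPOL_EAP_PACKET:
            continue
        elif f.eap_code == EAP_REQUEST and f.eap_type == EAP_TYPE_IDENTITY:
            cur.identity_requests += 1
        elif f.identity is not None:
            cur.identities.append(f.identity)
        elif f.eap_code == EAP_FAILURE:
            cur.failures += 1
        elif f.eap_code == EAP_SUCCESS:
            cur.finished_at, cur = ts, None
    return attempts

def sample_capture():
    """Constructed capture mirroring the post's boot-up sequence; timestamps are invented."""
    def down(code, ident, eap_type=None, data=b""):   # authenticator -> supplicant
        return eap(SWITCH, SUPPLICANT, code, ident, eap_type, data)
    def up(code, ident, eap_type=None, data=b""):     # supplicant -> authenticator
        return eap(SUPPLICANT, PAE_GROUP, code, ident, eap_type, data)
    start = eapol(SUPPLICANT, PAE_GROUP, EAPOL_START)
    return [
        (0.0, start),                                                 # machine authentication
        (0.1, down(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)),
        (0.2, up(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"host/WS01")),
        (0.3, down(EAP_REQUEST, 2, EAP_TYPE_PEAP, b"\x20")),           # PEAP start; TLS frames elided
        (1.0, down(EAP_SUCCESS, 3)),
        (60.0, start),                                                # user logon
        (60.1, down(EAP_REQUEST, 4, EAP_TYPE_IDENTITY)),
        (60.2, up(EAP_RESPONSE, 4, EAP_TYPE_IDENTITY, b"CORP\\alice")),
        (60.3, down(EAP_REQUEST, 5, EAP_TYPE_PEAP, b"\x20")),
        (90.3, down(EAP_REQUEST, 6, EAP_TYPE_IDENTITY)),              # SuppTimeout (30 s) expired
        (90.4, up(EAP_RESPONSE, 6, EAP_TYPE_IDENTITY, b"CORP\\alice")),
        (91.0, down(EAP_FAILURE, 7)),                                 # EAP code 4
        (151.0, down(EAP_REQUEST, 8, EAP_TYPE_IDENTITY)),             # after QuietPeriod (60 s)
        (151.1, up(EAP_RESPONSE, 8, EAP_TYPE_IDENTITY, b"CORP\\alice")),
        (201.0, down(EAP_SUCCESS, 9)),
    ]
```

On a real port, `analyze` takes (timestamp, raw Ethernet frame) pairs, so a capture of the access port filtered on ethertype 0x888E can be fed to the same function; an attempt whose identity_requests is above 1 marks where the authenticator gave up waiting on the supplicant, and a non-zero failures count locates the EAP Failure the user sees as the logon bubble.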