802.1X Machine Authentication Failure on Windows XP SP2

Post by rarmknech » Fri, 13 May 2005 03:17:48


Here's our setup:
- Cat 6500 Switches
- Cisco ACS 3.3 on Windows 2003 Server
- Certificate Authority on Windows 2003 Enterprise Server
- Windows XP Professional w/ SP2 on client machines
- Certificate is installed and selected
- PEAP and MS-MD5-CHAP v2 are selected
- Authenticate as computer... checkbox checked
- Active Directory is also on a 2003 Server box

Here's the problem as we see it:

Machine authentication is failing during the boot process of the client
PC. This prevents it from grabbing updated GPOs as well as preventing
users of the domain with non-cached passwords from logging onto the
client machine. In addition, the machine will not receive an IP
address until a user logs on and it's successfully authenticated. User
Authentication works no problem.

The errors that we see:

Date 05/09/2005
Time 10:11:52
Message-Type Authen failed
User-Name host/mypc.company.com
Group-Name ..
Caller-ID 00-AA-BB-CC-DD-EE
Authen-Failure-Code External DB account restriction
Author-Failure-Code ..
Author-Data ..
NAS-Port 120
NAS-IP-Address 172.19.133.254

the following:

2005 May 09 10:11:39 CDT -05:00 %ETHC-5-PORTTOSTP:Port 1/20 joined
bridge port 1/20
2005 May 09 10:11:39 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
backend state for port 1/20 is ABORT
2005 May 09 10:11:39 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
backend state for port 1/20 is FINISHED
2005 May 09 10:11:39 CDT -05:00
%SECURITY-7-DOT1X_AUTHENTICATOR_STATE:DOT1X: authenticator state for
port 1/20 is CONNECTING
2005 May 09 10:11:44 CDT -05:00
%SECURITY-7-DOT1X_AUTHENTICATOR_STATE:DOT1X: authenticator state for
port 1/20 is AUTHENTICATING
2005 May 09 10:11:44 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
backend state for port 1/20 is RESPONSE
2005 May 09 10:11:45 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
backend state for port 1/20 is REQUEST
2005 May 09 10:11:45 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
backend state for port 1/20 is RESPONSE
2005 May 09 10:11:45 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
backend state for port 1/20 is REQUEST
2005 May 09 10:11:46 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
backend state for port 1/20 is RESPONSE
2005 May 09 10:11:46 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
backend state for port 1/20 is REQUEST
2005 May 09 10:11:46 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
backend state for port 1/20 is RESPONSE
2005 May 09 10:11:47 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
backend state for port 1/20 is REQUEST
2005 May 09 10:11:47 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
backend state for port 1/20 is RESPONSE
2005 May 09 10:11:48 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
backend state for port 1/20 is REQUEST
2005 May 09 10:11:48 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
backend state for port 1/20 is RESPONSE
2005 May 09 10:11:49 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
backend state for port 1/20 is REQUEST
2005 May 09 10:11:49 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
backend state for port 1/20 is RESPONSE
2005 May 09 10:11:49 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
backend state for port 1/20 is REQUEST
2005 May 09 10:11:50 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
backend state for port 1/20 is RESPONSE
2005 May 09 10:11:50 CDT -05:00 %SECURITY-7-DOT

802.1X Machine Authentication Failure on Windows XP SP2

Post by Mark Gamac » Sat, 11 Jun 2005 06:23:03

If I'm understanding your question... You need to add the computer accounts
in AD to whatever group you are using that allows the users access. You can
just add domain computers to the group.

Cheers,

--
Mark Gamache
Certified Security Solutions
http://www.css-security.com



"rarmknecht" < XXXX@XXXXX.COM > wrote in message
news: XXXX@XXXXX.COM ...


802.1X Machine Authentication Failure on Windows XP SP2

Post by Thomas » Sat, 11 Jun 2005 14:33:38

Did you enable "allow machine authentication" in ACS?
What kind of DB connector are you using in ACS "LDAP" or "Windows domain"?
On XP, are you using EAP-MD5 or P-EAP-MSCHAPV2?

"rarmknecht" < XXXX@XXXXX.COM > wrote in message
news: XXXX@XXXXX.COM ...
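An added triage helper (example code, not from anyone in this thread): it parses the ACS Failed Attempts record quoted in the first post, recognises the host/ identity as a machine authentication, and lists what the two replies say to verify for an "External DB account restriction" failure. The function names and the checklist wording are my own assumptions, not ACS fields.

```python
# Constructed sample input: the ACS Failed Attempts record quoted in the
# original post (one "Field value" pair per line, ".." meaning empty).
SAMPLE_RECORD = """\
Date 05/09/2005
Time 10:11:52
Message-Type Authen failed
User-Name host/mypc.company.com
Group-Name ..
Caller-ID 00-AA-BB-CC-DD-EE
Authen-Failure-Code External DB account restriction
Author-Failure-Code ..
Author-Data ..
NAS-Port 120
NAS-IP-Address 172.19.133.254
"""

# Assumed checklist, derived from the replies in this thread (not ACS's own).
MACHINE_AUTH_CHECKS = {
    "External DB account restriction": [
        "computer account is in the AD group that ACS maps to the allowed group",
        "'Allow machine authentication' is enabled for the Windows DB in ACS",
    ],
}


def parse_record(text):
    """Split each 'Field value' line at the first space; '..' marks an empty field."""
    rec = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        rec[key] = "" if value == ".." else value
    return rec


def triage(rec):
    """Classify one failed attempt; list what to verify for a machine-auth failure."""
    user = rec.get("User-Name", "")
    machine = user.lower().startswith("host/")  # machine auth identity is host/<fqdn>
    failure = rec.get("Authen-Failure-Code", "")
    return {
        "kind": "machine" if machine else "user",
        "host": user[5:].split(".")[0] if machine else user,
        "mac": rec.get("Caller-ID", ""),
        "failure": failure,
        "group_mapped": bool(rec.get("Group-Name")),  # empty here: ACS mapped no group
        "checks": list(MACHINE_AUTH_CHECKS.get(failure, [])) if machine else [],
    }
```

Run `triage(parse_record(SAMPLE_RECORD))` against the record above; a user-name without the host/ prefix is classified as a user failure and gets no machine checks.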