VSACIT
S - Windows XP SP 3 802.1x failure
We are testing Windows XP SP3 on our network. We have 802.1x enabled on our switchports for machine authentication, the switch being a Cisco 4500 Series switch. The switchport keeps going from authenticated, to connecting, to unauthorized, to connecting, to authenticated.
Any ideas? Perhaps my timeout is too low? Any assistance would be greatly appreciated.
ASKER
Yup, the service is started and set to automatic.
SP3 adds a new service called 'Wired Autoconfig' which needs to be started for 802.1X. It's off by default.
ASKER
Yup, I noticed that, and that service is started and set to automatic as well. I restarted it just for fun, but it still says it is in a failed state.
Make sure that you are using the manufacturer's NIC driver and not the "Microsoft compatible" driver.
What reports "failed state"? The service? If so, you may need to reinstall SP3. Also note that non-Intel systems are having known issues with SP3
ASKER
Yup, it is provided by Broadcom. I just installed their latest driver from 2007. It is not the Microsoft Compatible one. The NIC, in Windows XP, says "Authentication failed" when I look at the Local Area Connection status.
... check your cable. :) On your router, do you have the port blocked?
We had problems with Broadcom drivers and 802.1X on C3550s.
What is the authentication server (Radius?) reporting?
ASKER
Cable is plugged in. If I plug this laptop into a non-802.1x port, it attaches to the network and accesses the internet just fine. On the switch, the port is working fine.
We are using Cisco ACS for the authentication. The weird thing is that it is now showing up in the failed attempts list.
What is the validity behind this hyperlink? It talks about the settings for 802.1x no longer being in the registry but in an XML file. When I check the XML file, it does not have an auth mode entry:
http://support.microsoft.com/kb/929847/
Have you contacted TAC regarding ACS and SP3?
ASKER
Not yet, I was hoping for a quick fix if one existed.
If these services are started:
WIRED AUTOCONFIG
WIRELESS ZERO CONFIGURATION
Then right-click My Network Places > Properties > right-click your LAN connection > Properties > Authentication, and verify your 802.1X settings there.
ASKER
I have those settings, except I am set to "Smart card or other certificate".
ASKER
Do you think I have to re-enroll? This laptop was fine when it was at SP2.
I used to run into this 802.1x issue literally every day when I worked in Baghdad. But for some strange reason, I can't remember if I had the auto-enroll on or off. I'm pretty sure it's supposed to be OFF. Turn it off, release the IP. (Start > Run > cmd > OK > ipconfig /release > Enter - then renew it... ipconfig /renew > Enter). Let's see what happens.
Right-click My Network Places > Properties > Right-click your LAN connection > Properties > Authentication > Choose "Smart Card..." from the drop-down > Settings > UNCHECK Validate server certificate
ASKER
The IP release and renew gets me on the network for a minute, yes. Very weird, because once you authenticate to 802.1x, you are supposed to stay authenticated unless the NIC resets itself or someone shuts down the port and then turns it back on; I have even done a shut and no shut on the port, but that does not help.
The validate server cert box was not checked to begin with.
Turn off your port security long enough for your computer to authenticate and then turn it back on.
ASKER
After multiple reboots on a non-802.1x port (in which it connected to the domain without issue), I put it back on an 802.1x port and authentication fails again. Should I try to disjoin the domain and add the machine back on a non-802.1x port? Granted, this is only for a test machine, but I would hate to have to do that for all 400 of my production machines.
Alright, let's do this then. It's pretty obvious that your certificates are not adhering to your machine from your server. So let's do this with port security turned OFF.
Start > Run > MMC > File > Add Snap-In > Add > Certificates > Add > Computer (radio button) > Next > Finish (verify it's local). --- Certificates > Personal > Right-Click > All Tasks > Request new certificate > Advanced > Locate the appropriate server > OK
Start > Run > gpedit.msc > OK > Computer Configuration > Windows Settings > Security > Local Policies > Auto enrollment > DO NOT auto enroll > OK
Start > Run > gpupdate /force > OK and then reboot.
Note: To get to the "advanced" option above, go back up and review my post about UNCHECKING the validate server certificate box. You've already done that.
And one final thing.
Right-click My Network Places > Properties > Right-click the in-use NIC > Properties > Configure > Power Management > UNCHECK "Allow this computer to turn off this device to save power" > OK
ASKER
I decided to take it a step further. I deleted all the certs under "Personal --> Certificates", and still no good: "Authentication failed", although the cert showed back up after a reboot.
The power option was set, and I unset it.
Any other ideas ?
Dude - I got nothin... I'll do some research for you tonight when I get home then report back in the morning at the office. And this is the only machine you're having trouble with and coincidentally it has SP3, correct??
ASKER
I know, not to toot my own horn, but I know my way around Cisco ACS, 802.1x, Windows, etc., and this one is being a major pain. Usually bringing something up in EE gets me a solution, so don't feel bad. This is a tough one. We have two laptops upgraded to SP3, and neither of them work.
I know the feeling!! Let's uninstall SP3 and revert to SP2 + all other updates. Obviously Cisco isn't ready for SP3 yet.
ASKER
Even crazier, I just got notification that by using the wireless card, users can use 802.1x authentication to get on my private wireless network. So it seems that 802.1x works somewhat. Does that make any sense at all?
That actually helps! We can fine tune it now that we know it's not on the router/firewall side for sure. Let's go back and look at the configuration for your NIC. Our problem lies there.
ASKER
Do you have any suggestions on what specifically I should look at?
ASKER
Finally called Microsoft and Cisco. Cisco made me run a Wireshark sniff. Turns out that the switchport sends an EAP request to the laptop, but the laptop never sends anything back. They said it is a Microsoft issue. I called Microsoft; they are having me uninstall SP3, download SP3, reboot in safe mode, and install it that way, because no third-party apps or services would be running. Uninstall completed, downloading now, I will send an update when I get one.
OK cool thanks. With all the troubleshooting we did, it had to be an SP3 issue. Notes PROUDLY taken!!
ASKER
I uninstalled SP3, reinstalled SP3 in safe mode, and still the same issue. I will contact Microsoft again this morning.
ASKER
All done! It turns out that I needed to edit an XML file that controls the profile for the Local Area Connection. Basically:
netsh lan export profile folder=c:\
then add <authMode>machine</authMode> to the XML file that was generated from the previous command.
(I deviated from the Microsoft document in that I also had to remove the <cacheUserdata> field. Hopefully that does not come back to bite me, although I am assuming that that is related to caching user authentication data, which we do not do.)
Once my XML file was done, I did:
netsh lan add profile filename="Local Area Connection.xml"
Bingo, works beautifully.
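As an added example (my code, not the asker's or Microsoft's), here is a Python script that makes the same two edits to an exported LAN profile: it drops cacheUserData and inserts authMode=machine in schema order, so the supplicant answers the switch's EAP request with the computer certificate instead of waiting for a user logon. The namespace URIs, the OneX child ordering and the sample profile are my assumptions, not taken from the thread.

```python
# Added example (not from the thread): apply the KB 929847 edit to an exported
# XP SP3 LAN profile so the supplicant authenticates with the machine account.
import xml.etree.ElementTree as ET

# Namespace URIs and OneX child order as I recall them from the Windows
# OneX profile schema (assumption: compare with your own netsh export).
LAN_NS = "http://www.microsoft.com/networking/LAN/profile/v1"
ONEX_NS = "http://www.microsoft.com/networking/OneX/v1"
ONEX = "{%s}" % ONEX_NS
ONEX_ORDER = ["cacheUserData", "heldPeriod", "authPeriod", "startPeriod",
              "maxStart", "maxAuthFailures", "supplicantMode", "authMode",
              "singleSignOn", "EAPConfig"]
ET.register_namespace("", LAN_NS)  # keep the root's default namespace on output

# Constructed stand-in for `netsh lan export profile` output: it still has the
# cacheUserData element the asker removed and no authMode element yet.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<LANProfile xmlns="%s"><MSM><security>
  <OneXEnforced>false</OneXEnforced><OneXEnabled>true</OneXEnabled>
  <OneX xmlns="%s">
    <cacheUserData>true</cacheUserData>
    <supplicantMode>compliant</supplicantMode>
    <EAPConfig>EAP-TLS settings omitted</EAPConfig>
  </OneX>
</security></MSM></LANProfile>
""" % (LAN_NS, ONEX_NS)

def set_machine_auth(profile_xml, drop_cache_user_data=True):
    """Return the profile with <authMode>machine</authMode> in schema order."""
    root = ET.fromstring(profile_xml)
    onex = root.find(".//" + ONEX + "OneX")
    if onex is None:
        raise ValueError("no OneX element: 802.1X is not enabled in this profile")
    if drop_cache_user_data:  # nothing to cache when only machines authenticate
        for el in onex.findall(ONEX + "cacheUserData"):
            onex.remove(el)
    mode = onex.find(ONEX + "authMode")
    if mode is None:
        # OneX is a schema sequence: insert before the first child ordered after authMode
        later = ONEX_ORDER[ONEX_ORDER.index("authMode") + 1:]
        idx = next((i for i, c in enumerate(onex)
                    if c.tag.replace(ONEX, "") in later), len(onex))
        mode = ET.Element(ONEX + "authMode")
        onex.insert(idx, mode)
    mode.text = "machine"
    return ET.tostring(root, encoding="unicode")
def onex_children(profile_xml):
    """(local name, text) of each OneX child in document order, for checks."""
    onex = ET.fromstring(profile_xml).find(".//" + ONEX + "OneX")
    return [(c.tag.replace(ONEX, ""), c.text) for c in onex]
```

Write the returned string back over the exported .xml and import it with the netsh lan add profile command above; the OneX element comes out with an explicit namespace prefix, which is equivalent XML.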
Start > Run > Services.msc > OK > Wireless Zero Configuration > Start > Apply > OK