CCSNV
asked on
Wired 802.1x Information Event Id:1
I am in the testing phase of deploying 802.1x for wired lan and have come to this event:
Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 2/22/2011
Time: 3:36:51 PM
User: N/A
Computer: IAS-SERVER
Description:
User user1111@DOMAIN.local was granted access.
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = 10.137.36.18
NAS-Identifier = <not present>
Client-Friendly-Name = SWITCH-01
Client-IP-Address = 10.137.36.18
Calling-Station-Identifier = <not present>
NAS-Port-Type = Ethernet
NAS-Port = 46
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = <none>
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = <undetermined>
EAP-Type = <undetermined>
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....
It says that the user was granted access but the user wasn't.
I have searched everywhere but have not found it. Has anyone seen this before and if so have any solutions?
Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 2/22/2011
Time: 3:36:51 PM
User: N/A
Computer: IAS-SERVER
Description:
User user1111@DOMAIN.local was granted access.
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = 10.137.36.18
NAS-Identifier = <not present>
Client-Friendly-Name = SWITCH-01
Client-IP-Address = 10.137.36.18
Calling-Station-Identifier
NAS-Port-Type = Ethernet
NAS-Port = 46
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = <none>
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = <undetermined>
EAP-Type = <undetermined>
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....
It says that the user was granted access but the user wasn't.
I have searched everywhere but have not found it. Has anyone seen this before and if so have any solutions?
What OS is the client computer running? Are you attempting to connect to an existing domain controller? If yes, what OS is the Domain controller running that you are trying to attach to?
ASKER
The IAS is running on the DC which is Windows Server 2K3 Ent, and the client machines are running WINXP SP3. I am using EAP-TLS. All the certificates are good both on client machine and server.
Are the client computers using DHCP assigned addresses or Static IP's? If they are using DHCP....for testing purposes I would assign a static IP, along with a static DNS server outside your network. For testing purposes you can use 4.2.2.2 as your DNS server.
Secondly....and only briefly for testing purposes have you tried to remove the EAP-TLS certificate security and see if you can authenticate? A few times in the past I have had certs that appear to be fine and once I removed them it worked fine.
I am not sure but I am just throwing you a few ideas I would use to try and pinpoint the culprit.
Secondly....and only briefly for testing purposes have you tried to remove the EAP-TLS certificate security and see if you can authenticate? A few times in the past I have had certs that appear to be fine and once I removed them it worked fine.
I am not sure but I am just throwing you a few ideas I would use to try and pinpoint the culprit.
ASKER
Hi Patmac,
So I tried to remove all certificates and try authenticating, this = not authenticated. And then I tried removing all the certs and then re-installing via auto enrollment and this = not authenticated.
I have checked all my settings and and switch settings but still not working. Any other ideas?
So I tried to remove all certificates and try authenticating, this = not authenticated. And then I tried removing all the certs and then re-installing via auto enrollment and this = not authenticated.
I have checked all my settings and and switch settings but still not working. Any other ideas?
ASKER
Oh yeah sorry forgot to add that I did try static Ip Address and DHCP with both internal and external DNS.
I have few questions. If I understand it right you try to authenticate user with certificate (EAP-TLS) which is stored locally???
ASKER
That is correct. Each user has their own certificate and so does each workstation.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Kend I have the auth setting set to: "machineoruser" I will reset to "machine" and see if that helps.
ASKER
So i have tried with both computer only and also computer and user authentication and still have the same issue.
Post switch port configuration.
ASKER
using cisco small business SLM2048. Not the best but it is what I have to work with. Attached is the radius config:
.20 = radius server and .18=switch address
slm2048.jpg
.20 = radius server and .18=switch address
slm2048.jpg
can you post debug from switch?
debug radius
debug dot1x
debug radius
debug dot1x
ASKER
Turns out there was an issue with the certificates. I revoked all certificates, re-issued, edited the network connection profiles to authenticate as Machine Only and Authentication Required, and deployed. Wooohooo it worked.
ASKER
Started looking at the certificate side after this comment was added.