ISE : error on wired 802.1x deployment

Similar Messages

• ISE Wired 802.1x with Foundry access switch ,not show "Device Port"

  Our customer wanna enable wired 802.1x for user and machine authentication on Foundry Switch.
  They want to use ISE as radius server.We try it ,but the ISE report can't show which port the client is connectd on the switch.
  We get the tcp dump packets from ISE.It shows that the "nas-port-id" radius attribute is not sent out by  foundry switch,but it sends "nas-port".
  Is it possible to let foundry switch send "nas-port-id" attribute in the radius request packet ?
  Or is it possible to let ISE show "nas-port" attribute value on the authentication report ?
  Thanks.

  Our customer wanna enable wired 802.1x for user and machine authentication on Foundry Switch.
  They want to use ISE as radius server.We try it ,but the ISE report can't show which port the client is connectd on the switch.
  We get the tcp dump packets from ISE.It shows that the "nas-port-id" radius attribute is not sent out by  foundry switch,but it sends "nas-port".
  Is it possible to let foundry switch send "nas-port-id" attribute in the radius request packet ?
  Or is it possible to let ISE show "nas-port" attribute value on the authentication report ?
  Thanks.

• 802.1x deployment with MAC filtering

  Hi All
  I read "Enhance your 802.1x deployment security with MAC filtering" on NAP blogs with link as below.
  http://blogs.technet.com/nap/archive/2006/09/08/454705.aspx
  I am wondering this tip might not be correct somehow and would like to know how to imployment it correctly.
  First of all, there is only a "Verify Caller ID" field in "dial-in" tab of user properties, not "Calling Station ID". I tried to add MAC address in this field and the authenticaiton works.
  As the description of the tip, we can add multiple MAC addresses in that field but it doesn't work. I tried to use
  "AA-BB-CC-DD-EE-FF | BB-AA-FF-EE-DD-CC" format as multiple MAC address and IAS always responce error with wrong calling staiton ID. Does anyone know how to correctly add multiple MAC addresses in "Verify Caller ID"?
  Thanks

  Hi Sam
  Thank you for your reply.
  I would like to explain why I want to use multiple MAC addresses authenticaiton for an account on a singel AD.
  Genereally, 802.1X can be imploymeted for wired and wireless authenticaiton on many network devices in a company or entriprise. An employee in a company or entriprise is supposed to have only one account but might have multiple devices such as a PC, laptop, or PDA. For the convenience of authenticaiton imployment, I think I should only create an account for that person and make a MAC filtering for any devices he is autrorized to use.
  I had tried the first example you mention but it didn't work. The switch and wireless gateway I used for test only sent one MAC address (calling station  ID) to AD and AD only recognized the first MAC address of all MAC addresses I key in. Of course, your example can be succesful if the device sends multiple MAC addresses simultaneously because AD thinks the those "MAC addresses" is just one string or one calling staiton ID. But that's is not what I want.
  Anyway, I will try the second way you suggest.
  Thanks a lot.

• ACS 5.1 Failure: 5411 EAP session timed out -- Wired 802.1X, machine-authentication

  Hi guys,
  I have a strange error here and I`m really disappointed.
  We currently try to do "Wired-802.1X" with our Windows XP SP3 Clients with EAP-TLS and "machine-only" authentication.
  We use ACS5.1 to authenticate the clients. At about 50% of the clients authentication works fine.
  At the other clients we can see a strange error at the ACS.
  At the Reports page --> "Authentications - RADIUS - Today" we see that a client is trying to authenticate, but this fails with the Failure Code: 5411 EAP session timed out.
  Logged At RADIUS
  Status NAS
  Failure Details Username MAC/IP
  Address Access Service Authentication
  Method Network Device NAS IP Address NAS Port ID CTS
  Security Group ACS Instance Failure  Reason
  Sep 2,10 3:37:46.916 PM
  Wired_802.1X_EAP-TLS
  EAP-TLS
  svacs01
  5411 EAP session timed out
  Steps
  11001  Received RADIUS Access-Request
  11017  RADIUS created a new session
  Evaluating Service Selection Policy
  15004  Matched rule
  15012  Selected Access Service - Wired_802.1X_EAP-TLS
  11507  Extracted EAP-Response/Identity
  12500  Prepared EAP-Request proposing EAP-TLS with challenge
  11006  Returned RADIUS Access-Challenge
  5411  EAP session timed out
  At the switch I used "Authentication Open" to get the client working and capture traffic with wireshark.
  Switch --> Request Identity --> Client
  Switch <-- Response Identity <-- Client
  Switch --> Request EAP-TLS --> Client
  Switch --> Request EAP-TLS --> Client
  Switch --> Request EAP-TLS --> Client
  Switch --> Request Identity --> Client
  Switch --> Request Identity --> Client
  Switch --> Request Identity --> Client
  What is missing ist the Switch <-- Response EAP-TLS <-- Client
  Any ideas what is going wrong ? Maybe someone had this error before ?
  Any suggestions how to debug this ?
  Thank you very much for your help!
  Mathias

  Hi @all,
  I have this issue too. It occurs in our wireless environment. The problem for me is that I don't know which client (or clients) causes the error. The error occur many times per day.
  Logged At RADIUS
  Status NAS
  Failure Details Username MAC/IP
  Address Access Service Authentication
  Method Network Device NAS IP Address NAS Port ID CTS
  Security Group ACS Instance Failure  Reason
  Sep 7,10 11:50:36.143 PM
  dot1x wireless
  PEAP
  bfnetacs01
  5411 EAP session timed out
  Kind regards,
  Michael

• FlexConnect Access Point - Wired 802.1X or MAB Authentication

  Hi all,
  We are piloting wired 802.1X but have hit a snag - FlexConnect AP switchport configuration requires the port be configured as trunk, with the native VLAN for management and access VLAN(s) for client data.
  I know 802.1X cannot be configured on trunk port, but how can we configure MAB on trunk ports such as these?
  Otherwise, is there another way we can authenticate these FlexConnect APs on a switch using ISE?
  Thanks in advance.
  Regards,
  Stephen.

  Hi Stephen. You are correct, 802.1x should not be configured on a trunk port. Moreover, you would run into an issue with clients if you are running local switching mode. Here is the flow:
  1. AP, authenticates via MAB and profiling
  2. Client authenticates via PEAP/EAP-TLS, etc
  3. Now the client's traffic is locally switched, thus, the client mac address is showing on the same port where the AP is connected. The NAD (Switch) sees this new mac address and it is expecting it to perform 802.1x or MAB based authentication. The supplicant, however, does not know that and as far it is concerned it was already authenticated.
  So I have ran into this issue in my deployments and you have the following options (listed in preference order):
  1. Eliminate FlexConnect :)
  2. Utilize AutoSmartPorts where:
  - If an AP is connected, then 802.1x configuration is removed, port-security is enabled and locked to a single MAC address and trunk configuration is enabled
  - If the AP is removed, then port is configured as standard access port, port-security is removed and 802.1x is configured
  More info on auto smart ports:
  http://www.cisco.com/c/en/us/td/docs/switches/lan/auto_smartports/15-0_1_se/configuration/guide/asp_cg.html
  3. You can configure the port in a "multi-host" mode where after the first device is authenticated all subsequent devices are allowed on the network.
  Hope this helps!
  Thank you for rating helpful posts!

• Wired 802.1x hardware compatible checklist

  Hi forumers'
  Would like to check what kind of access switch is support wired 802.1x, do cisco have a hardware compatible checklist for it?
  Backend Radius server would be Cisco ISE. Business requirement is able to support flexauth.
  Current infrastructure access list with
  a. Linksys switch
  b. ESW 540
  c. Cisco 2950 switch
  Thanks
  Noel

  I have a supplemental question regarding the 2003 update (KB968730).  I have a Kace KBOX that we do patching/inventory of our servers with, and it tells me that all of our 2003 servers are patched with KB968730.  However, when looking at one of
  the 2003 servers, I didn't see KB968730 in the updates list, nor in the registry.  After some research, it appears that the crypt32.dll file on the server now is already a newer version than the one in the KB968730 (it contains the version of crypt32.dll
  from MS14-049 in August 2014).  I went ahead and installed KB968730 anyways on the server, and it now shows up in the updates list.  However, the crypt32.dll file was unaffected on the machine since it was already newer.
  Upon reading the install log for KB968730, it seems that all the update did was add registry keys to say that the KB968730 was installed, but did not replace the crypt32.dll file, and no reboot was needed.
  I believe this will be the case for all of my 2003 R2 servers.  With the actual payload of the KB968730 being the crypt32.dll (and wcrypt.dll for x64), and those files already being newer than on my servers than what is in the KB968730, would it just
  be considered to be SHA2 supported...or would the presence of the reg keys that state the hotfix is installed be needed (sounds pointless to me)?
  EDIT: Not to mention that the KB968730 update never specifically mentions 2003 R2, just 2003.  The install log shows failures during file version checks and other lines, so it really looks like it simply added the registry info for the hotfix and
  that's all.

• Error while deploying an application on weblogic 12c. An error occurred while reading the deployment descriptor. The error was: Error processing annotations

  Anyone please help me solve this error. I am trying to deploy an application on weblogic 12c  i am getting an error but the same application gets successfully deployed on weblogic 11g. The error is
  An error occurred during activation of changes, please see the log for details.
  Exception preparing module: EJBModule(gsCallbackAdapterLGTX-ejb.jar) An error occurred while reading the deployment descriptor. The error was: Error processing annotations: .
  [EJB:015001]Unable to link class com.aep.gridsmart.adapters.lgtx.buslogic.deliver.xform.AdapterTransfomerDeliverSession in Jar /appl/oracle/middleware/WLS/12.1.1.0/user_projects/domains/Gridsmart/servers/ManagedServer1/tmp/_WL_user/gsCallbackAdapterLGTX/34vz4d/gsCallbackAdapterLGTX-ejb.jar : java.lang.NoClassDefFoundError: com/aep/gridsmart/adapter/deliver/CommonAdapterDeliverBean

  Cotton please let me know what is the mistake i am
  doingThe following path does not exist.
  C:\Sun\AppServer7\domains\domain1\server1\
  applications\j2ee-modules\task_1\WEB-INF\web.xml

• When deploy: Wizard error a connection to the deployment share could not be made "check physical connection"

  Hello everybody,
  yet another issue with deploying a masterdisk. I will give you a short explanation of the situation.
  I need to deploy Windows 8.1 PRO x86. 
  Using: Microsoft Deployment Workbench Microsoft Version: 6.2.5019.0
  1. Reference PC: Windows 8.1 PRO x86 is installed on ORACLE Virtual Box.
  2.  I installed  MDT on my workstation Windows 7 x64, where "C:\DeploymentShare\Windows8" is located.
  3. To change the Unattended.xml file, I have second ORACLE Virtual Box with
  Windows 8.1 PRO x86 with MDT, which connected to the DeploymentShare of Windows 7 x64.
   - The reason is because the Reference PC is x86 and the Unattended.xml file can be changed only if MDT is installed on x86 Windows, otherwise it is not possible.
  The image capture is successful.
  Then I create bootable USB device using rufus-1.4.12.exe. I use: C:\DeploymentShare\Windows8\Boot\LiteTouchPE_x86.iso
  I use a real PC (not virtual machine) and when the deployment starts
  I see: 
  1 Welcome screen, where I select: Run the deployment wizard to  install a new operating system.
  2. The next screen is an error screen where I see the error: 
  "Wizard error
  A connection to the deployment share (\\ComputerName\C\DeployemntShare )could not be made
  DHCP Lease was not obtained for any Networking devices!
  Possible cause: Check physical connection
  I am relatively new with MDT.
  Any suggestions are more than welcome.

  Nick,
  Thank you for the answer!
  Yesterday, I figured out that I need to create an offline bootable disk. 
  The issue is caused, because creating a bootable disk with rufus.exe include only the ISO file and not the WIM file. That is the reason why during OS installation process it asks me for the shared folder...

• In your experience what are the most common errors in binding files when deploying?

  As the title suggest I'm interested in discussing the most common errors in binding files when deploying.
  Reason for this is that I'm currently working on a Powershell script that can parse a binding file and create a reader friendly report (rtf format) with various information.
  But the main purpose for this script is to find common errors in the binding file used. And so far these are the ones I've thought of:
  - Tracking enabled for either services or the pipelines they are using (if it's a binding meant for Prod).
  - Orchestrations logical ports not having any ports bound to them.
  - URI containing certain words that's not ok. For example if a binding meant for Prod contains the word "test" anywhere in the URI then that should be reported in the created rtf report. This also applies vice versa.
  So now I need your help with coming up with more ideas on common errors that need to be looked after and reported on if found! 
  Additional features the report should contain:
  - Listing the details of each orchestration, send port, receive port along with their associated receive location(s). To better understand and get a quick overview on exactly what settings are planned to be deployed. Especially the "TransportTypeData"
  section which otherwise can be quite tedious to read.
  - List each unique host instance, so that I can easier see directly which ones might need a restart after an import.
  I'd appreciate if you can come up with any more features that should be included in this script.
  /Christian @ IntegrationAdmin.com

  Filter on send port not on the same line as the Filter tag.
  This one is a nice one, I ran into it several times. Mostly after copy/paste of a port definition for a binding file, because Visual Studio is formatting after paste the XML in a way the filter will get invalid. This leads to a cryptic error
  during importing the binding.
  http://winterdom.com/2008/06/biztalkfiltersnotgettingimported
  Jean-Paul Smit | Didago IT Consultancy
  Blog |
  Twitter | LinkedIn
  MCTS BizTalk 2006/2010 + Certified SOA Architect
  Please indicate "Mark as Answer" if this post has answered the question.

• Error in Embeded OC4J while deploying SessionBean

  I am using Jdeveloper version 9.0.5.1, since the project have brought to production at 2004, I have been using the same version.
  The workspace a number of project each contains a number of entity and session beans(EJB 2.0), lately I added a new project which contains a new session bean that references another session bean and an entity bean, when I attempt to run the application in the Jdeveloper the embedded OC4J returns the following errors messages:
  07/07/11 21:15:17 Copying default deployment descriptor from archive at D:\<Pathes>/META-INF/orion-ejb-jar.xml to deployment directory D:\TraineeCD\JDeveloper\jdev\system9.0.5.1.1605\oc4j-config\application-deployments\current-workspace-app\classes...
  07/07/11 21:15:18 Auto-deploying - file:/D:/TraineeCD/JDeveloper/jdev/mywork07/07/11 21:15:17 Copying default deployment descriptor from archive at D:\JDeveloper\jdev\mywork\<Pathes>classes/META-INF/orion-ejb-jar.xml to deployment directory D:\TraineeCD\JDeveloper\jdev\system9.0.5.1.1605\oc4j-config\application-deployments\current-workspace-app\classes...
  07/07/11 21:15:18 Auto-deploying - file:/D://JDeveloper/jdev/mywork/<Path>/classes/ (No previous deployment found)...
  07/07/11 21:15:19 Auto-deploying - file:/D://JDeveloper/jdev/mywork/<Path>/classes/ (No previous deployment found)...
  07/07/11 21:15:19 Auto-deploying - file:/D:/TraineeCD/JDeveloper/jdev/mywork/<Pathes>
  07/07/11 21:03:27 Auto-deploying - compiling and loading...
  07/07/11 21:03:53 SQL error: Io exception: The Network Adapter could not establish the connection
  07/07/11 21:04:21 Error creating table: Io exception: The Network Adapter could not establish the connection
  07/07/11 21:04:35 SQL error: Io exception: The Network Adapter could not establish the connection
  07/07/11 21:04:49 done.
  Ready message received from Oc4jNotifier.
  Embedded OC4J startup time: 101828 ms.
  07/07/11 21:04:53 Oracle Application Server Containers for J2EE 10g (9.0.4.0.0) initialized
  I dont know what is the meaning of this error, nor what is the cause as it never appeared before. Surprisingly the behaviour of the application seems to be behaving normally even though despite this error and when the Oc4J returns done does this mean it started successfully, this error is preventing me from deploying my application to production environment as I guess there's something abnormal going around.
  Note:When I get a fresh copy of the application without the new project which contain the session bean the OC4J starts with no errors.
  Any ideas what maybe the problem ?

  Is your new project trying to access the database?
  SQL error: Io exception: The Network Adapter could not establish the connection
  Seems to indicate that you have a problem accessing the database probably due to wrong settings of the database connection information.
  Also check your data-sources.xml file for any new entries.

• Error at the time of Deployment of Composit ---  ant-sca-compile.xml

  Hi,
  While deploying the composite, it’s throwing given error
  [03:03:42 PM] ---- Deployment started. ----
  [03:03:42 PM] Target platform is (Weblogic 10.3).
  [03:03:42 PM] Running dependency analysis...
  [03:03:42 PM] Building...
  [03:03:49 PM] Deploying profile...
  [03:03:50 PM] Wrote Archive Module to H:\AIASOAProject\AIAFrameworkProject\ReceiptListEBS\deploy\sca_ReceiptListEBS_rev1.0.jar
  [03:03:50 PM] Deploying sca_ReceiptListEBS_rev1.0.jar to soa_server1 [edpsvddb002.baea.com.au:8001]
  [03:03:50 PM] Processing sar=/H:/AIASOAProject/AIAFrameworkProject/ReceiptListEBS/deploy/sca_ReceiptListEBS_rev1.0.jar
  [03:03:50 PM] Adding sar file - H:\AIASOAProject\AIAFrameworkProject\ReceiptListEBS\deploy\sca_ReceiptListEBS_rev1.0.jar
  [03:03:50 PM] Preparing to send HTTP request for deployment
  [03:03:50 PM] Creating HTTP connection to host:edpsvddb002.baea.com.au, port:8001
  [03:03:50 PM] Sending internal deployment descriptor
  [03:03:50 PM] Sending archive - sca_ReceiptListEBS_rev1.0.jar
  [03:03:52 PM] Received HTTP response from the server, response code=401
  [03:03:52 PM] Problem in sending HTTP request to the server. Check standard HTTP response code for 401
  [03:03:52 PM] Error deploying archive sca_ReceiptListEBS_rev1.0.jar to soa_server1 [edpsvddb002.baea.com.au:8001]
  [03:03:52 PM] HTTP error code returned [401]
  [03:03:52 PM] No error message is returned from the server.
  [03:03:52 PM] Error deploying archive sca_ReceiptListEBS_rev1.0.jar to soa_server1 [edpsvddb002.baea.com.au:8001]
  [03:03:52 PM] #### Deployment incomplete. ####
  [03:03:52 PM] Error deploying archive file:/H:/AIASOAProject/AIAFrameworkProject/ReceiptListEBS/deploy/sca_ReceiptListEBS_rev1.0.jar
  (oracle.tip.tools.ide.fabric.deploy.common.SOARemoteDeployer)
  Buildfile: C:\jdeveloper1112\jdeveloper\bin\ant-sca-compile.xml
  scac:
  *[scac] Validating composite : 'H:\AIASOAProject\AIAFrameworkProject\ReceiptListEBS\composite.xml'*
  *[scac] Error occurred during initialization of VM*
  *[scac] Could not reserve enough space for object heap*
  BUILD FAILED
  C:\jdeveloper1112\jdeveloper\bin\ant-sca-compile.xml:264: Java returned: 1 Check log file : H:\AIASOAProject\AIAFrameworkProject\ReceiptListEBS\SCA-INF\classes\scac.log for errorsTotal time: 1 second
  Is this issue occuring due to server ant-sca-compile.xml or C:\jdeveloper1112\jdeveloper\bin\ant-sca-compile.xml in my desktop.
  Kindly Confirm.
  Regards
  Manish

  Same composite we were able to deploy successfully without any error, from Monday onward we are experiencing this issue.
  We checked in Installation Guide provided by oracle. Oracle has suggested few memory related changes in ant-sca-compile.xml file.
  Increasing Memory to avoid Compilation Errors
  To avoid out-of-memory errors during compilation of a SOA composite application, you need to
  increase the following memory settings.
  To increase memory settings:
  1. Open the ant-sca-compile.xml file in the SOA_HOME/bin directory.
  2. Under the scac element, increase the following memory settings.
  <jvmarg value="-Xms2048m"/>
  <jvmarg value="-Xmx2048m"/>
  <jvmarg value="-XX:PermSize=32m"/>
  <jvmarg value="-XX:MaxPermSize=256m"/>
  3. For Windows change the following memory settings to.
  <jvmarg value="-Xms1536m"/>
  <jvmarg value="-Xmx1536m"/>
  <jvmarg value="-XX:PermSize=32m"/>
  <jvmarg value="-XX:MaxPermSize=256m"/>
  We did those changes but still experiencing same error. I checked H:\AIASOAProject\AIAReceiptInterface\ReceiptListEbizProvider\SCA-INF\classes\scac.log ; file its showing Could not create the Java virtual machine.
  Regards
  Manish

• Wired 802.1x with PEAP

  I have manage to get wired 802.1x working using Windows Active Directory as the database. With machine authentication, single-signon can be achieved.
  Setup:
  C3750 switch - Cisco ACS 3.2 - Windows AD
  Sequence of events:
  1. 802.1x machine authentication
  2. User logs in to domain
  3. 802.1x with user credentials
  But, I have the following issues:
  i. If user logs in using local account, it takes 3 minutes (default dot1x switch timers) for the port to turn unauthorized. Is it possible to place the port in unauthorized state immediately?
  ii. If the user 802.1x login has dynamic VLAN assignment, the AD scripts do not run. It seems that the AD scripts can't run if there is a change of IP address upon login (difference in VLAN for 'machine authentication' and 'user login').
  Any solution for this?
  Tks

  2 issues here:
  *Cached credentials for Microsoft supplicannts. Microsoft's authentication strategy in general reflects, and WLAN roaming would be difficult without the use of cached credentials. If cached credentials are not desired, would recommend another supplicant.
  * Falied Authentication for a local account. It should try to dot1x authenticate this user. For PEAP as an example, you would see the username as \. Now, a port will only be placed into a HELD state if a RADIUS-Reject is sent to the switch. A RADIUS-Reject will only be sent to the switch if the attempt is actually "failed" as opposed to silently discarded, packet lost in transit, etc. Taking 3 minutes to actually fail an attempt is indeed way too long, but the switch is probably doing what RADIUS is telling it to do. (this can be verified by a sniffer trace or debugs). Correspinding logs on RADIUS would help as well.

• Eap-tls wired 802.1x - certificate issue?

  I have configured ACS 4.0 and an 2003 Enterprise root CA on the same server, successfully applied the GPO to auto-enroll machines with Computer certificates, and then enabled 802.1x security on Catalyst 3750s. Note this is for wired 802.1x.
  If I reboot the machine, the EAP packets go through and you can see a successful authentication in the "Passed Authentications" log. However, if you disconnect the wire and then plug it back in, Windows gets stuck in "Validatiny Identity", and eventually a balloon pops up saying: "Windows was unable to find a certificate to log you on". Doing a 'sh dot1x interface ...' shows it is CONNECTING until the auth timeout is reached then it dumps the workstation into the guest vlan. Nothing is logged to Passed Authentications or Failed Attempts on the ACS server.
  Basically, the only time the EAP-TLS machine authentication works is when you reboot the machine. And if you change the state of the port either by diabling/enabling from the workstation or switch, or unplug the cable and plug it back in, Windows does not seem to pass the certificate information along to the PAE.
  This does not seem to happen when a user/client certificate is issued, only when it is a machine/computer certificate
  Has anybody seen this before and have any solutions why Windows cannot recogonize the machine certificate properly?

  We solved our WIRELESS problem by editing the following entrees. I sure this can be applied to the wired side somehow.
  The information about the correct settings can be found in this Microsoft document:
  http://technet2.microsoft.com/WindowsServer/en/library/8e74974f-c951-48ce-8235-02f4ed8e74921033.mspx?mfr=true
  The areas of interest are the SupplicantMode (EAPOL-Start Message) and AuthMode (what type of authentication to use) registry entries. These can be configured manually in the registry or applied via Group Policy.
  This allows just the machine to authenticate (using a Cert all ready on the Machine) then we use our ACS server to auth the user via AD.
  I am doing this wirelessly and using as long as you are using a WDS the following will be the result.
  Roaming AP to AP I only lost 1 packet.
  Roaming from Vlan to other Vlan I lost 5 packets (Different ip address)
  Shutting the wireless off and back on I only lost 8 packets.
  I thought this was a very good result. We will be launching our lab with 35 plus laptops in a classroom with 2 radios.

• Wired 802.1x re-authentication passes but no connectivity after 1 hour

  I am testing wired 802.1x with the desired behavior of machine auth with user auth. I have a 6509 CAT OS 8.3(5) using the dot1x global defaults, 2 laptops one is XP SP1 and XP SP2 both with AuthMode=1 and SupplicantMode=3 with windows update as of 02mar2005. Active Directory. ACS SE 3.2 using vlan assignment. Have tested PC and user in different vlans and it works fine.
  1st observation:
  The initial EAP authentication is good. Every hour there is an EAP request with a final result of success in the packet trace. The switch shows connected dot1x-123. The ACS log shows the passed re-authentication. Everything looks good but both laptops lose connectivity 1 hour after the first authorization. If I issue "set port dot1x initialize" or enable/disable the port the process starts over.
  2nd observation:
  I can connect with Remote Desktop. There are 2 EAP start frames then the port becomes unauthorized about a minute later.
  Any ideas?

  No. I am still waiting on Cisco to address the 1st observation. Does it occur on your 6506 8.4(2). I see it also in my 6509 with 8.4(2). I find it interesting that it works in my end of life 2948g switch 8.2(1)GLX.
  The MS supplicant defaults for WIRED are authmode=1 and supplicantmode=2. Remote Desktop works in their default WIRED mode.
  At this point I am content controlling machine access until dot1x matures. Cisco ACS has a machine access restriction feature that authorizes the port after a successful User Auth. I have found if enabled, a successful Machine Auth will be unauthorized when logged in with a local account. If disable the local account is authorized b/c MA has only occurred.

• Wired 802.1x EAP-TLS Server Certificate Problem

  I have setup wired 802.1x authentication using EAP-TLS with ACS 3.3 and backend link to Active Directory. Root CA certificates are installed on the ACS and Client PC. Machine certificates and user certificates are also installed on Client PC. A Server certificate is installed on the ACS. All has been configured as detailed on the Cisco Web Site (numerous documents).
  If I set the client to authenticate the Servers certificate I get a failure. The clients log (Cisco Secure Services Client) states:
  11:48:53.088 Validating the server.
  11:48:53.088 Server list is empty, trusted server can not be validated.
  11:48:53.088 Server list is empty, trusted server can not be validated.
  11:48:53.088 The server certificate is invalid, the common name ACS-One.rotherham.gov.uk does not match.
  11:48:54.776 Port state transition to AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_ERR_SERVER_TLS_CERTIFICATE_REJECTED)
  11:48:54.776 The authentication process has failed.
  If I look at the Auth log on ACS (set to full logging) it states:
  AUTH 08/27/2008 14:09:04 I 0701 1492 AuthenProcessResponse: process response for 'paul.kyte@domain' against Windows NT/2000
  AUTH 08/27/2008 14:09:04 E 0350 1492 EAP: TLS: ProcessResponse: SSL handshake failed, status = 3 (SSL alert fatal:bad certificate)
  If I configure the client to not check the servers certificate it all works ok.
  Can anyone tell me why my server certificate is getting rejected?
  Thanks,
  Paul

  If Cisco Secure ACS runs on a member server and any user is to be authenticated using EAP-TLS, you must complete additional configuration in Active Directory of the domain containing Cisco Secure ACS. The username that you configured to run all Cisco Secure ACS services must also have permission to read user properties in Active Directory, else EAP-TLS authentication fails.