Wired authentication 802.1X

Hi, I need to authenticate 802.1X in wired connection. Actually my Lion works fine because it has automatically converted the 802.1X profile, but I can't create a new one. In Snow Leopard, in System Preferences/Network/Ethernet, select Advanced, click in the 802.1X tab: I can't configure a profile. So can I configure a profile for my 802.1X authentication??
THANKS!!!!

Hi,
According to your description, my understanding is that you want to deploy 802.1x wired authentication via PEAP, MD5 and need instructions about this.
Some articles, just for your reference:
802.1X Authenticated Wired Access Overview
https://technet.microsoft.com/en-us/library/hh831831.aspx
802.1X Authenticated Wired Access Design Guide
https://technet.microsoft.com/library/dd378864(WS.10).aspx
IEEE 802.1X Wired Authentication
https://technet.microsoft.com/en-us/magazine/2008.02.cableguy.aspx
Best Regards,
Eve Wang

Similar Messages

  • Windows 7 802.1x (Wired) Authentication Failure when logging into Lync 2010

    Hi
    My company has implemented 802.1x Wired authentication; we use GPO to specify a Wired Profile that uses a COMPUTER certificate.
    We are finding that when a Windows 7 laptop comes out of sleep or hibernation, the laptop fails 802.1x authentication and does not connect to the network.
    This issue only occurs intermittently, but has been proven to occur only when Lync 2010 is open. If we close Lync 2010 the issue does not occur. Lync 2010 installs a self-signed USER certificate for authentication.
    I am aware that there are some issues around Windows 7 not selecting the correct certificate when responding to authentication requests (KB2710995, KB2769121) but these always specify that the issue occurs when 802.1x authentication uses USER certificates, not a mix of USER and COMPUTER. We have installed these hotfixes and the issue still occurs.

    Hi,
    From the description, you suspect the DHCP request causes this issue. Would you please send us the packets? It seems that you have looked into the traffic and found some clues.
    Meanwhile, I found the following hotfix which may be related to this issue.
    No response to 802.1X authentication requests after authentication fails on a computer that is running Windows 7 or Windows Server 2008 R2: http://support.microsoft.com/kb/980295/en-us
    Next Action Plan:
    1. Clean Boot
    a. Click Start, click Run, type "msconfig" (without the quotation marks) in the Open box, and then click OK.
    b. In the Startup tab, click the "Disable All" button.
    c. In the Services tab, check the "Hide All Microsoft Services" checkbox, and then click the "Disable All" button.
    ======================================================
    Clean Boot + binary search
    In a Clean Boot, all the 3rd party services and startup programs are disabled. If the server can start normally in Clean Boot, we can be sure that the issue was caused by some 3rd party service or application. And then we can do a "binary search".
    You can enable half of all the services in Services tab, and then restart the server to check the result. If the issue reoccurs, it means the culprit is in this list; if not, the culprit is in the other half. And then, we can continue the binary search, until we find out the root cause. Please let me know if this action plan is OK for you.
    2. Collect etl trace on the problematic client.
    netsh trace start capture=yes overwrite=yes tracefile=c:\net.etl filemode=circular
    ****Try to reproduce this issue****
    netsh trace stop
    Please send the net.etl to us for underlying analysis.
    For any concerns, please let us know.
    Best regards,
    Steven Song

  • 802.1x wired authentication via PEAP, MD5

    Hi everyone,
    Thank you for taking the time to read this. I am implementing a security solution and wanted to take the benefit of implementing 802.1x over wire. I have been searching a bit but there is not much info from start to finish on how to implement this solution. I would really appreciate it if someone could point me somewhere to find detailed instructions on how to do this, as so far I have been configuring in multiple ways but with no result. Still an orange port color on my switch, that means the first hop of security works but the next does not.
    Thank you in advance to read this.

    Hi,
    According to your description, my understanding is that you want to deploy 802.1x wired authentication via PEAP, MD5 and need instructions about this.
    Some articles, just for your reference:
    802.1X Authenticated Wired Access Overview
    https://technet.microsoft.com/en-us/library/hh831831.aspx
    802.1X Authenticated Wired Access Design Guide
    https://technet.microsoft.com/library/dd378864(WS.10).aspx
    IEEE 802.1X Wired Authentication
    https://technet.microsoft.com/en-us/magazine/2008.02.cableguy.aspx
    Best Regards,
    Eve Wang

  • 802.1x wired authentication to AD

    Wired authentication:
    This is what I want to accomplish:
    Switch - ACS 4.0 -> Active Directory
    Assume a new user is logging into the network for the first time and he starts his computer which has been configured for 802.1x PEAP. I have checked off the option 'Automatically use my Windows logon name and password' in LAN properties
    Now, after the computer starts, the user is presented with the regular Windows dialog logon box to which he hits Ctrl+Alt+Del and enters his Windows AD credentials. I want those credentials to be sent to the switch as part of the 802.1x logon. After the port is authorized, those same credentials should be passed onto Active Directory to become authenticated to the Windows network.
    Possible? I'm assuming this is the way it should & can work

    Hi, you need machine authentication as well. Otherwise Windows will not be able to verify the user's identity and cannot log the user in. Windows authentication of the user takes place before the switchport authenticates for the user. Machine authentication allows the computer to authenticate and get access to the network before the user logs in. Thus the user authentication CAN take place because the DC's are only available after machine authentication succeeded.

  • WRT54G2 V1 wired authentication with 802.1X

    Hello, does this device support WIRED authentication with 802.1X and MD5-crypt? If not, is there such a possibility in the next firmware version? Thanks for your reply.

    Well, I am not sure if that will work or not. Maybe you can give it a try and check if it's working or not.

  • 802.1x Wireless versus Wired authentication ?

    Hi,
    I'm learning Wireless NPS configuration. Things are confusing for me and I have a couple of questions. The article below seems to be a good article for understanding Wireless authentication complex features, but it is a little bit confusing for me: http://technet.microsoft.com/en-us/magazine/2007.11.cableguy.aspx.
    My questions:
    1) What is the difference between 802.1x Wired and Wireless domain authentication processes?
    2) Could someone help me get a basic understanding of Wireless Single Sign On on a domain authentication?
    3) Could someone give me a basic understanding of bootstrap profile on a domain authentication?
    I have read a couple of books and articles. Unfortunately, none of them gave me a clear understanding of the subject.

    No, CA wasn't changed with R2.
    Are you able to see the User's certificate in the Keychain app under the login keychain & My Certificates? Can you see the CA's certificate under the X509Anchors?
    In the login keychain, when looking at the Users certificate, does it show as valid?

  • NAP / 802.1x wired authentication issues

    NAP/NPS Server = 2012R2 NPS Role installed
    Client Switches: HP Proliant 5400 series
    Supplicant: Windows 7 Pro domain joined, built-in Windows 802.1x supplicant.
    We are using user and machine based authentication (to accommodate RDP sessions) with health checks (AV installed and Firewall enabled on all network profiles). User authentication policies are above Machine authentication policies in NPS so that when a user logs in, it supersedes the machine's authentication and switches VLANs based on the user's AD group membership. If a user or machine fails authentication, or fails the health check, they are quarantined on our 666 VLAN (We call it the Leper Colony!).
    Everything pretty much works...except one small thing...
    PROBLEM
    When a computer first boots up (maybe other times, I don't know), before presenting a user with a login screen, it gets...
    This topic first appeared in the Spiceworks Community

    Hi, you need machine authentication as well. Otherwise Windows will not be able to verify the user's identity and cannot log the user in. Windows authentication of the user takes place before the switchport authenticates for the user. Machine authentication allows the computer to authenticate and get access to the network before the user logs in. Thus the user authentication CAN take place because the DC's are only available after machine authentication succeeded.

  • Layer 2 Authentication 802.x / PEAP

    Hello,
    I'm looking for a solution on how I can integrate WLC 5508 and IAS 2003 to allow clients to authenticate using their Active Directory username and password.
    Please note that:
    I can't join all clients to the domain.
    I don't want to install an SSL certificate on the client machines as I can't predict the type of client that is going to connect to the WiFi network.
    I have posted a thread before regarding this matter https://supportforums.cisco.com/discussion/12128796/layer-3-webauth-layer-2-authentication but haven't gotten the right answer to it.
    I would appreciate your feedback.
    Regards,

    "The first time you connect, you’ll be asked to accept the RADIUS server’s certificate."
    > This is because you are validating the server certificate or you are specifying the radius server on the client. On iPads and iPhones, you will always have to accept the certificate on the first connection and this will apply to other devices as well. Not all, but some.
    Also I can see the client machine Event Error 36882 "SChannel" which is stated that the Certificate received from the remote server was issued by an Untrusted Certificate Authority and none of the data contained can be validated. Connection request failed.
    > This is because you are validating the server certificate.
    Getting this to work is not easy if it's your first time. You will have to understand PKI and how certificates work so you understand the errors. There are many variables to be honest and you can have an issue with the IAS server, its policies, client settings and even a certificate that can't be used for 802.1x. All I can say is that you have to look at more guides on the internet and try to understand how each tries to deploy 802.1x. For now, you can only use PEAP, which is just a cert on the radius side, but you need a valid certificate that can be used for 802.1x.

  • Cisco ISE Wired authentication

    Hi Dears,
    I want to configure wired user authentication from the ISE server.
    I need configuration documentation for configuring ISE and the switch.
    thanks.

    check
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_sw_cnfg.html
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/113362-config-web-auth-ise-00.html

  • Configuring wired 802.1x with Cisco 2950 and NPS 2012 problem

    Hi,
    I am trying to setup wired authentication on my corporate network. For testing purposes, I have setup a Cisco 2950 switch for RADIUS authentication.
    On the first day of the test, access messages were appearing on the event log of the 2012 Server and we were trying to address the issues with EAP and policy (Network Policy and Access Services).
    Then, suddenly no events are written to the event log for the wired authentication. Accounting data is written to the log file at c:\windows\system32\logfiles, but nothing happens on the event log as if the NPS is not answering. We are using the same server for wireless 802.1x and all is working fine.
    Checking the wired autoconfig log on the client, Restart Reason : Onex Auth Timeout appears.
    Logging seems to be configured properly, there are no entries in event log. Below is the debug information from the 2950 switch;
    KAT2-BATISW1#
    00:18:28: dot1x-registry:dot1x_port_linkchange invoked on interface FastEthernet
    0/17
    00:18:28: dot1x-registry:dot1x_port_linkcomingup invoked on interface FastEthern
    et0/17
    00:18:28: dot1x-ev:dot1x_port_enable: set dot1x ask handler on interface FastEth
    ernet0/17
    00:18:28: dot1x-ev:dot1x_update_port_direction: Updating oper direction for Fa0/
    17 (admin=Both, current oper=Both)
    00:18:28: dot1x-ev:dot1x_update_port_direction: New oper direction for Fa0/17 is
     Both
    00:18:28:     dot1x_auth Fa0/17: initial state auth_initialize has enter
    00:18:28: dot1x-sm:Fa0/17:0000.0000.0000:auth_initialize_enter called
    00:18:28: dot1x-ev:auth_initialize_enter:0000.0000.0000: Current ID=0
    00:18:28:     dot1x_auth Fa0/17: during state auth_initialize, got event 0(cfg_a
    uto)
    00:18:28: @@@ dot1x_auth Fa0/17: auth_initialize -> auth_disconnected
    00:18:28: dot1x-sm:Fa0/17:0000.0000.0000:auth_disconnected_enter_action called
    00:18:28: dot1x-sm:
    dot1x_update_port_status called with port_status = DOT1X_PORT_STATUS_UNAUTHORIZE
    D
    00:18:28: dot1x-ev:dot1x_update_port_direction: Updating oper direction for Fa0/
    17 (admin=Both, current oper=Both)
    00:18:28: dot1x-ev:dot1x_update_port_direction: New oper direction for Fa0/17 is
     Both
    00:18:28: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEt
    hernet0/17
    00:18:28: dot1x-ev:dot1x_update_port_status: Called with host_mode=0 state UNAUT
    HORIZED
    00:18:28: dot1x-ev:dot1x_update_port_status: using mac 0000.0000.0000 to send po
    rt to unauthorized on vlan 0
    00:18:28: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
    00:18:28: dot1x-ev:dot1x_port_unauthorized: Host-mode=0 radius/guest vlan=0 on F
    astEthernet0/17
    00:18:28: dot1x-ev:    GuestVlan configured=0
    00:18:28: dot1x-ev:supplicant 0000.0000.0000 is default
    00:18:28: dot1x-ev:supplicant 0000.0000.0000 is last
    00:18:28: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
    00:18:28: dot1x-ev:0000.0000.0000 is now unauthorized on port FastEthernet0/17
    00:18:28: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEt
    hernet0/17
    00:18:28: dot1x-ev:Enter function dot1x_aaa_acct_end
    00:18:28: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
    00:18:28: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
    00:18:28:     dot1x_auth Fa0/17: idle during state auth_disconnected
    00:18:28: @@@ dot1x_auth Fa0/17: auth_disconnected -> auth_connecting
    00:18:28: dot1x-sm:Fa0/17:0000.0000.0000:auth_connecting_enter called
    00:18:28:     dot1x_bend Fa0/17: initial state dot1x_bend_initialize has enter
    00:18:28: dot1x-sm:Dot1x Initialize State Entered
    00:18:28:     dot1x_bend Fa0/17: initial state dot1x_bend_initialize has idle
    00:18:28:     dot1x_bend Fa0/17: during state dot1x_bend_initialize, got event 1
    6383(idle)
    00:18:28: @@@ dot1x_bend Fa0/17: dot1x_bend_initialize -> dot1x_bend_idle
    00:18:28: dot1x-sm:Dot1x Idle State Entered
    00:18:28: dot1x-ev:Created port supplicant block 0000.0000.0000 expected_id=0 cu
    rrent_id=0
    00:18:28: dot1x-ev:dot1x_init_sb_oper_info:Default port supplicant at memloc 80D
    71C74
    00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface
    FastEthernet0/17
    00:18:28: dot1x-ev:
    dot1x_post_message_to_auth_sm:0000.0000.0000: Sending TX_FAIL
    00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm:0000.0000.0000: Current ID=1
    00:18:28: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/17
    00:18:28: dot1x-packet:Tx EAP-Failure, id 0, ver 1, len 4 (Fa0/17)
    00:18:28: dot1x-registry:registry:dot1x_ether_macaddr called
    00:18:28: dot1x-packet:Tx sa=000f.24e9.72d1, da=0180.c200.0003, et 888E (Fa0/17)
    00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface
    FastEthernet0/17
    00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0
    000.0000.0000
    00:18:28: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/17
    00:18:28: dot1x-packet:Tx EAP-Request(Id), id 1, ver 1, len 5 (Fa0/17)
    00:18:28: dot1x-registry:registry:dot1x_ether_macaddr called
    00:18:28: dot1x-packet:Tx sa=000f.24e9.72d1, da=0180.c200.0003, et 888E (Fa0/17)
    00:18:28: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
    00:18:28: dot1x-packet:Rx EAP-Response(Id), id 1, ver 1, len 21 (Fa0/17)
    00:18:28: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
    00:18:28: dot1x-ev:Couldn't find a supplicant block for mac 0024.1d10.d7c5
    00:18:28: dot1x-ev:Couldn't find a supplicant block for mac 0024.1d10.d7c5
    00:18:28: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
    00:18:28:     dot1x_auth Fa0/17: initial state auth_initialize has enter
    00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_initialize_enter called
    00:18:28: dot1x-ev:auth_initialize_enter:0024.1d10.d7c5: Current ID=0
    00:18:28:     dot1x_auth Fa0/17: during state auth_initialize, got event 0(cfg_a
    uto)
    00:18:28: @@@ dot1x_auth Fa0/17: auth_initialize -> auth_disconnected
    00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_disconnected_enter_action called
    00:18:28: dot1x-sm:
    dot1x_update_port_status called with port_status = DOT1X_PORT_STATUS_UNAUTHORIZE
    D
    00:18:28: dot1x-ev:dot1x_update_port_direction: Updating oper direction for Fa0/
    17 (admin=Both, current oper=Both)
    00:18:28: dot1x-ev:dot1x_update_port_direction: New oper direction for Fa0/17 is
     Both
    00:18:28: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEt
    hernet0/17
    00:18:28: dot1x-ev:dot1x_update_port_status: Called with host_mode=0 state UNAUT
    HORIZED
    00:18:28: dot1x-ev:dot1x_update_port_status: using mac 0024.1d10.d7c5 to send po
    rt to unauthorized on vlan 0
    00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:28: dot1x-ev:dot1x_port_unauthorized: Host-mode=0 radius/guest vlan=0 on F
    astEthernet0/17
    00:18:28: dot1x-ev:    GuestVlan configured=0
    00:18:28: dot1x-ev:supplicant 0024.1d10.d7c5 is last
    00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:28: dot1x-ev:0024.1d10.d7c5 is now unauthorized on port FastEthernet0/17
    00:18:28: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEt
    hernet0/17
    00:18:28: dot1x-ev:Enter function dot1x_aaa_acct_end
    00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:28:     dot1x_auth Fa0/17: idle during state auth_disconnected
    00:18:28: @@@ dot1x_auth Fa0/17: auth_disconnected -> auth_connecting
    00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_enter called
    00:18:28:     dot1x_bend Fa0/17: initial state dot1x_bend_initialize has enter
    00:18:28: dot1x-sm:Dot1x Initialize State Entered
    00:18:28:     dot1x_bend Fa0/17: initial state dot1x_bend_initialize has idle
    00:18:28:     dot1x_bend Fa0/17: during state dot1x_bend_initialize, got event 1
    6383(idle)
    00:18:28: @@@ dot1x_bend Fa0/17: dot1x_bend_initialize -> dot1x_bend_idle
    00:18:28: dot1x-sm:Dot1x Idle State Entered
    00:18:28: dot1x-ev:Created port supplicant block 0024.1d10.d7c5 expected_id=1 cu
    rrent_id=1
    00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface
    FastEthernet0/17
    00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface
    FastEthernet0/17
    00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0
    024.1d10.d7c5
    00:18:28: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/17
    00:18:28: dot1x-packet:Tx EAP-Request(Id), id 0, ver 1, len 5 (Fa0/17)
    00:18:28: dot1x-registry:registry:dot1x_ether_macaddr called
    00:18:28: dot1x-packet:Tx sa=000f.24e9.72d1, da=0180.c200.0003, et 888E (Fa0/17)
    00:18:28: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
    00:18:28: dot1x-packet:Rx EAP-Response(Id), id 0, ver 1, len 21 (Fa0/17)
    00:18:28: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
    00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:28:     dot1x_auth Fa0/17: during state auth_connecting, got event 7(rxRes
    pId)
    00:18:28: @@@ dot1x_auth Fa0/17: auth_connecting -> auth_authenticating
    00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_exit alled
    00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_authenticating_enter called
    00:18:28: dot1x-ev:sending AUTH_START to BEND for supp_info=80D7E584
    00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_authenticating_action c
    alled
    00:18:28: dot1x-ev:Received AuthStart from Authenticator for supp_info=80D7E584
    00:18:28:     dot1x_bend Fa0/17: during state dot1x_bend_idle, got event 1(auth_
    start)
    00:18:28: @@@ dot1x_bend Fa0/17: dot1x_bend_idle -> dot1x_bend_response
    00:18:28: dot1x-sm:Dot1x Response State Entered for supp_info=80D7E584 hwidb=807
    D353C, swidb=807D4898 on intf=Fa0/17
    00:18:28: dot1x-ev:Managed Timer in sub-block attached as leaf to master
    00:18:28: dot1x-sm:Started the ServerTimeout Timer
    00:18:28: dot1x-ev:Going to Send Request to AAA Client on RP for id = 0 and leng
    th = 21
    00:18:28: dot1x-ev:Got a Request from SP to send it to Radius with id 4294967283
    00:18:28: dot1x-ev:Couldn't Find a process thats already handling the request fo
    r this id 0
    00:18:28: dot1x-ev:Inserted AAA request for interface FastEthernet0/17, MAC 0024
    .1d10.d7c5, VLAN 0 on pending request queue
    00:18:28: dot1x-ev:Found a free slot at slot 0
    00:18:28: dot1x-ev:Found a free slot at slot 0
    00:18:28: dot1x-ev:Processing AAA request for interface FastEthernet0/17, MAC 00
    24.1d10.d7c5, VLAN 0 from pending request queue
    00:18:28: dot1x-ev:Request id = -13 and length = 21
    00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:28: dot1x-ev:The Interface on which we got this AAA Request is FastEtherne
    t0/17
    00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:28: dot1x-ev:Username is DUZEY\SAYTAMANER
    00:18:28: dot1x-ev:MAC Address is 0024.1d10.d7c5
    00:18:28: dot1x-ev:RemAddr is 00-24-1D-10-D7-C5/00-0F-24-E9-72-D1
    00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:30: %LINK-3-UPDOWN: Interface FastEthernet0/17, changed state to up
    00:18:46: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
    00:18:46: dot1x-packet:Rx EAPOL-Start, ver 1, len 0 (Fa0/17)
    00:18:46: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
    00:18:46: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:46: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:46: dot1x-ev:RECEIVED mac =0024.1d10.d7c5 and Stored MAC =0024.1d10.d7c5
    00:18:46:     dot1x_auth Fa0/17: during state auth_authenticating, got event 4(e
    apStart)
    00:18:46: @@@ dot1x_auth Fa0/17: auth_authenticating -> auth_aborting
    00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_aborting_enter called
    00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_authenticating_aborting_action cal
    led
    00:18:46: dot1x-ev:Received DOT1X_MSG_AUTH_ABORT: setting msg_id = 0
    00:18:46:     dot1x_bend Fa0/17: during state dot1x_bend_response, got event 5(i
    nitialize)
    00:18:46: @@@ dot1x_bend Fa0/17: dot1x_bend_response -> dot1x_bend_initialize
    00:18:46: dot1x-sm:Dot1x Initialize State Entered
    00:18:46:     dot1x_bend Fa0/17: idle during state dot1x_bend_initialize
    00:18:46: @@@ dot1x_bend Fa0/17: dot1x_bend_initialize -> dot1x_bend_idle
    00:18:46: dot1x-sm:Dot1x Idle State Entered
    00:18:46:     dot1x_auth Fa0/17: during state auth_aborting, got event 16(noauth
    Abort_noeapLogoff)
    00:18:46: @@@ dot1x_auth Fa0/17: auth_aborting -> auth_connecting
    00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_enter called
    00:18:46: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0
    024.1d10.d7c5
    00:18:46: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/17
    00:18:46: dot1x-packet:Tx EAP-Request(Id), id 1, ver 1, len 5 (Fa0/17)
    00:18:46: dot1x-registry:registry:dot1x_ether_macaddr called
    00:18:46: dot1x-packet:Tx sa=000f.24e9.72d1, da=0180.c200.0003, et 888E (Fa0/17)
    00:18:46: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
    00:18:46: dot1x-packet:Rx EAP-Response(Id), id 1, ver 1, len 21 (Fa0/17)
    00:18:46: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
    00:18:46: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:46: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:46: dot1x-ev:RECEIVED mac =0024.1d10.d7c5 and Stored MAC =0024.1d10.d7c5
    00:18:46:     dot1x_auth Fa0/17: during state auth_connecting, got event 7(rxRes
    pId)
    00:18:46: @@@ dot1x_auth Fa0/17: auth_connecting -> auth_authenticating
    00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_exit alled
    00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_authenticating_enter called
    00:18:46: dot1x-ev:sending AUTH_START to BEND for supp_info=80D7E584
    00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_authenticating_action c
    alled
    00:18:46: dot1x-ev:Received AuthStart from Authenticator for supp_info=80D7E584
    00:18:46:     dot1x_bend Fa0/17: during state dot1x_bend_idle, got event 1(auth_
    start)
    00:18:46: @@@ dot1x_bend Fa0/17: dot1x_bend_idle -> dot1x_bend_response
    00:18:46: dot1x-sm:Dot1x Response State Entered for supp_info=80D7E584 hwidb=807
    D353C, swidb=807D4898 on intf=Fa0/17
    00:18:46: dot1x-ev:Managed Timer in sub-block attached as leaf to master
    00:18:46: dot1x-sm:Started the ServerTimeout Timer
    00:18:46: dot1x-ev:Going to Send Request to AAA Client on RP for id = 1 and leng
    th = 21
    00:18:46: dot1x-ev:Got a Request from SP to send it to Radius with id 4294967284
    00:18:46: dot1x-ev:Found a process thats already handling therequest for this id
     1
    00:18:48: dot1x-err:Dot1x Authentication failed (AAA_AUTHEN_STATUS_ERROR)
    00:18:48: dot1x-ev:Received VLAN is No Vlan
    00:18:48: dot1x-ev:Enqueued the response to BackEnd
    00:18:48: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:48: dot1x-ev:Enter function dot1x_aaa_acct_end
    00:18:48: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:48: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:48: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:48: dot1x-ev:Received QUEUE EVENT in response to AAA Request
    00:18:58: dot1x-sm:Fa0/17:0000.0000.0000:dot1x_process_txWhen_expire called
    00:18:58:     dot1x_auth Fa0/17: during state auth_connecting, got event 19(txWh
    en_expire)
    00:18:58: @@@ dot1x_auth Fa0/17: auth_connecting -> auth_connecting
    00:18:58: dot1x-sm:Fa0/17:0000.0000.0000:auth_connecting_connecting_action calle
    d
    00:18:58: dot1x-ev:dot1x_post_message_to_auth_sm: Skipping tx for req_id for def
    ault supplicant
    00:19:07: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
    00:19:07: dot1x-packet:Rx EAPOL-Start, ver 1, len 0 (Fa0/17)
    00:19:07: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
    00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:19:07: dot1x-ev:RECEIVED mac =0024.1d10.d7c5 and Stored MAC =0024.1d10.d7c5
    00:19:07:     dot1x_auth Fa0/17: during state auth_authenticating, got event 4(e
    apStart)
    00:19:07: @@@ dot1x_auth Fa0/17: auth_authenticating -> auth_aborting
    00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_aborting_enter called
    00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_authenticating_aborting_action cal
    led
    00:19:07: dot1x-ev:Received DOT1X_MSG_AUTH_ABORT: setting msg_id = 0
    00:19:07:     dot1x_bend Fa0/17: during state dot1x_bend_response, got event 5(i
    nitialize)
    00:19:07: @@@ dot1x_bend Fa0/17: dot1x_bend_response -> dot1x_bend_initialize
    00:19:07: dot1x-sm:Dot1x Initialize State Entered
    00:19:07:     dot1x_bend Fa0/17: idle during state dot1x_bend_initialize
    00:19:07: @@@ dot1x_bend Fa0/17: dot1x_bend_initialize -> dot1x_bend_idle
    00:19:07: dot1x-sm:Dot1x Idle State Entered
    00:19:07:     dot1x_auth Fa0/17: during state auth_aborting, got event 16(noauth
    Abort_noeapLogoff)
    00:19:07: @@@ dot1x_auth Fa0/17: auth_aborting -> auth_connecting
    00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_enter called
    00:19:07: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0
    024.1d10.d7c5
    00:19:07: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/17
    00:19:07: dot1x-packet:Tx EAP-Request(Id), id 2, ver 1, len 5 (Fa0/17)
    00:19:07: dot1x-registry:registry:dot1x_ether_macaddr called
    00:19:07: dot1x-packet:Tx sa=000f.24e9.72d1, da=0180.c200.0003, et 888E (Fa0/17)
    00:19:07: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
    00:19:07: dot1x-packet:Rx EAP-Response(Id), id 2, ver 1, len 21 (Fa0/17)
    00:19:07: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
    00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:19:07: dot1x-ev:RECEIVED mac =0024.1d10.d7c5 and Stored MAC =0024.1d10.d7c5
    00:19:07:     dot1x_auth Fa0/17: during state auth_connecting, got event 7(rxRes
    pId)
    00:19:07: @@@ dot1x_auth Fa0/17: auth_connecting -> auth_authenticating
    00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_exit alled
    00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_authenticating_enter called
    00:19:07: dot1x-ev:sending AUTH_START to BEND for supp_info=80D7E584
    00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_authenticating_action c
    alled
    00:19:07: dot1x-ev:Received AuthStart from Authenticator for supp_info=80D7E584
    00:19:07:     dot1x_bend Fa0/17: during state dot1x_bend_idle, got event 1(auth_
    start)
    00:19:07: @@@ dot1x_bend Fa0/17: dot1x_bend_idle -> dot1x_bend_response
    00:19:07: dot1x-sm:Dot1x Response State Entered for supp_info=80D7E584 hwidb=807
    D353C, swidb=807D4898 on intf=Fa0/17
    00:19:07: dot1x-ev:Managed Timer in sub-block attached as leaf to master
    00:19:07: dot1x-sm:Started the ServerTimeout Timer
    00:19:07: dot1x-ev:Going to Send Request to AAA Client on RP for id = 2 and leng
    th = 21
    00:19:07: dot1x-ev:Got a Request from SP to send it to Radius with id 4294967285
    00:19:07: dot1x-ev:Couldn't Find a process thats already handling the request fo
    r this id 2
    00:19:07: dot1x-ev:Inserted AAA request for interface FastEthernet0/17, MAC 0024
    .1d10.d7c5, VLAN 0 on pending request queue
    00:19:07: dot1x-ev:Found a free slot at slot 0
    00:19:07: dot1x-ev:Found a free slot at slot 0
    00:19:07: dot1x-ev:Processing AAA request for interface FastEthernet0/17, MAC 00
    24.1d10.d7c5, VLAN 0 from pending request queue
    00:19:07: dot1x-ev:Request id = -11 and length = 21
    00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:19:07: dot1x-ev:The Interface on which we got this AAA Request is FastEtherne
    t0/17
    00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:19:07: dot1x-ev:Username is DUZEY\SAYTAMANER
    00:19:07: dot1x-ev:MAC Address is 0024.1d10.d7c5
    00:19:07: dot1x-ev:RemAddr is 00-24-1D-10-D7-C5/00-0F-24-E9-72-D1
    00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:19:19: dot1x-registry:dot1x_port_linkchange invoked on interface FastEthernet
    0/17
    00:19:19: dot1x-ev:supp_info=80D7E584 txWhen_timer=80D7E5D4 quietWhile_timer=80D
    7E594reAuthWhen_timer=80D7E5B4 awhile_timer=80D7E5F4
    00:19:19: dot1x-ev:destroy supplicant block for 0024.1d10.d7c5
    00:19:19: dot1x-ev:supp_info=80D71C74 txWhen_timer=80D71CC4 quietWhile_timer=80D
    71C84reAuthWhen_timer=80D71CA4 awhile_timer=80D71CE4
    00:19:19: dot1x-ev:destroy supplicant block for 0000.0000.0000
    00:19:19: dot1x-ev:Enter function dot1x_aaa_acct_end
    00:19:19: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
    00:19:19: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
    00:19:19: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEt
    hernet0/17
    00:19:19: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface
    This is driving me crazy, working on it for a whole week and no results..
    Thank you..

    Hi again,
    I have put the config on 2960. Now as soon as the authentication starts, this is the message on debug;
    dot1x authentication unable to start - authenticator not enabled..
    Any ideas?
    regards,
    onur

  • 802.1X authentication process in Active Directory joined computer.

    Hi,
    I'm not really sure of my understanding of the authentication process of an Active Directory joined computer, and I would like to know the purpose of authenticating multiple times as described below:
    1. When Windows starts up,
    2. it will authenticate to the 802.1x network using the computer account.
    3. When the user enters AD credentials and presses login, it will disconnect the current 802.1x connection and re-authenticate to the network through the AD user account.
    4. Once 3 is done, the AD credential will be used to authenticate to AD again to log in.
    Why do we need 3 authentications? Why do we need step 3?
    Note: this is just my current understanding on one of the mode of 802.1x authentication. Please feel free to correct and add more information so that I can understand 802.1x authentication more precisely.
    Thank you!
    Ah_Chao|| MCSE,VCP,EMCSAe

    Hi,
    According to your description, my understanding is that you want to know the reason why 802.1x authenticates 3 times.
    It depends on your 802.1x settings. The option Computer Authentication (allows you to specify how computer authentication works with user authentication). One of the possible settings is With User Re-Authentication. When users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the computer, authentication is performed using the user credentials. When a user logs off of the computer, authentication is performed with the computer credentials. This is the recommended setting because it ensures that the connection to the wireless AP is always using the security credentials of the computer's current security context (computer credentials when no user is logged on and user credentials when a user is logged on).
    Detailed description you may reference:
    https://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx?f=255&MSPPError=-2147217396
    And more information about 802.1x, you may reference:
    Understanding 802.1X authentication for wireless networks
    https://technet.microsoft.com/en-us/library/cc759077(v=ws.10).aspx
    IEEE 802.1X Wired Authentication
    https://technet.microsoft.com/en-us/magazine/2008.02.cableguy.aspx
    Creating a secure 802.1x wireless infrastructure using Microsoft Windows
    http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx
    Best Regards,
    Eve Wang

  • 802.1x authentication only on virtual machine. I want to bypass EAP authentication on host machine

    I want to do EAP (802.1x) authentication with the client installed on a virtual machine. I want to bypass EAP (802.1x) authentication on the host machine, because I want to test it on the client in the VM, not on the host machine. For wifi it works fine because I can have a USB wifi NIC which connects to the VM directly, and the authentication goes fine as the host machine NIC does not come into the picture at all.
    But in the case of wired, the VM NIC has to go via the host NIC.

    Hello,
    I managed to do that with a VM and a host, both authenticating in wired, behind a phone. The host would receive an ACL limiting its traffic to just internet and the VM could access the internal network. (do not ask to discuss the use case).
    The considerations were that :
    both host and VM would need to be on the same dynamically assigned VLAN, as 2960/3750 do not support two DATA domain hosts in different vlans (3850 apparently supports or will support it), so I had to have 802.1X both on host and in VM.
    the VSwitch in VMworkstation had to be in bridge mode.
    authentication mode multiauth had to be enabled in the interface in order to cope with multiple authenticated sessions behind the same interface.
    What is exactly your question?
    Gustavo

  • 802.1x on a wired Lan Connection

    Dear Community,
    I have the job to connect a Windows CE 6.0 device to a network (wired) with 802.1x. The switch to which I connect the device is operating as authenticator and the WinCE device is the supplicant. A RADIUS server with AD is also present.
    All the information and samples that I can find relate to wireless LAN connections (WZCSVC). A description of the EAPOL API is also absent (or I was not able to find it).
    I'm afraid that WinCE 6.0 is not prepared for using 802.1x over a wired connection like Win XP can, but I'm not sure about that. I cannot find a definite statement whether it is possible or not.
    Does anybody know if it is possible and/or how I can solve this problem?
    Regards Achim

    Community,
    anybody has answer to this problem?  I have to do the same thing...
    Achim,
    did you solve this problem? Thank you in advance for any help you can provide.
    Regards Bruno

  • Systemd with wpa_supplicant 802.1X wired and dhcpcd - Need help

    Hi,
    At work we use 802.1X wired authentication on the network to get access. If successfully authenticated then I get 10.x.x.x network address from DHCP,
    and if not successfully authenticated, I get a 172.x.x.x address from DHCP.
    Now I've configured wpa_supplicant with certificates in its configuration file so that one is working fine.
    What I have problems with is the startup, this is what I need in order:
    * I need wpa_supplicant to start up
    * wpa_supplicant needs to authenticate completely
    * now dhcpcd may run and I should get 10.x.x.x address.
    I've tried two (b*ttfugly) ways of solving this under systemd:
    wpa_auth.service
    [Unit]
    Description=WPA 802.1X
    Requires=sys-subsystem-net-devices-eth0.device
    After=sys-subsystem-net-devices-eth0.device
    [Service]
    Type=simple
    ExecStart=/usr/sbin//wpa_supplicant -ieth0 -Dwired -c/etc/wpa_supplicant/wpa_supplicant.conf
    [Install]
    Alias=multi-user.target.wants/wpa_auth.service
    And in [email protected] I've added:
    After=wpa_auth.service
    However this won't work since wpa_supplicant isn't done authenticating when dhcpcd starts up.
    I've also tried using -B option to wpa_supplicant and forking in wpa_auth.service like this:
    Type=forking
    ExecStart=/usr/sbin//wpa_supplicant -B -ieth0 -Dwired -c/etc/wpa_supplicant/wpa_supplicant.conf
    Now if I'm lucky this works, but it's still a race condition.
    So: the next thing I tried was to make wpa_auth.service start up a script (Type=forking) that executes wpa_supplicant and adds a sleep 1. This gives wpa_supplicant 1 second to authenticate, but it's still a shitty and unsafe solution.
    The last solution I tried was using the above solution but replacing sleep with wpa_cli -a script, which according to the man page executes the script when it receives an event. So right now the chain looks like this:
    In chronological order:
    - wpa_auth.service (systemd)
    Type=forking
    - script
    - wpa_supplicant
    - wpa_cli -a script2 (will block until receiving a CONNECTED/DISCONNECTED event from wpa_supplicant, then run script2)
    - script2
    -pkill wpa_cli
    - exit 0
    done - dhcpcd may start
    I just want to find a way to start dhcpcd after wpa_supplicant has authenticated so I get a correct IP address.
    How do I do this in a correct way? Can I use dbus somehow to make wpa_supplicant signal that it is done authenticating?
    Thanks
    Last edited by dimman (2012-11-23 15:56:01)

    From the sample wpa_supplicant.conf:
    # scan_ssid:
    # 0 = do not scan this SSID with specific Probe Request frames (default)
    # 1 = scan with SSID-specific Probe Request frames (this can be used to
    # find APs that do not accept broadcast SSID or use multiple SSIDs;
    # this will add latency to scanning, so enable this only when needed)
    So... looks like that likely isn't the solution. Of course, this is all just speculation now, until I can resolve the hardware issues or get a new laptop.
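
One way to remove the race described in the question above, added here as an example and not taken from the thread: instead of sleeping, poll the supplicant's status and let DHCP start only once the port is reported authorized, failing closed on timeout. The field names are those printed by `wpa_cli status`; the `run` argument, the function names and the sample outputs are assumptions of this example.

```shell
#!/bin/sh
# Added example: hold DHCP back until the wired 802.1X port is authorized.
# Assumes wpa_supplicant exposes a control interface that wpa_cli can reach.
IFACE="${IFACE:-eth0}"

# Print the supplicant's key=value status. Kept as a function so it can be
# replaced with canned output when no supplicant is running.
wpa_status() { wpa_cli -i "$IFACE" status 2>/dev/null; }

# Succeed only if the status on stdin shows a finished, successful EAP
# exchange and an authorized controlled port.
port_authorized() {
    awk -F= '
        $1 == "suppPortStatus" && $2 == "Authorized" { port = 1 }
        $1 == "EAP state"      && $2 == "SUCCESS"    { eap = 1 }
        END { exit !(port && eap) }'
}

# Poll once per second for up to $1 seconds (default 30). Returns 1 on
# timeout so the caller fails closed instead of starting DHCP anyway.
wait_for_dot1x() {
    limit="${1:-30}"; elapsed=0
    while [ "$elapsed" -lt "$limit" ]; do
        if wpa_status | port_authorized; then return 0; fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# Constructed sample outputs (not captured from a real host).
sample_authorized() { printf '%s\n' 'wpa_state=COMPLETED' \
    'Supplicant PAE state=AUTHENTICATED' 'suppPortStatus=Authorized' \
    'EAP state=SUCCESS'; }
sample_pending() { printf '%s\n' 'wpa_state=ASSOCIATED' \
    'Supplicant PAE state=AUTHENTICATING' 'suppPortStatus=Unauthorized' \
    'EAP state=IDLE'; }

# "run [seconds]" makes the script usable as a pre-start check, e.g. from
# ExecStartPre= in the dhcpcd unit; the exit status gates the DHCP client.
case "${1:-}" in
    run) wait_for_dot1x "${2:-30}" ;;
esac
```

Because a failed `ExecStartPre=` command stops the unit from starting, a timeout here leaves the interface without a lease rather than with an address from the unauthenticated 172.x.x.x range.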

  • How about joining IEEE 802.1X wired client to an AD domain?

    http://technet.microsoft.com/en-us/library/bb727033.aspx
    This nice TechNet link says clearly that there are three methods that could be used for joining a wireless IEEE 802.1X client to a domain. Do these methods also apply to joining wired IEEE 802.1X clients to a domain?

    Hi,
    In some cases, routers or firewalls drop packets because they are configured to discard packets that require fragmentation.
    Did you use NPS for authentication?
    Follow this procedure to lower the maximum size that NPS uses for EAP payloads by adjusting the Framed-MTU attribute in a network policy.
    Configure the EAP Payload Size
    http://technet.microsoft.com/en-us/library/cc755205%28v=ws.10%29
    Hope this helps.
