Thank you very much for looking into this for me! What you said is 100% correct. 802.1x works if the user is already logged into XP.
I know for a fact that the exact same setup works on other switches (for example, Cisco). We have the XP systems set up properly to send the machine auth, but it looks like it never gets past the switch.
I am looking into this for you, I will get back to you. Just to confirm, if a user is already logged into XP, PEAP-MSCHAP-V2 802.1X authenticates the user successfully, but you want the machine to be authenticated via PEAP before the user is prompted to log in to the domain?
I have found out why this is failing. PowerConnect switches currently only support 802.1X EAP-MD5 authentication, and because machine authentication requires a certificate, it's not going to work. We are planning to add PEAP support to the PC5324 switch in a firmware release which is due around the June time frame.
Hi, the problem is that PowerConnect does not support PEAP at all; even if you're using PEAP MSCHAPv2 it will not work. The only method of 802.1X authentication currently supported is EAP-MD5.
One other thing I should mention: machine authentication does work with certificates, but it is also possible to have machine authentication work with the machine's username/password, identical to the way users authenticate. This is the way we have it set up (using the machine's username/password and NOT certificates). As I said before, this is functional on other switches (Cisco), so we know it works properly. Is it at all possible the PowerConnect is confused by the format of the username provided by the computer (host/computer.domain.com)? Would it be possible for you to check on this for me?
Ok, I hate to contradict you, but we have the PowerConnect working with PEAP (MSCHAPv2). When a user is logged into the system, it is possible for them to authenticate to the switch fine with their username/password, NOT using MD5. The computers are configured for PEAP (MSCHAPv2), as is our backend RADIUS server, which is Microsoft IAS. This works fine.
Ok... interesting. I am trying to get PEAP MSCHAPv2 working on my test setup but it's failing, and that's without machine authentication. If I test using EAP-MD5 it works straight away. Can you PM me some details on your IAS setup, primarily what settings you have configured on your remote access policies and your connection request policies?
Also, I am assuming that once a user authenticates you are able to see the username listed if you execute "show dot1x users" on the switch?
Profile -> Authentication Tab -> no boxes checked -> EAP Button -> PEAP Selected -> Edit button -> Secure Password (EAP-MSCHAP v2) and the certificate issued is selected with the certificate of the IAS server
note: Only a certificate for the IAS server itself is required.
On the client:
For the NIC in question, PEAP is selected as the EAP type -> Properties button -> Secure password (EAP-MSCHAP v2) is selected as the Select Authentication Method
Just trying to get this set up on my IAS server, but for some reason, even after installing the server certificate on the IAS server, when configuring PEAP it cannot find the cert... will keep working on it.
On test #2 below, is the computer authenticated before anyone logs in (i.e. when the computer is sitting at the login screen)? Do you see that the computer account is the one that authenticated when viewing the switch administrator?
I think that what you are seeing is the system automatically sending your Windows username/password to the IAS server AFTER you have logged in (because you have selected the option to use Windows login name and password automatically). I do not believe that in this case the computer account has been used for authentication.
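The two questions in this thread that never get settled by inspection are "which EAP method is the switch actually passing through?" and "was it the computer account or the user account that authenticated?". Both can be answered from the EAPOL frames on the wire rather than from the GUI. The decoder below is an added example for this page, not code from the original posts or from Dell or Microsoft: it parses the EAPOL and EAP headers, names the EAP method by its IANA type number (4 = MD5-Challenge, 25 = PEAP, 26 = EAP-MSCHAPv2), and classifies an EAP-Response/Identity as a machine or user identity. The `host/computer.domain.com` form is the one quoted in the thread; the `DOMAIN\user` and `user@domain` user forms and all sample frames are constructed for illustration.

```python
"""Decode EAPOL/EAP frames and classify the EAP-Response/Identity.

Added example (not from the thread or from any vendor): the EAP Type byte
shows which 802.1X method is really in use, and the identity string shows
whether the machine account or the user account authenticated.
Sample frames below are constructed, not captured.
"""
import struct

EAPOL_EAP_PACKET = 0  # IEEE 802.1X EAPOL packet type carrying an EAP message

# EAP codes (RFC 3748, section 4)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# EAP method types relevant to the thread (IANA EAP registry)
EAP_TYPES = {
    1: "Identity",
    2: "Notification",
    3: "Nak",
    4: "MD5-Challenge",   # EAP-MD5, the method the switch was said to support
    13: "EAP-TLS",
    25: "PEAP",           # what the XP clients and IAS were configured for
    26: "EAP-MSCHAPv2",   # inner method carried inside the PEAP tunnel
}


def parse_eapol(frame: bytes) -> dict:
    """Parse an EAPOL header and the EAP packet it carries."""
    if len(frame) < 4:
        raise ValueError("frame too short for an EAPOL header")
    version, eapol_type, eapol_len = struct.unpack("!BBH", frame[:4])
    if eapol_type != EAPOL_EAP_PACKET:
        return {"eapol_type": eapol_type, "eap": None}
    body = frame[4:4 + eapol_len]
    if len(body) < 4:
        raise ValueError("EAPOL body too short for an EAP header")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len > len(body):
        raise ValueError("EAP length exceeds EAPOL body")
    result = {"eapol_version": version,
              "code": EAP_CODES.get(code, f"Unknown({code})"), "id": ident}
    # Success/Failure packets carry no Type field (RFC 3748, section 4.2)
    if code in (1, 2) and eap_len >= 5:
        eap_type = body[4]
        result["type_code"] = eap_type
        result["type"] = EAP_TYPES.get(eap_type, f"Unknown({eap_type})")
        if eap_type == 1 and code == 2:
            result["identity"] = body[5:eap_len].decode("utf-8", errors="replace")
    return result


def classify_identity(identity: str) -> str:
    """Machine identities from XP look like host/<fqdn> (quoted in the thread);
    DOMAIN\\user and user@domain are assumed user forms."""
    if identity.startswith("host/"):
        return "machine"
    if "\\" in identity or "@" in identity:
        return "user"
    return "unknown"


def build_eapol(code, ident, eap_type=None, payload=b""):
    """Construct an EAPOL/EAP frame; used only to build the sample frames."""
    eap_body = (bytes([eap_type]) if eap_type is not None else b"") + payload
    eap = struct.pack("!BBH", code, ident, 4 + len(eap_body)) + eap_body
    return struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap


# Constructed sample frames: identity responses, a PEAP Start request,
# an EAP-MD5 challenge request and an EAP-Success.
SAMPLE_FRAMES = {
    "machine_identity": build_eapol(2, 1, 1, b"host/laptop01.example.com"),
    "user_identity": build_eapol(2, 1, 1, b"EXAMPLE\\jdoe"),
    "peap_start": build_eapol(1, 2, 25, b"\x20"),          # PEAP flags: S bit
    "md5_challenge": build_eapol(1, 2, 4, b"\x10" + bytes(16)),
    "success": build_eapol(3, 3),
}


def summarize(frame: bytes) -> str:
    """One-line description of a frame for eyeballing a capture."""
    info = parse_eapol(frame)
    if info.get("identity") is not None:
        who = classify_identity(info["identity"])
        return f"{info['code']}/Identity {info['identity']} ({who} account)"
    if "type" in info:
        return f"{info['code']}/{info['type']}"
    return info["code"]


if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(f"{name:17} {summarize(frame)}")
```

Run against a real capture, a Request/PEAP following the Identity exchange shows the switch is relaying PEAP, while a Request/MD5-Challenge confirms it is only offering EAP-MD5; an Identity response beginning with `host/` while the machine sits at the logon screen is the evidence that the computer account, not the user, authenticated.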
Ok, found out what the problem was with my certs. Basically I needed to rebuild the CA as an Enterprise root rather than a stand-alone root, and that works. I have been testing this today and I can authenticate as computer.
Test1:
Laptop - Win XP SP2, Local logon.
Authenticate as computer enabled
Automatically use windows logon disabled
Reboot
After I have logged on locally I am prompted for credentials
DOT1X Authentication Successful.
Test2:
Laptop - Win XP SP2, Domain Logon
Authenticate as computer enabled
Automatically use windows logon ENABLED
Reboot
Logon to laptop with domain username & password
DOT1X Authentication Successful.
Can you try the above tests and report back your results for comparison?
Yes, you're right... it's the user account being used. If I just let the machine sit at the logon prompt then no authentication happens. I am going to have to get in contact with development and ask if machine authentication is possible.
tquinna
May 8th, 2006 14:00
Adam N
May 8th, 2006 14:00
Thanks
Adam N
May 9th, 2006 07:00
Sorry I cannot be of any further help.
Regards
Adam N
May 9th, 2006 11:00
Sorry..
Rgds
tquinna
May 9th, 2006 11:00
tquinna
May 9th, 2006 12:00
Adam N
May 9th, 2006 12:00
Thanks
tquinna
May 9th, 2006 13:00
tquinna
May 9th, 2006 13:00
Adam N
May 10th, 2006 07:00
tquinna
May 10th, 2006 12:00
tquinna
May 10th, 2006 12:00
Tom
Adam N
May 10th, 2006 12:00
Thanks
Adam N
May 10th, 2006 13:00
tquinna
May 10th, 2006 14:00