RE: 802.1x with machine authentication and XP SP3

From: Ryan West <rwest_at_zyedge.com>
Date: Fri, 2 Oct 2009 11:24:25 -0400

Lora,

It's nice to use ACS when it really makes a difference. Since AD already has to be extended (assumption of a 2003 domain) to support the added supplicant information, it seems easiest to just use IAS at that point. This will give you one neck to wring.

http://www.microsoft.com/downloads/details.aspx?FamilyID=60c5d0a1-9820-480e-aa38-63485eca8b9b&displaylang=en

Inside this document, there is a link to enable wireless LAN PEAP auth, but there are two schema extensions in there as well. One for wired and another for wireless. Applying the extension should allow you to configure the proper GPO settings that both IAS/ACS would be expecting. I found a walkthrough a while back that shows wired PEAP auth with dynamic VLAN assignments for use with IAS. If you want, I can forward this along to you as well.

Good luck,

-ryan

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Lora Ganeva
Sent: Friday, October 02, 2009 9:05 AM
To: ccielab_at_groupstudy.com
Subject: 802.1x with machine authentication and XP SP3

Hello experts,

I am running a small project with Windows XP SP3 native supplicants using
machine authentication towards cisco 3560 switches and the newest Cisco ACS
5.0. Machine authentication is done via PEAP/MSCHAPv2 towards Microsoft AD.
I am having a lot of troubles, mainly because of my poor knowledge of Microsoft
technologies. Here is one of them - the most common reasons for
computers to fail authentication towards AD:

Invalid EAP payload type

Cisco has reported this to happen when there is a problem with the supplicant.
Unfortunately, my supplicants are having such problems from time to time
only.

In addition, I have updated the PCs, applied one hotfix for fixing up failed
authentication after reboot and made all the recommended settings through
Group Policy. The issue appears in the middle of the day, not after reboot or
any other specific activity.

Any help will be appreciated,

Regards,
Lora

Received on Fri Oct 02 2009 - 11:24:25 ART