Hi Lora,
Can we see the failed authentication ACS logs please? I have seen similar
issues around expired certificates but the fact that yours is intermittent
makes it a bit tricky!
Sadiq
On Fri, Oct 2, 2009 at 4:56 PM, Lora Ganeva <L.Ganeva_at_mobiltel.bg> wrote:
> Hi,
>
> actually our domain is 2008 and we don't need the schema extension :(
>
> Thanks for help anyway
>
> On 02.10.2009, at 18:24, "Ryan West" <rwest_at_zyedge.com> wrote:
>
>> Lora,
>>
>> It's nice to use ACS when it really makes a difference. Since AD already
>> has to be extended (assumption of a 2003 domain) to support the added
>> supplicant information, it seems easiest to just use IAS at that point.
>> This will give you one neck to wring.
>>
>>
>> http://www.microsoft.com/downloads/details.aspx?FamilyID=60c5d0a1-9820-480e-aa38-63485eca8b9b&displaylang=en
>>
>> Inside this document, there is a link to enable wireless LAN PEAP auth,
>> but there are two schema extensions in there as well. One for wired and
>> another for wireless. Applying the extension should allow you to configure
>> the proper GPO settings that both IAS/ACS would be expecting. I found a
>> walk through a while back that shows wired PEAP auth with dynamic VLAN
>> assignments for use with IAS. If you want I can forward this along to you
>> as well.
>>
>> Good luck,
>>
>> -ryan
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Lora Ganeva
>> Sent: Friday, October 02, 2009 9:05 AM
>> To: ccielab_at_groupstudy.com
>> Subject: 802.1x with machine authentication and XP SP3
>>
>> Hello experts,
>>
>> I am running a small project with Windows XP SP3 native supplicants using
>> machine authentication towards Cisco 3560 switches and the newest Cisco
>> ACS 5.0. Machine authentication is done via PEAP/MSCHAPv2 towards Microsoft
>> AD. I am having a lot of trouble, mainly because of my poor knowledge of
>> Microsoft technologies. Here is one of them - the most common reasons for
>> computers to fail authentication towards AD:
>>
>> Invalid EAP payload type
>>
>> Cisco has reported this to happen when there is a problem with the
>> supplicant. Unfortunately, my supplicants are having such problems from
>> time to time only.
>>
>> In addition, I have updated the PCs, applied one hotfix for fixing up
>> failed authentication after reboot and made all the recommended settings
>> through Group Policy. The issue appears in the middle of the day, not after
>> reboot or any other specific activity.
>>
>> Any help will be appreciated,
>>
>> Regards,
>> Lora
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>>
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
-- CCIE #19963

Received on Fri Oct 02 2009 - 17:01:36 ART
This archive was generated by hypermail 2.2.0 : Sun Nov 01 2009 - 07:50:59 ART