
802.1X, Windows supplicant & Microsoft IAS

14 Nov 2005 8:24 PM
Guillaume Tamboise
Hello,

I am trying to set up 802.1X for wired access.
I have two kinds of clients, running Windows 2000 and Windows XP, but
all the following tests are carried out on Windows XP SP2.
IAS is running on a Windows 2000 server (SP4), that is also an AD domain
controller.
The router is a Cisco 2950 running 12.1(20)EA2.

I am planning on
- using PEAP,
- setting SupplicantMode to 3 (Transmit EAPOL-Start per 802.1x standard),
- setting AuthMode to 1 (computer authentication with re-authentication),
- Interface: "Show icon in task bar when connected"
- "Authenticate as computer when computer information is available",
- "Validate server certificate" against my Microsoft CA certificate,
- "Automatically use my Windows logon name and password (and domain if
any)".

During the boot-up process, I can see that the machine authenticates
successfully. I enter my domain username and password, the login process
starts, but when the user authentication is supposed to kick in,
authentication fails twice and works only the third time.
I do not see the failure in the IAS logs. I see it
- on the client computer ("Windows could not log you on the network" or
something similar in a bubble, in the bottom right corner of the screen)
- in the eap exchange, as I am getting an EAP frame code 4 (failure) for
each failure.

Basically, here is the full boot-up process:
- Client machine powers up
- Windows supplicant says "EAPOL Start"
- Switch requests identity
- Windows supplicant provides "host/computer_name"
- TLS session established, then 8 TLS frames are exchanged
- Switch sends EAP code 3 (success)
Then the user attempts to log in:
- Windows supplicant says "EAPOL Start"
- Switch requests identity
- Windows supplicant provides "domain\account"
- TLS session established, then 6 TLS frames are exchanged
- 30 seconds later, switch gets tired and requests identity
During those 30 seconds, Windows XP complains with a "click here to
process your logon information for the network". It then shows the icon
with an unavailable network connection.
- Windows supplicant provides "domain\account"
- TLS session established, then 8 TLS frames are exchanged
- Switch sends EAP code 3 (success).


If at any time I unplug my computer and plug it into an 802.1X port, it
manages to authenticate just fine.
The only problem is really the boot-up process, with these two symptoms
to get rid of:
- Total of 141 seconds between the "user" EAPOL Start and the EAP
Success. At least 30 seconds result from a timeout, either from the
supplicant or from IAS (see values later).
- Error messages coming from the supplicant that are going to confuse
users regarding the state of their network logon.


The router has a pretty standard configuration:

interface FastEthernet0/1
description whatever
switchport access vlan 123
switchport mode access
speed 100
duplex full
dot1x port-control auto
dot1x timeout reauth-period 7200
dot1x reauthentication
spanning-tree portfast
end

with a

$ show dot1x interface fastEthernet 0/1
Supplicant MAC 0000.1234.1234
   AuthSM State      = AUTHENTICATED
   BendSM State      = IDLE
PortStatus        = AUTHORIZED
MaxReq            = 2
HostMode          = Single
Port Control      = Auto
QuietPeriod       = 60 Seconds
Re-authentication = Enabled
ReAuthPeriod      = 7200 Seconds
ServerTimeout     = 30 Seconds
SuppTimeout       = 30 Seconds
TxPeriod          = 30 Seconds
Guest-Vlan        = 0


Anyone having already faced this issue, and with a fix available?

Thanks


Guillaume Tamboise
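The user-logon exchange described in the post, decoded and timed, as an added example that is not part of the original post and not Microsoft or Cisco tooling. It parses Ethernet/EAPOL/EAP headers from a capture (EAPOL-Start, Request/Response Identity, PEAP, Success, Failure), then measures the time from the EAPOL-Start to the EAP Success and flags any silence of at least SuppTimeout/ServerTimeout (30 s on the 2950 above). Which side spoke last before the silence tells you who was still waiting, which is the question left open in the post: a silence after a switch Request means the supplicant stalled, a silence after a supplicant Response means the switch or its RADIUS server (IAS) stalled. The MAC addresses, timestamps and PEAP payload bytes are constructed to resemble the sequence in the post, not taken from a real capture, so the verdict printed here is for the constructed data only.

```python
"""Decode 802.1X EAPOL/EAP frames and locate the stall in a PEAP exchange.
Frames are constructed to resemble the user-logon phase described above;
they are not a real capture."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 25: "PEAP"}

SWITCH_MAC = bytes.fromhex("001122334455")   # assumed authenticator address
PC_MAC = bytes.fromhex("000012341234")       # assumed supplicant address
PAE_GROUP = bytes.fromhex("0180c2000003")    # 802.1X PAE group address


@dataclass
class Event:
    t: float                 # capture timestamp, seconds
    from_switch: bool        # True when the authenticator sent the frame
    eapol_type: str
    eap_code: Optional[str] = None
    eap_id: Optional[int] = None
    eap_type: Optional[str] = None
    identity: Optional[str] = None


def build_eap(code: int, eap_id: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """EAP header (code, id, length) plus optional type byte and type data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, eap_id, 4 + len(body)) + body


def build_eapol(src: bytes, dst: bytes, eapol_type: int, body: bytes = b"") -> bytes:
    """Ethernet II frame carrying an EAPOL v1 PDU."""
    hdr = struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, eapol_type, len(body))
    return dst + src + hdr + body


def decode(t: float, frame: bytes) -> Optional[Event]:
    """Parse Ethernet + EAPOL (+ EAP) headers; return None for non-EAPOL frames."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    src = frame[6:12]
    _ver, etype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    ev = Event(t, src == SWITCH_MAC, EAPOL_TYPES.get(etype, f"type{etype}"))
    if etype == 0 and len(body) >= 4:             # EAP-Packet
        code, eap_id, elen = struct.unpack("!BBH", body[:4])
        ev.eap_code = EAP_CODES.get(code, f"code{code}")
        ev.eap_id = eap_id
        if code in (1, 2) and elen >= 5:          # Request/Response carry a type
            ev.eap_type = EAP_TYPES.get(body[4], f"type{body[4]}")
            if code == 2 and body[4] == 1:        # Response/Identity carries the name
                ev.identity = body[5:elen].decode("utf-8", "replace")
    return ev


def analyse(events: List[Event], supp_timeout: float = 30.0) -> Tuple[Optional[float], list]:
    """Seconds from the first EAPOL-Start to EAP Success, plus every silence of
    at least supp_timeout.  The side that spoke last before a silence was the
    one still waiting, so the other side is the one that stalled."""
    start = next((e.t for e in events if e.eapol_type == "EAPOL-Start"), None)
    success = next((e.t for e in events if e.eap_code == "Success"), None)
    stalls = []
    for prev, nxt in zip(events, events[1:]):
        gap = nxt.t - prev.t
        if gap >= supp_timeout:
            stalled = "supplicant" if prev.from_switch else "authenticator/RADIUS"
            stalls.append((prev.t, round(gap, 3), stalled))
    total = None if start is None or success is None else success - start
    return total, stalls


def sample_capture() -> List[Tuple[float, bytes]]:
    """Constructed frames mirroring the post's user-logon phase (not real data)."""
    sw = lambda t, eap: (t, build_eapol(SWITCH_MAC, PC_MAC, 0, eap))
    pc = lambda t, eap: (t, build_eapol(PC_MAC, PAE_GROUP, 0, eap))
    frames = [(0.00, build_eapol(PC_MAC, PAE_GROUP, 1))]            # EAPOL-Start
    frames += [sw(0.01, build_eap(1, 1, 1)),                          # Request/Identity
               pc(0.02, build_eap(2, 1, 1, b"domain\\account"))]
    t = 0.05
    for i in range(2, 5):                                             # 6 PEAP frames
        frames += [sw(t, build_eap(1, i, 25, b"\x00")), pc(t + 0.01, build_eap(2, i, 25, b"\x00"))]
        t += 0.05
    frames += [sw(30.30, build_eap(4, 4)),                            # EAP Failure
               sw(30.31, build_eap(1, 5, 1)),                         # switch retries identity
               pc(30.32, build_eap(2, 5, 1, b"domain\\account"))]
    t = 30.35
    for i in range(6, 10):                                            # 8 PEAP frames
        frames += [sw(t, build_eap(1, i, 25, b"\x00")), pc(t + 0.01, build_eap(2, i, 25, b"\x00"))]
        t += 0.05
    frames.append(sw(30.80, build_eap(3, 9)))                         # EAP Success
    return frames


def run(supp_timeout: float = 30.0):
    events = [ev for t, f in sample_capture() if (ev := decode(t, f)) is not None]
    return analyse(events, supp_timeout)


if __name__ == "__main__":
    total, stalls = run()
    print(f"EAPOL-Start -> EAP Success: {total:.2f} s")
    for at, gap, who in stalls:
        print(f"silence of {gap} s after t={at:.2f}: {who} stalled")
```

To use it on a real trace, replace sample_capture() with frames and timestamps read from a pcap of the client's port (for instance via a SPAN session on the switch); if the stall is reported on the authenticator/RADIUS side, the 30 s matches the switch's ServerTimeout waiting on IAS, and if it is on the supplicant side, it matches SuppTimeout waiting on Windows.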

14 Nov 2005 8:27 PM
Rick B
This does not appear to have anything to do with implementing security in
Microsoft Access.

I'd suggest reposting to an appropriate newsgroup.  Maybe a Windows security
newsgroup?

--
Rick B



"Guillaume Tamboise" <gtambo***@gmail.com> wrote in message
news:Oeb1glV6FHA.2608@tk2msftngp13.phx.gbl...