Educause Security Discussion mailing list archives

Re: 802.1x authentication


From: "Stewart, Ian" <istewart () UMASSP EDU>
Date: Mon, 21 Nov 2005 10:54:28 -0500

FWIW I was only able to get Windows XP clients to obtain an IP address
by using (Microsoft) certificate services and EAP. The client needed
both a user and a machine cert, and the MS IAS server (instead of ACS)
also needed a certificate. I could send a Word document describing the
design.

-Ian

-----Original Message-----
From: David Warner [mailto:dwarner01 () WESLEYAN EDU] 
Sent: Monday, November 21, 2005 10:38 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] 802.1x authentication

I've been testing the 802.1x authentication on Cisco Catalyst switches with
the ACS RADIUS server with an Active Directory authentication database and
a Microsoft Windows XP client machine.

I have found that I am unable to use the Windows credentials for dot1x
authentication when a new user is using a machine.  The process of logging
into the machine and changing the user's VLAN often causes the machine to
be unable to obtain an IP address.  Cisco has recommended to not use the
Windows credentials and to use the separate dot1x authentication, but we
were hoping to avoid multiple logins.

Another issue is that the current Windows XP implementation stores the
dot1x credentials in the registry.  The username, password and domain are
all cached in current_user\software\microsoft\eapol\UserEapInfo.  Unless
this entry is deleted it is always used to determine the user
credentials.  This is also a problem when a different person tries to use
the same machine in a lab or classroom shared machine.

Has anyone encountered these problems and found a workaround?

TIA
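The cached-credential problem described in the original post (the dot1x username, password and domain persisting under the user's EAPOL\UserEapInfo key until someone deletes it) is the one part of the thread that lends itself to a scripted workaround for shared lab machines. The script below is an added example written for this archive page, not something posted by either participant: it removes the cached EAPOL entry for the user who is logging off, so the next person at the keyboard is prompted for their own dot1x credentials rather than silently reusing the previous user's. The registry path is the one named in the post; the function name, the use of PowerShell rather than a batch file, and the assumption that the cached material lives in subkeys beneath that key are mine.

```powershell
# Added example (not from the original thread): clear the per-user 802.1x
# (EAPOL) credential cache on a shared Windows XP machine so the next user is
# prompted for their own dot1x credentials. Intended to be deployed as a
# Group Policy user logoff script; HKCU then refers to the user logging off.

function Clear-EapolUserCache {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Path from the original post; only the hive spelling is normalised.
        [string] $KeyPath = 'HKCU:\Software\Microsoft\EAPOL\UserEapInfo'
    )

    if (-not (Test-Path -Path $KeyPath)) {
        Write-Verbose "No cached EAPOL credentials found at $KeyPath"
        return 0
    }

    # Count the subkeys about to be removed so the script's output is useful
    # when troubleshooting later why a dot1x prompt did or did not appear.
    # (Assumption: the cached data is stored in subkeys under UserEapInfo.)
    $subkeys = @(Get-ChildItem -Path $KeyPath -Recurse -ErrorAction SilentlyContinue)
    $count   = $subkeys.Count

    if ($PSCmdlet.ShouldProcess($KeyPath, 'Remove cached EAPOL user credentials')) {
        # Removing the key itself, not just its values, is what forces the
        # supplicant to ask again instead of reusing the cached entry.
        Remove-Item -Path $KeyPath -Recurse -Force
        # Equivalent on a stock XP box without PowerShell installed:
        #   reg delete HKCU\Software\Microsoft\EAPOL\UserEapInfo /f
    }
    return $count
}

# Run with -WhatIf first on a test machine to see what would be removed.
$removed = Clear-EapolUserCache -Verbose
Write-Output "EAPOL user cache removed ($removed subkeys)."
```

This only addresses the cached-credential issue from the post; it does nothing for the VLAN-change/DHCP failure, for which the reply above describes moving to certificate-based EAP with machine and user certificates instead of Windows credentials. Because the script runs under the departing user's own token, it needs no elevated rights to delete a key in that user's HKCU hive.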
