Educause Security Discussion mailing list archives
Re: 802.1x authentication
From: "Stewart, Ian" <istewart () UMASSP EDU>
Date: Mon, 21 Nov 2005 10:54:28 -0500
FWIW I was only able to get Windows XP clients to obtain an IP address by using (Microsoft) certificate services and EAP. The client needed both a user and a machine cert, and the MS IAS server (instead of ACS) also needed a certificate. I could send a Word document describing the design.

-Ian

-----Original Message-----
From: David Warner [mailto:dwarner01 () WESLEYAN EDU]
Sent: Monday, November 21, 2005 10:38 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] 802.1x authentication

I've been testing the 802.1x authentication on Cisco Catalyst switches with the ACS RADIUS server with an Active Directory authentication database and a Microsoft Windows XP client machine.

I have found that I am unable to use the Windows credentials for dot1x authentication when a new user is using a machine. The process of logging into the machine and changing the user's VLAN often causes the machine to be unable to obtain an IP address. Cisco has recommended not to use the Windows credentials and to use the separate dot1x authentication, but we were hoping to avoid multiple logins.

Another issue is that the current Windows XP implementation stores the dot1x credentials in the registry. The username, password and domain are all cached in current_user\software\microsoft\eapol\UserEapInfo. Unless this entry is deleted it is always used to determine the user credentials. This is also a problem when a different person tries to use the same machine in a lab or classroom shared machine.

Has anyone encountered these problems and found a workaround?

TIA
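The cached-credential problem David describes (the XP supplicant reusing whatever is under HKCU\Software\Microsoft\EAPOL\UserEapInfo until the key is deleted) lends itself to a per-user logoff script. The script below is an added example for this thread, not code from either poster or from Microsoft; it assumes the registry path exactly as reported in the post, assumes nothing about the value names stored under it (it only enumerates them), and assumes Windows PowerShell is installed on the machines in question (it was an optional download for XP SP2, so this is not a given for the 2005 setup). Because the key lives in the user's own hive, the script must run in the logging-off user's context, e.g. as a Group Policy logoff script, not as a machine startup script.

```powershell
# Added example, not from the original thread: remove the cached 802.1X (EAPOL)
# user credentials that the Windows XP supplicant stores per user, so the next
# person on a shared lab or classroom machine is prompted instead of silently
# authenticating to the network as the previous user.
#
# Assumptions: the key path is as reported in the mailing-list post; the value
# names under it are unknown and are only enumerated, never interpreted.
# Written for PowerShell 2.0 compatibility (New-Object PSObject rather than
# [PSCustomObject]) since that is the newest version that runs on XP.

$EapolKey = 'HKCU:\Software\Microsoft\EAPOL\UserEapInfo'

function Get-CachedEapolCredentialInfo {
    # Report whether the cache exists and which value names / subkeys it holds.
    # Deliberately does not read the values out, since one of them is a password.
    if (-not (Test-Path -Path $EapolKey)) { return $null }
    $item = Get-Item -Path $EapolKey
    New-Object PSObject -Property @{
        Key        = $EapolKey
        ValueNames = @($item.GetValueNames())
        SubKeys    = @($item.GetSubKeyNames())
    }
}

function Clear-CachedEapolCredentials {
    # Delete the whole cache key (and any subkeys). Returns $true if something
    # was removed, $false if there was nothing cached for this user.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $info = Get-CachedEapolCredentialInfo
    if ($null -eq $info) {
        Write-Verbose "No cached EAPOL credentials under $EapolKey"
        return $false
    }

    Write-Verbose ("Cached EAPOL entry found: {0} value(s) [{1}], {2} subkey(s)" -f `
        $info.ValueNames.Count, ($info.ValueNames -join ', '), $info.SubKeys.Count)

    if ($PSCmdlet.ShouldProcess($EapolKey, 'Remove cached 802.1X credentials')) {
        Remove-Item -Path $EapolKey -Recurse -Force
    }
    return $true
}

# Intended to be invoked as a per-user logoff script
# (Group Policy: User Configuration > Windows Settings > Scripts > Logoff),
# which is what guarantees it runs against the departing user's HKCU hive.
# Use -WhatIf to see what would be deleted without touching the registry.
Clear-CachedEapolCredentials -Verbose
```

Clearing the key at logoff only addresses the credential-reuse problem on shared machines; it does nothing for the separate issue in the thread of the VLAN change during logon leaving the client without an IP address, which the replies treat as a supplicant/switch timing matter rather than a registry one.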
Current thread:
- 802.1x authentication David Warner (Nov 21)
- <Possible follow-ups>
- Re: 802.1x authentication Stewart, Ian (Nov 21)
- Re: 802.1x authentication Dewitt Latimer (Nov 21)