Educause Security Discussion mailing list archives

Re: 802.1x authentication


From: Dewitt Latimer <dewitt () ND EDU>
Date: Mon, 21 Nov 2005 10:59:35 -0500

David -- you might want to search the Educause Wireless-LAN constituent
group where this topic and 802.1x in general has been heavily discussed.

http://www.educause.edu/WirelessLocalAreaNetworkingConstituentGroup/987

-d

------------------------------
Dewitt Latimer, Ph.D.
Deputy CIO and Chief Technology Officer
The University of Notre Dame
dewitt () nd edu


-----Original Message-----
From: David Warner [mailto:dwarner01 () WESLEYAN EDU]
Sent: Monday, November 21, 2005 10:38 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] 802.1x authentication

I've been testing the 802.1x authentication on Cisco catalyst switches with
the ACS radius server with an Active Directory authentication database and
a Microsoft windows XP client machine.

I have found that I am unable to use the windows credentials for dot1x
authentication when a new user is using a machine.  The process of logging
into the machine and changing the user's vlan often causes the machine to
be unable to obtain an IP address.  Cisco has recommended to not use the
Windows credentials and use the separate dot1x authentication but we were
hoping to avoid multiple logins.

Another issue is that the current windows xp implementation stores the
dot1x credentials in the registry.  The username, password and domain are
all cached in current_user\software\microsoft\eapol\UserEapInfo.  Unless
this entry is deleted it is always used to determine the user
credentials.  This is also a problem when a different person tries to use
the same machine in a lab or classroom shared machine.

Has anyone encountered these problems and found a workaround?

TIA
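One mitigation for the shared-machine problem described in the message above, as an added example that is not from the thread: a PowerShell logoff script that reports, and with -Remove clears, the per-user EAPOL credential cache at the registry path the post names. The key path comes from the post; the layout beneath it (one sub-key per interface) is an assumption, so the script enumerates it generically and hard-codes no value names.

```powershell
# Added example (not from the thread): audit and clear the per-user EAPOL
# credential cache so a shared lab or classroom machine does not silently
# reuse the previous user's 802.1X identity at the next authentication.
# Assumption: key path as quoted in the post; sub-key layout is assumed and
# is enumerated generically. Run as a logoff script in the user's context.

param(
    [switch]$Remove   # without -Remove the script only reports what is cached
)

$eapolKey = 'HKCU:\Software\Microsoft\EAPOL\UserEapInfo'

function Get-CachedEapolEntries {
    # List every value under the cache so the operator can see what would be
    # reused. Value data is not printed: the post says the password lives
    # here, so only key, value name, type and size are shown.
    if (-not (Test-Path $eapolKey)) { return @() }
    $items = @(Get-Item $eapolKey) + @(Get-ChildItem $eapolKey -Recurse)
    foreach ($item in $items) {
        foreach ($name in $item.GetValueNames()) {
            $data = $item.GetValue($name)
            [pscustomobject]@{
                Key   = $item.PSPath -replace '^.*::', ''
                Value = $name
                Kind  = $item.GetValueKind($name)
                Bytes = if ($data -is [byte[]]) { $data.Length } else { "$data".Length }
            }
        }
    }
}

$entries = @(Get-CachedEapolEntries)
if ($entries.Count -eq 0) {
    Write-Output "No cached 802.1X credentials under $eapolKey"
    return
}
$entries | Format-Table -AutoSize

if ($Remove) {
    # Deleting the whole key forces the supplicant to prompt the next user
    # instead of reusing the cached username, password and domain.
    Remove-Item -Path $eapolKey -Recurse -Force
    Write-Output "Removed $eapolKey ($($entries.Count) cached value(s))"
}
```

Running it without -Remove first shows which interfaces hold cached entries, which is also a quick way to confirm on a lab image whether the cache is populated at all.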
