Posted by Andrew on June 26, 2006, 3:41 pm
I'm testing 802.1x host-based authentication using smartcards and am not having any success. Here's my setup:
- WinXP supplicant (using EAP-TLS with AuthMode=1)
- smartcard
- Cisco Switch (wired connection to supplicant)
- Cisco Secure ACS 3.3 (RADIUS server)
- Microsoft AD and CA
Machine authentication works fine using EAP-TLS, but user auth fails with error 997, 703 or 798 (see log below). The supplicant sends an EAPOL_START packet, the switch replies and asks the supplicant to identify itself, but the supplicant never responds. It seems the supplicant can't find or doesn't have access to read the certificate off the smartcard. The smartcard is currently used to log in to the domain and works just fine. I'm hoping that it will act as a single sign-on and authenticate the user on the switch port via 802.1x as well. Is this a supplicant issue with WinXP or is it an issue with the certificate? BTW, using a user certificate stored in the Personal cert store doesn't work either. I know these are valid certs that have the Client Authentication (1.3.6.1.5.5.7.3.2) set.
I'll include what shows up in the log files when I enable tracing (netsh ras set tracing * en).
Thanks for any help you can offer me.
Andrew Jacobs
drewbono (a) hotmail (dot) com
RASTLS log:
[944] 16:03:53:896: EapTlsInvokeIdentityUI
[944] 16:03:53:896: GetCertInfo
[944] 16:04:23:889: EapTlsInvokeIdentityUI
[944] 16:04:23:889: GetCertInfo
[944] 16:04:53:882: EapTlsInvokeIdentityUI
[944] 16:04:53:882: GetCertInfo
[944] 16:05:07:992: EapTlsInvokeIdentityUI
[944] 16:05:07:992: GetCertInfo
EAPOL log:
[944] 16:03:53: ElUserLogonCallback: UserloggedOn = 0
[944] 16:03:53: ElCheckUserModuleReady: No user logged on
[944] 16:03:53: ElEapEnd entered
[944] 16:03:53: FSMLogoff entered for port Broadcom 570x Gigabit Integrated Controller - Packet Scheduler Miniport
[944] 16:03:53: ElEapEnd entered
[944] 16:03:53: Setting state LOGOFF for port Broadcom 570x Gigabit Integrated Controller - Packet Scheduler Miniport
[944] 16:03:53: FSMLogoff completed for port Broadcom 570x Gigabit Integrated Controller - Packet Scheduler Miniport
[944] 16:03:53: ElReStartPort: Entered: Refcnt = 2
[944] 16:03:53: ElGetInterfaceNdisStatistics: pwszDeviceInterfaceName = (\Device\{})
[944] 16:03:53: ElReadPerPortRegistryParams: dwTotalMaxAuthFailCount = (3)
[944] 16:03:53: FSMConnecting entered for port Broadcom 570x Gigabit Integrated Controller - Packet Scheduler Miniport
[944] 16:03:53: TIMER: Restart PCB Time: 60
[944] 16:03:53: ElWriteToPort entered: Pkt Length = 7
[944] 16:03:53: ElWriteToPort: pPCB = 000C3838, RefCnt = 3
[944] 16:03:53: ElWriteToInterface entered
[944] 16:03:53: ElWriteToInterface completed, RetCode = 0
[944] 16:03:53: Setting state CONNECTING for port Broadcom 570x Gigabit Integrated Controller - Packet Scheduler Miniport
[944] 16:03:53: FSMConnecting completed for port Broadcom 570x Gigabit Integrated Controller - Packet Scheduler Miniport
[944] 16:03:53: ElUserLogonCallback: completed with error 0
[944] 16:03:53: ElIoCompletionRoutine called, 19 bytes xferred
[944] 16:03:53: ElReadCompletionRoutine entered, 19 bytes recvd
[944] 16:03:53: ElIoCompletionRoutine called, 19 bytes xferred
[944] 16:03:53: ElWriteCompletionRoutine sent out 19 bytes with error 0
[944] 16:03:53: ElWriteCompletionRoutine: pPCB= 000C3838, RefCnt = 2
[944] 16:03:53: ProcessReceivedPacket entered, length = 19
[944] 16:03:53: ProcessReceivedPacket: Src MAC address of packet matches local address. Ignoring packet
[944] 16:03:53: ProcessReceivedPacket: Reposting buffer on port {}
[944] 16:03:53: ElReadFromPort entered
[944] 16:03:53: ElReadFromPort: pPCB = 000C3838, RefCnt = 3
[944] 16:03:53: ProcessReceivedPacket: pPCB= 000C3838, RefCnt = 3
[944] 16:03:53: ProcessReceivedPacket exit
[944] 16:03:53: ElIoCompletionRoutine called, 60 bytes xferred
[944] 16:03:53: ElReadCompletionRoutine entered, 60 bytes recvd
[944] 16:03:53: ProcessReceivedPacket entered, length = 60
[944] 16:03:53: ProcessReceivedPacket: EAP_Packet
[944] 16:03:53: ProcessReceivedPacket: EAPOLSTATE_CONNECTING
[944] 16:03:53: TIMER: Restart PCB Time: 2097148
[944] 16:03:53: FSMAcquired entered for port Broadcom 570x Gigabit Integrated Controller - Packet Scheduler Miniport
[944] 16:03:53: TIMER: Restart PCB Time: 30
[944] 16:03:53: ElEapEnd entered
[944] 16:03:53: ElEapBegin entered
[944] 16:03:53: ElEapBegin done
[944] 16:03:53: ElEapWork: EapolPkt created at 00104708
[944] 16:03:53: ElEapMakeMessage entered
[944] 16:03:53: ElParseIdentityString: Packet length 5 less than minimum 5
[944] 16:03:53: ElGetIdentity: Userlogged, Prev !Machine auth
[944] 16:03:53: ElGetIdentity: Userlogged, <Maxauth, Prev !Machine auth: !MD5
[944] 16:03:53: ElGetUserIdentity entered
[944] 16:03:53: ElGetEapKeyFromToken: RegOpenKeyEx failed with error 2
[944] 16:03:53: ElGetEapUserInfo: Error in ElGetEapKeyFromToken 2
[944] 16:03:53: ElGetUserIdentityOptimized: Error in calling GetIdentity = 798
[944] 16:03:53: ElGetLoggedOnUserName: Got User Name [CORRECT DOMAIN]\[CORRECT USERNAME]
[944] 16:03:53: ElCheckUserModuleReady: No appropriate advise found
[944] 16:03:53: ElGetUserIdentity: TrayIcon NOT ready
[944] 16:03:53: ElGetUserIdentity completed with error 997
[944] 16:03:53: ElGetIdentity: Error in ElGetUserIdentity 997
[944] 16:03:53: ElGetIdentity: Userlogged, <Maxauth, Prev !Machine auth: No Error: User Auth fine
[944] 16:03:53: ElEapMakeMessage: Error in ElGetIdentity 997
[944] 16:03:53: ElEapWork: ElEapMakeMessage returned error 997
[944] 16:03:53: Setting state ACQUIRED for port Broadcom 570x Gigabit Integrated Controller - Packet Scheduler Miniport
[944] 16:03:53: FSMAcquired completed for port Broadcom 570x Gigabit Integrated Controller - Packet Scheduler Miniport
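The exchange the post describes, encoded and decoded in Python as an added example (this is not code from the original post or from any of the products named in it): the supplicant's EAPOL-Start, the switch's EAP-Request/Identity, and the EAP-Response/Identity a working supplicant sends back, which is the step that never happens in the trace above. Frame layouts follow IEEE 802.1X and RFC 3748; the MAC addresses and the identity string are constructed for the example. A Request/Identity with no Type-Data is exactly 5 bytes (Code, Identifier, two-byte Length, Type), which is consistent with the "Packet length 5" line in the EAPOL log, and the 60-byte receive is the Ethernet minimum frame size, so the parser treats bytes past the EAPOL Length as padding rather than as protocol data.

```python
import struct

# Standard values from IEEE 802.1X / RFC 3748 (not taken from the post).
ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")  # 802.1X PAE multicast destination
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS"}

# Constructed MAC addresses for this example; they are not from the poster's trace.
SUPPLICANT_MAC = bytes.fromhex("001122334455")
SWITCH_MAC = bytes.fromhex("00aabbccddee")


def build_eapol_frame(dst: bytes, src: bytes, eapol_type: int, body: bytes = b"", pad_to: int = 60) -> bytes:
    """Ethernet II header + EAPOL header (version 1) + body, zero-padded as it would appear on the wire."""
    frame = dst + src + struct.pack("!H", ETHERTYPE_EAPOL)
    frame += struct.pack("!BBH", 1, eapol_type, len(body)) + body
    return frame.ljust(pad_to, b"\x00")


def parse_eap(body: bytes) -> dict:
    """Parse one EAP packet: Code, Identifier, Length, then Type and Type-Data for Request/Response."""
    if len(body) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError(f"EAP Length {length} inconsistent with {len(body)} bytes available")
    eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("EAP Request/Response must carry a Type byte")
        eap["type"] = EAP_TYPES.get(body[4], f"unknown({body[4]})")
        eap["type_data"] = body[5:length]  # empty for a bare Request/Identity
    return eap


def parse_eapol_frame(frame: bytes) -> dict:
    """Parse an Ethernet frame carrying EAPOL; bytes past the EAPOL Length field are padding."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL headers")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not an EAPOL frame: ethertype 0x{ethertype:04x}")
    version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    if len(frame) < 18 + body_len:
        raise ValueError("EAPOL body truncated")
    parsed = {
        "dst": dst.hex(":"), "src": src.hex(":"), "version": version,
        "eapol_type": EAPOL_TYPES.get(eapol_type, f"unknown({eapol_type})"),
        "body_len": body_len, "padding": len(frame) - 18 - body_len,
    }
    if eapol_type == 0:
        parsed["eap"] = parse_eap(frame[18:18 + body_len])
    return parsed


def build_identity_response(request_frame: bytes, identity: str) -> bytes:
    """The reply a working supplicant sends to EAP-Request/Identity: same Identifier, Type 1, identity text."""
    req = parse_eapol_frame(request_frame)
    eap_req = req.get("eap", {})
    if eap_req.get("code") != "Request" or eap_req.get("type") != "Identity":
        raise ValueError("frame is not an EAP-Request/Identity")
    ident_bytes = identity.encode("utf-8")
    eap = struct.pack("!BBHB", 2, eap_req["id"], 5 + len(ident_bytes), 1) + ident_bytes
    # The response is addressed to the authenticator that sent the request.
    return build_eapol_frame(request_frame[6:12], request_frame[0:6], 0, eap)


# Step 1: supplicant -> PAE group address, EAPOL-Start (the post's "EAPOL_START packet").
EAPOL_START = build_eapol_frame(PAE_GROUP_ADDRESS, SUPPLICANT_MAC, 1)
# Step 2: switch -> supplicant, EAP-Request/Identity: Code 1, Id 1, Length 5, Type 1, no Type-Data.
REQUEST_IDENTITY = build_eapol_frame(SUPPLICANT_MAC, SWITCH_MAC, 0, struct.pack("!BBHB", 1, 1, 5, 1))
# Step 3: the reply that is missing in the trace (constructed identity, not the poster's account).
RESPONSE_IDENTITY = build_identity_response(REQUEST_IDENTITY, "EXAMPLE\\user1")

if __name__ == "__main__":
    for name, frame in [("EAPOL-Start", EAPOL_START),
                        ("EAP-Request/Identity", REQUEST_IDENTITY),
                        ("EAP-Response/Identity", RESPONSE_IDENTITY)]:
        print(name, parse_eapol_frame(frame))
```

Running the block prints all three decoded frames; the Request/Identity decodes with `length` 5 and 37 bytes of padding, and the Response carries the same Identifier as the Request so the authenticator can match them.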