problem with Authenticate both User and Workstation with 802.1X

  • Question

  • Hi,

    I have the above problem. My setup is:

    - cisco 4506 switch

    - WLC5508

    - 802.1x/PEAP configured

    The supplicant on Win7 is configured for 802.1x/PEAP with "user and computer authentication". The problem is that it doesn't work.

    My problem is similar to

    http://social.technet.microsoft.com/Forums/en-AU/winserverNAP/thread/cab0a8c6-24fa-4046-a124-902d2e9dc634

    http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/2f6a0146-fbb2-4603-a1fa-30d4d4386c94

    So basically what is happening is the following:

    - win7 machine is booting up

    - it is 802.1x correctly authenticated (machine/computer auth succeeded)

    - now the end user is trying to log into AD domain

    - he/she is able to do that but the auth server doesn't show anything about 802.1x authentication of the user (despite the settings: user or computer auth)

    When I choose:

    - user authentication only everything is working ok

    - computer only auth everything is working ok

    - when I choose both of them it doesn't work

    Can anyone solve that problem?

    Wednesday, January 4, 2012 10:54 PM

Answers

  • Hi,

    Thanks for posting here.

    According to your description, I assume that you are setting a user group and a machine group in the conditions to give access when a specific user logs on with a specific computer. If I am wrong, please correct me. Please note that even if we set 802.1X to use “user or computer authentication”, the NPS cannot judge both conditions in an access request. When authenticating, you are providing a single set of credentials. It’s either a user’s credentials or a machine’s credentials. RADIUS is not validating anything else at a time.

    So before the user logs on, NPS verifies the computer credential for access. If a user logs in, NPS only verifies the user credential and has no method to also check that the machine meets the condition. This is not a limitation of Windows, but of the currently available authentication methods. Your understanding is highly appreciated.

    Best Regards,

    Aiden

    • Marked as answer by Aiden_Cao Monday, January 16, 2012 1:18 AM
    Friday, January 6, 2012 2:05 AM
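The answer above comes down to one observable fact: every RADIUS access request that NPS audits carries exactly one identity, either the computer (`host/<fqdn>`) or the user. The following PowerShell is an added example, not code from the thread, that makes this visible on the NPS server by reading the NPS audit events (6272 = access granted, 6273 = access denied) from the Security log and tabulating which identity each one carried. It assumes you run it on the NPS with rights to read the Security log, and it assumes the EventData field names `SubjectUserName`, `NetworkPolicyName`, `EAPType` and `CallingStationID` as they appear in those events; if your events use different names, adjust the lookups.

```powershell
# Added example (not part of the original thread): list NPS authentications from
# the last 24 hours and show that each one carries a single identity.
# Assumptions: run on the NPS server; Security log readable; EventData field
# names as used below (SubjectUserName = "Account Name" in the event text).
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $identity = $data['SubjectUserName']
    # Computer (machine) authentication presents the account as host/<fqdn>;
    # anything else is a user account.
    $kind   = if ($identity -like 'host/*') { 'Computer' } else { 'User' }
    $result = if ($e.Id -eq 6272) { 'Granted' } else { 'Denied' }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Result    = $result
        Kind      = $kind
        Identity  = $identity
        Policy    = $data['NetworkPolicyName']
        EapType   = $data['EAPType']
        ClientMac = $data['CallingStationID']   # the supplicant's MAC as sent by the switch/WLC
    }
}

# One identity per event: a request is either a computer or a user, never both.
$rows | Sort-Object Time | Format-Table Time, Result, Kind, Identity, Policy, EapType -AutoSize

# Grouped per workstation MAC: a machine that is set to "user or computer
# authentication" produces a Computer event at boot and, if the supplicant
# re-authenticates, a separate User event after logon.
$rows | Group-Object ClientMac | ForEach-Object {
    [pscustomobject]@{
        ClientMac = $_.Name
        Computer  = @($_.Group | Where-Object { $_.Kind -eq 'Computer' }).Count
        User      = @($_.Group | Where-Object { $_.Kind -eq 'User' }).Count
        Denied    = @($_.Group | Where-Object { $_.Result -eq 'Denied' }).Count
    }
} | Format-Table -AutoSize
```

For the symptom in the question (the server shows no user authentication after logon), a MAC row with a Computer count of one or more and a User count of zero confirms that the supplicant never sent a second, user-credential request, which is what to investigate on the client side; a policy whose conditions require both a machine group and a user group will show up only in the Denied column, because no single request can satisfy both.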