Access rejected on switch Extreme using 802.1x and strange user logon identity

From: Marcos (anonymous_at_discussions.microsoft.com)
Date: 01/19/05


Date: Wed, 19 Jan 2005 09:11:25 -0800

Greetings.

I'm trying to set up 802.1x with PEAP/MSCHAPv2 on a wired
network, but the identity of the user is strange. The
switch is receiving user marcos@matrix (it is not a UPN).
The domain is matrix.com and I'm not using a UPN at login.

The user is authenticated by AD and the IAS server grants
access, but the authentication fails at the workstation.

Additionally, I followed the instructions of the "Enterprise
Deployment of Secure Wired Networks Using Microsoft
Windows" article.

I'm using two labs and I'm receiving the same error.

Lab 1: DC Win2000 SP4, DNS/WINS/DHCP Win2000 SP4, IAS/CA
2003 (English version).
Clients: Windows 2000 Professional SP4 and XP SP2
(Portuguese version).

Lab 2: DC Win2000 SP4, DNS/WINS/DHCP Win2000 SP4, IAS/CA
2003 (English version).
Clients: Windows 2000 Professional SP4 and XP SP2
(Portuguese version).

Below, I attached some logs:

Strange user identity received by switch from Windows
2000/XP Workstation
======================================================
* Summit200-48:17 # sh net po 35 teste
Port: 35 Vlan: teste
Port State: Not Authenticated
Temp IP: 169.254.102.57
DHCP: Not Enabled

MAC                 IP address       Auth  Type    ReAuth-Timer  User
------------------------------------------------------------------
00:10:4B:C7:64:47   169.254.102.57   No    802.1x  58            marcos@MATRIX

Quiet Period Timer:0 Num. Authentication Attempt Failed:2
======================================================

Successful login at IAS
======================================================
Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 18/1/2005
Time: 15:10:50
User: N/A
Computer: TLABSESUP
Description:
User Marcos was granted access.
 Fully-Qualified-User-Name = matrix.com/Users/Marcos
 NAS-IP-Address = 10.1.3.101
 NAS-Identifier = <not present>
 Client-Friendly-Name = SwitchExtreme
 Client-IP-Address = 10.1.3.101
 Calling-Station-Identifier = 169.254.102.57
 NAS-Port-Type = Ethernet
 NAS-Port = <not present>
 Proxy-Policy-Name = 802.1x-Connection
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = 802.1x-Lab2003
 Authentication-Type = PEAP
 EAP-Type = Secured password (EAP-MSCHAP v2)

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
======================================================

Successful login at Active Directory
======================================================
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 18/1/2005
Time: 15:10:50
User: MATRIX\Marcos
Computer: TLABSESUP
Description:
Successful Network Logon:
         User Name: Marcos
         Domain: MATRIX
         Logon ID: (0x0,0x838F4)
         Logon Type: 3
         Logon Process: CHAP
         Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
         Workstation Name:
         Logon GUID: -
         Caller User Name: TLABSESUP$
         Caller Domain: MATRIX
         Caller Logon ID: (0x0,0x3E7)
         Caller Process ID: 892
         Transited Services: -
         Source Network Address: -
         Source Port: -

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
======================================================
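Added example, not part of the original post: a small Python correlator that reads the three identity spellings that appear in the logs above (marcos@MATRIX at the switch, MATRIX\Marcos in the AD audit, matrix.com/Users/Marcos at IAS), normalizes them to one (realm, user) pair, and flags the condition the post describes, an Access-Accept at IAS while the switch port remains Not Authenticated. The sample inputs are constructed from the quoted log excerpts, condensed onto single lines; the attribute names are the ones IAS prints in the event above.

```python
import re

# Constructed sample inputs, condensed from the log excerpts quoted in the post.
SWITCH_OUTPUT = """Port: 35 Vlan: teste
Port State: Not Authenticated
00:10:4B:C7:64:47 169.254.102.57 No 802.1x 58 marcos@MATRIX"""

IAS_EVENT = """User Marcos was granted access.
 Fully-Qualified-User-Name = matrix.com/Users/Marcos
 Client-IP-Address = 10.1.3.101
 Calling-Station-Identifier = 169.254.102.57
 Authentication-Type = PEAP"""

def normalize_identity(ident):
    """Reduce the three spellings seen in the logs (user@REALM from the switch,
    DOMAIN\\user from the AD audit, dns-domain/OU/user from IAS) to (realm, user)."""
    ident = ident.strip()
    if "/" in ident:                     # IAS Fully-Qualified-User-Name
        realm, user = ident.split("/", 1)[0], ident.rsplit("/", 1)[1]
    elif "\\" in ident:                  # DOMAIN\user
        realm, user = ident.split("\\", 1)
    elif "@" in ident:                   # user@REALM, as the NAS received it
        user, realm = ident.rsplit("@", 1)
    else:
        return ("", ident.lower())
    # matrix.com and MATRIX name the same domain: compare on the short name
    return (realm.split(".")[0].lower(), user.lower())

def parse_ias_event(text):
    """Parse the 'Attribute = value' lines of an IAS event description."""
    attrs = dict(re.findall(r"^\s*([\w-]+)\s*=\s*(.*?)\s*$", text, re.M))
    attrs["granted"] = "was granted access" in text
    return attrs

def parse_switch_port(text):
    """Extract port state and the MAC row (MAC, IP, ..., identity) from 'sh net po'."""
    state = re.search(r"Port State:\s*(.+)", text).group(1).strip()
    row = re.search(r"^([0-9A-F]{2}(?::[0-9A-F]{2}){5})\s+(\S+).*\s(\S+)$", text, re.M)
    return {"state": state, "mac": row.group(1), "ip": row.group(2), "identity": row.group(3)}

def correlate(switch, ias):
    """Findings a defender wants: NAS and RADIUS disagree on the identity, or RADIUS
    said yes while the port never reached Authenticated (EAP never completed)."""
    if switch["ip"] != ias.get("Calling-Station-Identifier"):
        return ["no match on Calling-Station-Identifier"]
    findings = []
    if normalize_identity(switch["identity"]) != normalize_identity(ias["Fully-Qualified-User-Name"]):
        findings.append("identity mismatch between NAS and RADIUS server")
    if ias["granted"] and switch["state"] != "Authenticated":
        findings.append("RADIUS granted access but port state is " + switch["state"])
    return findings
```

Running `correlate(parse_switch_port(SWITCH_OUTPUT), parse_ias_event(IAS_EVENT))` on the constructed input reports only the granted-but-not-authenticated condition, since all three identity spellings reduce to the same (realm, user).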
