Re: 802.1X Machine Authentication Failure on Windows XP SP2


If I'm understanding your question... You need to add the computer accounts
in AD to whatever group you are using that allows the users access. You can
just add domain computers to the group.

Cheers,

--
Mark Gamache
Certified Security Solutions
http://www.css-security.com



"rarmknecht" <rarmknecht@xxxxxxxxx> wrote in message
news:1115835468.214182.236320@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Here's our setup:
> - Cat 6500 Switches
> - Cisco ACS 3.3 on Windows 2003 Server
> - Certificate Authority on Windows 2003 Enterprise Server
> - Windows XP Professional w/ SP2 on client machines
> - Certificate is installed and selected
> - PEAP and MS-MD5-CHAP v2 are selected
> - Authenticate as computer... checkbox checked
> - Active Directory is also on a 2003 Server box
>
> Here's the problem as we see it:
>
> Machine authentication is failing during the boot process of the client
> PC. This prevents it from grabbing updated GPOs as well as preventing
> users of the domain with non-cached passwords from logging onto the
> client machine. In addition, the machine will not recieve an IP
> address until a user logs on and its successfully authenticated. User
> Authentication works no problem.
>
> The errors that we see:
>
> From the logs on the ACS box we see the following error.
> Date 05/09/2005
> Time 10:11:52
> Message-Type Authen failed
> User-Name host/mypc.company.com
> Group-Name ..
> Caller-ID 00-AA-BB-CC-DD-EE
> Authen-Failure-Code External DB account restriction
> Author-Failure-Code ..
> Author-Data ..
> NAS-Port 120
> NAS-IP-Address 172.19.133.254
>
> From the Switch Console with security logging set to debug I grabbed
> the following:
>
> 2005 May 09 10:11:39 CDT -05:00 %ETHC-5-PORTTOSTP:Port 1/20 joined
> bridge port 1/20
> 2005 May 09 10:11:39 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
> backend state for port 1/20 is ABORT
> 2005 May 09 10:11:39 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
> backend state for port 1/20 is FINISHED
> 2005 May 09 10:11:39 CDT -05:00
> %SECURITY-7-DOT1X_AUTHENTICATOR_STATE:DOT1X: authenticator state for
> port 1/20 is CONNECTING
> 2005 May 09 10:11:44 CDT -05:00
> %SECURITY-7-DOT1X_AUTHENTICATOR_STATE:DOT1X: authenticator state for
> port 1/20 is AUTHENTICATING
> 2005 May 09 10:11:44 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
> backend state for port 1/20 is RESPONSE
> 2005 May 09 10:11:45 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
> backend state for port 1/20 is REQUEST
> 2005 May 09 10:11:45 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
> backend state for port 1/20 is RESPONSE
> 2005 May 09 10:11:45 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
> backend state for port 1/20 is REQUEST
> 2005 May 09 10:11:46 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
> backend state for port 1/20 is RESPONSE
> 2005 May 09 10:11:46 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
> backend state for port 1/20 is REQUEST
> 2005 May 09 10:11:46 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
> backend state for port 1/20 is RESPONSE
> 2005 May 09 10:11:47 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
> backend state for port 1/20 is REQUEST
> 2005 May 09 10:11:47 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
> backend state for port 1/20 is RESPONSE
> 2005 May 09 10:11:48 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
> backend state for port 1/20 is REQUEST
> 2005 May 09 10:11:48 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
> backend state for port 1/20 is RESPONSE
> 2005 May 09 10:11:49 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
> backend state for port 1/20 is REQUEST
> 2005 May 09 10:11:49 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
> backend state for port 1/20 is RESPONSE
> 2005 May 09 10:11:49 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
> backend state for port 1/20 is REQUEST
> 2005 May 09 10:11:50 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
> backend state for port 1/20 is RESPONSE
> 2005 May 09 10:11:50 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
> backend state for port 1/20 is REQUEST
> 2005 May 09 10:11:50 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
> backend state for port 1/20 is RESPONSE
> 2005 May 09 10:11:51 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
> backend state for port 1/20 is REQUEST
> 2005 May 09 10:11:51 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
> backend state for port 1/20 is RESPONSE
> 2005 May 09 10:11:52 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
> backend state for port 1/20 is FAIL
> 2005 May 09 10:11:52 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X:
> backend state for port 1/20 is FINISHED
> 2005 May 09 10:11:52 CDT -05:00
> %SECURITY-5-DOT1X_AUTHENTICATION_FAILURE:Authentication failed for port
> 1/20: port unauthorized
> 2005 May 09 10:11:52 CDT -05:00
> %SECURITY-5-DOT1X_PORT_UNAUTHORIZED:DOT1X: port 1/20 unauthorized
> 2005 May 09 10:11:52 CDT -05:00
> %SECURITY-7-DOT1X_AUTHENTICATOR_STATE:DOT1X: authenticator state for
> port 1/20 is HELD
> 2005 May 09 10:11:56 CDT -05:00
> %SECURITY-7-DOT1X_AUTHENTICATOR_STATE:DOT1X: authenticator state for
> port 1/20 is CONNECTING
> 2005 May 09 10:11:57 CDT -05:00
> %SECURITY-7-DOT1X_AUTHENTICATOR_STATE:DOT1X: authenticator state for
> port 1/20 is AUTHENTICATING
> < clipped the repeating of the above >
>
>
>
> Is there some type of special setting that needs to be done in AD to
> allow RADIUS to verify the machine? I did come across the tidbit
> below, and we don't have two-way encrypted passwords. User
> Authentication doesn't seem to mind though....
>
>
>
> "To verify the challenge response sent from the wired client, the
> RADIUS server must use the plain-text version of the password. By
> default, Windows domains store a one-way encrypted form of the account
> password. Therefore, Windows domains must be configured to store a
> version of the password using two-way (reversible) encryption. The
> account password is stored in an encrypted form. When authenticating,
> the account password is converted to its plain-text form using
> reversible encryption."
> -- Enterprise Deployment of Secure Wired Networks Using Microsoft
> Windows
>
> Has anyone else run into similar problems? Any help anyone can give to
> point me in the right direction is greatly appreciated!
>
> -randy
>
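As an added illustration of triaging the failure described in this thread (example code, not from either post and not an ACS or Cisco tool): a small Python script that parses an ACS failed-attempt record in the form shown above, separates host/ (machine) failures from user failures, and matches the failure to the switch port whose 802.1X backend state went to FAIL in the same second. The sample records are constructed from the thread's formats, and the same-second match assumes the ACS server and the switch clocks agree.

```python
import re

# Constructed samples in the formats shown in the thread (not the real logs).
ACS_RECORD = """\
Time 10:11:52
Message-Type Authen failed
User-Name host/mypc.company.com
Caller-ID 00-AA-BB-CC-DD-EE
Authen-Failure-Code External DB account restriction
"""
SWITCH_LOG = """\
2005 May 09 10:11:52 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 1/20 is FAIL
2005 May 09 10:11:52 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 1/20 is FINISHED
2005 May 09 10:11:52 CDT -05:00 %SECURITY-5-DOT1X_AUTHENTICATION_FAILURE:Authentication failed for port 1/20: port unauthorized
"""

# Timestamp, port and state of a DOT1X backend-state debug message.
STATE_RE = re.compile(
    r"^\S+ \S+ \S+ (\d\d:\d\d:\d\d) .*?%SECURITY-\d-DOT1X_BACKEND_STATE:"
    r"DOT1X: backend state for port (\S+) is (\w+)")

def parse_acs_record(text):
    """Turn the key/value lines of an ACS failed-attempt record into a dict."""
    rec = {}
    for line in text.splitlines():
        if line.strip():
            key, _, val = line.partition(" ")
            rec[key] = val.strip()
    return rec

def classify_failure(rec):
    """Separate machine (host/...) from user failures and keep the ACS reason."""
    ident = rec.get("User-Name", "")
    kind = "machine" if ident.lower().startswith("host/") else "user"
    return {"kind": kind, "identity": ident, "time": rec.get("Time", ""),
            "mac": rec.get("Caller-ID", ""), "reason": rec.get("Authen-Failure-Code", "")}

def backend_fail_events(log):
    """(time, port) for each backend FAIL transition on the switch."""
    events = []
    for line in log.splitlines():
        m = STATE_RE.match(line)
        if m and m.group(3) == "FAIL":
            events.append((m.group(1), m.group(2)))
    return events

def correlate(acs_text, switch_log):
    """Match an ACS failure to the port(s) that went to FAIL in that second."""
    f = classify_failure(parse_acs_record(acs_text))
    f["ports"] = [p for t, p in backend_fail_events(switch_log) if t == f["time"]]
    return f
```

The switch reports FINISHED right after FAIL on the same port, so the script keys on the FAIL transition rather than on the last state seen for a port.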

