RE: 802.1x, Computers, Wired Security

I think part of the problem is that I was trying to use PEAP with MSCHAPv2.
From what I've read this won't work for computer auth. From what I understand
I should be using EAP-TLS for computer and user auth. Is this correct?

I have changed my IAS policy to use EAP-TLS and have also configured the
client to use EAP-TLS. The good thing is that I can auth with a user cert
using EAP-TLS no problem, but the computer auth is still failing. Yes, the
service is started and set to automatic. I have a computer cert and here is
the error message on the IAS server...

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 8/14/2008
Time: 9:37:53 AM
User: N/A
Computer: IAS
User host/ was denied access.
Fully-Qualified-User-Name = DOMAIN\LAPTOPTEST$
NAS-IP-Address =
NAS-Identifier = CORE2
Called-Station-Identifier = 00-17-08-cc-2f-00
Calling-Station-Identifier = 00-17-a4-d7-6b-45
Client-Friendly-Name = CORE2
Client-IP-Address =
NAS-Port-Type = Ethernet
NAS-Port = 93
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = Extension
EAP-Type = <undetermined>
Reason-Code = 21
Reason = The request was rejected by a third-party extension DLL file.

For more information, see Help and Support Center at
0000: 00 00 00 00 ....

Here is the error on the client....

Event Type: Information
Event Source: Dot3Svc
Event Category: None
Event ID: 15514
Date: 8/14/2008
Time: 9:37:53 AM
User: N/A
Wired 802.1X Authentication failed.

Network Adapter: Broadcom NetXtreme Gigabit Ethernet - Packet Scheduler
Interface GUID: {66cf62ec-9e70-44a2-b29a-fbe95796c647}
Peer Address: 001708CC2F00
Local Address: 0017A4D76B45
Connection ID: 0x00000004
Identity: host/
User: -
Domain: -
Reason: 327685
Reason Text: The authentication failed because there is a problem with the
user account

Error Code: 1078067472

For more information, see Help and Support Center at

"Miles Li [MSFT]" wrote:


From the description, you can authenticate the computer to the network
successfully with the Open1X supplicant by hardcoding the user credentials.
However, you still failed to enter the network with the Windows XP SP3

In Windows XP SP3, the wired 802.1x service has been separated from the
wireless service, and a new Dot3Svc (Wired AutoConfig service) was created.
By default this service is set to manual start as opposed to automatic. In
the 802.1x deployed wired network, the client will not connect to the
network because of the absence of the service. So please make sure that
Wired AutoConfig service is set to Automatic before you restart the server.

Information needed:
To further investigate the issue, you can capture the network
traffic when the clients attempt to authenticate with IAS server and send
it to me at <tfwst@xxxxxxxxxxxxx>.

You can get the NetMon3.1 from the following link:

For your reference:

Changes to the 802.1X-based wired network connection settings in Windows XP
Service Pack 3

You cannot connect to an 802.1X wired network after you upgrade to Windows
XP Service Pack 3

A Windows XP-based wired client computer will not obtain a valid IP address
from a guest VLAN or from an "Authentication failed-VLAN"

Hope it helps. If you have any questions or concerns, please do not
hesitate to let me know.

Best regards,
Miles Li

Microsoft Online Partner Support
Microsoft Global Technical Support Center

Get Secure! -
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
This posting is provided "AS IS" with no warranties, and confers no rights.
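
The Wired AutoConfig (Dot3Svc) start-mode check described in the quoted reply, as an added example that is not part of the original thread or Microsoft's own tooling. It assumes Windows PowerShell with remote WMI access to the clients; the `$Computers` default and the `-Fix` switch are hypothetical names chosen for illustration.

```powershell
# Added example: audit the Wired AutoConfig service (Dot3Svc) on 802.1X wired clients.
# $Computers is a constructed placeholder list; -Fix is a hypothetical switch that
# sets the service to Automatic and starts it when it is found misconfigured.
param(
    [string[]]$Computers = @('localhost'),
    [switch]$Fix
)

foreach ($c in $Computers) {
    $filter = "Name='dot3svc'"
    try {
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $c -Filter $filter -ErrorAction Stop
    } catch {
        Write-Warning "${c}: WMI query failed: $($_.Exception.Message)"
        continue
    }
    if (-not $svc) {
        Write-Warning "${c}: Dot3Svc not found"
        continue
    }

    if ($Fix) {
        # Change the start mode first: a Disabled service cannot be started.
        if ($svc.StartMode -ne 'Auto') {
            $r = $svc.ChangeStartMode('Automatic')
            if ($r.ReturnValue -ne 0) {
                Write-Warning "${c}: ChangeStartMode returned $($r.ReturnValue)"
            }
        }
        if ($svc.State -ne 'Running') {
            $r = $svc.StartService()
            if ($r.ReturnValue -ne 0) {
                Write-Warning "${c}: StartService returned $($r.ReturnValue)"
            }
        }
        # Re-read the service so the report shows the state after the change.
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $c -Filter $filter
    }

    # One row per host; Compliant means Automatic start and currently running.
    $svc | Select-Object @{n='Computer';e={$c}}, StartMode, State,
        @{n='Compliant';e={ $_.StartMode -eq 'Auto' -and $_.State -eq 'Running' }}
}
```

Run without `-Fix` first to get a read-only report of which clients still have the service on manual start.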