
802.1x using the Microsoft Supplicant with Smart Cards


RookThis

Technical User
Jul 27, 2002
195
US
I am trying to get the Microsoft supplicant to work with machine certificates and smart cards. I have the supplicant configured via the registry settings as AuthMode set to 1 and SupplicantMode set to 3. The AuthMode setting of 1 authenticates first by using the machine certificate, which works fine, and then forces another re-authentication with user credentials. This is the part that doesn't work. When the user gets the GINA screen (ctl/alt/del) and enters the user credentials, the PC never responds to the EAP Identity Request that is generated by the switch. From the debugs that I am running I never see a response from the PC. It's as if the certificate cannot be read from the smart card, or maybe the mechanism where you are prompted to enter a PIN isn't supported in this mode. Does anyone have any experience with this? I've been told that other third-party supplicants will work, but that will require an added expense and I would prefer getting the MS supplicant to work instead. Any suggestions?
 
Are you using the IAS side of the 2003 server? (Microsoft)

The most overlooked advantage to owning a computer is that if they foul up there's no law against whacking them around a little.
 
No, I'm using Cisco's ACS server for the IAS piece, if that's what you are referring to.
 
Yes I was, sorry, I don't think I can help you. Does the Cisco set up a RADIUS in the environment that you are using?

 
Yes it does... PC ==> switch ==> Cisco RADIUS server ==> points to a GPO area where the certs are stored, I think. I'm not exactly sure how this works on the RADIUS side, but the part that I think is broken is on the PC: when the user credentials are issued by the user I see an EAP identity request from the switch, but I never see a response from the PC, which I believe it should be getting from the smart card.
 
My thoughts, having set this up on a 2003 server, are to check the right certificates are being seen at the computer end from the Cisco...

Good luck... Merry Xmas
