
PEAP Machine Authentication is SLOW!!!

Status
Not open for further replies.

wauger

Technical User
Jul 3, 2002
12
US
Hi All,
I am attempting to implement 802.1x on the wireline and also wireless using PEAP. The problem that I am seeing between both wireline and wireless deployments is that machine authentication is very slow to be performed by Windows XP clients. The machine authentication does not even start until at least 30 seconds after the Windows login GINA is displayed. This is frustrating as the machine will not be provided an IP on the network until machine authentication passes. If the machine is not on the network when the user attempts to log in, then the login will be local, no DC will be contacted, and any login script that this user has will not run. I think you can see my dilemma! :)

I have tried searching for a solution and I cannot find any postings on a successful PEAP machine/user authentication deployment, either wireless OR wireline.

BTW. Native Windows XP requires a hotfix (KB826942) to get machine authentication to work. And as far as I can tell there is no way to get Windows 2000 to machine authenticate properly.

My setup is as follows:
Cisco ACS v3.2 as EAP RADIUS
Aironet 350 AP @ VxWorks 12.04 (for wireless)
Catalyst 6500 @ cat6000-sup2k8.7-6-3a.bin (for wireline)
Windows XP SP1 (with KB826942 hotfix)
Windows 2000 SP4 (can't get machine authentication to work, but user authentication does)

Any thoughts? Thanks much!
 
Try to put your gateway as DNS first and see if there's any change

Seyed
 
Thanks, but I am not sure what you mean. Can you elaborate? How can I put the gateway as DNS?
Thanks
 
Let's say your gateway is 192.168.0.1
and your dns is 212.212.212.212

What I am basically offering to try is: set your primary DNS to 192.168.0.1 and then 212.212.212.212 as the secondary DNS server, and see if there's any change.
 
I will try this, but what do you think this is going to do? Just curious. Thanks
 
I had the same problem with authentication in my Win2k domain, and by changing DNS it was fixed.

Hope it helps you.
Seyed
 
So you had the same problem with Machine authentication in Windows 2k domain? What type of clients, 2k or XP?
 
For any client machine attached to the Catalyst, make sure you do a "set port host" on all client interfaces. This will turn off trunking and channeling and turn on portfast; without this it will take 30-45 seconds before the ports do anything due to spanning tree. As far as the wireless problem, I am not sure.
 
I would suggest upgrading your Cisco ACS to the latest version. There's a known Windows/Cisco issue in previous versions...

Also, for Windows 2000, there is a patch you have to install to get 802.1x to work. Go to the Microsoft website and search for "Windows 2000 802.1x". Once you get the patch and install it, you may need to re-install service pack 4.

 
Thanks for the info. Looks like by enabling dot1x on the switch port it automatically disables trunking...

Port(s) 4/40 channel mode set to off.
Command Rejected : 4/40 is a dot1x port.
Dot1q tunnel feature disabled on port(s) 4/40.
Port(s) 4/40 trunk mode set to off.
 