Weird 802.1x EAP-TLS Behavior with Windows XP SP3
I'm currently busy with several 802.1x implementations in corporate networks, and in one of those environment I get the strangest behavior in regards to the authentication process.
In this particular case I use a Microsoft 2008 Active Directory. Mandatory for distributing the wired network adapter settings in regards to 802.1x. The clients are a mix of Windows XP (SP1 and SP3) clients and some newer and/or exotic operating systems. The authentication mechanism of choice is EAP-TLS with dynamic VLAN assignment. The RADIUS server used is the Cisco Secure ACS v5.x appliance.
During the authentication process of the XP SP3 PC's I saw that the first authentication attempt was made with the PEAP mechanism. Since PEAP isn't allowed, the authentication mechanism failed. About a minute and twenty seconds later the PC started another dot1x authentication sequence. This time using EAP-TLS, and the PC got access to the network.