802.1x authentication, please help

Feb 16th, 2007

Hi guys, I was trying 802.1x authentication on a 2950 switch. I had ACS 3.3 configured properly, and I was using Windows XP on the PC I need to be authenticated. All goes well and the PC is prompted for username, password and domain name. I want to know what I have to enter in the domain name? My PC wasn't connected to any domain as far as I remember, but still, any help please?

Thanks in advance

purohit_810 Fri, 02/16/2007 - 11:36

Hi,

You have to say something more about the problem, such as what the problem is: an authentication failure by the server, or what? If possible, post a log.

If you are working on a domain, you need to upgrade your ACS server's operating system to the SERVER edition.

After that you need to authenticate with the domain, and when you are creating the database in the ACS server, you have to point to the WINNT DATABASE.

Please let me know whether you are solving the problem or not.

shaila_rox Fri, 02/16/2007 - 11:44

See, I have installed ACS 3.3 on one machine running Windows Server 2003, and I have a client running Windows XP. On the client, in LAN properties under the Authentication tab, I have selected MD5-Challenge. On ACS I defined a username and password, and on the 2950 I have also configured 802.1x authentication. Now whenever the client PC connects to the port it is asked for authentication. I supplied the username and password, leaving the domain name blank, so the authentication failed! My client PC is not part of any domain, so which domain name is the authentication asking for? Please tell me now.

magurwara Mon, 02/19/2007 - 22:43

You need to run through the following checklist:

1. Have you set up the "aaa authentication dot1x..." command to use your ACS?

2. Have you added your 2950 as an AAA client? If yes, make sure you have the correct shared secret on both ACS and the 2950.

3. Have you used the "aaa authorization network ..." command to use the RADIUS (ACS) server?

4. Check the failed authentication section in "Activity Reports" on your ACS to see the reason for your logon failure. If you see an "Unknown NAS" error, you have not configured No. 2 above correctly. If you see "login failed" and "invalid username or Password", then the username/password is not set up correctly.

If possible copy/paste your 2950's configuration.
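
The items in the checklist above, as an added example that is not part of the original post: a Python sketch that checks a pasted 2950 running-config for the two `aaa` commands the checklist names. It also looks for `aaa new-model`, `dot1x system-auth-control`, a `radius-server` host with a key and per-port `dot1x port-control auto`, assumed here as the usual companion commands; the sample config, address and key are constructed.

```python
import re

# Constructed sample running-config (not from the thread); the RADIUS
# address and key are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key LAB-SECRET
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
"""

# Global commands the checklist asks about, plus the ones that switch AAA
# and 802.1X on at all. Each pattern is matched against one config line.
GLOBAL_CHECKS = {
    "aaa new-model": r"^aaa new-model\s*$",
    "aaa authentication dot1x": r"^aaa authentication dot1x \S+ group \S+",
    "aaa authorization network": r"^aaa authorization network \S+ group \S+",
    "dot1x system-auth-control": r"^dot1x system-auth-control\s*$",
    "radius-server host": r"^radius-server host \S+",
    "radius shared secret": r"^radius-server (host \S+.* )?key \S+",
}

def audit(config):
    """Return (missing global commands, interfaces with 802.1X enforced)."""
    lines = config.splitlines()
    missing = [name for name, pat in GLOBAL_CHECKS.items()
               if not any(re.search(pat, ln) for ln in lines)]
    dot1x_ports, current = [], None
    for ln in lines:
        m = re.match(r"interface (\S+)", ln)
        if m:
            current = m.group(1)
        elif not ln.startswith(" "):
            current = None          # left the interface block
        elif current and ln.strip() == "dot1x port-control auto":
            dot1x_ports.append(current)
    return missing, dot1x_ports

if __name__ == "__main__":
    missing, ports = audit(SAMPLE_CONFIG)
    print("missing global commands:", missing or "none")
    print("ports enforcing 802.1X:", ports or "none")
```

The shared secret itself can only be compared by hand against the AAA client entry on ACS; the script confirms only that one is configured on the switch.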

shaila_rox Mon, 02/19/2007 - 23:44

I already did all that you have mentioned. Actually, what I want to know is that on Windows XP, when I am prompted to enter the username and password, it also asks for a third thing, the domain name! I want to know where this domain name came from. What do I have to enter in this field? Please remember my PC is on a workgroup (it's a lab environment) and not on any domain! Now please tell me what I have to enter in the domain name field.

Thanks in advance

shaila_rox Tue, 02/20/2007 - 01:05

See, I am using MD5 challenge in the authentication tab! I am sorry I didn't mention it before, really sorry. Can you please tell me now what to do?

jain.nitin Tue, 02/20/2007 - 23:31

Did you try to put the domain name as your Windows 2003 server domain where ACS is installed? Try to put the domain name of the server where ACS is installed.

Ninja

purohit_810 Wed, 02/21/2007 - 08:10

In that case, Shaila, create the ACS server's own database.

In authentication box, select RADIUS.

So, it will not look up any domain at the time of authentication.

Regards,

Dharmesh Purohit

purohit_810 Wed, 02/21/2007 - 08:15

Hi Shaila,

Choose CISCO SECURE DATABASE.

If you select CISCO SECURE DATABASE, the ACS SERVER WILL AUTHENTICATE LOCALLY.

It will not look up any domain or database.

Regards,

Dharmesh Purohit

shaila_rox Wed, 02/21/2007 - 22:47

Hi, well, this is what I tried in the lab today. The PC running ACS was not on a domain, it was on a workgroup, and the client PC running Windows XP was also on a workgroup. I selected MD5 challenge in the auth tab. I followed the BCMSN exam cert guide and I am quite sure that I configured everything correctly. I got the username/password prompt, still including the logon domain! I tried all the combinations (leaving it blank, entering the name of my own workgroup) but nothing; authentication failed as usual. I ran debug on the 2950 and it said once that no server was found! But after a few tries I didn't get this message anymore, just a couple of other statements, and authentication failed. What is to note is that the IP and MAC address were successfully received and processed, but still the PC is not authenticated. What I think is that something is wrong with the logon domain. I will be grateful if any of you can consult some MCSE expert to resolve the issue, and I also thank you guys a lot for your feedback. Thank you very much, but please try to help me out.

Thanks again in advance to all that are helping me out

purohit_810 Thu, 02/22/2007 - 09:05

Shaila,

Did you try to do what I said?

There is nothing, boss, about domain or anything.

Unless you are specifying it.

Do try once again.

In the Authentication Using box:

1) You need to specify WINDOWS NT DATABASE - it will use the domain database for authentication.

2) If you are specifying CISCO SECURE DATABASE, it means it will authenticate against the local RADIUS server database. In this case, it is regardless of DOMAIN AUTHENTICATION.

3) If you would put it into a domain OR any EXTERNAL DATABASE, you have to follow the following steps:

Please look into the attached FILE.

Shaila, what you are doing and where you are confident, I don't know.

The ACS configuration is too simple and straight. There is nothing in that, yaar... believe.

Regards,

Dharmesh Purohit

purohit_810 Thu, 02/22/2007 - 09:17

Also, Shaila, you can do one test.

Connect the ACS server to one switch. On the same switch connect one client machine and test for authentication.

If it is still asking for a DOMAIN name or something, it means your ACS server configuration has a mistake.

If the server is in production, please install the ACS server on another machine, do the above setup, configure the same, and test it.

Regards,

Dharmesh Purohit

shaila_rox Thu, 02/22/2007 - 10:45

Hi, I took a doc from Cisco using a Cat 6500 in place of the 2950. In that document I followed all the steps (they also left the domain blank!) but again no success, the PC was not authenticated. Rather, the debug was also not showing anything other than 1 or 2 lines on each authentication, and it was weird: yesterday I saw so many debug lines coming, but today just a few! One thing is for sure, that the PC was not authenticated. Like you said, I connected the ACS server and the client on the same switch and followed all the configuration, but still no success. Now what shall I do?

I know you guys are doing a lot for me. I am sorry, but I am not an expert and not able to do it, but still thanks for your support. I will let you guys know if my problem is solved or not.

Thanks a lot to you guys, may GOD bless you

purohit_810 Thu, 02/22/2007 - 12:37

Hey,

It is OK. Nobody is an expert, yaar. Everybody is helping each other.

It is OK. What I am asking:

Forget about the PC.

IN THE ACS SERVER APPLICATION (SOFTWARE), YOU HAVE TO SELECT CISCO SECURE DATABASE INSTEAD OF "windows nt" in the AUTHENTICATION USING BOX.

Have you checked that? Tell me that.

I can go further from there.

You are not answering what I am asking. Every time you are telling me about PC WORKGROUP AND DOMAIN.

LEAVE DOMAIN.

Understand what I am asking and reply to me.

Go in ACS SERVER ---> click on the USER or GROUP button ---> look into the Authentication Using box. {Tell me what is there. You have to select CISCO SECURE DATABASE there.}

Regards,

Dharmesh Purohit

shaila_rox Fri, 02/23/2007 - 01:26

Sorry Purohit, yes, I have checked and it is Cisco Secure Database that is selected. I never selected Windows NT, it was Cisco Secure all of the time. Sorry I couldn't reply before. Now what do you think is the problem behind the domain?

purohit_810 Fri, 02/23/2007 - 07:38

I don't think now... generally that is the only option we can check out.

Because, you know, when I asked you "Have you checked on a single switch?" you told me YES, and still it is showing the same thing.

That means in that scenario we had nowhere a live domain setup. OK.

Something... I don't know.

In the RADIUS server configuration we have nothing, yaar. It is only one application. It is working normally.

OK, Shaila, bye. Good chat with you.

We had good cooperation from you during the support phase.

Keep it up with technology... mind... WE MAKE TECHNOLOGY

Bye

Regards,

Dharmesh Purohit

shaila_rox Fri, 02/23/2007 - 10:37

Thanks Purohit, and everybody, for so much support. I guess there is some other problem that none of us knows, perhaps an IOS bug maybe. Still, thanks to everyone.

And Purohit, what about my question regarding Easy VPN? Can you just tell me: when I make a router a client, what do I actually have to do with the IP that I receive from the server? The Cisco doc didn't show much use of this IP. Do you guys also agree that this IP is of no use?
