802.1x/PEAP over Ethernet

Unanswered Question
Jun 1st, 2007

I am trying to set up 802.1x PEAP in my home lab. I have:

a Windows 2003 Enterprise server with SP2 and latest patches running as Active Directory, DHCP, DNS, WINS. The AD domain name is LAB.

The Windows 2003 is also running Cisco ACS 4.0.1 with a self-signed certificate. I can log into the box https://PEAP8021x:2002 so the cert works. I also configure the ACS so that I can also talk to the

Cisco Catalyst 2960 running IOS version flash:c2960-lanbase-mz.122-25.SEE2.bin. This version supports 802.1x.

A couple of Windows XP with Service Pack 2 and latest patches that will act as clients for the domain LAB.

Everything is connected to the Catalyst switch 2960 via CAT-5 cables.

I would like to accomplish something very simple, I think:

Before

daviddtran Fri, 06/01/2007 - 17:06

repost:

I am trying to set up 802.1x PEAP in my home lab. I have:

a Windows 2003 Enterprise server with SP2 and latest patches running as Active Directory, DHCP, DNS, WINS. The AD domain name is LAB.

The Windows 2003 is also running Cisco ACS 4.0.1 with a self-signed certificate. I can log into the box https://PEAP8021x:2002 so the cert works. I also configure the ACS so that it can also use AD accounts for authentication.

Cisco Catalyst 2960 running IOS version flash:c2960-lanbase-mz.122-25.SEE2.bin. This version supports 802.1x.

A couple of Windows XP with Service Pack 2 and latest patches that will act as clients for the domain LAB.

Everything is connected to the Catalyst switch 2960 via CAT-5 cables.

I would like to accomplish something very simple. Before user(s) on WinXP can even access the domain LAB, the WinXP machine must be authenticated with Cisco ACS with username/password on the AD server so that the machine can be placed in the correct VLAN(s). If this is just a visitor and their machine is plugged into my network, authentication will fail and they will be put in a guest VLAN where the only connection they have will be access to the Internet, and that will be it. All the information will be pushed out to the Catalyst from the Cisco ACS.

Can someone help me out on how to get this done? Thanks.

charrellc011699 Sun, 06/03/2007 - 07:42

Hi,

This is a simple setup.

Initially, you must configure ACS External Database to use the Windows Domain database for unknown users.

Configure ACS (network configuration) to define the switch as a network client with the shared key.

Configure the switch with the radius server's ip and shared key.

Then configure the switchport access vlan to be the "protected" vlan, and configure a dot1x guest vlan. Then set dot1x port-control auto.

Then configure the client's ethernet port to use 802.1x authentication, with the EAP type set to PEAP (rather than smart card or other certificate) and MS-CHAP V2. Optionally set it to authenticate using the machine account when the user account is unavailable, so that the machine authenticates if a user is not logged in; this allows the machine to get an IP and be "on the domain" by the time the user is prompted to log in at the ctrl-alt-del screen. Optionally configure PEAP to automatically use the Windows logon name and password; this way authentication is transparent to the user, as the 802.1x supplicant uses the same account the user logs in to the machine with, avoiding pop-up prompts to log in.

* NOTE: if the system is configured with "Wake on LAN", then often the switch sees the network connection as soon as the system powers on, but by the time the OS is up and able to send the supplicant username/password, the EAPoL timer has expired and the switchport is placed into the guest VLAN. I suggest disabling Wake on LAN for wired 802.1x clients.

If you need additional detail on any of the above steps, post a reply.

Thanks,

Curtis H.
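The switch side of the steps above, written out as one complete Catalyst 2960 configuration. This is an added example, not configuration from this thread or from Cisco's documentation, and its values are constructed: the ACS/RADIUS server at 192.0.2.10, the shared key LAB-RADIUS-KEY, VLAN 2 as the protected VLAN, VLAN 3 as the guest VLAN and VLAN 4 as the restricted (auth-fail) VLAN. The auth-fail lines assume a 12.2(25)SE-train release that supports the restricted VLAN; if the switch rejects them, a host that fails authentication is simply held unauthorized on the port.

```ios
! Catalyst 2960, IOS 12.2(25)SE-train syntax. Constructed values:
! ACS/RADIUS at 192.0.2.10, key LAB-RADIUS-KEY, protected VLAN 2,
! guest VLAN 3, restricted (auth-fail) VLAN 4.
aaa new-model
! 802.1X requests go to RADIUS; "network" authorization is what lets
! the VLAN that ACS returns actually be applied to the port.
aaa authentication dot1x default group radius
aaa authorization network default group radius
! Key must match the one entered for this switch as an AAA client
! under ACS Network Configuration. 1645/1646 are the Cisco defaults.
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key LAB-RADIUS-KEY
! Start the 802.1X process globally; a port only enforces it once
! it is set to port-control auto below.
dot1x system-auth-control
!
interface GigabitEthernet0/6
 description 802.1X user port
 switchport mode access
 ! VLAN used when ACS authenticates the host but returns no VLAN.
 switchport access vlan 2
 dot1x pae authenticator
 ! auto: the port passes only EAPOL until authentication succeeds.
 dot1x port-control auto
 ! Hosts that never answer EAP-Request/Identity go to the guest VLAN
 ! after (max-reauth-req + 1) requests sent tx-period apart, i.e.
 ! 3 x 30 s here. Raise tx-period if slow-booting clients (see the
 ! Wake on LAN note above) are being misfiled as guests.
 dot1x timeout tx-period 30
 dot1x max-reauth-req 2
 dot1x guest-vlan 3
 ! Hosts that DO answer EAPOL but fail authentication (a visitor whose
 ! supplicant is enabled) land here, not in the guest VLAN.
 dot1x auth-fail vlan 4
 dot1x auth-fail max-attempts 3
 spanning-tree portfast
```

Two points worth knowing before testing. The guest VLAN only catches hosts that never respond to EAPOL; a visitor whose Windows supplicant is enabled will fail authentication and is placed in the auth-fail VLAN instead, so an "Internet only" visitor segment needs both VLANs pointed at it. For ACS to move an authenticated machine into a VLAN, the ACS group must return the IETF RADIUS attributes Tunnel-Type (64) = VLAN, Tunnel-Medium-Type (65) = 802 and Tunnel-Private-Group-ID (81) = the VLAN name or number; `show dot1x interface GigabitEthernet0/6 details` on the switch shows which state and VLAN a port ended up in.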

daviddtran Thu, 06/07/2007 - 16:15

Hi Curtis,

"Initially, you must configure ACS External Database to use the Windows Domain database for unknown users."

This part is done. I can authenticate users who ssh into the PIX firewall with Microsoft Active Directory via ACS, so it works.

"Configure the switch with the radius server's ip and shared key."

It's done.

"Then configure the switchport access vlan to be the "protected" vlan, and configure a dot1x guest vlan. Then set dot1x port-control auto."

    ! global 802.1x process
    dot1x system-auth-control
    !
    interface GigabitEthernet0/6
     switchport access vlan 2
     switchport mode access
     dot1x pae authenticator
     dot1x port-control auto
     ! hosts that never answer EAPOL go here
     dot1x guest-vlan 3

When I set up md5-challenge on the Windows XP machine, I can log in, but only if I create an account in the ACS internal database. In other words, it only works with an ACS internally created account and not with accounts from the Microsoft Active Directory server. If I use the account on the MS AD server, I get the following message:

    Auth type not supported by External DB

Why am I getting this message? Obviously, my AD works because I can ssh into a PIX firewall configured for AAA with my Active Directory account.

The question I have for you is: does the XP machine have to be part of the domain "LAB" first before I can implement PEAP?

Thanks.

David

Chetan Kumar Ress Wed, 07/28/2010 - 11:48

Hi David ,

The following error occurs when your authentication protocols mismatch. Configure your ACS and Windows machine to use the same authentication protocol:

"Auth type not supported by External DB"

Configure ACS to use the PEAP & MS-CHAP authentication protocol, and in the Windows NIC select the PEAP or EAP protocol.

Please refer to the link below:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1.3/troubleshooting/guide/ecodes.html

Regards

Chetan Kumar

http://chetanress.blogspot.com

NicolasMtl Wed, 07/28/2010 - 12:37

Hi Chetan,

I have already configured ACS to use the PEAP & MS-CHAP authentication protocol and in the Windows NIC selected the PEAP or EAP protocol, but I always get this error.

Regards,

Nicolas.

Chetan Kumar Ress Wed, 07/28/2010 - 13:10

Hi Nicolas

It might be an issue with the certificate that you installed on the user machine.

Can you check the log in ACS for the particular user you are using to log in?

Or generate a new certificate in ACS and install it on the user machine, selecting the PEAP & MSCHAP authentication protocol.

Regards

Chetan Kumar

http://chetanress.blogspot.com
