802.1x over Wire + Dynamic VLAN

Unanswered Question
Jul 11th, 2007

Hi,


I am trying 802.1X (PEAP) over wire.

Equipment:

- ACS 4.0

- 3750 switch with an 802.1q trunk

- client: Windows XP


The problem I am getting is that my switchport is not getting the desired VLAN.

ACS - Authen OK

switchport - authorized

VLAN - 1 (correct VLAN should be '40')


The ACS user has been configured with:

-[64] Tunnel-Type = VLAN

-[65] Tunnel-Medium = 802

-[81] Tunnel-Private-Group-ID = VLAN 40


If I were to configure the switch with

-aaa authorization exec default group tacacs+ group radius

-aaa authorization network default group radius


the ACS Failed Attempts log shows:

EAP-TLS or PEAP authentication failed during SSL handshake


I think I am missing some things.

Appreciate any advice.

cash

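As an added worked example for the VLAN-assignment part of the question (this is not code from the thread, from Cisco or from ACS): the three attributes listed above are RFC 2868 tagged attributes, and a switch only applies the VLAN when all three arrive in the Access-Accept, agree on their tag, and carry Tunnel-Type = VLAN (13) and Tunnel-Medium-Type = IEEE-802 (6). The script below builds a constructed Access-Accept with those attributes, parses it back, and reports exactly which part of the assignment is missing or wrong. The packet layout, the zero authenticator and the hypothetical function names are assumptions of the example; it does not verify the RADIUS Response Authenticator.

```python
"""Build and check the RADIUS Access-Accept attributes that carry a dynamic
VLAN assignment: Tunnel-Type (64), Tunnel-Medium-Type (65) and
Tunnel-Private-Group-ID (81), encoded as RFC 2868 tagged attributes.
Hypothetical example code written for this thread; the packet it builds
is constructed, not captured from ACS."""
import struct

ACCESS_ACCEPT = 2                 # RADIUS code of an Access-Accept
TUNNEL_TYPE = 64                  # tagged integer; 13 = VLAN (RFC 3580)
TUNNEL_MEDIUM_TYPE = 65           # tagged integer; 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81      # tagged string; VLAN number or VLAN name
VLAN = 13
IEEE_802 = 6
VLAN_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def encode_tagged_int(attr, tag, value):
    """Tagged integer: 1 tag byte followed by a 3-byte big-endian value."""
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr, 2 + len(body)]) + body


def encode_tagged_string(attr, tag, text):
    """Tagged string: 1 tag byte followed by the text."""
    body = bytes([tag]) + text.encode()
    return bytes([attr, 2 + len(body)]) + body


def build_access_accept(group_id, tag=1, omit=(), identifier=0x42):
    """Constructed Access-Accept with a 16-byte zero authenticator (not a
    valid Response Authenticator; integrity is out of scope here)."""
    parts = {
        TUNNEL_TYPE: encode_tagged_int(TUNNEL_TYPE, tag, VLAN),
        TUNNEL_MEDIUM_TYPE: encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, IEEE_802),
        TUNNEL_PRIVATE_GROUP_ID: encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(group_id)),
    }
    attrs = b"".join(v for k, v in parts.items() if k not in omit)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    return header + bytes(16) + attrs


def parse_attributes(packet):
    """Yield (type, value bytes) for each attribute after the 20-byte header."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def split_tag(value):
    """RFC 2868: a first byte of 0x00..0x1F is a tag; anything else is data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return None, value


def check_vlan_assignment(packet):
    """Return (group_id, problems). group_id is the VLAN number or name the
    switch would apply; it is None when anything needed is missing or wrong."""
    problems = []
    if packet[0] != ACCESS_ACCEPT:
        problems.append("not an Access-Accept (code %d)" % packet[0])
    found = {}
    for atype, raw in parse_attributes(packet):
        if atype in VLAN_ATTRS:
            found[atype] = split_tag(raw)
    if TUNNEL_TYPE not in found:
        problems.append("Tunnel-Type (64) missing")
    elif int.from_bytes(found[TUNNEL_TYPE][1], "big") != VLAN:
        problems.append("Tunnel-Type (64) is not VLAN (13)")
    if TUNNEL_MEDIUM_TYPE not in found:
        problems.append("Tunnel-Medium-Type (65) missing")
    elif int.from_bytes(found[TUNNEL_MEDIUM_TYPE][1], "big") != IEEE_802:
        problems.append("Tunnel-Medium-Type (65) is not IEEE-802 (6)")
    if TUNNEL_PRIVATE_GROUP_ID not in found:
        problems.append("Tunnel-Private-Group-ID (81) missing")
    # All three must carry the same tag so the switch groups them together.
    tags = {tag for tag, _ in found.values() if tag is not None}
    if len(tags) > 1:
        problems.append("tunnel attributes carry different tags %s" % sorted(tags))
    if problems:
        return None, problems
    return found[TUNNEL_PRIVATE_GROUP_ID][1].decode("ascii", errors="replace"), []


if __name__ == "__main__":
    print(check_vlan_assignment(build_access_accept(40)))            # ('40', [])
    print(check_vlan_assignment(build_access_accept(40, omit=(TUNNEL_MEDIUM_TYPE,))))
```

Run against a real Access-Accept (for instance one captured with a packet sniffer on the switch-to-ACS path), the same check tells you whether the server actually sent a complete assignment before you look at the switch side. On the switch side, the attributes are only honoured when RADIUS network authorization is enabled, which is the `aaa authorization network default group radius` line the post already lists.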
Jagdeep Gambhir Thu, 07/12/2007 - 11:57

Hi Cash,

An SSL handshake error points to a certificate issue. On your client, make sure that "Validate server certificate" is not checked.


Network connection properties ---> Authentication tab ---> 802.1X properties ---> uncheck "Validate server certificate".


Let me know how that goes.


Regards,

~JG

cashqoo Thu, 07/12/2007 - 19:17

Hi,


It's still not working.

I am getting these logs from ACS:

-Passed Authentications - ok

-Failed Attempts - EAP-TLS or PEAP authentication failed during SSL handshake

-switch - unauthorized

I would like to confirm my understanding:

For this whole process, I need only one cert, which is for the ACS, am I right?


cash

Jagdeep Gambhir Fri, 07/13/2007 - 05:11

Cash,

Yes, for PEAP you need one cert, and that only on the ACS.


Please enable Fast Reconnect on the clients and on the ACS.


System Configuration > Global Authentication Setup > EAP Configuration > check "Enable Fast Reconnect:" > Submit + Restart


Try to authenticate with both combinations (with and without Fast Reconnect) and see if that makes any change.



If the issue is still there, then get me the following logs from the switch:


debug radius

debug dot1x all

debug aaa authentication


Regards,

~JG
