802.1x over Wire + Dynamic VLAN

Unanswered Question
Jul 11th, 2007

Hi,

I am trying 802.1x (PEAP) over wire.

Equipment:

-ACS 4.0

-3750 switch with 802.1q trunk

-client: Windows XP

The problem I am getting is my switchport is getting the desired VLAN.

acs - Authen OK

switchport - authorised

vlan - 1 (correct vlan should be '40')

The ACS user has been configured with:

-[64] Tunnel-Type = VLAN

-[65] Tunnel-Medium = 802

-[81] Tunnel-Private-Group-ID = VLAN 40

If I were to configure the switch for

-aaa authorization exec default group tacacs+ group radius

-aaa authorization network default group radius

the ACS failed attempts will show:

EAP-TLS or PEAP authentication failed during SSL handshake

I think I am missing some things.

Appreciate any advice.

cash

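The three tunnel attributes listed in the question are what the switch has to receive in the RADIUS Access-Accept for dynamic VLAN assignment (RFC 3580). The following is an added example, not code from the thread: it parses an Access-Accept and reports whether attributes 64, 65 and 81 are present with the VLAN and 802 values. The packets are constructed samples and all function names are hypothetical.

```python
import struct
VLAN, IEEE_802 = 13, 6  # RFC 3580 values for Tunnel-Type and Tunnel-Medium-Type

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: [raw values]} from a RADIUS packet (RFC 2865)."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20  # header: code, id, length, 16-byte authenticator
    while pos < length:
        # A lone trailing octet has no length field; treat it as length 0 (malformed).
        a_type, a_len = packet[pos], packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def tagged_int(value: bytes) -> int:
    """Tunnel-Type / Tunnel-Medium-Type: one tag octet + 3-octet integer (RFC 2868)."""
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 octets")
    return int.from_bytes(value[1:], "big")

def group_id(value: bytes) -> str:
    """Tunnel-Private-Group-ID: a first octet <= 0x1F is a tag, not part of the string."""
    return (value[1:] if value and value[0] <= 0x1F else value).decode("ascii")

def vlan_assignment(packet: bytes):
    """Return (group id or None, list of problems) for an Access-Accept."""
    attrs, problems = parse_attributes(packet), []
    for a_type, name, want in ((64, "Tunnel-Type", VLAN), (65, "Tunnel-Medium-Type", IEEE_802)):
        got = [tagged_int(v) for v in attrs.get(a_type, [])]
        if want not in got:
            problems.append(f"{name} missing or not {want} (got {got})")
    ids = [group_id(v) for v in attrs.get(81, [])]
    if not ids:
        problems.append("Tunnel-Private-Group-ID missing")
    return (ids[0] if ids else None), problems

def attr(a_type: int, value: bytes) -> bytes:
    return bytes([a_type, len(value) + 2]) + value

def build_accept(attributes) -> bytes:
    # Constructed sample Access-Accept (code 2) with a zeroed authenticator.
    body = b"".join(attributes)
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: one with the VLAN triplet, one carrying only Session-Timeout (27).
GOOD = build_accept([attr(64, b"\x00\x00\x00\x0d"), attr(65, b"\x00\x00\x00\x06"), attr(81, b"40")])
NO_VLAN = build_accept([attr(27, struct.pack("!I", 3600))])
```

An Access-Accept that parses like `NO_VLAN` leaves an authorized port in its configured access VLAN, which matches the "authorised, vlan 1" symptom described in the question.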
Jagdeep Gambhir Thu, 07/12/2007 - 11:57

Hi Cash,

An SSL handshake error points to a certificate issue. On your client, make sure that "validate server certificate" is not checked.

Network connection properties---> Authen TAB--->dot1x properties--->uncheck valid server certs.

Let me know how that goes.

Regards,

~JG

cashqoo Thu, 07/12/2007 - 19:17

Hi,

It's still not working.

I am getting these logs from ACS:

-Passed Authentications - ok

-Failed Attempts - EAP-TLS or PEAP authentication failed during SSL handshake

-switch - unauthorized

I'd like to confirm my understanding:

For this whole process, I need only 1 cert, which is for the ACS, am I right?

cash

Jagdeep Gambhir Fri, 07/13/2007 - 05:11

Cash,

Yes, for PEAP you need one cert, that too on ACS only.

Please enable Fast Reconnect on clients and on ACS.

System Configuration > Global Authentication Setup > EAP Configuration > check "Enable Fast Reconnect:" > Submit + Restart

Try to authenticate with both combinations (with and without fast reconnect) and see if that makes any change.

If the issue is still there, then get me logs from the switch:

debug radius

debug dot1x all

debug aaa authentication

Regards,

~JG
