cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
502
Views
0
Helpful
3
Replies

dot1x on catalyst express 520 and windows 2003 IAS

baneofmylife
Level 1
Level 1

Hi everyone,

I am looking for users with experience with catalyst express product especially CE520. My problem is that i can't make my XP client authenticate using 802.1x on CE520 and IAS on windows 2003 as RADIUS server (PEAP using certificates). I have several hundreds client working perfectly on 2950, 2970, 4506, pixes and 6509 switch. I used GUI config and smartports but no go. Also tried CLI config (same as on my other cisco switches, used CLI thru .../exec). I have no experience in deciphering debug output on CE520 or RAS tracing on IAS server so if anyone has experience with similar config/layout and CE switches it would be a great help. I can post debug output and config if needed.

Thank you,

Cheers...

Forgot to mention, it is wired config for 802.1x....

3 Replies 3

Jagdeep Gambhir
Level 10
Level 10

On the CE500 device, the Network Security Settings set the Security Level to High and set the RADIUS parameters (On CNA Configure

>>> Security >>> Network Security Settings >>> Host Access Security Level High and set the RADIUS parameters).

The ports where the users connects should set to "Desktop", since dot1x is supported on "Desktop" and "Printer" port roles only.

Regards,

~JG

Do rate helpful posts

Thank you JG,

I already tried that, it was my initial setup. After my clients could not authenticate i tried to do manual setup using CLI ( http://switchip/exec ) but GUI did nice config anyway so i could not find any problem.

I have attached switch config, dot1x debug, and RAS tracing from Win 2003 (IASSAM.LOG part).

Ras tracing show that EAP is actually succeeding but authentication repeats 2 more time and eventually switch disables port for some reason probably presuming unsuccessful authorization (although it is successful) i think .

Few more info, supplicants are XP SP3 clients, other switches (cisco and other vendors) work perfectly.

Problem partially solved,

Setting Framed-MTU radius attribute at Windows IAS lower than 1400 got CE520 to successfully authenticate supplicant using MSCHAPv2. But, PEAP using certificates still does not work.

Looking at radius traffic form CE520 switch it looks that this switch by default use Framed-MTU higher than 1900 by default! EAP does not support fragmentation (eap methods do).

Still i have not found reason for PEAP not to work with certificates and now works with MSCHAPv2...

Anyone, any ideas?

Cheers...

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: