ACS + Wired dot1x machine authentication

Answered Question
Jun 10th, 2008

Hi,


I am trying to set up wired machine-based authentication. I have followed this guide:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml#req


However, I simply get the same error all the time on ACS:

Invalid message authenticator in EAP request


Switch config:

interface GigabitEthernet0/46
 switchport access vlan 20
 switchport mode access
 media-type rj45
 dot1x pae authenticator
 dot1x port-control auto
 dot1x reauthentication
 dot1x guest-vlan 20


I am trying to set up group matching to perform VLAN assignment; however, I am just entering under the unknown user policy at the minute, with no VLAN assignment set up.


Can anyone shed any light on this? All I want to do is authenticate a machine via certificates and issue a VLAN ID based on the machine name and AD group matching. No user authentication; this can be done via the PDC.


Purely using machine auth.


Cheers


Scott

Correct Answer
Jagdeep Gambhir Tue, 06/10/2008 - 04:43

Scott,

I recommend changing/retyping the shared secret on the switch as well as on the ACS server, for the AAA client and the AAA server.




Regards,

~JG


Do rate helpful posts
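The error in the question, "Invalid message authenticator in EAP request", is ACS rejecting the RADIUS Message-Authenticator attribute (type 80, RFC 2869 section 5.14). The switch adds it to every Access-Request that carries EAP-Message (RFC 3579 requires it there); it is an HMAC-MD5 over the entire packet, keyed with the RADIUS shared secret, with the attribute's own 16-byte value zeroed. A secret that differs by a single character (a trailing space when retyping is a classic) therefore fails every request before ACS looks at the identity or consults any external database, which is why retyping the key on both sides, as the answer above suggests, clears it. The Python below is an added example, not code from the thread, from Cisco, or from ACS; it builds a constructed Access-Request of the kind a switch relays for a machine-authentication EAP Response/Identity and shows the server-side check passing with the right secret and failing with a mistyped one, a tampered packet, or a missing attribute. The secrets, the host/ identity, the NAS-Port value and the packet identifier are all made up for the example.

```python
"""RADIUS Message-Authenticator (RFC 2869 s.5.14 / RFC 3579) built and verified.
Added example, not Cisco or ACS code. All secrets and names below are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT = 5
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length (incl. the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(identifier, request_authenticator, attrs, secret):
    """What the switch (NAS) does: append a zeroed Message-Authenticator, HMAC-MD5 the
    whole packet (Code, Identifier, Length, Request Authenticator, all attributes)
    under the shared secret, then write the digest into the zeroed field."""
    body = b"".join(attrs) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    packet = header + request_authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the zeroed value is the last 16 bytes of the packet


def parse_attributes(packet):
    """Yield (type, offset, value) for each attribute following the 20-byte header."""
    i = 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header at offset %d" % i)
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % i)
        yield attr_type, i, packet[i + 2:i + length]
        i += length


def verify_message_authenticator(packet, secret):
    """What the RADIUS server (ACS) does: recompute the HMAC-MD5 with the
    Message-Authenticator value zeroed and compare in constant time.
    A wrong shared secret, any byte changed in transit, or a missing attribute
    (mandatory when EAP-Message is present, RFC 3579 s.3.2) all yield False."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    for attr_type, off, value in parse_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def sample_eap_identity_request(request_authenticator, secret,
                                identity=b"host/pc01.example.local"):
    """Constructed Access-Request as a switch relays it for machine auth: the
    EAP Response/Identity (code 2) carrying the host/<fqdn> identity a Windows
    supplicant sends, plus User-Name and a made-up NAS-Port."""
    eap = struct.pack("!BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity
    attrs = [
        attr(ATTR_USER_NAME, identity),
        attr(ATTR_NAS_PORT, struct.pack("!I", 50046)),
        attr(ATTR_EAP_MESSAGE, eap),
    ]
    return build_access_request(7, request_authenticator, attrs, secret)


if __name__ == "__main__":
    ra = os.urandom(16)  # Request Authenticator: random per request on a real NAS
    pkt = sample_eap_identity_request(ra, b"s3cret-on-switch")
    print("same secret on ACS  :", verify_message_authenticator(pkt, b"s3cret-on-switch"))
    print("retyped with a space:", verify_message_authenticator(pkt, b"s3cret-on-switch "))
```

Two things worth noting from the check: the HMAC also covers the Request Authenticator and the EAP payload, so an on-path change to the EAP-Message fails the same way a bad secret does, and the server cannot tell the two causes apart; and because the attribute is mandatory on EAP traffic, a request that lacks it is dropped rather than falling back to the weaker per-attribute protection RADIUS has without it.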

scott-goodwin Tue, 06/10/2008 - 04:57

Tried that; also checked it with them different, and I get nothing in the logs. Hence communication seems fine from switch to ACS???


Cheers


Scott

scott-goodwin Tue, 06/10/2008 - 06:28

Ok!!


Checked that again and yes that stopped the message ;)


Now I am getting an external DB authentication failure; however, I don't see anything in AD Event Viewer??


Thanks


Scott

Jagdeep Gambhir Tue, 06/10/2008 - 06:35

Scott,

Check the unknown user policy settings and make sure you have proper permissions for the account running the ACS services.



Regards,

~JG


Do rate helpful posts

scott-goodwin Wed, 06/11/2008 - 01:43

Hi Guys,


The plot thickens: I can authenticate via user 802.1X, and I can also authenticate the machine against my existing 4.1 ACS server; however, when using the new 4.2 server I get the external DB authentication failure??


Thanks for your help.


Scott

scott-goodwin Wed, 06/11/2008 - 01:44

PS: all the settings are identical; also, the fact I can auth via user credentials proves the AD interop.


Cheers


Scott

Jagdeep Gambhir Wed, 06/11/2008 - 04:55

Check the unknown user policy settings and the permission issue. Check out the auth.log; that will show more details about the issue.



Regards,

~JG

scott-goodwin Wed, 06/11/2008 - 06:42

Hi Mate,


I have now done a fresh install of 4.1 and I can confirm that 4.1 works fine, so it would definitely indicate a 4.2 issue.


I will check the auth.log to get more details.


Thanks


Scott
