ACS + Wired dot1x machine authentication

Answered Question
Jun 10th, 2008

Hi,

I am trying to set up wired machine-based authentication. I have followed this guide

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml#req

However I simply get the same error all the time on ACS.

Invalid message authenticator in EAP request

Switch config:

  interface GigabitEthernet0/46
    switchport access vlan 20
    switchport mode access
    media-type rj45
    dot1x pae authenticator
    dot1x port-control auto
    dot1x reauthentication
    dot1x guest-vlan 20

I am trying to set up group matching to perform VLAN assignment; however, I am just entering under the unknown user policy at the min with no VLAN assignment set up.

Can anyone shed any light on this? All I want to do is authenticate a machine via certificates and issue a VLAN ID based on the machine name and AD group matching. No user authentication; this can be done via the PDC.

Purely using machine auth.

Cheers

Scott

0 votes
Correct Answer by Jagdeep Gambhir Tue, 06/10/2008 - 04:43

Scott,

I recommend changing/retyping the shared secret on the switch as well as the ACS server, for the AAA Client and AAA server.

Regards,

~JG

Do rate helpful posts

Overall Rating: 5 (1 ratings)
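Why retyping the shared secret is the right first move for this error: in RADIUS, an Access-Request that carries EAP-Message attributes must also carry a Message-Authenticator attribute (RFC 3579), which is an HMAC-MD5 over the whole packet keyed with the shared secret. The switch computes it with its copy of the secret, ACS recomputes it with its own copy, and any difference (a trailing space, a wrong character) produces exactly an "invalid message authenticator" failure even though the UDP packets are arriving fine. The following is an added illustration, not code from the thread or from Cisco; it builds a minimal Access-Request the way a NAS would, then verifies it the way a RADIUS server would, with matching and mismatched secrets. The secret, identifier and host name values are constructed for the example.

```python
import hmac
import hashlib
import os
import struct

# RADIUS constants (RFC 2865 / RFC 3579)
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("RADIUS attribute value may not exceed 253 bytes")
        out += bytes((attr_type, len(value) + 2)) + value
    return bytes(out)


def iter_attrs(packet):
    """Yield (offset, type, length) for each attribute after the header."""
    offset = HEADER_LEN
    while offset + 2 <= len(packet):
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > len(packet):
            raise ValueError("malformed RADIUS attribute")
        yield offset, attr_type, attr_len
        offset += attr_len


def build_access_request(secret, identifier, request_authenticator, attrs):
    """NAS side: build an Access-Request with a valid Message-Authenticator.

    The value is HMAC-MD5(secret, packet) computed with the 16-byte
    Message-Authenticator value zeroed (RFC 3579 section 3.2).
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    body = encode_attrs(list(attrs) + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet = header + request_authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    # The zeroed placeholder is the last 16 bytes because it was appended last.
    return packet[:-16] + mac


def verify_access_request(secret, packet):
    """Server side: return (ok, reason), mirroring the check ACS performs
    before it will look at the EAP payload at all."""
    if len(packet) < HEADER_LEN or packet[0] != CODE_ACCESS_REQUEST:
        return False, "not an Access-Request"
    has_eap = False
    ma_offset = None
    for offset, attr_type, attr_len in iter_attrs(packet):
        if attr_type == ATTR_EAP_MESSAGE:
            has_eap = True
        elif attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("Message-Authenticator must be 18 bytes long")
            ma_offset = offset + 2
    if ma_offset is None:
        # RFC 3579: an Access-Request carrying EAP-Message MUST include attribute 80.
        if has_eap:
            return False, "EAP-Message without Message-Authenticator"
        return True, "no EAP payload, nothing to check"
    zeroed = packet[:ma_offset] + bytes(16) + packet[ma_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, packet[ma_offset:ma_offset + 16]):
        return False, "invalid message authenticator"
    return True, "ok"


def demo():
    """Constructed scenario: switch and ACS agree on the secret, then they differ."""
    switch_secret = b"correct-horse"  # constructed secret configured on the NAS
    identity = b"host/pc01.example.local"  # constructed machine identity
    # EAP-Response/Identity: Code 2, Id 1, Length 5 + len(identity), Type 1
    eap_identity = bytes([2, 1, 0, 5 + len(identity), 1]) + identity
    attrs = [(ATTR_USER_NAME, identity), (ATTR_EAP_MESSAGE, eap_identity)]
    pkt = build_access_request(switch_secret, 7, os.urandom(16), attrs)
    return {
        "same_secret": verify_access_request(switch_secret, pkt),
        # Trailing space on the ACS side: the packet arrives, the HMAC does not match.
        "retyped_secret": verify_access_request(b"correct-horse ", pkt),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Because the HMAC covers the whole packet, the same error also appears if a device in the path rewrites the RADIUS payload (for example a NAT or proxy that touches the NAS-IP-Address attribute), so if retyping the secret on both ends does not clear it, the next thing to compare is a capture of the packet as the switch sent it against what ACS received.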

scott-goodwin Tue, 06/10/2008 - 04:57

Tried that; also checked it with them different and I get nothing in the logs. Hence communication seems fine from switch to ACS???

Cheers

Scott

scott-goodwin Tue, 06/10/2008 - 06:28

Ok!!

Checked that again and yes that stopped the message ;)

Now I am getting an external DB authentication failure; however, I don't see anything in the AD event viewer??

Thanks

Scott

Jagdeep Gambhir Tue, 06/10/2008 - 06:35

Scott,

Check unknown user policy settings and make sure you have proper permission for the account running acs services.

Regards,

~JG

Do rate helpful posts

scott-goodwin Wed, 06/11/2008 - 01:43

Hi Guys,

The plot thickens. I can authenticate via user 802.1x, and I can also authenticate the machine against my existing 4.1 ACS server; however, when using the new 4.2 server I get the external DB authentication failure??

Thanks for your help.

Scott

scott-goodwin Wed, 06/11/2008 - 01:44

PS: all the settings are identical; also, the fact I can auth via user credentials proves the AD interop.

Cheers

Scott

Jagdeep Gambhir Wed, 06/11/2008 - 04:55

Check the unknown user policy settings and the permission issue. Check out the auth.log; that will show more details about the issue.

Regards.

~JG

scott-goodwin Wed, 06/11/2008 - 06:42

Hi Mate,

I have now done a fresh install of 4.1 and I can confirm that 4.1 works fine, so it would definitely indicate a 4.2 issue.

I will check the auth.log to get more details.

Thanks

Scott
