ACS + Wired dot1x machine authentication

scott-goodwin
Level 1

Hi,

I am trying to setup wired machine based authentication. I have followed this guide

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml#req

However I simply get the same error all the time on ACS.

Invalid message authenticator in EAP request

Switch config:

interface GigabitEthernet0/46
 switchport access vlan 20
 switchport mode access
 media-type rj45
 dot1x pae authenticator
 dot1x port-control auto
 dot1x reauthentication
 dot1x guest-vlan 20

I am trying to set up group matching to perform VLAN assignment; however, I am just entering under the unknown user policy at the min with no VLAN assignment set up.

Anyone shed any light on this? All I want to do is authenticate a machine via certificates and issue a VLAN ID based on the machine name and AD group matching. No user authentication; this can be done via the PDC.

Purely using machine auth.

Cheers

Scott

Accepted Solution

Jagdeep Gambhir
Level 10

Scott,

I recommend changing/retyping the shared secret on the switch as well as on the ACS server for the AAA Client and AAA server.

Regards,

~JG

Do rate helpful posts

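The error Scott quotes is what a RADIUS server reports when the Message-Authenticator on the switch's Access-Request (an HMAC-MD5 keyed by the shared secret, RFC 2869) does not verify under the server's copy of the secret, which is why retyping it on both sides clears it. The following is an added example, not code from the thread or from Cisco: it builds the Access-Request the way the switch does and runs the server-side check, passing with the shared secret and failing with a mistyped one. The secret, identifier, identity string and Request Authenticator are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, ident, req_auth, user_name, eap):
    """Switch side: Access-Request carrying EAP-Message plus a Message-Authenticator,
    i.e. HMAC-MD5(secret) over the whole packet with the MAC field zeroed (RFC 2869 5.14)."""
    attrs = (_attr(ATTR_USER_NAME, user_name) + _attr(ATTR_EAP_MESSAGE, eap)
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # 16 zero bytes for now
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac  # Message-Authenticator is the last attribute

def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server side: recompute the HMAC with the server's copy of the secret.
    A mismatch is what ACS logs as 'Invalid message authenticator in EAP request'."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False  # bad length field
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False  # malformed TLV
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(packet[pos + 2:pos + 18], expected)
        pos += attr_len
    return False  # EAP over RADIUS requires the attribute (RFC 3579): absent means reject

# Constructed sample values (not from the thread): a machine-account identity, its
# EAP-Response/Identity, and a fixed Request Authenticator (a real switch picks one randomly).
SAMPLE_SECRET = b"S3cret-on-both-sides"
SAMPLE_REQ_AUTH = bytes(range(16))
SAMPLE_IDENTITY = b"host/ws01.example.local"
SAMPLE_EAP = struct.pack("!BBHB", 2, 1, 5 + len(SAMPLE_IDENTITY), 1) + SAMPLE_IDENTITY

if __name__ == "__main__":
    pkt = build_access_request(SAMPLE_SECRET, 7, SAMPLE_REQ_AUTH, SAMPLE_IDENTITY, SAMPLE_EAP)
    print("same secret    :", verify_message_authenticator(SAMPLE_SECRET, pkt))
    print("mistyped secret:", verify_message_authenticator(SAMPLE_SECRET + b" ", pkt))
```

Note that a trailing space or a retyped character in the secret on either side is enough to make every EAP request fail this check before ACS ever looks at the certificate or AD.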

8 Replies


Tried that; also checked it with them different and I get nothing in the logs. Hence communication seems fine from switch to ACS???

Cheers

Scott

Ok!!

Checked that again and yes that stopped the message ;)

Now I am getting an external DB authentication failure; however, I don't see anything in the AD event viewer??

Thanks

Scott

Scott,

Check the unknown user policy settings and make sure you have proper permissions for the account running the ACS services.

Regards,

~JG

Do rate helpful posts

Hi Guys,

The plot thickens. I can authenticate via user 802.1x, and I can also authenticate the machine against my existing 4.1 ACS server; however, when using the new 4.2 server I get the external DB authentication failure??

Thanks for your help.

Scott

PS: all the settings are identical; also, the fact I can auth via user credentials proves the AD interop.

Cheers

Scott

Check the unknown user policy settings and the permission issue. Check out the auth.log; that will show more details about the issue.

Regards.

~JG

Hi Mate,

I have now done a fresh install of 4.1 and I can confirm that 4.1 works fine, so it would definitely indicate a 4.2 issue.

I will check the auth.log to get more details

Thanks

Scott
