ACS + Wired dot1x machine authentication

scott-goodwin
Level 1

Hi,

I am trying to set up wired machine-based authentication. I have followed this guide:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml#req

However, I simply get the same error all the time on ACS:

"Invalid message authenticator in EAP request"

Switch config:

interface GigabitEthernet0/46
 switchport access vlan 20
 switchport mode access
 media-type rj45
 dot1x pae authenticator
 dot1x port-control auto
 dot1x reauthentication
 dot1x guest-vlan 20

I am trying to set up group matching to perform VLAN assignment; however, I am just entering under the unknown user policy at the minute, with no VLAN assignment set up.

Can anyone shed any light on this? All I want to do is authenticate a machine via certificates and issue a VLAN ID based on the machine name and AD group matching. No user authentication; this can be done via the PDC.

Purely using machine auth.

Cheers

Scott

Accepted Solution

Jagdeep Gambhir
Level 10

Scott,

I recommend changing/retyping the shared secret on the switch as well as on the ACS server, for the AAA Client and the AAA server.

Regards,

~JG

Do rate helpful posts
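The error Scott quotes is what a RADIUS server reports when the HMAC in the Message-Authenticator attribute (RFC 2869, mandatory on EAP-carrying Access-Requests per RFC 3579) does not recompute under the server's copy of the shared secret. The block below is an added example, not code from the thread, from Cisco or from ACS: it builds an Access-Request carrying an EAP-Message the way a switch would, signs it with one secret, and verifies it with a matching and a mistyped secret. The secret values, identifier, request authenticator and host identity are constructed sample data.

```python
"""Compute and verify the RADIUS Message-Authenticator attribute (RFC 2869 / RFC 3579).

Added example, not from the thread. The secret, identifier, request authenticator
and identity below are constructed sample values.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) id(1) length(2) request-authenticator(16)


def attr(attr_type, value):
    """Encode one RADIUS attribute as Type/Length/Value (length covers the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_response_identity(eap_id, identity):
    """EAP Response (code 2) of type Identity (1), as a supplicant answers EAP-Request/Identity."""
    return struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity


def build_access_request(identifier, request_authenticator, secret, attributes):
    """Build an Access-Request and sign it with HMAC-MD5 keyed by the NAS/server shared secret.

    The HMAC covers the whole packet with the Message-Authenticator value set to 16 zero bytes.
    """
    placeholder = attributes + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(placeholder))
    header += request_authenticator
    mac = hmac.new(secret, header + placeholder, hashlib.md5).digest()
    return header + attributes + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_attributes(data):
    """Yield (type, offset_of_value, value) for each TLV; reject malformed lengths."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[i], data[i + 1]
        if attr_len < 2 or i + attr_len > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, i + 2, data[i + 2:i + attr_len]
        i += attr_len


def verify_message_authenticator(packet, secret):
    """Server-side check: recompute the HMAC with the server's copy of the secret.

    Returns False when the attribute is missing, the declared length is inconsistent,
    or the HMAC does not match (a mistyped secret on either side lands here).
    """
    if len(packet) < HEADER_LEN:
        return False
    (declared_len,) = struct.unpack("!H", packet[2:4])
    if declared_len != len(packet):
        return False
    try:
        attrs = list(parse_attributes(packet[HEADER_LEN:]))
    except ValueError:
        return False
    for attr_type, value_offset, value in attrs:
        if attr_type != ATTR_MESSAGE_AUTHENTICATOR:
            continue
        if len(value) != 16:
            return False
        pos = HEADER_LEN + value_offset
        zeroed = packet[:pos] + b"\x00" * 16 + packet[pos + 16:]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        return hmac.compare_digest(expected, value)
    return False


def simulate_secret_mismatch():
    """Same packet checked with the matching secret and with a mistyped one; returns (True, False)."""
    switch_secret = b"r4dius-sh4red"          # constructed: what the switch has configured
    mistyped_secret = b"r4dius-sh4red "       # constructed: trailing space pasted into the server
    request_authenticator = bytes(range(16))  # constructed; a real NAS uses random bytes
    identity = b"host/ws01.example.lab"       # constructed machine identity
    attrs = attr(ATTR_USER_NAME, identity) + attr(
        ATTR_EAP_MESSAGE, eap_response_identity(1, identity))
    packet = build_access_request(42, request_authenticator, switch_secret, attrs)
    return (verify_message_authenticator(packet, switch_secret),
            verify_message_authenticator(packet, mistyped_secret))


if __name__ == "__main__":
    print(simulate_secret_mismatch())
```

Because the keyed hash covers every byte of the request, a single trailing space or a differing character in either copy of the secret produces a rejection that looks identical to a corrupted packet, which is why retyping the secret on both sides, as the accepted answer suggests, is the first thing to check.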



Tried that; also checked it with them different, and I get nothing in the logs. Hence communication seems fine from switch to ACS???

Cheers

Scott

Ok!!

Checked that again, and yes, that stopped the message ;)

Now I am getting an external DB authentication failure; however, I don't see anything in the AD event viewer??

Thanks

Scott

Scott,

Check the unknown user policy settings and make sure you have the proper permissions for the account running the ACS services.

Regards,

~JG

Do rate helpful posts

Hi Guys,

The plot thickens: I can authenticate via user 802.1X, and I can also authenticate the machine against my existing 4.1 ACS server; however, when using the new 4.2 server I get the external DB authentication failure??

Thanks for your help.

Scott

PS: all the settings are identical; also, the fact that I can auth via user credentials proves the AD interop.

Cheers

Scott

Check the unknown user policy settings and the permission issue. Check out the auth.log; that will show more details about the issue.

Regards,

~JG

Hi Mate,

I have now done a fresh install of 4.1, and I can confirm that 4.1 works fine, so it would definitely indicate a 4.2 issue.

I will check the auth.log to get more details.

Thanks

Scott