Problem with EAP/MD5 behind ACSv4.2 Radius Proxy


Dear all,

I'm doing an 802.1x authenticated wired LAN with the following items:

802.1x client (Windows XP EAP-MD5 ) --> Cisco 3750 --- ACSv4.2 --ACSv4.2 (2)

My goal is that the user is authenticated at the second ACS server and authorized at the first ACS server.

It works fine with login-user, but fails with 802.1x authentication.

I tried to capture the packets with Wireshark and found that during 802.1x authentication the first ACS server did NOT forward the RADIUS Access-Request to the second ACS server, but in login-user authentication it did!!

Any ideas?


jhillend Wed, 10/29/2008 - 10:43

If you are using proxy, the second server provides all of the RADIUS functions (authentication and authorization). If you want to authenticate only to the 2nd ACS but provide authorization from the 1st, try the RADIUS Token Server external database option. This way only a RADIUS authentication request will be forwarded to the 2nd server while leaving the 1st server "in charge."

Note that this option is NOT limited to token processing.

Dear jhillend,

Yes, I'd configured the 1st ACS server to use the RADIUS Token Server external database option. It worked fine in authenticating login users, but in 802.1x authentication it failed. I tried to capture the traffic and found the 1st ACS server only forwarded the login authentication request to the 2nd server, but did not forward the dot1x authentication request.

The log in the 1st server said "Authentication Fail" and the Auth-Fail-Code is "External DB password invalid". But I did NOT capture any forwarded authentication request in dot1x authentication. The id / password should be okay since it works in login authentication.

I'm confused. The only difference between login authentication and dot1x authentication is the "Authentication Method"; I use EAP-MD5 in dot1x authentication.
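The following is an added illustration, not code from the thread or from Cisco ACS. It contrasts the two credential forms the poster is comparing: a PAP login request carries the password hidden with the RFC 2865 User-Password scheme, which a first-hop server that knows the NAS shared secret can reveal and re-hide for a backend server; an EAP-MD5 exchange (RFC 3748 section 5.4, the CHAP construction of RFC 1994) carries only MD5(Identifier || Password || Challenge), which a first-hop server can verify against a password it already holds but cannot turn back into a password to hand to another server. All secrets, authenticators and the `front_end_handles` simulation are constructed for the example and do not model ACS internals.

```python
import hashlib
import os


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 Response value: MD5(Identifier || Password || Challenge) (RFC 3748 / RFC 1994)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def eap_md5_verify(identifier: int, password: bytes, challenge: bytes, response: bytes) -> bool:
    """A verifier can only recompute the hash with a password it already knows."""
    return eap_md5_response(identifier, password, challenge) == response


def pap_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret || previous-block), where the first 'previous block' is the Request Authenticator."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        hidden += c
        prev = c
    return bytes(hidden)


def pap_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide_password; strips the RFC 2865 NUL padding (passwords must not end in NUL)."""
    clear = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        clear += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return bytes(clear).rstrip(b"\x00")


def front_end_handles(request: dict, nas_secret: bytes, backend_secret: bytes, local_passwords: dict) -> dict:
    """Constructed simulation of a first-hop server that must obtain a cleartext password
    to forward a credential to a backend. Returns what it can do with the request."""
    if request["method"] == "PAP":
        clear = pap_reveal_password(request["user_password"], nas_secret, request["authenticator"])
        new_auth = os.urandom(16)  # fresh Request Authenticator toward the backend
        return {
            "forwardable": True,
            "backend_user_password": pap_hide_password(clear, backend_secret, new_auth),
            "backend_authenticator": new_auth,
        }
    if request["method"] == "EAP-MD5":
        # Only the one-way response is present; the server can check it locally, nothing more.
        known = local_passwords.get(request["user"])
        verified = known is not None and eap_md5_verify(
            request["id"], known, request["challenge"], request["response"])
        return {"forwardable": False, "locally_verified": verified}
    raise ValueError("unsupported method: %r" % request["method"])


def demo() -> dict:
    """Builds one PAP and one EAP-MD5 request with constructed values and runs both."""
    nas_secret, backend_secret = b"nas-secret", b"backend-secret"
    password = b"correct horse battery"  # 21 bytes: exercises the two-block PAP path
    pap_auth = bytes(range(16))
    pap_req = {"method": "PAP", "user": "alice", "authenticator": pap_auth,
               "user_password": pap_hide_password(password, nas_secret, pap_auth)}
    challenge = bytes(range(16, 32))
    eap_req = {"method": "EAP-MD5", "user": "alice", "id": 7, "challenge": challenge,
               "response": eap_md5_response(7, password, challenge)}
    return {
        "pap": front_end_handles(pap_req, nas_secret, backend_secret, {}),
        "eap_unknown_user": front_end_handles(eap_req, nas_secret, backend_secret, {}),
        "eap_known_user": front_end_handles(eap_req, nas_secret, backend_secret, {"alice": password}),
        "backend_secret": backend_secret,
        "password": password,
    }


if __name__ == "__main__":
    r = demo()
    print("PAP forwardable:", r["pap"]["forwardable"])
    print("EAP-MD5 forwardable:", r["eap_known_user"]["forwardable"],
          "locally verified:", r["eap_known_user"]["locally_verified"])
```

Run it and the PAP request yields a re-hidden User-Password the backend can decode with its own secret, while the EAP-MD5 request yields nothing forwardable: it verifies only when the first-hop server already holds the user's password, which is the situation a "password invalid" result against an external database would reflect.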

