802.1x Authentication in Extreme architecture

Apr 20th, 2009

Hi all,

Objectives :

Authenticate a supplicant on an Extreme 802.1x port with an ACS SE 4.2

Supplicant = IP Phone

Authenticator: Switch Extreme 450 E

Authentication Server: ACS SE 1113

1) We have done the tests with a Windows ACS and everything runs correctly, the supplicant authenticates without any problem.

2) We have replicated the Windows ACS to the ACS SE. The 802.1x authentication does not work with the ACS SE but works with the Windows ACS.

3) We have uploaded UDVs and VSAs on the ACS SE and it still does not work.

These are the .csv files uploaded:

accountactionsVsa.csv (used for the vendor)

accountAttributes.csv (used for the vendor attributes)

accountProfile.csv (used for the Attributes profile)

accountvalues.csv (used for the Attributes values). This one is not in the attached files:

1,8,,,354,Disabled,1916,201,0,15/04/2009 10:00,,,,0

2,7,,,354,Enabled,1916,201,1,15/04/2009 10:00,,,,0

3,6,,,354,Disabled,1916,206,0,15/04/2009 10:00,,,,0

4,5,,,354,Enabled,1916,206,1,15/04/2009 10:00,,,,0

5,4,,,355,,,,,15/04/2009 10:00,,,,0

The message in the ACS Failed Attempts log is: "Bad Request from NAS".

We have verified the authenticator address and the secret key, everything is ok.

With Windows ACS we can see first an "Access-Request" between authenticator and authentication server. Next an "Access-Challenge" from authentication server to authenticator. Next an "Access-Request" between authenticator and authentication server and then an "Access-Accept" from authentication server to authenticator.

With ACS SE we can see first an "Access-Request" between authenticator and authentication server. Next an "Access-Reject" from authentication server to authenticator.

We have tried to understand the differences between the first "Access-Request" in the ACS Windows architecture and the first "Access-Request" in the ACS SE architecture. The only difference is in the Message-Authenticator (80).

Have you already had this kind of problem? How can I solve it?

Thanks for your replies.

Best regards.
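Since the thread narrows the difference between the two Access-Requests down to the Message-Authenticator (80) attribute, the following added example (not code from the thread or from Cisco) shows how that attribute is computed and how a defender can verify it on a captured Access-Request: HMAC-MD5 over the whole packet with the attribute value zeroed, keyed by the shared secret, as RFC 2869 section 5.14 defines it. The shared secret, the Request Authenticator and the EAP Response/Identity for user "ipphone01" are constructed sample values.

```python
import hashlib, hmac, struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

# Constructed sample values, not taken from the thread.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))  # fixed for reproducibility; a real NAS uses random bytes
SAMPLE_ATTRS = [
    (ATTR_USER_NAME, b"ipphone01"),
    (ATTR_EAP_MESSAGE, bytes([2, 1, 0, 14, 1]) + b"ipphone01"),  # EAP Response/Identity
]

def build_access_request(secret, identifier, attrs, authenticator, with_mac=True):
    """Serialise an Access-Request; with_mac adds a correct Message-Authenticator (RFC 2869 5.14)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if with_mac:  # the HMAC is computed with the attribute value set to 16 zero bytes
        body += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator
    if not with_mac:
        return header + body
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac

def parse_attributes(packet):
    """Yield (type, offset, value) for each attribute after the 20-byte RADIUS header."""
    pos = 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, pos, packet[pos + 2:pos + alen]
        pos += alen

def check_message_authenticator(packet, secret):
    """Return 'ok', 'mismatch', 'missing' (EAP-Message without attr 80) or 'absent'."""
    has_eap, mac_off, mac_val = False, None, None
    for atype, off, val in parse_attributes(packet):
        has_eap = has_eap or atype == ATTR_EAP_MESSAGE
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            mac_off, mac_val = off, val
    if mac_off is None:
        return "missing" if has_eap else "absent"  # RFC 3579 3.2 requires it alongside EAP-Message
    zeroed = packet[:mac_off + 2] + bytes(16) + packet[mac_off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "ok" if hmac.compare_digest(expected, mac_val) else "mismatch"
```

Running `check_message_authenticator` over the bytes of a captured Access-Request with the secret configured on the server tells you whether the NAS signed it under that secret, which separates a secret mismatch from a request the server simply rejects for other reasons.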

Jagdeep Gambhir Mon, 04/20/2009 - 01:39

Please be aware if you defined a key for the NDG, that key takes precedence over the keys defined for the individual devices in the NDG.

Ensure that the key defined for the NDG matches the secret key of the switch.



LudovicDS Mon, 04/20/2009 - 04:01

We do not use NDG, but we have done the test with NDG and the secret key was the same as the RADIUS client Extreme. So there is no problem of precedence.

Jagdeep Gambhir Mon, 04/20/2009 - 06:19

What do you see in auth.log and the remote agent logs? Please go to the remote agent system and get the logs from CSWinAgent.

C:\Program Files\Cisco\CiscoSecure ACS Agent\CSWinAgent\Logs

Please change the logging level to full and recreate the issue before getting the logs.



LudovicDS Mon, 04/20/2009 - 06:51

I have not implemented Remote Agent since I don't need it.

So I cannot view :\Program Files\Cisco\CiscoSecure ACS Agent\CSWinAgent\Logs

What kind of logging level do you mean? Administrative login? I have the maximum one.

sahmedshahcsd Mon, 04/20/2009 - 08:16

Do verify that the appropriate PEAP or EAP-TLS check boxes are selected under Global Authentication Setup.

If the Dot1x supplicant used is a Cisco supplicant, then you need to select Cisco LEAP as well under Global Authentication Setup in your ACS SE.



LudovicDS Mon, 04/20/2009 - 08:20

The supplicant only uses EAP-MD5 since it is an IP phone.

EAP-MD5 is already checked in Global Authentication Setup.

Just as a reminder:

802.1x runs on the Windows version but not on the SE version with the same configuration (we have done the test with a replication from the Windows version to the appliance SE version). Both ACS versions have the same configuration, but one is running and the other is not.


