Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1941
Views
0
Helpful
0
Replies

802.1x MAB with Juniper EX switch.

muhammadsafwan
Level 1
Level 1

‎03-18-2010 08:09 PM - edited ‎03-10-2019 05:00 PM

Hi,

I tried to authenticate user from juniper EX switch to Cisco ACS Radius. The ACS can authenticate normal user via 802.1x but not MAB.


I set in the acs to authenticate any request using RADIUS IETF.

I also tried to connect to different ACS server using the same config and supprisingly it works. The only different is the ACS do not has my certificate installed.

I attached the log for reference packet  capture for reference. It seems that the ACS replies encrpyted message to the EX switch

This is the log from EX switch ( i know, this is cisco forum, but i could give some clue.)

Feb 14 01:45:50.618026 Sending message to authentication client
Feb 14 01:45:50.622833 Received message from authentication client
Feb 14 01:45:50.622887 reply: 1cf7924 rply_hdr: 1cf9000 bytes_remnant len:28 reply_len:28
Feb 14 01:45:50.622917 hdr_bytes_read 0
Feb 14 01:45:50.622937 len read : 28 reply_len: 2983
Feb 14 01:45:50.622991 bytes_remnant 2955 tot_bytes_read 28
Feb 14 01:45:50.623028 bytes_read 2955
Feb 14 01:45:50.623048 Creating background job to process reply from authentication client
Feb 14 01:45:50.623117 Entering background job to process message from authentication client
Feb 14 01:45:50.623145 process_auth_reply len:2983
Feb 14 01:45:50.623182 Received Access-Challenge authentication message
Feb 14 01:45:50.623206 Invoking state machine for authentication response for mac address 00:1E:37:86:A2:04
Feb 14 01:45:50.623226  on intf ge-0/0/1.0

Feb 14 01:45:50.623259  ASIF: Handing over Server frame to Authenticator

Feb 14 01:45:50.623287  AUTH: Handling Server Frame

Feb 14 01:45:50.623318  SessNode got from SessIdtbl for Id 126 is : 1d1d000, Port: 67

Feb 14 01:45:50.623347 Code = 1, Id = 126, Len = 6

Feb 14 01:45:50.623375  ASIF: Handing over Server frame to Authenticator 67.

Feb 14 01:45:50.623403 PnacAsIfRecvFromServer : Rad Attr Statelen = 25
Feb 14 01:45:50.623421 Rad Attr Class Len = 0
Feb 14 01:45:50.623445 PnacAuthPrepareMD5Response Pkt type 25 is not MD5.

Feb 14 01:45:50.623473 PnacAuthMacRadiusReply : MD5 response prep failed.

Feb 14 01:45:50.623499 AuthHandleInServerFrame:MAC RADIUS RESP failed

3 people had this problem
Labels:
62343-Port Mirror.pcap.zip
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents