802.1x MAB with Juniper EX switch.

Unanswered Question
Mar 18th, 2010

Hi,

I tried to authenticate a user from a Juniper EX switch to Cisco ACS RADIUS. The ACS can authenticate a normal user via 802.1x but not MAB.


I set the ACS to authenticate any request using RADIUS IETF.

I also tried to connect to a different ACS server using the same config and, surprisingly, it works. The only difference is that that ACS does not have my certificate installed.

I attached the log and packet capture for reference. It seems that the ACS replies with an encrypted message to the EX switch.

This is the log from the EX switch (I know, this is a Cisco forum, but it could give some clue):

Feb 14 01:45:50.618026 Sending message to authentication client
Feb 14 01:45:50.622833 Received message from authentication client
Feb 14 01:45:50.622887 reply: 1cf7924 rply_hdr: 1cf9000 bytes_remnant len:28 reply_len:28
Feb 14 01:45:50.622917 hdr_bytes_read 0
Feb 14 01:45:50.622937 len read : 28 reply_len: 2983
Feb 14 01:45:50.622991 bytes_remnant 2955 tot_bytes_read 28
Feb 14 01:45:50.623028 bytes_read 2955
Feb 14 01:45:50.623048 Creating background job to process reply from authentication client
Feb 14 01:45:50.623117 Entering background job to process message from authentication client
Feb 14 01:45:50.623145 process_auth_reply len:2983
Feb 14 01:45:50.623182 Received Access-Challenge authentication message
Feb 14 01:45:50.623206 Invoking state machine for authentication response for mac address 00:1E:37:86:A2:04
Feb 14 01:45:50.623226  on intf ge-0/0/1.0

Feb 14 01:45:50.623259  ASIF: Handing over Server frame to Authenticator

Feb 14 01:45:50.623287  AUTH: Handling Server Frame

Feb 14 01:45:50.623318  SessNode got from SessIdtbl for Id 126 is : 1d1d000, Port: 67

Feb 14 01:45:50.623347 Code = 1, Id = 126, Len = 6

Feb 14 01:45:50.623375  ASIF: Handing over Server frame to Authenticator 67.

Feb 14 01:45:50.623403 PnacAsIfRecvFromServer : Rad Attr Statelen = 25
Feb 14 01:45:50.623421 Rad Attr Class Len = 0
Feb 14 01:45:50.623445 PnacAuthPrepareMD5Response Pkt type 25 is not MD5.

Feb 14 01:45:50.623473 PnacAuthMacRadiusReply : MD5 response prep failed.

Feb 14 01:45:50.623499 AuthHandleInServerFrame:MAC RADIUS RESP failed
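
The log above shows the switch rejecting an Access-Challenge whose EAP packet is type 25 rather than MD5. As an added example (not part of the original post, and not Juniper or Cisco code), this Python decodes the EAP-Message attribute of a RADIUS reply and names the EAP method the server is offering. The sample packet is constructed to match the logged `Code = 1, Id = 126, Len = 6`; the flags octet, the State value and the `md5_answerable` field name are assumptions.

```python
import struct

# EAP method numbers from the IANA EAP registry (subset).
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}
ATTR_STATE, ATTR_EAP_MESSAGE = 24, 79


def radius_attributes(packet: bytes):
    """Yield (type, value) pairs from a RADIUS packet (RFC 2865 layout)."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length")
    pos = 20  # skip code, id, length and the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def eap_from_radius(packet: bytes) -> dict:
    """Reassemble EAP-Message attributes and decode the EAP header."""
    eap = b"".join(v for t, v in radius_attributes(packet) if t == ATTR_EAP_MESSAGE)
    if len(eap) < 4:
        raise ValueError("no EAP packet")
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if length < 4 or length > len(eap):
        raise ValueError("bad EAP length")
    # Only Request (1) and Response (2) carry a type octet.
    etype = eap[4] if code in (1, 2) and length >= 5 else None
    return {"code": code, "id": ident, "len": length, "type": etype,
            "method": EAP_TYPES.get(etype, "unknown"),
            "md5_answerable": etype == 4}  # hypothetical field name


def build_sample_challenge() -> bytes:
    """Constructed Access-Challenge matching the log's Code=1, Id=126, Len=6."""
    eap = bytes([1, 126, 0, 6, 25, 0x20])          # flags octet is an assumed value
    attrs = bytes([ATTR_EAP_MESSAGE, 2 + len(eap)]) + eap
    attrs += bytes([ATTR_STATE, 2 + 23]) + b"S" * 23  # placeholder State value
    hdr = struct.pack("!BBH", 11, 126, 20 + len(attrs))  # 11 = Access-Challenge
    return hdr + bytes(16) + attrs                 # zeroed authenticator, sample only


if __name__ == "__main__":
    print(eap_from_radius(build_sample_challenge()))
```

Running the same decoder over the EAP-Message bytes from the packet captures of the working and failing ACS servers shows which EAP method each one offers for the MAC RADIUS request.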
