06-25-2010 12:48 AM - edited 03-10-2019 05:13 PM
Need help
1) We are implementing 802.1x authentication (MAC authentication) for the central location; each user needs to be authenticated through the laptop/desktop MAC address based on 802.1x. After authenticating, the user receives an IP address from the DHCP server.
2) We are using a separate DHCP server in the central location as well as at each location, which has been implemented in the switch.
3) For authentication we are using Cisco ACS 4.1, and authentication is based on IEEE.
4) In the central location all users are able to authenticate properly through ACS.
5) For remote branches, if we configure the 802.1x-related configuration, users are not able to get authenticated and are not able to attach to the network.
6) The central location and the remote locations use Class B and Class C network segments. All the switches in the remote locations work as transparent bridges.
Configuration in switch:
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
aaa session-id common
system mtu routing 1500
ip subnet-zero
ip dhcp excluded-address 192.168.108.1
ip dhcp excluded-address 192.168.108.1 192.168.108.5
!
ip dhcp pool LOCALLAN
network 192.168.108.0 255.255.255.0
default-router 192.168.108.1
dns-server 172.16.25.9 172.16.25.8
!
!
interface FastEthernet0/23
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x timeout tx-period 1
dot1x reauthentication
!
radius-server host 172.16.25.100 auth-port 1645 acct-port 1646 key 7 045802150C2E1D1C5A
The switch is not able to send EAPOL packets to ACS, and there is no blocking in the firewall for the 1645 and 1646 services.
Could you please help us regarding that problem so that we are able to mitigate the issue?
06-28-2010 01:38 AM
Hi Nitin,
The switch is in a different subnet to the RADIUS server. Is the switch able to see the RADIUS server OK? Can you ping the server from the switch? Does your RADIUS server show state as UP when issuing a 'show aaa servers' on the switch?
The client (supplicant) EAPOL frames will only travel as far as the switch (authenticator); after this the switch sends RADIUS information to ACS (authentication server). If you make sure you can see the RADIUS server from the switch, try debugging RADIUS on the switch to see what information it's sending and receiving.
HTH
Howard
Howard Hooper CCIE 23470
CCNP CCNA CCDA
MCP CWSE
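The two legs Howard describes, shown as an added example that is not part of this thread and not Cisco code: the supplicant's EAP-Response/Identity travels inside an EAPOL frame only as far as the switch port, and the switch (authenticator) re-wraps the EAP payload in a RADIUS Access-Request for ACS, protected by a Message-Authenticator keyed with the shared secret. Per RFC 3579 a server that computes a different Message-Authenticator silently discards the request, which from the switch looks like "requests go out, nothing comes back" in the `debug radius` output Howard suggests. Everything here is constructed: the MAC-style identity, the shared secret (the thread's type-7 string is not decoded or reused), the NAS-Port value, and the function names are all assumptions for the example.

```python
import hashlib
import hmac
import os
import struct

# Protocol constants (IEEE 802.1X EAPOL, RFC 3748 EAP, RFC 2865 / RFC 3579 RADIUS)
EAPOL_VERSION = 2
EAPOL_TYPE_EAP_PACKET = 0
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT = 5
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
RADIUS_HEADER_LEN = 20

def build_eapol_identity_response(identity: bytes, eap_id: int = 1) -> bytes:
    """Supplicant side: EAP-Response/Identity in an EAPOL EAP-Packet; this frame
    reaches the switch port and goes no further."""
    eap_len = 5 + len(identity)  # code(1) id(1) length(2) type(1) + data
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id, eap_len, EAP_TYPE_IDENTITY) + identity
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap

def extract_eap_from_eapol(eapol: bytes) -> bytes:
    """Authenticator side: drop the 4-byte EAPOL header, keep the EAP payload."""
    _version, ptype, length = struct.unpack("!BBH", eapol[:4])
    if ptype != EAPOL_TYPE_EAP_PACKET:
        raise ValueError("EAPOL frame does not carry an EAP packet")
    return eapol[4:4 + length]

def eap_identity(eap: bytes) -> bytes:
    """Identity string carried by an EAP-Response/Identity."""
    code, _eid, length, etype = struct.unpack("!BBHB", eap[:5])
    if code != EAP_CODE_RESPONSE or etype != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    return eap[5:length]

def _attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute as type / length / value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(eap: bytes, secret: bytes, nas_port: int,
                         req_id: int = 0, authenticator: bytes = None) -> bytes:
    """Authenticator side: wrap the EAP payload in a RADIUS Access-Request.
    Message-Authenticator is HMAC-MD5 over the packet with its own value zeroed,
    keyed with the shared secret; a secret mismatch makes the server drop it."""
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator: 16 random octets
    attrs = _attr(ATTR_USER_NAME, eap_identity(eap))
    attrs += _attr(ATTR_NAS_PORT, struct.pack("!I", nas_port))
    for i in range(0, len(eap), 253):  # EAP-Message holds at most 253 octets each
        attrs += _attr(ATTR_EAP_MESSAGE, eap[i:i + 253])
    zeroed_attrs = attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, req_id,
                         RADIUS_HEADER_LEN + len(zeroed_attrs)) + authenticator
    mac = hmac.new(secret, header + zeroed_attrs, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)

def find_attr(packet: bytes, attr_type: int):
    """(offset, value) of the first attribute of that type, or None."""
    pos = RADIUS_HEADER_LEN
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        if atype == attr_type:
            return pos, packet[pos + 2:pos + alen]
        pos += alen
    return None

def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Authentication-server side: recompute the HMAC with its shared secret."""
    found = find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
    if found is None:
        return False  # RFC 3579 requires it whenever EAP-Message is present
    pos, received = found
    zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)

def demo() -> dict:
    """Constructed walk-through with a MAB-style identity (a MAC address)."""
    identity = b"00-11-22-33-44-55"  # constructed sample MAC, not from the thread
    secret = b"constructed-shared-secret"  # constructed, not the thread's type-7 key
    eap = extract_eap_from_eapol(build_eapol_identity_response(identity))
    req = build_access_request(eap, secret, nas_port=23)  # 23 stands in for Fa0/23
    return {
        "identity": eap_identity(eap),
        "length_ok": struct.unpack("!H", req[2:4])[0] == len(req),
        "has_eap_message": find_attr(req, ATTR_EAP_MESSAGE) is not None,
        "right_secret": verify_message_authenticator(req, secret),
        "wrong_secret": verify_message_authenticator(req, b"typo-secret"),
    }

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the same Access-Request validating under the right secret and failing under a mistyped one; on a real switch the equivalent symptom is `debug radius` showing Access-Requests sent to 172.16.25.100 with no Access-Challenge or Access-Reject coming back, while a reachability problem (the ping and `show aaa servers` checks above) shows up instead as the server marked dead or the requests timing out.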