
3550 dot1.x+win2009radius+win7 supplicant

asentchernaev
Level 1

1. A 48-port Cisco 3550 Series switch running 12.2 with the enhanced feature set has to do dot1x for clients running the Windows 7 Pro OS. The RADIUS server must be Windows 2008 Standard.

2. Windows 2008 NPS is configured with a network policy and the appropriate NPS client settings. It works when I try to connect to it from a Linux machine with radtest. It doesn't work when I try to connect to it through the Cisco (trying from a Windows 7 client machine).

debug radius authentication tells me the authentication fails - the same information is in the server event log too: "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."

I saw the client sends the correct username (in the Cisco debug).

*Mar  1 06:23:57.298: RADIUS/ENCODE: Best Local IP-Address 10.10.3.250 for Radius-Server 10.10.3.3
*Mar  1 06:23:57.298: RADIUS(0000005B): Send Access-Request to 10.10.3.3:1645 id 1645/102, len 192
*Mar  1 06:23:57.298: RADIUS:  authenticator 79 AB 6F EA D2 D7 F7 24 - 6A 87 01 BF C1 E0 44 91
*Mar  1 06:23:57.298: RADIUS:  User-Name           [1]   23  "test@semointernal.com"
*Mar  1 06:23:57.298: RADIUS:  Service-Type        [6]   6   Framed                    [2]
*Mar  1 06:23:57.298: RADIUS:  Framed-MTU          [12]  6   1500
*Mar  1 06:23:57.298: RADIUS:  Called-Station-Id   [30]  19  "00-0D-BD-90-D3-07"
*Mar  1 06:23:57.298: RADIUS:  Calling-Station-Id  [31]  19  "00-1A-6B-69-82-B0"
*Mar  1 06:23:57.298: RADIUS:  EAP-Message         [79]  8
*Mar  1 06:23:57.298: RADIUS:   02 03 00 06 03 19
*Mar  1 06:23:57.298: RADIUS:  Message-Authenticato[80]  18
*Mar  1 06:23:57.298: RADIUS:   DD 3F 9D 53 E1 F4 5A 60 E9 81 5B EB 6A 1E D0 01            [ ?SZ`[j]
*Mar  1 06:23:57.298: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
*Mar  1 06:23:57.298: RADIUS:  NAS-Port            [5]   6   50007
*Mar  1 06:23:57.298: RADIUS:  NAS-Port-Id         [87]  17  "FastEthernet0/7"
*Mar  1 06:23:57.298: RADIUS:  State               [24]  38
*Mar   1 06:23:57.302: RADIUS:   15 14 01 DD 00 00 01 37 00 01 02 00 7F 00 00  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 46 22 08 AD                [ 7F"]
*Mar  1 06:23:57.302: RADIUS:  NAS-IP-Address      [4]   6   10.10.3.250
*Mar  1 06:23:57.306: RADIUS: Received from id 1645/102 10.10.3.3:1645, Access-Reject, len 44
*Mar  1 06:23:57.306: RADIUS:  authenticator 87 83 0F 8E 73 FC 79 6C - 27 82 55 3D 9D AB A2 42
*Mar  1 06:23:57.306: RADIUS:  EAP-Message         [79]  6
*Mar  1 06:23:57.306: RADIUS:   04 03 00 04
*Mar  1 06:23:57.306: RADIUS:  Message-Authenticato[80]  18
*Mar  1 06:23:57.306: RADIUS:   69 AC 62 1B C9 00 9E A8 FA 79 AD 7B 08 02 CE 8D              [ iby{]
*Mar  1 06:23:57.306: RADIUS(0000005B): Received from id 1645/102
*Mar  1 06:23:57.306: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
*Mar  1 06:23:57.414: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to up

When I remove the authentication, the Cisco reports ACCESS-ACCEPT, but the question mark on the network card settings in Windows 7 still exists. I think this is a second, separate problem.

3. The Windows 7 client machine is configured with dot1x authentication, EAP/PEAP and MSCHAPv2. The user and password, as I said, were correct. I tried with machines joined to the domain, not joined to the domain (in a workgroup) and joined to another domain. There is no difference.

4. The Cisco settings have been made according to http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/sw8021x.html and additionally as below - here I think I tried all the combinations.

Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control auto
Switch(config-if)# end
Switch(config)# interface fastethernet0/1
Switch(config-if)# dot1x port-control auto
Switch(config-if)# dot1x host-mode multi-host
Switch(config)# radius-server host 172.120.39.46 auth-port 1612 key rad123
Switch(config-if)# dot1x reauthentication


Can't understand what is wrong. Again - Windows 2008 NPS authenticates another user from Linux with radtest user password IP-address_of_radius 0 key
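The EAP-Message attributes in the debug above are the most useful clue in the post, so here is a small decoder for them (added example, not part of the original thread; the two byte strings are copied from the Access-Request and Access-Reject shown above). It reads the RFC 3748 EAP header and, for a Nak (type 3), lists the methods the supplicant is willing to use, which makes the "EAP Type cannot be processed" event on the NPS side easier to match against the switch debug.

```python
# Decoder for the EAP-Message payloads printed by "debug radius authentication".
# Added example, not from the original post; the byte strings in __main__ are
# copied from the debug output in the post above.
from dataclasses import dataclass, field
from typing import List, Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


@dataclass
class EapPacket:
    code: str
    identifier: int
    length: int
    eap_type: Optional[str] = None
    nak_wants: List[str] = field(default_factory=list)


def decode_eap(hex_bytes: str) -> EapPacket:
    """Parse one EAP packet: code, id, length, optional type byte and data."""
    raw = bytes.fromhex(hex_bytes)          # whitespace between bytes is ignored
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"length field {length} != {len(raw)} bytes captured")
    pkt = EapPacket(EAP_CODES.get(code, f"code {code}"), ident, length)
    # Success/Failure carry no type byte; Request/Response do.
    if code in (1, 2) and length >= 5:
        t = raw[4]
        pkt.eap_type = EAP_TYPES.get(t, f"type {t}")
        if t == 3:  # Nak: the data bytes list the methods the peer will accept
            pkt.nak_wants = [EAP_TYPES.get(b, f"type {b}") for b in raw[5:]]
    return pkt


def explain_exchange(response_hex: str, reply_hex: str) -> str:
    """Summarise a supplicant Response followed by the server's reply."""
    resp, reply = decode_eap(response_hex), decode_eap(reply_hex)
    if resp.eap_type == "Nak" and reply.code == "Failure":
        return (f"supplicant (id {resp.identifier}) asked for "
                f"{', '.join(resp.nak_wants)}; server answered EAP-Failure "
                f"(id {reply.identifier}): the policy does not offer that method")
    return f"{resp.code}/{resp.eap_type} -> {reply.code}"


if __name__ == "__main__":
    # Bytes taken from the Access-Request / Access-Reject in the debug above.
    print(explain_exchange("02 03 00 06 03 19", "04 03 00 04"))
```

Decoded, the Response is a Nak asking for PEAP (type 25) and the server's reply is a plain EAP-Failure, which is what the NPS event text describes.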

2 Replies

asentchernaev
Level 1

And of course,

dot1x pae authenticator exists in the switch config.


Try this port config:

switchport mode access
authentication control-direction in
authentication event fail action authorize vlan 1
authentication event no-response action authorize vlan 1
authentication host-mode multi-domain
authentication order dot1x
authentication priority dot1x
authentication port-control auto
authentication periodic
authentication timer restart 30
authentication timer reauthenticate 120
authentication violation protect
dot1x pae authenticator