08-20-2010 10:02 PM - edited 03-10-2019 05:21 PM
1. A 48-port Cisco 3550 Series switch (IOS 12.2, enhanced feature set) has to do dot1x for clients running Windows 7 Pro. The RADIUS server must be Windows 2008 Standard.
2. Windows 2008 NPS is configured with a network policy and the appropriate NPS client settings. It works when I try to connect to it from a Linux machine with radtest. It doesn't work when I try to connect to it from the Cisco (trying from a Windows 7 client machine).
debug radius authentication tells me the authentication fails; the same information is in the server event log too: "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."
I saw the client sends the correct username (in Cisco with debug).
1 06:23:57.298: RADIUS/ENCODE: Best Local IP-Address 10.10.3.250 for Radius-Server 10.10.3.3
*Mar 1 06:23:57.298: RADIUS(0000005B): Send Access-Request to 10.10.3.3:1645 id 1645/102, len 192
*Mar 1 06:23:57.298: RADIUS: authenticator 79 AB 6F EA D2 D7 F7 24 - 6A 87 01 BF C1 E0 44 91
*Mar 1 06:23:57.298: RADIUS: User-Name [1] 23 "test@semointernal.com"
*Mar 1 06:23:57.298: RADIUS: Service-Type [6] 6 Framed [2]
*Mar 1 06:23:57.298: RADIUS: Framed-MTU [12] 6 1500
*Mar 1 06:23:57.298: RADIUS: Called-Station-Id [30] 19 "00-0D-BD-90-D3-07"
*Mar 1 06:23:57.298: RADIUS: Calling-Station-Id [31] 19 "00-1A-6B-69-82-B0"
*Mar 1 06:23:57.298: RADIUS: EAP-Message [79] 8
*Mar 1 06:23:57.298: RADIUS: 02 03 00 06 03 19
*Mar 1 06:23:57.298: RADIUS: Message-Authenticato[80] 18
*Mar 1 06:23:57.298: RADIUS: DD 3F 9D 53 E1 F4 5A 60 E9 81 5B EB 6A 1E D0 01 [ ?SZ`[j]
*Mar 1 06:23:57.298: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Mar 1 06:23:57.298: RADIUS: NAS-Port [5] 6 50007
*Mar 1 06:23:57.298: RADIUS: NAS-Port-Id [87] 17 "FastEthernet0/7"
*Mar 1 06:23:57.298: RADIUS: State [24] 38
*Mar 1 06:23:57.302: RADIUS: 15 14 01 DD 00 00 01 37 00 01 02 00 7F 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 46 22 08 AD [ 7F"]
*Mar 1 06:23:57.302: RADIUS: NAS-IP-Address [4] 6 10.10.3.250
*Mar 1 06:23:57.306: RADIUS: Received from id 1645/102 10.10.3.3:1645, Access-Reject, len 44
*Mar 1 06:23:57.306: RADIUS: authenticator 87 83 0F 8E 73 FC 79 6C - 27 82 55 3D 9D AB A2 42
*Mar 1 06:23:57.306: RADIUS: EAP-Message [79] 6
*Mar 1 06:23:57.306: RADIUS: 04 03 00 04
*Mar 1 06:23:57.306: RADIUS: Message-Authenticato[80] 18
*Mar 1 06:23:57.306: RADIUS: 69 AC 62 1B C9 00 9E A8 FA 79 AD 7B 08 02 CE 8D [ iby{]
*Mar 1 06:23:57.306: RADIUS(0000005B): Received from id 1645/102
*Mar 1 06:23:57.306: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
*Mar 1 06:23:57.414: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to up
When I remove the authentication, Cisco tells ACCESS-ACCEPT, but the question mark on the network card settings in Windows 7 still exists. I think this is a second, separate problem.
3. The Windows 7 client machine is configured with dot1x authentication, EAP/PEAP and MSCHAPv2. The user and password, as I said, were correct. I tried with the machines joined to the domain, not joined to a domain (in a workgroup) and joined to another domain. There is no difference.
4. The Cisco settings have been made according to http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/sw8021x.html and additionally; here I think I tried all the combinations.
Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control auto
Switch(config-if)# end
Switch(config)# interface fastethernet0/1
Switch(config-if)# dot1x port-control auto
Switch(config-if)# dot1x host-mode multi-host
Switch(config)# radius-server host 172.l20.39.46 auth-port 1612 key rad123
Switch(config-if)# dot1x reauthentication
I can't understand what is wrong. Again: Windows 2008 NPS authenticates another user from Linux with radtest user password IP-address_of_radius 0 key.
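As an added example, not code from the original post: a small Python decoder for the EAP-Message bytes printed in the debug above, assuming the standard EAP packet layout (RFC 3748). Run on the two payloads, it shows the client's packet is an EAP Response/Nak asking for type 25 (PEAP) and the Access-Reject carries an EAP Failure, which is what the NPS event text about an EAP type the server cannot process describes.

```python
# Added example (not from the original post): decode the EAP-Message attribute
# payloads printed by "debug radius" so the failure mode is visible.
# Assumes the standard EAP packet layout (RFC 3748): code, id, 2-byte length,
# then type and type-data for Request/Response packets.

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {
    1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
    13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2",
}


def decode_eap(hex_bytes: str) -> dict:
    """Parse one EAP packet given as the space-separated hex from the debug."""
    data = bytes.fromhex(hex_bytes)
    if len(data) < 4:
        raise ValueError("EAP header is 4 bytes; got %d" % len(data))
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError("EAP length field %d but %d bytes present" % (length, len(data)))
    pkt = {"code": EAP_CODES.get(code, "unknown(%d)" % code), "id": ident}
    if code in (1, 2) and length >= 5:
        eap_type = data[4]
        pkt["type"] = EAP_TYPES.get(eap_type, "unknown(%d)" % eap_type)
        if eap_type == 3:  # Nak: type-data lists the methods the peer will accept
            pkt["desired"] = [EAP_TYPES.get(t, "unknown(%d)" % t) for t in data[5:]]
    return pkt


def explain(hex_bytes: str) -> str:
    """One-line diagnosis for the packets seen in the exchange above."""
    pkt = decode_eap(hex_bytes)
    if pkt["code"] == "Response" and pkt.get("type") == "Nak":
        return ("client refused the method the server offered and asks for "
                + "/".join(pkt["desired"])
                + "; the NPS network policy must offer that EAP type")
    if pkt["code"] == "Failure":
        return "server gave up: EAP-Failure inside Access-Reject"
    return "%s id=%d type=%s" % (pkt["code"], pkt["id"], pkt.get("type", "-"))


if __name__ == "__main__":
    # Bytes taken from the debug output above.
    for raw in ("02 03 00 06 03 19", "04 03 00 04"):
        print(raw, "->", explain(raw))
```

The State attribute and Message-Authenticator in the same debug are opaque to this decoder; only the EAP-Message payload lines are meant to be pasted in.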
08-20-2010 10:08 PM
And of course, dot1x pae authenticator exists in the switch config.
08-26-2010 04:44 AM
Try this port config:
switchport mode access
authentication control-direction in
authentication event fail action authorize vlan 1
authentication event no-response action authorize vlan 1
authentication host-mode multi-domain
authentication order dot1x
authentication priority dot1x
authentication port-control auto
authentication periodic
authentication timer restart 30
authentication timer reauthenticate 120
authentication violation protect
dot1x pae authenticator