NPS Radius

Fadi Najjar
Level 1

I'm trying to do dot1x auth with Win8K NPS and Cisco 2960 ios V15

laptops connecting to the switch always failed authentication

NPS logs do not show any communication from the switch

if I try to do a manual test

test aaa group radius server x.z.64.30 username password legacy

Attempting authentication test to server-group radius using radius

User was successfully authenticated.

Test-SW1#

*Mar  3 22:54:22.112: RADIUS: Pick NAS IP for u=0x3AC1560 tableid=0 cfg_addr=0.0.0.0

*Mar  3 22:54:22.112: RADIUS(00000000): Config NAS IPv6: ::

*Mar  3 22:54:22.112: RADIUS: ustruct sharecount=1

*Mar  3 22:54:22.112: Radius: radius_port_info() success=0 radius_nas_port=1

*Mar  3 22:54:22.112: RADIUS/ENCODE: Best Local IP-Address x.z.100.216 for Radius-Server 10.10.64.30

*Mar  3 22:54:22.112: RADIUS(00000000): Sending a IPv4 Radius Packet

*Mar  3 22:54:22.112: RADIUS(00000000): Started 4 sec timeout

*Mar  3 22:54:22.121: RADIUS: Received from id 1645/122 x.10.z.30:1645, Access-Accept, len 96

*Mar  3 22:54:22.121: RADIUS: saved authorization data for user 3AC1560 at 3A6B910

but when I try to connect a laptop to the switch

here is Radius debug

------------------

*Mar  3 22:43:38.589: %AUTHMGR-5-START: Starting 'dot1x' for client (0024.7edb.af34) on Interface Fa0/20 AuditSessionID 0A0A3FD8000001230F2D2BE4

*Mar  3 22:43:38.589: %AAA-3-BADSERVERTYPEERROR: Cannot process authentication server type *invalid_group_handle*

*Mar  3 22:43:38.597: %DOT1X-5-FAIL: Authentication failed for client (0024.7edb.af34) on Interface Fa0/20 AuditSessionID 0A0A3FD8000001230F2D2BE4

*Mar  3 22:43:38.597: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0024.7edb.af34) on Interface Fa0/20 AuditSessionID 0A0A3FD8000001230F2D2BE4

*Mar  3 22:43:38.597: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0024.7edb.af34) on Interface Fa0/20 AuditSessionID 0A0A3FD8000001230F2D2BE4

*Mar  3 22:43:40.560: %LINK-3-UPDOWN: Interface FastEthernet0/20, changed state to up

*Mar  3 22:43:41.567: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/20, changed state to up

-------------------------

please help

1 Reply 1

Bruno Costa
Level 1

I have this same problem. Could anyone help me, please?

----------------------------

Configs:

Server NPS W2016

Switch  WS-C2960+24PC-L    v.15.0(2)SE5

------------------------------

Cisco Switch configuration:

aaa new-model
!
!
aaa authentication login default local
aaa authentication login gerencia group radius
aaa authentication dot1x default group dot1xwired
aaa authorization network default group dot1xwired
aaa authorization auth-proxy default group dot1xwired
aaa accounting update periodic 60
aaa accounting dot1x default start-stop group dot1xwired
aaa accounting connection infra start-stop group radius
aaa accounting system default start-stop group dot1xwired
!
authentication mac-move permit
!
!!
interface Vlan600
description MNG
ip address 3.3.3.3 255.255.254.0
!
ip device tracking probe delay 10
ip device tracking
!
dot1x system-auth-control
!
ip radius source-interface Vlan600
!
radius server gerencia
address ipv4 2.2.2.2 auth-port 1645 acct-port 1646
key xxxxx
!
radius server dot1xwired
address ipv4 1.1.1.1 auth-port 1645 acct-port 1646
key xxxxx

--------------
Interface config:

interface FastEthernet0/11
description PORTA_DE_ACESSO
switchport access vlan 100
switchport mode access
switchport voice vlan 11
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable

__________________________________________

See the debug:

Jun 14 11:10:45: %AUTHMGR-5-START: Starting 'dot1x' for client (e411.5b25.e12d) on Interface Fa0/11 AuditSessionID 0A9021FE000000A203E8DA7F
Jun 14 11:10:45: %DOT1X-5-FAIL: Authentication failed for client (e411.5b25.e12d) on Interface Fa0/11 AuditSessionID 0A9021FE000000A203E8DA7F
SWA01_CCO_X#
Jun 14 11:10:45: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (e411.5b25.e12d) on Interface Fa0/11 AuditSessionID 0A9021FE000000A203E8DA7F
SWA01_CCO_X#
Jun 14 11:10:46: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/11, changed state to up
SWA01_CCO_X#
Jun 14 11:10:57: %DOT1X-5-FAIL: Authentication failed for client (e411.5b25.e12d) on Interface Fa0/11 AuditSessionID 0A9021FE000000A203E8DA7F
SWA01_CCO_X#
Jun 14 11:10:57: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (e411.5b25.e12d) on Interface Fa0/11 AuditSessionID 0A9021FE000000A203E8DA7F
SWA01_CCO_X#
Jun 14 11:11:22: %AAA-3-BADSERVERTYPEERROR: Cannot process authentication server type *invalid_group_handle*
Jun 14 11:11:22: %DOT1X-5-FAIL: Authentication failed for client (e411.5b25.e12d) on Interface Fa0/11 AuditSessionID 0A9021FE000000A203E8DA7F
Jun 14 11:11:22: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (e411.5b25.e12d) on Interface Fa0/11 AuditSessionID 0A9021FE000000A203E8DA7F
Jun 14 11:11:22: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (e411.5b25.e12
SWA01_CCO_X#d) on Interface Fa0/11 AuditSessionID 0A9021FE000000A203E8DA7F
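
An added example, not part of either post: in IOS a method list entry `group <name>` other than the built-in `radius` or `tacacs+` refers to an `aaa group server` block, and the configuration shown above defines `dot1xwired` only as a `radius server`. The check below flags such references, one thing to rule out when the log shows *invalid_group_handle*; the sample is constructed from the posted AAA lines, and the function name and the built-in list are assumptions of this example.

```python
import re

# Constructed sample: AAA-related lines copied from the switch configuration posted above.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication login gerencia group radius
aaa authentication dot1x default group dot1xwired
aaa authorization network default group dot1xwired
aaa accounting dot1x default start-stop group dot1xwired
radius server gerencia
 address ipv4 2.2.2.2 auth-port 1645 acct-port 1646
radius server dot1xwired
 address ipv4 1.1.1.1 auth-port 1645 acct-port 1646
"""

# Assumption of this example: only these group names resolve without an
# explicit "aaa group server" block.
BUILTIN_GROUPS = {"radius", "tacacs+"}

GROUP_DEF = re.compile(r"^aaa group server (?:radius|tacacs\+) (\S+)")
METHOD_LIST = re.compile(r"^aaa (?:authentication|authorization|accounting) ")
GROUP_REF = re.compile(r"\bgroup (\S+)")


def undefined_group_refs(config):
    """Return (line_number, group_name, line) for each method list that names
    a server group with no matching 'aaa group server' definition."""
    lines = [raw.strip() for raw in config.splitlines()]
    defined = set(BUILTIN_GROUPS)
    for line in lines:
        match = GROUP_DEF.match(line)
        if match:
            defined.add(match.group(1))
    findings = []
    for number, line in enumerate(lines, 1):
        if not METHOD_LIST.match(line):
            continue
        for name in GROUP_REF.findall(line):
            if name not in defined:
                findings.append((number, name, line))
    return findings


if __name__ == "__main__":
    for number, name, line in undefined_group_refs(SAMPLE_CONFIG):
        print(f"line {number}: group '{name}' is not defined: {line}")
```
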
