EAP-TLS SG300 vs. C2960G

m.dehkordy
Level 1

Update: to add to this, it is also working on a C2950 (12.1(22)EA14) but still not on a C2960G

Hello

I am attempting to set up 802.1x authentication on all of our switches.

I have successfully got EAP-TLS computer and phone authentication working via Cisco SG300 (FW 1.2.9.44), Windows NPS and FreeRadius. (phones authenticate to FreeRadius and Windows computers authenticate to NPS)

However the same computers do not authenticate when plugged into a C2960G (12.2(25)SEE2)

The switch sends the access request and NPS replies, but it looks as though there is either something wrong with the request to negotiate or the switch is just completely ignoring it.

Here is the debug from the switch

RADIUS:  AAA Unsupported     [161] 19
RADIUS:   47 69 67 61 62 69 74 45 74 68 65 72 6E 65 74 30  [GigabitEthernet0]
RADIUS:   2F                                               [/]
RADIUS(00000024): Storing nasport 50041 in rad_db
RADIUS(00000024): Config NAS IP: 0.0.0.0
RADIUS/ENCODE(00000024): acct_session_id: 15925248
RADIUS(00000024): sending
RADIUS/ENCODE: Best Local IP-Address 192.168.1.104 for Radius-Server 192.168.1.24
RADIUS(00000024): Send Access-Request to 192.168.1.24:1645 id 21645/78, len 175
RADIUS:  authenticator 17 FA 37 C1 51 19 F1 3E - 51 D1 17 33 9C 58 55 E2
RADIUS:  User-Name           [1]   32  "host/laptop01.local-domain.com"
RADIUS:  Service-Type        [6]   6   Framed                    [2]
RADIUS:  Framed-MTU          [12]  6   1500
RADIUS:  Called-Station-Id   [30]  19  "00-1A-6C-E7-F4-A9"
RADIUS:  Calling-Station-Id  [31]  19  "00-26-B9-CC-74-8B"
RADIUS:  EAP-Message         [79]  37
RADIUS:   02 02 00 23 01 68 6F 73 74 2F 6C 75 6B 6C 61 70  [???#?host/laptop]
RADIUS:   36 34 2E 6C 68 61 73 61 6C 69 6D 69 74 65 64 2E  [01.local-domain]
RADIUS:   6F 72 67                                         [com]
RADIUS:  Message-Authenticato[80]  18
RADIUS:   40 2E 67 59 BE 50 45 E4 0A B1 5F EF EC AC AE 55  [@.gY?PE???_????U]
RADIUS:  NAS-Port            [5]   6   50041
RADIUS:  NAS-Port-Type       [61]  6   Eth                       [15]
RADIUS:  NAS-IP-Address      [4]   6   192.168.1.104
%LINK-3-UPDOWN: Interface GigabitEthernet0/41, changed state to up
RADIUS: No response from (192.168.1.24:1645,1646) for id 21645/78
RADIUS/DECODE: parse response no app start; FAIL
RADIUS/DECODE: parse response; FAIL

Here are the EAP trace logs from the NPS server (the radius server 192.168.1.24)

[5860] 05-08 14:52:32:902: EapPeapBegin
[5860] 05-08 14:52:32:902: EapPeapBegin - flags(0x2)
[5860] 05-08 14:52:32:902: PeapReadUserData dwSize:0x80
[5860] 05-08 14:52:32:902:
[5860] 05-08 14:52:32:902: EapTlsBegin(localdomain\laptop01$)
[5860] 05-08 14:52:32:902: SetupMachineChangeNotification
[5860] 05-08 14:52:32:902: State change to Initial
[5860] 05-08 14:52:32:902: EapTlsBegin: Detected PEAP authentication
[5860] 05-08 14:52:32:902: MaxTLSMessageLength is now 16384
[5860] 05-08 14:52:32:902: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[5860] 05-08 14:52:32:902: CRYPT_E_REVOCATION_OFFLINE will not be ignored
[5860] 05-08 14:52:32:902: The root cert will not be checked for revocation
[5860] 05-08 14:52:32:902: The cert will be checked for revocation
[5860] 05-08 14:52:32:902: Unable to read TLS version registry key, return code 2
[5860] 05-08 14:52:32:902: EapPeapBegin done
[5860] 05-08 14:52:32:902: EapPeapMakeMessage
[5860] 05-08 14:52:32:902: EapPeapSMakeMessage, flags(0x405)
[5860] 05-08 14:52:32:902: EapPeapSMakeMessage, user prop flags(0x1)
[5860] 05-08 14:52:32:902: PEAP:PEAP_STATE_INITIAL
[5860] 05-08 14:52:32:902: EapTlsSMakeMessage, state(0)
[5860] 05-08 14:52:32:902: EapTlsReset
[5860] 05-08 14:52:32:902: State change to Initial
[5860] 05-08 14:52:32:902: EapGetCredentials
[5860] 05-08 14:52:32:902: Flag is Server and Store is local Machine
[5860] 05-08 14:52:32:902: GetCachedCredentials Flags = 0x40e1
[5860] 05-08 14:52:32:902: FindNodeInCachedCredList, flags(0x40e1), default cached creds(0), check thread token(1)
[5860] 05-08 14:52:32:902: pNode->dwCredFlags = 0x14
[5860] 05-08 14:52:32:902: pNode->dwCredFlags = 0x12
[5860] 05-08 14:52:32:902: GetCachedCredentials: Using Cached Credentials
[5860] 05-08 14:52:32:902: GetCachedCredentials: Hash of the cert in the cache is
69 F0 63 1B 54 D9 25 14 2C 89 99 3F 62 76 A6 0C |i.c.T.%.,..?bv..|
A3 55 5F AB 00 00 00 00 00 00 00 00 00 00 00 00 |.U_.............|
[5860] 05-08 14:52:32:902: Certificate public key length = 1024 bits
[5860] 05-08 14:52:32:902: BuildPacket
[5860] 05-08 14:52:32:902: << Sending Request (Code: 1) packet: Id: 3, Length: 6, Type: 13, TLS blob length: 0. Flags: S
[5860] 05-08 14:52:32:902: State change to SentStart
[5860] 05-08 14:52:32:902: EapPeapSMakeMessage done
[5860] 05-08 14:52:32:902: EapPeapMakeMessage done

For comparison, here is an EAP trace log from when it works with the SG300 switch

[5048] 05-08 13:24:38:565: EapPeapBegin
[5048] 05-08 13:24:38:565: EapPeapBegin - flags(0x2)
[5048] 05-08 13:24:38:565: PeapReadUserData dwSize:0x80
[5048] 05-08 13:24:38:565:
[5048] 05-08 13:24:38:565: EapTlsBegin(domain\laptop01$)
[5048] 05-08 13:24:38:565: SetupMachineChangeNotification
[5048] 05-08 13:24:38:565: State change to Initial
[5048] 05-08 13:24:38:565: EapTlsBegin: Detected PEAP authentication
[5048] 05-08 13:24:38:565: MaxTLSMessageLength is now 16384
[5048] 05-08 13:24:38:565: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[5048] 05-08 13:24:38:565: CRYPT_E_REVOCATION_OFFLINE will not be ignored
[5048] 05-08 13:24:38:565: The root cert will not be checked for revocation
[5048] 05-08 13:24:38:565: The cert will be checked for revocation
[5048] 05-08 13:24:38:565: Unable to read TLS version registry key, return code 2
[5048] 05-08 13:24:38:565: EapPeapBegin done
[5048] 05-08 13:24:38:565: EapPeapMakeMessage
[5048] 05-08 13:24:38:565: EapPeapSMakeMessage, flags(0x405)
[5048] 05-08 13:24:38:565: EapPeapSMakeMessage, user prop flags(0x1)
[5048] 05-08 13:24:38:565: PEAP:PEAP_STATE_INITIAL
[5048] 05-08 13:24:38:565: EapTlsSMakeMessage, state(0)
[5048] 05-08 13:24:38:565: EapTlsReset
[5048] 05-08 13:24:38:565: State change to Initial
[5048] 05-08 13:24:38:565: EapGetCredentials
[5048] 05-08 13:24:38:565: Flag is Server and Store is local Machine
[5048] 05-08 13:24:38:565: GetCachedCredentials Flags = 0x40e1
[5048] 05-08 13:24:38:565: FindNodeInCachedCredList, flags(0x40e1), default cached creds(0), check thread token(1)
[5048] 05-08 13:24:38:565: pNode->dwCredFlags = 0x14
[5048] 05-08 13:24:38:565: pNode->dwCredFlags = 0x12
[5048] 05-08 13:24:38:565: GetCachedCredentials: Using Cached Credentials
[5048] 05-08 13:24:38:565: GetCachedCredentials: Hash of the cert in the cache is
69 F0 63 1B 54 D9 25 14 2C 89 99 3F 62 76 A6 0C |i.c.T.%.,..?bv..|
A3 55 5F AB 00 00 00 00 00 00 00 00 00 00 00 00 |.U_.............|
[5048] 05-08 13:24:38:565: Certificate public key length = 1024 bits
[5048] 05-08 13:24:38:565: BuildPacket
[5048] 05-08 13:24:38:565: << Sending Request (Code: 1) packet: Id: 7, Length: 6, Type: 13, TLS blob length: 0. Flags: S
[5048] 05-08 13:24:38:565: State change to SentStart
[5048] 05-08 13:24:38:565: EapPeapSMakeMessage done
[5048] 05-08 13:24:38:565: EapPeapMakeMessage done
[5048] 05-08 13:24:38:565: EapPeapEnd
[5048] 05-08 13:24:38:565: EapTlsEnd
[5048] 05-08 13:24:38:565: EapTlsEnd(domain\laptop01$)
[5048] 05-08 13:24:38:565: EapTlsEnd
[5048] 05-08 13:24:38:565: EapPeapEnd done
[5048] 05-08 13:24:38:565: EapPeapEnd
[5048] 05-08 13:24:38:565: EapTlsEnd
[5048] 05-08 13:24:38:565: EapTlsEnd(domain\laptop01$)
[5048] 05-08 13:24:38:565: EapTlsEnd
[5048] 05-08 13:24:38:565: EapPeapEnd done
[5048] 05-08 13:24:38:565: EapPeapEnd
[5048] 05-08 13:24:38:565: EapTlsEnd
[5048] 05-08 13:24:38:565: EapTlsEnd(domain\laptop01$)
[5048] 05-08 13:24:38:565: EapTlsEnd
[5048] 05-08 13:24:38:565: EapPeapEnd done
[5860] 05-08 13:24:38:580: EapPeapMakeMessage
[5860] 05-08 13:24:38:580: EapPeapSMakeMessage, flags(0x405)
[5860] 05-08 13:24:38:580: EapPeapSMakeMessage, user prop flags(0x1)
[5860] 05-08 13:24:38:580: Cloned PPP_EAP_PACKET packet
[5860] 05-08 13:24:38:580: PEAP:PEAP_STATE_TLS_INPROGRESS
[5860] 05-08 13:24:38:580: EapTlsSMakeMessage, state(1)
[5860] 05-08 13:24:38:580: MakeReplyMessage
[5860] 05-08 13:24:38:580: Reallocating input TLS blob buffer
[5860] 05-08 13:24:38:580: SecurityContextFunction
[5860] 05-08 13:24:38:596: AcceptSecurityContext returned 0x90312
[5860] 05-08 13:24:38:596: State change to SentHello
[5860] 05-08 13:24:38:596: BuildPacket
[5860] 05-08 13:24:38:596: << Sending Request (Code: 1) packet: Id: 8, Length: 1468, Type: 13, TLS blob length: 1458. Flags: L
[5860] 05-08 13:24:38:596: EapPeapSMakeMessage done
[5860] 05-08 13:24:38:596: EapPeapMakeMessage done
[5048] 05-08 13:24:38:611: EapPeapMakeMessage
[5048] 05-08 13:24:38:611: EapPeapSMakeMessage, flags(0x605)
[5048] 05-08 13:24:38:611: EapPeapSMakeMessage, user prop flags(0x1)
[5048] 05-08 13:24:38:611: Cloned PPP_EAP_PACKET packet
[5048] 05-08 13:24:38:611: PEAP:PEAP_STATE_TLS_INPROGRESS
[5048] 05-08 13:24:38:611: EapTlsSMakeMessage, state(2)
[5048] 05-08 13:24:38:611: MakeReplyMessage
[5048] 05-08 13:24:38:611: Reallocating input TLS blob buffer
[5048] 05-08 13:24:38:611: SecurityContextFunction
[5048] 05-08 13:24:38:611: AcceptSecurityContext returned 0x0
[5048] 05-08 13:24:38:611: PEAP: Negotiated protocol and cipher information (SecPkgContext_ConnectionInfo)                         
                              dwProtocol = 64                         
                                aiCipher = 26126                         
                        dwCipherStrength = 128                         
                                  aiHash = 32772                         
                          dwHashStrength = 160                         
                                  aiExch = 41984                         
                          dwExchStrength = 1024
[5048] 05-08 13:24:38:611: AuthenticateUser
[5048] 05-08 13:24:38:611: Got no credentials from the client and executing PEAP. This is normal for PEAP.
[5048] 05-08 13:24:38:611: CreateMPPEKeyAttributes
[5048] 05-08 13:24:38:611: State change to SentFinished
[5048] 05-08 13:24:38:611: BuildPacket
[5048] 05-08 13:24:38:611: << Sending Request (Code: 1) packet: Id: 9, Length: 69, Type: 13, TLS blob length: 59. Flags: L
[5048] 05-08 13:24:38:611: EapPeapSMakeMessage done
[5048] 05-08 13:24:38:611: EapPeapMakeMessage done
[5860] 05-08 13:24:38:611: EapPeapMakeMessage
[5860] 05-08 13:24:38:611: EapPeapSMakeMessage, flags(0x605)
[5860] 05-08 13:24:38:611: EapPeapSMakeMessage, user prop flags(0x1)
[5860] 05-08 13:24:38:611: Cloned PPP_EAP_PACKET packet
[5860] 05-08 13:24:38:611: PEAP:PEAP_STATE_TLS_INPROGRESS
[5860] 05-08 13:24:38:611: EapTlsSMakeMessage, state(3)
[5860] 05-08 13:24:38:611: Negotiation successful
[5860] 05-08 13:24:38:611: IsTLSSessionReconnect
[5860] 05-08 13:24:38:611: Full Tls authentication performed
[5860] 05-08 13:24:38:611: BuildPacket
[5860] 05-08 13:24:38:611: << Sending Success (Code: 3) packet: Id: 9, Length: 4, Type: 0, TLS blob length: 0. Flags:
[5860] 05-08 13:24:38:611: AuthResultCode = (0), bCode = (3)
[5860] 05-08 13:24:38:611: PeapGetTunnelProperties
[5860] 05-08 13:24:38:611: Successfully negotiated TLS with following parametersdwProtocol = 0x40, Cipher= 0x660e, CipherStrength=0x80, Hash=0x8004
[5860] 05-08 13:24:38:611: PeapGetTunnelProperties done
[5860] 05-08 13:24:38:611: GetTLSSessionCookie
[5860] 05-08 13:24:38:611: IsTLSSessionReconnect
[5860] 05-08 13:24:38:611: Full Tls authentication performed
[5860] 05-08 13:24:38:611: Full authentication
[5860] 05-08 13:24:38:611: PeapEncryptTunnelData
[5860] 05-08 13:24:38:611: Blob length 37
[5860] 05-08 13:24:38:611: PeapEncryptTunnelData completed with status 0x0
[5860] 05-08 13:24:38:611: EapPeapSMakeMessage done
[5860] 05-08 13:24:38:611: EapPeapMakeMessage done
[5048] 05-08 13:24:38:627: EapPeapMakeMessage
[5048] 05-08 13:24:38:627: EapPeapSMakeMessage, flags(0x605)
[5048] 05-08 13:24:38:627: EapPeapSMakeMessage, user prop flags(0x1)
[5048] 05-08 13:24:38:627: Cloned PPP_EAP_PACKET packet
[5048] 05-08 13:24:38:627: PEAP:PEAP_STATE_IDENTITY_REQUEST_SENT
[5048] 05-08 13:24:38:627: PeapDecryptTunnelData dwSizeofData = 69, pData = 0xdb1c17c6
[5048] 05-08 13:24:38:627: Blob length 69
[5048] 05-08 13:24:38:627: PeapDecryptTunnelData completed with status 0x0
[5048] 05-08 13:24:38:627:  Buffer length is 31
[5048] 05-08 13:24:38:627: PEAP: Sending PEAP capabilities request to client
[5048] 05-08 13:24:38:627: PeapEncryptTunnelData
[5048] 05-08 13:24:38:627: Blob length 53
[5048] 05-08 13:24:38:627: PeapEncryptTunnelData completed with status 0x0
[5048] 05-08 13:24:38:627: EapPeapSMakeMessage done
[5048] 05-08 13:24:38:627: EapPeapMakeMessage done
[5860] 05-08 13:24:38:627: EapPeapMakeMessage
[5860] 05-08 13:24:38:627: EapPeapSMakeMessage, flags(0x605)
[5860] 05-08 13:24:38:627: EapPeapSMakeMessage, user prop flags(0x1)
[5860] 05-08 13:24:38:627: Cloned PPP_EAP_PACKET packet
[5860] 05-08 13:24:38:627: PEAP:PEAP_STATE_CAPABILITIES_REQ_SENT
[5860] 05-08 13:24:38:627: PeapDecryptTunnelData dwSizeofData = 53, pData = 0x9b09c1c6
[5860] 05-08 13:24:38:627: Blob length 53
[5860] 05-08 13:24:38:627: PeapDecryptTunnelData completed with status 0x0
[5860] 05-08 13:24:38:627:  Buffer length is 16
[5860] 05-08 13:24:38:627: PEAP: Received PEAP capabilities response from client
[5860] 05-08 13:24:38:627: Client is Inner fragmentation Capable
[5860] 05-08 13:24:38:643:
[5860] 05-08 13:24:38:643: EapTlsBegin(domain\laptop01$)
[5860] 05-08 13:24:38:643: SetupMachineChangeNotification
[5860] 05-08 13:24:38:643: State change to Initial
[5860] 05-08 13:24:38:643: EapTlsBegin: Detected PEAP authentication
[5860] 05-08 13:24:38:643: MaxTLSMessageLength is now 16384
[5860] 05-08 13:24:38:643: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[5860] 05-08 13:24:38:643: CRYPT_E_REVOCATION_OFFLINE will not be ignored
[5860] 05-08 13:24:38:643: The root cert will not be checked for revocation
[5860] 05-08 13:24:38:643: The cert will be checked for revocation
[5860] 05-08 13:24:38:643: Unable to read TLS version registry key, return code 2
[5860] 05-08 13:24:38:643:
[5860] 05-08 13:24:38:643: EapTlsMakeMessage(domain\laptop01$)
[5860] 05-08 13:24:38:643: EapTlsSMakeMessage, state(0)
[5860] 05-08 13:24:38:643: EapTlsReset
[5860] 05-08 13:24:38:643: State change to Initial
[5860] 05-08 13:24:38:643: EapGetCredentials
[5860] 05-08 13:24:38:643: Flag is Server and Store is local Machine
[5860] 05-08 13:24:38:643: GetCachedCredentials Flags = 0x10061
[5860] 05-08 13:24:38:643: FindNodeInCachedCredList, flags(0x10061), default cached creds(0), check thread token(1)
[5860] 05-08 13:24:38:643: pNode->dwCredFlags = 0x14
[5860] 05-08 13:24:38:643: GetCachedCredentials: Using Cached Credentials
[5860] 05-08 13:24:38:643: GetCachedCredentials: Hash of the cert in the cache is
69 F0 63 1B 54 D9 25 14 2C 89 99 3F 62 76 A6 0C |i.c.T.%.,..?bv..|
A3 55 5F AB 00 00 00 00 00 00 00 00 00 00 00 00 |.U_.............|
[5860] 05-08 13:24:38:643: Certificate public key length = 1024 bits
[5860] 05-08 13:24:38:643: BuildPacket
[5860] 05-08 13:24:38:643: << Sending Request (Code: 1) packet: Id: 12, Length: 6, Type: 13, TLS blob length: 0. Flags: S
[5860] 05-08 13:24:38:643: State change to SentStart
[5860] 05-08 13:24:38:643: PeapEncryptTunnelData
[5860] 05-08 13:24:38:643: Blob length 37
[5860] 05-08 13:24:38:643: PeapEncryptTunnelData completed with status 0x0
[5860] 05-08 13:24:38:643: EapPeapSMakeMessage done
[5860] 05-08 13:24:38:643: EapPeapMakeMessage done
[5048] 05-08 13:24:38:643: EapPeapMakeMessage
[5048] 05-08 13:24:38:643: EapPeapSMakeMessage, flags(0x605)
[5048] 05-08 13:24:38:643: EapPeapSMakeMessage, user prop flags(0x1)
[5048] 05-08 13:24:38:643: Cloned PPP_EAP_PACKET packet
[5048] 05-08 13:24:38:643: PEAP:PEAP_STATE_EAP_TYPE_INPROGRESS
[5048] 05-08 13:24:38:643: PeapDecryptTunnelData dwSizeofData = 165, pData = 0xfea4a436
[5048] 05-08 13:24:38:643: Blob length 165
[5048] 05-08 13:24:38:643: PeapDecryptTunnelData completed with status 0x0
[5048] 05-08 13:24:38:643:  Buffer length is 135
[5048] 05-08 13:24:38:643:
[5048] 05-08 13:24:38:643: EapTlsMakeMessage(domain\laptop01$)
[5048] 05-08 13:24:38:643: >> Received Response (Code: 2) packet: Id: 12, Length: 139, Type: 13, TLS blob length: 129. Flags: L
[5048] 05-08 13:24:38:643: EapTlsSMakeMessage, state(1)
[5048] 05-08 13:24:38:643: MakeReplyMessage
[5048] 05-08 13:24:38:643: Reallocating input TLS blob buffer
[5048] 05-08 13:24:38:643: SecurityContextFunction
[5048] 05-08 13:24:38:643: AcceptSecurityContext returned 0x90312
[5048] 05-08 13:24:38:643: State change to SentHello
[5048] 05-08 13:24:38:643: BuildPacket
[5048] 05-08 13:24:38:643: << Sending Request (Code: 1) packet: Id: 13, Length: 155, Type: 13, TLS blob length: 145. Flags: L
[5048] 05-08 13:24:38:643: PeapEncryptTunnelData
[5048] 05-08 13:24:38:643: Blob length 181
[5048] 05-08 13:24:38:643: PeapEncryptTunnelData completed with status 0x0
[5048] 05-08 13:24:38:643: EapPeapSMakeMessage done
[5048] 05-08 13:24:38:643: EapPeapMakeMessage done
[5860] 05-08 13:24:38:658: EapPeapMakeMessage
[5860] 05-08 13:24:38:658: EapPeapSMakeMessage, flags(0x605)
[5860] 05-08 13:24:38:658: EapPeapSMakeMessage, user prop flags(0x1)
[5860] 05-08 13:24:38:658: Cloned PPP_EAP_PACKET packet
[5860] 05-08 13:24:38:658: PEAP:PEAP_STATE_EAP_TYPE_INPROGRESS
[5860] 05-08 13:24:38:658: PeapDecryptTunnelData dwSizeofData = 101, pData = 0xcce918d6
[5860] 05-08 13:24:38:658: Blob length 101
[5860] 05-08 13:24:38:658: PeapDecryptTunnelData completed with status 0x0
[5860] 05-08 13:24:38:658:  Buffer length is 65
[5860] 05-08 13:24:38:658:
[5860] 05-08 13:24:38:658: EapTlsMakeMessage(domain\laptop01$)
[5860] 05-08 13:24:38:658: >> Received Response (Code: 2) packet: Id: 13, Length: 69, Type: 13, TLS blob length: 59. Flags: L
[5860] 05-08 13:24:38:658: EapTlsSMakeMessage, state(2)
[5860] 05-08 13:24:38:658: MakeReplyMessage
[5860] 05-08 13:24:38:658: SecurityContextFunction
[5860] 05-08 13:24:38:658: AcceptSecurityContext returned 0x0
[5860] 05-08 13:24:38:658: EAPTLS: Negotiated protocol and cipher information (SecPkgContext_ConnectionInfo)                         
                              dwProtocol = 64                         
                                aiCipher = 26126                         
                        dwCipherStrength = 128                         
                                  aiHash = 32772                         
                          dwHashStrength = 160                         
                                  aiExch = 41984                         
                          dwExchStrength = 1024
[5860] 05-08 13:24:38:658: AuthenticateUser
[5860] 05-08 13:24:38:658: DwGetEKUUsage
[5860] 05-08 13:24:38:658: GetEKUUsage
[5860] 05-08 13:24:38:658: Number of EKUs on the cert are 2
[5860] 05-08 13:24:38:658: FCheckPolicy
[5860] 05-08 13:24:38:658: FCheckPolicy done.
[5860] 05-08 13:24:38:658: FCheckUsage: All-Purpose: 1
[5860] 05-08 13:24:38:658: CheckUserName
[5860] 05-08 13:24:38:658: CreateOIDAttributes
[5860] 05-08 13:24:38:658: CreateMPPEKeyAttributes
[5860] 05-08 13:24:38:658: State change to SentFinished
[5860] 05-08 13:24:38:658: Negotiation successful
[5860] 05-08 13:24:38:658: IsTLSSessionReconnect
[5860] 05-08 13:24:38:658: TlsReconnect performed
[5860] 05-08 13:24:38:658: BuildPacket
[5860] 05-08 13:24:38:658: << Sending Success (Code: 3) packet: Id: 14, Length: 4, Type: 0, TLS blob length: 0. Flags:
[5860] 05-08 13:24:38:658: AuthResultCode = (0), bCode = (3)
[5860] 05-08 13:24:38:658: PeapSetTypeUserAttributes
[5860] 05-08 13:24:38:658: RasAuthAttributeConcat
[5860] 05-08 13:24:38:658: Peap passing Inner Method attributes
[5860] 05-08 13:24:38:658: EapPeapSMakeMessage done
[5860] 05-08 13:24:38:658: EapPeapMakeMessage done
[5860] 05-08 13:24:38:658: EapPeapMakeMessage
[5860] 05-08 13:24:38:658: EapPeapSMakeMessage, flags(0x605)
[5860] 05-08 13:24:38:658: EapPeapSMakeMessage, user prop flags(0x1)
[5860] 05-08 13:24:38:658: PEAP:PEAP_STATE_WAIT_FOR_SERVER_TLV
[5860] 05-08 13:24:38:658: CreateEAPTLVPacket
[5860] 05-08 13:24:38:658: TLV contents:
80 03 00 02 00 01 00 00 00 00 00 00 00 00 00 00 |................|
[5860] 05-08 13:24:38:658: Found a status TLV
[5860] 05-08 13:24:38:658: Client returned Success TLV
[5860] 05-08 13:24:38:658: Creating Cryptobinding TLV
[5860] 05-08 13:24:38:658: Adding Cryptobinding TLV
[5860] 05-08 13:24:38:658: CreateCryptoBindingTLV
[5860] 05-08 13:24:38:658: HmacSha1
[5860] 05-08 13:24:38:658: HmacSha1
[5860] 05-08 13:24:38:658: HmacSha1
[5860] 05-08 13:24:38:658: HmacSha1
[5860] 05-08 13:24:38:658: PeapEncryptTunnelData
[5860] 05-08 13:24:38:658: Blob length 101
[5860] 05-08 13:24:38:658: PeapEncryptTunnelData completed with status 0x0
[5860] 05-08 13:24:38:658: EapPeapSMakeMessage done
[5860] 05-08 13:24:38:658: EapPeapMakeMessage done
[5048] 05-08 13:24:38:674: EapPeapMakeMessage
[5048] 05-08 13:24:38:674: EapPeapSMakeMessage, flags(0x605)
[5048] 05-08 13:24:38:674: EapPeapSMakeMessage, user prop flags(0x1)
[5048] 05-08 13:24:38:674: Cloned PPP_EAP_PACKET packet
[5048] 05-08 13:24:38:674: PEAP:PEAP_STATE_PEAP_SUCCESS_SEND
[5048] 05-08 13:24:38:674: PeapDecryptTunnelData dwSizeofData = 101, pData = 0xbd8c6ea6
[5048] 05-08 13:24:38:674: Blob length 101
[5048] 05-08 13:24:38:674: PeapDecryptTunnelData completed with status 0x0
[5048] 05-08 13:24:38:674:  Buffer length is 71
[5048] 05-08 13:24:38:674: IsEapTLVInsidePEAP
[5048] 05-08 13:24:38:674: CheckForUnsupportedMandatoryTLV
[5048] 05-08 13:24:38:674: GetPEAPTLVStatusMessageValueServer
[5048] 05-08 13:24:38:674: Found a result TLV 1
[5048] 05-08 13:24:38:674: GetTLV
[5048] 05-08 13:24:38:674: CreateCryptoBindingTLV
[5048] 05-08 13:24:38:674: HmacSha1
[5048] 05-08 13:24:38:674: HmacSha1
[5048] 05-08 13:24:38:674: HmacSha1
[5048] 05-08 13:24:38:674: HmacSha1
[5048] 05-08 13:24:38:674: HmacSha1
[5048] 05-08 13:24:38:674: HmacSha1
[5048] 05-08 13:24:38:674: HmacSha1
[5048] 05-08 13:24:38:674: HmacSha1
[5048] 05-08 13:24:38:674: HmacSha1
[5048] 05-08 13:24:38:674: HmacSha1
[5048] 05-08 13:24:38:674: HmacSha1
[5048] 05-08 13:24:38:674: PeapCreateCookie
[5048] 05-08 13:24:38:674: SetTLSSessionCookie
[5048] 05-08 13:24:38:674: Session cookie set successfully
[5048] 05-08 13:24:38:674: SetTLSFastReconnect
[5048] 05-08 13:24:38:674: IsTLSSessionReconnect
[5048] 05-08 13:24:38:674: Full Tls authentication performed
[5048] 05-08 13:24:38:674: Error enabling Fast Reconnects : 0x80090302
[5048] 05-08 13:24:38:674: PeapAddContextAttributes
[5048] 05-08 13:24:38:674: RasAuthAttributeConcat
[5048] 05-08 13:24:38:674: EapPeapSMakeMessage done
[5048] 05-08 13:24:38:674: EapPeapMakeMessage done

 

I am at a loss here, I cannot understand why it is working with the SG300 but the C2960 is failing to negotiate.
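An added example (not part of the original post, and not Cisco or Microsoft tooling): a small Python parser for the NPS EAP trace format shown above that lists the EAP packets NPS logged and reports where the exchange stopped, plus a decoder for the EAP header at the start of the switch's `EAP-Message` attribute. The sample inputs are a few lines excerpted from the two traces and the first five bytes from the switch debug; the function names and verdict labels are assumptions of this example.

```python
import re

# Matches the packet lines of the NPS EAP trace format shown in the post.
PACKET_RE = re.compile(
    r"(?P<dir><<|>>) (?:Sending|Received) (?P<kind>\w+) \(Code: (?P<code>\d+)\) "
    r"packet: Id: (?P<id>\d+), Length: (?P<length>\d+), Type: (?P<type>\d+), "
    r"TLS blob length: (?P<blob>\d+)\. Flags: ?(?P<flags>[A-Z]*)"
)
STATE_RE = re.compile(r"State change to (\w+)")


def decode_eap_header(hex_bytes):
    """Decode Code, Id, Length and Type from the first bytes of an EAP-Message."""
    raw = bytes.fromhex(hex_bytes.replace(" ", ""))
    if len(raw) < 5:
        raise ValueError("need at least 5 bytes: code, id, length(2), type")
    return {"code": raw[0], "id": raw[1],
            "length": int.from_bytes(raw[2:4], "big"), "type": raw[4]}


def summarize(trace):
    """Return the logged packets, last TLS state and a verdict for one trace."""
    packets, states = [], []
    for line in trace.splitlines():
        m = PACKET_RE.search(line)
        if m:
            pkt = {k: int(m[k]) for k in ("code", "id", "length", "type", "blob")}
            pkt["sent"] = m["dir"] == "<<"   # "<<" is NPS sending, ">>" receiving
            pkt["flags"] = m["flags"]
            packets.append(pkt)
            continue
        s = STATE_RE.search(line)
        if s:
            states.append(s.group(1))
    sent = [p for p in packets if p["sent"]]
    if any(p["code"] == 3 for p in sent):        # EAP Success
        verdict = "success"
    elif any(p["code"] == 4 for p in sent):      # EAP Failure
        verdict = "failure_sent"
    elif sent and "S" in sent[-1]["flags"] and sent[-1]["blob"] == 0:
        # NPS offered the TLS Start and logged nothing afterwards.
        verdict = "stalled_after_tls_start"
    else:
        verdict = "incomplete"
    return {"packets": packets,
            "last_state": states[-1] if states else None,
            "verdict": verdict}


# First five bytes of the EAP-Message attribute in the switch debug above.
EAP_HEADER = "02 02 00 23 01"

# Lines excerpted from the C2960G trace in the post (most lines omitted).
FAILING = """\
[5860] 05-08 14:52:32:902: State change to Initial
[5860] 05-08 14:52:32:902: << Sending Request (Code: 1) packet: Id: 3, Length: 6, Type: 13, TLS blob length: 0. Flags: S
[5860] 05-08 14:52:32:902: State change to SentStart
"""

# Lines excerpted from the SG300 trace in the post (most lines omitted).
WORKING = """\
[5048] 05-08 13:24:38:565: << Sending Request (Code: 1) packet: Id: 7, Length: 6, Type: 13, TLS blob length: 0. Flags: S
[5048] 05-08 13:24:38:565: State change to SentStart
[5860] 05-08 13:24:38:596: State change to SentHello
[5860] 05-08 13:24:38:596: << Sending Request (Code: 1) packet: Id: 8, Length: 1468, Type: 13, TLS blob length: 1458. Flags: L
[5048] 05-08 13:24:38:611: State change to SentFinished
[5048] 05-08 13:24:38:611: << Sending Request (Code: 1) packet: Id: 9, Length: 69, Type: 13, TLS blob length: 59. Flags: L
[5860] 05-08 13:24:38:611: << Sending Success (Code: 3) packet: Id: 9, Length: 4, Type: 0, TLS blob length: 0. Flags:
"""

if __name__ == "__main__":
    print("switch EAP-Message header:", decode_eap_header(EAP_HEADER))
    for name, trace in (("C2960G", FAILING), ("SG300", WORKING)):
        result = summarize(trace)
        print(name, result["verdict"], "last state:", result["last_state"])
```

For the C2960G excerpt the result is `stalled_after_tls_start`: NPS logged the EAP-TLS Start request (Id 3, following the Identity response with Id 2 that the switch forwarded) and nothing after it, which is consistent with the switch's "No response" and "parse response; FAIL" lines.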

4 Replies

network.moh
Level 1

Hello Dehkordy,

 

Could you please let me know which command you used to configure radius with 2960? And I would like to know which switch acts as access and which switch is the distribution switch? Did you configure SG300 in L3 mode, or is it by default L2?

 

Thanks, 

Upgrading IOS to 122-55.SE10 fixed the issue.

 

Commands I have used are....

 

aaa new-model

aaa authentication dot1x default group radius

dot1x system-auth-control

interface
 authentication port-control auto
 dot1x pae authenticator

 

 

As mentioned, it is fixed with the latest IOS, so I am not sure what has changed between the two versions.

 

 

 

  

No, I had my radius server in the config (see debug log, it is contacting radius IP)

The resolution was upgrading the IOS version, not config related.
