Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

3Com VSA and 802.1x end-station authentication

I am using the CiscoSecure ACS v3.3 build 11 on Windows to handle authentication of some network devices. I had added in a VSA for our 3Com 4400-series switches which allowed us to authenticate against our Windows AD for administration of the switches. The VSA is below:

---------------------------------

[User Defined Vendor]

Name=3Com

IETF Code=43

VSA 1=3Com-User-Access-Level

[3Com-User-Access-Level]

Type=INTEGER

Profile=OUT

Enums=3Com-User-Access-Level-Values

[3Com-User-Access-Level-Values]

1=Monitor

2=Manager

3=Administrator

------------------------------

This has been working well.

The complication started when I was tasked with implementing 802.1x authentication for the end-nodes on these 4400-series switches (Windows XPsp2 clients). After doing the initial configuration, I was getting a "Bad request from NAS" in the ACS logs. As I feared, the fact that the 4400s, the NASes, were using the Radius (3Com) interface configuration as shown above, this seems to exclude the 802.1x authentication from happening. I moved the 4400 in question out of the radius group using the 3com VSA and into just a IETF Radius VSA and the users were able to authenticate just fine using 802.1x. Of course, it seems to be one or the other, I can't seem to have radius authentication to the switches themselves AND authentication of devices hanging off the switch at the same time. I suspect that if I add the IETF parameters to the VSA above, I might be able to accomplish both, but I don't know what the format would look like. Of course, I can't have the switch in two different AAA Client groups, so one client group needs to be able to do both.

Any ideas?

-Scott

2 REPLIES
Silver

Re: 3Com VSA and 802.1x end-station authentication

The "Bad request from NAS" error indicates one of four things:

1. Invalid key - (do not cut and paste as this cause a key mismatch)

2. Wrong IP in authentication request

3. Wrong protocol specified in Network Configuration for NAS

4. Special characters in Key.

New Member

Re: 3Com VSA and 802.1x end-station authentication

Thanks. I figure one of those is probably true, especially since the information being passed as an administrator trying to connect to the switch autenticating against the ACS is going to be different than an 802.1x user trying to authenticate against the ACS. The problem right now is that it's an either/or scenario, and I'm trying to figure out how to make it so that the tacacs+ authentication to the switch AND 802.1x authentication can occur at the same time, which would seem to involve having a VSA that incorporated elements of both.

In short -

1. Configure the ACS to handle the 3Com VSA, then you can authenticate against the switch via tacacs+ but not 802.1x users (get the "Bad request from NAS" error, which I would expect)

2. Configure the ACS to handle the 3com via just straight radius and then 802.1x authentication works, but authentication for administration to the switch doesn't work.

Ideally, both should be able to occur at the same time I would think.

-Scott

739
Views
0
Helpful
2
Replies
CreatePlease to create content