Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

802.1x MAB with Juniper EX switch.

Hi,

I tried to authenticate user from juniper EX switch to Cisco ACS Radius. The ACS can authenticate normal user via 802.1x but not MAB.


I set in the acs to authenticate any request using RADIUS IETF.

I also tried to connect to different ACS server using the same config and supprisingly it works. The only different is the ACS do not has my certificate installed.

I attached the log for reference packet  capture for reference. It seems that the ACS replies encrpyted message to the EX switch

This is the log from EX switch ( i know, this is cisco forum, but i could give some clue.)

Feb 14 01:45:50.618026 Sending message to authentication client
Feb 14 01:45:50.622833 Received message from authentication client
Feb 14 01:45:50.622887 reply: 1cf7924 rply_hdr: 1cf9000 bytes_remnant len:28 reply_len:28
Feb 14 01:45:50.622917 hdr_bytes_read 0
Feb 14 01:45:50.622937 len read : 28 reply_len: 2983
Feb 14 01:45:50.622991 bytes_remnant 2955 tot_bytes_read 28
Feb 14 01:45:50.623028 bytes_read 2955
Feb 14 01:45:50.623048 Creating background job to process reply from authentication client
Feb 14 01:45:50.623117 Entering background job to process message from authentication client
Feb 14 01:45:50.623145 process_auth_reply len:2983
Feb 14 01:45:50.623182 Received Access-Challenge authentication message
Feb 14 01:45:50.623206 Invoking state machine for authentication response for mac address 00:1E:37:86:A2:04
Feb 14 01:45:50.623226  on intf ge-0/0/1.0

Feb 14 01:45:50.623259  ASIF: Handing over Server frame to Authenticator

Feb 14 01:45:50.623287  AUTH: Handling Server Frame

Feb 14 01:45:50.623318  SessNode got from SessIdtbl for Id 126 is : 1d1d000, Port: 67

Feb 14 01:45:50.623347 Code = 1, Id = 126, Len = 6

Feb 14 01:45:50.623375  ASIF: Handing over Server frame to Authenticator 67.

Feb 14 01:45:50.623403 PnacAsIfRecvFromServer : Rad Attr Statelen = 25
Feb 14 01:45:50.623421 Rad Attr Class Len = 0
Feb 14 01:45:50.623445 PnacAuthPrepareMD5Response Pkt type 25 is not MD5.

Feb 14 01:45:50.623473 PnacAuthMacRadiusReply : MD5 response prep failed.

Feb 14 01:45:50.623499 AuthHandleInServerFrame:MAC RADIUS RESP failed

958
Views
0
Helpful
0
Replies