Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

802.1x Port Authentication via RADIUS

I am investigating implementing 802.1x port authentication on our network.

I have a test LAN with a Catalyst 2950 switch and 2 Win XP workstations, (I know its pretty basic, but should be enough for testing purposes). One of these XP PCs is running a Win32 RADIUS server and the other has been configured for 802.1x authentication with MD5-Challenge. Both switch ports are configured for the default vlan and can ping each other.

I have configured the switch with the following commands

aaa new-model

aaa authentication dot1x default group radius

dot1x system-auth-control

radius-server host x.x.x.x key test

and the port to be authorised has been configured with

dot1x port-control auto

As far as I can tell this is all I need to configure on the switch, please correct me if I am wrong.

When I plug the PC into the port I get the request to enter login details, which I do, the RADIUS server sees the request but rejects it, because 'the password wasn’t available'. Here is the output from the request, but there isnt any password field and I know there should be as the RADIUS server comes with a test utility and the output from that is similar to below, but the password field is included. I have removed IP/MAC addresses.

Client address [x.x.x.x]

NAS address [x.x.x.x]


Realm = def

User = Administrator

Code = Access request

ID = 26

Length = 169

Authenticator = 0xCCD65F510764D2B2635563104D0C2601

NAS-IP-Address = x.x.x.x

NAS-Port = 50024

NAS-Port-Type = Ethernet

User-Name = Administrator

Called-Station-Id = 00-11-00-11-00-11

Calling-Station-Id = 11-00-11-00-11-00

Service-Type = Framed

Framed-MTU = 1500

State = 0x3170020000FCB47C00

EAP-Message = 0x0201002304106424F60D765905F614983F30504A87BA41646D696E6973747261746F72

Message-Authenticator = 0xA119F2FD6E7384F093A5EE1BF4F761EC

Client address [x.x.x.x]

NAS address [x.x.x.x]


Realm = def

User = Administrator

Code = Access reject

ID = 26

Length = 0

Authenticator = 0xCCD65F510764D2B2635563104D0C2601

EAP-Message = 0x04010004

Message-Authenticator = 0x00000000000000000000000000000000

On the 2950 I have turned on debugging with 'debug dot1x all' and part of the output is below:

*Mar 2 01:58:38: dot1x-ev:Username is Administrator

*Mar 2 01:58:38: dot1x-ev:MAC Address is 0011.0011.0011

*Mar 2 01:58:38: dot1x-ev:RemAddr is 00-11-00-11-00-11/00-11-00-11-00-11

*Mar 2 01:58:38: dot1x-ev:going to send to backend on SP, length = 26

*Mar 2 01:58:38: dot1x-ev:Received VLAN is No Vlan

*Mar 2 01:58:38: dot1x-ev:Enqueued the response to BackEnd

*Mar 2 01:58:38: dot1x-ev:Sent to Bend

*Mar 2 01:58:38: dot1x-ev:Received QUEUE EVENT in response to AAA Request

*Mar 2 01:58:38: dot1x-ev:Dot1x matching request-response found

*Mar 2 01:58:38: dot1x-ev:Length of recv eap packet from radius = 26

*Mar 2 01:58:38: dot1x-ev:Received VLAN Id -1

Again there doesn’t appear to be a password, shouldn't I see one?

Ultimately we will be using a Unix RADIUS server but for testing purposes I have just configured an eval version of Clearbox's RADIUS server. I've tried others as I thought the problem maybe the software, but I get similar problems regardless. If anyone can recommend better Win32 software, please do so.

I'm struggling to figure out where the problem is, the XP machine, the switch or the RADIUS server. Any advice would be appreciated as it's getting quite frustrating.

Cisco Employee

Re: 802.1x Port Authentication via RADIUS

These are dot1x event debugs, so you wouldn't see this with that debug. The closest thing to seeing it would be to debug radius on the switch, and the password would be contained in RADIUS Attribute[79]. The switch uses this attribute to replay the EAP message (unmodified) to a RADIUS server. You might see it, but it's encrytped, so it might not buy you much. I'm sure you can imagine from a security point of view why the switch won't/shouldn't have this much visibility into this ;-).

I would recommend either:

a) Double-checking your RADIUS setup and logs to find out why the user failed. (double-check the RADIUS key configured on the switch too .. it must match).

b) Downloading a third-party supplicant from Meetinghouse or Funk to use as a control.

Eval copies are available on their websites.

Hope this helps,