New Member

ACS + Wired dot1x machine authentication

Hi,

I am trying to set up wired machine-based authentication. I have followed this guide:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml#req

However I simply get the same error all the time on ACS.

Invalid message authenticator in EAP request

Switch config:

    interface GigabitEthernet0/46
     switchport access vlan 20
     switchport mode access
     media-type rj45
     dot1x pae authenticator
     dot1x port-control auto
     dot1x reauthentication
     dot1x guest-vlan 20

I am trying to set up group matching to perform VLAN assignment; however, I am just entering under the unknown user policy at the minute with no VLAN assignment set up.

Can anyone shed any light on this? All I want to do is authenticate a machine via certificates and issue a VLAN ID based on the machine name and AD group matching. No user authentication; this can be done via the PDC.

Purely using machine auth.

Cheers

Scott

Accepted Solution

Re: ACS + Wired dot1x machine authentication

Scott,

I recommend changing/retyping the shared secret on the switch as well as on the ACS server for the AAA Client and AAA server.

Regards,

~JG

Do rate helpful posts
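The failure the accepted answer points at is the RADIUS Message-Authenticator check: the switch computes an HMAC-MD5 over the Access-Request with its copy of the shared secret, and ACS recomputes it with its own copy, so any mismatch (a typo, trailing space, or stale entry) rejects the EAP request before the EAP payload is even looked at. The following is an added Python example, not code from the thread or from Cisco; the secrets, NAS identifier and machine name are constructed.

```python
import hashlib
import hmac
import os
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869 / RFC 3579)

def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: type, length (incl. header), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(secret: bytes, ident: int, req_auth: bytes, attrs: bytes) -> bytes:
    """NAS side: Access-Request whose Message-Authenticator is HMAC-MD5 over the
    whole packet, keyed with the shared secret, with the attribute zeroed."""
    body = attrs + attr(MSG_AUTH, bytes(16))
    header = struct.pack("!BBH", 1, ident, 20 + len(body)) + req_auth  # code 1
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + attrs + attr(MSG_AUTH, mac)

def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server side: recompute the HMAC under our copy of the secret. A mismatch is
    exactly the 'Invalid message authenticator' condition; the EAP payload is
    never examined because it cannot be trusted."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, attrs, pos, zeroed, received = packet[:20], packet[20:], 0, b"", None
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return False  # malformed attribute
        if atype == MSG_AUTH and alen == 18:
            received = attrs[pos + 2:pos + 18]
            zeroed += attrs[pos:pos + 2] + bytes(16)
        else:
            zeroed += attrs[pos:pos + alen]
        pos += alen
    if received is None:
        return False  # RFC 3579 s3.2: mandatory when EAP-Message is present
    expected = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)

def demo() -> tuple:
    """Constructed sample: the NAS sends an EAP Response/Identity for a machine
    account; the server checks it with a matching and a mismatched secret."""
    eap_identity = struct.pack("!BBHB", 2, 1, 14, 1) + b"host/PC01"  # constructed
    attrs = attr(1, b"host/PC01") + attr(79, eap_identity)  # User-Name, EAP-Message
    req_auth = os.urandom(16)
    pkt = build_access_request(b"switch-secret", 7, req_auth, attrs)
    return (verify_message_authenticator(b"switch-secret", pkt),
            verify_message_authenticator(b"swtich-secret", pkt))  # typo'd secret
```

`demo()` returns `(True, False)`: the same packet passes with the correct secret and fails with the mistyped one, which is why retyping the secret on both sides is the first thing to check.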

8 REPLIES


New Member

Re: ACS + Wired dot1x machine authentication

Tried that; also checked it with them different, and I get nothing in the logs. Hence communication seems fine from switch to ACS???

Cheers

Scott

New Member

Re: ACS + Wired dot1x machine authentication

Ok!!

Checked that again and yes that stopped the message ;)

Now I am getting an external DB authentication failure; however, I don't see anything in the AD event viewer??

Thanks

Scott

Re: ACS + Wired dot1x machine authentication

Scott,

Check the unknown user policy settings and make sure you have proper permissions for the account running the ACS services.

Regards,

~JG

Do rate helpful posts

New Member

Re: ACS + Wired dot1x machine authentication

Hi Guys,

The plot thickens: I can authenticate via user 802.1x, and I can also authenticate the machine against my existing 4.1 ACS server; however, when using the new 4.2 server I get the external DB authentication failure??

Thanks for your help.

Scott

New Member

Re: ACS + Wired dot1x machine authentication

PS: all the settings are identical; also, the fact that I can auth via user credentials proves the AD interop.

Cheers

Scott

Re: ACS + Wired dot1x machine authentication

Check the unknown user policy settings and the permission issue. Check out the auth.log; that will show more details about the issue.

Regards.

~JG

New Member

Re: ACS + Wired dot1x machine authentication

Hi Mate,

I have now done a fresh install of 4.1, and I can confirm that 4.1 works fine, so it would definitely indicate a 4.2 issue.

I will check the auth.log to get more details.

Thanks

Scott
