New Member

No Radius-accept-request received on Radius server

Hi,

I'm trying to access my network through 802.1X Radius authentication. My PC is connected to a 2950 switch with following configuration:

aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 11.0.0.2 key Ralf

On interface level (connection to PC):

switchport mode access
switchport access vlan 8
dot1x port-control auto

On interface level (connection to Radius server):

switchport mode access
switchport access vlan 8

I enabled 802.1X authentication on my PC via the service 'Wired Autoconfig', and in the tab authentication (one of the tabs of the interface configuration) I chose PEAP.

Result:

When I trace my PC-interface with Wireshark, I see an EAPOL EAP-Request and an EAP-Response message. The next message in the flow should be a Radius-Accept-request message but it seems that this message is never sent. Although, when I open a 'debug radius' session on the switch, the logs are indicating that the accept-request message is sent. Strange because I see no message coming in on the Radius-server interface.

The Radius-server has IP-address 11.0.0.2 and my PC 11.0.0.3.

Does anybody see a reason why the Radius-Accept-Request message is not received on my Radius-server interface?

Kind regards, Ralf.

2 REPLIES
Cisco Employee

Re: No Radius-accept-request received on Radius server

Hi,

When using PEAP, the authentication is not as simple as that.

This is the PEAP authentication process:

http://layer3.files.wordpress.com/2009/08/wireless-security-peap.jpg

Here you can see the switch as the AP.

So, after the first EAP-Response message, the ACS must reply with an Access-Challenge containing the EAP-TLS start, so the encryption tunnel can be started.

One possible reason for this not to happen is simply because the ACS does not support PEAP and/or does not contain the server certificate needed to build the TLS tunnel.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

New Member

Re: No Radius-accept-request received on Radius server

I found a solution to my problem. I administered an IP-address for the VLAN-interface on the switch:

int vlan 8
 ip address 11.0.0.4 255.255.255.0

Apparently the switch needs an IP-address to send the Radius-accept-request from.

Next step is to get a Radius-server running and get the PC authenticated.
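The fix from the last reply, turned into a configuration check. This is an added example, not part of the original thread: it reads IOS-style configuration text and lists every RADIUS server the switch has no addressed interface to source packets towards. The interface name FastEthernet0/1, the function name, and the simplified rule (server on a connected subnet, or an addressed interface plus `ip default-gateway`) are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample: the switch configuration from the original post,
# before the VLAN interface was given an address.
# "FastEthernet0/1" is a hypothetical port name; the post does not name it.
BEFORE = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 11.0.0.2 key Ralf
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 8
 dot1x port-control auto
"""

# The same configuration plus the fix from the last reply.
AFTER = BEFORE + """\
interface Vlan8
 ip address 11.0.0.4 255.255.255.0
"""


def unreachable_radius_servers(config):
    """Return RADIUS server IPs the switch cannot source packets towards."""
    servers = re.findall(r"^radius-server host (\S+)", config, re.M)
    # Each indented "ip address A.B.C.D MASK" line is a possible source address.
    networks = [
        ipaddress.ip_interface(f"{addr}/{mask}").network
        for addr, mask in re.findall(r"^\s+ip address (\S+) (\S+)", config, re.M)
    ]
    # Assumption: a layer-2 switch leaves its own subnet only via
    # "ip default-gateway", and only if it has an address to send from.
    has_gateway = bool(networks) and bool(
        re.search(r"^ip default-gateway \S+", config, re.M)
    )
    missing = []
    for server in servers:
        on_link = any(ipaddress.ip_address(server) in net for net in networks)
        if not (on_link or has_gateway):
            missing.append(server)
    return missing


if __name__ == "__main__":
    print("before fix:", unreachable_radius_servers(BEFORE))
    print("after fix: ", unreachable_radius_servers(AFTER))
```
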
