10-29-2008 02:48 AM - edited 03-10-2019 04:09 PM
Dear all,
I'm doing an 802.1x authenticated wired LAN with the following items:
802.1x client (Windows XP EAP-MD5) --> Cisco 3750 --- ACSv4.2 -- ACSv4.2 (2)
My goal is that the user is authenticated at the second ACS server and authorized at the first ACS server.
It works fine with login-user, but fails with 802.1x authentication.
I tried to capture the packets with Wireshark and found that during 802.1x authentication the first ACS server did NOT forward the RADIUS Access-Request to the second ACS server, but during login user authentication it did!!
Any ideas ?
Jerry
10-29-2008 10:43 AM
If you are using proxy, the second server provides all of the RADIUS functions (authentication and authorization). If you want to authenticate only to the 2nd ACS but provide authorization from the 1st, try the RADIUS Token Server external database option. This way only a RADIUS authentication request will be forwarded to the 2nd server while leaving the 1st server "in charge."
Note that this option is NOT limited to token processing.
10-29-2008 06:19 PM
Dear jhillend,
Yes, I'd configured the 1st ACS server to use the RADIUS Token Server external database option. It worked fine in authenticating a login user, but 802.1x authentication failed. I tried to capture the traffic and found the 1st ACS server only forwarded the login authentication request to the 2nd server, but did not forward the dot1x authentication request.
The log in the 1st server said "Authentication Fail" and the Auth-Fail-Code is "External DB password invalid". But I did NOT capture any forwarded authentication request during dot1x authentication. The id / password should be okay since it works in login authentication.
I'm confused. The only difference between login authentication and dot1x authentication is the "Authentication Method"; I use EAP-MD5 in dot1x authentication.
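As an added illustration of the distinction jhillend draws between forwarding a plain login and handling 802.1x (example code written for this page, not from the thread, from Cisco ACS or from any RADIUS product): a front-end server that receives a PAP login can recover the cleartext password with its shared secret and re-hide it for an external password-checking server, whereas an EAP-MD5 exchange only carries MD5(id || password || challenge), so the server that issued the challenge must hold the cleartext password itself. The two algorithms modelled are RFC 2865 User-Password hiding and the EAP-MD5 (CHAP) response from RFC 3748; the secrets, the fixed Request Authenticator, the user table and the function names are constructed assumptions for the demo.

```python
# Added example for this thread (not code from the thread or from Cisco ACS):
# a small model of a front-end RADIUS server that receives either a PAP login
# (User-Password attribute) or an EAP-MD5 exchange (EAP-Message attribute).
import hashlib

# Constructed values; a real deployment uses per-client secrets and a random
# Request Authenticator on every Access-Request.
FRONT_END_SECRET = b"front-secret"      # shared with the switch (assumption)
EXTERNAL_SECRET = b"external-secret"    # shared with the second server (assumption)
AUTHENTICATOR = bytes(range(16))        # fixed 16-byte Request Authenticator for the demo
LOCAL_USER_DB = {"jerry": b"jerry-pw"}  # local copy of cleartext passwords (constructed)


def _md5(*parts: bytes) -> bytes:
    h = hashlib.md5()
    for part in parts:
        h.update(part)
    return h.digest()


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte chunk with MD5(secret + previous block)."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = _md5(secret, prev)
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = _md5(secret, prev)
        chunk = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(chunk, mask))
        prev = chunk
    return out.rstrip(b"\x00")


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 (RFC 3748 section 5.4) uses the CHAP algorithm: MD5(id || password || challenge)."""
    return _md5(bytes([identifier]), password, challenge)


def front_end_decision(request: dict, secret: bytes, external_secret: bytes, user_db: dict):
    """Decide what the first server can do with an Access-Request.

    Returns ("forward", new_request) for a PAP login, or ("accept"|"reject", reason)
    for an EAP-MD5 response. Constructed model, not ACS behaviour.
    """
    auth = request["Authenticator"]
    if "User-Password" in request:
        # PAP: the shared secret recovers the cleartext, so the password can be
        # re-hidden under the external server's secret and forwarded for verification.
        cleartext = unhide_user_password(request["User-Password"], secret, auth)
        forwarded = {
            "User-Name": request["User-Name"],
            "Authenticator": auth,
            "User-Password": hide_user_password(cleartext, external_secret, auth),
        }
        return "forward", forwarded
    if "EAP-Message" in request:
        # EAP-MD5: the request carries only MD5(id || password || challenge). The
        # server that issued the challenge must know the cleartext password itself;
        # there is no password to hand to an external password-checking server.
        eap = request["EAP-Message"]
        local_pw = user_db.get(request["User-Name"])
        if local_pw is None:
            return "reject", "no local password available to verify the EAP-MD5 response"
        expected = eap_md5_response(eap["id"], local_pw, eap["challenge"])
        if expected == eap["response"]:
            return "accept", "EAP-MD5 response verified against local password"
        return "reject", "EAP-MD5 response mismatch"
    return "reject", "no credential attribute"


def build_pap_request(user: str, password: bytes) -> dict:
    """Constructed PAP Access-Request as the switch would send it to the first server."""
    return {"User-Name": user, "Authenticator": AUTHENTICATOR,
            "User-Password": hide_user_password(password, FRONT_END_SECRET, AUTHENTICATOR)}


def build_eap_md5_request(user: str, password: bytes, identifier: int, challenge: bytes) -> dict:
    """Constructed Access-Request carrying the supplicant's EAP-MD5 Response."""
    return {"User-Name": user, "Authenticator": AUTHENTICATOR,
            "EAP-Message": {"id": identifier, "challenge": challenge,
                            "response": eap_md5_response(identifier, password, challenge)}}


if __name__ == "__main__":
    pap = build_pap_request("jerry", b"jerry-pw")
    print(front_end_decision(pap, FRONT_END_SECRET, EXTERNAL_SECRET, {}))
    eap = build_eap_md5_request("jerry", b"jerry-pw", 1, b"\x11" * 16)
    print(front_end_decision(eap, FRONT_END_SECRET, EXTERNAL_SECRET, {}))
    print(front_end_decision(eap, FRONT_END_SECRET, EXTERNAL_SECRET, LOCAL_USER_DB))
```

Running the block shows the PAP request being re-hidden and forwarded even with an empty local user table, while the same user's EAP-MD5 response is rejected unless the first server holds the cleartext password locally; that is the gap between the two capture results described in the thread.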