07-11-2007 10:12 PM - edited 03-05-2019 05:14 PM
Hi,
I am trying 802.1x (PEAP) over wire.
equipment
-acs 4.0
-3750 switch w 802.1q trunk
-client windows xp
the problem I am getting is my switchport is getting the desired vlan.
acs - Authen OK
switchport - authorised
vlan - 1 (correct vlan should be '40')
ACS's user have been configured w:
-[64] Tunnel-Type = VLAN
-[65] Tunnel-Medium = 802
-[81] Tunnel-Private-Group-ID = VLAN 40
if I were to configure the switch for
-aaa authorization exec default group tacacs+ group radius
-aaa authorization network default group radius
the ACS fail attempts will show:
EAP-TLS or PEAP authentication failed during SSL handshake
I think I am missing some things
appreciate any advice.
cash
07-12-2007 11:57 AM
Hi Cash,
SSL handshake error points to certificate issue. On your client make sure that validate server certificate is not checked.
Network connection properties---> Authen TAB--->dot1x properties--->uncheck valid server certs.
Let me know how that goes.
Regards,
~JG
07-12-2007 07:17 PM
Hi,
It's still not working.
I am getting these logs from ACS:
-Passed Authentications - ok
-Failed Attempts - EAP-TLS or PEAP authentication failed during SSL handshake
-switch - unauthorized
I'd like to confirm my understanding:
for this whole process, I need only 1 cert, which is for the ACS, am I right?
cash
07-13-2007 05:11 AM
Cash,
Yes, for PEAP you need one cert, that too on ACS only.
Please Enable Fast Reconnect on Clients and on acs.
System Configuration > Global Authentication Setup > EAP Configuration > check "Enable Fast Reconnect:" > Submit + Restart
Try to authenticate with both combinations ( with and without fast reconnect) and see if that makes any change.
If issue is still there then get me logs from switch
debug radius
debug dot1x all
debug aaa authentication
Regards,
~JG
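Added example, not part of any post in this thread: a Python check that decodes the attributes of a captured RADIUS Access-Accept and reports whether the three tunnel attributes listed in the first post (64, 65, 81) are present with the values RFC 3580 defines for VLAN assignment. The packets are constructed sample data, and the function and helper names are assumptions of this example.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
EXPECTED = {TUNNEL_TYPE: 13, TUNNEL_MEDIUM_TYPE: 6}  # RFC 3580: VLAN, IEEE-802

def attributes(packet):
    """Yield (type, value) for each attribute TLV in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def vlan_assignment(packet):
    """Return (vlan, problems); vlan is None unless all three attributes fit."""
    seen, problems = {}, []
    for atype, value in attributes(packet):
        if atype in EXPECTED and len(value) == 4:
            seen[atype] = int.from_bytes(value[1:], "big")  # byte 0 is the tag
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            if value[0] <= 0x1F:          # leading tag byte (RFC 2868)
                value = value[1:]
            seen[atype] = value.decode("ascii", "replace")
    for atype, want in EXPECTED.items():
        if seen.get(atype) != want:
            problems.append(f"attribute {atype}: got {seen.get(atype)}, want {want}")
    if not seen.get(TUNNEL_PRIVATE_GROUP_ID):
        problems.append("attribute 81 missing or empty")
    return (None if problems else seen[TUNNEL_PRIVATE_GROUP_ID]), problems

def build(code, attrs):
    """Constructed test packet: zero authenticator, attrs = [(type, bytes)]."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed Access-Accept (code 2) carrying the three attributes, untagged.
SAMPLE_OK = build(2, [(64, b"\x00\x00\x00\x0d"), (65, b"\x00\x00\x00\x06"), (81, b"40")])
# Constructed Access-Accept with no tunnel attributes at all.
SAMPLE_BARE = build(2, [])

if __name__ == "__main__":
    print(vlan_assignment(SAMPLE_OK))
    print(vlan_assignment(SAMPLE_BARE))
```

Running the same check on the Access-Accept bytes taken from a packet capture between the switch and the RADIUS server shows whether the VLAN attributes actually reach the switch.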