Authenticating switch outside of wirecloset using NPS (dot1x pae supplicant)

Peter Elbertse
Level 1

Hi,

We have purchased a few 2960CPD-8TT-L's which we want to connect to our other 2960 24 and 48-port switches.

We have implemented 802.1x for wireless and wired clients. Our last step is to replace a few remaining desktop switches.

We do not have ISE and use Windows Network Policy Server (NPS) to authenticate clients using RADIUS. This all works well for clients using PEAP+Secure Password using EAP-MSCHAP v2 (for username-based authentication) and "Smart Card or other certificate" for computer-based authentication.

To authenticate the 2960CPD-8TT-L's we have set them up as supplicant:

dot1x system-auth-control
dot1x credentials <my-name>
 username <my username>
 password <my password>
!
interface GigabitEthernet0/2
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 dot1x pae supplicant
 dot1x credentials <my-name>
!

I have tried to use an EAP profile (tried mschapv2 and using pki-trustpoint) but without luck.
The Windows NPS shows us the message "Network Policy Server discarded the request for a user." with the following reason "An internal error occurred. Check the system event log for additional information." (which isn't very helpful).

Now I'm not sure if it's required, but I don't really understand how to load our CA Root certificate in the c2960. What I tried:

crypto pki trustpoint <CA-Name>
 revocation-check none
 certificate chain flash:/root.cer
!
!
crypto pki certificate chain <CA-Name>

I'm curious if anyone has been able to get this to work and would be able to point out to me what to do.

Any suggestions are very much appreciated.

Kind regards,
Peter

3 Replies

ciscobacon
Level 1

Hi Peter, did you ever find an answer to getting supplicant switches authenticating with NPS correctly? I'm currently working on this and have just about hit a brick wall, as I can't figure out what version of EAP the switch is trying to use and it gets bounced on the NPS side. Thanks for any help :)

"Semi-yes".

The answer consists of two parts though :)

1. Current "workaround" (though this is not a safe / suggested approach) is to use EAP-MD5 since the current IOS images do not seem to include any PEAP methods (which NPS requires for 802.1x based authentication). For this workaround you can apply the following link (that does still work on 2008R2 and I believe also on 2012): http://support.microsoft.com/kb/922574/en-us

2. The actual answer is Cisco putting in PEAP support as an outer method in the IOS image. I still have an open case with Cisco in regards to this point. To be honest it even looks a little bit promising (though you never know if I might hit a brick wall somewhere down the line).

Kind regards,
Peter

Update: Good news. It seems that the PEAP methods are in the development code, but have never been included in the official releases (though the 2960 platform does support these features).

A bugtrack has been created: https://tools.cisco.com/bugsearch/bug/CSCus24812

Question now is of course when Cisco will release a new IOS version that will include it.
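To make concrete what the EAP-MD5 workaround from point 1 actually exchanges between the switch (supplicant) and NPS (authenticator), here is an added example that is not code from this thread, from Cisco or from Microsoft. It builds and verifies the MD5-Challenge packets as defined in RFC 3748 section 5.4 (the CHAP computation from RFC 1994); the password, identifier and challenge bytes are constructed sample values. Seeing the computation shows why this method is considered unsafe compared with PEAP: the proof is a single unsalted MD5 over the password, the server never authenticates itself, and no keying material is derived.

```python
"""EAP-MD5 (RFC 3748 s5.4 / RFC 1994) challenge-response, worked through.

Constructed example, not code from this thread or from Cisco/Microsoft. It shows
why the workaround above is weak: the proof is one unsalted MD5 over
(Identifier || password || challenge), the server never authenticates
itself, and no keying material (MSK) is derived for the port.
"""
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5 = 4

def build_md5_request(identifier: int, challenge: bytes, name: bytes = b"") -> bytes:
    """EAP-Request/MD5-Challenge: Code | Id | Length | Type | Value-Size | Value | Name."""
    body = bytes([EAP_TYPE_MD5, len(challenge)]) + challenge + name
    return struct.pack("!BBH", EAP_REQUEST, identifier, 4 + len(body)) + body

def parse_md5_packet(pkt: bytes) -> dict:
    """Split a Request or Response MD5 packet into its fields; raises on malformed input."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if len(pkt) < 6 or length != len(pkt) or pkt[4] != EAP_TYPE_MD5:
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    value_size = pkt[5]
    value = pkt[6:6 + value_size]
    if len(value) != value_size:
        raise ValueError("Value-Size exceeds packet length")
    return {"code": code, "id": identifier, "value": value, "name": pkt[6 + value_size:]}

def md5_response_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-style proof: MD5(Identifier || secret || challenge). Nothing else is mixed in."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def build_md5_response(request: bytes, password: bytes, name: bytes) -> bytes:
    """Supplicant side: answer a parsed Request with the 16-byte digest and the identity."""
    req = parse_md5_packet(request)
    value = md5_response_value(req["id"], password, req["value"])
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", EAP_RESPONSE, req["id"], 4 + len(body)) + body

def verify_md5_response(request: bytes, response: bytes, password: bytes) -> bool:
    """Authenticator side: recompute from the stored cleartext password and compare."""
    req, resp = parse_md5_packet(request), parse_md5_packet(response)
    if resp["code"] != EAP_RESPONSE or resp["id"] != req["id"]:
        return False
    expected = md5_response_value(req["id"], password, req["value"])
    return hmac.compare_digest(expected, resp["value"])
```

Note that the authenticator must hold the switch password in a reversible form to recompute the digest, which is why NPS does not offer EAP-MD5 by default and the Microsoft KB in point 1 has to re-enable it.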
