Authenticating switch outside of wirecloset using NPS (dot1x pae supplicant)
We have purchased a few 2960CPD-8TT-L's which we want to connect to our other 2960 24 and 48-port switches.
We have implemented 802.1x for wireless and wired clients. Our last step is to replace a few remaining desktop switches.
We do not have ISE and use Windows Network Policy Server (NPS) to authenticate clients using RADIUS. This all works well for clients using PEAP+Secure Password using EAP-MSCHAP v2 (for username-based authentication) and "Smart Card or other certificate" for computer-based authentication.
To authenticate the 2960CPD-8TT-L's we have set them up as supplicants:
I have tried to use an eap profile (tried mschapv2 and using pki-trustpoint) but without luck. The Windows NPS shows us the message "Network Policy Server discarded the request for a user." with the following reason "An internal error occurred. Check the system event log for additional information." (which isn't very helpful).
Now I'm not sure if it's required, but I don't really understand how to load our CA Root certificate in the c2960. What I tried:
Hi Peter, did you ever find an answer to getting supplicant switches authenticating with NPS correctly? I'm currently working on this and have just about hit a brick wall, as I can't figure out what version of EAP the switch is trying to use and it gets bounced on the NPS side. Thanks for any help :)
1. Current "workaround" (though this is not a safe / suggested approach) is to use EAP-MD5 since the current IOS images do not seem to include any PEAP methods (which NPS requires for 802.1x based authentication). For this workaround you can apply the following link (that does still work on 2008R2 and I believe also on 2012): http://support.microsoft.com/kb/922574/en-us
2. The actual answer is Cisco putting in PEAP support as an outer method in the IOS image. I still have an open case with Cisco in regards to this point. To be honest it even looks a little bit promising (though you never know if I might hit a brick wall somewhere down the line).
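For readers following the thread, here is an added example (not the poster's own configuration) of what the supplicant side of a 2960CPD and the matching authenticator port look like in IOS for the EAP-MD5 workaround described in point 1. Credential names, profile names, interface numbers and the password are placeholders, and the upstream switch is assumed to already have its aaa/radius configuration towards NPS in place.

```text
! Added example, not the poster's running config. All names, interface
! numbers and the password are placeholders (assumptions).
!
! 1) Credentials the 2960CPD presents to the upstream switch / NPS.
dot1x credentials SW-SUPPLICANT
 username sw-2960cpd-01
 password 0 REPLACE-WITH-LONG-RANDOM-SECRET
!
! 2) EAP method. md5 is only the workaround from point 1: it does not
!    authenticate the server and derives no keys, so the password is the
!    whole defence; use a long random one and move to a certificate-based
!    method as soon as the image supports it.
eap profile EAP-MD5-WORKAROUND
 method md5
!
! 3) Uplink on the 2960CPD acting as the supplicant.
interface GigabitEthernet0/1
 description Uplink to wiring-closet switch
 dot1x pae supplicant
 dot1x credentials SW-SUPPLICANT
 dot1x supplicant eap profile EAP-MD5-WORKAROUND
!
! 4) Matching port on the upstream 2960 (authenticator), assuming its
!    global aaa/dot1x/radius configuration towards NPS already exists.
interface GigabitEthernet1/0/1
 description Downlink to 2960CPD-8TT-L
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
```

On the supplicant `show dot1x all details` shows the negotiated EAP method and state, and on the authenticator `show authentication sessions interface GigabitEthernet1/0/1` shows whether the switch was authorized.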