Re: Configuring IEEE 802.1x Port-Based Configuration

gopinath.krishna · ‎12-26-2007

Hi,

when we do 802.1x port based configuration, is there any specific authentication settings required on windows client pc.

regards

gopi

royalblues · ‎12-26-2007

Generally the EAP type is used as MD-5 Challenge under network properties --> advanced

Narayan

gopinath.krishna · ‎12-27-2007

Hi,

I am trying to enable 802.1x authentication in our lan.... i have document talking about .1x config on the switches, but i was wondering what to be configured on acs server... can u help me on this

gopi

royalblues · ‎12-28-2007

Have a look at this link (Dynamic VLAN Assignment for 802.1x and ACS)

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml#cg3

HTH

Narayan

shrikar.dange · ‎12-28-2007

.1x Port based configuration can be used for various purposes.One of the well known use is 80.1x port based authentication.

gopinath.krishna · ‎12-28-2007

L2 switch dot1x config

----------------------

hostname L2SWITCH

!

aaa new-model

aaa authentication dot1x default group radius

!

aaa session-id common

ip subnet-zero

!

dot1x system-auth-control

no file verify auto

--More-- spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

interface FastEthernet0/1

switchport trunk native vlan 10

switchport mode trunk

!

interface FastEthernet0/2

switchport access vlan 20

switchport mode access

dot1x mac-auth-bypass

dot1x pae authenticator

dot1x port-control auto

dot1x reauthentication

dot1x guest-vlan 40

dot1x auth-fail vlan 50

!

interface FastEthernet0/3

switchport access vlan 20

!

interface FastEthernet0/4

--More-- !

interface FastEthernet0/5

!

interface FastEthernet0/6

!

interface FastEthernet0/7

!

interface FastEthernet0/8

!

interface FastEthernet0/9

!

interface FastEthernet0/10

!

interface FastEthernet0/11

!

interface FastEthernet0/12

!

interface FastEthernet0/13

!

interface FastEthernet0/14

!

interface FastEthernet0/15

!

--More-- interface FastEthernet0/16

!

interface FastEthernet0/17

!

interface FastEthernet0/18

!

interface FastEthernet0/19

!

interface FastEthernet0/20

!

interface FastEthernet0/21

!

interface FastEthernet0/22

!

interface FastEthernet0/23

!

interface FastEthernet0/24

!

interface GigabitEthernet0/1

!

interface GigabitEthernet0/2

!

interface Vlan1

--More-- no ip address

no ip route-cache

!

interface Vlan10

ip address 10.10.10.2 255.255.255.0

no ip route-cache

!

ip default-gateway 10.10.10.1

ip http server

radius-server host 30.30.30.2 auth-port 1645 acct-port 1646 key cisco

!

control-plane

!

line con 0

line vty 5 15

!

end

***************************************************************

debug radius authentication

***************************************************************

1d03h: RADIUS(00000005): sending

1d03h: RADIUS/ENCODE: Best Local IP-Address 10.10.10.2 for Radius-Server 30.30.3

0.2

1d03h: RADIUS(00000005): Send Access-Request to 30.30.30.2:1645 id 21645/26, len

138

1d03h: RADIUS: authenticator 1D FC CB D1 72 D8 4C B1 - D2 D3 82 15 4C E0 58 31

1d03h: RADIUS: User-Name [1] 14 "0018fe6705bb"

1d03h: RADIUS: User-Password [2] 18 *

1d03h: RADIUS: Service-Type [6] 6 Call Check [10]

1d03h: RADIUS: Framed-MTU [12] 6 1500

1d03h: RADIUS: Called-Station-Id [30] 19 "00-19-30-EE-C0-02"

1d03h: RADIUS: Calling-Station-Id [31] 19 "00-18-FE-67-05-BB"

1d03h: RADIUS: Message-Authenticato[80] 18

1d03h: RADIUS: CC 09 BD 5A 1D 14 5B 85 9C 2D 76 51 49 F0 EB 2D [???Z??[??-vQI

??-]

1d03h: RADIUS: NAS-Port [5] 6 50002

1d03h: RADIUS: NAS-Port-Type [61] 6 Eth [15]

1d03h: RADIUS: NAS-IP-Address [4] 6 10.10.10.2

1d03h: RADIUS: Retransmit to (30.30.30.2:1645,1646) for id 21645/26

1d03h: RADIUS: No response from (30.30.30.2:1645,1646) for id 21645/26

1d03h: RADIUS/DECODE: parse response no app start; FAIL

1d03h: RADIUS/DECODE: parse response; FAIL

**************************************************************

On ACS

--------------

I have created a user name / password with pc mac address "0018fe6705bb". I have also configured a network profile with "Allow Agentless Request Processing" option and the same profile is mapped to the group to which the above mentioned user name is mapped

Problem:

User is not getting authenticated. On Acs am getting hit and log error as Auth failed

hope somebody could help me on this issue

rraja2006 · ‎12-28-2007

Your radius server at 30.30.30.2 is not responding to the client at 10.10.10.2. Look for access lists on the router between the 2 networks which prevent radius communications. Alternatively move your radius server to the 10.10.10 network.

R