I am using a Cisco 2950 Catalyst for 802.1X EAP-TLS based port security. For the RADIUS servers, I'm using the Internet Authentication Service (IAS) for Windows 2000 Server. My problem is, when I list a second RADIUS server for redundancy purposes on the switch, the device cannot authenticate via that server. If I remove the first RADIUS entry and leave the second unchanged, authentication occurs successfully. The error that appears on the IAS server indicates the Catalyst is including an inappropriate signature, which is the same type of error as when the shared secret is set incorrectly. The command I use to establish the two servers is essentially:
Did you ever get a response to this? I have the same problem using IAS on two W2K servers in different domains. I had to add any remote users to the first domain listed to get the authentication using the IAS server to work.
I had the same issue trying to introduce redundancy in my network 802.1x Authentication using IAS on Win 2k3 and NPS on Win2k8, in a multiforest scenario.
I finally got it working by introducing a RADIUS proxy (IAS on Win2k3) with 2 backend servers, running respectively Win2k3 (IAS) and Win2k8 (NPS) for each forest.
That simplified my config on network equipment, such as switches and routers, setting only one radius-server host.
In order to avoid the single point of failure introduced by the RADIUS proxy, I used a backup solution taking frequent snapshots of the VM running the proxy and deploying at the same time a silent VM ready to boot in case of failover.
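The signature error described in the first post is what a RADIUS server reports when the Message-Authenticator attribute, an HMAC-MD5 over the packet keyed with the shared secret (RFC 3579), does not verify. The following is an added sketch, not code from any poster in this thread, that uses constructed secrets and a constructed EAP identity to show the server-side check and why a request signed with one server's key fails on a server holding a different key.

```python
import hashlib
import hmac
import os
import struct

USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80  # RADIUS attribute types

def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(secret, identifier, attrs):
    """Build an Access-Request (code 1) signed with Message-Authenticator."""
    body = b"".join(attrs) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", 1, identifier, 20 + len(body)) + os.urandom(16)
    packet = bytearray(header + body)
    # The HMAC covers the whole packet with the attribute value zeroed.
    packet[-16:] = hmac.new(secret, packet, hashlib.md5).digest()
    return bytes(packet)

def verify_message_authenticator(secret, packet):
    """Return True only if the packet was signed with this shared secret."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    zeroed, received, pos = bytearray(packet), None, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("Message-Authenticator must be 18 bytes")
            received = packet[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += attr_len
    if received is None:
        return False  # EAP requests without the attribute are rejected
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)

def demo():
    """Sign with server A's key (constructed values), verify on A and on B."""
    key_a, key_b = b"constructed-key-A", b"constructed-key-B"
    identity = b"host/pc1.example"  # constructed EAP-Response/Identity payload
    eap = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity
    request = build_access_request(key_a, 7, [attr(USER_NAME, identity), attr(EAP_MESSAGE, eap)])
    return verify_message_authenticator(key_a, request), verify_message_authenticator(key_b, request)
```

When two servers are listed, each one must be checked for the same key the switch uses toward it; the failure looks identical on the server whether the key was mistyped or the switch applied a different server's key.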