
SG300 - 802.1x NPS - MAC authentication not working

Stefanobi
Level 1

I configured 802.1x on an SG300 switch. It is working very well with some Windows 7 machines and a Windows Server 2008 NPS server.

Now I tried to get MAC authentication running. On a 3850X it is working without problems, but every access request sent from the SG300 is declined.

My current port configuration on the SG300:

interface fastethernet1
 dot1x guest-vlan enable
 dot1x max-req 1
 dot1x reauthentication
 dot1x timeout quiet-period 10
 dot1x authentication 802.1x mac
 dot1x radius-attributes vlan static
 dot1x port-control auto
 switchport mode access

 

On the Windows NPS server the following error is shown:

Authentication Details:
    Connection Request Policy Name:    Secure Wire
    Network Policy Name:        -
    Authentication Provider:        Windows
    Authentication Server:        myradius.local
    Authentication Type:        -
    EAP Type:            -
    Account Session Identifier:        30353030399999
    Reason Code:            1
    Reason:                An internal error occurred. Check the system event log for additional information.

 

Compared to the message from the 3850, the authentication type (PAP) is missing and a not very helpful error message is displayed...

 

3 Replies

Stefanobi
Level 1

Still not working.

I tried different settings and (also older) software versions on the SF302-08P.

Also started to change the settings on the NPS (though it is working with the 3850X!), without success.

The NPS reports the following error:

Schannel:

The following fatal alert was received: 40.

EventID 36887

 

If I search for this error, every source is pointing to certificate errors, but there should not be any certificate involved?!

... is this a bug on the SF302-08P?

Hi,

You have posted this quite a while ago. Is this fixed now?

Could you please post the full CLI config (without the passwords of course) of your switch?

Thank you very much for your information in advance.

KR, 

Stefanobi
Level 1

Fixed now - without support of Cisco, they were not able to help here... :/

 

General hints (server-side workaround) as I don't want to spend more time on this...:

- Enable EAP-MD5 on the Windows Server 2008R2 (via registry)

- created a rule to allow EAP-MD5 (SG300) beside PAP (all the rest)

- Hosts with username/password (both MAC address) and password decryption enabled (+special PSO for these settings)

 

have fun
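
Added example, not part of the original thread: the workaround above allows EAP-MD5 for the SG300 beside PAP for everything else, so this Python helper classifies a raw RADIUS Access-Request by the attributes it carries, which is the check to run on a capture from each switch before writing the NPS rule. The sample packets and the MAC address are constructed; the attribute and EAP type numbers are from RFC 2865, RFC 3579 and RFC 3748, and the function names are hypothetical.

```python
import struct

# RADIUS attribute types (RFC 2865, RFC 3579) and EAP method types (RFC 3748)
USER_NAME, USER_PASSWORD, EAP_MESSAGE = 1, 2, 79
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute_type: [values]} from a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def auth_method(packet: bytes) -> str:
    """Name the authentication method an Access-Request is asking for."""
    attrs = parse_attributes(packet)
    if EAP_MESSAGE in attrs:
        eap = b"".join(attrs[EAP_MESSAGE])  # EAP can span several attributes
        if len(eap) < 5:
            return "EAP (no method type)"
        # Byte 4 of an EAP request/response is the method type
        return "EAP/" + EAP_TYPES.get(eap[4], f"type {eap[4]}")
    if USER_PASSWORD in attrs:
        return "PAP"
    return "unknown"

def build_request(attrs) -> bytes:
    """Build a constructed Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

MAC = b"001122334455"  # constructed sample MAC, used as the user name
PAP_REQ = build_request([(USER_NAME, MAC), (USER_PASSWORD, bytes(16))])
EAP_ID = struct.pack("!BBHB", 2, 1, 5 + len(MAC), 1) + MAC  # EAP-Response/Identity
EAP_REQ = build_request([(USER_NAME, MAC), (EAP_MESSAGE, EAP_ID)])

if __name__ == "__main__":
    print(auth_method(PAP_REQ), auth_method(EAP_REQ))
```

The first Access-Request of an EAP exchange only carries the Identity response; the MD5-Challenge type appears in the follow-up request after the server's Access-Challenge.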