06-25-2014 08:56 AM
I configured 802.1x on an SG300 switch. It is working very well with some Windows 7 machines and a Windows Server 2008 NPS server.
Now I tried to get the MAC authentication running. On a 3850X it is working without problems, but every access request sent from the SG300 is declined.
My current port configuration on the SG300:
interface fastethernet1
 dot1x guest-vlan enable
 dot1x max-req 1
 dot1x reauthentication
 dot1x timeout quiet-period 10
 dot1x authentication 802.1x mac
 dot1x radius-attributes vlan static
 dot1x port-control auto
 switchport mode access
On the Windows NPS server, the following error is shown:
Authentication Details:
Connection Request Policy Name: Secure Wire
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: myradius.local
Authentication Type: -
EAP Type: -
Account Session Identifier: 30353030399999
Reason Code: 1
Reason: An internal error occurred. Check the system event log for additional information.
Compared to the message from the 3850, the authentication type (PAP) is missing, and a not very helpful error message is displayed...
07-02-2014 07:12 AM
Still not working.
I tried different settings and (also older) software versions on the SF302-08P.
I also started to change the settings on the NPS (though it is working with the 3850X!), without success.
The NPS reports the following error:
Schannel:
The following fatal alert was received: 40.
EventID 36887
If I search for this error, every source is pointing to certificate errors, but there should not be any certificate involved?!
... is this a bug on the SF302-08P?
06-26-2017 12:43 AM
Hi,
You posted this quite a while ago. Is this fixed now?
Could you please post the full CLI config (without the passwords of course) of your switch?
Thank you very much for your information in advance.
KR,
07-14-2014 05:19 AM
Fixed now - without support of Cisco, they were not able to help here... :/
General hints (server-side workaround), as I don't want to spend more time on this...:
- Enable EAP-MD5 on the Windows Server 2008R2 (via registry)
- Created a rule to allow EAP-MD5 (SG300) besides PAP (all the rest)
- Hosts with username/password (both MAC address) and password decryption enabled (+special PSO for these settings)
have fun
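
An added example, not part of the original posts: EAP-MD5 is a CHAP-style challenge/response (RFC 3748, section 5.4), so the RADIUS server can only check a response if it can recover the account's cleartext password, which is why the workaround above needs recoverable password storage for the MAC accounts. The MAC value and its format, the identifier and the SHA-256 stand-in for hash-only storage are constructed assumptions.

```python
import hashlib
import hmac
import os


def eap_md5_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5(Identifier || secret || challenge), the value an EAP-MD5 Response carries."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def server_check(identifier: int, stored_secret: bytes, challenge: bytes,
                 response: bytes) -> bool:
    """Recompute the value from what the server has stored; compare in constant time."""
    expected = eap_md5_value(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo(mac: str = "0011223344aa") -> dict:
    # Constructed sample: for MAC authentication the account's user name and
    # password are both the MAC address (value and format are assumptions).
    password = mac.encode("ascii")
    identifier = 7                 # EAP Identifier of the request (constructed)
    challenge = os.urandom(16)     # fresh server challenge
    response = eap_md5_value(identifier, password, challenge)  # peer side

    # Stand-in for a directory that keeps only a one-way hash of the password.
    one_way = hashlib.sha256(password).digest()
    return {
        # Server can recover the cleartext: the response verifies.
        "cleartext_store": server_check(identifier, password, challenge, response),
        # Server holds only a one-way hash: it cannot rebuild the expected value.
        "hash_only_store": server_check(identifier, one_way, challenge, response),
        # A different password never matches.
        "wrong_password": server_check(identifier, b"0011223344ab", challenge, response),
        # An old response is useless against a new challenge.
        "replayed_on_new_challenge": server_check(identifier, password,
                                                  os.urandom(16), response),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:28} -> {'accept' if ok else 'reject'}")
```

Because a MAC-as-password account is trivially guessable and stored recoverably, scoping that storage setting to only those accounts, as the separate PSO in the post does, keeps it away from real user accounts.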