Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Switch refuses EAP Certificate Authentication

Hi Everyone,

I'm hoping someone will be able to help me out here.

The problem is that with any EAP method of authentication that utilizes authentication with a certificate or smart card the switch will somehow impede authentication with the radius server.

The EAP Methods I have tried on a SG-300-28P and ESW-540-24p switch are:

EAP-TLS

EAP-FAST

PEAP (Smart Card)

Smart Card

I know that the radius server works because when I switch to a different switch the client works just fine, or if I keep the client on this switch and use any password method (PEAP (MSCHAPv2), MSCHAPv2, EAP-MD5) it also works.

The log file for EAP-FAST on a SG-300 switch is:

    2147483643   2012-Jan-27 00:28:34 Informational   %LINK-I-Up:  gi10, aggregated (1)       

    2147483644   2012-Jan-27 00:28:31 Warning   %LINK-W-Down:  gi10, aggregated (1)       

    2147483645   2012-Jan-27 00:28:31 Informational   %LINK-I-Up:  gi10       

    2147483646   2012-Jan-27 00:28:16 Warning   %LINK-W-Down:  gi10       

I noticed that on this method it doesnt even report a result from the radius server, however the radius server reports an EAP Timeout

The log file for EAP-TLS on a SG-300 switch is:

     2147483642   2012-Jan-27 00:37:00 Warning   %SEC-W-SUPPLICANTUNAUTHORIZED: MAC xx:xx:xx:xx:xx:xx was rejected on port gi10     because Radius server does not respond       

    2147483643   2012-Jan-27 00:36:23 Informational   %LINK-I-Up:  gi10, aggregated (1)       

    2147483644   2012-Jan-27 00:36:20 Warning   %LINK-W-Down:  gi10, aggregated (1)       

    2147483645   2012-Jan-27 00:36:20 Informational   %LINK-I-Up:  gi10       

    2147483646   2012-Jan-27 00:36:02 Warning   %LINK-W-Down:  gi10       

In both cases the radius server logged a EAP Timeout. Again this only happens when any EAP method or version of authentication used deals with certificate authentication.

Only with the 3 Cisco small business switches we have, have I ran into this problem. The Cisco Aironet and Other Switches (by other manufacturers) work just fine.

Please help me.

Thanks!

zidacjarrett

5 REPLIES
New Member

Switch refuses EAP Certificate Authentication

I have the same problem with SG300-28.
Did you find any issues ?

Thanks.

Best Regard

New Member

Switch refuses EAP Certificate Authentication

Hi Dimitri,

We never did find a solution to this problem on the Cisco small business switches. Eventually we upgraded them all to the Cisco Catalyst 3750x and 3560x switches and these problems are not existant on the new switches. It may be some kind of limitation that was not mentioned.

If anyone has an idea why this is happening I would be greatful to hear it.

Thanks,

Jarrett
http://www.jarrettcadiz.com
http://www.cloudchase.net/company/jarrettcadiz

Jarrett http://www.jarrettcadiz.com http://www.cloudchase.net/company/jarrettcadiz
New Member

Hi zidacjarrett,I am trying

Hi zidacjarrett,

I am trying to fix the same issue, nearly two years after your tried it - still without success.

Even the latest software update for these sg300 didn`t help...

 

Someone else found a solution for this?

- I changed nearly every setting at the Radius server to find a possible work around...

 

Changing to a bigger switches is no option, as these small desktop switches are placed on some tables in the office.

 

Cheers

Stefan

 

 

New Member

Fixed now - without support

Fixed now - without support of Cisco, they were not able to help here... :/

 

General hints as I dont want to spend more time on this...:

- Enable EAP-MD5 on the Windows Server 2008R2 (via registry)

- created a rule to allow EAP-MD5 (SG300) beside PAP (all the rest)

- Hosts with username/password (both MAC address) and password decryption enabled (+special PSO for these settings)

have fun

New Member

Hi Stefanobi

Hi Stefanobi do you use in your configuration dynamic vpn assignment to authenticated ports? I have very simillar configuration in my network and port based authentication utilising computer certificates works without any problems except from Vlan assignments. I have two core switches catalyst 3560 and three esw540 access switches, trunk ports between switches are correctly configured, I have also network policies for 802.1x authentication and Vlan assignments, all works fine on 3560 switches and my workstations are authenticated correctly and also assigned to the correct Vlan, based on policy but somehow this doesn't work on my esw540 switches. I can see on my NHS that authentication works only when I specify access Vlan for the specific port otherwise Vlan is not assigned dynamically. hope I described my issue as clear as possible and someone can give me a tip how to make this up and running.
1834
Views
10
Helpful
5
Replies
CreatePlease to create content