topic Re: ACS + Wired dot1x machine authentication in Network Access Control

ACS + Wired dot1x machine authentication

scott-goodwin — Sun, 10 Mar 2019 22:53:56 GMT

Hi,

I am trying to setup wired machine based authentication. I have followed this guide

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml#req

However I simply get the same error all the time on ACS.

Invalid message authenticator in EAP request

Switch config;

interface GigabitEthernet0/46

switchport access vlan 20

switchport mode access

media-type rj45

dot1x pae authenticator

dot1x port-control auto

dot1x reauthentication

dot1x guest-vlan 20

i am trying to setup group matching to perform vlan assignment however I am just entering under the unknown user policy at the min with no vlan assignment setup.

Anyone shed any light on this, all I want to do is authenticate a machine via certificates issue a vlan id based on the machine name and AD group matching. No user authentication this can be done via the PDC.

Purely using machine auth.

Cheers

Scott

Re: ACS + Wired dot1x machine authentication

Jagdeep Gambhir — Tue, 10 Jun 2008 11:43:17 GMT

Scott,

I recommend to change/retype the shared secret on the switch as well as ACS server for the

AAA Client and AAA server.

Regards,

~JG

Do rate helpful posts

Re: ACS + Wired dot1x machine authentication

scott-goodwin — Tue, 10 Jun 2008 11:57:44 GMT

Tried that, also checked it with them different and i get nothing in the logs. Hence communication seems fine from switch to ACS???

Cheers

Scott

Re: ACS + Wired dot1x machine authentication

scott-goodwin — Tue, 10 Jun 2008 13:28:44 GMT

Ok!!

Checked that again and yes that stopped the message 😉

Now I am getting an external db authentication failure, however I dont see anything in AD event viewer??

Thanks

Scott

Re: ACS + Wired dot1x machine authentication

Jagdeep Gambhir — Tue, 10 Jun 2008 13:35:02 GMT

Scott,

Check unknown user policy settings and make sure you have proper permission for the account running acs services.

Regards,

~JG

Do rate helpful posts

Re: ACS + Wired dot1x machine authentication

scott-goodwin — Wed, 11 Jun 2008 08:43:17 GMT

Hi Guys,

The plot thickens, I can authenticate via user 802.1x and I can also authenticate the machine against my existing 4.1 ACS server however when using the new server 4.2 I get the external DB authentication failure??

Thanks for your help.

Scott

Re: ACS + Wired dot1x machine authentication

scott-goodwin — Wed, 11 Jun 2008 08:44:32 GMT

PS all the setting are identical, also the fact I can auth via user credentials proves the AD interop.

Cheers

Scott

Re: ACS + Wired dot1x machine authentication

Jagdeep Gambhir — Wed, 11 Jun 2008 11:55:38 GMT

Check the unknown user policy settings and permission issue. Checkout the auth.log , that will show more details about the issue.

Regards.

~JG

Re: ACS + Wired dot1x machine authentication

scott-goodwin — Wed, 11 Jun 2008 13:42:24 GMT

Hi Mate,

I have now done a fresh install of 4.1 and I can confirm that 4.1 works fine so it would definately indicate a 4.2 issue.

I will check the auth.log to get more details

Thanks

scott