topic Re: Wired 802.1x Authentication in Network Access Control

Wired 802.1x Authentication

h.parsons — Sun, 10 Mar 2019 21:16:15 GMT

I am trying to configure a simple authentication using WinXP(MD5) to ACS v3.3, I have configured my 3550 and ACS according to the documentation but I recieve the following error message on the ACS :Invalid message authenticator in EAP request. Any help would be appreciated.

aaa authentication dot1x default group radius

dot1x system-auth-control

interface FastEthernet0/12

switchport access vlan 314

switchport mode access

dot1x port-control auto

spanning-tree portfast

radius-server host 10.xx.xx.xx auth-port 1812 acct-port 1813

radius-server retransmit 3

radius-server key secret

Re: Wired 802.1x Authentication

Frank Durham — Wed, 17 Aug 2005 14:54:34 GMT

Your config looks good so far, how does your ACS configs look? Can you post some of that info...

Frank

Re: Wired 802.1x Authentication

h.parsons — Thu, 18 Aug 2005 12:00:35 GMT

My server is set as "CiscoSecure ACS" and the client setup is the address of the switch with a key= secret and authenticate using RADIUS(IETF)

The IETF attributes I have set are:

[006] Service-typt login

[064] TunnelType Tag=1 value=vlan

[065]Tunnel-Medium Tag=1 value=802

and on the Windows XP box I set it to use md5 authentication

Re: Wired 802.1x Authentication

Frank Durham — Fri, 19 Aug 2005 13:57:52 GMT

1. How come you are using the Radius(IETF) instead of the Radius(Cisco IOS)?

2. The attributes you set are for if you plan on using the group to assign a specific vlan to the user in the group. On your switch configuration, you have a vlan already attached.

3. Do you have a user already configured on the ACS 3.3 server?

Frank

Re: Wired 802.1x Authentication

jafrazie — Fri, 19 Aug 2005 15:11:11 GMT

FWIW, it doesn't matter in this case if you have RADIUS(IETF) or RADIUS(Cisco IOS). Reason being, all the attributes stated here are std RADIUS attributes anyway.

Also, if you want to achieve VLAN-Assignment for a session, then you need to set attributes [64], [65], and [81]. The value in [81] should be the name of your VLAN, or optionally the number. I didn't see that in your note before.

Hope this helps,

Re: Wired 802.1x Authentication

h.parsons — Fri, 19 Aug 2005 18:20:48 GMT

I have tried two different computers one with XP and another with 2K and every possible combination but I still recieve this error:

Bad request from NAS

Invalid message authenticator in EAP request.

Using md5 authentication there is not a lot of configuration needed. I feel this problem is with the ACS server.

Re: Wired 802.1x Authentication

pkapoor — Mon, 22 Aug 2005 19:15:11 GMT

Change MD5 to PEAP and the ask it to use the Windows login (if you want). I could not get it to work with MD5 either. I think it may have something to do with the 802.1x supplicant client that comes in-built with Windows.

Re: Wired 802.1x Authentication

jwmiller — Thu, 01 Sep 2005 21:59:20 GMT

I'd be looking for Certificate problems... you can prove it by unchecking the validate certficate box in the PC's NIC setup (authentication tab). If that works, I'd say it's a cert problem. If you must check the box, you must AT MINIMUM generate a self-signed cert on ACS and install the same cert in the PC's root store.