topic Re: 802.1x with ACS 3.3 and windowsXP in Network Access Control

802.1x with ACS 3.3 and windowsXP

gsales — Sun, 10 Mar 2019 20:57:36 GMT

We are using RADIUS IETF in ACS and EAP MD5.

My switch is 2950 whith this commands:

radius-server host a.b.c.d

radius-server key cisco

aaa authentication dot1x default group radius

aaa authorization network default group radius

dot1x system-auth-control

int fa 0/1

dot1x port-control auto

When we try authenticate appears this error: "CS user unknown" in ACS reports.

Has somethings that we forget?

Where I configure the respective VLAN to user when he authenticate?

Thanks

Re: 802.1x with ACS 3.3 and windowsXP

will.shaw — Fri, 07 Jan 2005 10:16:57 GMT

As far as the "CS user uknown" issue, this usually means that the user your using to authenticate, doesn't exist in the radius database.

Are the user ID's manually entered or are they externally mapped?

For the VLAN assignment from the radius server, assign the following IETF RADIUS attributes to either the individual user or the groups.

[64] Tunnel-Type = VLAN

[65] Tunnel-Medium-Type = 802

[81] Tunnel-Private-Group-Id = VLAN NAME

Re: 802.1x with ACS 3.3 and windowsXP

jafrazie — Mon, 17 Jan 2005 17:27:28 GMT

CS User Unknown means that ACS doesn't know about the user. Have you defined the user that uses MD5 either locally in ACS or have you configured integration with a backend identity store?

As for VLAN Assignment, you can configure this as either a per-user or per-group RADIUS Attribute.

Hope this helps.

Re: 802.1x with ACS 3.3 and windowsXP

gsales — Fri, 21 Jan 2005 18:44:45 GMT

I`m using 2950 and Cisco ACS. In my Windows XP, I did only this"Ativar authenticaçao IEEE 802.1x para esta rede -->MD5 Challenge". I create one user in ACS database and assign the following IETF RADIUS attributes to this user:

[64] Tunnel-Type = VLAN

[65] Tunnel-Medium-Type = 802

[81] Tunnel-Private-Group-Id = teste

At my network icon apears: Authentication Fail

See some debug message on my switch:

03:09:14: dot1x-ev:Received AuthStart from Authenticator for supp_info=80D607DC

03:09:14: dot1x-ev:Managed Timer in sub-block attached as leaf to master

03:09:14: dot1x-ev:Going to Send Request to AAA Client on RP for id = 0 and length = 25

03:09:14: dot1x-ev:Got a Request from SP to send it to Radius with id 7

03:09:14: dot1x-ev:Couldn't Find a process thats already handling the request for this id 0

03:09:14: dot1x-ev:Inserted the request on to list of pending requests

03:09:14: dot1x-ev:Found a free slot at slot 0

03:09:14: dot1x-ev:Request id = 7 and length = 25

03:09:14: dot1x-ev:The Interface on which we got this AAA Request is FastEthernet0/1

03:09:14: dot1x-ev:Username is SMSTESTE\joe

03:09:14: dot1x-ev:MAC Address is 0026.540f.5555

03:09:14: dot1x-ev:MAC Address copied is 0026.540f.4c43

03:09:15: dot1x-ev:dot1x_post_message_to_auth_sm: Skipping tx for req_id for default supplicant

03:09:34: dot1x-err:EAP packet not recvd

03:09:34: dot1x-ev:going to send to backend on SP, length = 4

03:09:34: dot1x-ev:Received VLAN is No Vlan

03:09:34: dot1x-ev:Enqueued the response to BackEnd

03:09:34: dot1x-ev:Received QUEUE EVENT in response to AAA Request

03:09:34: dot1x-ev:Dot1x matching request-response found

03:09:34: dot1x-ev:Length of recv eap packet from radius = 4

03:09:34: dot1x-ev:Received VLAN Id -1

03:09:34: dot1x-ev:dot1x_bend_fail_enter:0026.540f.5555: Current ID=0

Can you help me?

Thanks,

Re: 802.1x with ACS 3.3 and windowsXP

jafrazie — Fri, 21 Jan 2005 19:57:04 GMT

Sure:

Before, when you said ACS told you "CS User Unknown", what user did it tell you was unknown, and was it the exact one you put into Windows? Example: the native supplicant avail in Windows is most likely prepending your MD5 username as \. So, if you only setup in ACS, it think they are different.

Hope this helps.

Re: 802.1x with ACS 3.3 and windowsXP

gsales — Tue, 25 Jan 2005 17:52:37 GMT

It's works now only if I create 2 users in ACS, one "username" and other "domain/username". I wanna use only windows database, but it don't works with only windows user.

thanks,

Re: 802.1x with ACS 3.3 and windowsXP

kschuster — Thu, 27 Jan 2005 13:30:23 GMT

as far as I know:

Authentication against windows database (AD) is not supported with EAP MD5. You have to use EAP PEAP, and you have to use certificates from a CA server.

Re: 802.1x with ACS 3.3 and windowsXP

gsales — Mon, 31 Jan 2005 18:30:31 GMT

kschuster,thanks for your help!

I wanna authenticatite against windows database without nay certificate. It's possible? If you has the steps to make this configuration...

Ob.: The configuration with MD5 works ok, but I nead to create 2 users: one with domain/name an other with name, so I'm think that it's not correct.

thanks