topic Re: dot1x, xp, amd 2950 connectivity issues.. in Network Access Control

dot1x, xp, amd 2950 connectivity issues..

rsd1234 — Sun, 10 Mar 2019 20:44:15 GMT

Hello all,

I am trying out port authentication on a cisco catalyst 2950g-24-ei switch and am having the following problem:

xp laptop ----------switch-----------Win 2k IAS

I have set up the cisco with the following commands :

aaa new-model

aaa auth dot1x default group radius

int f0/24

switchport mode-access

dot1x port-control auto

radius-server host 1.2.3.4 auth-port 1812 acct-port 1813 key radkey

I have set up a client within IAS with the correct shared secret and vendor as cisco.

The problem i am having is that once i connect the laptop to the port it turns immediately orange and i try to authenticate but the port stays orange and i receive the message once logged in that the laptop was unbale to connect to network. The message in the windows eventviewer is that " user attempted to use an unauthorised authentication method ".

Obviously the laptop does not receive a correct ip and can not talk on the network,

does anyone have any suggestions ?

cheers

Richard

Re: dot1x, xp, amd 2950 connectivity issues..

umedryk — Fri, 02 Jul 2004 20:28:03 GMT

Do you use DHCP in your network ?

Re: dot1x, xp, amd 2950 connectivity issues..

jafrazie — Sat, 03 Jul 2004 13:00:35 GMT

This sounds like normal behavior. The port turns orange b/c spanning-tree isn't even in a forwarding state on an 802.1x-enabled port until the port is authorized via 802.1x.

Suggestion would be to find out why 802.1x isn't working. The config on the switch looks OK.

If you're running PEAP, the PC is probably trying to login via cached credentials. If you're running TLS, you need to insure certs are present on the PC.

This should help:

<http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/8021x_client_configure.mspx>

Re: dot1x, xp, amd 2950 connectivity issues..

scholzr74 — Thu, 05 Aug 2004 12:33:50 GMT

Hello Richard!

Did you already solve your problem because i got exactly the same one.

Could it be, that the Cisco 2950 doesn´t Support EAP-MSCHAP v2?

Best regards,

Rudolf

Re: dot1x, xp, amd 2950 connectivity issues..

rsd1234 — Thu, 05 Aug 2004 17:31:56 GMT

Hi Rudolf,

Unfortunately I didnt get a chance to look in to this further as I was called on to another project. I will be re-visiting this some time soon so if you come up with a solution I would be most grateful to hear from you,

regards

Richard

Re: dot1x, xp, amd 2950 connectivity issues..

jafrazie — Thu, 05 Aug 2004 17:39:03 GMT

This is normal behavior. The port begins amber b/c the port has not been authenticated. You should notice the port in an up/down status, and spanning-tree will not be in a forwarding state either.

The port will turn green when 802.1x has successfully authenticated the port (up/up status, and spanning-tree is in a forwarding state).

Need more info to determine root cause.

FYI, the switch doesn't really have visibility into PEAP+MS-CHAPv2. It transposes whatever the PC is sending it, and re-encapsulates the EAP conversation into RADIUS frames.

Couple of quick things to check:

sho dot1x int

If you see the port in a HELD state, this should mean that 802.1x actually failed (so look on the PC, IAS, and/or backend DB to determine why).

If you see the port in a CONNECTING state, this should mean that 802.1x isn't enabled on the PC.

Further debugging can be performed on the XP supplicant by enabling tracing:

netsh ras set tracing * enable

This enables tracing for all components on the supplicant (namely eap and mschapv2).

Verify tracing logs:

Explore to the C:\WINDOWS\tracing folder.

This folder should then contain the sets of traces for the components invoked from the command above.

Study the RASEAP, RASCHAP, RASTLS files for this context.

Hope this helps.

Re: dot1x, xp, amd 2950 connectivity issues..

scholzr74 — Fri, 06 Aug 2004 05:47:17 GMT

Hi thanks, i will try this.

Meanwhile i found another solution.I found the problem in the RAS Policies on the IAS Server (Windows 2003 Enterprise). I made my RAS Policies with the wizard for ethernet. If I checked my RAS Policies there was a term like "NAS Port = "Ethernet". I canceled this one and then it worked promptly.

The strange thing is, that my RAS Policies for WLAN with "NAS Port = "802.11" OR "WLAN " work perfectly.

best regards,

Rudolf

Re: dot1x, xp, amd 2950 connectivity issues..

rsd1234 — Mon, 09 Aug 2004 14:53:56 GMT

Is port authentication supposed to work at the same time as a users logs on to a network ? I am trying to get a user to log on to a system using an rsa token and want the following to happen :

1. user presses ctrl - alt - del on client and enters uname and password.

2. Info is taken by catalyst 2950 running port authentication and passed on to 2003 server.

3. the uname and password is authentacted.

4. port is opened and user is then prompted by ace server for tokencode.

5. tokencode accepted and user has acces to the network.

is this possible, has anyone done this ?

can you have a single authentication for the cisco port and the domain and can this be forwarded to an ace server ?

any advice is much appreciated,

regards

Richard

Re: dot1x, xp, amd 2950 connectivity issues..

aaffolter — Tue, 10 Aug 2004 12:18:01 GMT

I had the same problem with the IAS 2003 wizard.

The RAS Policies was "NAS Port= Ethernet", but my swith 3550 sent NAS port= Async. I could see that with a sniffer in the values for RADIUS Attribute 61 (rfc 2865), the value for Ethernet is 15 and for Async is 0.

First i changed my policie swith NAS port= Async and the authentication is OK. After i put the last Ios version on the 3550, then the swith sent the good value for the radius attribute 61, then i changed my policie with NAS port= Ethernet.

Re: dot1x, xp, amd 2950 connectivity issues..

jafrazie — Tue, 10 Aug 2004 13:30:45 GMT

Correct. This is CSCec86385.

You should be able to see the Releae Notes indicating the fix.

It was fixed in the following releases:

12.1(20)EA2

12.2(20)SE

Re: dot1x, xp, amd 2950 connectivity issues..

scholzr74 — Tue, 10 Aug 2004 15:16:55 GMT

Hi!

Ist there the same problem with den Cat 2950? I´using IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(14)EA1a, RELEASE SOFTWARE(fc1).

Isn´t this the latest os version?

thanks in advance,

best regards,

rudolf