topic in order to perform dot1x we in Network Access Control

Dot1x authentication for cisco AP

Andreas Larsen — Mon, 11 Mar 2019 05:39:22 GMT

Hi everybody

We are experimenting with a dot1x port authentication setup.

The setup is as fallows:

Microsoft 20008r2 NPS

Cisco 3560 compact switch

Cisco 3702i AP

I will be using dynamic vlan assignment. So far it Works fine with pc and mac. However when connecting my Cisco 3702 ap i get an error on the NPS saying:

Reason Code: 22

Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

From the Wireless controller i have overriden the global configuration, and added the supplicant username and password to match with a user i have created in AD. I

At the NPS i have set the EAP type to: MIcrosoft: Secured Password (EAP-MSCHAPv2). According to the datasheet on the AP that should be supported.

Here's my switch configuration:

dot1x system-auth-control

aaa new-model
aaa group server radius NPSSERVERS
server-private 10.180.15.231 auth-port 1812 acct-port 1813 key 7 ************
aaa authentication dot1x default group NPSSERVERS
aaa authorization network default group NPSSERVERS

Interfaces:

switchport mode access
authentication event fail action authorize vlan 85
authentication event server dead action authorize vlan 85
authentication event no-response action authorize vlan 85
authentication event server alive action reinitialize
authentication port-control auto
dot1x pae authenticator
spanning-tree bpduguard enable
spanning-tree guard root

I am not entirely sure if i need to make more settings on the AP, or more on the switch. Any suggestions will be greatly appriciated.

/Andreas

in order to perform dot1x we

Venkatesh Attuluri — Thu, 28 May 2015 10:16:36 GMT

In order to perform dot1x auth endpoint needs suppliant and windows and MAC have a default supplicant that comes with OS. AP are supposed for MAB

So when the data sheet for

Andreas Larsen — Thu, 28 May 2015 13:10:26 GMT

So when the data sheet for the AP reads fallowing, it refers to its abilities as an authenticator, and not a supplicant, correct? I guess dot1x might no be such a great solution for wired network afterall.

● Extensible Authentication Protocol (EAP) types:

◦ EAP-Transport Layer Security (TLS)

◦ EAP-Tunneled TLS (TTLS) or Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAPv2)

◦ Protected EAP (PEAP) v0 or EAP-MSCHAPv2

◦ EAP-Flexible Authentication via Secure Tunneling (FAST)

◦ PEAP v1 or EAP-Generic Token Card (GTC)

◦ EAP-Subscriber Identity Module (SIM)

The problem is probably due

jan.nielsen — Thu, 28 May 2015 14:30:50 GMT

The problem is probably due to certificate errors, either the AP doesn't trust the cert you use on your NPS, or the NPS does not trust the cert issuer that the AP uses. In Cisco ISE, which is what most new solution would use, these manufacturer ca certs are already imported for Cisco AP's and IP Phones.