<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Dot1x using Windows server as an authenticator in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/dot1x-using-windows-server-as-an-authenticator/m-p/4268696#M564634</link>
    <description>&lt;P&gt;The Windows Supplicant can be configured with various EAP methods - it doesn't matter to the switch (Authenticator) - the main thing is that the Authenticating Server (Windows (NPS?) ... which&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1127926"&gt;@user_net&lt;/a&gt;&amp;nbsp;incorrectly referred to as the 'Authenticator' - it's actually the Authenticating Server).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;EAP-PEAP or EAP-TLS are valid methods on the Windows 7 client to talk to the switch. Windows requires the Wired Service to be enabled, before the wired supplicant configuration tab becomes visible. Supplicant configuration is also discussed all over the internet - just need to search for examples.&lt;/P&gt;</description>
    <pubDate>Thu, 07 Jan 2021 23:30:01 GMT</pubDate>
    <dc:creator>Arne Bier</dc:creator>
    <dc:date>2021-01-07T23:30:01Z</dc:date>
    <item>
      <title>Dot1x using Windows server as an authenticator</title>
      <link>https://community.cisco.com/t5/network-access-control/dot1x-using-windows-server-as-an-authenticator/m-p/4268562#M564628</link>
      <description>&lt;P&gt;So I set the Windows server as an authenticator, and configured the switch to authenticate a Windows 7 PC (supplicant). At this point, I am pretty sure that the configuration on Windows 7 and Windows server is fine, and the problem is with the switch.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Switch commands:&lt;/P&gt;&lt;PRE&gt;aaa new-model
!
aaa group server radius RADIUS_SERVERS
 server-private 192.168.1.178 auth-port 1812 acct-port 1813 key BisBradius
!
aaa authentication login default group RADIUS_SERVERS local
aaa authentication dot1x default group RADIUS_SERVERS
aaa authorization console
aaa authorization exec default group RADIUS_SERVERS local if-authenticated
!
interface Ethernet0/0
 switchport access vlan 10
 switchport mode access
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 5000.000c.0000
 switchport port-security
 authentication port-control auto
 dot1x pae authenticator&lt;/PRE&gt;&lt;P&gt;Here is "show version":&lt;/P&gt;&lt;PRE&gt;Cisco IOS Software, Linux Software (I86BI_LINUXL2-IPBASEK9-M), Experimental Version 15.2(201708                      09:194209) [dstivers-aug9_2017-high_iron_cts 101]
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Wed 09-Aug-17 13:49 by xxxxxxxx

ROM: Bootstrap program is Linux

IT uptime is 58 minutes
System returned to ROM by reload at 0
System image file is "unix:/opt/unetlab/addons/iol/bin/i86bi_linux_l2-ipbasek9-ms.high_iron"
Last reload reason: Unknown reason



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Linux Unix (Intel-x86) processor with 943604K bytes of memory.
Processor board ID 67109504
8 Ethernet interfaces
1 Virtual Ethernet interface
1024K bytes of NVRAM.

Configuration register is 0x0&lt;/PRE&gt;&lt;P&gt;AAA authentication debug output:&lt;/P&gt;&lt;PRE&gt;*Jan  7 18:50:02.008: AAA/AUTHEN/8021X (00000000): Pick method list 'default'
*Jan  7 18:50:02.008: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified
*Jan  7 18:50:02.027: AAA/AUTHEN/8021X (00000000): Pick method list 'default'
*Jan  7 18:50:02.027: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified
IT#
*Jan  7 18:50:02.047: %DOT1X-5-FAIL: Authentication failed for client (5000.000c.0000) on Interface Et0/0 AuditSessionID 000000000000000C0008A341&lt;/PRE&gt;&lt;P&gt;Show run:&lt;/P&gt;&lt;PRE&gt;hostname IT
!
boot-start-marker
boot-end-marker
!
!
!
username admin privilege 15 secret 5 $1$xmmj$Ew/SMe3JG5JarDa0SiGBA0
username saad privilege 15 secret 5 $1$iNBr$o3mr8E9tn7x2Zccmmq2ce.
aaa new-model
!
!
aaa group server radius RADIUS_SERVERS
 server-private 192.168.1.178 auth-port 1812 acct-port 1813 key BisBradius
!
aaa authentication login default group RADIUS_SERVERS local
aaa authentication dot1x default group RADIUS_SERVERS
aaa authorization console
aaa authorization exec default group RADIUS_SERVERS local if-authenticated
!
!
!
!
!
!
aaa session-id common
clock timezone EET 2 0
!
!
!
!
!
ipv6 multicast rpf use-bgp
no ipv6 cef
!
!
!
!
!
!
!
ip cef
no ip igmp snooping
!
!
dot1x system-auth-control
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
 switchport access vlan 10
 switchport mode access
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 5000.000c.0000
 switchport port-security
 authentication port-control auto
 dot1x pae authenticator
!
interface Ethernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 88
 switchport mode trunk
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet1/0
!
interface Ethernet1/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 88
 switchport mode trunk
!
interface Ethernet1/2
!
interface Ethernet1/3
!
interface Vlan88
 ip address 192.168.88.6 255.255.255.0
!
ip default-gateway 192.168.88.1
ip forward-protocol nd
!
no ip http server
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip route 0.0.0.0 0.0.0.0 192.168.88.1
!
!
!
!
!
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
!
!
!
end&lt;/PRE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 07 Jan 2021 19:06:55 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/dot1x-using-windows-server-as-an-authenticator/m-p/4268562#M564628</guid>
      <dc:creator>user_net</dc:creator>
      <dc:date>2021-01-07T19:06:55Z</dc:date>
    </item>
    <item>
      <title>Re: Dot1x using Windows server as an authenticator</title>
      <link>https://community.cisco.com/t5/network-access-control/dot1x-using-windows-server-as-an-authenticator/m-p/4268686#M564632</link>
      <description>&lt;P&gt;RADIUS server and PC use different auth protocols.&amp;nbsp;&lt;/P&gt;&lt;P&gt;What auth protocol do you use, PEAP, ...?&lt;/P&gt;</description>
      <pubDate>Thu, 07 Jan 2021 22:52:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/dot1x-using-windows-server-as-an-authenticator/m-p/4268686#M564632</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2021-01-07T22:52:48Z</dc:date>
    </item>
    <item>
      <title>Re: Dot1x using Windows server as an authenticator</title>
      <link>https://community.cisco.com/t5/network-access-control/dot1x-using-windows-server-as-an-authenticator/m-p/4268689#M564633</link>
      <description>&lt;P&gt;Wired 802.1X configurations are always full of moving parts (and dependent on whether it's classic config or IBNS 1.0/2.0) - I'd say look at the &lt;A href="https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515" target="_self"&gt;Wired Prescriptive Guide&lt;/A&gt;&amp;nbsp;- example of a typical config - perhaps you're missing the aaa authorization network statement?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Have a peek through the commands below ... admittedly, it's not complete but there might be some nuggets in there - I have a template that I tend to re-use ...&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;PRE&gt;aaa authentication dot1x default group RADIUS_SERVERS
aaa authorization network default group RADIUS_SERVERS
aaa accounting identity default start-stop group RADIUS_SERVERS
aaa accounting update newinfo periodic 2880

radius-server dead-criteria time 10 tries 3
radius-server deadtime 15

dot1x critical eapol

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only

device-tracking policy IPDT_POLICY
 tracking enable

aaa server radius dynamic-author
 client 192.168.1.178 server-key BisBradius

dot1x system-auth-control

## Start with IBNS 1.0 Config
## =================================
interface GigabitEthernet1/0/1
 description ** Endpoints and Users **
 switchport access vlan 1406
 switchport voice vlan 1437
 switchport mode access
 device-tracking attach-policy IPDT_POLICY
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server dynamic
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 spanning-tree portfast
&lt;/PRE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 07 Jan 2021 22:58:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/dot1x-using-windows-server-as-an-authenticator/m-p/4268689#M564633</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2021-01-07T22:58:26Z</dc:date>
    </item>
    <item>
      <title>Re: Dot1x using Windows server as an authenticator</title>
      <link>https://community.cisco.com/t5/network-access-control/dot1x-using-windows-server-as-an-authenticator/m-p/4268696#M564634</link>
      <description>&lt;P&gt;The Windows Supplicant can be configured with various EAP methods - it doesn't matter to the switch (Authenticator) - the main thing is that the Authenticating Server (Windows (NPS?) ... which&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1127926"&gt;@user_net&lt;/a&gt;&amp;nbsp;incorrectly referred to as the 'Authenticator' - it's actually the Authenticating Server).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;EAP-PEAP or EAP-TLS are valid methods on the Windows 7 client to talk to the switch. Windows requires the Wired Service to be enabled, before the wired supplicant configuration tab becomes visible. Supplicant configuration is also discussed all over the internet - just need to search for examples.&lt;/P&gt;</description>
      <pubDate>Thu, 07 Jan 2021 23:30:01 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/dot1x-using-windows-server-as-an-authenticator/m-p/4268696#M564634</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2021-01-07T23:30:01Z</dc:date>
    </item>
  </channel>
</rss>

