topic Re: 802.1X EAP-TLS Error in Network Access Control

802.1X EAP-TLS Error

michaelglosker — Tue, 27 Jun 2023 12:37:21 GMT

Over the past few weeks, I have been working on configuring 802.1x port-based authentication between my Cisco switch (RADIUS Client) and the NPS Server (My DC) using EAP-TLS authentication.

After completing the configuration on both sides following the tutorial provided in this link: Tutorial Link, I noticed that the status of my Ethernet port changed to "Authentication failed." To investigate further, I captured the EAP packets using Wireshark and observed that my computer responded with the identity but received a failure response with "EAP Code Failure 4."

Now, I'm trying to determine which side might be causing the error - the switch or the NPS server. I have referred to several guides, and it seems that the configuration on the NPS server was done correctly, and the CA certificate was imported to the client.

For reference, here is the configuration from the NPS and endpoint side: Configuration Link

Any insights or guidance on resolving this issue would be greatly appreciated.

Best regards,

Michael

Re: 802.1X EAP-TLS Error

M02@rt37 — Tue, 27 Jun 2023 12:49:48 GMT

Hello @michaelglosker,

Do you check that you have a policy taht matches the conditions for the AUTH. request form the Cisco Switch. Constraints....Conditions....that might prevent successful AUTH.

Also, take a closer look at the Wireshark capture of the EAP packets exchanged between the client abd the NPS server. Analyze the packet flow to identify ant abnormalities/errors in the EAP messages exchanged.

Re: 802.1X EAP-TLS Error

Aref Alsouqi — Tue, 27 Jun 2023 15:54:34 GMT

Code failure 4 would mean access rejected which would suggest there is no policy match on the NPS. Could you please share the NPS policies and the endpoints NIC settings for review?

Re: 802.1X EAP-TLS Error

michaelglosker — Wed, 28 Jun 2023 06:28:52 GMT

Here is my post including NIC Setting and the NPS policy.

https://learn.microsoft.com/en-us/answers/questions/1318668/eap-tls-authentication-failed

Re: 802.1X EAP-TLS Error

Aref Alsouqi — Wed, 28 Jun 2023 10:32:42 GMT

It could be the order of the policies, it could be the policy is not enabled, I think the best place to look at to trying to find out the root cause of this would be the NPS logs on the server, usually the are good enough to point out the issue.

Re: 802.1X EAP-TLS Error

michaelglosker — Wed, 28 Jun 2023 12:39:57 GMT

I already tried to view the NPS logs but there is no events of success or failure (even tough that i enabled the logging).

When i tried to capture the traffic is saw that my computer send his identity and get EAP Failure.

Re: 802.1X EAP-TLS Error

Aref Alsouqi — Thu, 29 Jun 2023 17:08:42 GMT

Where did you get that capture from? If the NPS is not showing any logs it could be that is not receiving these RADIUS requests?

Re: 802.1X EAP-TLS Error

Nancy Saini — Thu, 29 Jun 2023 17:15:13 GMT

Check if the RADIUS request is reaching the NPS server. Also, check the output of "show authentication session int gig <id> detail" on the Cisco switch.

Re: 802.1X EAP-TLS Error

michaelglosker — Sat, 01 Jul 2023 09:50:28 GMT

The picture was captured with Wireshark from my laptop that tries to authenticate, probably the NPS server not receiving the logs but i am trying to understand why i also checked if there is any block from the FW side and there is no any rule that block the communication.

Re: 802.1X EAP-TLS Error

michaelglosker — Sat, 01 Jul 2023 09:53:55 GMT

Re: 802.1X EAP-TLS Error

MHM Cisco World — Sat, 01 Jul 2023 10:01:13 GMT

Hi can I know exactly your issue

Thanks
MHM

Re: 802.1X EAP-TLS Error

Aref Alsouqi — Sat, 01 Jul 2023 11:11:15 GMT

Try please to drop the keyword "detail" at the end of the "show authentication" command and share the output for review. You can also enable RADIUS authentication debugs on the switch "debug radius authentication" which should you if the comms with the NPS is working. Another thing you can do from the switch would be to show the aaa server status "show aaa servers" and look at the state lines, if it should show "current UP" it means the switch and the NPS can talk to each other. Finally you can enable the epm logging on the switch which would help you finding out any issue with the dot1x flows.

Re: 802.1X EAP-TLS Error

Nancy Saini — Sat, 01 Jul 2023 19:25:26 GMT

Your switch is not initiating any RADIUS request to the NPS server, hence, no log seen on the server. What is the switchport configuration and AAA configuration done on the switch?

Re: 802.1X EAP-TLS Error

MHM Cisco World — Sat, 01 Jul 2023 19:58:11 GMT

You not answer my below Q, so I review your previous comment
NOW
the SW enable 802.1x but the issue it stop at EAP-response Identity
This can from EAP method, the user send method that NOT match the EAP method.
so double check in NPS and user EAP method

Re: 802.1X EAP-TLS Error

michaelglosker — Mon, 03 Jul 2023 06:57:25 GMT

Re: 802.1X EAP-TLS Error

MHM Cisco World — Mon, 03 Jul 2023 07:03:50 GMT

According to what you new share' and as @Nancy Saini mention' your SW never send request to aaa server.

Share config

Re: 802.1X EAP-TLS Error

michaelglosker — Mon, 03 Jul 2023 08:00:38 GMT

Re: 802.1X EAP-TLS Error

MHM Cisco World — Mon, 03 Jul 2023 08:08:27 GMT

you config radius-group in authc/authz
but where is config of server in this group??

Re: 802.1X EAP-TLS Error

michaelglosker — Mon, 03 Jul 2023 08:31:53 GMT

Re: 802.1X EAP-TLS Error

MHM Cisco World — Mon, 03 Jul 2023 08:53:55 GMT

ip radius source-interface VLANx
then ping to server using this VLAN SVI as source, are the ping success ?