
NEAT authentication problem with IE-3200

j.leinonen
Level 1

Hi all,

I have an interesting problem which seems to be a bug or related to my configs.

I did not find a bug with these symptoms.

I'm testing NEAT so that I have an IE-4000 (IOS Version 15.2(6)E1) as authenticator and an IE-3200 (IOS XE Software, Version 17.06.02) as supplicant. Once authenticated, it allows multiple MAC addresses, and then the supplicant switch acts as authenticator for end-device supplicants.

 

We are using NPS and we have AD domain configured, where we have "cisco" user.

 

Authenticator IE-4000 config (some 1x, RADIUS etc. config not included):

!
cisp enable
!
dot1x system-auth-control
interface GigabitEthernet1/1
 description To_IE3200_Supplicant_Switch
 switchport trunk allowed vlan 201,902
 switchport mode trunk
 authentication host-mode multi-host
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast edge trunk
!

 

Supplicant IE-3200 config (some 1x, RADIUS etc. config not included):

!
service password-encryption
!
eap profile NEAT_PROF
 method mschapv2
!
cisp enable
!
dot1x system-auth-control
dot1x credentials NEAT-TEST
 username cisco
 password 7 05080F1C2243
!
interface GigabitEthernet1/3
 description To_Authenticator_IE4000_Switch"
 switchport trunk allowed vlan 201,902
 switchport mode trunk
 dot1x pae supplicant
 dot1x credentials NEAT-TEST
 dot1x supplicant eap profile NEAT_PROF
!

 

NEAT works OK when I configure this first. But once I reload, the authentication for the supplicant switch stops working.

But if I take away service password-encryption on the supplicant switch, it works OK even after rebooting.

And I can replicate this issue all the time.

Has anyone noticed this kind of behavior? Bug?

I

!
no service password-encryption
!
dot1x credentials NEAT-TEST
 username cisco
 password 0 cisco
!

 

Br Jari
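
Added example, not part of the original post: a small Python audit of a supplicant running-config that reports how each dot1x credentials profile stores its password (the workaround above leaves it as type 0 cleartext; type 7 is reversible obfuscation) and flags interface references to undefined profiles. The function name and the sample config are constructed for illustration, and the parser assumes the indentation that show running-config prints.

```python
import re
# Constructed sample: the post's workaround config, indented as in running-config.
SAMPLE_CONFIG = """\
no service password-encryption
eap profile NEAT_PROF
 method mschapv2
dot1x credentials NEAT-TEST
 username cisco
 password 0 cisco
interface GigabitEthernet1/3
 dot1x pae supplicant
 dot1x credentials NEAT-TEST
 dot1x supplicant eap profile NEAT_PROF
"""
ENCODING = {"0": "cleartext", "7": "type 7 (reversible obfuscation)"}

def audit_supplicant_config(text):
    """Hypothetical helper: list findings for dot1x supplicant credentials."""
    profiles, eap_profiles, refs = {}, set(), []
    section = (None, None)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # an unindented line opens a new section
            words, section = line.split(), (None, None)
            if line.startswith("dot1x credentials "):
                section = ("cred", words[2])
                profiles.setdefault(words[2], None)
            elif line.startswith("eap profile "):
                section = ("eap", words[2])
                eap_profiles.add(words[2])
            elif line.startswith("interface "):
                section = ("intf", words[1])
            continue
        kind, name = section
        m = re.match(r"password (\d+) \S+", line)
        if kind == "cred" and m:
            profiles[name] = m.group(1)  # keep only the encoding type, never the secret
        elif kind == "intf" and line.startswith("dot1x credentials "):
            refs.append((name, "credentials", line.split()[2]))
        elif kind == "intf" and line.startswith("dot1x supplicant eap profile "):
            refs.append((name, "eap", line.split()[4]))
    findings = [f"{p}: password stored as {ENCODING.get(t, 'unrecognized or missing type')}"
                for p, t in profiles.items()]
    for intf, kind, ref in refs:
        if ref not in (profiles if kind == "credentials" else eap_profiles):
            findings.append(f"{intf}: references undefined {kind} profile {ref}")
    return findings
```
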

Accepted Solution

Albert Mitchell
Cisco Employee

Hello,

Maybe this is good news. IE3200 SW Version 17.8.1 added support for NEAT when operating as a supplicant. It reads as if this is what you are trying to accomplish.

Release notes for IE3200: https://www.cisco.com/c/en/us/td/docs/switches/lan/cisco_ie3X00/software/17_8/17-8-x-release-notes-iot-switch.html#Cisco_Concept.dita_1c4ea6b8-6903-424d-bf5d-ff9f61f4a477

 


Thanks for the info!

I might be stuck on that 17.6.x version, and based on my test NEAT kinda works with that too, even if 17.8.1 added support for NEAT.

But it was weird that enabling service password-encryption on the supplicant broke the authentication.

In addition, I was planning to test PEAP for the supplicant switch so that the switch would use a certificate for authentication, but I have not found a good guide on how to configure that. I have a trusted cert on the switch, but no good guide on how to proceed from there.