05-03-2022 05:48 AM
Hi all,
I have an interesting problem which seems to be a bug or related to my configs.
I did not find a bug with these symptoms.
I'm testing NEAT with an IE-4000 (IOS Version 15.2(6)E1) as authenticator and an IE-3200 (IOS XE Software, Version 17.06.02) as supplicant. Once authenticated, it allows multiple MAC addresses, and then the supplicant switch acts as authenticator for end-device supplicants.
We are using NPS and we have an AD domain configured, where we have a "cisco" user.
Authenticator IE-4000 config, (some 1x, radius etc config not included):
!
cisp enable
!
dot1x system-auth-control
interface GigabitEthernet1/1
 description To_IE3200_Supplicant_Switch
 switchport trunk allowed vlan 201,902
 switchport mode trunk
 authentication host-mode multi-host
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast edge trunk
!
Supplicant IE-3200 config, (some 1x, radius etc config not included):
!
service password-encryption
!
eap profile NEAT_PROF
 method mschapv2
!
cisp enable
!
dot1x system-auth-control
dot1x credentials NEAT-TEST
 username cisco
 password 7 05080F1C2243
!
interface GigabitEthernet1/3
 description To_Authenticator_IE4000_Switch
 switchport trunk allowed vlan 201,902
 switchport mode trunk
 dot1x pae supplicant
 dot1x credentials NEAT-TEST
 dot1x supplicant eap profile NEAT_PROF
!
NEAT works OK when I first configure this. But once I reload, the authentication for the supplicant switch stops working.
But if I take away service password-encryption on the supplicant switch, it works OK even after rebooting.
And I can replicate this issue all the time.
Has anyone noticed this kind of behavior? Bug?
I
!
no service password-encryption
!
dot1x credentials NEAT-TEST
 username cisco
 password 0 cisco
!
Br Jari
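One way to find switches in the state described in the post above (service password-encryption enabled, and a supplicant port bound to a dot1x credentials profile whose password is stored as type 7) before they are reloaded. This is an added example, not part of the original post and not Cisco code; the function name and finding format are assumptions, and it only flags the reported condition without confirming a defect.

```python
import re

# Constructed sample: the supplicant configuration from the post, trimmed.
SAMPLE = """\
service password-encryption
!
dot1x credentials NEAT-TEST
 username cisco
 password 7 05080F1C2243
!
interface GigabitEthernet1/3
 switchport mode trunk
 dot1x pae supplicant
 dot1x credentials NEAT-TEST
!
"""

def audit_supplicant_credentials(config):
    """Return supplicant ports whose credentials profile is stored as type 7
    while service password-encryption is on (the condition reported above)."""
    encryption_on = False
    profiles = {}   # credentials profile name -> password type (int) or None
    ports = {}      # interface name -> {"supplicant": bool, "profile": name}
    section = None  # ("cred", name) or ("intf", name); reset at each "!"
    for raw in config.splitlines():
        line = raw.strip()  # works for indented and flattened configs
        if line in ("", "!"):
            section = None
        elif line == "service password-encryption":
            encryption_on = True
        elif line.startswith("interface "):
            section = ("intf", line.split(None, 1)[1])
            ports[section[1]] = {"supplicant": False, "profile": None}
        elif m := re.fullmatch(r"dot1x credentials (\S+)", line):
            if section and section[0] == "intf":
                ports[section[1]]["profile"] = m.group(1)  # port binding
            else:
                section = ("cred", m.group(1))             # profile definition
                profiles[m.group(1)] = None
        elif section and section[0] == "intf" and line == "dot1x pae supplicant":
            ports[section[1]]["supplicant"] = True
        elif section and section[0] == "cred" and (m := re.match(r"password (\d+) ", line)):
            profiles[section[1]] = int(m.group(1))
    return [{"interface": name, "profile": p["profile"]}
            for name, p in ports.items()
            if encryption_on and p["supplicant"] and profiles.get(p["profile"]) == 7]

if __name__ == "__main__":
    print(audit_supplicant_credentials(SAMPLE))
```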
05-03-2022 04:27 PM
Hello,
Maybe this is good news. IE3200 SW Version 17.8.1 added support for NEAT when operating as a supplicant. It reads as if this is what you are trying to accomplish.
Release notes for IE3200: https://www.cisco.com/c/en/us/td/docs/switches/lan/cisco_ie3X00/software/17_8/17-8-x-release-notes-iot-switch.html#Cisco_Concept.dita_1c4ea6b8-6903-424d-bf5d-ff9f61f4a477
05-04-2022 12:06 AM
Thanks for the info!
I might be stuck on that 17.6.x version, and based on my test NEAT kinda works with that too, even if that 17.8.1 added support for NEAT.
But it was weird that enabling service password-encryption on the supplicant broke the authentication.
In addition, I was planning to test PEAP for the supplicant switch so that the switch would use a certificate for authentication, but I have not found a good guide on how to configure that. I have a trusted cert on the switch, but no good guide on how to proceed from there.