10-06-2005 11:26 AM - edited 03-10-2019 02:20 PM
I am using the CiscoSecure ACS v3.3 build 11 on Windows to handle authentication of some network devices. I had added in a VSA for our 3Com 4400-series switches which allowed us to authenticate against our Windows AD for administration of the switches. The VSA is below:
---------------------------------
[User Defined Vendor]
Name=3Com
IETF Code=43
VSA 1=3Com-User-Access-Level
[3Com-User-Access-Level]
Type=INTEGER
Profile=OUT
Enums=3Com-User-Access-Level-Values
[3Com-User-Access-Level-Values]
1=Monitor
2=Manager
3=Administrator
------------------------------
This has been working well.
The complication started when I was tasked with implementing 802.1x authentication for the end-nodes on these 4400-series switches (Windows XP SP2 clients). After doing the initial configuration, I was getting a "Bad request from NAS" in the ACS logs. As I feared, the fact that the 4400s (the NASes) were using the RADIUS (3Com) interface configuration shown above seems to exclude the 802.1x authentication from happening. I moved the 4400 in question out of the RADIUS group using the 3Com VSA and into just an IETF RADIUS VSA, and the users were able to authenticate just fine using 802.1x. Of course, it seems to be one or the other: I can't seem to have RADIUS authentication to the switches themselves AND authentication of devices hanging off the switch at the same time. I suspect that if I add the IETF parameters to the VSA above, I might be able to accomplish both, but I don't know what the format would look like. Of course, I can't have the switch in two different AAA Client groups, so one client group needs to be able to do both.
Any ideas?
-Scott
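As an added example (not part of Scott's post, and not Cisco or 3Com code), the following Python parses the CSUtil-style vendor dictionary quoted above and shows how the attribute it defines travels on the wire: RFC 2865 attribute 26 (Vendor-Specific) carrying Vendor-Id 43 and Vendor-Type 1 with a 4-byte integer value. The dictionary text is embedded as a constructed copy of the one in the post; the encode/decode helpers are this example's own, not an ACS API.

```python
"""Parse a CSUtil-style [User Defined Vendor] dictionary and encode/decode its VSA.

Added example, not from the original thread. The dictionary below is a
constructed copy of the one posted for the 3Com 4400-series switches.
"""
import struct

DICTIONARY = """
[User Defined Vendor]
Name=3Com
IETF Code=43
VSA 1=3Com-User-Access-Level
[3Com-User-Access-Level]
Type=INTEGER
Profile=OUT
Enums=3Com-User-Access-Level-Values
[3Com-User-Access-Level-Values]
1=Monitor
2=Manager
3=Administrator
"""

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type for Vendor-Specific


def parse_dictionary(text):
    """Return {'vendor_id': int, 'attrs': {vsa_number: (name, type, {value: label})}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            sections[current] = {}
        else:
            key, _, value = line.partition('=')
            sections[current][key.strip()] = value.strip()
    vendor = sections['User Defined Vendor']
    attrs = {}
    for key, name in vendor.items():
        if key.startswith('VSA '):
            num = int(key.split()[1])
            spec = sections[name]
            enums = {}
            if 'Enums' in spec:
                enums = {int(k): v for k, v in sections[spec['Enums']].items()}
            attrs[num] = (name, spec['Type'], enums)
    return {'vendor_id': int(vendor['IETF Code']), 'attrs': attrs}


def encode_vsa(dictionary, attr_name, enum_label):
    """Build the bytes of a Vendor-Specific attribute carrying attr_name=enum_label."""
    for num, (name, _atype, enums) in dictionary['attrs'].items():
        if name == attr_name:
            break
    else:
        raise KeyError(attr_name)
    value = next(k for k, v in enums.items() if v == enum_label)
    payload = struct.pack('!I', value)  # INTEGER is a 4-byte big-endian value
    # Vendor-Type, Vendor-Length (covers type + length + value), then the value
    vendor_data = struct.pack('!BB', num, 2 + len(payload)) + payload
    body = struct.pack('!I', dictionary['vendor_id']) + vendor_data
    return struct.pack('!BB', VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa(dictionary, data):
    """Decode bytes from encode_vsa back to (vendor_id, attr_name, enum_label)."""
    attr_type, attr_len = struct.unpack('!BB', data[:2])
    if attr_type != VENDOR_SPECIFIC or attr_len != len(data):
        raise ValueError('not a well-formed Vendor-Specific attribute')
    vendor_id = struct.unpack('!I', data[2:6])[0]
    if vendor_id != dictionary['vendor_id']:
        raise ValueError('unknown vendor %d' % vendor_id)
    vendor_type, vendor_len = struct.unpack('!BB', data[6:8])
    if vendor_len != len(data) - 6:
        raise ValueError('bad Vendor-Length')
    name, _atype, enums = dictionary['attrs'][vendor_type]
    value = struct.unpack('!I', data[8:12])[0]
    return vendor_id, name, enums.get(value, str(value))


if __name__ == '__main__':
    d = parse_dictionary(DICTIONARY)
    raw = encode_vsa(d, '3Com-User-Access-Level', 'Administrator')
    print(raw.hex())  # 1a0c0000002b010600000003
    print(decode_vsa(d, raw))
```

The twelve bytes printed are what an Access-Accept for a switch administrator would carry for this attribute: type 0x1a, length 12, Vendor-Id 0x0000002b, Vendor-Type 1, Vendor-Length 6, value 3. Nothing in that encoding conflicts with standard IETF attributes in the same packet; the vendor dictionary only tells ACS how to name and display attribute 26 for this vendor.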
10-13-2005 05:56 AM
The "Bad request from NAS" error indicates one of four things:
1. Invalid key (do not cut and paste, as this causes a key mismatch)
2. Wrong IP in authentication request
3. Wrong protocol specified in Network Configuration for NAS
4. Special characters in Key.
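Points 1 and 4 in the reply above both come down to the shared secret not being byte-identical on the NAS and on ACS. As an added example (not from the thread, and not ACS code), the Python below builds the two checks RADIUS actually performs with that secret: the Message-Authenticator (RFC 3579 section 3.2) that an 802.1x Access-Request carrying EAP-Message must include and the server verifies, and the Response Authenticator (RFC 2865 section 3) the NAS verifies on the reply. The secret values and the EAP identity payload are constructed for the demo; a secret pasted with a trailing space fails both checks.

```python
"""Shared-secret checks in RADIUS: Message-Authenticator and Response Authenticator.

Added example, not from the original thread. Secrets and EAP payload are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80


def attribute(attr_type, value):
    """Encode one RFC 2865 attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack('!BB', attr_type, 2 + len(value)) + value


def header(code, identifier, authenticator, attributes):
    """RADIUS packet: Code, Identifier, Length, 16-byte Authenticator, then attributes."""
    return struct.pack('!BBH', code, identifier, 20 + len(attributes)) + authenticator + attributes


def build_eap_access_request(identifier, request_authenticator, eap_payload, secret):
    """Access-Request as an 802.1x NAS sends it: EAP-Message plus Message-Authenticator.

    RFC 3579 section 3.2: HMAC-MD5 keyed with the shared secret over the whole
    packet, with the Message-Authenticator value set to 16 zero bytes.
    """
    attrs = attribute(EAP_MESSAGE, eap_payload) + attribute(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = header(ACCESS_REQUEST, identifier, request_authenticator, attrs)
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    # Message-Authenticator is the last attribute, so its value is the packet tail.
    return packet[:-16] + mac


def verify_message_authenticator(packet, secret):
    """Server-side check of an incoming request; False when the secret does not match."""
    offset = 20
    while offset < len(packet):
        attr_type, attr_len = struct.unpack('!BB', packet[offset:offset + 2])
        if attr_len < 2 or offset + attr_len > len(packet):
            return False  # malformed attribute
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[offset + 2:offset + 18]
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        offset += attr_len
    return False  # EAP-Message without Message-Authenticator is not acceptable


def response_authenticator(code, identifier, request_authenticator, attributes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = struct.pack('!BBH', code, identifier, 20 + len(attributes)) + request_authenticator + attributes
    return hashlib.md5(body + secret).digest()


def build_reply(code, identifier, request_authenticator, attributes, secret):
    """Server reply whose Authenticator field is the Response Authenticator."""
    auth = response_authenticator(code, identifier, request_authenticator, attributes, secret)
    return header(code, identifier, auth, attributes)


def verify_reply(reply, request_authenticator, secret):
    """NAS-side check of the server's reply using the NAS's own copy of the secret."""
    code, identifier, length = struct.unpack('!BBH', reply[:4])
    if length != len(reply) or length < 20:
        return False
    expected = response_authenticator(code, identifier, request_authenticator, reply[20:], secret)
    return hmac.compare_digest(reply[4:20], expected)


def demo():
    """Constructed exchange: matching secret verifies; pasted secret with a trailing space fails."""
    nas_secret = b'Sw1tchS3cret'
    pasted_secret = b'Sw1tchS3cret '  # same text plus an invisible trailing space
    req_auth = os.urandom(16)
    # Constructed EAP-Response/Identity: Code 2, Id 1, Length, Type 1, identity "scott"
    identity = b'scott'
    eap = struct.pack('!BBH', 2, 1, 5 + len(identity)) + b'\x01' + identity
    request = build_eap_access_request(7, req_auth, eap, nas_secret)
    results = {
        'server_same_secret': verify_message_authenticator(request, b'Sw1tchS3cret'),
        'server_pasted_with_space': verify_message_authenticator(request, pasted_secret),
    }
    good_reply = build_reply(ACCESS_ACCEPT, 7, req_auth, b'', b'Sw1tchS3cret')
    bad_reply = build_reply(ACCESS_ACCEPT, 7, req_auth, b'', pasted_secret)
    results['nas_accepts_reply'] = verify_reply(good_reply, req_auth, nas_secret)
    results['nas_rejects_wrong_secret_reply'] = verify_reply(bad_reply, req_auth, nas_secret)
    return results


if __name__ == '__main__':
    for name, ok in demo().items():
        print('%-32s %s' % (name, ok))
```

Because the server keys the HMAC with its stored secret, a request from a NAS whose secret differs by one byte is indistinguishable from a forged or corrupted request, which is why a secret problem surfaces as a malformed-request style error rather than a user authentication failure. Item 2 in the list (wrong source IP) has the same effect: the server looks up the secret by the request's source address, so an unexpected address means no secret, or the wrong one, is used for these checks.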
10-13-2005 07:04 AM
Thanks. I figure one of those is probably true, especially since the information being passed as an administrator trying to connect to the switch authenticating against the ACS is going to be different than an 802.1x user trying to authenticate against the ACS. The problem right now is that it's an either/or scenario, and I'm trying to figure out how to make it so that the TACACS+ authentication to the switch AND 802.1x authentication can occur at the same time, which would seem to involve having a VSA that incorporated elements of both.
In short -
1. Configure the ACS to handle the 3Com VSA; then you can authenticate against the switch via TACACS+ but not 802.1x users (you get the "Bad request from NAS" error, which I would expect).
2. Configure the ACS to handle the 3Com via just straight RADIUS; then 802.1x authentication works, but authentication for administration to the switch doesn't work.
Ideally, both should be able to occur at the same time I would think.
-Scott