04-20-2009 01:26 AM - edited 03-10-2019 04:26 PM
Hi all,
Objectives :
Authenticate a supplicant on an Extreme 802.1x port with an ACS SE 4.2
Supplicant = IP Phone
Authenticator : Switch Extreme 450 E
Authentication Server : ACS SE 1113 4.2.0.124.9
1) We have done the tests with a Windows ACS 4.2.0.124 and everything runs correctly, the supplicant authenticates without any problem.
2) We have replicated the Windows ACS on the ACS SE. The 802.1x authentication does not work with the ACS SE but works with the Windows ACS.
3) We have uploaded UDVs and VSAs on the ACS SE and it still does not work.
These are the .csv files uploaded:
accountactionsVsa.csv (used for the vendor)
accountAttributes.csv (used for the vendor attributes)
accountProfile.csv (used for the Attributes profile)
accountvalues.csv (used for the Attributes values). This one is not in the attached files:
1,8,,,354,Disabled,1916,201,0,15/04/2009 10:00,,,,0
2,7,,,354,Enabled,1916,201,1,15/04/2009 10:00,,,,0
3,6,,,354,Disabled,1916,206,0,15/04/2009 10:00,,,,0
4,5,,,354,Enabled,1916,206,1,15/04/2009 10:00,,,,0
5,4,,,355,,,,,15/04/2009 10:00,,,,0
The message in ACS Failed Attempts logs is: "Bad Request from NAS".
We have verified the authenticator address and the secret key, everything is ok.
With Windows ACS we can see first an "access request" between authenticator and authentication server. Next an "access challenge" from authentication server to authenticator. Next an "access request" between authenticator and authentication server and then an "access accept" from authentication server to authenticator.
With ACS SE we can see first an "access request" between authenticator and authentication server. Next an "access reject" from authentication server to authenticator.
We have tried to understand the differences between the first "access request" in ACS windows architecture and the first "access request" in ACS SE architecture. The only difference is on the Message-authenticator(80).
Have you already had this kind of problem? How can I solve it?
Thanks for your replies.
Best regards.
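The post above narrows the difference between the two Access-Requests to the Message-Authenticator attribute (80), which a RADIUS server verifies with the shared secret before it looks at anything else. As an added troubleshooting example that is not part of the original thread, the following Python recomputes attribute 80 over an Access-Request (RFC 2869 section 5.14: HMAC-MD5 keyed with the shared secret, over the whole packet with attribute 80 zero-filled) so a practitioner can check a captured request against the secret they believe is configured; the secret, identity and packet in demo() are constructed values.

```python
import hashlib
import hmac
import struct

MSG_AUTH_TYPE = 80  # Message-Authenticator attribute, RFC 2869 section 5.14


def build_access_request(identifier, authenticator, attrs, secret):
    """Build an Access-Request (Code 1) whose Message-Authenticator is the
    HMAC-MD5, keyed with the shared secret, over the whole packet with
    attribute 80 zero-filled while the MAC is computed (RFC 2869)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    placeholder = struct.pack("!BB", MSG_AUTH_TYPE, 18) + b"\x00" * 16
    length = 20 + len(body) + len(placeholder)
    header = struct.pack("!BBH", 1, identifier, length) + authenticator
    mac = hmac.new(secret, header + body + placeholder, hashlib.md5).digest()
    return header + body + struct.pack("!BB", MSG_AUTH_TYPE, 18) + mac


def verify_message_authenticator(packet, secret):
    """Recompute attribute 80 of a captured request with a candidate secret.
    True: NAS and server agree; False: mismatch; None: attribute absent."""
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    pos, found = 20, None
    while pos + 2 <= length:            # walk the TLV attribute list
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        if t == MSG_AUTH_TYPE and l == 18:
            found = pos
        pos += l
    if found is None:
        return None
    claimed = packet[found + 2:found + 18]
    zeroed = packet[:found + 2] + b"\x00" * 16 + packet[found + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, claimed)


def demo():
    """Constructed EAP-MD5 identity exchange: the phone's EAP-Response/Identity
    carried in EAP-Message (79), signed with one secret and checked with two."""
    nas_secret = b"constructed-shared-secret"   # constructed, not from the thread
    identity = b"ipphone01"                      # constructed supplicant name
    eap = struct.pack("!BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity
    attrs = [(1, identity), (4, bytes([192, 0, 2, 10])), (79, eap)]
    pkt = build_access_request(7, bytes(16), attrs, nas_secret)  # fixed authenticator
    return (verify_message_authenticator(pkt, nas_secret),
            verify_message_authenticator(pkt, b"mistyped-secret"))
```

Feeding the raw bytes of a real captured Access-Request to verify_message_authenticator() with the secret configured on the server tells you directly whether the two sides share the same key.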
04-20-2009 01:39 AM
Please be aware if you defined a key for the NDG, that key takes precedence over the keys defined for the individual devices in the NDG.
Ensure that the key defined for the NDG matches the secret key of the switch.
Regards,
~JG
04-20-2009 04:01 AM
We do not use NDG, but we have done the test with NDG and the secret key was the same as the RADIUS client Extreme. So no problem of precedence.
04-20-2009 06:19 AM
What do you see in auth.log and remote agent logs. Please go to remote agent system and get logs from cswinagent.
C:\Program Files\Cisco\CiscoSecure ACS Agent\CSWinAgent\Logs
Please change logging level to full and recreate the issue before getting the logs.
Regards,
~JG
04-20-2009 06:51 AM
I have not implemented Remote Agent since I don't need it.
So I cannot view :\Program Files\Cisco\CiscoSecure ACS Agent\CSWinAgent\Logs
What kind of login level do you mean? Administrative Login? I have the maximum one.
04-20-2009 08:16 AM
Do verify appropriate PEAP or EAP-TLS check boxes are selected under Global Authentication Setup.
In case the Dot1x supplicant used is a Cisco Supplicant then you need to select Cisco LEAP as well under Global Authentication Setup in your ACS SE.
HTH
Ahmed
04-20-2009 08:20 AM
The supplicant only uses EAP-MD5 since it is an IP phone.
EAP-MD5 is already checked in Global Authentication Setup.
Just as a reminder:
802.1x runs on the Windows version but not on the SE version with the same configuration (we have done the test with a replication from the Windows version to the Appliance SE version). Both ACS versions have the same configuration, but one is running and the other is not.