Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4271
Views
6
Helpful
21
Replies

802.1X EAP-TLS Error

michaelglosker
Level 1
Level 1

‎06-27-2023 05:37 AM

 

Over the past few weeks, I have been working on configuring 802.1x port-based authentication between my Cisco switch (RADIUS Client) and the NPS Server (My DC) using EAP-TLS authentication.

After completing the configuration on both sides following the tutorial provided in this link: Tutorial Link, I noticed that the status of my Ethernet port changed to "Authentication failed." To investigate further, I captured the EAP packets using Wireshark and observed that my computer responded with the identity but received a failure response with "EAP Code Failure 4."

Now, I'm trying to determine which side might be causing the error - the switch or the NPS server. I have referred to several guides, and it seems that the configuration on the NPS server was done correctly, and the CA certificate was imported to the client.

For reference, here is the configuration from the NPS and endpoint side: Configuration Link

Any insights or guidance on resolving this issue would be greatly appreciated.

Best regards,

Michael

Securing RADIUS with EAP-TLS (Wired WPA2- Enterprise) [Windows Server 2019]
Securing RADIUS with EAP-TLS (Wired WPA2- Enterprise) [Windows Server 2019]
youtube.com/watch?v=CzmFhCuUj6w
IMPORTANT NOTE: At 14:47 we want to set the authentication method to "RADIUS, None" not "None". This uses RADIUS authentication and keeps the port authenticated even if the RADIUS server is not available. Brandon Harp was kind enough to point out my misunderstanding here. Thanks Brandon! I put ...
Labels:
21 Replies 21

M02@rt37
VIP
VIP

‎06-27-2023 05:49 AM

Hello @michaelglosker,

Do you check that you have a policy taht matches the conditions for the AUTH. request form the Cisco Switch. Constraints....Conditions....that might prevent successful AUTH.

Also, take a closer look at the Wireshark capture of the EAP packets exchanged between the client abd the NPS server. Analyze the packet flow to identify ant abnormalities/errors in the EAP messages exchanged.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
0 Helpful

Aref Alsouqi
VIP
VIP

‎06-27-2023 08:54 AM

Code failure 4 would mean access rejected which would suggest there is no policy match on the NPS. Could you please share the NPS policies and the endpoints NIC settings for review?

0 Helpful

michaelglosker
Level 1
Level 1
In response to Aref Alsouqi

‎06-27-2023 11:28 PM

Here is my post including NIC Setting and the NPS policy.

https://learn.microsoft.com/en-us/answers/questions/1318668/eap-tls-authentication-failed

0 Helpful

Aref Alsouqi
VIP
VIP
In response to michaelglosker

‎06-28-2023 03:32 AM

It could be the order of the policies, it could be the policy is not enabled, I think the best place to look at to trying to find out the root cause of this would be the NPS logs on the server, usually the are good enough to point out the issue.

0 Helpful

michaelglosker
Level 1
Level 1
In response to Aref Alsouqi

‎06-28-2023 05:39 AM

I already tried to view the NPS logs but there is no events of success or failure (even tough that i enabled the logging).

When i tried to capture the traffic is saw that my computer send his identity and get EAP Failure.

michaelglosker_0-1687955742555.png

 

 

 

0 Helpful

Aref Alsouqi
VIP
VIP
In response to michaelglosker

‎06-29-2023 10:08 AM

Where did you get that capture from? If the NPS is not showing any logs it could be that is not receiving these RADIUS requests?

0 Helpful

michaelglosker
Level 1
Level 1
In response to Aref Alsouqi

‎07-01-2023 02:50 AM

The picture was captured with Wireshark from my laptop that tries to authenticate, probably the NPS server not receiving the logs but i am trying to understand why i also checked if there is any block from the FW side and there is no any rule that block the communication.

0 Helpful

MHM Cisco World
VIP
VIP
In response to michaelglosker

‎07-01-2023 12:58 PM

You not answer my below Q, so I review your previous comment 
NOW 
the SW enable 802.1x but the issue it stop at EAP-response Identity 
This can from EAP method, the user send method that NOT match the EAP method.
so double check in NPS and user EAP method 

 Screenshot (39).png

Nancy Saini
Cisco Employee
Cisco Employee

‎06-29-2023 10:15 AM

Check if the RADIUS request is reaching the NPS server. Also, check the output of "show authentication session int gig <id> detail" on the Cisco switch.

0 Helpful

MHM Cisco World
VIP
VIP
In response to michaelglosker

‎07-01-2023 03:01 AM

Hi can I know exactly your issue

Thanks 
MHM

0 Helpful

Aref Alsouqi
VIP
VIP
In response to michaelglosker

‎07-01-2023 04:11 AM

Try please to drop the keyword "detail" at the end of the "show authentication" command and share the output for review. You can also enable RADIUS authentication debugs on the switch "debug radius authentication" which should you if the comms with the NPS is working. Another thing you can do from the switch would be to show the aaa server status "show aaa servers" and look at the state lines, if it should show "current UP" it means the switch and the NPS can talk to each other. Finally you can enable the epm logging on the switch which would help you finding out any issue with the dot1x flows. 

0 Helpful

michaelglosker
Level 1
Level 1
In response to Aref Alsouqi

‎07-02-2023 11:57 PM

michaelglosker_0-1688367365524.png

michaelglosker_1-1688367428528.png

 

0 Helpful

MHM Cisco World
VIP
VIP
In response to michaelglosker

‎07-03-2023 12:03 AM

According to what you new share' and as @Nancy Saini mention' your SW never send request to aaa server.

Share config 

0 Helpful
Customers Also Viewed These Support Documents