03-13-2013 02:24 AM - edited 03-10-2019 08:11 PM
Hi,
I have already set up a lab comprising 1x 2950-24 switch, 2x 3750-24T in stack mode and 2x MS Domain Controllers with AD 2008 Servers and NPS enabled (Domain level 2008). I use NPS as a RADIUS server. I am trying to test the 802.1x framework in two scenarios.
1. I use as client a domain laptop with Windows XP SP3 with the embedded 802.1x MS supplicant. As authenticator I use the 2950 switch and as authentication servers I use the two NPS integrated in the MS DCs. Everything is working fine as I expected with basic configuration guidelines from Cisco & Microsoft.
2. I use as client a domain laptop with Windows XP SP3 with the embedded 802.1x MS supplicant (the same as before). As authenticator I use the 3750 stack switch and as authentication servers I use the two NPS integrated in the MS DCs (the same as before). I have configured the supplicant for both machine or user authentication in both scenarios. However, the client never passes the authentication in the second one. I disconnect and connect the same supplicant to the 2950 switch and the authentication completes successfully. Getting back to the 3750 stack, the authentication fails and the laptop gains network access in the configured Auth-Failed VLAN. I have tried several configuration changes without success. I cannot understand why this happens. I have made some debugs and I am sending them along with a partial basic configuration of the 3750 stack switch.
If anyone could check it and suggest anything it could be appreciated!!!
Thank you in advance!
03-15-2013 09:34 AM
Hi,
Either the interface or the system jumbo MTU on your switch seems to be set to 9000 bytes:
Mar 6 15:50:11.822: RADIUS: Framed-MTU [12] 6 9000
Try to include the Framed-MTU attribute (Settings > RADIUS Attributes > Standard > Add...) in your NPS policy and set the value to 1500.
Regards,
Josef
03-13-2013 05:50 AM
Hi,
It seems your supplicant is not sending the username!!
You can see, for example:
dot1x_auth_bend Gi2/0/24: during state auth_bend_request, got event 12(eapTimeout)
and
User-Name [1] 14 "UNRESPONSIVE"
Try to check from supplicant and cable side. Make sure to configure user auth only while testing. Do not use machine auth for testing until you get user-auth working fine.
The logs on the radius server should confirm this.
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"
03-13-2013 06:15 AM
Keep this one in mind:
http://support.microsoft.com/kb/953650
--------------------------------------------------------------
Please make sure to rate correct answers
03-13-2013 07:01 AM
Thank you for your responses.
However, I tried to change the supplicant configuration to User Authentication mode only but I had the same results.
Please keep in mind that with the same supplicant, either in User / Machine or User / Machine authentication mode, when I use the 2950 switch as authenticator everything is working fine. When I use the 3750 stack I am experiencing the results I have already described above. I am trying to figure out what is going on from the logs of NPS and it seems that, for a reason I cannot find out, the authentication fails. However, I can see that the NPS server receives the right credentials from the supplicant.
03-19-2013 04:12 AM
Hi Josef,
You are absolutely right!!! Well done pal. Check below the output from my lab stack switch:
************************************************************************
SW-LAB#sh system mtu
System MTU size is 1504 bytes
System Jumbo MTU size is 9000 bytes
System Alternate MTU size is 1504 bytes
Routing MTU size is 1500 bytes
SW-LAB#
************************************************************************
I followed your instructions and set the Framed-MTU attribute to 1500 in the relevant NPS policy and everything is now working fine as expected. Just for clarification, could you please let me know why this happens? What I mean is, why do I have to configure the NPS server to send this attribute back to the RADIUS client to complete the authentication? If I configure the system MTU or Jumbo MTU to 1500, do you believe that I will have the same results?
Thank you in advance!
03-20-2013 07:25 AM
Hi,
Basically, what happens is that the maximum EAP packet size for communication between client and RADIUS server is negotiated. Therefore, in your case the switch notifies NPS that the client is capable of handling packets up to 9000 bytes in size.
EAP messages, especially those containing the server certificate, are usually bigger than 1500 bytes and arrive at the switch in multiple fragments:
Mar 6 15:50:11.881: RADIUS(0000002C): Received from id 1645/41
Mar 6 15:50:11.881: RADIUS/DECODE: EAP-Message fragments, 253+253+253+253+253+253+253+253+20, total 2044 bytes
Having learned that 2044 bytes is acceptable for the client, the switch forwards the full message in one chunk, but since your client is likely to have set the interface MTU to 1500, the packet is oversized and never reaches its destination.
And yes, I think changing the System Jumbo MTU to 1500 bytes would lead to the same result. If my memory serves me right, a new setting takes effect only after a reboot, so I'd suggest giving it a go in your lab first.
Best regards,
Josef
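As an added illustration of the mechanism Josef describes (this is not code from the thread or from Cisco/Microsoft), the Python below parses RADIUS attribute lists, reassembles the EAP-Message fragments the way the switch does, and checks whether the rebuilt EAPOL frame would fit a 1500-byte Ethernet link. The sample attribute bytes are constructed to mirror the debug line above (8 x 253 + 20 = 2044 bytes of EAP); the 14-byte Ethernet and 4-byte EAPOL header sizes and the 1500-byte link MTU are assumptions.

```python
import struct

ETH_HDR, EAPOL_HDR = 14, 4                   # untagged Ethernet header + 802.1X EAPOL header
ATTR_FRAMED_MTU, ATTR_EAP_MESSAGE = 12, 79   # RADIUS attribute types (RFC 2865 / RFC 3579)

def parse_attrs(data):
    """Walk a RADIUS attribute list; each TLV is type(1) length(1, includes the header) value."""
    attrs, i = [], 0
    while i < len(data):
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs

def framed_mtu(attrs):
    """Framed-MTU value the switch advertised in its Access-Request, or None if absent."""
    return next((struct.unpack("!I", v)[0] for t, v in attrs if t == ATTR_FRAMED_MTU), None)

def reassemble_eap(attrs):
    """Concatenate EAP-Message fragments in order, as the switch does before emitting one EAPOL frame."""
    return b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)

def audit(request_attrs, challenge_attrs, link_mtu=1500):
    """Report the advertised Framed-MTU, the reassembled EAP size and whether the
    resulting EAPOL frame fits the supplicant's link MTU (assumed 1500 here)."""
    eap_len = len(reassemble_eap(challenge_attrs))
    frame_len = ETH_HDR + EAPOL_HDR + eap_len
    return {
        "framed_mtu": framed_mtu(request_attrs),
        "eap_len": eap_len,
        "frame_len": frame_len,
        "fits_link_mtu": frame_len <= link_mtu,
    }

def build_request(mtu):
    """Constructed Access-Request attribute list carrying only Framed-MTU (type 12, length 6)."""
    return bytes([ATTR_FRAMED_MTU, 6]) + struct.pack("!I", mtu)

def build_challenge(eap_payload, frag=253):
    """Constructed Access-Challenge attribute list: the EAP packet split into EAP-Message
    attributes of at most 253 value bytes, since the RADIUS attribute length is one byte."""
    out = b""
    for off in range(0, len(eap_payload), frag):
        chunk = eap_payload[off:off + frag]
        out += bytes([ATTR_EAP_MESSAGE, 2 + len(chunk)]) + chunk
    return out

# Constructed 2044-byte EAP-Request/EAP-TLS packet: code 1, id 5, length 0x07fc, type 13, then filler
SAMPLE_EAP = bytes([0x01, 0x05, 0x07, 0xfc, 0x0d]) + bytes(2039)
```

Running `audit(parse_attrs(build_request(9000)), parse_attrs(build_challenge(SAMPLE_EAP)))` reports a 2062-byte frame that does not fit a 1500-byte link, which is the drop Josef describes.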
03-19-2013 04:14 AM
Well done Josef. +5.
Rating useful replies is more useful than saying "Thank you"