
802.1x fails to authenticate

blackswans
Level 1

Hi,

I have a user named "testuser" and am trying to authenticate from the XP computer, but it fails to authenticate. The ACS logs say that authentication failed; the user is in the local database, so why does it fail to authenticate?

I have a Cisco switch:

WS-C2960G-48TC-L   12.2(52)SE            C2960-LANBASEK9-M

*Mar  8 04:03:55.030: AAA/BIND(00000029): Bind i/f 
*Mar  8 04:03:55.173: %AUTHMGR-5-START: Starting 'dot1x' for client (782b.cbc9.a027) on Interface Gi0/2 AuditSessionID 0A6A00200000001924EBD428
*Mar  8 04:03:57.010: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up
*Mar  8 04:03:58.016: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to up
*Mar  8 04:04:05.482: %DOT1X-5-FAIL: Authentication failed for client (782b.cbc9.a027) on Interface Gi0/2 AuditSessionID 0A6A00200000001924EBD428
*Mar  8 04:04:05.482: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (782b.cbc9.a027) on Interface Gi0/2 AuditSessionID 0A6A00200000001924EBD428
*Mar  8 04:04:15.834: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down

ACS Failed Attempts entry (column names as in the ACS report; ".." is an empty field):

Message-Type: Authen failed
User-Name: testuser
Group-Name: Group 66
Caller-ID: 78-2B-CB-C9-A0-27
Network Access Profile Name: (Default)
Authen-Failure-Code: EAP-TLS or PEAP authentication failed during SSL handshake
Author-Failure-Code: ..
Author-Data: ..
NAS-Port: 50002
NAS-IP-Address: x.x.x.x
Filter Information: ..
PEAP/EAP-FAST-Clear-Name: ..
EAP Type: 25
EAP Type Name: MS-PEAP
Reason: ..
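As an added example (not from this thread and not Cisco's code), here is a small Python triage script for exactly the situation in the post above: it joins the switch's %DOT1X-5-FAIL syslog line with the ACS Failed Attempts record by client MAC, normalizes the two MAC spellings (Cisco dotted vs. ACS dashed), and reads the EAP type and failure code. EAP type 25 is PEAP, and a failure "during SSL handshake" means the outer TLS tunnel was never built, so the user's password in the ACS local database was never consulted; that is why a perfectly valid user still fails. The ACS column order is assumed from the ACS 4.x Failed Attempts CSV report, and the sample syslog lines and CSV row are constructed for this example (date, NAS IP and device name are placeholders).

```python
import csv
import re

# Constructed sample of the switch syslog from the thread (Cisco dotted MAC format).
SWITCH_LOG = """\
*Mar  8 04:03:55.173: %AUTHMGR-5-START: Starting 'dot1x' for client (782b.cbc9.a027) on Interface Gi0/2 AuditSessionID 0A6A00200000001924EBD428
*Mar  8 04:03:57.010: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up
*Mar  8 04:04:05.482: %DOT1X-5-FAIL: Authentication failed for client (782b.cbc9.a027) on Interface Gi0/2 AuditSessionID 0A6A00200000000924EBD428
*Mar  8 04:04:05.482: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (782b.cbc9.a027) on Interface Gi0/2 AuditSessionID 0A6A00200000000924EBD428
"""

# Column order of the ACS 4.x Failed Attempts report (assumption based on the
# CSV export of that report; adjust if your ACS version differs).
ACS_COLUMNS = [
    "Date", "Time", "Message-Type", "User-Name", "Group-Name", "Caller-ID",
    "Network Access Profile Name", "Authen-Failure-Code", "Author-Failure-Code",
    "Author-Data", "NAS-Port", "NAS-IP-Address", "Filter Information",
    "PEAP/EAP-FAST-Clear-Name", "EAP Type", "EAP Type Name", "Reason",
    "Access Device", "Network Device Group",
]

# Constructed ACS record modelled on the thread's entry; date, NAS IP and
# device name are placeholders, the MAC is in ACS's dashed upper-case format.
ACS_CSV = (
    "03/08/2011,04:04:05,Authen failed,testuser,Group 66,78-2B-CB-C9-A0-27,"
    "(Default),EAP-TLS or PEAP authentication failed during SSL handshake,"
    ",,50002,192.0.2.10,,,25,MS-PEAP,,switch-lab,(Default)"
)

# IANA EAP method type numbers for the methods ACS 4.x can log.
EAP_TYPES = {13: "EAP-TLS", 17: "LEAP", 25: "PEAP", 26: "EAP-MSCHAPv2", 43: "EAP-FAST"}

FAIL_RE = re.compile(
    r"%DOT1X-5-FAIL: Authentication failed for client \(([0-9a-fA-F.]+)\) "
    r"on Interface (\S+) AuditSessionID (\S+)"
)


def normalize_mac(raw):
    """Reduce 782b.cbc9.a027, 78-2B-CB-C9-A0-27 or 78:2b:cb:c9:a0:27 to twelve
    lowercase hex digits so records from the switch and from ACS can be joined."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def switch_failures(log_text):
    """Return {mac: (interface, audit_session_id)} for every %DOT1X-5-FAIL line."""
    found = {}
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            found[normalize_mac(m.group(1))] = (m.group(2), m.group(3))
    return found


def parse_acs_record(csv_line):
    """Turn one Failed Attempts CSV row into a dict keyed by column name."""
    row = next(csv.reader([csv_line]))
    if len(row) != len(ACS_COLUMNS):
        raise ValueError(f"expected {len(ACS_COLUMNS)} fields, got {len(row)}")
    return dict(zip(ACS_COLUMNS, row))


def diagnose(record):
    """Map the failure code and EAP type to the phase where the attempt died."""
    code = record["Authen-Failure-Code"]
    eap = int(record["EAP Type"]) if record["EAP Type"] else None
    method = EAP_TYPES.get(eap, f"EAP type {eap}")
    if eap in (13, 25) and "SSL handshake" in code:
        # The TLS tunnel never came up, so the inner credential was not checked:
        # a correct user/password in the ACS database cannot fix this. ACS needs
        # a server certificate and the supplicant must trust the CA that issued it.
        return method, "outer TLS handshake failed: server certificate missing or untrusted"
    return method, f"unclassified failure: {code}"


def correlate(switch_log, acs_csv):
    """Join the switch-side failure with the ACS-side reason by client MAC."""
    failures = switch_failures(switch_log)
    rec = parse_acs_record(acs_csv)
    mac = normalize_mac(rec["Caller-ID"])
    method, cause = diagnose(rec)
    interface, session = failures.get(mac, (None, None))
    return {
        "user": rec["User-Name"], "group": rec["Group-Name"], "mac": mac,
        "interface": interface, "session": session, "method": method, "cause": cause,
    }


if __name__ == "__main__":
    for key, value in correlate(SWITCH_LOG, ACS_CSV).items():
        print(f"{key:>10}: {value}")
```

Run it as-is to see the joined record; for real data, feed it the switch's buffered log and one row exported from the ACS Failed Attempts report. The point of the join is that the switch only ever says "fail", while the ACS side tells you which phase failed, and a handshake failure on EAP type 25 points at the server certificate rather than at the user account.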


7 Replies

kcnajaf
Level 7

Hi,

Looks like you have PEAP authentication enabled on Global Authentication Setup. You need to have certificates installed in ACS for PEAP to work.

Alternatively, for testing you could uncheck PEAP and enable just LEAP on the Global Authentication Setup and give it a try.

Regards

Najaf

It is checked, but PEAP is not unchecked. But it also says LEAP is for Aironet only; will it still work if I uncheck PEAP?

Thanks

LEAP
Allow LEAP (For Aironet only)

Hi,

Sorry, my mistake. I was assuming you were using 802.1x for wireless authentication. As mentioned on ACS, LEAP will work only for wireless RADIUS authentication.

Also, Windows XP natively supports only PEAP and token-based authentication.

So the next thing you could try is using a self-generated certificate on ACS for PEAP authentication.

The link below will guide you on how to install a self-signed certificate on ACS.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml

Hope that helps.

Regards

Najaf

Hi,

My configuration is now working, but I use the ACS for TACACS authentication for network devices and I do not want this group to be used in TACACS. I do not want these users to log in to network devices; how can this be achieved?

Thanks

Hi,

Sorry, I didn't understand what you are saying here. Apologies for that... Did it mean the issues are resolved now and you are not able to view failed logs on the ACS?

Coming back to the second part of restricting users: which version of ACS are you using? Are you using both RADIUS and TACACS authentication on the same ACS?

Regards

Najaf

Hi

Yes, the problem is resolved, but another problem has started. I'm using the same ACS for network device TACACS authentication. I created a local user in another group for 802.1x, and that user can log in to network devices. I do not want this group to log in to network devices.

Group 1 - for tacacs (can login to network devices)

Group 2 - for 802.1x (radius, they should not login to network devices, only for 802.1x)

Thanks.

Hi.

In your case you should look at the RADIUS server logs. The authentication error comes from RADIUS, so that is where you can see additional info.
