08-15-2004 07:32 AM - edited 03-10-2019 01:45 PM
I wondered if anyone can help or shed any light on the following problem.
I am getting an authentication error when doing a RADIUS authentication to CiscoSecure ACS 3.3 running on a Windows 2003 server; the authentication request is coming from a Catalyst 2950 switch which is doing 802.1x for Windows XP clients. This problem only happens when the XP client connects to 2950 switches; Cat 3550s and 3560s work fine.
The Cat2950 is running 12.1.20 (EA1) which is more or less the latest IOS.
The error I get from ACS 3.3 is "Invalid message authenticator in EAP request" when the 2950 tries to authenticate an XP client for 802.1x to the ACS server using RADIUS.
Doing a RADIUS and 802.1x debug on the 2950, I see a message about 'Unknown EAP type'. I am using PEAP on the XP client doing EAP-MS-CHAPv2 authentication; the same XP client authenticates fine with 3550 and 3560 switches, so the problem only affects 2950s. Can anyone confirm the 2950 supports EAP-MS-CHAPv2?
I have checked and re-checked the shared secret and it definitely matches on 2950 and ACS.
One thing I noticed in the RADIUS debug is that the 2950 sends 18 bytes for attribute 79, when the RFC defines that attribute 79 should be 3 bytes or less. I don't know if this is related to the problem or is correct behaviour.
08-19-2004 11:48 AM
I have tested authentication with 802.1x and EAP-MD5 in cat2950 and it works fine. I am not sure of EAP-MS-CHAPv2.
Please make sure your configuration is correct.
08-25-2004 12:51 PM
Hi, I am new with 802.1x, and was hoping that someone would help with these queries:
1. How is a certificate requested without being allowed on a network that is not authenticated with 802.1x? I had to first connect to an active network, retrieve a certificate with the proper username and password, and then physically connect to the port on the 2950 switch which was enabled to do 802.1x.
2. My config is as below:
aaa new-model
aaa authentication dot1x default group radius
aaa authentication login default group radius
dot1x system-auth-control
interface f0/1
switchport mode access
dot1x port-control auto
end
I am able to log in using the radius server, so radius is working (on ports other than f1/0). However, when connecting to f1/0, the port on the 2950 remains blocked.
3. The certificate is issued by the ca server, is viewable via Internet explorer,and is issued to the correct username which is on the active directory.
I even tried using local authentication with 802.1x; this did not work.
4. If I have a certificate, will this automatically give me access to the 802.1x port?
5. I have Windows 2000, and authentication is set to 'Smart Card or other certificate'.
Am I missing anything?
Any advice will be greatly appreciated.
Chris
08-27-2004 09:17 AM
Hello
try something like this
radius-server host
09-02-2004 06:05 AM
Hi,
I have done some testing with XP clients with MS PEAP MS-CHAPv2 on a 2950 12.1.20(EA1). This works fine. We used an IAS radius server (W2k) for the test.
The only thing that was wrong is the "NAS-PORT-TYPE" that the 2950 sends to the radius server (bug CSCec86385). But in IAS we could adjust our policy to support the wrong port type. Maybe ACS also has a problem with this?
Regards, Gerard
09-02-2004 08:06 AM
Thanks for the reply.
The 2950 is sending NAS-port-type attribute 61 with a value of 15 which is Ethernet.
It could well be the ACS is expecting a value of 0, which is Async, and this breaks the authentication.
I will see if I can adjust ACS to accept NAS-PORT-TYPE of Ethernet or force the 2950 to send attribute 61 with a value of 0.
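The two RADIUS details this thread turns on are the Message-Authenticator (attribute 80) that ACS reports as invalid, and the NAS-Port-Type (attribute 61) value the 2950 sends. As an added example, not code from this thread or from Cisco, the Python below builds a constructed Access-Request carrying an EAP-Message (attribute 79), computes and checks the Message-Authenticator as RFC 2869 defines it (HMAC-MD5 keyed with the shared secret over the whole packet with the attribute's own value zeroed), shows that either a wrong shared secret or any modified attribute makes that check fail, reassembles the EAP packet from the EAP-Message attributes, and decodes NAS-Port-Type 15 as Ethernet. The shared secret, identity, identifier and Request Authenticator are placeholders chosen here.

```python
"""Decode a RADIUS Access-Request carrying 802.1X EAP and check its
Message-Authenticator (RFC 2869 / RFC 3579). Added example; the packet is
constructed here, not captured from a switch."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
EAP_TYPE_NAMES = {1: "Identity", 4: "MD5-Challenge", 25: "PEAP", 26: "EAP-MSCHAPv2"}
NAS_PORT_TYPE_NAMES = {0: "Async", 15: "Ethernet", 19: "Wireless-IEEE-802.11"}


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length."""
    out = bytearray()
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long for one TLV")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return bytes(out)


def build_access_request(secret, ident, attrs, request_authenticator=None):
    """Build an Access-Request whose last attribute is a valid Message-Authenticator."""
    ra = request_authenticator or os.urandom(16)
    body = encode_attrs(list(attrs) + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body
    # HMAC-MD5 keyed with the shared secret, over the packet with the MA value zeroed
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def parse_attrs(pkt):
    """Return [(type, value)] from the attribute section; reject malformed lengths."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < len(pkt):
        if pos + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > len(pkt):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return attrs


def verify_message_authenticator(pkt, secret):
    """True iff exactly one 16-byte Message-Authenticator is present and its HMAC matches.
    A wrong shared secret or any change to the packet after signing makes this False."""
    pos, offsets = 20, []
    for t, v in parse_attrs(pkt):
        if t == ATTR_MESSAGE_AUTHENTICATOR and len(v) == 16:
            offsets.append(pos + 2)
        pos += 2 + len(v)
    if len(offsets) != 1:
        return False
    off = offsets[0]
    zeroed = pkt[:off] + b"\x00" * 16 + pkt[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(pkt[off:off + 16], expected)


def reassemble_eap(attrs):
    """Concatenate every EAP-Message value in order: one EAP packet may span several TLVs."""
    return b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)


def describe_eap(eap):
    """Decode the EAP header (code, id, length) and the type byte of a Request/Response."""
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError("EAP length mismatch")
    eap_type = eap[4] if code in (1, 2) and length > 4 else None
    return {"code": code, "id": ident, "type": EAP_TYPE_NAMES.get(eap_type, eap_type)}


def nas_port_type(attrs):
    """Return (value, name) for NAS-Port-Type, a 4-byte big-endian integer."""
    for t, v in attrs:
        if t == ATTR_NAS_PORT_TYPE and len(v) == 4:
            val = struct.unpack("!I", v)[0]
            return val, NAS_PORT_TYPE_NAMES.get(val, "Unknown")
    return None, "absent"


def demo():
    secret = b"constructed-shared-secret"  # placeholder, not a real secret
    identity = b"xpclient"                  # placeholder supplicant identity
    # Constructed EAP-Response/Identity: code 2, id 1, length 4+1+len(identity), type 1
    eap = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity
    attrs = [(ATTR_USER_NAME, identity),
             (ATTR_NAS_PORT_TYPE, struct.pack("!I", 15)),  # 15 = Ethernet
             (ATTR_EAP_MESSAGE, eap)]
    pkt = build_access_request(secret, 7, attrs, request_authenticator=bytes(range(16)))
    parsed = parse_attrs(pkt)
    tampered = pkt.replace(identity, b"xpclienT")  # same length, one byte changed
    return {
        "valid": verify_message_authenticator(pkt, secret),
        "wrong_secret": verify_message_authenticator(pkt, b"other-secret"),
        "tampered": verify_message_authenticator(tampered, secret),
        "nas_port_type": nas_port_type(parsed),
        "eap": describe_eap(reassemble_eap(parsed)),
        "eap_attr_len": len(eap),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two points worth keeping in mind when reading a debug like the one in the first post: the EAP-Message attribute carries a fragment of an EAP packet, so its length follows the EAP payload (the constructed Identity response above is 13 bytes, and a larger EAP packet is split across several attribute 79 TLVs that the server concatenates), and the HMAC is keyed with the shared secret, so an "invalid message authenticator" result is produced by a secret mismatch just as readily as by a packet modified in transit.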
09-20-2004 02:49 PM
Hi,
Do you have a sample config that I could use to configure the Cat3550s to authenticate to the Radius server? I am having a lot of problems configuring them.
Thanks
09-22-2004 10:58 AM
Hi,
Here is a piece of our config:
---------------------------------------------------
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
dot1x system-auth-control
!
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
dot1x port-control auto
dot1x timeout quiet-period 10
dot1x guest-vlan 51
spanning-tree portfast
!
radius-server host 10.10.10.10 auth-port 1812 acct-port 1813 key secret-password
----------------------------------------------------
Be sure that the switch can ping the radius server.
Regards, Gerard