01-06-2005 12:14 PM - edited 03-10-2019 01:57 PM
We are using RADIUS IETF in ACS and EAP MD5.
My switch is a 2950 with these commands:
radius-server host a.b.c.d
radius-server key cisco
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
int fa 0/1
dot1x port-control auto
When we try to authenticate, this error appears in the ACS reports: "CS user unknown".
Is there something we forgot?
Where do I configure the respective VLAN for the user when he authenticates?
Thanks
01-07-2005 02:16 AM
As far as the "CS user unknown" issue, this usually means that the user you're using to authenticate doesn't exist in the RADIUS database.
Are the user IDs manually entered or are they externally mapped?
For the VLAN assignment from the radius server, assign the following IETF RADIUS attributes to either the individual user or the groups.
[64] Tunnel-Type = VLAN
[65] Tunnel-Medium-Type = 802
[81] Tunnel-Private-Group-Id = VLAN NAME
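As an added illustration of what those three attributes look like on the wire (this is example code, not anything from the thread or from ACS): the encoder below builds attributes 64/65/81 with the RFC 2868 tag byte, and the decoder applies the same checks a switch does before it will honour the VLAN, namely that all three attributes are present, carry the same tag, and say Tunnel-Type = VLAN (13) and Tunnel-Medium-Type = IEEE-802 (6). The VLAN name "teste" comes from later in the thread; the byte layout and constants are from RFC 2868 and RFC 3580, and the rest is constructed.

```python
"""Encode and decode the IETF RADIUS tunnel attributes used for dynamic VLAN
assignment (added example; RFC 2868 layout assumed, sample values constructed)."""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # RFC 3580: Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6      # RFC 2868: Tunnel-Medium-Type value for 802


def avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type(1) length(1) value; length counts the header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(value: int, tag: int = 0) -> bytes:
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte big-endian value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def vlan_attributes(vlan_name: str, tag: int = 0) -> bytes:
    """Attributes 64/65/81 as an Access-Accept would carry them for one VLAN."""
    # For Tunnel-Private-Group-Id the tag byte is only sent when a tag is in use.
    group = (bytes([tag]) if tag else b"") + vlan_name.encode("ascii")
    return (avp(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN, tag))
            + avp(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE802, tag))
            + avp(TUNNEL_PRIVATE_GROUP_ID, group))


def parse_avps(blob: bytes):
    """Yield (type, value) pairs; malformed lengths raise instead of looping forever."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError(f"bad attribute length {length} at offset {i}")
        yield attr_type, blob[i + 2:i + length]
        i += length


def assigned_vlan(blob: bytes):
    """Return the VLAN name only when a consistent 64/65/81 set is present,
    otherwise None (the situation the switch debug reports as 'No Vlan')."""
    by_tag = {}
    for attr_type, value in parse_avps(blob):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                continue  # not a valid tagged integer; ignore it
            tag, num = value[0], int.from_bytes(value[1:], "big")
            by_tag.setdefault(tag, {})[attr_type] = num
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a leading byte of 0x00..0x1F is a tag, anything else is text
            tag, name = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            by_tag.setdefault(tag, {})[attr_type] = name.decode("ascii", "replace")
    for attrs in by_tag.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            return attrs[TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    accept = vlan_attributes("teste")
    print(accept.hex())
    print(assigned_vlan(accept))
```

Run the file directly to see the raw attribute bytes for the VLAN "teste" and the name recovered from them; feeding it only two of the three attributes, or attributes with mismatched tags, makes `assigned_vlan` return None, which is the quickest way to see why a partially configured ACS user gets no VLAN.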
01-17-2005 09:27 AM
CS User Unknown means that ACS doesn't know about the user. Have you defined the user that uses MD5 either locally in ACS or have you configured integration with a backend identity store?
As for VLAN Assignment, you can configure this as either a per-user or per-group RADIUS Attribute.
Hope this helps.
01-21-2005 10:44 AM
I'm using a 2950 and Cisco ACS. In my Windows XP, I did only this: "Enable IEEE 802.1x authentication for this network --> MD5 Challenge". I created one user in the ACS database and assigned the following IETF RADIUS attributes to this user:
[64] Tunnel-Type = VLAN
[65] Tunnel-Medium-Type = 802
[81] Tunnel-Private-Group-Id = teste
At my network icon appears: Authentication Fail
See some debug messages on my switch:
03:09:14: dot1x-ev:Received AuthStart from Authenticator for supp_info=80D607DC
03:09:14: dot1x-ev:Managed Timer in sub-block attached as leaf to master
03:09:14: dot1x-ev:Going to Send Request to AAA Client on RP for id = 0 and length = 25
03:09:14: dot1x-ev:Got a Request from SP to send it to Radius with id 7
03:09:14: dot1x-ev:Couldn't Find a process thats already handling the request for this id 0
03:09:14: dot1x-ev:Inserted the request on to list of pending requests
03:09:14: dot1x-ev:Found a free slot at slot 0
03:09:14: dot1x-ev:Found a free slot at slot 0
03:09:14: dot1x-ev:Request id = 7 and length = 25
03:09:14: dot1x-ev:The Interface on which we got this AAA Request is FastEthernet0/1
03:09:14: dot1x-ev:Username is SMSTESTE\joe
03:09:14: dot1x-ev:MAC Address is 0026.540f.5555
03:09:14: dot1x-ev:MAC Address copied is 0026.540f.4c43
03:09:15: dot1x-ev:dot1x_post_message_to_auth_sm: Skipping tx for req_id for default supplicant
03:09:34: dot1x-err:EAP packet not recvd
03:09:34: dot1x-ev:going to send to backend on SP, length = 4
03:09:34: dot1x-ev:Received VLAN is No Vlan
03:09:34: dot1x-ev:Enqueued the response to BackEnd
03:09:34: dot1x-ev:Received QUEUE EVENT in response to AAA Request
03:09:34: dot1x-ev:Dot1x matching request-response found
03:09:34: dot1x-ev:Length of recv eap packet from radius = 4
03:09:34: dot1x-ev:Received VLAN Id -1
03:09:34: dot1x-ev:dot1x_bend_fail_enter:0026.540f.5555: Current ID=0
Can you help me?
Thanks,
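A small triage script for the debug output above, added here as an example rather than anything from the thread or from Cisco: it pulls the username, MAC and VLAN result out of `debug dot1x` lines and turns them into the checks the later replies make by hand (the supplicant sent `DOMAIN\user`, the switch never got an EAP response, and no VLAN came back because authentication failed). The sample lines are copied from the post above and trimmed to the ones the script reads; the message formats matched are only those visible in that post.

```python
"""Triage of Cisco 'debug dot1x' output (added example; message formats assumed
from the lines in the post, sample input copied from it)."""
import re

# Trimmed copy of the debug lines from the post above.
SAMPLE_DEBUG = "\n".join([
    r"03:09:14: dot1x-ev:The Interface on which we got this AAA Request is FastEthernet0/1",
    r"03:09:14: dot1x-ev:Username is SMSTESTE\joe",
    r"03:09:14: dot1x-ev:MAC Address is 0026.540f.5555",
    r"03:09:34: dot1x-err:EAP packet not recvd",
    r"03:09:34: dot1x-ev:Received VLAN is No Vlan",
    r"03:09:34: dot1x-ev:Received VLAN Id -1",
    r"03:09:34: dot1x-ev:dot1x_bend_fail_enter:0026.540f.5555: Current ID=0",
])

LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d): dot1x-(?P<level>ev|err):(?P<msg>.*)$")


def triage(debug_text: str) -> dict:
    """Extract the facts a troubleshooter wants from one authentication attempt."""
    result = {"interface": None, "username": None, "domain": None, "mac": None,
              "vlan_id": None, "eap_timeout": False, "backend_fail": False}
    for raw in debug_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a dot1x debug line; skip
        msg = m["msg"]
        if msg.startswith("Username is "):
            # Windows supplicants may send DOMAIN\user; split so both parts are visible
            domain, _, user = msg[len("Username is "):].strip().rpartition("\\")
            result["username"], result["domain"] = user, (domain or None)
        elif msg.startswith("MAC Address is "):
            result["mac"] = msg.split()[-1]
        elif "AAA Request is " in msg:
            result["interface"] = msg.split()[-1]
        elif msg.startswith("Received VLAN Id "):
            result["vlan_id"] = int(msg.split()[-1])
        elif m["level"] == "err" and "EAP packet not recvd" in msg:
            result["eap_timeout"] = True
        elif "dot1x_bend_fail_enter" in msg:
            result["backend_fail"] = True
    return result


def findings(r: dict) -> list:
    """Turn the extracted facts into plain-language checks, in a fixed order."""
    out = []
    if r["domain"]:
        out.append(f"supplicant sent {r['domain']}\\{r['username']}: ACS needs a user "
                   f"or an external mapping under exactly that name")
    if r["eap_timeout"]:
        out.append("switch timed out waiting for the supplicant's EAP response")
    if r["backend_fail"]:
        out.append("backend authentication failed; a failed attempt never carries "
                   "tunnel attributes, so fix authentication before the VLAN")
    elif r["vlan_id"] == -1:
        out.append("authenticated but no VLAN assigned: check attributes 64/65/81 "
                   "on the ACS user or group and that the VLAN name exists on the switch")
    return out


if __name__ == "__main__":
    facts = triage(SAMPLE_DEBUG)
    print(facts)
    for line in findings(facts):
        print("-", line)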
01-21-2005 11:57 AM
Sure:
Before, when you said ACS told you "CS User Unknown", what user did it tell you was unknown, and was it the exact one you put into Windows? Example: the native supplicant avail in Windows is most likely prepending your MD5 username as
Hope this helps.
01-25-2005 09:52 AM
It works now only if I create 2 users in ACS, one "username" and the other "domain/username". I want to use only the Windows database, but it doesn't work with only the Windows user.
thanks,
01-27-2005 05:30 AM
As far as I know:
Authentication against windows database (AD) is not supported with EAP MD5. You have to use EAP PEAP, and you have to use certificates from a CA server.
01-31-2005 10:30 AM
kschuster, thanks for your help!
I want to authenticate against the Windows database without any certificate. Is it possible? If you have the steps to make this configuration...
Note: The configuration with MD5 works ok, but I need to create 2 users: one with domain/name and the other with name, so I think that it's not correct.
thanks