ACS authentication with 3750 switch

bws
Level 1

Hi all,

I have configured my ACS server to act as a TACACS+ AAA server and configured the 3750 switch as an AAA client, but with a dot1x implementation. But when I connect a laptop to this switch's dot1x port, it prompts me for a username and password, and after providing the credentials it keeps failing to authenticate. This is what I get on the switch when the user sends the credential information.

23:09:21: %TAC+: illegal type=6 for login

23:09:21: TAC+: send AUTHEN/START packet ver=192 id=2079844561

23:09:21: TAC+: Using default tacacs server-group "tacacs+" list.

23:09:21: TAC+: Opening TCP/IP to 10.200.2.2/49 timeout=5

23:09:21: TAC+: Opened TCP/IP handle 0x304E230 to 10.200.2.2/49

23:09:21: TAC+: periodic timer started

23:09:21: TAC+: 10.200.2.2 req=2A32320 Qd id=2079844561 ver=192 handle=0x304E230 expire=5 AUTHEN/START/LOGIN/UNKNOWN queued

23:09:21: TAC+: 10.200.2.2 (2079844561) AUTHEN/START/LOGIN/UNKNOWN queued

23:09:21: TAC+: 10.200.2.2 id=2079844561 wrote 121 of 121 bytes

23:09:21: TAC+: 10.200.2.2 req=2A32320 Qd id=2079844561 ver=192 handle=0x304E230 expire=4 AUTHEN/START/LOGIN/UNKNOWN sent

23:09:21: TAC+: 10.200.2.2 read=12 wanted=12 alloc=12 got=12

23:09:21: TAC+: 10.200.2.2 read=28 wanted=28 alloc=28 got=16

23:09:21: TAC+: 10.200.2.2 received 28 byte reply for 2A32320

23:09:21: TAC+: req=2A32320 Tx id=2079844561 ver=192 handle=0x304E230 expire=4 AUTHEN/START/LOGIN/UNKNOWN processed

23:09:21: TAC+: (2079844561) AUTHEN/START/LOGIN/UNKNOWN processed

23:09:21: TAC+: periodic timer stopped (queue empty)

23:09:21: TAC+: ver=192 id=2079844561 received AUTHEN status = GETPASS
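As an added example (not part of the original post or of any Cisco tooling), here is a small Python parser for the TAC+ debug lines quoted above. It pulls out the "illegal type" warning, the server the switch opened a connection to, the queued/sent/processed stages of each authentication request, and the AUTHEN status the server returned, so a troubleshooter can see at a glance whether the server was reached and what it answered. The sample input is the post's own debug output; the field names in the summary are my own choice.

```python
import re

# Sample input: the debug output quoted in the post above.
SAMPLE_DEBUG = """\
23:09:21: %TAC+: illegal type=6 for login
23:09:21: TAC+: send AUTHEN/START packet ver=192 id=2079844561
23:09:21: TAC+: Using default tacacs server-group "tacacs+" list.
23:09:21: TAC+: Opening TCP/IP to 10.200.2.2/49 timeout=5
23:09:21: TAC+: Opened TCP/IP handle 0x304E230 to 10.200.2.2/49
23:09:21: TAC+: periodic timer started
23:09:21: TAC+: 10.200.2.2 req=2A32320 Qd id=2079844561 ver=192 handle=0x304E230 expire=5 AUTHEN/START/LOGIN/UNKNOWN queued
23:09:21: TAC+: 10.200.2.2 (2079844561) AUTHEN/START/LOGIN/UNKNOWN queued
23:09:21: TAC+: 10.200.2.2 id=2079844561 wrote 121 of 121 bytes
23:09:21: TAC+: 10.200.2.2 req=2A32320 Qd id=2079844561 ver=192 handle=0x304E230 expire=4 AUTHEN/START/LOGIN/UNKNOWN sent
23:09:21: TAC+: 10.200.2.2 read=12 wanted=12 alloc=12 got=12
23:09:21: TAC+: 10.200.2.2 read=28 wanted=28 alloc=28 got=16
23:09:21: TAC+: 10.200.2.2 received 28 byte reply for 2A32320
23:09:21: TAC+: req=2A32320 Tx id=2079844561 ver=192 handle=0x304E230 expire=4 AUTHEN/START/LOGIN/UNKNOWN processed
23:09:21: TAC+: (2079844561) AUTHEN/START/LOGIN/UNKNOWN processed
23:09:21: TAC+: periodic timer stopped (queue empty)
23:09:21: TAC+: ver=192 id=2079844561 received AUTHEN status = GETPASS
"""

# Patterns for the line shapes that carry state; everything else is ignored.
ILLEGAL_RE = re.compile(r"%TAC\+: illegal type=(\d+) for login")
START_RE = re.compile(r"TAC\+: send AUTHEN/START packet ver=(\d+) id=(\d+)")
OPEN_RE = re.compile(r"TAC\+: Opening TCP/IP to (\S+)/(\d+) timeout=(\d+)")
STATUS_RE = re.compile(r"TAC\+: ver=\d+ id=(\d+) received AUTHEN status = (\S+)")
PHASE_RE = re.compile(r"id=(\d+) .*?(AUTHEN/\S+) (queued|sent|processed)$")


def _session(summary, sid):
    """Return (creating if needed) the per-request record for session id sid."""
    return summary["sessions"].setdefault(
        sid, {"time": None, "ver": None, "phases": [], "status": None})


def parse_tacacs_debug(text):
    """Reduce TAC+ debug output to warnings, servers contacted and per-request state."""
    summary = {"warnings": [], "servers": [], "sessions": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Each line starts with "HH:MM:SS: "; split the timestamp off the body.
        ts, _, body = line.partition(": ")
        m = ILLEGAL_RE.search(body)
        if m:
            summary["warnings"].append({"time": ts, "type": int(m.group(1)), "text": body})
            continue
        m = START_RE.search(body)
        if m:
            sess = _session(summary, m.group(2))
            sess["time"], sess["ver"] = ts, int(m.group(1))
            continue
        m = OPEN_RE.search(body)
        if m:
            summary["servers"].append(
                {"host": m.group(1), "port": int(m.group(2)), "timeout": int(m.group(3))})
            continue
        m = STATUS_RE.search(body)
        if m:
            _session(summary, m.group(1))["status"] = m.group(2)
            continue
        m = PHASE_RE.search(body)
        if m:
            _session(summary, m.group(1))["phases"].append((m.group(2), m.group(3)))
    return summary


def diagnose(summary):
    """Turn the parsed debug into short findings a troubleshooter can act on."""
    findings = []
    for w in summary["warnings"]:
        findings.append(
            f"switch logged an illegal login type {w['type']} before talking to the server ({w['text']})")
    for sid, sess in summary["sessions"].items():
        stages = [stage for _, stage in sess["phases"]]
        if "processed" not in stages:
            findings.append(f"session {sid}: request never completed (stages seen: {stages})")
        elif sess["status"] is None:
            findings.append(f"session {sid}: completed but no AUTHEN status was returned")
        elif sess["status"] in ("FAIL", "ERROR"):
            findings.append(f"session {sid}: server returned {sess['status']}")
        else:
            findings.append(f"session {sid}: server reachable, last status {sess['status']}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_tacacs_debug(SAMPLE_DEBUG)):
        print(finding)
```

Run against the post's output, the parser shows that the TACACS+ server at 10.200.2.2 was reached and answered GETPASS for request 2079844561, and separately that the switch logged an "illegal type" warning before the exchange began; the warning is the line to chase first, since it comes from the switch's own AAA handling rather than from the server.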

21 Replies

MD5 will work as an authentication method.

If you want to use a certificate then you will need a certificate server to obtain the certificates from. Do you have one of these, or can you set them up? Have you worked with certificates before?

Installing a certificate on the ACS is documented in the ACS help section. For clients, just install the certificate in the usual way.

Hi Shaw,

back again,

Using the MD5 login method it gives the error "Auth type not supported by External DB".

And after configuring PEAP support and using the PEAP login method from the end user's machine, it gives the following error: "EAP-TLS or PEAP authentication failed during SSL handshake".

By the way, I haven't installed the certificate on the client. Do I need to install it on the client machine also? If yes, please let me know how to install it on a client machine which is not part of the domain. I just need to test it before I implement it.

Now where is the problem? What needs to be sorted out? Please help!

Hi Shaw,

Just to let you know, I was missing the certificate installation on the client side. I have done the certificate installation on the client side, and now when I try to enter the login credentials it generates the following error in the log:

"12/25/2005 18:20:42 Authen failed DIFC\adil.ibrahim .. 00-10-C6-CD-5F-67 External DB account Restriction .. .. 50102 10.200.2.1 "

I've checked that there is no time restriction of any kind for the mapped group. Please help.

Thanks in advance

Check if you have the "Dialin Permission" option checked within

External User Databases -> Database Configuration -> Windows Database -> Configure

If this is checked, then the user needs to have Dialin Permission within the Active Directory Account.

Also check if you have any logs within AD to see why the user authentication failed.

Hi,

Back again....

First of all I would like to thank you for all the help you provided to me.... Yeah, my ACS seems to be working with Active Directory.

I am able to log in to my machine after I configured a cert server and installed the cert on the client machine... it works fine... but now when I log in with my domain ID and try to change my domain password it gives me the error that MYDOMAIN is not available..... Where can the problem be?

thanks,

Before we dig into your issue, I think it would be wise for you to read the ACS 802.1x instructions and the papers for the 802.1x infrastructure. I think Microsoft has a paper on the latter that makes it clear as to

1) what 802.1x is,

2) what components it requires (supplicant, CA servers, etc)

3) what it can accomplish.

It seems from the above posts that you got 802.1x to work. However, please be advised that the changes you have made have enterprise implications, and you may have to rebuild this in order to fully deploy what you want to do. It's one thing to get it working with 1 client, another to do it for an enterprise.

That said, from the previous posts I can surmise that you have PEAP running. This would mean that

a) you have an enterprise CA server

b) your pc that belongs to the AD has a client certificate (not for the userid but for the hostname).

How are your registry keys for your dot1x authentications set? HKLM\software\microsoft\EAPOL\parameters\general\Global.

If you don't see 2 reg keys, look here for an explanation: http://www.verdann.net/8021x/mssupport . This dictates whether dot1x authentication only happens when the computer logs into the domain, only when a user logs into the domain, or both.

While we wait for more information, I would highly advise going to the latest IOS for the Cat3750. I think we are running 12.2.25.SG. It resolved a host of performance problems we saw during our deployment of dot1x. We are talking authentication times coming down from 2 minutes to about 10 - 15 seconds.

Hope this helps. This is the right forum for your questions, and in the end, I hope we get it running the way you want.

By default Windows does not have any key under HKLM\software\microsoft\EAPOL\parameters\general\Global..... It just has a string named Default of type REG_SZ with no value set to it. Do you mean we need to modify this one, or do we need to add a new string, DWORD or binary value?

And also, does this have anything to do with dot1x-authenticated users being unable to change their passwords?

Comments appreciated in advance