2869 Views, 0 Helpful, 3 Replies

cert based 802.1x authentication with Microsoft NPS - need help

ShainMilan
Level 1

We have recently deployed cert-based 802.1x authentication with Microsoft NPS for two stack switch groups (STACK01 / STACK02). Each stack switch group contains 3 switches.

But we have identified that cert-based 802.1x is working as expected on stack switch STACK01, and STACK02 clients are not authenticating.

I have run some debug commands to identify the issue and found the below logs, and it shows “EAPOL announcement CLI is not configured on GigabitEthernet2/0/9”, which I’m not sure exactly what it means.

Appreciate if someone can help me with this issue.

This is my current port configuration:

switchport access vlan 128
switchport mode access
switchport voice vlan 148
device-tracking
authentication event fail action authorize vlan 640
authentication event server dead action authorize voice
authentication event no-response action authorize vlan 640
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 120
authentication timer restart 30
authentication timer unauthorized 30
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-reauth-req 3
auto qos trust dscp
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoQos-4.0-Trust-Dscp-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
ip dhcp snooping limit rate 10
end

3 Replies

thomas
Cisco Employee

You may read the ISE Secure Wired Access Prescriptive Deployment Guide for our best-practice switch configuration.

It is unknown from your post what switch model or software version you are using.

It is also unknown what endpoint OS or supplicant configuration you are using.

If the endpoint is getting the 802.1X challenge, all issues after that are between the endpoint supplicant (802.1X client) and the RADIUS server which is NPS in this case. Most likely an endpoint supplicant configuration issue like not trusting the RADIUS server certificate if I had to guess without knowing any actual details.

See How to Ask The Community for Help for additional details that would help.

Hi Thomas,

 

Thank you very much for the document you shared and it was very informative. I have gone through it for the past few days and did some investigation into the issue. we found that the Radius request is going to a Radius server with misconfiguration and able to fix the issue by removing the radius server from the group to reconfigure.  but I found some strange behavior on the Radius requests on switch 2.

 

Even we have configured our radius servers as below way, the switch is preferring the PDC01NPS01  instead of PDC06NPS01.   

 

aaa group server radius RAD_SERVERS
 server name PDC06NPS01
 server name PDC06NPS02
 server name PDC01NPS01

Is there a way we can select a weight on one server?

The switch we are using is WS-C3650-48PD with

ROM: IOS-XE ROMMON
BOOTLDR: CAT3K_CAA Boot Loader (CAT3K_CAA-HBOOT-M) Version 3.56, RELEASE SOFTWARE

Demystifying RADIUS Server Configurations has some explanations of how load balancing can be done on IOS/IOS-XE.
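As an added example (not from this thread or from the Demystifying RADIUS Server Configurations article), here is how the server-group order, dead-server detection and the load-balance knob fit together on IOS-XE for the RAD_SERVERS group above; the IP addresses, shared key and probe user name are placeholders:

```cisco
! Define each NPS server once. Dead detection is per server; the probe user
! lets the switch re-test a dead server even when no client is authenticating
! (any reply, Accept or Reject, counts as alive). <IP>/<SHARED-KEY> are placeholders.
radius server PDC06NPS01
 address ipv4 <IP-OF-PDC06NPS01> auth-port 1812 acct-port 1813
 key <SHARED-KEY>
 timeout 5
 retransmit 3
 automate-tester username probe-user idle-time 5 probe-on
!
radius server PDC06NPS02
 address ipv4 <IP-OF-PDC06NPS02> auth-port 1812 acct-port 1813
 key <SHARED-KEY>
 timeout 5
 retransmit 3
 automate-tester username probe-user idle-time 5 probe-on
!
radius server PDC01NPS01
 address ipv4 <IP-OF-PDC01NPS01> auth-port 1812 acct-port 1813
 key <SHARED-KEY>
 timeout 5
 retransmit 3
 automate-tester username probe-user idle-time 5 probe-on
!
! Global dead criteria: a server that has not answered for 10 seconds and has
! missed 3 consecutive tries is marked dead. The "authentication event server
! dead action authorize voice" line in the port config above relies on this.
radius-server dead-criteria time 10 tries 3
!
! Without load-balance the group is tried strictly in the listed order; a dead
! server is skipped for "deadtime" minutes and then retried. With load-balance,
! batches of requests go to whichever listed server has the fewest outstanding
! transactions, so the first entry is no longer always preferred.
! ignore-preferred-server also stops the switch from pinning every transaction
! of one session to the server that answered that session first.
aaa group server radius RAD_SERVERS
 server name PDC06NPS01
 server name PDC06NPS02
 server name PDC01NPS01
 deadtime 15
 load-balance method least-outstanding batch-size 5 ignore-preferred-server
!
aaa authentication dot1x default group RAD_SERVERS
aaa authorization network default group RAD_SERVERS
aaa accounting dot1x default start-stop group RAD_SERVERS
```

IOS has no per-server weight; the listed order plus dead detection decides which server is tried first, and `show aaa servers` shows which entry is currently marked dead or carrying the outstanding requests.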