Cisco Switch as RADIUS Client without NAC

jwillis
Level 1

I'm trying to get my switch to pass authentication for a desktop to NPS (Server 2008 R2).

I do not need to have any port security; I just need it to authenticate so that the internet filter will pick up on the local user via accounting.

Most configurations I see relate to configuring switch login via RADIUS.

What do I need to do to just have the device pass on the authentication?

Here is what I have so far:

aaa new-model
aaa session-id common

ip radius source-interface Vlan10
radius-server host ip.of.nps auth-port 1812 acct-port 1813 key cisco

I've added the switch IP of VLAN 10 to the NPS as a client. Not seeing any activity.

The desktop I'm authenticating is OS X via Login Window 802.1X authentication.

Thanks,

Joe

4 Replies

hdussa
Level 1

Hi,

The switch acts as an AUTHENTICATOR and must be known by NPS (IP address and key).

aaa new-model

aaa authorization network default group radius     (for the switch)

aaa authentication dot1x default group radius       (for the clients)

So here is what I have now:

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common
radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key $$$$$
dot1x system-auth-control
(config-if)#
    dot1x pae authenticator

I don't see things failing, but I don't see things working either; I do notice the packet drop showing up. Also, I don't see any activity on the NPS server.

And this is what I'm seeing in the dot1x debug:

Apr 16 17:27:03.119: dot1x-ev(Gi1/0/5): Role determination not required
Apr 16 17:27:03.119: dot1x-packet(Gi1/0/5): queuing an EAPOL pkt on Auth Q
Apr 16 17:27:03.119: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 16 17:27:03.119: EAPOL pak dump rx
Apr 16 17:27:03.119: EAPOL Version: 0x1  type: 0x1  length: 0x0000
Apr 16 17:27:03.119: dot1x-ev:
dot1x_auth_queue_event: Int Gi1/0/5 CODE= 0,TYPE= 0,LEN= 0

Apr 16 17:27:03.119: dot1x-packet(Gi1/0/5): Received an EAPOL frame
Apr 16 17:27:03.119: dot1x-ev(Gi1/0/5): Received pkt saddr =406c.8f2e.6d20 , daddr = 0180.c200.0003,
                    pae-ether-type = 888e.0101.0000
Apr 16 17:27:03.119: dot1x-ev(Gi1/0/5):
MECSD-Lib_2960S-1#Sending EAPOL packet to group PAE address
Apr 16 17:27:03.119: dot1x-ev(Gi1/0/5): Role determination not required
Apr 16 17:27:03.119: dot1x-registry:registry:dot1x_ether_macaddr called
Apr 16 17:27:03.119: dot1x-ev(Gi1/0/5): Sending out EAPOL packet
Apr 16 17:27:03.119: EAPOL pak dump Tx
Apr 16 17:27:03.119: EAPOL Version: 0x3  type: 0x0  length: 0x0004
Apr 16 17:27:03.119: EAP code: 0x3  id: 0x1  length: 0x0004
Apr 16 17:27:03.119: dot1x-packet(Gi1/0/5): dot1x_auth_txCannedStatus: EAPOL packet sent to client 0xC7000001 (406c.8f2e.6d20)
MECSD-Lib_2960S-1#
Apr 16 17:27:08.115: dot1x-ev(Gi1/0/5): Role determination not required
Apr 16 17:27:08.115: dot1x-packet(Gi1/0/5): queuing an EAPOL pkt on Auth Q
Apr 16 17:27:08.115: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 16 17:27:08.115: EAPOL pak dump rx
Apr 16 17:27:08.115: EAPOL Version: 0x1  type: 0x1  length: 0x0000
Apr 16 17:27:08.115: dot1x-ev:
dot1x_auth_queue_event: Int Gi1/0/5 CODE= 0,TYPE= 0,LEN= 0

Apr 16 17:27:08.115: dot1x-packet(Gi1/0/5): Received an EAPOL frame
Apr 16 17:27:08.115: dot1x-ev(Gi1/0/5): Received pkt saddr =406c.8f2e.6d20 , daddr = 0180.c200.0003,
                    pae-ether-type = 888e.0101.0000
Apr 16 17:27:08.115: dot1x-ev(Gi1/0/5):
MECSD-Lib_2960S-1#Sending EAPOL packet to group PAE address
Apr 16 17:27:08.121: dot1x-ev(Gi1/0/5): Role determination not required
Apr 16 17:27:08.121: dot1x-registry:registry:dot1x_ether_macaddr called
Apr 16 17:27:08.121: dot1x-ev(Gi1/0/5): Sending out EAPOL packet
Apr 16 17:27:08.121: EAPOL pak dump Tx
Apr 16 17:27:08.121: EAPOL Version: 0x3  type: 0x0  length: 0x0004
Apr 16 17:27:08.121: EAP code: 0x3  id: 0x1  length: 0x0004
Apr 16 17:27:08.121: dot1x-packet(Gi1/0/5): dot1x_auth_txCannedStatus: EAPOL packet sent to client 0xC7000001 (406c.8f2e.6d20)
MECSD-Lib_2960S-1#
Apr 16 17:27:13.117: dot1x-ev(Gi1/0/5): Role determination not required
Apr 16 17:27:13.117: dot1x-packet(Gi1/0/5): queuing an EAPOL pkt on Auth Q
Apr 16 17:27:13.117: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 16 17:27:13.117: EAPOL pak dump rx
Apr 16 17:27:13.117: EAPOL Version: 0x1  type: 0x1  length: 0x0000
Apr 16 17:27:13.117: dot1x-ev:
dot1x_auth_queue_event: Int Gi1/0/5 CODE= 0,TYPE= 0,LEN= 0

Apr 16 17:27:13.117: dot1x-packet(Gi1/0/5): Received an EAPOL frame
Apr 16 17:27:13.117: dot1x-ev(Gi1/0/5): Received pkt saddr =406c.8f2e.6d20 , daddr = 0180.c200.0003,
                    pae-ether-type = 888e.0101.0000
Apr 16 17:27:13.117: dot1x-ev(Gi1/0/5):
MECSD-Lib_2960S-1#Sending EAPOL packet to group PAE address
Apr 16 17:27:13.117: dot1x-ev(Gi1/0/5): Role determination not required
Apr 16 17:27:13.117: dot1x-registry:registry:dot1x_ether_macaddr called
Apr 16 17:27:13.117: dot1x-ev(Gi1/0/5): Sending out EAPOL packet
Apr 16 17:27:13.117: EAPOL pak dump Tx
Apr 16 17:27:13.117: EAPOL Version: 0x3  type: 0x0  length: 0x0004
Apr 16 17:27:13.117: EAP code: 0x3  id: 0x1  length: 0x0004
Apr 16 17:27:13.117: dot1x-packet(Gi1/0/5): dot1x_auth_txCannedStatus: EAPOL packet sent to client 0xC7000001 (406c.8f2e.6d20)
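
To read the EAPOL dump above without a lookup table, here is an added Python example (not part of the thread) that decodes the EAPOL type and EAP code fields of each packet dump and reports whether the switch ever began an EAP exchange; the sample input is an excerpt of the log quoted above, and the frame/diagnosis function names are my own.

```python
import re
from dataclasses import dataclass
# Field meanings from IEEE 802.1X (EAPOL type) and RFC 3748 (EAP code).
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
DUMP_RE = re.compile(r"EAPOL pak dump (rx|tx)", re.IGNORECASE)
EAPOL_RE = re.compile(r"EAPOL Version: 0x([0-9a-f]+)\s+type: 0x([0-9a-f]+)", re.IGNORECASE)
EAP_RE = re.compile(r"EAP code: 0x([0-9a-f]+)\s+id: 0x([0-9a-f]+)", re.IGNORECASE)

@dataclass
class Frame:
    direction: str      # "rx" = from the supplicant, "tx" = sent by the switch
    eapol_type: str
    eap_code: str = ""  # filled in only for EAPOL type 0 (EAP-Packet)

def parse_dot1x_debug(text):
    """Turn 'debug dot1x' packet dumps into an ordered list of EAPOL frames."""
    frames, direction = [], None
    for line in text.splitlines():
        if m := DUMP_RE.search(line):          # an rx/Tx header precedes each dump
            direction = m.group(1).lower()
        elif (m := EAPOL_RE.search(line)) and direction:
            t = int(m.group(2), 16)
            frames.append(Frame(direction, EAPOL_TYPES.get(t, f"type-{t}")))
        elif (m := EAP_RE.search(line)) and frames and frames[-1].eapol_type == "EAP-Packet" and not frames[-1].eap_code:
            c = int(m.group(1), 16)
            frames[-1].eap_code = EAP_CODES.get(c, f"code-{c}")
    return frames

def diagnose(frames):
    """Does the authenticator ever start EAP (and so ever talk to RADIUS)?"""
    starts = sum(f.direction == "rx" and f.eapol_type == "EAPOL-Start" for f in frames)
    requests = [f for f in frames if f.direction == "tx" and f.eap_code == "Request"]
    canned = [f for f in frames if f.direction == "tx" and f.eap_code in ("Success", "Failure")]
    if requests:
        return "switch sent EAP-Request: EAP started, check the RADIUS side next"
    if starts and canned:
        # A canned Success/Failure straight after EAPOL-Start, with no EAP-Request, means
        # the switch never ran EAP on this port, so no Access-Request was ever sent to NPS.
        return (f"{starts} EAPOL-Start answered only by canned EAP-{canned[0].eap_code}; "
                "no EAP-Request sent, so no RADIUS request was built")
    return "no EAP exchange observed"

# Excerpt of the debug output quoted in this thread (one of the three repeats, trimmed).
SAMPLE = """\
Apr 16 17:27:03.119: EAPOL pak dump rx
Apr 16 17:27:03.119: EAPOL Version: 0x1  type: 0x1  length: 0x0000
Apr 16 17:27:03.119: EAPOL pak dump Tx
Apr 16 17:27:03.119: EAPOL Version: 0x3  type: 0x0  length: 0x0004
Apr 16 17:27:03.119: EAP code: 0x3  id: 0x1  length: 0x0004
"""
```

Run `diagnose(parse_dot1x_debug(SAMPLE))` on the excerpt: the supplicant's EAPOL-Start is answered by a canned EAP-Success with no EAP-Request in between, which is why nothing appears on the NPS side.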

Hi,

It seems that the client is not configured correctly to send the username to the switch. Make sure the client is configured correctly for 802.1X authentication.

You can check Google for the configuration; one of the links you can check is:

http://www.muni.cz/ics/services/ups/files/802.1x_w7_en.pdf

Regards,

Kush

Please check the attached doc.