04-15-2014 06:44 AM - edited 03-10-2019 09:38 PM
I'm trying to get my switch to pass authentication for a desktop to NPS (Server 2008 R2).
I do not need to have any port security; I just need it to authenticate so that the internet filter will pick up on the local user via accounting.
Most configurations I see are relating to configuring switch log in via RADIUS.
What do I need to do to just have the device pass on the authentication?
Here is what I have so far:
aaa new-model
aaa session-id common
ip radius source-interface Vlan10
radius-server host ip.of.nps auth-port 1812 acct-port 1813 key cisco
I've added the switch IP of VLAN 10 to the NPS as a client. Not seeing any activity.
The desktop I'm authenticating is OS X via Login Window 802.1x authentication.
Thanks,
Joe
04-16-2014 02:50 AM
Hi,
The switch acts as an AUTHENTICATOR and must be known by NPS (IP address and key).
aaa new-model
aaa authorization network default group radius (for the switch)
aaa authentication dot1x default group radius (for the clients)
04-16-2014 10:29 AM
So here is what I have now:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common
radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key $$$$$
dot1x system-auth-control
(config-if)#
dot1x pae authenticator
I don't see things failing, but I don't see things working either. I do notice the pack drop showing up. Also, I don't see any activity on the NPS server.
And this is what I'm seeing in the dot1x debug:
Apr 16 17:27:03.119: dot1x-ev(Gi1/0/5): Role determination not required
Apr 16 17:27:03.119: dot1x-packet(Gi1/0/5): queuing an EAPOL pkt on Auth Q
Apr 16 17:27:03.119: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 16 17:27:03.119: EAPOL pak dump rx
Apr 16 17:27:03.119: EAPOL Version: 0x1 type: 0x1 length: 0x0000
Apr 16 17:27:03.119: dot1x-ev:
dot1x_auth_queue_event: Int Gi1/0/5 CODE= 0,TYPE= 0,LEN= 0
Apr 16 17:27:03.119: dot1x-packet(Gi1/0/5): Received an EAPOL frame
Apr 16 17:27:03.119: dot1x-ev(Gi1/0/5): Received pkt saddr =406c.8f2e.6d20 , daddr = 0180.c200.0003,
pae-ether-type = 888e.0101.0000
Apr 16 17:27:03.119: dot1x-ev(Gi1/0/5):
MECSD-Lib_2960S-1#Sending EAPOL packet to group PAE address
Apr 16 17:27:03.119: dot1x-ev(Gi1/0/5): Role determination not required
Apr 16 17:27:03.119: dot1x-registry:registry:dot1x_ether_macaddr called
Apr 16 17:27:03.119: dot1x-ev(Gi1/0/5): Sending out EAPOL packet
Apr 16 17:27:03.119: EAPOL pak dump Tx
Apr 16 17:27:03.119: EAPOL Version: 0x3 type: 0x0 length: 0x0004
Apr 16 17:27:03.119: EAP code: 0x3 id: 0x1 length: 0x0004
Apr 16 17:27:03.119: dot1x-packet(Gi1/0/5): dot1x_auth_txCannedStatus: EAPOL packet sent to client 0xC7000001 (406c.8f2e.6d20)
MECSD-Lib_2960S-1#
Apr 16 17:27:08.115: dot1x-ev(Gi1/0/5): Role determination not required
Apr 16 17:27:08.115: dot1x-packet(Gi1/0/5): queuing an EAPOL pkt on Auth Q
Apr 16 17:27:08.115: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 16 17:27:08.115: EAPOL pak dump rx
Apr 16 17:27:08.115: EAPOL Version: 0x1 type: 0x1 length: 0x0000
Apr 16 17:27:08.115: dot1x-ev:
dot1x_auth_queue_event: Int Gi1/0/5 CODE= 0,TYPE= 0,LEN= 0
Apr 16 17:27:08.115: dot1x-packet(Gi1/0/5): Received an EAPOL frame
Apr 16 17:27:08.115: dot1x-ev(Gi1/0/5): Received pkt saddr =406c.8f2e.6d20 , daddr = 0180.c200.0003,
pae-ether-type = 888e.0101.0000
Apr 16 17:27:08.115: dot1x-ev(Gi1/0/5):
MECSD-Lib_2960S-1#Sending EAPOL packet to group PAE address
Apr 16 17:27:08.121: dot1x-ev(Gi1/0/5): Role determination not required
Apr 16 17:27:08.121: dot1x-registry:registry:dot1x_ether_macaddr called
Apr 16 17:27:08.121: dot1x-ev(Gi1/0/5): Sending out EAPOL packet
Apr 16 17:27:08.121: EAPOL pak dump Tx
Apr 16 17:27:08.121: EAPOL Version: 0x3 type: 0x0 length: 0x0004
Apr 16 17:27:08.121: EAP code: 0x3 id: 0x1 length: 0x0004
Apr 16 17:27:08.121: dot1x-packet(Gi1/0/5): dot1x_auth_txCannedStatus: EAPOL packet sent to client 0xC7000001 (406c.8f2e.6d20)
MECSD-Lib_2960S-1#
Apr 16 17:27:13.117: dot1x-ev(Gi1/0/5): Role determination not required
Apr 16 17:27:13.117: dot1x-packet(Gi1/0/5): queuing an EAPOL pkt on Auth Q
Apr 16 17:27:13.117: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 16 17:27:13.117: EAPOL pak dump rx
Apr 16 17:27:13.117: EAPOL Version: 0x1 type: 0x1 length: 0x0000
Apr 16 17:27:13.117: dot1x-ev:
dot1x_auth_queue_event: Int Gi1/0/5 CODE= 0,TYPE= 0,LEN= 0
Apr 16 17:27:13.117: dot1x-packet(Gi1/0/5): Received an EAPOL frame
Apr 16 17:27:13.117: dot1x-ev(Gi1/0/5): Received pkt saddr =406c.8f2e.6d20 , daddr = 0180.c200.0003,
pae-ether-type = 888e.0101.0000
Apr 16 17:27:13.117: dot1x-ev(Gi1/0/5):
MECSD-Lib_2960S-1#Sending EAPOL packet to group PAE address
Apr 16 17:27:13.117: dot1x-ev(Gi1/0/5): Role determination not required
Apr 16 17:27:13.117: dot1x-registry:registry:dot1x_ether_macaddr called
Apr 16 17:27:13.117: dot1x-ev(Gi1/0/5): Sending out EAPOL packet
Apr 16 17:27:13.117: EAPOL pak dump Tx
Apr 16 17:27:13.117: EAPOL Version: 0x3 type: 0x0 length: 0x0004
Apr 16 17:27:13.117: EAP code: 0x3 id: 0x1 length: 0x0004
Apr 16 17:27:13.117: dot1x-packet(Gi1/0/5): dot1x_auth_txCannedStatus: EAPOL packet sent to client 0xC7000001 (406c.8f2e.6d20)
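A decoder for the `EAPOL pak dump` lines in the debug output above, as an added example that is not part of the original posts: it maps the EAPOL type and EAP code fields to their IEEE 802.1X / RFC 3748 names and flags an EAP-Success sent with no Request/Response exchange before it, which is the pattern this trace repeats (EAPOL-Start received, Success transmitted, no identity request in between). The sample is one cycle reproduced from the log; the function names are illustrative.

```python
import re

# One Rx/Tx cycle reproduced from the debug output in the post above.
SAMPLE = """\
Apr 16 17:27:03.119: EAPOL pak dump rx
Apr 16 17:27:03.119: EAPOL Version: 0x1 type: 0x1 length: 0x0000
Apr 16 17:27:03.119: EAPOL pak dump Tx
Apr 16 17:27:03.119: EAPOL Version: 0x3 type: 0x0 length: 0x0004
Apr 16 17:27:03.119: EAP code: 0x3 id: 0x1 length: 0x0004
"""

# Field values from IEEE 802.1X (EAPOL packet type) and RFC 3748 (EAP code).
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

DUMP = re.compile(r"EAPOL pak dump (rx|tx)", re.I)
EAPOL = re.compile(r"EAPOL Version: (0x[0-9a-f]+) type: (0x[0-9a-f]+)", re.I)
EAP = re.compile(r"EAP code: (0x[0-9a-f]+) id: (0x[0-9a-f]+)", re.I)


def decode(log):
    """Return a list of (direction, eapol_type, eap_code_or_None) frames."""
    frames, direction = [], None
    for line in log.splitlines():
        if m := DUMP.search(line):
            direction = m.group(1).lower()
        elif (m := EAPOL.search(line)) and direction:
            name = EAPOL_TYPES.get(int(m.group(2), 16), "unknown")
            frames.append([direction, name, None])
        elif (m := EAP.search(line)) and frames and frames[-1][1] == "EAP-Packet":
            frames[-1][2] = EAP_CODES.get(int(m.group(1), 16), "unknown")
    return [tuple(f) for f in frames]


def diagnose(frames):
    """Classify each transmitted EAP-Success by whether an exchange preceded it."""
    findings, exchanged = [], False
    for direction, eapol_type, eap_code in frames:
        if eap_code in ("Request", "Response"):
            exchanged = True
        elif eapol_type == "EAPOL-Start":
            exchanged = False  # supplicant restarted; a new attempt begins
        elif direction == "tx" and eap_code == "Success":
            findings.append("success-after-exchange" if exchanged
                            else "success-without-exchange")
    return findings
```

In the 802.1X authenticator state machine, a port in force-authorized mode answers EAPOL-Start with a canned Success and never consults the authentication server. The interface configuration posted above shows `dot1x pae authenticator` but no port-control setting.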
04-18-2014 01:24 AM
Hi,
It seems that the client is not configured correctly to send the username to the switch. Make sure the client is configured correctly for 802.1x authentication.
You can check Google for the configuration; one of the links you can check is:
http://www.muni.cz/ics/services/ups/files/802.1x_w7_en.pdf
Regards,
Kush
04-18-2014 04:23 AM