09-21-2010 06:18 PM - edited 03-10-2019 05:25 PM
I am part of a diverse team that is in the process of implementing a VoIP solution within our organisation, which will see approximately 3000 new telephones deployed to the desktop across a geographically dispersed network. One of the criteria that has been chosen as part of the solution is the use of Dot1x for the Authorisation and Authentication (A & A) of hosts connected to the network. I am having some difficulty getting it to work and I was wondering if there is a simple whitepaper or solutions document somewhere that will assist in the implementation.
I should point out a few of the hurdles that I face as I don't believe the solution will necessarily be straightforward. So here goes:-
I have found a number of documents on the A & A of Windows-based hosts to the RADIUS server but can't seem to find much information regarding Cisco VoIP phones, in particular how to set up the VoIP phone as a user in ACS.
Any assistance or guidance on this matter will be appreciated
09-23-2010 09:02 AM
09-23-2010 03:46 PM
Thanks for the reply,
I have tried to use the information within the document you recommended without success. I have activated the debug options for both Dot1x events and RADIUS with some interesting results. The messages received on the console indicate that the authentication request is being received by the switch and relayed to the ACS servers, but then the request times out. Looking at the ACS server logs indicates that the request is never reaching the RADIUS server, as there is no entry for failed attempts or even RADIUS accounting. I am at a loss as to why this might be happening, as I am able to ping the server from the switch and I don't believe that the UDP ports are being blocked in any way, although I am yet to fully investigate this.
I am wondering if there are any configuration settings on the actual Windows server that I may have overlooked when initially installing and configuring ACS?
James
09-23-2010 09:38 PM
So, we need to figure out if the RADIUS packet sent from the switch has reached the ACS box.
1. Install Wireshark on the ACS box and do a capture to see if you can see the incoming RADIUS packet.
2. If not, you need to find out where it is blocked.
3. If yes, change the logging level on ACS to full, then try the authentication again, then capture your package.cab file from ACS and upload it here.
I would suggest you open a TAC case; that way, you can get fast support.
09-23-2010 10:23 PM
This is all very frustrating, as I believe that the Dot1x authentication should be pretty straightforward. Although I am no expert on all of this, I am lost as to why it won't work.
To date I have:-
The thing is that I don't think that I am even getting to the point where I need any of these settings, as the server is not responding to the switch when it sends out the authentication request. I am now getting entries in the Failed Attempts log and the error is "Invalid message authenticator in EAP request". I am not quite sure exactly what this means, but it indicates to me that ACS does not recognise the switch as an authenticator.
James
09-23-2010 10:52 PM
In general, "Invalid message authenticator in EAP request" indicates a mismatched shared key.
Can you try to reconfigure a different key, say "cisco1234", on both the switch and the ACS box?
You can verify your connectivity from the switch to ACS by using the "test aaa" command.
09-28-2010 10:08 PM
I have now checked all of my settings and can confirm that the shared secrets are the same on both the ACS 4.2 server and the Cisco 6509 switch.
I have used Wireshark to do some packet captures and can confirm that the RADIUS request is being forwarded to the server but that the server is NOT responding to the request. What I have noticed is that when I use the "NETSTAT" command on the server, ports 1645 and 1646 do not seem to be in the listening state, which is what I would expect. This is not a definitive indication that something is wrong, as Windows sometimes doesn't display all ports that are configured and active.
I was wondering, though, does the switch need to be configured for TACACS+ authentication to the ACS server before it will work with the ACS RADIUS server? I appreciate that these are two different services for different requirements, but I thought that there might be some dependency that I am unaware of.
I am now at a total loss as to what the problem is and am now going to raise a TAC case with Cisco.
09-29-2010 09:32 AM
Your ACS is probably listening on ports 1812/1813.
You need to check the related server configuration in "Network Configuration" to see which ports it is listening on.
If it is 1812/1813, you need to change your switch configuration to point to the right port numbers.
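The two failure modes discussed in this thread, a shared-secret mismatch (the "Invalid message authenticator in EAP request" error) and the switch sending to UDP 1645/1646 while the server listens on 1812/1813, can both be checked from a script. The example below is added here and is not code from the thread or from Cisco. It builds a minimal RADIUS Access-Request carrying an EAP-Message and a Message-Authenticator (the HMAC-MD5 over the packet keyed with the shared secret, per RFC 3579), shows that the server-side check fails as soon as the two ends hold different secrets, and includes a probe that sends one request to each candidate port and reports which one answers. The secret `cisco1234` is the one suggested above; the EAP Identity payload, the NAS address `10.0.0.1` and the function names are constructed for the example.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 1, 4, 79, 80


def _attr(attr_type, value):
    """Encode one RADIUS attribute as Type (1) | Length (1) | Value."""
    assert 0 < len(value) <= 253, "RADIUS attribute value must be 1..253 bytes"
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, request_authenticator, user, nas_ip, eap_payload):
    """Build an Access-Request with EAP-Message and a valid Message-Authenticator.

    The Message-Authenticator is HMAC-MD5(secret, packet) computed with its own
    16-byte value zeroed; it is the last attribute so we can patch it in place.
    """
    attrs = (_attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_NAS_IP, socket.inet_aton(nas_ip))
             + _attr(ATTR_EAP_MESSAGE, eap_payload)
             + _attr(ATTR_MSG_AUTH, b"\x00" * 16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_authenticator
    packet = header + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def check_message_authenticator(secret, packet):
    """Server-side check: True only if the Message-Authenticator verifies under secret.

    A wrong shared secret, a tampered packet or a missing Message-Authenticator
    (required whenever EAP-Message is present, RFC 3579) all return False.
    """
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    offset, mac_offset = 20, None
    while offset < length:
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > length:
            return False
        if attr_type == ATTR_MSG_AUTH and attr_len == 18:
            mac_offset = offset + 2
        offset += attr_len
    if mac_offset is None:
        return False
    zeroed = packet[:mac_offset] + b"\x00" * 16 + packet[mac_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[mac_offset:mac_offset + 16])


def probe_radius_ports(host, secret, ports=(1645, 1812), timeout=2.0):
    """Send one Access-Request to each candidate port; map port -> reply code or None.

    Reply codes: 2 Access-Accept, 3 Access-Reject, 11 Access-Challenge. A None on
    1645 but a reply on 1812 is the port mismatch described in the thread; a reply
    is still evidence the secret matches, since RFC 3579 servers silently drop
    requests whose Message-Authenticator fails.
    """
    # Constructed EAP Response/Identity: code 2, id 1, length 12, type 1, "ipphone"
    eap = bytes([2, 1, 0, 12, 1]) + b"ipphone"
    results = {}
    for ident, port in enumerate(ports):
        packet = build_access_request(secret, ident, os.urandom(16), "ipphone", "10.0.0.1", eap)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(packet, (host, port))
            try:
                data, _ = sock.recvfrom(4096)
                results[port] = data[0]
            except socket.timeout:
                results[port] = None
    return results


if __name__ == "__main__":
    # Offline demonstration of the secret-mismatch case; the probe needs a live server.
    eap = bytes([2, 1, 0, 12, 1]) + b"ipphone"
    pkt = build_access_request(b"cisco1234", 1, os.urandom(16), "ipphone", "10.0.0.1", eap)
    print("same secret verifies:", check_message_authenticator(b"cisco1234", pkt))
    print("different secret verifies:", check_message_authenticator(b"cisco123", pkt))
```

Run `probe_radius_ports("<ACS address>", b"cisco1234")` from a host that is allowed to reach the server; if neither port replies, the Wireshark capture on the ACS box remains the way to separate a blocked path from a server-side drop.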