Dot1x authentication for cisco AP

Andreas Larsen
Level 1

Hi everybody

 

We are experimenting with a dot1x port authentication setup.

The setup is as follows:

Microsoft 2008 R2 NPS

Cisco 3560 compact switch

Cisco 3702i AP

 

I will be using dynamic VLAN assignment. So far it works fine with PC and Mac. However, when connecting my Cisco 3702 AP I get an error on the NPS saying:

 

Reason Code: 22

Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

 

From the wireless controller I have overridden the global configuration and added the supplicant username and password to match a user I have created in AD. I

 

At the NPS I have set the EAP type to: Microsoft: Secured Password (EAP-MSCHAPv2). According to the datasheet on the AP that should be supported.

 

Here's my switch configuration:

 

dot1x system-auth-control

aaa new-model
aaa group server radius NPSSERVERS
 server-private 10.180.15.231 auth-port 1812 acct-port 1813 key 7 ************
aaa authentication dot1x default group NPSSERVERS
aaa authorization network default group NPSSERVERS
 

 

Interfaces:

switchport mode access
 authentication event fail action authorize vlan 85
 authentication event server dead action authorize vlan 85
 authentication event no-response action authorize vlan 85
 authentication event server alive action reinitialize
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree bpduguard enable
 spanning-tree guard root

 

I am not entirely sure if I need to make more settings on the AP, or more on the switch. Any suggestions will be greatly appreciated.

 

/Andreas
 

 

 

 

3 Replies

Venkatesh Attuluri
Cisco Employee

In order to perform dot1x auth, the endpoint needs a supplicant, and Windows and Mac have a default supplicant that comes with the OS. APs are supposed to use MAB.
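As an added example that is not part of this thread and not Cisco's tooling: a Python script that audits the interface configuration posted in the question for its fallback VLAN settings and for the MAB fallback this reply suggests for devices without a supplicant. The `mab` and `authentication order dot1x mab` lines in the second sample are standard IOS interface commands; both sample configurations and the wording of the findings are constructed here.

```python
"""Audit a Cisco IOS 802.1X interface configuration for the fallback settings
discussed in the thread (added example, not code from the thread or from Cisco)."""
import re
from dataclasses import dataclass, field

# Constructed sample: the interface configuration posted in the question.
SAMPLE_DOT1X_ONLY = """\
switchport mode access
 authentication event fail action authorize vlan 85
 authentication event server dead action authorize vlan 85
 authentication event no-response action authorize vlan 85
 authentication event server alive action reinitialize
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree bpduguard enable
 spanning-tree guard root
"""

# Constructed sample: the same port with MAB added as a fallback for devices
# that have no supplicant (the approach suggested in the reply above), and
# the no-response VLAN removed so such devices are checked against RADIUS
# by MAC address instead of being placed in a VLAN unauthenticated.
SAMPLE_WITH_MAB = (
    SAMPLE_DOT1X_ONLY.replace(
        " authentication event no-response action authorize vlan 85\n", ""
    )
    + " mab\n"
    + " authentication order dot1x mab\n"
)

# Matches the events that place the port into a VLAN without a RADIUS accept.
EVENT_RE = re.compile(
    r"^authentication event (fail|server dead|no-response) action authorize vlan (\d+)$"
)


@dataclass
class Dot1xAudit:
    port_control_auto: bool = False
    dot1x_enabled: bool = False
    mab_enabled: bool = False
    auth_order: list = field(default_factory=list)
    fallback_vlans: dict = field(default_factory=dict)  # event -> VLAN id
    findings: list = field(default_factory=list)


def audit_interface(config: str) -> Dot1xAudit:
    """Parse one interface's config lines and flag risky fallback behaviour."""
    audit = Dot1xAudit()
    for raw in config.splitlines():
        line = raw.strip()
        if line == "authentication port-control auto":
            audit.port_control_auto = True
        elif line == "dot1x pae authenticator":
            audit.dot1x_enabled = True
        elif line == "mab":
            audit.mab_enabled = True
        elif line.startswith("authentication order "):
            audit.auth_order = line.split()[2:]
        else:
            m = EVENT_RE.match(line)
            if m:
                audit.fallback_vlans[m.group(1)] = int(m.group(2))

    if not audit.port_control_auto:
        audit.findings.append(
            "port-control is not 'auto': the port does not enforce authentication"
        )
    if audit.dot1x_enabled and not audit.mab_enabled:
        audit.findings.append(
            "dot1x without MAB: a device with no supplicant (AP, phone, printer) "
            "can only land in the no-response VLAN and is never authorized by RADIUS"
        )
    fail_vlan = audit.fallback_vlans.get("fail")
    if fail_vlan is not None and fail_vlan == audit.fallback_vlans.get("no-response"):
        audit.findings.append(
            f"fail and no-response both authorize VLAN {fail_vlan}: a host presenting "
            "wrong credentials gets the same access as a host with no supplicant"
        )
    dead_vlan = audit.fallback_vlans.get("server dead")
    if dead_vlan is not None:
        audit.findings.append(
            f"server dead authorizes VLAN {dead_vlan}: any host reaches this VLAN "
            "whenever the RADIUS server is unreachable, so keep it restricted"
        )
    return audit


if __name__ == "__main__":
    for name, cfg in (("dot1x only", SAMPLE_DOT1X_ONLY), ("dot1x + MAB", SAMPLE_WITH_MAB)):
        result = audit_interface(cfg)
        print(f"[{name}] order={result.auth_order or ['dot1x']} vlans={result.fallback_vlans}")
        for finding in result.findings:
            print("  -", finding)
```

Run it as-is to see the three findings for the posted configuration and the single remaining finding once MAB is in place; paste a different interface block into `audit_interface` to check your own ports.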

So when the datasheet for the AP reads the following, it refers to its abilities as an authenticator and not a supplicant, correct? I guess dot1x might not be such a great solution for wired networks after all.

  Extensible Authentication Protocol (EAP) types:
   EAP-Transport Layer Security (TLS)
   EAP-Tunneled TLS (TTLS) or Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAPv2)
   Protected EAP (PEAP) v0 or EAP-MSCHAPv2
   EAP-Flexible Authentication via Secure Tunneling (FAST)
   PEAP v1 or EAP-Generic Token Card (GTC)
   EAP-Subscriber Identity Module (SIM)

The problem is probably due to certificate errors: either the AP doesn't trust the cert you use on your NPS, or the NPS does not trust the cert issuer that the AP uses. In Cisco ISE, which is what most new solutions would use, these manufacturer CA certs are already imported for Cisco APs and IP phones.