04-21-2015 02:43 AM - edited 03-10-2019 10:39 PM
Hi everybody
We are experimenting with a dot1x port authentication setup.
The setup is as follows:
Microsoft 2008 R2 NPS
Cisco 3560 compact switch
Cisco 3702i AP
I will be using dynamic VLAN assignment. So far it works fine with PC and Mac. However, when connecting my Cisco 3702 AP I get an error on the NPS saying:
Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
From the wireless controller I have overridden the global configuration and added the supplicant username and password to match a user I have created in AD. I
At the NPS I have set the EAP type to: Microsoft: Secured Password (EAP-MSCHAPv2). According to the datasheet on the AP that should be supported.
Here's my switch configuration:
dot1x system-auth-control
aaa new-model
aaa group server radius NPSSERVERS
 server-private 10.180.15.231 auth-port 1812 acct-port 1813 key 7 ************
aaa authentication dot1x default group NPSSERVERS
aaa authorization network default group NPSSERVERS
Interfaces:
switchport mode access
authentication event fail action authorize vlan 85
authentication event server dead action authorize vlan 85
authentication event no-response action authorize vlan 85
authentication event server alive action reinitialize
authentication port-control auto
dot1x pae authenticator
spanning-tree bpduguard enable
spanning-tree guard root
I am not entirely sure if I need to make more settings on the AP, or more on the switch. Any suggestions will be greatly appreciated.
/Andreas
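Added example, not part of the original post: Reason Code 22 concerns the EAP type, and one way to see which type a supplicant asks for is to decode the EAP packets carried in the RADIUS EAP-Message attributes of a capture taken at the NPS. The Python below follows the RFC 3748 packet layout; the sample bytes are constructed, and the EAP-FAST proposal in them is an assumption for illustration, not something this thread confirms.

```python
import struct

# EAP codes (RFC 3748) and method type numbers (IANA EAP registry).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Legacy Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2", 43: "EAP-FAST"}

def type_name(t):
    return EAP_TYPES.get(t, f"type {t}")

def parse_eap(packet: bytes) -> dict:
    """Decode one EAP packet (a reassembled RADIUS EAP-Message attribute)."""
    if len(packet) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad EAP length field")
    out = {"code": EAP_CODES.get(code, f"code {code}"), "id": ident,
           "type": None, "proposed": []}
    if code in (1, 2) and length >= 5:  # only Request/Response carry a Type
        out["type"] = type_name(packet[4])
        if code == 2 and packet[4] == 3:
            # Legacy Nak: each data byte is a method the peer would accept
            # instead; a single 0 byte means it has no alternative.
            out["proposed"] = [type_name(t) for t in packet[5:length] if t != 0]
    return out

def find_mismatch(packets):
    """Return (method the server offered, methods the peer proposed) or None."""
    offered = None
    for raw in packets:
        p = parse_eap(raw)
        if p["code"] == "Request" and p["type"] not in (None, "Identity"):
            offered = p["type"]
        elif p["type"] == "Legacy Nak":
            return offered, p["proposed"]
    return None

# Constructed sample exchange (not captured from the setup in this thread).
SAMPLE = [bytes.fromhex(h) for h in (
    "0101000501",                      # Request/Identity
    "02010007016170",                  # Response/Identity "ap"
    "0102001d1a0102001810" + "ab" * 16 + "4e5053",  # Request/EAP-MSCHAPv2 challenge
    "02020006032b",                    # Response/Legacy Nak, proposes type 43
)]

if __name__ == "__main__":
    print(find_mismatch(SAMPLE))
```

A Nak that lists only methods the network policy does not allow points at the EAP type configuration rather than at the credentials.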
05-28-2015 03:16 AM
In order to perform dot1x auth, the endpoint needs a supplicant, and Windows and Mac have a default supplicant that comes with the OS. APs are supposed to use MAB.
05-28-2015 06:10 AM
05-28-2015 07:30 AM
The problem is probably due to certificate errors: either the AP doesn't trust the cert you use on your NPS, or the NPS does not trust the cert issuer that the AP uses. In Cisco ISE, which is what most new solutions would use, these manufacturer CA certs are already imported for Cisco APs and IP Phones.