01-07-2021 10:54 AM - edited 01-07-2021 11:06 AM
So I set the Windows server as an authenticator, and configured the switch to authenticate a Windows 7 PC (supplicant). At this point I am pretty sure that the configuration on Windows 7 and Windows Server is fine, and the problem is with the switch.
Switch commands:
aaa new-model
!
aaa group server radius RADIUS_SERVERS
server-private 192.168.1.178 auth-port 1812 acct-port 1813 key BisBradius
!
aaa authentication login default group RADIUS_SERVERS local
aaa authentication dot1x default group RADIUS_SERVERS
aaa authorization console
aaa authorization exec default group RADIUS_SERVERS local if-authenticated
!
interface Ethernet0/0
 switchport access vlan 10
 switchport mode access
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 5000.000c.0000
 switchport port-security
 authentication port-control auto
 dot1x pae authenticator
Here is "show version":
Cisco IOS Software, Linux Software (I86BI_LINUXL2-IPBASEK9-M), Experimental Version 15.2(20170809:194209) [dstivers-aug9_2017-high_iron_cts 101]
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Wed 09-Aug-17 13:49 by xxxxxxxx

ROM: Bootstrap program is Linux

IT uptime is 58 minutes
System returned to ROM by reload at 0
System image file is "unix:/opt/unetlab/addons/iol/bin/i86bi_linux_l2-ipbasek9-ms.high_iron"
Last reload reason: Unknown reason

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to export@cisco.com.

Linux Unix (Intel-x86) processor with 943604K bytes of memory.
Processor board ID 67109504
8 Ethernet interfaces
1 Virtual Ethernet interface
1024K bytes of NVRAM.

Configuration register is 0x0
AAA authentication debug output:
*Jan 7 18:50:02.008: AAA/AUTHEN/8021X (00000000): Pick method list 'default'
*Jan 7 18:50:02.008: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified
*Jan 7 18:50:02.027: AAA/AUTHEN/8021X (00000000): Pick method list 'default'
*Jan 7 18:50:02.027: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified
IT#
*Jan 7 18:50:02.047: %DOT1X-5-FAIL: Authentication failed for client (5000.000c.0000) on Interface Et0/0 AuditSessionID 000000000000000C0008A341
Show run:
hostname IT
!
boot-start-marker
boot-end-marker
!
username admin privilege 15 secret 5 $1$xmmj$Ew/SMe3JG5JarDa0SiGBA0
username saad privilege 15 secret 5 $1$iNBr$o3mr8E9tn7x2Zccmmq2ce.
aaa new-model
!
aaa group server radius RADIUS_SERVERS
 server-private 192.168.1.178 auth-port 1812 acct-port 1813 key BisBradius
!
aaa authentication login default group RADIUS_SERVERS local
aaa authentication dot1x default group RADIUS_SERVERS
aaa authorization console
aaa authorization exec default group RADIUS_SERVERS local if-authenticated
!
aaa session-id common
clock timezone EET 2 0
!
ipv6 multicast rpf use-bgp
no ipv6 cef
!
ip cef
no ip igmp snooping
!
dot1x system-auth-control
!
spanning-tree mode pvst
spanning-tree extend system-id
!
interface Ethernet0/0
 switchport access vlan 10
 switchport mode access
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 5000.000c.0000
 switchport port-security
 authentication port-control auto
 dot1x pae authenticator
!
interface Ethernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 88
 switchport mode trunk
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet1/0
!
interface Ethernet1/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 88
 switchport mode trunk
!
interface Ethernet1/2
!
interface Ethernet1/3
!
interface Vlan88
 ip address 192.168.88.6 255.255.255.0
!
ip default-gateway 192.168.88.1
ip forward-protocol nd
!
no ip http server
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip route 0.0.0.0 0.0.0.0 192.168.88.1
!
control-plane
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
!
end
01-07-2021 02:52 PM
The RADIUS server and the PC use different auth protocols.
What auth protocol do you use, PEAP, ...?
01-07-2021 03:30 PM
The Windows Supplicant can be configured with various EAP methods - it doesn't matter to the switch (Authenticator) - the main thing is that the Authenticating Server (Windows (NPS?) ... which @user_net incorrectly referred to as the 'Authenticator' - it's actually the Authenticating Server).
EAP-PEAP or EAP-TLS are valid methods on the Windows 7 client to talk to the switch. Windows requires the Wired Service to be enabled, before the wired supplicant configuration tab becomes visible. Supplicant configuration is also discussed all over the internet - just need to search for examples.
01-07-2021 02:58 PM
Wired 802.1X configurations are always full of moving parts (and dependent on whether it's classic config or IBNS 1.0/2.0) - I'd say look at the Wired Prescriptive Guide - example of a typical config - perhaps you're missing the aaa authorization network statement?
Have a peek through the commands below ... admittedly, it's not complete, but there might be some nuggets in there - I have a template that I tend to re-use ...
aaa authentication dot1x default group RADIUS_SERVERS
aaa authorization network default group RADIUS_SERVERS
aaa accounting identity default start-stop group RADIUS_SERVERS
aaa accounting update newinfo periodic 2880
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
dot1x critical eapol
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
device-tracking policy IPDT_POLICY
 tracking enable
aaa server radius dynamic-author
 client 192.168.1.178 server-key BisBradius
dot1x system-auth-control
## Start with IBNS 1.0 Config
## =================================
interface GigabitEthernet1/0/1
description ** Endpoints and Users **
switchport access vlan 1406
switchport voice vlan 1437
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication host-mode multi-auth
authentication open
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
mab
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-reauth-req 3
spanning-tree portfast
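One way to check a pasted running-config for the prerequisites this reply points at (the missing aaa authorization network statement, dot1x system-auth-control, and authentication port-control auto on the authenticator port). This is an added example, not code from the thread; the checklist it encodes is an assumption drawn from the replies for classic (non-IBNS 2.0) config, and the sample config is constructed to mirror the original poster's.

```python
"""Lint an IOS running-config for the wired 802.1X prerequisites named in the
replies. Added example, not from the post; the checklist is an assumption."""
import re
# (label, regex): global commands a classic (non-IBNS 2.0) 802.1X config needs.
REQUIRED_GLOBAL = [
    ("aaa new-model", r"^aaa new-model$"),
    ("dot1x system-auth-control", r"^dot1x system-auth-control$"),
    ("aaa authentication dot1x default group <list>",
     r"^aaa authentication dot1x default group \S+"),
    ("aaa authorization network default group <list>",
     r"^aaa authorization network default group \S+"),
]
def parse_config(text):
    """Split IOS config into global lines and {interface: [sub-lines]}.
    IOS indents sub-commands by one space; a bare '!' closes a block."""
    global_lines, interfaces, current = [], {}, None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if not line or line == "!":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces
def check_dot1x(text):
    """Return findings as 'scope: missing <command>'; an empty list means OK."""
    global_lines, interfaces = parse_config(text)
    findings = [f"global: missing '{label}'" for label, pat in REQUIRED_GLOBAL
                if not any(re.match(pat, g) for g in global_lines)]
    for name, subs in interfaces.items():  # only authenticator ports need port-control
        if "dot1x pae authenticator" in subs and "authentication port-control auto" not in subs:
            findings.append(f"{name}: missing 'authentication port-control auto'")
    return findings
# Constructed sample mirroring the poster's config: exec authorization only.
SAMPLE = """\
aaa new-model
aaa authentication dot1x default group RADIUS_SERVERS
aaa authorization exec default group RADIUS_SERVERS local if-authenticated
dot1x system-auth-control
!
interface Ethernet0/0
 authentication port-control auto
 dot1x pae authenticator
!
"""
```

Running check_dot1x(SAMPLE) reports only the missing aaa authorization network line; exec authorization does not satisfy it, which is the point the reply makes.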