Hi Rudolf,

Unfortunately I didnt get a chance to look in to this further as I was called on to another project. I will be re-visiting this some time soon so if you come up with a solution I would be most grateful to hear from you,

regards

Richard

This is normal behavior. The port begins amber b/c the port has not been authenticated. You should notice the port in an up/down status, and spanning-tree will not be in a forwarding state either.

The port will turn green when 802.1x has successfully authenticated the port (up/up status, and spanning-tree is in a forwarding state).

Need more info to determine root cause.

FYI, the switch doesn't really have visibility into PEAP+MS-CHAPv2. It transposes whatever the PC is sending it, and re-encapsulates the EAP conversation into RADIUS frames.

Couple of quick things to check:

sho dot1x int

If you see the port in a HELD state, this should mean that 802.1x actually failed (so look on the PC, IAS, and/or backend DB to determine why).

If you see the port in a CONNECTING state, this should mean that 802.1x isn't enabled on the PC.

Further debugging can be performed on the XP supplicant by enabling tracing:

netsh ras set tracing * enable

This enables tracing for all components on the supplicant (namely eap and mschapv2).

Verify tracing logs:

Explore to the C:\WINDOWS\tracing folder.

This folder should then contain the sets of traces for the components invoked from the command above.

Study the RASEAP, RASCHAP, RASTLS files for this context.

Hope this helps.

Hi thanks, i will try this.

Meanwhile i found another solution.I found the problem in the RAS Policies on the IAS Server (Windows 2003 Enterprise). I made my RAS Policies with the wizard for ethernet. If I checked my RAS Policies there was a term like "NAS Port = "Ethernet". I canceled this one and then it worked promptly.

The strange thing is, that my RAS Policies for WLAN with "NAS Port = "802.11" OR "WLAN " work perfectly.

best regards,

Rudolf

Is port authentication supposed to work at the same time as a users logs on to a network ? I am trying to get a user to log on to a system using an rsa token and want the following to happen :

1. user presses ctrl - alt - del on client and enters uname and password.

2. Info is taken by catalyst 2950 running port authentication and passed on to 2003 server.

3. the uname and password is authentacted.

4. port is opened and user is then prompted by ace server for tokencode.

5. tokencode accepted and user has acces to the network.

is this possible, has anyone done this ?

can you have a single authentication for the cisco port and the domain and can this be forwarded to an ace server ?

any advice is much appreciated,

regards

Richard

I had the same problem with the IAS 2003 wizard.

The RAS Policies was "NAS Port= Ethernet", but my swith 3550 sent NAS port= Async. I could see that with a sniffer in the values for RADIUS Attribute 61 (rfc 2865), the value for Ethernet is 15 and for Async is 0.

First i changed my policie swith NAS port= Async and the authentication is OK. After i put the last Ios version on the 3550, then the swith sent the good value for the radius attribute 61, then i changed my policie with NAS port= Ethernet.

Correct. This is CSCec86385.

You should be able to see the Releae Notes indicating the fix.

It was fixed in the following releases:

12.1(20)EA2

12.2(20)SE

Hi!

Ist there the same problem with den Cat 2950? I´using IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(14)EA1a, RELEASE SOFTWARE(fc1).

Isn´t this the latest os version?

thanks in advance,

best regards,

rudolf