
No Radius-accept-request received on Radius server

MeirsmanRalf
Level 1

Hi,

I'm trying to access my network through 802.1X Radius authentication. My PC is connected to a 2950 switch with the following configuration:

aaa new-model

aaa authentication dot1x default group radius

dot1x system-auth-control

radius-server host 11.0.0.2 key Ralf

on interface level (connection to PC):

switchport mode access

switchport access vlan 8

dot1x port-control auto

on interface level (connection to Radius server):

switchport mode access

switchport access vlan 8

I enabled 802.1X authentication on my PC via the service 'Wired Autoconfig', and in the Authentication tab (one of the tabs of the interface configuration) I chose PEAP.

Result:

When I trace my PC interface with Wireshark, I see an EAPOL EAP-Request and an EAP-Response message. The next message in the flow should be a Radius-Accept-request message, but it seems that this message is never sent. Although, when I open a 'debug radius' session on the switch, the logs indicate that the accept-request message is sent. Strange, because I see no message coming in on the Radius-server interface.

The Radius-server has IP-address 11.0.0.2 and my PC 11.0.0.3.

Does anybody see a reason why the Radius-Accept-Request message is not received on my Radius-server interface?

Kind regards, Ralf.

2 Replies

Tiago Antunes
Cisco Employee

Hi,

When using PEAP, the authentication is not as simple as that.

This is the PEAP authentication process:

http://layer3.files.wordpress.com/2009/08/wireless-security-peap.jpg

Here you can see the switch as the AP.

So, after the first EAP-Response message, the ACS must reply with an Access-Challenge containing the EAP-TLS start, so the encryption tunnel can be started.

One possible reason for this not to happen is simply because the ACS does not support PEAP and/or does not contain the server certificate needed to build the TLS tunnel.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

I found a solution to my problem. I administered an IP-address for the VLAN-interface on the switch:

int vlan 8

ip address 11.0.0.4 255.255.255.0

Apparently the switch needs an IP-address to send the Radius-accept-request from.

Next step is to get a Radius-server running and get the PC authenticated.
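
The fix found in this thread, turned into a configuration check. This is an added example, not part of the original posts or any Cisco tooling: it parses a switch configuration and reports RADIUS servers that the switch has no IP address to reach them from. The sample configs are constructed from the lines quoted above (with a placeholder in place of the shared secret and an assumed port name), and the "not directly connected" finding goes one step beyond the thread's case.

```python
import ipaddress
import re

# Constructed sample configs modelled on the thread (not captured from a device).
# FastEthernet0/1 and <shared-secret> are assumptions/placeholders.
BEFORE = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 11.0.0.2 key <shared-secret>
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 8
 dot1x port-control auto
"""
AFTER = BEFORE + """\
interface Vlan8
 ip address 11.0.0.4 255.255.255.0
"""

QUAD = r"(\d+\.\d+\.\d+\.\d+)"

def radius_source_findings(config: str) -> list[str]:
    """Return one finding per RADIUS server the switch cannot source packets to."""
    servers = [ipaddress.ip_address(s)
               for s in re.findall(rf"^radius-server host {QUAD}", config, re.M)]
    # Collect every static 'ip address ADDR MASK' configured under an interface.
    addresses, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif not line.startswith(" "):
            current = None  # left the interface stanza
        m = re.match(rf"\s+ip address {QUAD} {QUAD}", line)
        if current and m:
            addresses.append(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}"))
    findings = []
    for server in servers:
        if not addresses:
            findings.append(f"{server}: switch has no IP address to source RADIUS packets from")
        elif not any(server in a.network for a in addresses):
            findings.append(f"{server}: not on a directly connected subnet, needs a gateway or route")
    return findings

if __name__ == "__main__":
    print("before:", radius_source_findings(BEFORE))
    print("after: ", radius_source_findings(AFTER))
```
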