No Radius-accept-request received on Radius server
11-11-2010 03:16 AM - edited 03-10-2019 05:33 PM
Hi,
I'm trying to access my network through 802.1X Radius authentication. My PC is connected to a 2950 switch with following configuration:
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 11.0.0.2 key Ralf
On interface level (connection to PC):
switchport mode access
switchport access vlan 8
dot1x port-control auto
On interface level (connection to Radius server):
switchport mode access
switchport access vlan 8
I enabled 802.1X authentication on my PC via the service 'Wired Autoconfig', and in the authentication tab (one of the tabs of the interface configuration) I chose PEAP.
Result:
When I trace my PC-interface with Wireshark, I see an EAPOL EAP-Request and an EAP-Response message. The next message in the flow should be a Radius-Accept-request message, but it seems that this message is never sent. However, when I open a 'debug radius' session on the switch, the logs indicate that the accept-request message is sent. Strange, because I see no message coming in on the Radius-server interface.
The Radius-server has IP-address 11.0.0.2 and my PC 11.0.0.3.
Does anybody see a reason why the Radius-Accept-Request message is not received on my Radius-server interface?
Kind regards, Ralf.
Labels: AAA
11-11-2010 04:13 AM
Hi,
When using PEAP, the authentication is not as simple as that.
This is the PEAP authentication process:
Here you can see the switch as the AP.
So, after the first EAP-Response message, the ACS must reply with an Access-Challenge containing the EAP-TLS start, so the encryption tunnel can be started.
One possible reason for this not to happen is simply because the ACS does not support PEAP and/or does not contain the server certificate needed to build the TLS tunnel.
HTH,
Tiago
11-11-2010 12:28 PM
I found a solution to my problem. I administered an IP-address for the VLAN-interface on the switch:
int vlan 8
ip address 11.0.0.4 255.255.255.0
Apparently the switch needs an IP-address to send the Radius-accept-request from.
Next step is to get a Radius-server running and get the PC authenticated.
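
Added example, not part of the original thread: a small Python check for the condition the last post describes, reporting for each configured RADIUS server which switch interfaces hold an IP address in the server's subnet. The interface name FastEthernet0/1, the key placeholder and the function name are assumptions, and the check only covers a server on a directly connected subnet, as in the thread.

```python
import ipaddress
import re

# Constructed configs modeled on the thread: before and after the SVI fix.
# FastEthernet0/1 and <shared-secret> are placeholders, not from the posts.
BEFORE = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 11.0.0.2 key <shared-secret>
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 8
 dot1x port-control auto
"""
AFTER = BEFORE + """\
interface Vlan8
 ip address 11.0.0.4 255.255.255.0
"""


def radius_source_check(config):
    """Map each RADIUS server to the interfaces addressed in its subnet.

    An empty list means the switch has no local IP address from which it
    could source RADIUS packets to that (directly connected) server.
    """
    servers, networks, current = [], {}, None
    for line in config.splitlines():
        if m := re.match(r"radius-server host (\S+)", line):
            servers.append(ipaddress.ip_address(m[1]))
        elif m := re.match(r"interface (\S+)", line):
            current = m[1]
        elif m := re.match(r"\s+ip address (\S+) (\S+)", line):
            if current:  # address/netmask pair under an interface stanza
                iface = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
                networks[current] = iface.network
        elif line and not line[0].isspace():
            current = None  # any other top-level command ends the stanza
    return {str(s): [name for name, net in networks.items() if s in net]
            for s in servers}


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        for server, ifaces in radius_source_check(cfg).items():
            print(f"{label}: {server} ->", ifaces or "NO SOURCE ADDRESS")
```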
