Question Re IAS/RADIUS 802.1x Authentication on SG300 Switches

andrew.james
Level 1

Good Morning All,

We have just acquired one of these new SG300 series switches which gives us the ability to play around with 802.1x authentication.

We have everything configured correctly for any clients which have 802.1x (e.g. PCs, IP Phones).

Our problem comes to non-802.1x-compliant devices, in this case a printer. The documentation says the switch should detect there is no 802.1x client, and pass the authentication as itself, with the username. It does this, but we get a weird error on our ISA server... It's weird, I am puzzled. We have some other vendor switches which perform this without causing the below issue, so am I missing something easy?

Help greatly appreciated.

===

User 0014389c24f0 was denied access.

Fully-Qualified-User-Name = nuffieldhospitals.org.uk/Test OU - IT Infrastructure/MAC Address Testing/0014389c24f0

NAS-IP-Address = 10.101.180.250

NAS-Identifier = <not present>

Called-Station-Identifier = <not present>

Calling-Station-Identifier = 00-14-38-9C-24-F0

Client-Friendly-Name = FWCORPAMEXHouse

Client-IP-Address = 10.101.180.250

NAS-Port-Type = Ethernet

NAS-Port = 55

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server = <undetermined>

Policy-Name = CISCO_FWCORP_PCMACS

Authentication-Type = EAP

EAP-Type = <undetermined>

Reason-Code = 22

Reason = The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

===

Any help greatly appreciated.

Thanks

AJ

1 Reply

andamani
Cisco Employee

Hi,

Can you do the following:

Go to IAS > Remote Access Policies > Double click on the policy CISCO_FWCORP_PCMACS.

  1. Click Edit Profile.

  2. On the Authentication tab, click EAP Methods.

  3. In Select EAP providers, click Add. Select the authentication methods that you want to use, and then click OK.

  4. In Select EAP providers, click the EAP type that you want to configure, and then click Edit. Depending on the EAP type selected, one of the following dialog boxes is displayed:

    • If Protected EAP (PEAP) is selected, the Protected EAP Properties dialog box opens. In Certificate Issued, select the certificate that the server uses to identify itself to client computers. To enable PEAP fast reconnect for 802.11 wireless client computers, click Enable Fast Reconnect. Secure password user authentication with EAP-MSCHAPv2 is the default in EAP Types. To configure EAP-MSCHAPv2 properties, click Edit. To configure certificate or smart card user authentication click Add. In Authentication methods, click Smart Card or other certificate, and then click OK.

    • If Smart Card or other Certificate Properties is selected, the Smart Card or other Certificate Properties dialog box opens. In Certificate issued to, select the certificate that the server uses to authenticate to client computers.

  5. In Select EAP providers, click Move Up or Move Down to specify the negotiation order of EAP methods. The server starts negotiation with the client according to the order specified in EAP types.

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
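
A small triage helper for events like the one in the question, as an added example that is not part of the thread or of any Cisco or Microsoft tooling: it parses the IAS event text, checks whether the user name is the device's own MAC address (the switch authenticating on the printer's behalf), and, for Reason-Code 22, names the remote access policy whose EAP Methods list the reply says to review. The function names are hypothetical and the sample input is an abridged copy of the event posted above.

```python
import re

# Abridged copy of the denial event from the question (sample input).
SAMPLE_EVENT = """\
User 0014389c24f0 was denied access.
NAS-IP-Address = 10.101.180.250
Calling-Station-Identifier = 00-14-38-9C-24-F0
NAS-Port = 55
Policy-Name = CISCO_FWCORP_PCMACS
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 22
"""

USER_RE = re.compile(r"^\s*User (\S+) was (\w+) access\.")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z-]*)\s*=\s*(.*?)\s*$")

def parse_event(text):
    """Parse one IAS event description into a dict; '<...>' values become None."""
    fields = {}
    for line in text.splitlines():
        if (m := USER_RE.match(line)):
            fields["User"], fields["Result"] = m.groups()
        elif (m := FIELD_RE.match(line)):
            key, value = m.groups()
            fields[key] = None if value.startswith("<") else value
    return fields

def norm_mac(value):
    """Return 12 lowercase hex digits if value looks like a MAC, else None."""
    digits = re.sub(r"[-:.]", "", value or "").lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def triage(fields):
    """Flag MAC-named requests and Reason-Code 22 (EAP type not processable)."""
    mac = norm_mac(fields.get("User"))
    caller = norm_mac(fields.get("Calling-Station-Identifier"))
    eap_rejected = (fields.get("Authentication-Type") == "EAP"
                    and fields.get("Reason-Code") == "22")
    return {
        "mac_based": mac is not None and mac == caller,
        "eap_type_rejected": eap_rejected,
        "policy_to_check": fields.get("Policy-Name") if eap_rejected else None,
        "switch": fields.get("NAS-IP-Address"),
        "port": fields.get("NAS-Port"),
    }

if __name__ == "__main__":
    print(triage(parse_event(SAMPLE_EVENT)))
```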