I am trying to configure a simple authentication using WinXP(MD5) to ACS v3.3. I have configured my 3550 and ACS according to the documentation, but I receive the following error message on the ACS: Invalid message authenticator in EAP request. Any help would be appreciated.
aaa authentication dot1x default group radius
switchport access vlan 314
switchport mode access
dot1x port-control auto
radius-server host 10.xx.xx.xx auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key secret
My server is set as "CiscoSecure ACS" and the client setup is the address of the switch with a key=secret and authenticate using RADIUS(IETF).
The IETF attributes I have set are:
 Service-Type login
 TunnelType Tag=1 value=vlan
Tunnel-Medium Tag=1 value=802
and on the Windows XP box I set it to use MD5 authentication.
1. How come you are using the Radius(IETF) instead of the Radius(Cisco IOS)?
2. The attributes you set are for if you plan on using the group to assign a specific vlan to the user in the group. On your switch configuration, you have a vlan already attached.
3. Do you have a user already configured on the ACS 3.3 server?
FWIW, it doesn't matter in this case if you have RADIUS(IETF) or RADIUS(Cisco IOS). Reason being, all the attributes stated here are std RADIUS attributes anyway.
Also, if you want to achieve VLAN-Assignment for a session, then you need to set attributes , , and . The value in  should be the name of your VLAN, or optionally the number. I didn't see that in your note before.
Hope this helps,
I have tried two different computers, one with XP and another with 2K, and every possible combination, but I still receive this error:
Bad request from NAS
Invalid message authenticator in EAP request.
Using md5 authentication there is not a lot of configuration needed. I feel this problem is with the ACS server.
Change MD5 to PEAP and then ask it to use the Windows login (if you want). I could not get it to work with MD5 either. I think it may have something to do with the 802.1x supplicant client that comes in-built with Windows.
I'd be looking for certificate problems... you can prove it by unchecking the validate certificate box in the PC's NIC setup (authentication tab). If that works, I'd say it's a cert problem. If you must check the box, you must AT MINIMUM generate a self-signed cert on ACS and install the same cert in the PC's root store.
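Added example, not part of any post in this thread and not Cisco's code: a sketch of the RADIUS Message-Authenticator check from RFC 3579 (attribute 80, HMAC-MD5 over the whole Access-Request keyed with the shared secret), showing that a one-character key difference between NAS and server makes every EAP request fail validation. It assumes the ACS message refers to this attribute; the function names and the user "alice" are made up, and the key "secret" is the one from the switch config above.

```python
import hashlib
import hmac
import os
import struct

EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80  # 16-byte HMAC-MD5 keyed with the shared secret


def build_access_request(secret, identifier, attrs):
    """Build and sign an Access-Request (code 1) the way a NAS would."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)  # zeroed
    header = struct.pack("!BBH", 1, identifier, 20 + len(body))
    packet = bytearray(header + os.urandom(16) + body)  # Request Authenticator
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def verify_message_authenticator(secret, packet):
    """Server-side check. Returns 'ok', 'missing' or 'invalid'."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        return "invalid"
    buf, pos, ma_off = bytearray(packet[:length]), 20, None
    while pos < length:
        if pos + 2 > length or buf[pos + 1] < 2 or pos + buf[pos + 1] > length:
            return "invalid"  # malformed attribute
        if buf[pos] == MESSAGE_AUTHENTICATOR:
            if buf[pos + 1] != 18 or ma_off is not None:
                return "invalid"
            ma_off = pos + 2
        pos += buf[pos + 1]
    if ma_off is None:
        return "missing"
    received = bytes(buf[ma_off:ma_off + 16])
    buf[ma_off:ma_off + 16] = bytes(16)  # HMAC is computed over a zeroed field
    expected = hmac.new(secret, bytes(buf), hashlib.md5).digest()
    return "ok" if hmac.compare_digest(received, expected) else "invalid"


def demo():
    # Constructed EAP-Response/Identity for "alice"; second check uses a key
    # that differs by one trailing space (constructed mismatch).
    eap = struct.pack("!BBHB", 2, 1, 10, 1) + b"alice"
    pkt = build_access_request(b"secret", 7, [(1, b"alice"), (EAP_MESSAGE, eap)])
    return (verify_message_authenticator(b"secret", pkt),
            verify_message_authenticator(b"secret ", pkt))
```

Because the HMAC covers the entire packet, a failure here points at the key configured on each side or at modification in transit, independent of which EAP method the supplicant uses.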