Participant

Wired 802.1x Authentication

I am trying to configure a simple authentication using WinXP (MD5) to ACS v3.3. I have configured my 3550 and ACS according to the documentation, but I receive the following error message on the ACS: Invalid message authenticator in EAP request. Any help would be appreciated.

aaa authentication dot1x default group radius
dot1x system-auth-control
interface FastEthernet0/12
 switchport access vlan 314
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
radius-server host 10.xx.xx.xx auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key secret

Beginner

Re: Wired 802.1x Authentication

Your config looks good so far, how do your ACS configs look? Can you post some of that info...

Frank

Participant

Re: Wired 802.1x Authentication

My server is set as "CiscoSecure ACS" and the client setup is the address of the switch with a key=secret and authenticate using RADIUS(IETF).

The IETF attributes I have set are:

[006] Service-Type login

[064] Tunnel-Type Tag=1 value=vlan

[065] Tunnel-Medium Tag=1 value=802

and on the Windows XP box I set it to use MD5 authentication.

Beginner

Re: Wired 802.1x Authentication

1. How come you are using the Radius(IETF) instead of the Radius(Cisco IOS)?

2. The attributes you set are for if you plan on using the group to assign a specific vlan to the user in the group. On your switch configuration, you have a vlan already attached.

3. Do you have a user already configured on the ACS 3.3 server?

Frank

Cisco Employee

Re: Wired 802.1x Authentication

FWIW, it doesn't matter in this case if you have RADIUS(IETF) or RADIUS(Cisco IOS). Reason being, all the attributes stated here are std RADIUS attributes anyway.

Also, if you want to achieve VLAN-Assignment for a session, then you need to set attributes [64], [65], and [81]. The value in [81] should be the name of your VLAN, or optionally the number. I didn't see that in your note before.

Hope this helps,

Participant

Re: Wired 802.1x Authentication

I have tried two different computers, one with XP and another with 2K, and every possible combination, but I still receive this error:

Bad request from NAS

Invalid message authenticator in EAP request.

Using md5 authentication there is not a lot of configuration needed. I feel this problem is with the ACS server.

Participant

Re: Wired 802.1x Authentication

Change MD5 to PEAP and then ask it to use the Windows login (if you want). I could not get it to work with MD5 either. I think it may have something to do with the 802.1x supplicant client that comes in-built with Windows.

Beginner

Re: Wired 802.1x Authentication

I'd be looking for certificate problems... you can prove it by unchecking the validate certificate box in the PC's NIC setup (authentication tab). If that works, I'd say it's a cert problem. If you must check the box, you must AT MINIMUM generate a self-signed cert on ACS and install the same cert in the PC's root store.