08-15-2005 10:51 AM - edited 03-10-2019 02:16 PM
I am trying to configure a simple authentication using WinXP (MD5) to ACS v3.3. I have configured my 3550 and ACS according to the documentation, but I receive the following error message on the ACS: Invalid message authenticator in EAP request. Any help would be appreciated.
aaa authentication dot1x default group radius
dot1x system-auth-control
interface FastEthernet0/12
 switchport access vlan 314
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
radius-server host 10.xx.xx.xx auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key secret
08-17-2005 07:54 AM
Your config looks good so far, how does your ACS configs look? Can you post some of that info...
Frank
08-18-2005 05:00 AM
My server is set as "CiscoSecure ACS" and the client setup is the address of the switch with a key= secret and authenticate using RADIUS(IETF)
The IETF attributes I have set are:
[006] Service-Type login
[064] TunnelType Tag=1 value=vlan
[065] Tunnel-Medium Tag=1 value=802
and on the Windows XP box I set it to use md5 authentication
08-19-2005 06:57 AM
1. How come you are using the Radius(IETF) instead of the Radius(Cisco IOS)?
2. The attributes you set are for if you plan on using the group to assign a specific vlan to the user in the group. On your switch configuration, you have a vlan already attached.
3. Do you have a user already configured on the ACS 3.3 server?
Frank
08-19-2005 08:11 AM
FWIW, it doesn't matter in this case if you have RADIUS(IETF) or RADIUS(Cisco IOS). Reason being, all the attributes stated here are std RADIUS attributes anyway.
Also, if you want to achieve VLAN-Assignment for a session, then you need to set attributes [64], [65], and [81]. The value in [81] should be the name of your VLAN, or optionally the number. I didn't see that in your note before.
Hope this helps,
08-19-2005 11:20 AM
I have tried two different computers, one with XP and another with 2K, and every possible combination, but I still receive this error:
Bad request from NAS
Invalid message authenticator in EAP request.
Using md5 authentication there is not a lot of configuration needed. I feel this problem is with the ACS server.
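Added example, not part of the thread and not Cisco ACS code: the error above names the RADIUS Message-Authenticator attribute, which RFC 3579 defines as an HMAC-MD5 over the whole Access-Request keyed with the shared secret. The sketch below signs a constructed request as the switch would and verifies it as the server would, showing that any difference in the key on the two sides fails the check; the user name, NAS address and key values are constructed samples.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 3579)

def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(secret, ident, attrs):
    """NAS side: build an Access-Request and sign it with HMAC-MD5."""
    body = b"".join(attrs) + attr(MSG_AUTH, bytes(16))  # placeholder zeros
    request_auth = bytes(range(16))  # constructed Request Authenticator
    pkt = bytearray(struct.pack("!BBH", 1, ident, 20 + len(body)) + request_auth + body)
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)

def verify_message_authenticator(secret, pkt):
    """Server side: True only if attribute 80 matches the recomputed HMAC."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("bad RADIUS length")
    zeroed, received, i = bytearray(pkt), None, 20
    while i < len(pkt):
        if i + 2 > len(pkt) or pkt[i + 1] < 2 or i + pkt[i + 1] > len(pkt):
            raise ValueError("malformed attribute")
        if pkt[i] == MSG_AUTH:
            if pkt[i + 1] != 18:
                raise ValueError("bad Message-Authenticator length")
            received = pkt[i + 2:i + 18]
            zeroed[i + 2:i + 18] = bytes(16)  # HMAC is computed over zeros here
        i += pkt[i + 1]
    if received is None:
        return False  # no attribute 80 present: nothing to validate against
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)

# Constructed sample: EAP-Response/Identity for a made-up user "testuser".
EAP_IDENTITY = struct.pack("!BBHB", 2, 1, 13, 1) + b"testuser"
SAMPLE_ATTRS = [attr(1, b"testuser"), attr(4, bytes([192, 0, 2, 10])), attr(79, EAP_IDENTITY)]

if __name__ == "__main__":
    pkt = build_access_request(b"secret", 1, SAMPLE_ATTRS)
    for server_key in (b"secret", b"secret ", b"Secret"):  # constructed keys
        print(repr(server_key), verify_message_authenticator(server_key, pkt))
```

Only the byte-identical key verifies; a trailing space or a case difference in the key entered on either side is enough to make the server reject the request.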
08-22-2005 12:15 PM
Change MD5 to PEAP and then ask it to use the Windows login (if you want). I could not get it to work with MD5 either. I think it may have something to do with the 802.1x supplicant client that comes in-built with Windows.
09-01-2005 02:59 PM
I'd be looking for Certificate problems... you can prove it by unchecking the validate certificate box in the PC's NIC setup (authentication tab). If that works, I'd say it's a cert problem. If you must check the box, you must AT MINIMUM generate a self-signed cert on ACS and install the same cert in the PC's root store.