Wired 802.1x Authentication

h.parsons
Level 3

I am trying to configure a simple authentication using WinXP (MD5) to ACS v3.3. I have configured my 3550 and ACS according to the documentation, but I receive the following error message on the ACS: "Invalid message authenticator in EAP request." Any help would be appreciated.

aaa authentication dot1x default group radius
dot1x system-auth-control

interface FastEthernet0/12
 switchport access vlan 314
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast

radius-server host 10.xx.xx.xx auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key secret

7 Replies

Cisco4Life
Level 1

Your config looks good so far. How do your ACS configs look? Can you post some of that info...

Frank

My server is set as "CiscoSecure ACS" and the client setup is the address of the switch with a key= secret and authenticate using RADIUS(IETF)

The IETF attributes I have set are:

[006] Service-Type login

[064] TunnelType Tag=1 value=vlan

[065] Tunnel-Medium Tag=1 value=802

and on the Windows XP box I set it to use md5 authentication

1. How come you are using the Radius(IETF) instead of the Radius(Cisco IOS)?

2. The attributes you set are for if you plan on using the group to assign a specific vlan to the user in the group. On your switch configuration, you have a vlan already attached.

3. Do you have a user already configured on the ACS 3.3 server?

Frank

FWIW, it doesn't matter in this case if you have RADIUS(IETF) or RADIUS(Cisco IOS). Reason being, all the attributes stated here are std RADIUS attributes anyway.

Also, if you want to achieve VLAN-Assignment for a session, then you need to set attributes [64], [65], and [81]. The value in [81] should be the name of your VLAN, or optionally the number. I didn't see that in your note before.

Hope this helps,

I have tried two different computers, one with XP and another with 2K, and every possible combination, but I still receive this error:

Bad request from NAS

Invalid message authenticator in EAP request.

Using md5 authentication there is not a lot of configuration needed. I feel this problem is with the ACS server.
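The message the ACS logs is the server's check of the RADIUS Message-Authenticator attribute (RFC 3579), an HMAC-MD5 over the whole Access-Request keyed with the shared secret; if the secret the switch sends with differs from the one in the ACS client entry, every request that carries an EAP-Message fails that check. The following is an added example, not code from this thread or from Cisco, that builds a constructed Access-Request and verifies the attribute the way a RADIUS server does; the attribute numbers are the standard IETF ones, and the secret, user name and Request Authenticator are constructed placeholders.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80

def attr(attr_type, value):
    # One RADIUS attribute: Type, Length (including the 2-byte header), Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, ident, authenticator, eap_payload, user=b"user1"):
    """Access-Request with EAP-Message and a Message-Authenticator (RFC 3579)."""
    attrs = attr(ATTR_USER_NAME, user) + attr(ATTR_EAP_MESSAGE, eap_payload)
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # zeroed placeholder, last attribute
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    # HMAC-MD5 keyed with the shared secret, computed over the packet with the placeholder zeroed
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac

def verify_message_authenticator(secret, packet):
    """True if the packet's Message-Authenticator validates under this shared secret."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    offset, has_eap, mac_offset = 20, False, None
    while offset + 2 <= length:
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > length:
            return False  # malformed TLV
        if attr_type == ATTR_EAP_MESSAGE:
            has_eap = True
        elif attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            mac_offset = offset + 2
        offset += attr_len
    if mac_offset is None:
        return not has_eap  # EAP-Message without Message-Authenticator is rejected
    received = packet[mac_offset:mac_offset + 16]
    zeroed = packet[:mac_offset] + b"\x00" * 16 + packet[mac_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)

def demo():
    """Constructed sample: one request checked with the matching and a mismatched secret."""
    eap_identity = bytes([2, 1, 0, 9]) + b"user1"  # constructed EAP-Response/Identity
    packet = build_access_request(b"secret", 1, bytes(range(16)), eap_identity)
    return (verify_message_authenticator(b"secret", packet),
            verify_message_authenticator(b"wrong-secret", packet))  # (True, False)
```

A mismatched secret makes the second check fail exactly as the ACS reports, so comparing the key configured under `radius-server key` with the key in the ACS AAA client entry (including trailing spaces) is the first thing to verify.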

Change MD5 to PEAP and then ask it to use the Windows login (if you want). I could not get it to work with MD5 either. I think it may have something to do with the 802.1x supplicant client that comes built in with Windows.

I'd be looking for certificate problems... you can prove it by unchecking the validate certificate box in the PC's NIC setup (authentication tab). If that works, I'd say it's a cert problem. If you must check the box, you must AT MINIMUM generate a self-signed cert on ACS and install the same cert in the PC's root store.