Cisco 802.1x NEAT with MS Win2008 R2 NPS

Erich Schommarz
Level 1

Dear Community

We have a customer who wants to use NEAT 802.1x authentication for meeting rooms. The preferred RADIUS server of the customer would be Microsoft NPS. For two days I have been trying to realize the solution with NEAT and Win2008 R2 without success.

My question to the community: has anybody implemented NEAT with the Microsoft RADIUS server? If yes, what kind of authentication method have you used in the Microsoft RADIUS server, EAP-MSCHAPv2 or MD5?

Thanks for any feedback / experience on whether this scenario is possible or not.

Greetings Erich

3 Replies

jamesw811
Level 1

We're having the same trouble - response from NPS is "The client could not be authenticated because the EAP type cannot be processed by the server."

Anybody had any luck in the last 12 months?

Hi James

For our problem we haven't found a solution. We have now sold an ACS server to the customer. It's more expensive, but the reporting functionality is very cool, about 10x better than the logs in Windows. Also, if you use Cisco network devices you have everything from the same supplier, and if you need support you will probably find a solution more quickly than with a mixed environment.

For the above problem we could probably open a case. But how big is the chance that Cisco says it's Microsoft's error and vice versa?

But maybe you are lucky and somebody has found in the meantime a solution.

Erich

mzik
Level 1

I am trying to configure the same. A NEAT supplicant is configured on a Catalyst 2960-CG switch, authenticator on Cat 2960 and Cat 3750G switches (tested both). RADIUS server is MS Windows 2008 R2 NPS.

The supplicant is configured for the MSCHAPv2 authentication method. The NPS is configured for "Microsoft: Secured password (EAP-MSCHAP v2)" (please bear in mind that "Microsoft: Protected EAP (PEAP)" with inner "Secured password (EAP-MSCHAP v2)" is something else and causes the error message reported by jamesw811).

I am getting the following error message in the NPS log:

------ NPS log ------------
Network Policy Server discarded the request for a user.
 
...removed...
 
Authentication Details:
Proxy Policy Name: Wired Connections
Network Policy Name: Wired 802.1x NEAT Switches TEST
Authentication Provider: Windows 
Authentication Server: ...removed...
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Reason Code: 1
Reason: An internal error occurred. Check the system event log for additional information.
---------------------------
 
System event log contains no additional information. Anyone experiencing the same problem?
 
Mirek
 

Supplicant:
switch: WS-C2960CG-8TC-L
sw: c2960c405ex-universalk9-mz.122-55.EX3, c2960c405ex-universalk9-mz.122-55.EX2

config:
cisp enable
eap profile EAPPRO
 method mschapv2
!
dot1x system-auth-control
dot1x credentials TESTUSER
 username TESTUSER
 password 7 ...removed...
!
dot1x supplicant force-multicast
!
interface GigabitEthernet0/10
 description NEAT Authenticator switch uplink port
 switchport mode trunk
 ip arp inspection trust
 dot1x pae supplicant
 dot1x credentials TESTUSER
 dot1x supplicant eap profile EAPPRO
 storm-control broadcast level 0.50
 storm-control multicast level 0.50
 ip dhcp snooping trust
!

Authenticator:
switch: WS-C3750G-24TS-1U
sw: c3750-ipbase-mz.122-35.SE5, c3750-ipbasek9-mz.122-55.SE9
switch: WS-C2960-24TT-L
sw: c2960-lanbasek9-mz.122-58.SE2

config:
!
aaa new-model
!
aaa authentication login admacc local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
cisp enable
dot1x system-auth-control
!
interface GigabitEthernet1/0/3
 description dot1x port for NEAT Supplicant switch
 switchport mode access
 ip arp inspection trust
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x max-reauth-req 6
 storm-control broadcast level 0.30
 storm-control multicast level 0.30
 storm-control action shutdown
 spanning-tree portfast
 ip dhcp snooping trust
!
radius-server host ...removed... auth-port 1812 acct-port 1813 key 7 ...removed...
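The two NPS failure signatures that appear in this thread (the blank "EAP Type: -" with reason code 1 in the log above, and the "EAP type cannot be processed by the server" message jamesw811 reported) are easy to spot in a pile of events once the "Key: Value" text is parsed. The script below is an added example, not code from any poster, from NPS or from Cisco: it parses event text of the shape quoted above and maps each event to the checks this thread converged on. The server name, the policy values and both sample events are constructed; reason code 22 for the "EAP type cannot be processed" message is stated from memory, not from the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample event, modelled on the NPS text quoted in this thread.
# The server name is a placeholder, not the poster's real one.
NEAT_INTERNAL_ERROR_EVENT = """Network Policy Server discarded the request for a user.

Authentication Details:
Proxy Policy Name: Wired Connections
Network Policy Name: Wired 802.1x NEAT Switches TEST
Authentication Provider: Windows
Authentication Server: nps01.example.test
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Reason Code: 1
Reason: An internal error occurred. Check the system event log for additional information.
"""

# Second constructed event carrying the message jamesw811 reported. Reason code 22
# is the NPS code that accompanies this text (assumed from memory, not from the thread).
EAP_MISMATCH_EVENT = """Network Policy Server denied access to a user.

Authentication Details:
Proxy Policy Name: Wired Connections
Network Policy Name: Wired 802.1x NEAT Switches TEST
Authentication Provider: Windows
Authentication Server: nps01.example.test
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Reason Code: 22
Reason: The client could not be authenticated because the EAP type cannot be processed by the server.
"""

# One "Key: Value" line; the key stops at the first colon so "Reason: ... log." parses cleanly.
FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")


def parse_nps_event(text: str) -> Dict[str, str]:
    """Turn the 'Key: Value' lines of an NPS event into a dict.
    Section headers with no value ('Authentication Details:') are skipped,
    and the '-' NPS prints for fields it never populated becomes ''."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m or not m.group(2):
            continue  # free-text line or a bare section header
        key, value = m.group(1), m.group(2)
        fields[key] = "" if value == "-" else value
    return fields


def diagnose(fields: Dict[str, str]) -> List[Tuple[str, str]]:
    """Map one parsed event to the failure signatures discussed in the thread."""
    findings: List[Tuple[str, str]] = []
    auth_type = fields.get("Authentication Type", "")
    eap_type = fields.get("EAP Type", "")
    reason = fields.get("Reason", "")
    code = fields.get("Reason Code", "")
    if "EAP type cannot be processed" in reason:
        findings.append(("EAP_TYPE_MISMATCH",
                         "NPS has no EAP type matching what the supplicant offers; a NEAT "
                         "supplicant using 'method mschapv2' needs the policy to list "
                         "'Microsoft: Secured password (EAP-MSCHAP v2)', not PEAP with an "
                         "inner EAP-MSCHAP v2"))
    if auth_type == "EAP" and not eap_type:
        findings.append(("EAP_TYPE_UNSET",
                         "EAP Type is blank: negotiation never got far enough for NPS to "
                         "record a method; compare the switch 'eap profile' with the "
                         "policy's EAP Types list"))
    if code == "1":
        findings.append(("INTERNAL_ERROR",
                         "Reason code 1 is a generic NPS failure; correlate with the "
                         "System event log, as the message itself suggests"))
    if not findings:
        findings.append(("UNCLASSIFIED", f"reason code {code or '?'}: {reason or 'no reason text'}"))
    return findings


def scan(events: List[str]) -> Dict[str, int]:
    """Count finding codes across many events, e.g. a day of NPS logs."""
    counts: Dict[str, int] = {}
    for ev in events:
        for code, _ in diagnose(parse_nps_event(ev)):
            counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    for ev in (NEAT_INTERNAL_ERROR_EVENT, EAP_MISMATCH_EVENT):
        f = parse_nps_event(ev)
        print(f.get("Network Policy Name"), "reason code", f.get("Reason Code"))
        for code, msg in diagnose(f):
            print("   ", code, "-", msg)
    print(scan([NEAT_INTERNAL_ERROR_EVENT, EAP_MISMATCH_EVENT]))
```

The blank "EAP Type" is the useful detail: NPS records the negotiated method once an EAP conversation is under way, so a blank value on an EAP request says the supplicant and the policy never agreed on one, which is exactly the PEAP-versus-EAP-MSCHAPv2 confusion mzik describes.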
