03-10-2011 11:42 PM - edited 03-09-2019 11:26 PM
Dear Community
We have a customer who wants to use NEAT 802.1x authentication for meeting rooms. The preferred RADIUS server of the customer would be Microsoft NPS. For two days I have been trying to realize the solution with NEAT and Win2008 R2 without success.
My question to the community: Has anybody implemented NEAT with a Microsoft RADIUS server? If yes, what kind of authentication method have you used in the Microsoft RADIUS server: EAP-MSCHAPv2 or MD5?
Thanks for any feedback / experience on whether this scenario is possible or not.
Greetings Erich
05-07-2012 10:48 PM
We're having the same trouble - response from NPS is "The client could not be authenticated because the EAP type cannot be processed by the server."
Anybody had any luck in the last 12 months?
05-07-2012 11:30 PM
Hi James
For our problem we haven't found a solution. We have now sold an ACS server to the customer. It's more expensive, but the reporting functionality is very cool, about 10x better than the logs in Windows. Also, if you use Cisco NW devices you have everything from the same supplier, and if you need support you will probably find a solution quicker than with a mixed environment.
For the above problem we could probably open a case. But how big is the chance that Cisco says it's an error from Microsoft and vice versa?
But maybe you are lucky and somebody has found a solution in the meantime.
Erich
08-18-2014 08:06 AM
I am trying to configure the same. A NEAT supplicant is configured on a Catalyst 2960-CG switch, authenticator on Cat 2960 and Cat 3750G switches (tested both). RADIUS server is MS Windows 2008 R2 NPS.
The supplicant is configured for the MSCHAPv2 authentication method. The NPS is configured for "Microsoft: Secured password (EAP-MSCHAP v2)" (please bear in mind that "Microsoft: Protected EAP (PEAP)" with inner "Secured password (EAP-MSCHAP v2)" is something else and causes the error message reported by jamesw811).
I am getting the following error message in the NPS log:
Supplicant:
switch: WS-C2960CG-8TC-L
sw: c2960c405ex-universalk9-mz.122-55.EX3, c2960c405ex-universalk9-mz.122-55.EX2
config:
cisp enable
eap profile EAPPRO
 method mschapv2
!
dot1x system-auth-control
dot1x credentials TESTUSER
 username TESTUSER
 password 7 ...removed...
!
dot1x supplicant force-multicast
!
interface GigabitEthernet0/10
 description NEAT Authenticator switch uplink port
 switchport mode trunk
 ip arp inspection trust
 dot1x pae supplicant
 dot1x credentials TESTUSER
 dot1x supplicant eap profile EAPPRO
 storm-control broadcast level 0.50
 storm-control multicast level 0.50
 ip dhcp snooping trust
!
Authenticator:
switch: WS-C3750G-24TS-1U
sw: c3750-ipbase-mz.122-35.SE5, c3750-ipbasek9-mz.122-55.SE9
switch: WS-C2960-24TT-L
sw: c2960-lanbasek9-mz.122-58.SE2
config:
!
aaa new-model
!
aaa authentication login admacc local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
cisp enable
dot1x system-auth-control
!
interface GigabitEthernet1/0/3
 description dot1x port for NEAT Suplicant switch
 switchport mode access
 ip arp inspection trust
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x max-reauth-req 6
 storm-control broadcast level 0.30
 storm-control multicast level 0.30
 storm-control action shutdown
 spanning-tree portfast
 ip dhcp snooping trust
!
radius-server host ...removed... auth-port 1812 acct-port 1813 key 7 ...removed...
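An added example, not part of the thread and not Cisco or Microsoft code: a small model of RFC 3748 EAP method negotiation that shows why a supplicant limited to EAP-MSCHAPv2 (type 26) finds no common method with a policy that allows only PEAP (type 25). The packet bytes are constructed, the function names are hypothetical, and the Legacy Nak reply from the supplicant is an assumption about the exchange.

```python
import struct

# EAP Code and method Type numbers from RFC 3748 / the IANA EAP registry.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             25: "PEAP", 26: "EAP-MSCHAPv2"}

def type_name(t: int) -> str:
    return EAP_TYPES.get(t, f"type {t}")

def parse_eap(packet: bytes) -> dict:
    """Decode an EAP packet: Code, Identifier, Length, then Type and data."""
    if len(packet) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in EAP_CODES or length < 4 or length > len(packet):
        raise ValueError("bad EAP Code or Length field")
    eap = {"code": EAP_CODES[code], "id": ident, "type": None, "data": b""}
    if code in (1, 2) and length >= 5:   # Success/Failure carry no Type byte
        eap["type"], eap["data"] = packet[4], packet[5:length]
    return eap

def negotiate(offered: int, allowed: set, peer_reply: bytes) -> str:
    """Server-side view of one negotiation step (hypothetical helper)."""
    eap = parse_eap(peer_reply)
    if eap["code"] != "Response":
        return "reject: not an EAP-Response"
    if eap["type"] == offered:
        return f"accept: continue {type_name(offered)}"
    if eap["type"] == 3:                 # Legacy Nak lists the peer's methods
        wanted = [t for t in eap["data"] if t != 0]
        common = [t for t in wanted if t in allowed]
        if common:
            return f"retry with {type_name(common[0])}"
        names = ", ".join(type_name(t) for t in wanted) or "nothing"
        return f"reject: no common EAP method (peer wants {names})"
    return f"reject: unexpected {type_name(eap['type'])}"

# Constructed sample: Response, id 7, length 6, Type 3 (Nak), desired type 26.
NAK_WANTS_MSCHAPV2 = bytes([2, 7, 0, 6, 3, 26])

if __name__ == "__main__":
    print(negotiate(25, {25}, NAK_WANTS_MSCHAPV2))      # PEAP-only policy
    print(negotiate(25, {25, 26}, NAK_WANTS_MSCHAPV2))  # policy also allows 26
```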