Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2966
Views
10
Helpful
5
Replies

Switch refuses EAP Certificate Authentication

zidacjarrett
Level 1
Level 1

‎01-27-2012 12:32 AM

Hi Everyone,

I'm hoping someone will be able to help me out here.

The problem is that with any EAP method of authentication that utilizes authentication with a certificate or smart card the switch will somehow impede authentication with the radius server.

The EAP Methods I have tried on a SG-300-28P and ESW-540-24p switch are:

EAP-TLS

EAP-FAST

PEAP (Smart Card)

Smart Card

I know that the radius server works because when I switch to a different switch the client works just fine, or if I keep the client on this switch and use any password method (PEAP (MSCHAPv2), MSCHAPv2, EAP-MD5) it also works.

The log file for EAP-FAST on a SG-300 switch is:

    2147483643   2012-Jan-27 00:28:34 Informational   %LINK-I-Up:  gi10, aggregated (1)       

    2147483644   2012-Jan-27 00:28:31 Warning   %LINK-W-Down:  gi10, aggregated (1)       

    2147483645   2012-Jan-27 00:28:31 Informational   %LINK-I-Up:  gi10       

    2147483646   2012-Jan-27 00:28:16 Warning   %LINK-W-Down:  gi10       

I noticed that on this method it doesnt even report a result from the radius server, however the radius server reports an EAP Timeout

The log file for EAP-TLS on a SG-300 switch is:

     2147483642   2012-Jan-27 00:37:00 Warning   %SEC-W-SUPPLICANTUNAUTHORIZED: MAC xx:xx:xx:xx:xx:xx was rejected on port gi10     because Radius server does not respond       

    2147483643   2012-Jan-27 00:36:23 Informational   %LINK-I-Up:  gi10, aggregated (1)       

    2147483644   2012-Jan-27 00:36:20 Warning   %LINK-W-Down:  gi10, aggregated (1)       

    2147483645   2012-Jan-27 00:36:20 Informational   %LINK-I-Up:  gi10       

    2147483646   2012-Jan-27 00:36:02 Warning   %LINK-W-Down:  gi10       

In both cases the radius server logged a EAP Timeout. Again this only happens when any EAP method or version of authentication used deals with certificate authentication.

Only with the 3 Cisco small business switches we have, have I ran into this problem. The Cisco Aironet and Other Switches (by other manufacturers) work just fine.

Please help me.

Thanks!

zidacjarrett

Labels:
0 Helpful
5 Replies 5

anotherview
Level 1
Level 1

‎09-20-2012 12:27 AM

I have the same problem with SG300-28.
Did you find any issues ?

Thanks.

Best Regard

Jarrett Cadiz
Level 1
Level 1
In response to anotherview

‎09-27-2012 02:35 PM

Hi Dimitri,

We never did find a solution to this problem on the Cisco small business switches. Eventually we upgraded them all to the Cisco Catalyst 3750x and 3560x switches and these problems are not existant on the new switches. It may be some kind of limitation that was not mentioned.

If anyone has an idea why this is happening I would be greatful to hear it.

Thanks,

Jarrett
http://www.jarrettcadiz.com
http://www.cloudchase.net/company/jarrettcadiz

Jarrett http://www.jarrettcadiz.com http://www.cloudchase.net/company/jarrettcadiz

Stefanobi
Level 1
Level 1

‎07-09-2014 06:14 AM

Hi zidacjarrett,

I am trying to fix the same issue, nearly two years after your tried it - still without success.

Even the latest software update for these sg300 didn`t help...

 

Someone else found a solution for this?

- I changed nearly every setting at the Radius server to find a possible work around...

 

Changing to a bigger switches is no option, as these small desktop switches are placed on some tables in the office.

 

Cheers

Stefan

 

 

0 Helpful

Stefanobi
Level 1
Level 1

‎07-14-2014 05:18 AM

Fixed now - without support of Cisco, they were not able to help here... :/

 

General hints as I dont want to spend more time on this...:

- Enable EAP-MD5 on the Windows Server 2008R2 (via registry)

- created a rule to allow EAP-MD5 (SG300) beside PAP (all the rest)

- Hosts with username/password (both MAC address) and password decryption enabled (+special PSO for these settings)

have fun

0 Helpful

luumanioro
Level 1
Level 1
In response to Stefanobi

‎07-22-2014 07:22 AM

Hi Stefanobi do you use in your configuration dynamic vpn assignment to authenticated ports? I have very simillar configuration in my network and port based authentication utilising computer certificates works without any problems except from Vlan assignments. I have two core switches catalyst 3560 and three esw540 access switches, trunk ports between switches are correctly configured, I have also network policies for 802.1x authentication and Vlan assignments, all works fine on 3560 switches and my workstations are authenticated correctly and also assigned to the correct Vlan, based on policy but somehow this doesn't work on my esw540 switches. I can see on my NHS that authentication works only when I specify access Vlan for the specific port otherwise Vlan is not assigned dynamically. hope I described my issue as clear as possible and someone can give me a tip how to make this up and running.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Switch products supported in this community
Cisco Business Product Family
  • CBS110
  • CBS220
  • CBS250
  • CBS350
Cisco Switching Product Family
  • 110
  • 200
  • 220
  • 250
  • 300
  • 350
  • 350X
  • 550X
Customers Also Viewed These Support Documents