I'm hoping someone will be able to help me out here.
The problem is that with any EAP method of authentication that utilizes authentication with a certificate or smart card the switch will somehow impede authentication with the radius server.
The EAP Methods I have tried on a SG-300-28P and ESW-540-24p switch are:
PEAP (Smart Card)
I know that the radius server works because when I switch to a different switch the client works just fine, or if I keep the client on this switch and use any password method (PEAP (MSCHAPv2), MSCHAPv2, EAP-MD5) it also works.
The log file for EAP-FAST on an SG-300 switch is:
2147483643 2012-Jan-27 00:28:34 Informational %LINK-I-Up: gi10, aggregated (1)
2147483644 2012-Jan-27 00:28:31 Warning %LINK-W-Down: gi10, aggregated (1)
2147483645 2012-Jan-27 00:28:31 Informational %LINK-I-Up: gi10
2147483646 2012-Jan-27 00:28:16 Warning %LINK-W-Down: gi10
I noticed that with this method it doesn't even report a result from the radius server; however, the radius server reports an EAP Timeout.
The log file for EAP-TLS on an SG-300 switch is:
2147483642 2012-Jan-27 00:37:00 Warning %SEC-W-SUPPLICANTUNAUTHORIZED: MAC xx:xx:xx:xx:xx:xx was rejected on port gi10 because Radius server does not respond
2147483643 2012-Jan-27 00:36:23 Informational %LINK-I-Up: gi10, aggregated (1)
2147483644 2012-Jan-27 00:36:20 Warning %LINK-W-Down: gi10, aggregated (1)
2147483645 2012-Jan-27 00:36:20 Informational %LINK-I-Up: gi10
2147483646 2012-Jan-27 00:36:02 Warning %LINK-W-Down: gi10
In both cases the radius server logged an EAP Timeout. Again, this only happens when the EAP method or version of authentication used deals with certificate authentication.
Only with the 3 Cisco small business switches we have, have I run into this problem. The Cisco Aironet and other switches (by other manufacturers) work just fine.
Please help me.
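To make the two switch logs above easier to compare, here is a small parser for the SG-300 syslog format shown in them. This is an added example, not code from the thread or from Cisco; it assumes only the line layout visible in the quoted lines (sequence number, date, time, severity, %FACILITY-SEV-MNEMONIC: message). The EAP-TLS sample below is copied from the post (the MAC is already masked there), and the EAP-FAST sample is the other quoted log; the function names are my own. It flags the "Radius server does not respond" rejections and measures how long after link-up they arrive, which is the EAP timeout the radius side logs. For the EAP-FAST log the report is empty: the switch logged nothing at all, so the RADIUS server's own log is the only place the timeout shows up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines copied from the thread (EAP-TLS case on the SG-300).
SAMPLE_LOG_EAP_TLS = """\
2147483642 2012-Jan-27 00:37:00 Warning %SEC-W-SUPPLICANTUNAUTHORIZED: MAC xx:xx:xx:xx:xx:xx was rejected on port gi10 because Radius server does not respond
2147483643 2012-Jan-27 00:36:23 Informational %LINK-I-Up: gi10, aggregated (1)
2147483644 2012-Jan-27 00:36:20 Warning %LINK-W-Down: gi10, aggregated (1)
2147483645 2012-Jan-27 00:36:20 Informational %LINK-I-Up: gi10
2147483646 2012-Jan-27 00:36:02 Warning %LINK-W-Down: gi10
"""

# Log lines copied from the thread (EAP-FAST case): link events only, no SEC event.
SAMPLE_LOG_EAP_FAST = """\
2147483643 2012-Jan-27 00:28:34 Informational %LINK-I-Up: gi10, aggregated (1)
2147483644 2012-Jan-27 00:28:31 Warning %LINK-W-Down: gi10, aggregated (1)
2147483645 2012-Jan-27 00:28:31 Informational %LINK-I-Up: gi10
2147483646 2012-Jan-27 00:28:16 Warning %LINK-W-Down: gi10
"""

# Assumed line layout, derived from the quoted lines only.
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\d{4}-[A-Za-z]{3}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<severity>\w+)\s+%(?P<facility>[A-Z]+)-(?P<sev>[A-Z])-(?P<mnemonic>\w+):\s*(?P<msg>.*)$"
)
PORT_RE = re.compile(r"\b(gi\d+)\b")
MAC_RE = re.compile(r"MAC\s+([0-9a-fA-Fx]{2}(?::[0-9a-fA-Fx]{2}){5})")


def parse_line(line):
    """Split one SG-300 syslog line into fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["timestamp"] = datetime.strptime(f"{e['date']} {e['time']}", "%Y-%b-%d %H:%M:%S")
    port = PORT_RE.search(e["msg"])
    e["port"] = port.group(1) if port else None
    mac = MAC_RE.search(e["msg"])
    e["mac"] = mac.group(1) if mac else None
    return e


def parse_log(text):
    """Parse all lines and return them oldest-first (the switch prints newest first)."""
    entries = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    entries.sort(key=lambda e: (e["timestamp"], -int(e["seq"])))
    return entries


def radius_no_response(entries):
    """Supplicant rejections caused by the switch getting no answer from RADIUS."""
    return [e for e in entries
            if e["mnemonic"] == "SUPPLICANTUNAUTHORIZED" and "does not respond" in e["msg"]]


def link_flaps(entries):
    """Count Down->Up cycles per port; the 'aggregated' lines repeat the same event."""
    flaps = defaultdict(int)
    down = set()
    for e in entries:
        if e["facility"] != "LINK" or "aggregated" in e["msg"]:
            continue
        if e["mnemonic"] == "Down":
            down.add(e["port"])
        elif e["mnemonic"] == "Up" and e["port"] in down:
            down.discard(e["port"])
            flaps[e["port"]] += 1
    return dict(flaps)


def summarize(text):
    """Per port: RADIUS no-response rejections, link flaps, and delay from link-up to rejection."""
    entries = parse_log(text)
    flaps = link_flaps(entries)
    report = {}
    for rej in radius_no_response(entries):
        port = rej["port"]
        ups = [e for e in entries
               if e["facility"] == "LINK" and e["mnemonic"] == "Up" and e["port"] == port
               and "aggregated" not in e["msg"] and e["timestamp"] <= rej["timestamp"]]
        since = (rej["timestamp"] - ups[-1]["timestamp"]).total_seconds() if ups else None
        r = report.setdefault(port, {"radius_no_response": 0,
                                     "link_flaps": flaps.get(port, 0),
                                     "seconds_since_link_up": None})
        r["radius_no_response"] += 1
        r["seconds_since_link_up"] = since
    return report


if __name__ == "__main__":
    print("EAP-TLS :", summarize(SAMPLE_LOG_EAP_TLS))
    print("EAP-FAST:", summarize(SAMPLE_LOG_EAP_FAST))
```

The 40 second gap between the port coming up and the rejection on the EAP-TLS log is the number to line up against the EAP timeout on the RADIUS side; if the two agree, the switch is dropping or not forwarding the larger certificate-carrying EAP fragments rather than the RADIUS server rejecting the client.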
We never did find a solution to this problem on the Cisco small business switches. Eventually we upgraded them all to the Cisco Catalyst 3750X and 3560X switches, and these problems do not exist on the new switches. It may be some kind of limitation that was not mentioned.
If anyone has an idea why this is happening, I would be grateful to hear it.
I am trying to fix the same issue, nearly two years after you tried it, still without success.
Even the latest software update for these SG300s didn't help...
Has someone else found a solution for this?
- I changed nearly every setting at the Radius server to find a possible work around...
Changing to bigger switches is not an option, as these small desktop switches are placed on some tables in the office.
Fixed now, without support from Cisco; they were not able to help here... :/
General hints, as I don't want to spend more time on this...:
- Enable EAP-MD5 on the Windows Server 2008R2 (via registry)
- created a rule to allow EAP-MD5 (SG300) beside PAP (all the rest)
- Hosts with username/password (both MAC address) and password decryption enabled (+special PSO for these settings)