05-08-2015 07:22 AM
Update: to add to this, it is also working on a C2950 (12.1(22)EA14) but still not on a C2960G
Hello
I am attempting to set up 802.1x authentication on all of our switches.
I have successfully got EAP-TLS computer and phone authentication working via Cisco SG300 (FW 1.2.9.44), Windows NPS and FreeRadius. (phones authenticate to FreeRadius and Windows computers authenticate to NPS)
However, the same computers do not authenticate when plugged into a C2960G (12.2(25)SEE2).
The switch sends the access request and NPS replies, but it looks as though there is either something wrong with the request to negotiate or the switch is just completely ignoring it.
Here is the debug from the switch:
RADIUS: AAA Unsupported [161] 19
RADIUS: 47 69 67 61 62 69 74 45 74 68 65 72 6E 65 74 30 [GigabitEthernet0]
RADIUS: 2F [/]
RADIUS(00000024): Storing nasport 50041 in rad_db
RADIUS(00000024): Config NAS IP: 0.0.0.0
RADIUS/ENCODE(00000024): acct_session_id: 15925248
RADIUS(00000024): sending
RADIUS/ENCODE: Best Local IP-Address 192.168.1.104 for Radius-Server 192.168.1.24
RADIUS(00000024): Send Access-Request to 192.168.1.24:1645 id 21645/78, len 175
RADIUS: authenticator 17 FA 37 C1 51 19 F1 3E - 51 D1 17 33 9C 58 55 E2
RADIUS: User-Name [1] 32 "host/laptop01.local-domain.com"
RADIUS: Service-Type [6] 6 Framed [2]
RADIUS: Framed-MTU [12] 6 1500
RADIUS: Called-Station-Id [30] 19 "00-1A-6C-E7-F4-A9"
RADIUS: Calling-Station-Id [31] 19 "00-26-B9-CC-74-8B"
RADIUS: EAP-Message [79] 37
RADIUS: 02 02 00 23 01 68 6F 73 74 2F 6C 75 6B 6C 61 70 [???#?host/laptop]
RADIUS: 36 34 2E 6C 68 61 73 61 6C 69 6D 69 74 65 64 2E [01.local-domain]
RADIUS: 6F 72 67 [com]
RADIUS: Message-Authenticato[80] 18
RADIUS: 40 2E 67 59 BE 50 45 E4 0A B1 5F EF EC AC AE 55 [@.gY?PE???_????U]
RADIUS: NAS-Port [5] 6 50041
RADIUS: NAS-Port-Type [61] 6 Eth [15]
RADIUS: NAS-IP-Address [4] 6 192.168.1.104
%LINK-3-UPDOWN: Interface GigabitEthernet0/41, changed state to up
RADIUS: No response from (192.168.1.24:1645,1646) for id 21645/78
RADIUS/DECODE: parse response no app start; FAIL
RADIUS/DECODE: parse response; FAIL
Here are the EAP trace logs from the NPS server (the RADIUS server 192.168.1.24):
[5860] 05-08 14:52:32:902: EapPeapBegin
[5860] 05-08 14:52:32:902: EapPeapBegin - flags(0x2)
[5860] 05-08 14:52:32:902: PeapReadUserData dwSize:0x80
[5860] 05-08 14:52:32:902:
[5860] 05-08 14:52:32:902: EapTlsBegin(localdomain\laptop01$)
[5860] 05-08 14:52:32:902: SetupMachineChangeNotification
[5860] 05-08 14:52:32:902: State change to Initial
[5860] 05-08 14:52:32:902: EapTlsBegin: Detected PEAP authentication
[5860] 05-08 14:52:32:902: MaxTLSMessageLength is now 16384
[5860] 05-08 14:52:32:902: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[5860] 05-08 14:52:32:902: CRYPT_E_REVOCATION_OFFLINE will not be ignored
[5860] 05-08 14:52:32:902: The root cert will not be checked for revocation
[5860] 05-08 14:52:32:902: The cert will be checked for revocation
[5860] 05-08 14:52:32:902: Unable to read TLS version registry key, return code 2
[5860] 05-08 14:52:32:902: EapPeapBegin done
[5860] 05-08 14:52:32:902: EapPeapMakeMessage
[5860] 05-08 14:52:32:902: EapPeapSMakeMessage, flags(0x405)
[5860] 05-08 14:52:32:902: EapPeapSMakeMessage, user prop flags(0x1)
[5860] 05-08 14:52:32:902: PEAP:PEAP_STATE_INITIAL
[5860] 05-08 14:52:32:902: EapTlsSMakeMessage, state(0)
[5860] 05-08 14:52:32:902: EapTlsReset
[5860] 05-08 14:52:32:902: State change to Initial
[5860] 05-08 14:52:32:902: EapGetCredentials
[5860] 05-08 14:52:32:902: Flag is Server and Store is local Machine
[5860] 05-08 14:52:32:902: GetCachedCredentials Flags = 0x40e1
[5860] 05-08 14:52:32:902: FindNodeInCachedCredList, flags(0x40e1), default cached creds(0), check thread token(1)
[5860] 05-08 14:52:32:902: pNode->dwCredFlags = 0x14
[5860] 05-08 14:52:32:902: pNode->dwCredFlags = 0x12
[5860] 05-08 14:52:32:902: GetCachedCredentials: Using Cached Credentials
[5860] 05-08 14:52:32:902: GetCachedCredentials: Hash of the cert in the cache is
69 F0 63 1B 54 D9 25 14 2C 89 99 3F 62 76 A6 0C |i.c.T.%.,..?bv..|
A3 55 5F AB 00 00 00 00 00 00 00 00 00 00 00 00 |.U_.............|
[5860] 05-08 14:52:32:902: Certificate public key length = 1024 bits
[5860] 05-08 14:52:32:902: BuildPacket
[5860] 05-08 14:52:32:902: << Sending Request (Code: 1) packet: Id: 3, Length: 6, Type: 13, TLS blob length: 0. Flags: S
[5860] 05-08 14:52:32:902: State change to SentStart
[5860] 05-08 14:52:32:902: EapPeapSMakeMessage done
[5860] 05-08 14:52:32:902: EapPeapMakeMessage done
For comparison, here is an EAP trace log from when it works with the SG300 switch:
[5048] 05-08 13:24:38:565: EapPeapBegin
[5048] 05-08 13:24:38:565: EapPeapBegin - flags(0x2)
[5048] 05-08 13:24:38:565: PeapReadUserData dwSize:0x80
[5048] 05-08 13:24:38:565:
[5048] 05-08 13:24:38:565: EapTlsBegin(domain\laptop01$)
[5048] 05-08 13:24:38:565: SetupMachineChangeNotification
[5048] 05-08 13:24:38:565: State change to Initial
[5048] 05-08 13:24:38:565: EapTlsBegin: Detected PEAP authentication
[5048] 05-08 13:24:38:565: MaxTLSMessageLength is now 16384
[5048] 05-08 13:24:38:565: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[5048] 05-08 13:24:38:565: CRYPT_E_REVOCATION_OFFLINE will not be ignored
[5048] 05-08 13:24:38:565: The root cert will not be checked for revocation
[5048] 05-08 13:24:38:565: The cert will be checked for revocation
[5048] 05-08 13:24:38:565: Unable to read TLS version registry key, return code 2
[5048] 05-08 13:24:38:565: EapPeapBegin done
[5048] 05-08 13:24:38:565: EapPeapMakeMessage
[5048] 05-08 13:24:38:565: EapPeapSMakeMessage, flags(0x405)
[5048] 05-08 13:24:38:565: EapPeapSMakeMessage, user prop flags(0x1)
[5048] 05-08 13:24:38:565: PEAP:PEAP_STATE_INITIAL
[5048] 05-08 13:24:38:565: EapTlsSMakeMessage, state(0)
[5048] 05-08 13:24:38:565: EapTlsReset
[5048] 05-08 13:24:38:565: State change to Initial
[5048] 05-08 13:24:38:565: EapGetCredentials
[5048] 05-08 13:24:38:565: Flag is Server and Store is local Machine
[5048] 05-08 13:24:38:565: GetCachedCredentials Flags = 0x40e1
[5048] 05-08 13:24:38:565: FindNodeInCachedCredList, flags(0x40e1), default cached creds(0), check thread token(1)
[5048] 05-08 13:24:38:565: pNode->dwCredFlags = 0x14
[5048] 05-08 13:24:38:565: pNode->dwCredFlags = 0x12
[5048] 05-08 13:24:38:565: GetCachedCredentials: Using Cached Credentials
[5048] 05-08 13:24:38:565: GetCachedCredentials: Hash of the cert in the cache is
69 F0 63 1B 54 D9 25 14 2C 89 99 3F 62 76 A6 0C |i.c.T.%.,..?bv..|
A3 55 5F AB 00 00 00 00 00 00 00 00 00 00 00 00 |.U_.............|
[5048] 05-08 13:24:38:565: Certificate public key length = 1024 bits
[5048] 05-08 13:24:38:565: BuildPacket
[5048] 05-08 13:24:38:565: << Sending Request (Code: 1) packet: Id: 7, Length: 6, Type: 13, TLS blob length: 0. Flags: S
[5048] 05-08 13:24:38:565: State change to SentStart
[5048] 05-08 13:24:38:565: EapPeapSMakeMessage done
[5048] 05-08 13:24:38:565: EapPeapMakeMessage done
[5048] 05-08 13:24:38:565: EapPeapEnd
[5048] 05-08 13:24:38:565: EapTlsEnd
[5048] 05-08 13:24:38:565: EapTlsEnd(domain\laptop01$)
[5048] 05-08 13:24:38:565: EapTlsEnd
[5048] 05-08 13:24:38:565: EapPeapEnd done
[5048] 05-08 13:24:38:565: EapPeapEnd
[5048] 05-08 13:24:38:565: EapTlsEnd
[5048] 05-08 13:24:38:565: EapTlsEnd(domain\laptop01$)
[5048] 05-08 13:24:38:565: EapTlsEnd
[5048] 05-08 13:24:38:565: EapPeapEnd done
[5048] 05-08 13:24:38:565: EapPeapEnd
[5048] 05-08 13:24:38:565: EapTlsEnd
[5048] 05-08 13:24:38:565: EapTlsEnd(domain\laptop01$)
[5048] 05-08 13:24:38:565: EapTlsEnd
[5048] 05-08 13:24:38:565: EapPeapEnd done
[5860] 05-08 13:24:38:580: EapPeapMakeMessage
[5860] 05-08 13:24:38:580: EapPeapSMakeMessage, flags(0x405)
[5860] 05-08 13:24:38:580: EapPeapSMakeMessage, user prop flags(0x1)
[5860] 05-08 13:24:38:580: Cloned PPP_EAP_PACKET packet
[5860] 05-08 13:24:38:580: PEAP:PEAP_STATE_TLS_INPROGRESS
[5860] 05-08 13:24:38:580: EapTlsSMakeMessage, state(1)
[5860] 05-08 13:24:38:580: MakeReplyMessage
[5860] 05-08 13:24:38:580: Reallocating input TLS blob buffer
[5860] 05-08 13:24:38:580: SecurityContextFunction
[5860] 05-08 13:24:38:596: AcceptSecurityContext returned 0x90312
[5860] 05-08 13:24:38:596: State change to SentHello
[5860] 05-08 13:24:38:596: BuildPacket
[5860] 05-08 13:24:38:596: << Sending Request (Code: 1) packet: Id: 8, Length: 1468, Type: 13, TLS blob length: 1458. Flags: L
[5860] 05-08 13:24:38:596: EapPeapSMakeMessage done
[5860] 05-08 13:24:38:596: EapPeapMakeMessage done
[5048] 05-08 13:24:38:611: EapPeapMakeMessage
[5048] 05-08 13:24:38:611: EapPeapSMakeMessage, flags(0x605)
[5048] 05-08 13:24:38:611: EapPeapSMakeMessage, user prop flags(0x1)
[5048] 05-08 13:24:38:611: Cloned PPP_EAP_PACKET packet
[5048] 05-08 13:24:38:611: PEAP:PEAP_STATE_TLS_INPROGRESS
[5048] 05-08 13:24:38:611: EapTlsSMakeMessage, state(2)
[5048] 05-08 13:24:38:611: MakeReplyMessage
[5048] 05-08 13:24:38:611: Reallocating input TLS blob buffer
[5048] 05-08 13:24:38:611: SecurityContextFunction
[5048] 05-08 13:24:38:611: AcceptSecurityContext returned 0x0
[5048] 05-08 13:24:38:611: PEAP: Negotiated protocol and cipher information (SecPkgContext_ConnectionInfo) dwProtocol = 64 aiCipher = 26126 dwCipherStrength = 128 aiHash = 32772 dwHashStrength = 160 aiExch = 41984 dwExchStrength = 1024
[5048] 05-08 13:24:38:611: AuthenticateUser
[5048] 05-08 13:24:38:611: Got no credentials from the client and executing PEAP. This is normal for PEAP.
[5048] 05-08 13:24:38:611: CreateMPPEKeyAttributes
[5048] 05-08 13:24:38:611: State change to SentFinished
[5048] 05-08 13:24:38:611: BuildPacket
[5048] 05-08 13:24:38:611: << Sending Request (Code: 1) packet: Id: 9, Length: 69, Type: 13, TLS blob length: 59. Flags: L
[5048] 05-08 13:24:38:611: EapPeapSMakeMessage done
[5048] 05-08 13:24:38:611: EapPeapMakeMessage done
[5860] 05-08 13:24:38:611: EapPeapMakeMessage
[5860] 05-08 13:24:38:611: EapPeapSMakeMessage, flags(0x605)
[5860] 05-08 13:24:38:611: EapPeapSMakeMessage, user prop flags(0x1)
[5860] 05-08 13:24:38:611: Cloned PPP_EAP_PACKET packet
[5860] 05-08 13:24:38:611: PEAP:PEAP_STATE_TLS_INPROGRESS
[5860] 05-08 13:24:38:611: EapTlsSMakeMessage, state(3)
[5860] 05-08 13:24:38:611: Negotiation successful
[5860] 05-08 13:24:38:611: IsTLSSessionReconnect
[5860] 05-08 13:24:38:611: Full Tls authentication performed
[5860] 05-08 13:24:38:611: BuildPacket
[5860] 05-08 13:24:38:611: << Sending Success (Code: 3) packet: Id: 9, Length: 4, Type: 0, TLS blob length: 0. Flags:
[5860] 05-08 13:24:38:611: AuthResultCode = (0), bCode = (3)
[5860] 05-08 13:24:38:611: PeapGetTunnelProperties
[5860] 05-08 13:24:38:611: Successfully negotiated TLS with following parametersdwProtocol = 0x40, Cipher= 0x660e, CipherStrength=0x80, Hash=0x8004
[5860] 05-08 13:24:38:611: PeapGetTunnelProperties done
[5860] 05-08 13:24:38:611: GetTLSSessionCookie
[5860] 05-08 13:24:38:611: IsTLSSessionReconnect
[5860] 05-08 13:24:38:611: Full Tls authentication performed
[5860] 05-08 13:24:38:611: Full authentication
[5860] 05-08 13:24:38:611: PeapEncryptTunnelData
[5860] 05-08 13:24:38:611: Blob length 37
[5860] 05-08 13:24:38:611: PeapEncryptTunnelData completed with status 0x0
[5860] 05-08 13:24:38:611: EapPeapSMakeMessage done
[5860] 05-08 13:24:38:611: EapPeapMakeMessage done
[5048] 05-08 13:24:38:627: EapPeapMakeMessage
[5048] 05-08 13:24:38:627: EapPeapSMakeMessage, flags(0x605)
[5048] 05-08 13:24:38:627: EapPeapSMakeMessage, user prop flags(0x1)
[5048] 05-08 13:24:38:627: Cloned PPP_EAP_PACKET packet
[5048] 05-08 13:24:38:627: PEAP:PEAP_STATE_IDENTITY_REQUEST_SENT
[5048] 05-08 13:24:38:627: PeapDecryptTunnelData dwSizeofData = 69, pData = 0xdb1c17c6
[5048] 05-08 13:24:38:627: Blob length 69
[5048] 05-08 13:24:38:627: PeapDecryptTunnelData completed with status 0x0
[5048] 05-08 13:24:38:627: Buffer length is 31
[5048] 05-08 13:24:38:627: PEAP: Sending PEAP capabilities request to client
[5048] 05-08 13:24:38:627: PeapEncryptTunnelData
[5048] 05-08 13:24:38:627: Blob length 53
[5048] 05-08 13:24:38:627: PeapEncryptTunnelData completed with status 0x0
[5048] 05-08 13:24:38:627: EapPeapSMakeMessage done
[5048] 05-08 13:24:38:627: EapPeapMakeMessage done
[5860] 05-08 13:24:38:627: EapPeapMakeMessage
[5860] 05-08 13:24:38:627: EapPeapSMakeMessage, flags(0x605)
[5860] 05-08 13:24:38:627: EapPeapSMakeMessage, user prop flags(0x1)
[5860] 05-08 13:24:38:627: Cloned PPP_EAP_PACKET packet
[5860] 05-08 13:24:38:627: PEAP:PEAP_STATE_CAPABILITIES_REQ_SENT
[5860] 05-08 13:24:38:627: PeapDecryptTunnelData dwSizeofData = 53, pData = 0x9b09c1c6
[5860] 05-08 13:24:38:627: Blob length 53
[5860] 05-08 13:24:38:627: PeapDecryptTunnelData completed with status 0x0
[5860] 05-08 13:24:38:627: Buffer length is 16
[5860] 05-08 13:24:38:627: PEAP: Received PEAP capabilities response from client
[5860] 05-08 13:24:38:627: Client is Inner fragmentation Capable
[5860] 05-08 13:24:38:643:
[5860] 05-08 13:24:38:643: EapTlsBegin(domain\laptop01$)
[5860] 05-08 13:24:38:643: SetupMachineChangeNotification
[5860] 05-08 13:24:38:643: State change to Initial
[5860] 05-08 13:24:38:643: EapTlsBegin: Detected PEAP authentication
[5860] 05-08 13:24:38:643: MaxTLSMessageLength is now 16384
[5860] 05-08 13:24:38:643: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[5860] 05-08 13:24:38:643: CRYPT_E_REVOCATION_OFFLINE will not be ignored
[5860] 05-08 13:24:38:643: The root cert will not be checked for revocation
[5860] 05-08 13:24:38:643: The cert will be checked for revocation
[5860] 05-08 13:24:38:643: Unable to read TLS version registry key, return code 2
[5860] 05-08 13:24:38:643:
[5860] 05-08 13:24:38:643: EapTlsMakeMessage(domain\laptop01$)
[5860] 05-08 13:24:38:643: EapTlsSMakeMessage, state(0)
[5860] 05-08 13:24:38:643: EapTlsReset
[5860] 05-08 13:24:38:643: State change to Initial
[5860] 05-08 13:24:38:643: EapGetCredentials
[5860] 05-08 13:24:38:643: Flag is Server and Store is local Machine
[5860] 05-08 13:24:38:643: GetCachedCredentials Flags = 0x10061
[5860] 05-08 13:24:38:643: FindNodeInCachedCredList, flags(0x10061), default cached creds(0), check thread token(1)
[5860] 05-08 13:24:38:643: pNode->dwCredFlags = 0x14
[5860] 05-08 13:24:38:643: GetCachedCredentials: Using Cached Credentials
[5860] 05-08 13:24:38:643: GetCachedCredentials: Hash of the cert in the cache is
69 F0 63 1B 54 D9 25 14 2C 89 99 3F 62 76 A6 0C |i.c.T.%.,..?bv..|
A3 55 5F AB 00 00 00 00 00 00 00 00 00 00 00 00 |.U_.............|
[5860] 05-08 13:24:38:643: Certificate public key length = 1024 bits
[5860] 05-08 13:24:38:643: BuildPacket
[5860] 05-08 13:24:38:643: << Sending Request (Code: 1) packet: Id: 12, Length: 6, Type: 13, TLS blob length: 0. Flags: S
[5860] 05-08 13:24:38:643: State change to SentStart
[5860] 05-08 13:24:38:643: PeapEncryptTunnelData
[5860] 05-08 13:24:38:643: Blob length 37
[5860] 05-08 13:24:38:643: PeapEncryptTunnelData completed with status 0x0
[5860] 05-08 13:24:38:643: EapPeapSMakeMessage done
[5860] 05-08 13:24:38:643: EapPeapMakeMessage done
[5048] 05-08 13:24:38:643: EapPeapMakeMessage
[5048] 05-08 13:24:38:643: EapPeapSMakeMessage, flags(0x605)
[5048] 05-08 13:24:38:643: EapPeapSMakeMessage, user prop flags(0x1)
[5048] 05-08 13:24:38:643: Cloned PPP_EAP_PACKET packet
[5048] 05-08 13:24:38:643: PEAP:PEAP_STATE_EAP_TYPE_INPROGRESS
[5048] 05-08 13:24:38:643: PeapDecryptTunnelData dwSizeofData = 165, pData = 0xfea4a436
[5048] 05-08 13:24:38:643: Blob length 165
[5048] 05-08 13:24:38:643: PeapDecryptTunnelData completed with status 0x0
[5048] 05-08 13:24:38:643: Buffer length is 135
[5048] 05-08 13:24:38:643:
[5048] 05-08 13:24:38:643: EapTlsMakeMessage(domain\laptop01$)
[5048] 05-08 13:24:38:643: >> Received Response (Code: 2) packet: Id: 12, Length: 139, Type: 13, TLS blob length: 129. Flags: L
[5048] 05-08 13:24:38:643: EapTlsSMakeMessage, state(1)
[5048] 05-08 13:24:38:643: MakeReplyMessage
[5048] 05-08 13:24:38:643: Reallocating input TLS blob buffer
[5048] 05-08 13:24:38:643: SecurityContextFunction
[5048] 05-08 13:24:38:643: AcceptSecurityContext returned 0x90312
[5048] 05-08 13:24:38:643: State change to SentHello
[5048] 05-08 13:24:38:643: BuildPacket
[5048] 05-08 13:24:38:643: << Sending Request (Code: 1) packet: Id: 13, Length: 155, Type: 13, TLS blob length: 145. Flags: L
[5048] 05-08 13:24:38:643: PeapEncryptTunnelData
[5048] 05-08 13:24:38:643: Blob length 181
[5048] 05-08 13:24:38:643: PeapEncryptTunnelData completed with status 0x0
[5048] 05-08 13:24:38:643: EapPeapSMakeMessage done
[5048] 05-08 13:24:38:643: EapPeapMakeMessage done
[5860] 05-08 13:24:38:658: EapPeapMakeMessage
[5860] 05-08 13:24:38:658: EapPeapSMakeMessage, flags(0x605)
[5860] 05-08 13:24:38:658: EapPeapSMakeMessage, user prop flags(0x1)
[5860] 05-08 13:24:38:658: Cloned PPP_EAP_PACKET packet
[5860] 05-08 13:24:38:658: PEAP:PEAP_STATE_EAP_TYPE_INPROGRESS
[5860] 05-08 13:24:38:658: PeapDecryptTunnelData dwSizeofData = 101, pData = 0xcce918d6
[5860] 05-08 13:24:38:658: Blob length 101
[5860] 05-08 13:24:38:658: PeapDecryptTunnelData completed with status 0x0
[5860] 05-08 13:24:38:658: Buffer length is 65
[5860] 05-08 13:24:38:658:
[5860] 05-08 13:24:38:658: EapTlsMakeMessage(domain\laptop01$)
[5860] 05-08 13:24:38:658: >> Received Response (Code: 2) packet: Id: 13, Length: 69, Type: 13, TLS blob length: 59. Flags: L
[5860] 05-08 13:24:38:658: EapTlsSMakeMessage, state(2)
[5860] 05-08 13:24:38:658: MakeReplyMessage
[5860] 05-08 13:24:38:658: SecurityContextFunction
[5860] 05-08 13:24:38:658: AcceptSecurityContext returned 0x0
[5860] 05-08 13:24:38:658: EAPTLS: Negotiated protocol and cipher information (SecPkgContext_ConnectionInfo) dwProtocol = 64 aiCipher = 26126 dwCipherStrength = 128 aiHash = 32772 dwHashStrength = 160 aiExch = 41984 dwExchStrength = 1024
[5860] 05-08 13:24:38:658: AuthenticateUser
[5860] 05-08 13:24:38:658: DwGetEKUUsage
[5860] 05-08 13:24:38:658: GetEKUUsage
[5860] 05-08 13:24:38:658: Number of EKUs on the cert are 2
[5860] 05-08 13:24:38:658: FCheckPolicy
[5860] 05-08 13:24:38:658: FCheckPolicy done.
[5860] 05-08 13:24:38:658: FCheckUsage: All-Purpose: 1
[5860] 05-08 13:24:38:658: CheckUserName
[5860] 05-08 13:24:38:658: CreateOIDAttributes
[5860] 05-08 13:24:38:658: CreateMPPEKeyAttributes
[5860] 05-08 13:24:38:658: State change to SentFinished
[5860] 05-08 13:24:38:658: Negotiation successful
[5860] 05-08 13:24:38:658: IsTLSSessionReconnect
[5860] 05-08 13:24:38:658: TlsReconnect performed
[5860] 05-08 13:24:38:658: BuildPacket
[5860] 05-08 13:24:38:658: << Sending Success (Code: 3) packet: Id: 14, Length: 4, Type: 0, TLS blob length: 0. Flags:
[5860] 05-08 13:24:38:658: AuthResultCode = (0), bCode = (3)
[5860] 05-08 13:24:38:658: PeapSetTypeUserAttributes
[5860] 05-08 13:24:38:658: RasAuthAttributeConcat
[5860] 05-08 13:24:38:658: Peap passing Inner Method attributes
[5860] 05-08 13:24:38:658: EapPeapSMakeMessage done
[5860] 05-08 13:24:38:658: EapPeapMakeMessage done
[5860] 05-08 13:24:38:658: EapPeapMakeMessage
[5860] 05-08 13:24:38:658: EapPeapSMakeMessage, flags(0x605)
[5860] 05-08 13:24:38:658: EapPeapSMakeMessage, user prop flags(0x1)
[5860] 05-08 13:24:38:658: PEAP:PEAP_STATE_WAIT_FOR_SERVER_TLV
[5860] 05-08 13:24:38:658: CreateEAPTLVPacket
[5860] 05-08 13:24:38:658: TLV contents: 80 03 00 02 00 01 00 00 00 00 00 00 00 00 00 00 |................|
[5860] 05-08 13:24:38:658: Found a status TLV
[5860] 05-08 13:24:38:658: Client returned Success TLV
[5860] 05-08 13:24:38:658: Creating Cryptobinding TLV
[5860] 05-08 13:24:38:658: Adding Cryptobinding TLV
[5860] 05-08 13:24:38:658: CreateCryptoBindingTLV
[5860] 05-08 13:24:38:658: HmacSha1
[5860] 05-08 13:24:38:658: HmacSha1
[5860] 05-08 13:24:38:658: HmacSha1
[5860] 05-08 13:24:38:658: HmacSha1
[5860] 05-08 13:24:38:658: PeapEncryptTunnelData
[5860] 05-08 13:24:38:658: Blob length 101
[5860] 05-08 13:24:38:658: PeapEncryptTunnelData completed with status 0x0
[5860] 05-08 13:24:38:658: EapPeapSMakeMessage done
[5860] 05-08 13:24:38:658: EapPeapMakeMessage done
[5048] 05-08 13:24:38:674: EapPeapMakeMessage
[5048] 05-08 13:24:38:674: EapPeapSMakeMessage, flags(0x605)
[5048] 05-08 13:24:38:674: EapPeapSMakeMessage, user prop flags(0x1)
[5048] 05-08 13:24:38:674: Cloned PPP_EAP_PACKET packet
[5048] 05-08 13:24:38:674: PEAP:PEAP_STATE_PEAP_SUCCESS_SEND
[5048] 05-08 13:24:38:674: PeapDecryptTunnelData dwSizeofData = 101, pData = 0xbd8c6ea6
[5048] 05-08 13:24:38:674: Blob length 101
[5048] 05-08 13:24:38:674: PeapDecryptTunnelData completed with status 0x0
[5048] 05-08 13:24:38:674: Buffer length is 71
[5048] 05-08 13:24:38:674: IsEapTLVInsidePEAP
[5048] 05-08 13:24:38:674: CheckForUnsupportedMandatoryTLV
[5048] 05-08 13:24:38:674: GetPEAPTLVStatusMessageValueServer
[5048] 05-08 13:24:38:674: Found a result TLV 1
[5048] 05-08 13:24:38:674: GetTLV
[5048] 05-08 13:24:38:674: CreateCryptoBindingTLV
[5048] 05-08 13:24:38:674: HmacSha1
[5048] 05-08 13:24:38:674: HmacSha1
[5048] 05-08 13:24:38:674: HmacSha1
[5048] 05-08 13:24:38:674: HmacSha1
[5048] 05-08 13:24:38:674: HmacSha1
[5048] 05-08 13:24:38:674: HmacSha1
[5048] 05-08 13:24:38:674: HmacSha1
[5048] 05-08 13:24:38:674: HmacSha1
[5048] 05-08 13:24:38:674: HmacSha1
[5048] 05-08 13:24:38:674: HmacSha1
[5048] 05-08 13:24:38:674: HmacSha1
[5048] 05-08 13:24:38:674: PeapCreateCookie
[5048] 05-08 13:24:38:674: SetTLSSessionCookie
[5048] 05-08 13:24:38:674: Session cookie set successfully
[5048] 05-08 13:24:38:674: SetTLSFastReconnect
[5048] 05-08 13:24:38:674: IsTLSSessionReconnect
[5048] 05-08 13:24:38:674: Full Tls authentication performed
[5048] 05-08 13:24:38:674: Error enabling Fast Reconnects : 0x80090302
[5048] 05-08 13:24:38:674: PeapAddContextAttributes
[5048] 05-08 13:24:38:674: RasAuthAttributeConcat
[5048] 05-08 13:24:38:674: EapPeapSMakeMessage done
[5048] 05-08 13:24:38:674: EapPeapMakeMessage done
I am at a loss here, I cannot understand why it is working with the SG300 but the C2960 is failing to negotiate.
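An added example, not part of the original post: a small Python helper that reduces an NPS EAP trace to its EAP-TLS state path and packet log and reports where the exchange stopped, which makes a failing and a working trace easy to compare. It assumes the trace file has one entry per line in the format shown above; the two sample traces are constructed for illustration, and the function and field names are this example's own.

```python
import re

# One trace entry: "[thread-id] MM-DD HH:MM:SS:mmm: message"
ENTRY = re.compile(r"^\[(\d+)\]\s+(\d\d-\d\d \d\d:\d\d:\d\d:\d{3}):\s*(.*)$")
STATE = re.compile(r"State change to (\w+)")
PACKET = re.compile(
    r"(<<|>>) (?:Sending|Received) \w+ \(Code: (\d+)\) packet: Id: (\d+), "
    r"Length: (\d+), Type: (\d+), TLS blob length: (\d+)\. Flags: ?(\w*)")


def summarize(trace):
    """Return the state path, the last packet and an outcome for one trace."""
    states, packets = [], []
    for line in trace.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # hex-dump continuation lines carry no state
        msg = m.group(3)
        s = STATE.search(msg)
        if s and (not states or states[-1] != s.group(1)):
            states.append(s.group(1))  # collapse repeated identical states
        p = PACKET.search(msg)
        if p:
            packets.append({
                "time": m.group(2),
                "dir": "sent" if p.group(1) == "<<" else "received",
                "code": int(p.group(2)), "id": int(p.group(3)),
                "length": int(p.group(4)), "type": int(p.group(5)),
                "flags": p.group(7)})
    last = packets[-1] if packets else None
    # EAP codes: 1 Request, 2 Response, 3 Success, 4 Failure.
    if last and last["dir"] == "sent" and last["code"] == 3:
        outcome = "success"
    elif last and last["dir"] == "sent" and last["code"] == 4:
        outcome = "failure"
    elif last and last["dir"] == "sent":
        outcome = "stalled"  # server sent a Request and logged nothing after it
    else:
        outcome = "incomplete"
    return {"outcome": outcome, "states": states,
            "last_state": states[-1] if states else None, "last_packet": last}


# Constructed sample traces (hypothetical host and timestamps).
FAILING = r"""
[1111] 01-01 10:00:00:000: EapTlsBegin(EXAMPLE\host01$)
[1111] 01-01 10:00:00:000: State change to Initial
[1111] 01-01 10:00:00:000: << Sending Request (Code: 1) packet: Id: 3, Length: 6, Type: 13, TLS blob length: 0. Flags: S
[1111] 01-01 10:00:00:000: State change to SentStart
"""
WORKING = r"""
[2222] 01-01 11:00:00:000: State change to Initial
[2222] 01-01 11:00:00:000: << Sending Request (Code: 1) packet: Id: 7, Length: 6, Type: 13, TLS blob length: 0. Flags: S
[2222] 01-01 11:00:00:000: State change to SentStart
[2222] 01-01 11:00:00:030: State change to SentHello
[2222] 01-01 11:00:00:030: << Sending Request (Code: 1) packet: Id: 8, Length: 1468, Type: 13, TLS blob length: 1458. Flags: L
[2222] 01-01 11:00:00:045: State change to SentFinished
[2222] 01-01 11:00:00:045: << Sending Request (Code: 1) packet: Id: 9, Length: 69, Type: 13, TLS blob length: 59. Flags: L
[2222] 01-01 11:00:00:050: Negotiation successful
[2222] 01-01 11:00:00:050: << Sending Success (Code: 3) packet: Id: 9, Length: 4, Type: 0, TLS blob length: 0. Flags:
"""

if __name__ == "__main__":
    for name, text in (("failing", FAILING), ("working", WORKING)):
        r = summarize(text)
        print(name, r["outcome"], " -> ".join(r["states"]))
```

A "stalled" result whose last packet carries the S (Start) flag means the server issued the EAP-TLS Start and never logged a reply, so the next place to look is the path between the RADIUS server and the supplicant rather than the certificate checks.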
05-11-2015 09:39 AM
Hello Dehkordy,
Could you please let me know which command you used to configure RADIUS with the 2960? And I would like to know which switch acts as the access switch and which switch is the distribution switch. Did you configure the SG300 in L3 mode, or is it the default L2?
Thanks,
05-12-2015 02:19 AM
Upgrading IOS to 122-55.SE10 fixed the issue.
The commands I have used are:
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
interface
authentication port-control auto
dot1x pae authenticator
As mentioned, it is fixed with the latest IOS, so I am not sure what has changed between the two versions.
05-18-2015 01:27 AM
No, I had my radius server in the config (see debug log, it is contacting radius IP)
The resolution was upgrading the IOS version, not config related.