802.1x wired authentication with NPS

o_mahieu
Level 1

Hello All,

I made a wired configuration with Windows AD with automatic VLAN assignment on a 2960 switch and router on a stick.

There is one DC/DNS/CA server and another NPS/DHCP server.

Switch port authentication and authorization succeeds for the host and the correct IP address is obtained from the DHCP server.

Also the switch port is assigned to the correct VLAN.

The host knows the switch VLAN interface (arp -a) and vice versa the switch knows the host (show arp).

The firewall on the Windows host is turned off. Still I cannot ping the switch (Request timed out).

The authenticator interface on the switch is configured as host-mode multi-host. The host is a real host (not a VM).

When I put the host in a manually configured access port, everything is working fine...

Does anyone have an idea where to look?

Thanks, Olivier


13 Replies

Jaderson Pessoa
VIP Alumni
Hello,

Please share your configuration so we can help you better.
Jaderson Pessoa
*** Rate All Helpful Responses ***

What is the source of the ping you are sending? Is there a route between these networks? Please share the configurations and outputs below.

show ip route
show running-config
show ip int bri
show arp
Jaderson Pessoa
*** Rate All Helpful Responses ***

Routing isn't the problem. Pinging from the host to the switch already doesn't work.
The host is directly cabled to the switch and the host IP is in the same subnet as the VLAN interface IP.
See previously attached jpg.

OK, without information we can't analyse your issue any better.
Jaderson Pessoa
*** Rate All Helpful Responses ***

Hello,

Included the requested info from the switch and router.

I found two commands missing, please check the suggestion below:

sw(config)# radius-server vsa send authentication

interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! fallback VLANs when authentication fails or the host never answers EAPOL
 authentication event fail action authorize vlan 98
 authentication event no-response action authorize vlan 100
 authentication host-mode multi-host
 ! open mode lets traffic through before authentication completes
 authentication open
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 4800
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 30
!

Jaderson Pessoa
*** Rate All Helpful Responses ***
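The first post and this suggestion both rely on NPS handing the switch a VLAN in its Access-Accept. That assignment travels in three standard IETF tunnel attributes (RFC 2868: Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID), which a RADIUS client applies only after checking the reply's Response Authenticator against the shared secret; `radius-server vsa send authentication` concerns Cisco vendor-specific attributes and is not needed for those three. The script below is an added example, not code from this thread, from Cisco or from Microsoft: it builds a constructed Access-Accept carrying the attributes an NPS network policy would send for VLAN 10, verifies the authenticator, and returns the VLAN a switch should honour. The shared secret, packet identifier and request authenticator are made up.

```python
"""Decode the RADIUS attributes that carry a dynamic VLAN assignment.

Added example, not code from the thread or from Cisco/Microsoft: it builds a
constructed Access-Accept the way an NPS network policy would, verifies the
Response Authenticator with the shared secret, and extracts the VLAN the
switch is being told to apply.  Attribute numbers come from RFC 2865/2868;
the secret, packet identifier and request authenticator are made up here.
"""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def avp(attr_type: int, tag: int, value: bytes) -> bytes:
    """Encode one tunnel attribute: type, length, RFC 2868 tag byte, value."""
    body = bytes([tag]) + value
    return struct.pack("!BB", attr_type, len(body) + 2) + body


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes,
                   vlan: int, tag: int = 1) -> bytes:
    """Constructed server reply with the three attributes NPS sends for a VLAN:
    Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID."""
    attrs = (avp(TUNNEL_TYPE, tag, struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])        # 3-byte integer
             + avp(TUNNEL_MEDIUM_TYPE, tag, struct.pack("!I", TUNNEL_MEDIUM_IEEE802)[1:])
             + avp(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan).encode()))
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attrs(attrs: bytes) -> List[Tuple[int, bytes]]:
    """Walk the type/length/value list, rejecting truncated or zero-length AVPs."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header at offset %d" % i)
        attr_type, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute length at offset %d" % i)
        out.append((attr_type, attrs[i + 2:i + length]))
        i += length
    return out


def split_tag(value: bytes) -> Tuple[int, bytes]:
    """A leading byte in 0x00..0x1F is a tunnel tag; anything else means untagged."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_response(packet: bytes, request_auth: bytes, secret: bytes) -> Optional[int]:
    """Return the VLAN id the switch should honour, None for a reply that grants
    access without a VLAN (or a reject), and raise on anything that fails the
    authenticity or shape checks."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    resp_auth, attrs = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    if code != ACCESS_ACCEPT:
        return None
    # Group the tunnel attributes by tag, since a server may send several sets.
    groups: Dict[int, Dict[int, bytes]] = {}
    for attr_type, value in parse_attrs(attrs):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, body = split_tag(value)
            groups.setdefault(tag, {})[attr_type] = body
    for group in groups.values():
        if not all(k in group for k in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)):
            continue  # incomplete set: a switch ignores it
        if (int.from_bytes(group[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN
                or int.from_bytes(group[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE802):
            continue
        gid = group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
        # IOS also accepts a VLAN name here; this check accepts only a numeric id.
        if gid.isdigit() and 1 <= int(gid) <= 4094:
            return int(gid)
    return None


if __name__ == "__main__":
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))
    accept = build_response(ACCESS_ACCEPT, 7, req_auth, secret, vlan=10)
    print("VLAN from Access-Accept:", vlan_from_response(accept, req_auth, secret))
```

Run stand-alone it prints VLAN 10. The authenticator check matters for diagnosis: RFC 2865 requires a client to silently discard a reply whose Response Authenticator does not verify, so a wrong shared secret shows up on the switch as a RADIUS timeout rather than a reject. When the switch already reports the expected VLAN for the session, as in this thread, this exchange has succeeded and the problem lies after authorization.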

No success...
Tried adding "radius-server vsa send authentication".
Host is on port fa0/3, not fa0/1; the VLAN is automatically assigned through NPS and DHCP. This is also working.

Ok, if possible, try it.

 

From

authentication host-mode multi-host

To

authentication host-mode single-host

Jaderson Pessoa
*** Rate All Helpful Responses ***

Sorry, no success.

show dot1x interface FastEthernet0/3 detail
Which VLAN policy was configured after authentication?

Your previous image doesn't show it.
Jaderson Pessoa
*** Rate All Helpful Responses ***

See annex. Int fa0/3 is also in VLAN 10.

Host is 192.168.10.51

Jpeg is also in first post

Does your ping work with source VLAN 10? ping 192.168.10.51 source vlan 10
Jaderson Pessoa
*** Rate All Helpful Responses ***

No it doesn't. I put a packet filter on:
First, EAP authentication is successful, and the client gets an IP from the DHCP server.
When I send a ping from the switch to the host: the ping arrives at the host, the host replies, but the ICMP packet doesn't arrive at the switch.
I configured aaa authorization network default group radius...