03-28-2014 08:52 AM - edited 03-07-2019 06:54 PM
Hi,
We have purchased a few 2960CPD-8TT-L's which we want to connect to our other 2960 24 and 48-port switches.
We have implemented 802.1x for wireless and wired clients. Our last step is to replace a few remaining desktop switches.
We do not have ISE and use Windows Network Policy Server (NPS) to authenticate clients using RADIUS. This all works well for clients using PEAP+Secure Password using EAP-MSCHAP v2 (for username-based authentication) and "Smart Card or other certificate" for computer-based authentication.
To authenticate the 2960CPD-8TT-L's we have set them up as supplicant:
dot1x system-auth-control
dot1x credentials <my-name>
username <my username>
password <my password>
!
interface GigabitEthernet0/2
switchport trunk allowed vlan 1,2
switchport mode trunk
dot1x pae supplicant
dot1x credentials <my-name>
!
I have tried to use an eap profile (tried mschapv2 and using pki-trustpoint) but without luck.
The Windows NPS shows us the message "Network Policy Server discarded the request for a user." with the following reason "An internal error occurred. Check the system event log for additional information." (which isn't very helpful).
Now I'm not sure if it's required, but I don't really understand how to load our CA root certificate in the c2960. What I tried:
crypto pki trustpoint <CA-Name>
revocation-check none
certificate chain flash:/root.cer
!
!
crypto pki certificate chain <CA-Name>
I'm curious if anyone has been able to get this to work and would be able to point out to me what to do.
Any suggestions are very much appreciated.
Kind regards,
Peter
11-27-2014 10:08 AM
Hi Peter, did you ever find an answer to getting supplicant switches authenticating with NPS correctly? I'm currently working on this and have just about hit a brick wall, as I can't figure out what version of EAP the switch is trying to use and it gets bounced on the NPS side. Thanks for any help :)
11-30-2014 07:41 AM
"Semi-yes".
The answer consists of two parts though :)
1. Current "workaround" (though this is not a safe / suggested approach) is to use EAP-MD5 since the current IOS images do not seem to include any PEAP methods (which NPS requires for 802.1x based authentication). For this workaround you can apply the following link (that does still work on 2008R2 and I believe also on 2012): http://support.microsoft.com/kb/922574/en-us
2. The actual answer is Cisco putting in PEAP support as an outer method in the IOS image. I still have an open case with Cisco in regards to this point. To be honest it even looks a little bit promising (though you never know if I might hit a brick wall somewhere down the line).
Kind regards,
Peter
12-25-2014 01:59 AM
Update: Good news. It seems that the PEAP methods are in the development code, but have never been included in the official releases (though the 2960 platform does support these features).
A bugtrack has been created: https://tools.cisco.com/bugsearch/bug/CSCus24812
The question now is of course when Cisco will release a new IOS version that includes it.