12-26-2007 03:29 AM - edited 03-05-2019 08:09 PM
Hi,
When we do 802.1x port-based configuration, are there any specific authentication settings required on the Windows client PC?
regards
gopi
12-26-2007 04:47 AM
Generally the EAP type used is MD5-Challenge, under network properties --> Advanced.
Narayan
12-27-2007 02:18 AM
Hi,
I am trying to enable 802.1x authentication in our LAN. I have a document talking about .1x config on the switches, but I was wondering what is to be configured on the ACS server. Can you help me with this?
gopi
12-28-2007 12:43 AM
Have a look at this link (Dynamic VLAN Assignment for 802.1x and ACS)
HTH
Narayan
12-28-2007 02:04 AM
.1x port-based configuration can be used for various purposes. One of the well-known uses is 802.1x port-based authentication.
12-28-2007 03:17 AM
L2 switch dot1x config
----------------------
hostname L2SWITCH
!
!
aaa new-model
aaa authentication dot1x default group radius
!
aaa session-id common
ip subnet-zero
!
!
!
!
dot1x system-auth-control
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
switchport trunk native vlan 10
switchport mode trunk
!
interface FastEthernet0/2
switchport access vlan 20
switchport mode access
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x reauthentication
dot1x guest-vlan 40
dot1x auth-fail vlan 50
!
interface FastEthernet0/3
switchport access vlan 20
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
no ip route-cache
!
interface Vlan10
ip address 10.10.10.2 255.255.255.0
no ip route-cache
!
ip default-gateway 10.10.10.1
ip http server
radius-server host 30.30.30.2 auth-port 1645 acct-port 1646 key cisco
!
control-plane
!
!
line con 0
line vty 5 15
!
end
***************************************************************
debug radius authentication
***************************************************************
1d03h: RADIUS(00000005): sending
1d03h: RADIUS/ENCODE: Best Local IP-Address 10.10.10.2 for Radius-Server 30.30.30.2
1d03h: RADIUS(00000005): Send Access-Request to 30.30.30.2:1645 id 21645/26, len 138
1d03h: RADIUS: authenticator 1D FC CB D1 72 D8 4C B1 - D2 D3 82 15 4C E0 58 31
1d03h: RADIUS: User-Name [1] 14 "0018fe6705bb"
1d03h: RADIUS: User-Password [2] 18 *
1d03h: RADIUS: Service-Type [6] 6 Call Check [10]
1d03h: RADIUS: Framed-MTU [12] 6 1500
1d03h: RADIUS: Called-Station-Id [30] 19 "00-19-30-EE-C0-02"
1d03h: RADIUS: Calling-Station-Id [31] 19 "00-18-FE-67-05-BB"
1d03h: RADIUS: Message-Authenticato[80] 18
1d03h: RADIUS: CC 09 BD 5A 1D 14 5B 85 9C 2D 76 51 49 F0 EB 2D [???Z??[??-vQI??-]
1d03h: RADIUS: NAS-Port [5] 6 50002
1d03h: RADIUS: NAS-Port-Type [61] 6 Eth [15]
1d03h: RADIUS: NAS-IP-Address [4] 6 10.10.10.2
1d03h: RADIUS: Retransmit to (30.30.30.2:1645,1646) for id 21645/26
1d03h: RADIUS: Retransmit to (30.30.30.2:1645,1646) for id 21645/26
1d03h: RADIUS: Retransmit to (30.30.30.2:1645,1646) for id 21645/26
1d03h: RADIUS: No response from (30.30.30.2:1645,1646) for id 21645/26
1d03h: RADIUS/DECODE: parse response no app start; FAIL
1d03h: RADIUS/DECODE: parse response; FAIL
**************************************************************
On ACS
--------------
I have created a user name / password with the PC MAC address "0018fe6705bb". I have also configured a network profile with the "Allow Agentless Request Processing" option, and the same profile is mapped to the group to which the above-mentioned user name is mapped.
Problem:
User is not getting authenticated. On ACS I am getting a hit and a log error as Auth failed.
Hope somebody can help me with this issue.
12-28-2007 09:11 AM
Your radius server at 30.30.30.2 is not responding to the client at 10.10.10.2. Look for access lists on the router between the 2 networks which prevent radius communications. Alternatively move your radius server to the 10.10.10 network.
R
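A triage sketch for the debug output in this thread, added as an example and not code from any poster: it groups `debug radius authentication` lines by request id, counts retransmits, and marks a request as MAC authentication bypass when Service-Type is Call Check and User-Name equals the Calling-Station-Id MAC. The function and field names are assumptions; the sample lines are copied from the log above.

```python
import re

# Sample input: lines taken from the debug output posted in this thread.
SAMPLE = """\
1d03h: RADIUS(00000005): Send Access-Request to 30.30.30.2:1645 id 21645/26, len 138
1d03h: RADIUS: User-Name [1] 14 "0018fe6705bb"
1d03h: RADIUS: Service-Type [6] 6 Call Check [10]
1d03h: RADIUS: Calling-Station-Id [31] 19 "00-18-FE-67-05-BB"
1d03h: RADIUS: Retransmit to (30.30.30.2:1645,1646) for id 21645/26
1d03h: RADIUS: Retransmit to (30.30.30.2:1645,1646) for id 21645/26
1d03h: RADIUS: Retransmit to (30.30.30.2:1645,1646) for id 21645/26
1d03h: RADIUS: No response from (30.30.30.2:1645,1646) for id 21645/26
"""

SEND = re.compile(r"Send Access-Request to (\S+):(\d+) id (\S+?),")
ATTR = re.compile(r'RADIUS:\s+(User-Name|Calling-Station-Id)\s+\[\d+\]\s+\d+\s+"([^"]*)"')
EVENT = re.compile(r"RADIUS: (Retransmit to|No response from) \(.*?\) for id (\S+)")

def norm_mac(value):
    """Lower-case a MAC and drop separators so both attribute forms compare."""
    return re.sub(r"[^0-9a-f]", "", value.lower())

def triage(text):
    """Return {request id: summary} for each Access-Request in the debug text."""
    reqs, cur = {}, None
    for line in text.splitlines():
        if m := SEND.search(line):
            cur = reqs.setdefault(m.group(3), {
                "server": m.group(1), "port": int(m.group(2)), "attrs": {},
                "call_check": False, "retransmits": 0, "no_response": False})
        elif m := EVENT.search(line):
            req = reqs.get(m.group(2))
            if req is None:
                continue  # event for a request whose send line was not captured
            if m.group(1).startswith("Retransmit"):
                req["retransmits"] += 1
            else:
                req["no_response"] = True
        elif cur is not None:
            if m := ATTR.search(line):
                cur["attrs"][m.group(1)] = m.group(2)
            elif "Service-Type" in line and "Call Check" in line:
                cur["call_check"] = True
    for req in reqs.values():
        user = norm_mac(req["attrs"].get("User-Name", ""))
        station = norm_mac(req["attrs"].get("Calling-Station-Id", ""))
        req["mab"] = req["call_check"] and len(user) == 12 and user == station
        req["verdict"] = "timeout" if req["no_response"] else "pending"
    return reqs
```

A `timeout` verdict means the switch never saw a reply for that id, which is the condition the answer above attributes to filtering between the two networks.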