Deploy 802.1x Cisco 3560CX and Windows 2008R2 NPS

krisarmstrong1
Level 1

Hi,

 

I am attempting to configure 802.1x on a Cisco 3560CX switch to a Windows 2008R2 NPS server.  I will be using both PEAP/MSCHAPv2 and EAP/TLS.  

 

Currently, I have a Cisco 2504 WLAN controller that IS WORKING with the Windows 2008R2 NPS servers with both PEAP/MSCHAPv2 and EAP/TLS.

 

For the life of me, I can't figure out why the Cisco 3560CX is not working.  I have tried multiple clients, Windows 10 and Windows 7, as well as some other devices; none work.  I believe it's on the switch side but I'm not quite sure what.  I have posted the switch configuration below.

 

I removed the certificate and passwords from the config below.  

 

c3560cx#sho run bri
Building configuration...

Current configuration : 6434 bytes
!
! Last configuration change at 02:18:27 MST Mon Jun 11 2018 by Cisco
! NVRAM config last updated at 02:18:24 MST Mon Jun 11 2018 by Cisco
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname c3560cx
!
boot-start-marker
boot-end-marker
!

aaa new-model
!
!
aaa authentication login default local enable
aaa authentication dot1x default group radius
aaa authorization exec default local 
!
!
!
!
!
!
aaa session-id common
clock timezone MST -7 0
clock summer-time MST recurring
switch 1 provision ws-c3560cx-12pd-s
system mtu routing 1500
!
!
!
!
!
!
ip domain-name minion.lab
ip name-server 8.8.8.8
ip name-server 8.8.4.4

!
!
!
!
!
udld enable

!
!

service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
service-template webauth-global-inactive
 inactivity-timer 3600 
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 linksec policy should-secure
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
 linksec policy must-secure
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
port-channel load-balance src-dst-ip
!
!
!
!         
!
!
parameter-map type webauth AI_NRH_PMAP
 type authbypass
!
vlan internal allocation policy ascending
!
lldp run
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
!
class-map type control subscriber match-all DOT1X
 match method dot1x
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
!         
class-map type control subscriber match-all DOT1X_MEDIUM_PRIO
 match authorizing-method-priority gt 20
!
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all DOT1X_TIMEOUT
 match method dot1x
 match result-type method dot1x method-timeout
!
!
!
!
!
!
!
!
! 
!
!
!
!         
!
!
!
!
!
interface Port-channel1
 description "EtherChannel Uplink Cisco 3560X"
 switchport mode trunk
!
interface Port-channel3
 description "EtherChannel MacBook Pro"
 switchport trunk native vlan 150
 switchport mode trunk
!
interface GigabitEthernet1/0/1
 description Uplink Cisco 3560X
 switchport mode trunk
 spanning-tree portfast edge
 channel-protocol lacp
 channel-group 1 mode active
!
interface GigabitEthernet1/0/2
 description Uplink Cisco 3560X
 switchport mode trunk
 spanning-tree portfast edge
 channel-protocol lacp
 channel-group 1 mode active
!
interface GigabitEthernet1/0/3
 description "Macbook Pro"
 switchport trunk native vlan 150
 switchport mode trunk
 spanning-tree portfast edge
 channel-protocol lacp
 channel-group 3 mode active
!
interface GigabitEthernet1/0/4
 description "Macbook Pro"
 switchport trunk native vlan 150
 switchport mode trunk
 spanning-tree portfast edge
 channel-protocol lacp
 channel-group 3 mode active
!
interface GigabitEthernet1/0/5
 switchport access vlan 150
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/6
 switchport access vlan 150
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/7
 description OneTouch AT G2
 switchport access vlan 150
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/8
 description OneTouch AT G2
 switchport access vlan 150
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/9
 description "LinkRunner G2 - Cable Black"
 switchport access vlan 150
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/10
 description "LinkRunner G2 - Cable Yellow"
 switchport access vlan 150
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/11
 description Windows 10 Laptop
 switchport access vlan 150
 switchport mode access
 access-session port-control auto
 dot1x pae authenticator
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/12
 description Windows 7 Laptop
 switchport access vlan 150
 switchport mode access
 spanning-tree portfast edge
!         
interface GigabitEthernet1/0/13
 switchport access vlan 150
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/14
 switchport access vlan 150
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/15
 switchport access vlan 150
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/16
 switchport access vlan 150
 switchport mode access
 spanning-tree portfast edge
!
interface TenGigabitEthernet1/0/1
!
interface TenGigabitEthernet1/0/2
!
interface Vlan1
 ip address 10.0.1.5 255.255.255.0
!
interface Vlan500
 ip address 10.250.0.111 255.255.252.0
!
interface Vlan2013
 no ip address
 ip helper-address 10.20.12.5 
!
ip default-gateway 10.0.1.1
ip forward-protocol nd
no ip http server
ip http secure-server
!
!
!

!

!
!
radius server Windows2008R2_NPS
 address ipv4 10.20.8.5 auth-port 1812 acct-port 1813
 key password
!
!
line con 0
line vty 0 4
 password Shaebug:2014
 transport input ssh
line vty 5 15
 privilege level 15
 password 
 transport input ssh
!
ntp server time1.google.com
ntp server time3.google.com
ntp server time2.google.com
ntp server time4.google.com
!
end       

c3560cx#

Windows 2008R2 NPS

 

8 Replies

Diana Karolina Rojas
Cisco Employee

Good afternoon!

 

What kind of logs do you get when you connect a new machine to the switch (please send the output)? Please attach the configuration in a .txt file; it's difficult to read when it is copied directly here.

 

Best Regards,

Which logs are you looking for here? Logs on the switch itself or on the NPS server? I don't think the switch is even contacting the NPS server. The reason I say that is that there is never an entry in the NPS event log when a wired client attempts to connect. However, when a wireless client connects, there is a log entry on the NPS server.

Are you looking for the debug output of the switch, and if so, which debugs would be of value?

Attached are the logs from the switch. One thing I'm seeing is:

Jun 11 15:51:09.607: dot1x-ev:[Gi1/0/11] Couldn't find the supplicant in the list

The end device is the client, our supplicant in this case, so what list is it referring to?

Hi!

 

Did you enable dot1x globally? I mean, I don't see the command:

dot1x system-auth-control

Can you configure that command and then post the output of this show command?

 

show authentication sessions interface GigabitEthernet1/0/11 details

 

HTH

 

/Mohammed
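The check Mohammed is asking for, whether the global 802.1X prerequisites and the per-port commands are both present, can be automated over a saved running-config. The following is an added Python example written for this thread; it is not code from any of the posts or from Cisco. It parses the IOS config into top-level lines and indented sub-blocks, reports which required global commands are absent, and classifies each access port as fully, partially or not configured for 802.1X. The sample config is a constructed fragment modelled on the one posted above, with the RADIUS key replaced by a placeholder and `dot1x system-auth-control` deliberately left out so the report has something to flag; the list of required global commands is this example's own choice, not a Cisco-published checklist.

```python
"""Audit a Cisco IOS running-config for 802.1X prerequisites.

Added example for this thread; not from the original post or from Cisco.
"""
import re
from collections import OrderedDict

# Constructed sample modelled on the posted config. The global
# 'dot1x system-auth-control' line is intentionally absent and the
# RADIUS key is a placeholder.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local enable
aaa authentication dot1x default group radius
aaa authorization exec default local
!
interface GigabitEthernet1/0/11
 description Windows 10 Laptop
 switchport access vlan 150
 switchport mode access
 access-session port-control auto
 dot1x pae authenticator
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/12
 description Windows 7 Laptop
 switchport access vlan 150
 switchport mode access
 spanning-tree portfast edge
!
radius server Windows2008R2_NPS
 address ipv4 10.20.8.5 auth-port 1812 acct-port 1813
 key REDACTED_PLACEHOLDER
!
end
"""

# Global commands a port cannot authenticate without (this example's own list).
REQUIRED_GLOBAL = [
    r"^aaa new-model$",
    r"^aaa authentication dot1x default group radius",
    r"^dot1x system-auth-control$",
    r"^radius server \S+",
]

# Either form of the per-port control command counts, depending on IOS release.
PORT_CONTROL = ("access-session port-control auto",
                "authentication port-control auto")


def parse_config(text):
    """Map each top-level config line to the list of its indented sub-lines."""
    blocks = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            current = None            # '!' separates sections in IOS output
            continue
        if line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = line
            blocks.setdefault(current, [])
    return blocks


def missing_global(blocks):
    """Return the REQUIRED_GLOBAL patterns with no matching top-level line."""
    return [pat for pat in REQUIRED_GLOBAL
            if not any(re.match(pat, line) for line in blocks)]


def audit_interfaces(blocks):
    """Classify access ports: 'dot1x', 'partial' (one command) or 'open'."""
    result = {}
    for name, sub in blocks.items():
        if not name.startswith("interface ") or "switchport mode access" not in sub:
            continue                   # trunks and uplinks are out of scope
        has_pae = "dot1x pae authenticator" in sub
        has_control = any(cmd in sub for cmd in PORT_CONTROL)
        if has_pae and has_control:
            state = "dot1x"
        elif has_pae or has_control:
            state = "partial"
        else:
            state = "open"
        result[name.split(" ", 1)[1]] = state
    return result


def radius_servers(blocks):
    """Return {server-name: True/False} for whether address and key are set."""
    out = {}
    for name, sub in blocks.items():
        if name.startswith("radius server "):
            has_addr = any(s.startswith("address ipv4") for s in sub)
            has_key = any(s.startswith("key ") for s in sub)
            out[name.split(" ", 2)[2]] = has_addr and has_key
    return out


def audit(text):
    """Run all checks and return one report dict."""
    blocks = parse_config(text)
    return {"missing_global": missing_global(blocks),
            "interfaces": audit_interfaces(blocks),
            "radius": radius_servers(blocks)}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for pat in report["missing_global"]:
        print("MISSING global command matching:", pat)
    for port, state in report["interfaces"].items():
        print(f"{port}: {state}")
    for server, ok in report["radius"].items():
        print(f"radius server {server}: {'ok' if ok else 'incomplete'}")
```

Run it against a file saved from `show running-config` by replacing `SAMPLE_CONFIG` with the file contents. A port reported as `dot1x` with a global command still listed as missing is exactly the situation the reply above describes: the interface is ready but the switch will not start EAP until the global enable is present.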

The above command is not present on my switch, but this one is. I think it's similar, perhaps the same?

 

c3560cx#show dot1x interface gigabitEthernet 1/0/11 details 

Dot1x Info for GigabitEthernet1/0/11
-----------------------------------
PAE                       = AUTHENTICATOR
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30

Dot1x Authenticator Client List Empty

 

c3560cx#sh dot1x all details
Sysauthcontrol              Enabled
Dot1x Protocol Version            3

Dot1x Info for GigabitEthernet1/0/11
-----------------------------------
PAE                       = AUTHENTICATOR
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30

Dot1x Authenticator Client List Empty

 

c3560cx#show radius server-group all 
Server group radius
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard  Memlocks = 1
    Server(10.20.8.5:1812,1813) Transactions:
    Authen: 205 Author: 0       Acct: 0
    Server_auto_test_enabled: FALSE
     Keywrap enabled: FALSE

Hi!

 

Have you tried to configure this command: 

dot1x system-auth-control

 

/Mohammed 

Yes, it is configured on the switch.

Well, apparently I was wrong. I see event logs in the event viewer every time a client attempts to connect.

 

4672, 4624 and 4634 repeatedly each time a client attempts to connect.

 

This seems to be regardless of whether it's EAP/TLS or PEAP/MSCHAPv2.