06-01-2018 12:55 AM - edited 03-08-2019 03:12 PM
Hi all,
I am trying to implement NEAT authentication against a RADIUS server, which runs on Win2008R2. At the beginning I tried to configure wired dot1x authentication against RADIUS on my test switch (2960), which runs very well. In our network we have 50+ switches, so I don't want to create separate configurations on the RADIUS server for each switch; I decided to implement NEAT, where the 4510 switch will act as the Authenticator and the rest of the switches (2960s) will be supplicants.
I've done the configuration as it's explained in this scenario https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html but I don't know why it's not working. On the RADIUS server I've inserted the IP of the 4510 switch, and in the connection request policy the IP of the 4510 as well. On the 4510 I am getting these errors:
1203093: Jun 1 09:37:57.847: %AUTHMGR-5-START: Starting 'dot1x' for client (1c17.d3aa.cf99) on Interface Gi2/5 AuditSessionID 0A0101FE0010FBC7514BB1FC
1203094: Jun 1 09:37:58.427: %DOT1X-5-FAIL: Authentication failed for client (1c17.d3aa.cf99) on Interface Gi2/5 AuditSessionID 0A0101FE0010FBC7514BB1FC
1203095: Jun 1 09:37:58.427: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (1c17.d3aa.cf99) on Interface Gi2/5 AuditSessionID 0A0101FE0010FBC7514BB1FC
1203096: Jun 1 09:37:58.427: %AUTHMGR-5-FAIL: Authorization failed for client (1c17.d3aa.cf99) on Interface Gi2/5 AuditSessionID 0A0101FE0010FBC7514BB1FC
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/5, changed state to down
(Gi2/5 is the uplink towards the 2960)
Any ideas?
06-03-2018 10:20 PM
On the RADIUS server I am getting this log error:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: <removed>\switch
Account Name: switch
Account Domain: <removed>
Fully Qualified Account Name: <removed>\switch
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 44-D3-CA-F1-23-94
Calling Station Identifier: 1C-17-D3-AA-CF-99
NAS:
NAS IPv4 Address: 10.1.1.254
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Ethernet
NAS Port: 50205
RADIUS Client:
Client Friendly Name: CISCO-L3
Client IP Address: 10.1.1.254
Authentication Details:
Connection Request Policy Name: Secure Wired (Ethernet) Connections 2
Network Policy Name: Authentication supplicant switch
Authentication Provider: Windows
Authentication Server: <removed>
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
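Added example (not part of the original post or of Cisco's NEAT guide): a small Python helper that parses the switch-side AUTHMGR/DOT1X syslog lines and the NPS event text quoted above, normalizes the two MAC notations (Cisco dotted `1c17.d3aa.cf99` vs. Windows dashed `1C-17-D3-AA-CF-99`) so the two logs can be joined on the client MAC, and attaches the Reason Code 22 text to the matched switch events. The sample inputs are constructed from the lines in the post; the field names, the `-FAIL` mnemonic convention and the reading of Reason Code 22 as an EAP-method mismatch between supplicant and network policy are assumptions stated in the code comments.

```python
import re

# Constructed sample input: the switch syslog lines quoted in the post above.
# The LINEPROTO line has no sequence number or timestamp and is skipped by the parser.
SWITCH_SYSLOG = """\
1203093: Jun 1 09:37:57.847: %AUTHMGR-5-START: Starting 'dot1x' for client (1c17.d3aa.cf99) on Interface Gi2/5 AuditSessionID 0A0101FE0010FBC7514BB1FC
1203094: Jun 1 09:37:58.427: %DOT1X-5-FAIL: Authentication failed for client (1c17.d3aa.cf99) on Interface Gi2/5 AuditSessionID 0A0101FE0010FBC7514BB1FC
1203095: Jun 1 09:37:58.427: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (1c17.d3aa.cf99) on Interface Gi2/5 AuditSessionID 0A0101FE0010FBC7514BB1FC
1203096: Jun 1 09:37:58.427: %AUTHMGR-5-FAIL: Authorization failed for client (1c17.d3aa.cf99) on Interface Gi2/5 AuditSessionID 0A0101FE0010FBC7514BB1FC
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/5, changed state to down
"""

# Constructed sample input: the relevant fields of the NPS event quoted above.
NPS_EVENT = """\
Network Policy Server denied access to a user.
User:
Account Name: switch
Client Machine:
Account Name: -
Called Station Identifier: 44-D3-CA-F1-23-94
Calling Station Identifier: 1C-17-D3-AA-CF-99
NAS IPv4 Address: 10.1.1.254
NAS Port-Type: Ethernet
NAS Port: 50205
Client Friendly Name: CISCO-L3
Network Policy Name: Authentication supplicant switch
Authentication Type: EAP
EAP Type: -
Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
"""

# IOS syslog shape assumed here: "<seq>: <Mon d hh:mm:ss.mmm>: %FACILITY-SEV-MNEMONIC: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<seq>\d+): (?P<ts>[A-Za-z]{3} +\d+ [\d:.]+): "
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)$"
)


def normalize_mac(mac):
    """Reduce any MAC notation (dotted, dashed, colon-separated) to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_switch_syslog(text):
    """Parse IOS AUTHMGR/DOT1X lines into dicts; lines not matching SYSLOG_RE are dropped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line.strip())
        if not m:
            continue
        msg = m.group("msg")
        mac = re.search(r"client \(([0-9a-fA-F.:-]+)\)", msg)
        intf = re.search(r"on Interface (\S+)", msg)
        sess = re.search(r"AuditSessionID (\w+)", msg)
        events.append({
            "seq": int(m.group("seq")),
            "mnemonic": m.group("mnemonic"),
            # Assumption: Cisco uses a trailing "-FAIL" mnemonic for authentication/authorization failures.
            "failed": m.group("mnemonic").endswith("-FAIL"),
            "mac": normalize_mac(mac.group(1)) if mac else None,
            "interface": intf.group(1) if intf else None,
            "session": sess.group(1) if sess else None,
        })
    return events


def parse_nps_event(text):
    """Parse 'Field: value' lines of an NPS event into a dict; the first occurrence of a key wins.

    Section headers such as 'User:' carry no value and are skipped.
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip(), value.strip())
    return fields


def correlate(switch_events, nps_fields):
    """Return the switch events whose client MAC equals the NPS Calling-Station-Identifier."""
    calling = nps_fields.get("Calling Station Identifier")
    if not calling:
        return []
    target = normalize_mac(calling)
    return [e for e in switch_events if e["mac"] == target]


def explain_reason(nps_fields):
    """Map the NPS reason code to a one-line diagnosis.

    Assumption: Reason Code 22 ("EAP Type cannot be processed by the server") is the usual
    NPS symptom of the supplicant offering an EAP method that the matched network policy
    does not have enabled.
    """
    code = nps_fields.get("Reason Code")
    if code == "22":
        eap_type = nps_fields.get("EAP Type", "-")
        policy = nps_fields.get("Network Policy Name", "<unknown policy>")
        return (f"NPS reason 22 in policy {policy!r}: the EAP method offered by the supplicant "
                f"is not one the policy can process (EAP Type logged as {eap_type!r}); "
                "compare the supplicant's EAP method with the policy's EAP constraints")
    return f"NPS reason {code}: {nps_fields.get('Reason', 'see the Reason text in the event')}"


if __name__ == "__main__":
    nps = parse_nps_event(NPS_EVENT)
    for ev in correlate(parse_switch_syslog(SWITCH_SYSLOG), nps):
        if ev["failed"]:
            print(f"{ev['interface']} session {ev['session']} {ev['mnemonic']}: {explain_reason(nps)}")
```

Run it as a script and it prints one diagnosis line per failing switch event whose client MAC matches the NPS Calling-Station-Identifier. Joining on the MAC rather than on NAS Port is deliberate: the IOS `NAS-Port` value (50205 here) is an interface index, not the `Gi2/5` name, so the MAC is the only field both logs share verbatim.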