SG200-8 802.1x fails

Boris Bahes
Level 1

Hi!

I'm testing a new SG200-08 switch (firmware: SG200-08x_FW_1.0.6.2.stk) for 802.1x with RADIUS authentication.

For the RADIUS server I use Microsoft 2012 NPS. For the client I use Windows 7.

So far I have been unable to authenticate to RADIUS. So maybe I'm doing something wrong...

The first thing I noticed is that the documentation (200 Series 8-port Smart Switches Administration Guide - Page 136) says:

Key String—A shared secret text string used for authenticating and encrypting all RADIUS communications between the switch and the RADIUS server. This secret must match the secret configured on the RADIUS server. The secret key can be edited by deleting the entry and recreating the entry with the desired secret key. This must be an ASCII alphanumeric value between 32 to 176 characters.

Now this is a problem (I guess)...since in the interface of the switch I can't enter a value larger than 16 characters....

On the switch log I always get this message when I try to authenticate with the Windows 7 client:

85 2013-04-23  07:59:31 Notice DOT1X[dot1xTask] dot1x_radius.c(246)  951 %% Failed to  authenticate on lIntIfNum [32] - Radius Request Timed Out.
84 2013-04-23  07:59:31 Notice DOT1X[dot1xTask] dot1x_sm.c(1277)  950 %%  dot1xBamMachine Dot1x authentication failed on intf 3, for user 'bbahes'. 

On the server side I get three identical messages in the Security log:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          23.4.2013. 7:56:42
Event ID:      6274
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      KLSERVER
Description:
Network Policy Server discarded the request for a user.
Contact the Network Policy Server administrator for more information.

User:
    Security ID:                    NULL SID
    Account Name:                   bbahes
    Account Domain:                 -
    Fully Qualified Account Name:   -

Client Machine:
    Security ID:                    NULL SID
    Account Name:                   -
    Fully Qualified Account Name:   -
    OS-Version:                     -
    Called Station Identifier:      84-78-ac-a5-83-11
    Calling Station Identifier:     d4:3d:7e:57:f5:4f

NAS:
    NAS IPv4 Address:               192.168.125.54
    NAS IPv6 Address:               -
    NAS Identifier:                 84-78-ac-a5-83-10
    NAS Port-Type:                  Ethernet
    NAS Port:                       3

RADIUS Client:
    Client Friendly Name:           NEXUS3
    Client IP Address:              192.168.125.54

Authentication Details:
    Connection Request Policy Name: Secure Wired (Ethernet) Connections
    Network Policy Name:            -
    Authentication Provider:        Windows
    Authentication Server:          KLSERVER
    Authentication Type:            -
    EAP Type:                       -
    Account Session Identifier:     -
    Reason Code:                    96
    Reason:                         Authentication failed due to an EAP session timeout; the EAP session with the access client was incomplete.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6274</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2013-04-23T05:56:42.268504600Z" />
    <EventRecordID>1012</EventRecordID>
    <Correlation />
    <Execution ProcessID="528" ThreadID="2720" />
    <Channel>Security</Channel>
    <Computer>KLSERVER</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">bbahes</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="FullyQualifiedSubjectUserName">-</Data>
    <Data Name="SubjectMachineSID">S-1-0-0</Data>
    <Data Name="SubjectMachineName">-</Data>
    <Data Name="FullyQualifiedSubjectMachineName">-</Data>
    <Data Name="MachineInventory">-</Data>
    <Data Name="CalledStationID">84-78-ac-a5-83-11</Data>
    <Data Name="CallingStationID">d4:3d:7e:57:f5:4f</Data>
    <Data Name="NASIPv4Address">192.168.125.54</Data>
    <Data Name="NASIPv6Address">-</Data>
    <Data Name="NASIdentifier">84-78-ac-a5-83-10</Data>
    <Data Name="NASPortType">Ethernet</Data>
    <Data Name="NASPort">3</Data>
    <Data Name="ClientName">NEXUS3</Data>
    <Data Name="ClientIPAddress">192.168.125.54</Data>
    <Data Name="ProxyPolicyName">Secure Wired (Ethernet) Connections</Data>
    <Data Name="NetworkPolicyName">-</Data>
    <Data Name="AuthenticationProvider">Windows</Data>
    <Data Name="AuthenticationServer">KLSERVER</Data>
    <Data Name="AuthenticationType">-</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="AccountSessionIdentifier">-</Data>
    <Data Name="ReasonCode">96</Data>
    <Data Name="Reason">Authentication failed due to an EAP session timeout; the EAP session with the access client was incomplete.</Data>
  </EventData>
</Event>

The switch is in the default configuration, so no VLANs are used.

I called support and they told me it has to be something to do with the virtual machine (since I'm running NPS on 2012 Hyper-V). But I also tried Oracle VirtualBox and VMware and the results were the same.

Attached is a Wireshark capture of the RADIUS requests.

Thanks for any help!

Best regards,

Boris Bahes.
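As a triage aid for the failure described above, here is an added example (not code from the post or from Cisco): it parses the NPS event 6274 XML, normalizes the two MAC-address syntaxes that the event mixes ('84-78-ac-...' and 'd4:3d:7e:...'), and matches the event to the switch's "Dot1x authentication failed" log line on NAS port and user name. The sample event is the post's event trimmed to the fields the check uses, and the reason-code table contains only the code the post shows.

```python
"""Match an NPS event 6274 to the SG200 dot1x failure log line (added example)."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Reason code and text exactly as the event in the post shows them.
NPS_REASONS = {96: "EAP session timeout; the EAP session with the access client was incomplete"}

# Constructed sample: the post's event trimmed to the fields the triage needs.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6274</EventID><Computer>KLSERVER</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">bbahes</Data>
    <Data Name="CalledStationID">84-78-ac-a5-83-11</Data>
    <Data Name="CallingStationID">d4:3d:7e:57:f5:4f</Data>
    <Data Name="NASIPv4Address">192.168.125.54</Data>
    <Data Name="NASPort">3</Data>
    <Data Name="ReasonCode">96</Data>
  </EventData>
</Event>"""
# Switch log line copied from the post.
SAMPLE_SWITCH_LINE = ("84 2013-04-23  07:59:31 Notice DOT1X[dot1xTask] dot1x_sm.c(1277)  950 %%  "
                      "dot1xBamMachine Dot1x authentication failed on intf 3, for user 'bbahes'.")
SWITCH_RE = re.compile(r"Dot1x authentication failed on intf (\d+), for user '([^']+)'")


def normalize_mac(mac):
    """Canonical 'aa:bb:cc:dd:ee:ff' from '-', ':' or '.' separated forms (NPS mixes them)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def parse_nps_event(xml_text):
    """Pull the fields needed to match a discarded request to a switch port."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "6274":
        raise ValueError("not an NPS 6274 (request discarded) event")
    data = {d.get("Name"): (d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)}
    code = int(data["ReasonCode"])
    return {"user": data["SubjectUserName"], "nas_ip": data["NASIPv4Address"],
            "nas_port": int(data["NASPort"]), "nas_mac": normalize_mac(data["CalledStationID"]),
            "supplicant_mac": normalize_mac(data["CallingStationID"]),
            "reason_code": code, "reason": NPS_REASONS.get(code, "unknown reason code")}


def correlate(xml_text, switch_line):
    """True if event and switch line name the same port and user; None if the line is not a dot1x failure."""
    ev = parse_nps_event(xml_text)
    m = SWITCH_RE.search(switch_line)
    if not m:
        return None
    return ev["nas_port"] == int(m.group(1)) and ev["user"] == m.group(2)
```

When the two sources agree on port and user and the reason is 96, the failure is between supplicant and NAS (the EAP conversation never completed), not a rejected credential.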

3 Replies

Tom Watts
VIP Alumni

Hi Boris, what syntax does the RADIUS expect for the mac address?

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/

I haven't changed many of the default Windows Server 2012 NPS settings. Most are default. I ran the Configure 802.1x wizard in the NPS console. But here is the configuration in an XML file so you can check. The switch running configuration is also attached.

PS. I have downgraded the firmware to 1.0.5.1 and the problem is still there.

The problem was solved by connecting the client and the NPS server to the domain controller. My guess is that it was a certificate-distribution-related issue.
