04-22-2013 11:17 PM
Hi!
I'm testing a new switch, SG200-08 (firmware: SG200-08x_FW_1.0.6.2.stk), for 802.1X with RADIUS authentication.
For the RADIUS server I use Microsoft 2012 NPS. For the client I use Windows 7.
So far I have been unable to authenticate to RADIUS. So maybe I'm doing something wrong...
The first thing I noticed is that the documentation (200 Series 8-port Smart Switches Administration Guide - Page 136) says:
Key String—A shared secret text string used for authenticating and
encrypting all RADIUS communications between the switch and the RADIUS
server. This secret must match the secret configured on the RADIUS server.
The secret key can be edited by deleting the entry and recreating the entry
with the desired secret key. This must be an ASCII alphanumeric value
between 32 to 176 characters.
Now this is a problem (I guess)... since in the switch interface I can't enter a value larger than 16 characters....
On the switch log I always get this message when I try to authenticate with the Windows 7 client:
85 | 2013-04-23 07:59:31 | Notice | DOT1X[dot1xTask] | dot1x_radius.c(246) 951 %% Failed to authenticate on lIntIfNum [32] - Radius Request Timed Out. | |
84 | 2013-04-23 07:59:31 | Notice | DOT1X[dot1xTask] | dot1x_sm.c(1277) 950 %% dot1xBamMachine Dot1x authentication failed on intf 3, for user 'bbahes'. |
On the server side I get three identical messages in the Security log:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 23.4.2013. 7:56:42
Event ID: 6274
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: KLSERVER
Description:
Network Policy Server discarded the request for a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: bbahes
Account Domain: -
Fully Qualified Account Name: -
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 84-78-ac-a5-83-11
Calling Station Identifier: d4:3d:7e:57:f5:4f
NAS:
NAS IPv4 Address: 192.168.125.54
NAS IPv6 Address: -
NAS Identifier: 84-78-ac-a5-83-10
NAS Port-Type: Ethernet
NAS Port: 3
RADIUS Client:
Client Friendly Name: NEXUS3
Client IP Address: 192.168.125.54
Authentication Details:
Connection Request Policy Name: Secure Wired (Ethernet) Connections
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: KLSERVER
Authentication Type: -
EAP Type: -
Account Session Identifier: -
Reason Code: 96
Reason: Authentication failed due to an EAP session timeout; the EAP session with the access client was incomplete.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>6274</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12552</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2013-04-23T05:56:42.268504600Z" />
<EventRecordID>1012</EventRecordID>
<Correlation />
<Execution ProcessID="528" ThreadID="2720" />
<Channel>Security</Channel>
<Computer>KLSERVER</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">bbahes</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="FullyQualifiedSubjectUserName">-</Data>
<Data Name="SubjectMachineSID">S-1-0-0</Data>
<Data Name="SubjectMachineName">-</Data>
<Data Name="FullyQualifiedSubjectMachineName">-</Data>
<Data Name="MachineInventory">-</Data>
<Data Name="CalledStationID">84-78-ac-a5-83-11</Data>
<Data Name="CallingStationID">d4:3d:7e:57:f5:4f</Data>
<Data Name="NASIPv4Address">192.168.125.54</Data>
<Data Name="NASIPv6Address">-</Data>
<Data Name="NASIdentifier">84-78-ac-a5-83-10</Data>
<Data Name="NASPortType">Ethernet</Data>
<Data Name="NASPort">3</Data>
<Data Name="ClientName">NEXUS3</Data>
<Data Name="ClientIPAddress">192.168.125.54</Data>
<Data Name="ProxyPolicyName">Secure Wired (Ethernet) Connections</Data>
<Data Name="NetworkPolicyName">-</Data>
<Data Name="AuthenticationProvider">Windows</Data>
<Data Name="AuthenticationServer">KLSERVER</Data>
<Data Name="AuthenticationType">-</Data>
<Data Name="EAPType">-</Data>
<Data Name="AccountSessionIdentifier">-</Data>
<Data Name="ReasonCode">96</Data>
<Data Name="Reason">Authentication failed due to an EAP session timeout; the EAP session with the access client was incomplete.</Data>
</EventData>
</Event>
The switch is in its default configuration, so no VLANs are used.
I called support and they told me it has to be something to do with the virtual machine (since I'm running NPS on 2012 Hyper-V). But I also used Oracle VirtualBox and VMware and the results were the same.
In the attachment is a Wireshark capture of the RADIUS requests.
Thanks for any help!
Best regards,
Boris Bahes.
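As an added example (not part of the original post or of Cisco/Microsoft tooling), here is a small triage script that parses the two artefacts posted above, the NPS Security event XML (Event ID 6274) and the switch's DOT1X log lines, and correlates them by user and port. The XML and log text embedded below are constructed from the values shown in the post, trimmed to the fields the script uses; the finding texts are the script's own wording and are not NPS or switch messages.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the posted NPS Event 6274 XML, trimmed to the fields used here.
NPS_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>6274</EventID><Computer>KLSERVER</Computer></System>
<EventData>
<Data Name="SubjectUserName">bbahes</Data>
<Data Name="NASIPv4Address">192.168.125.54</Data>
<Data Name="NASPort">3</Data>
<Data Name="ClientName">NEXUS3</Data>
<Data Name="ProxyPolicyName">Secure Wired (Ethernet) Connections</Data>
<Data Name="NetworkPolicyName">-</Data>
<Data Name="AuthenticationServer">KLSERVER</Data>
<Data Name="EAPType">-</Data>
<Data Name="ReasonCode">96</Data>
<Data Name="Reason">Authentication failed due to an EAP session timeout; the EAP session with the access client was incomplete.</Data>
</EventData></Event>"""

# Constructed sample: the two switch log lines as posted.
SWITCH_LOG = """85 | 2013-04-23 07:59:31 | Notice | DOT1X[dot1xTask] | dot1x_radius.c(246) 951 %% Failed to authenticate on lIntIfNum [32] - Radius Request Timed Out. | |
84 | 2013-04-23 07:59:31 | Notice | DOT1X[dot1xTask] | dot1x_sm.c(1277) 950 %% dot1xBamMachine Dot1x authentication failed on intf 3, for user 'bbahes'. |"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Switch log format: seq | timestamp | severity | component | message | ...
SWITCH_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s*\|\s*(?P<ts>[\d-]+ [\d:]+)\s*\|\s*(?P<sev>\w+)\s*\|"
    r"\s*(?P<comp>[^|]+?)\s*\|\s*(?P<msg>.*?)\s*\|"
)


def parse_nps_event(xml_text):
    """Return the EventID plus every <Data Name=...> field as a flat dict."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return {"event_id": event_id, **data}


def parse_switch_log(text):
    """Parse DOT1X log lines, pulling out user, interface and the RADIUS timeout flag."""
    entries = []
    for line in text.splitlines():
        m = SWITCH_RE.match(line)
        if not m:
            continue  # skip lines that are not in the switch's log table format
        e = m.groupdict()
        um = re.search(r"for user '([^']+)'", e["msg"])
        im = re.search(r"on intf (\d+)", e["msg"])
        e["user"] = um.group(1) if um else None
        e["intf"] = int(im.group(1)) if im else None
        e["radius_timeout"] = "Radius Request Timed Out" in e["msg"]
        entries.append(e)
    return entries


def triage(nps, switch_entries):
    """Correlate the NPS event with the switch log and return human-readable findings."""
    findings = []
    if nps["event_id"] == 6274 and nps.get("ReasonCode") == "96":
        findings.append(
            "NPS discarded the request (6274) with reason 96: the EAP conversation "
            "with the supplicant never completed, so no network policy was evaluated"
        )
    if nps.get("NetworkPolicyName") == "-" and nps.get("EAPType") == "-":
        findings.append(
            "No EAP type or network policy recorded: the exchange stalled before the "
            "EAP method was negotiated"
        )
    for e in switch_entries:
        if e["radius_timeout"]:
            findings.append(
                f"Switch {e['ts']}: RADIUS request timed out; the switch got no usable "
                f"reply from {nps.get('AuthenticationServer')}"
            )
        if e["user"] == nps.get("SubjectUserName") and str(e["intf"]) == nps.get("NASPort"):
            findings.append(
                f"Switch entry for user '{e['user']}' on intf {e['intf']} matches the NPS "
                f"event (NAS {nps.get('NASIPv4Address')}, NAS-Port {nps.get('NASPort')})"
            )
    return findings


if __name__ == "__main__":
    for finding in triage(parse_nps_event(NPS_EVENT_XML), parse_switch_log(SWITCH_LOG)):
        print("-", finding)
```

Both sides agree on the same picture: NPS saw the Access-Request but the EAP round trips never finished, and the switch gave up waiting for a RADIUS reply; seeing "-" for EAP type and network policy tells you the failure is earlier than any policy or credential check, which is where to look first.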
04-23-2013 06:27 PM
Hi Boris, what syntax does the RADIUS server expect for the MAC address?
-Tom
Please mark answered for helpful posts
04-23-2013 10:02 PM
I haven't changed too many of the default Windows Server 2012 NPS settings; most are default. I ran the Configure 802.1X wizard in the NPS console. But here is the configuration in an XML file so you can check. Also in the attachment is the switch running configuration.
PS. I have downgraded the firmware to 1.0.5.1 and the problem is still there.
04-25-2013 02:19 AM
The problem was solved by connecting the client and the NPS server to the domain controller. My guess is that it was a certificate-distribution-related issue.