Jimmy,

Have you enabled EAP-MD5 under the "Global Authentication" section on the ACS?

Regards,
--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com

On Thu, Feb 11, 2010 at 5:15 PM, Jimmy Larsson <[email protected]> wrote:

> Hi
>
> I am doing my first attempt ever to set up 802.1x. I know the basic idea
> with EAP-types and radius, but I can't get it to work. Fact:
>
> c2970. Configured like this:
>
> aaa new-model
> !
> !
> aaa authentication login default none
> aaa authentication dot1x default group radius
> aaa authorization network default group radius
> !
> interface FastEthernet0/19
>  description T43
>  switchport mode access
>  dot1x pae authenticator
>  dot1x port-control auto
>  dot1x violation-mode restrict
>  dot1x auth-fail vlan 1
>  spanning-tree portfast
> !
> radius-server host 192.168.1.51 auth-port 1645 acct-port 1646 key cisco
> radius-server vsa send authentication
>
> The ACS is set up with a username/password, I have configured the network
> device and all that jazz...
>
> On port Fa0/19 I have my Windows 7 client that can't connect. It prompts me
> for username/password and says "authentication failed". Debug of
> radius/dot1x on the switch shows me that I get an "Access-Reject" back from
> the ACS. The ACS says "EAP Type not configured" in failed-attempts. But the
> EAP-type column is empty.
>
> My guess is that there is something misconfigured in the win7-supplicant. I
> have:
> * Enabled dot1x-authentication.
> * Chosen method: Microsoft PEAP (not "Smart card or other certificate")
> * Under settings I have unchecked "Validate server certificate"
> * Under settings I have chosen "Secured Password EAP-MSCHAP v2" as
>   authentication method.
>
> But what am I doing wrong? Can I get more debug-output from my win7-client?
> Or should I try with a third-party supplicant instead?
>
> Also, is the "dot1x pae authenticator"-command on the switchport needed in
> my case?
>
> Can I get more detailed output from ACS than the default-info in the
> failed-attempts-log?
>
> Thanks in advance!
>
> Br Jimmy
>
> --
> -------
> Jimmy Larsson
> Ryavagen 173
> s-26030 Vallakra
> Sweden
> http://blogg.kvistofta.nu
> -------
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
