You can add additional fields to the failed attempts log by going to System Configuration>Logging in the ACS.
What about using EAP-MD5 instead of PEAP? It's in Global Authentication. You'll change it on the adapter under Authentication as well.

Regards,

Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444

On Thu, Feb 11, 2010 at 8:15 AM, Jimmy Larsson <[email protected]> wrote:
> Hi
>
> I am doing my first attempt ever to set up 802.1x. I know the basic idea with
> EAP-types and radius, but I can't get it to work. Fact:
>
> c2970. Configured like this:
>
> aaa new-model
> !
> !
> aaa authentication login default none
> aaa authentication dot1x default group radius
> aaa authorization network default group radius
> !
> interface FastEthernet0/19
>  description T43
>  switchport mode access
>  dot1x pae authenticator
>  dot1x port-control auto
>  dot1x violation-mode restrict
>  dot1x auth-fail vlan 1
>  spanning-tree portfast
> !
> radius-server host 192.168.1.51 auth-port 1645 acct-port 1646 key cisco
> radius-server vsa send authentication
>
> The ACS is set up with a username/password, I have configured the network
> device and all that jazz...
>
> On port Fa0/19 I have my Windows 7 client that can't connect. It prompts me
> for username/password and says "authentication failed". Debug of
> radius/dot1x on the switch shows me that I get an "Access-Reject" back from
> the ACS. The ACS says "EAP Type not configured" in failed-attempts. But the
> EAP-type column is empty.
>
> My guess is that there is something misconfigured in the win7-supplicant. I
> have:
>
> * Enabled dot1x-authentication.
> * Chosen method: Microsoft PEAP (not "Smart card or other certificate")
> * Under settings I have unchecked "Validate server certificate"
> * Under settings I have chosen "Secured Password EAP-MSCHAP v2" as
>   authentication method.
>
> But what am I doing wrong? Can I get more debug-output from my win7-client?
> Or should I try with a third-party supplicant instead?
>
> Also, is the "dot1x pae authenticator"-command on the switchport needed in
> my case?
>
> Can I get more detailed output from ACS than the default-info in the
> failed-attempts-log?
>
> Thanks in advance!
>
> Br Jimmy
>
> --
> -------
> Jimmy Larsson
> Ryavagen 173
> s-26030 Vallakra
> Sweden
> http://blogg.kvistofta.nu
> -------
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
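
Added example, not written by either poster: when the server and the supplicant disagree on the EAP method, as discussed in the thread above, the method each side proposes can be read directly from the EAP packets (the RADIUS EAP-Message attribute or the EAPOL frames in a capture). The decoder below follows the RFC 3748 packet layout; the names parse_eap and SAMPLE and the sample bytes are constructed for illustration.

```python
import struct

# EAP codes and method types from RFC 3748 and the IANA EAP registry.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def type_name(t: int) -> str:
    return EAP_TYPES.get(t, f"type {t}")


def parse_eap(packet: bytes) -> dict:
    """Decode one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Data]."""
    if len(packet) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError(f"bad Length field {length} for {len(packet)} bytes")
    out = {"code": EAP_CODES.get(code, f"code {code}"), "id": ident,
           "method": None, "detail": None}
    if code in (1, 2):  # only Request and Response carry a Type byte
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        etype, data = packet[4], packet[5:length]
        out["method"] = type_name(etype)
        if etype == 1:    # Identity: data is the user name
            out["detail"] = data.decode("utf-8", "replace")
        elif etype == 3:  # Nak: each data byte is a method the peer accepts
            out["detail"] = [type_name(b) for b in data]
    return out


# Constructed sample exchange (not captured from the thread's network):
# the server offers MD5-Challenge, the supplicant answers Nak and asks for PEAP.
SAMPLE = [
    bytes.fromhex("0101000501"),                          # Request/Identity
    bytes.fromhex("0201000d01") + b"testuser",            # Response/Identity
    bytes.fromhex("0102001604") + bytes([16]) + bytes(16),  # Request/MD5
    bytes.fromhex("020200060319"),                        # Response/Nak(PEAP)
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        p = parse_eap(pkt)
        print(f'{p["code"]:8} id={p["id"]} {p["method"]} {p["detail"] or ""}')
```

A Nak in the trace means the two ends are configured for different methods, so the method enabled on the server and the one selected on the adapter have to be brought into line.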
