Jimmy,
By default EAP-MD5 is the only protocol enabled but make sure you check it as Piotr has suggested. But on the Windows Client you are using PEAP. Change that to EAP-MD5.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.

From: [email protected] On Behalf Of Piotr Kaluzny
Sent: Thursday, February 11, 2010 11:22 AM
To: Jimmy Larsson
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] 802.1x

Jimmy,

Have you enabled EAP-MD5 under the "Global Authentication" section on the ACS?

Regards,
--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com

On Thu, Feb 11, 2010 at 5:15 PM, Jimmy Larsson <[email protected]> wrote:

Hi

I am doing my first attempt ever to set up 802.1x. I know the basic idea with EAP types and RADIUS, but I can't get it to work.

Fact: c2970. Configured like this:

aaa new-model
!
!
aaa authentication login default none
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
interface FastEthernet0/19
 description T43
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode restrict
 dot1x auth-fail vlan 1
 spanning-tree portfast
!
radius-server host 192.168.1.51 auth-port 1645 acct-port 1646 key cisco
radius-server vsa send authentication

The ACS is set up with a username/password, I have configured the network device and all that jazz...

On port Fa0/19 I have my Windows 7 client that can't connect. It prompts me for username/password and says "authentication failed". Debug of radius/dot1x on the switch shows me that I get an "Access-Reject" back from the ACS. The ACS says "EAP Type not configured" in failed-attempts. But the EAP-type column is empty.

My guess is that there is something misconfigured in the win7 supplicant. I have:

* Enabled dot1x authentication.
* Chosen method: Microsoft PEAP (not "Smart card or other certificate")
* Under settings I have unchecked "Validate server certificate"
* Under settings I have chosen "Secured Password EAP-MSCHAP v2" as authentication method.

But what am I doing wrong? Can I get more debug output from my win7 client? Or should I try with a third-party supplicant instead?

Also, is the "dot1x pae authenticator" command on the switchport needed in my case?

Can I get more detailed output from ACS than the default info in the failed-attempts log?

Thanks in advance!

Br Jimmy

--
Jimmy Larsson
http://blogg.kvistofta.nu

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
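The method mismatch discussed in this thread, as an added example that is not part of the original e-mails: a small Python decoder for EAP packets (the payload of a RADIUS EAP-Message attribute) that shows why a PEAP supplicant fails against a server with only EAP-MD5 enabled. It assumes the standard RFC 3748 Legacy Nak exchange; the packet bytes, `parse_eap` and `diagnose` are constructed for illustration and are not output from ACS or the switch.

```python
import struct

# EAP codes and method types from RFC 3748 / the IANA EAP registry.
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
         25: "PEAP", 26: "EAP-MSCHAPv2"}

def parse_eap(pkt: bytes) -> dict:
    """Decode one EAP packet: Code, Identifier, Length, then Type and data."""
    if len(pkt) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length field")
    out = {"code": CODES.get(code, f"unknown({code})"), "id": ident}
    if code in (1, 2):                 # only Request/Response carry a Type
        if length < 5:
            raise ValueError("Request/Response without Type")
        out["type"] = pkt[4]
        out["data"] = pkt[5:length]
    return out

def diagnose(server_enabled: set, request: bytes, response: bytes) -> str:
    """Say whether the supplicant's reply to the server's proposal can succeed."""
    req, rsp = parse_eap(request), parse_eap(response)
    if rsp["id"] != req["id"]:
        return "response does not match request identifier"
    if rsp.get("type") != 3:           # not a Legacy Nak: method was accepted
        return f"supplicant accepted {TYPES.get(req['type'], req['type'])}"
    wanted = [t for t in rsp["data"] if t != 0]   # 0 = no alternative offered
    usable = [t for t in wanted if t in server_enabled]
    names = ", ".join(TYPES.get(t, str(t)) for t in wanted) or "nothing"
    if usable:
        return f"server can retry with {TYPES.get(usable[0], usable[0])}"
    return f"supplicant wants {names}; none enabled on server -> reject"

# Constructed packets: server proposes MD5-Challenge (type 4, 16-byte value),
# supplicant configured for PEAP answers with a Nak asking for type 25.
MD5_REQUEST = bytes([1, 7, 0, 22, 4, 16]) + bytes(16)
PEAP_NAK = bytes([2, 7, 0, 6, 3, 25])

if __name__ == "__main__":
    print(diagnose({4}, MD5_REQUEST, PEAP_NAK))      # only EAP-MD5 enabled
    print(diagnose({4, 25}, MD5_REQUEST, PEAP_NAK))  # PEAP also enabled
```

Either side of the mismatch can be changed: the supplicant can be set to the method the server offers, or the server can enable the method the supplicant asks for.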
