Yes that's enabled by default and verified...

br Jimmy

2010/2/11 Piotr Kaluzny <[email protected]>

> Jimmy,
>
> Have you enabled EAP-MD5 under the "Global Authentication" section on the
> ACS?
>
> Regards,
> --
> Piotr Kaluzny
> CCIE #25665 (Security), CCSP, CCNP
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com
>
>
> On Thu, Feb 11, 2010 at 5:15 PM, Jimmy Larsson <[email protected]> wrote:
>
>> Hi
>>
>> I am doing my first attempt ever to set up 802.1x. I know the basic idea
>> with EAP-types and radius, but I can't get it to work. Fact:
>>
>> c2970. Configured like this:
>>
>> aaa new-model
>> !
>> !
>> aaa authentication login default none
>> aaa authentication dot1x default group radius
>> aaa authorization network default group radius
>> !
>> interface FastEthernet0/19
>>  description T43
>>  switchport mode access
>>  dot1x pae authenticator
>>  dot1x port-control auto
>>  dot1x violation-mode restrict
>>  dot1x auth-fail vlan 1
>>  spanning-tree portfast
>> !
>> radius-server host 192.168.1.51 auth-port 1645 acct-port 1646 key cisco
>> radius-server vsa send authentication
>>
>> The ACS is set up with a username/password, I have configured the network
>> device and all that jazz...
>>
>> On port Fa0/19 I have my windows7-client that can't connect. It prompts me
>> for username/password and says "authentication failed". Debug of
>> radius/dot1x on the switch shows me that I get an "Access-Reject" back from
>> the ACS. The ACS says "EAP Type not configured" in failed-attempts. But the
>> EAP-type column is empty.
>>
>> My guess is that there is something misconfigured in the win7-supplicant. I
>> have:
>> * Enabled dot1x-authentication.
>> * chosen method: Microsoft PEAP (not "Smart card or other certificate")
>> * Under settings I have unchecked "Validate server certificate"
>> * Under settings I have chosen "Secured Password EAP-MSCHAP v2" as
>> authentication method.
>>
>> But what am I doing wrong? Can I get more debug-output from my
>> win7-client? Or should I try with a third-party supplicant instead?
>>
>> Also, is the "dot1x pae authenticator"-command on the switchport needed in
>> my case?
>>
>> Can I get more detailed output from ACS than the default-info in the
>> failed-attempts-log?
>>
>> Thanks in advance!
>>
>> Br Jimmy
>>
>>
>> --
>> -------
>> Jimmy Larsson
>> Ryavagen 173
>> s-26030 Vallakra
>> Sweden
>> http://blogg.kvistofta.nu
>> -------
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>>
>
>
> --
> Piotr Kaluzny
> CCIE #25665 (Security), CCSP, CCNP
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com
>

--
-------
Jimmy Larsson
Ryavagen 173
s-26030 Vallakra
Sweden
http://blogg.kvistofta.nu
-------
