I know, it's a bit confusing. But in Windows 7 EAP-MD5 is not mentioned. This is how it looks on my win7-computer:
http://blogg.kvistofta.nu/junk/dot1x_w7.jpg

2010/2/11 Tyson Scott <[email protected]>

> Jimmy,
>
> By default EAP-MD5 is the only protocol enabled but make sure you check it
> as Piotr has suggested. But on the Windows Client you are using PEAP.
> Change that to EAP-MD5.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S,
> Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service
> Provider) Certification Training with locations throughout the United
> States, Europe and Australia. Be sure to check out our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Piotr Kaluzny
> *Sent:* Thursday, February 11, 2010 11:22 AM
> *To:* Jimmy Larsson
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] 802.1x
>
> Jimmy,
>
> Have you enabled EAP-MD5 under the "Global Authentication" section on the
> ACS?
>
> Regards,
> --
> Piotr Kaluzny
> CCIE #25665 (Security), CCSP, CCNP
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com
>
> On Thu, Feb 11, 2010 at 5:15 PM, Jimmy Larsson <[email protected]>
> wrote:
>
> Hi
>
> I am doing my first attempt ever to set up 802.1x. I know the basic idea
> with EAP-types and radius, but I can't get it to work. Fact:
>
> c2970. Configured like this:
>
> aaa new-model
> !
> !
> aaa authentication login default none
> aaa authentication dot1x default group radius
> aaa authorization network default group radius
> !
> interface FastEthernet0/19
>  description T43
>  switchport mode access
>  dot1x pae authenticator
>  dot1x port-control auto
>  dot1x violation-mode restrict
>  dot1x auth-fail vlan 1
>  spanning-tree portfast
> !
> radius-server host 192.168.1.51 auth-port 1645 acct-port 1646 key cisco
> radius-server vsa send authentication
>
> The ACS is set up with a username/password, I have configured the network
> device and all that jazz...
>
> On port Fa0/19 I have my windows7-client that can't connect. It prompts me
> for username/password and says "authentication failed". Debug of
> radius/dot1x on the switch shows me that I get an "Access-Reject" back from
> the ACS. The ACS says "EAP Type not configured" in failed-attempts. But the
> EAP-type column is empty.
>
> My guess is that there is something misconfigured in the win7-supplicant. I
> have:
> * Enabled dot1x-authentication.
> * Chosen method: Microsoft PEAP (not "Smart card or other certificate")
> * Under settings I have unchecked "Validate server certificate"
> * Under settings I have chosen "Secured Password EAP-MSCHAP v2" as
>   authentication method.
>
> But what am I doing wrong? Can I get more debug-output from my win7-client?
> Or should I try with a third-party supplicant instead?
>
> Also, is the "dot1x pae authenticator"-command on the switchport needed in
> my case?
>
> Can I get more detailed output from ACS than the default-info in the
> failed-attempts-log?
>
> Thanks in advance!
>
> Br Jimmy
>
> --
> -------
> Jimmy Larsson
> Ryavagen 173
> s-26030 Vallakra
> Sweden
> http://blogg.kvistofta.nu
> -------
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> --
> Piotr Kaluzny
> CCIE #25665 (Security), CCSP, CCNP
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com
>

--
-------
Jimmy Larsson
Ryavagen 173
s-26030 Vallakra
Sweden
http://blogg.kvistofta.nu
-------
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
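The mismatch discussed in this thread (a server with only EAP-MD5 enabled, a supplicant set to PEAP), modelled as the EAP method negotiation defined in RFC 3748. This is an added example, not code from any poster or from Cisco ACS; the function names and the simplified two-round flow are assumptions made for illustration.

```python
import struct

# EAP codes and method types (RFC 3748; PEAP is IANA EAP type 25).
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
NAK, MD5_CHALLENGE, PEAP = 3, 4, 25
NAMES = {NAK: "Nak", MD5_CHALLENGE: "EAP-MD5", PEAP: "PEAP"}

def build_eap(code, ident, eap_type=None, data=b""):
    """Code(1) | Identifier(1) | Length(2) | [Type(1) | Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    """Return (code, identifier, type, type_data); type is None for Success/Failure."""
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 4 <= length <= len(pkt):
        raise ValueError("EAP length field does not match packet")
    body = pkt[4:length]
    if code in (REQUEST, RESPONSE):
        if not body:
            raise ValueError("Request/Response without a Type octet")
        return code, ident, body[0], body[1:]
    return code, ident, None, b""

def negotiate(server_enabled, supplicant_methods):
    """Model one method negotiation (hypothetical helper); returns (agreed_type_or_None, trace)."""
    trace, ident, offer = [], 1, server_enabled[0]
    for _ in range(2):  # initial offer, then at most one retry after a Nak
        _, _, req_type, _ = parse_eap(build_eap(REQUEST, ident, offer))
        trace.append(f"server -> Request  {NAMES[req_type]}")
        if req_type in supplicant_methods:
            trace.append(f"client -> Response {NAMES[req_type]}")
            return req_type, trace
        # Legacy Nak: Type 3, data = the method types the supplicant wants instead.
        _, _, _, wanted = parse_eap(build_eap(RESPONSE, ident, NAK, bytes(supplicant_methods)))
        trace.append("client -> Response Nak, wants " + ", ".join(NAMES.get(t, str(t)) for t in wanted))
        usable = [t for t in wanted if t in server_enabled]
        if not usable:
            break  # no method in common: the server gives up
        offer, ident = usable[0], ident + 1
    parse_eap(build_eap(FAILURE, ident))
    trace.append("server -> Failure (carried in RADIUS Access-Reject)")
    return None, trace

if __name__ == "__main__":
    # Constructed scenarios: supplicant set to PEAP, server with MD5 only vs. MD5 + PEAP.
    for enabled in ([MD5_CHALLENGE], [MD5_CHALLENGE, PEAP]):
        agreed, trace = negotiate(enabled, [PEAP])
        print("\n".join(trace), "=>", NAMES.get(agreed, "no common method"), "\n")
```
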
