Jimmy,
I haven't tested with Win 7 so I wasn't sure. You will need to enable certificates in ACS and go through the process of enabling PEAP. As mentioned by the failed log, the protocol type is unknown as it hasn't been enabled by default.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service Provider) Certification Training with locations throughout the United States, Europe and Australia. Be sure to check out our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: [email protected] [mailto:[email protected]] On Behalf Of Jimmy Larsson
Sent: Thursday, February 11, 2010 11:55 AM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] 802.1x

I know, it's a bit confusing. But in Windows 7 EAP-MD5 is not mentioned. This is how it looks on my Win7 computer: http://blogg.kvistofta.nu/junk/dot1x_w7.jpg

2010/2/11 Tyson Scott <[email protected]>

Jimmy,

By default EAP-MD5 is the only protocol enabled, but make sure you check it as Piotr has suggested. But on the Windows client you are using PEAP. Change that to EAP-MD5.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of Piotr Kaluzny
Sent: Thursday, February 11, 2010 11:22 AM
To: Jimmy Larsson
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] 802.1x

Jimmy,

Have you enabled EAP-MD5 under the "Global Authentication" section on the ACS?

Regards,
--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com

On Thu, Feb 11, 2010 at 5:15 PM, Jimmy Larsson <[email protected]> wrote:

Hi

I am doing my first attempt ever to set up 802.1x. I know the basic idea with EAP types and RADIUS, but I can't get it to work.

Fact: c2970. Configured like this:

    aaa new-model
    !
    !
    aaa authentication login default none
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    !
    interface FastEthernet0/19
     description T43
     switchport mode access
     dot1x pae authenticator
     dot1x port-control auto
     dot1x violation-mode restrict
     dot1x auth-fail vlan 1
     spanning-tree portfast
    !
    radius-server host 192.168.1.51 auth-port 1645 acct-port 1646 key cisco
    radius-server vsa send authentication

The ACS is set up with a username/password, I have configured the network device and all that jazz...

On port Fa0/19 I have my Windows 7 client that can't connect. It prompts me for username/password and says "authentication failed". Debug of radius/dot1x on the switch shows me that I get an "Access-Reject" back from the ACS. The ACS says "EAP Type not configured" in failed-attempts. But the EAP-type column is empty.

My guess is that there is something misconfigured in the Win7 supplicant. I have:

* Enabled dot1x authentication.
* Chosen method: Microsoft PEAP (not "Smart card or other certificate")
* Under settings I have unchecked "Validate server certificate"
* Under settings I have chosen "Secured Password EAP-MSCHAP v2" as authentication method.

But what am I doing wrong? Can I get more debug output from my Win7 client? Or should I try with a third-party supplicant instead? Also, is the "dot1x pae authenticator" command on the switchport needed in my case? Can I get more detailed output from ACS than the default info in the failed-attempts log?

Thanks in advance!

Br
Jimmy

--
-------
Jimmy Larsson
Ryavagen 173
s-26030 Vallakra
Sweden
http://blogg.kvistofta.nu
-------

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
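The mismatch the thread diagnoses (supplicant answering with PEAP while the server only has EAP-MD5 enabled) is visible in the EAP Type byte of each Response. The following is an added Python example, not part of the thread or of any Cisco or Microsoft code: it decodes EAP packets per RFC 3748 and reproduces the server-side "type not configured" decision, including the Legacy Nak case where the supplicant lists the methods it would accept. The `enabled_types` set and the sample packets are constructed for the demonstration.

```python
import struct

# EAP codes and method types from RFC 3748 / IANA EAP registry
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Legacy Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

def parse_eap(pkt: bytes) -> dict:
    """Decode the 4-byte EAP header (Code, Identifier, Length) plus the Type
    byte that Request/Response packets carry (RFC 3748 section 4)."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than 4-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP length field {length} != actual {len(pkt)}")
    out = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response must carry a Type byte")
        out["type"] = pkt[4]
        out["type_name"] = EAP_TYPES.get(pkt[4], f"unknown({pkt[4]})")
        out["data"] = pkt[5:]
    return out

def server_decision(response: bytes, enabled_types: set) -> str:
    """Mimic the authentication server's check (constructed, not ACS code):
    is the method the supplicant answered with one the server has enabled?"""
    eap = parse_eap(response)
    if eap["code"] != "Response":
        return "ignore: not a Response"
    t = eap["type"]
    if t == 1:  # Identity reply carries no method choice yet
        return "identity ok, send first method Request"
    if t == 3:  # Legacy Nak: data lists the method types the supplicant wants
        wanted = set(eap["data"])
        common = wanted & enabled_types
        if not common:
            return f"reject: supplicant offers {sorted(wanted)}, none enabled"
        return f"nak: common methods {sorted(common)}"
    if t in enabled_types:
        return f"continue with {eap['type_name']}"
    return f"reject: EAP type {eap['type_name']} not configured"

def build_eap(code: int, ident: int, eap_type: int = None, data: bytes = b"") -> bytes:
    """Build an EAP packet; used here to construct sample supplicant responses."""
    body = (bytes([eap_type]) + data) if eap_type is not None else b""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

if __name__ == "__main__":
    enabled = {4}  # only MD5-Challenge enabled, as the thread says ACS does by default
    print(server_decision(build_eap(2, 1, 1, b"jimmy"), enabled))        # Identity
    print(server_decision(build_eap(2, 2, 25, b"\x20"), enabled))        # PEAP start
    print(server_decision(build_eap(2, 3, 3, bytes([25, 26])), enabled)) # Nak for PEAP/MSCHAPv2
```

Adding 25 to `enabled_types` is the decoder's equivalent of enabling PEAP on the server, which is what the top reply recommends.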
