Hi Jimmy,

Have you enabled NAPs in the ACS? If yes, check whether the dot1x request is being sent to the NAP. In that case, NAP should have MD5 or PEAP enabled.

With regards,
Kings

On Thu, Feb 11, 2010 at 10:44 PM, Tyson Scott <[email protected]> wrote:

> Jimmy,
>
> I haven't tested with Win 7 so I wasn't sure. You will need to enable
> certificates in ACS and go thru the process of enabling PEAP. As mentioned
> by the failed log the protocol type is unknown as it hasn't been enabled by
> default.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S,
> Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service
> Provider) Certification Training with locations throughout the United
> States, Europe and Australia. Be sure to check out our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Jimmy Larsson
> *Sent:* Thursday, February 11, 2010 11:55 AM
> *To:* Tyson Scott
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] 802.1x
>
> I know, it's a bit confusing. But in windows7 eap-md5 is not mentioned. This
> is how it looks on my win7-computer:
>
> http://blogg.kvistofta.nu/junk/dot1x_w7.jpg
>
> 2010/2/11 Tyson Scott <[email protected]>
>
> Jimmy,
>
> By default EAP-MD5 is the only protocol enabled but make sure you check it
> as Piotr has suggested. But on the Windows Client you are using PEAP.
> Change that to EAP-MD5.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Piotr Kaluzny
> *Sent:* Thursday, February 11, 2010 11:22 AM
> *To:* Jimmy Larsson
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] 802.1x
>
> Jimmy,
>
> Have you enabled EAP-MD5 under the "Global Authentication" section on the
> ACS?
>
> Regards,
> --
> Piotr Kaluzny
> CCIE #25665 (Security), CCSP, CCNP
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com <http://www.ipexpert.com/>
>
> On Thu, Feb 11, 2010 at 5:15 PM, Jimmy Larsson <[email protected]> wrote:
>
> Hi
>
> I am doing my first attempt ever to set up 802.1x. I know the basic idea
> with EAP-types and radius, but I can't get it to work. Fact:
>
> c2970. Configured like this:
>
> aaa new-model
> !
> !
> aaa authentication login default none
> aaa authentication dot1x default group radius
> aaa authorization network default group radius
> !
> interface FastEthernet0/19
>  description T43
>  switchport mode access
>  dot1x pae authenticator
>  dot1x port-control auto
>  dot1x violation-mode restrict
>  dot1x auth-fail vlan 1
>  spanning-tree portfast
> !
> radius-server host 192.168.1.51 auth-port 1645 acct-port 1646 key cisco
> radius-server vsa send authentication
>
> The ACS is set up with a username/password, I have configured the network
> device and all that jazz...
>
> On port Fa0/19 I have my windows7-client that can't connect. It prompts me
> for username/password and says "authentication failed". Debug of
> radius/dot1x on the switch shows me that I get an "Access-Reject" back from
> the ACS. The ACS says "EAP Type not configured" in failed-attempts. But the
> EAP-type column is empty.
>
> My guess is that there is something misconfigured in the win7-supplicant. I
> have:
>
> * Enabled dot1x-authentication.
> * Chosen method: Microsoft PEAP (not "Smart card or other certificate")
> * Under settings I have unchecked "Validate server certificate"
> * Under settings I have chosen "Secured Password EAP-MSCHAP v2" as
>   authentication method.
>
> But what am I doing wrong? Can I get more debug-output from my win7-client?
> Or should I try with a third-party supplicant instead?
>
> Also, is the "dot1x pae authenticator"-command on the switchport needed in
> my case?
>
> Can I get more detailed output from ACS than the default-info in the
> failed-attempts-log?
>
> Thanks in advance!
>
> Br Jimmy
>
> --
> -------
> Jimmy Larsson
> Ryavagen 173
> s-26030 Vallakra
> Sweden
> http://blogg.kvistofta.nu
> -------
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
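
The mismatch discussed in this thread (supplicant set to PEAP, server with only EAP-MD5 enabled) appears on the wire as an EAP Nak. The following Python is an added example, not part of the original thread: it decodes EAP packets as laid out in RFC 3748 and reports whether any method the supplicant asked for is enabled on the server. The function names, the sample bytes and the assumption that the server offers MD5-Challenge first are constructed for illustration.

```python
import struct

# EAP method type numbers (RFC 3748 and the IANA EAP registry)
TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
         13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

def build(code, ident, eap_type=None, data=b""):
    """Encode one EAP packet; used only to construct the sample exchange."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse(raw):
    """Decode one EAP packet into (code, identifier, type, type-data)."""
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if not 4 <= length <= len(raw):
        raise ValueError("length field does not match packet")
    if code in (1, 2):                      # only Request/Response carry a Type
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        return code, ident, raw[4], raw[5:length]
    return code, ident, None, b""           # Success/Failure: header only

def diagnose(packets, server_enabled):
    """Return the offered method, what the Nak asked for, and a mismatch flag."""
    offered, wanted = None, []
    for raw in packets:
        code, _, eap_type, data = parse(raw)
        if code == 1 and eap_type not in (1, 2):
            offered = eap_type              # server proposes a method
        elif code == 2 and eap_type == 3:
            wanted = [t for t in data if t != 0]   # 0 means "no alternative"
    usable = [t for t in wanted if t in server_enabled]
    name = lambda t: TYPES.get(t, f"type {t}")
    return {"offered": name(offered) if offered else None,
            "wanted": [name(t) for t in wanted],
            "mismatch": bool(wanted) and not usable}

# Constructed exchange (not a capture from this thread): the server offers
# MD5-Challenge, the supplicant is set to PEAP and answers with a Nak.
SAMPLE = [
    build(1, 1, 1),                           # Request/Identity
    build(2, 1, 1, b"jimmy"),                 # Response/Identity
    build(1, 2, 4, bytes([16]) + bytes(16)),  # Request/MD5-Challenge
    build(2, 2, 3, bytes([25])),              # Response/Nak, wants PEAP
    build(4, 2),                              # Failure
]

print(diagnose(SAMPLE, server_enabled={4}))   # only EAP-MD5 enabled
```

The same `parse` works on the payload of the RADIUS EAP-Message attribute taken from a capture between the switch and the ACS.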
