Kings, What is NAP? Please explain...
/J

2010/2/11 Kingsley Charles <[email protected]>
> Hi Jimmy
>
> Have you enabled NAPs in the ACS? If yes, check whether the dot1x request
> is being sent to the NAP. In that case, NAP should have MD5 or PEAP enabled.
>
> With regards
> Kings
>
> On Thu, Feb 11, 2010 at 10:44 PM, Tyson Scott <[email protected]> wrote:
>
>> Jimmy,
>>
>> I haven't tested with Win 7 so I wasn't sure. You will need to enable
>> certificates in ACS and go through the process of enabling PEAP. As mentioned
>> by the failed log the protocol type is unknown as it hasn't been enabled by
>> default.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Technical Instructor - IPexpert, Inc.
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444, ext. 208
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>> IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA
>> (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security &
>> Service Provider) Certification Training with locations throughout the
>> United States, Europe and Australia. Be sure to check out our online
>> communities at www.ipexpert.com/communities and our public website at
>> www.ipexpert.com
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Jimmy Larsson
>> *Sent:* Thursday, February 11, 2010 11:55 AM
>> *To:* Tyson Scott
>> *Cc:* [email protected]
>> *Subject:* Re: [OSL | CCIE_Security] 802.1x
>>
>> I know, it's a bit confusing. But in Windows 7 EAP-MD5 is not
>> mentioned. This is how it looks on my Win7 computer:
>>
>> http://blogg.kvistofta.nu/junk/dot1x_w7.jpg
>>
>> 2010/2/11 Tyson Scott <[email protected]>
>>
>> Jimmy,
>>
>> By default EAP-MD5 is the only protocol enabled but make sure you check it
>> as Piotr has suggested. But on the Windows client you are using PEAP.
>> Change that to EAP-MD5.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Technical Instructor - IPexpert, Inc.
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Piotr Kaluzny
>> *Sent:* Thursday, February 11, 2010 11:22 AM
>> *To:* Jimmy Larsson
>> *Cc:* [email protected]
>> *Subject:* Re: [OSL | CCIE_Security] 802.1x
>>
>> Jimmy,
>>
>> Have you enabled EAP-MD5 under the "Global Authentication" section on the
>> ACS?
>>
>> Regards,
>> --
>> Piotr Kaluzny
>> CCIE #25665 (Security), CCSP, CCNP
>> Sr. Support Engineer - IPexpert, Inc.
>> URL: http://www.IPexpert.com
>>
>> On Thu, Feb 11, 2010 at 5:15 PM, Jimmy Larsson <[email protected]> wrote:
>>
>> Hi
>>
>> I am doing my first attempt ever to set up 802.1x. I know the basic idea
>> with EAP types and RADIUS, but I can't get it to work. Fact:
>>
>> c2970. Configured like this:
>>
>> aaa new-model
>> !
>> !
>> aaa authentication login default none
>> aaa authentication dot1x default group radius
>> aaa authorization network default group radius
>> !
>> interface FastEthernet0/19
>>  description T43
>>  switchport mode access
>>  dot1x pae authenticator
>>  dot1x port-control auto
>>  dot1x violation-mode restrict
>>  dot1x auth-fail vlan 1
>>  spanning-tree portfast
>> !
>> radius-server host 192.168.1.51 auth-port 1645 acct-port 1646 key cisco
>> radius-server vsa send authentication
>>
>> The ACS is set up with a username/password, I have configured the network
>> device and all that jazz...
>>
>> On port Fa0/19 I have my Windows 7 client that can't connect. It prompts me
>> for username/password and says "authentication failed". Debug of
>> radius/dot1x on the switch shows me that I get an "Access-Reject" back from
>> the ACS. The ACS says "EAP Type not configured" in failed attempts. But the
>> EAP-type column is empty.
>>
>> My guess is that there is something misconfigured in the Win7 supplicant. I
>> have:
>>
>> * Enabled dot1x authentication.
>> * Chosen method: Microsoft PEAP (not "Smart card or other certificate")
>> * Under settings I have unchecked "Validate server certificate"
>> * Under settings I have chosen "Secured Password EAP-MSCHAP v2" as
>>   authentication method.
>>
>> But what am I doing wrong? Can I get more debug output from my
>> Win7 client? Or should I try with a third-party supplicant instead?
>>
>> Also, is the "dot1x pae authenticator" command on the switchport needed in
>> my case?
>>
>> Can I get more detailed output from ACS than the default info in the
>> failed-attempts log?
>>
>> Thanks in advance!
>>
>> Br Jimmy
>>
>> --
>> -------
>> Jimmy Larsson
>> Ryavagen 173
>> s-26030 Vallakra
>> Sweden
>> http://blogg.kvistofta.nu
>> -------
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
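Added example, not part of the thread above and not code from ACS, IPexpert or any of the posters: the replies converge on an EAP method mismatch (the ACS only has EAP-MD5 enabled, the Windows 7 supplicant only offers PEAP), and the ACS log shows that only as "EAP Type not configured" with an empty EAP-type column. The script below decodes the EAP-Message attribute (RADIUS attribute 79, RFC 2865) carried in an Access-Request and reports the EAP method the supplicant is proposing, including the Legacy-Nak (EAP type 3, RFC 3748) a client sends when it rejects the server's method and names the one it wants. The user name "jimmy", the sample packets and the zeroed Request Authenticator are constructed for the example; the "server enabled" set is whatever you read from the ACS global authentication settings.

```python
"""Decode the EAP payload carried in RADIUS Access-Request packets so the EAP
method a supplicant is actually proposing can be compared with the methods
the authentication server has enabled (RFC 2865 attributes, RFC 3748 EAP)."""
import struct

RADIUS_ATTR_USER_NAME = 1
RADIUS_ATTR_EAP_MESSAGE = 79

EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE = {1: "Identity", 2: "Notification", 3: "Legacy-Nak", 4: "EAP-MD5",
            13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def radius_attributes(packet: bytes):
    """Yield (type, value) pairs from a RADIUS packet: 20-byte header
    (code, id, length, authenticator) followed by TLV attributes."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def eap_summary(eap: bytes) -> dict:
    """Decode the EAP header and method type. A Legacy-Nak response is the
    peer refusing the server's method and listing the ones it wants."""
    code, ident, length = struct.unpack("!BBH", eap[:4])
    info = {"code": EAP_CODE.get(code, f"unknown({code})"), "id": ident}
    if code in (1, 2) and length >= 5:
        etype = eap[4]
        info["type"] = EAP_TYPE.get(etype, f"unknown({etype})")
        if etype == 3:
            info["wants"] = [EAP_TYPE.get(t, f"unknown({t})") for t in eap[5:length]]
        elif etype == 1:
            info["identity"] = eap[5:length].decode(errors="replace")
    return info


def analyse_access_request(packet: bytes) -> dict:
    """Reassemble EAP-Message fragments (several attribute 79 instances are
    concatenated in order) and decode the resulting EAP packet."""
    user, eap = None, b""
    for atype, value in radius_attributes(packet):
        if atype == RADIUS_ATTR_USER_NAME:
            user = value.decode(errors="replace")
        elif atype == RADIUS_ATTR_EAP_MESSAGE:
            eap += value
    result = {"user": user}
    if eap:
        result.update(eap_summary(eap))
    return result


def method_mismatch(summary: dict, server_enabled: set) -> list:
    """List EAP methods the peer proposed that the server has not enabled:
    this is the condition behind an 'EAP type not configured' reject."""
    etype = summary.get("type")
    if etype == "Legacy-Nak":
        wanted = summary.get("wants", [])
    elif etype in (None, "Identity", "Notification"):
        wanted = []
    else:
        wanted = [etype]
    return [m for m in wanted if m not in server_enabled]


def build_access_request(attrs) -> bytes:
    """Build a RADIUS Access-Request (code 1) with a zeroed Request
    Authenticator. Constructed test data only; nothing validates the MAC."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + b"\x00" * 16 + body


# Constructed samples (hypothetical user name "jimmy"): the supplicant
# answers an EAP-MD5 challenge with a Legacy-Nak asking for PEAP (type 25),
# once in a single EAP-Message and once split across two fragments.
NAK_EAP = struct.pack("!BBHB", 2, 2, 6, 3) + bytes([25])
SAMPLE_NAK = build_access_request([(1, b"jimmy"), (79, NAK_EAP)])
SAMPLE_SPLIT = build_access_request([(1, b"jimmy"), (79, NAK_EAP[:3]), (79, NAK_EAP[3:])])

if __name__ == "__main__":
    s = analyse_access_request(SAMPLE_NAK)
    print(s, "not enabled on server:", method_mismatch(s, {"EAP-MD5"}))
```

Feed it the bytes of a real Access-Request captured between switch and ACS (the UDP payload to auth-port 1645 here) and the "wants" list tells you, independently of whatever the server logs, which method the supplicant insists on; if that method is absent from the server's enabled set, the fix is on the server side (enable PEAP with a certificate) or on the client side (select a method the server offers), exactly the two options the replies give.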
