Change the password to something other than cisco.  Make sure you don't have
a space after the password.  I would also recommend downgrading the switch
to 12.2(46) as your command structure is not what you are going to see on
the test.  Yusuf has confirmed that on learn...@cisco.

 

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.

From: [email protected]
[mailto:[email protected]] On Behalf Of Vybhav
Ramachandran
Sent: Friday, May 21, 2010 8:29 AM
To: OSL Security
Subject: [OSL | CCIE_Security] Dot1x Not working

 

Guys,

I've tried doing dot1x many times and it usually works. But this time, I'm
getting access-reject messages from the ACS. I don't understand why.

 

HERE IS MY SWX CONFIG
_________________________

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rack1SW2
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
!
!
aaa session-id common
ip subnet-zero
ip routing
!
!
vtp file vlan.dat
!
!
crypto pki trustpoint TP-self-signed-2319349120
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2319349120
 revocation-check none
 rsakeypair TP-self-signed-2319349120
!
!
crypto pki certificate chain TP-self-signed-2319349120
 certificate self-signed 01
  quit
dot1x system-auth-control
!
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface FastEthernet0/1
 switchport mode dynamic desirable
!
interface FastEthernet0/2
 switchport mode dynamic desirable
!
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface FastEthernet0/4
 switchport mode dynamic desirable
!
interface FastEthernet0/5
 switchport mode dynamic desirable
!
interface FastEthernet0/6
 switchport mode access
 authentication event fail action authorize vlan 999
 authentication event no-response action authorize vlan 888
 authentication port-control auto
 dot1x pae authenticator
!
interface FastEthernet0/7
 switchport mode dynamic desirable
!
interface FastEthernet0/8
 switchport mode dynamic desirable
!
interface FastEthernet0/9
 switchport mode dynamic desirable
!
interface FastEthernet0/10
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/11
 switchport mode dynamic desirable
!
interface FastEthernet0/12
 switchport access vlan 122
 switchport mode access
!
interface FastEthernet0/13
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/14
 switchport mode dynamic desirable
!
interface FastEthernet0/15
 switchport mode dynamic desirable
!
interface FastEthernet0/16
 switchport mode dynamic desirable
!
interface FastEthernet0/17
 switchport mode dynamic desirable
!
interface FastEthernet0/18
 switchport mode dynamic desirable
!
interface FastEthernet0/19
 switchport mode dynamic desirable
!
interface FastEthernet0/20
 switchport access vlan 200
 switchport mode access
!
interface FastEthernet0/21
 switchport mode dynamic desirable
!
interface FastEthernet0/22
 switchport mode dynamic desirable
!
interface FastEthernet0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/24
 switchport mode dynamic desirable
!
interface GigabitEthernet0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan122
 ip address 136.1.122.100 255.255.255.0
!
ip classless
ip route 10.0.0.0 255.255.255.0 136.1.122.12
ip http server
ip http secure-server
!
!
radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key cisco
!
control-plane
!
!
line con 0
 logging synchronous level 0 limit 20
line vty 5 15
!
end

 

Here's the supplicant (R6's) configuration
___________________________________

dot1x system-auth-control
dot1x credentials dot1x
 username new_user
 password 0 cisco

interface FastEthernet0/1
 ip address 136.1.122.6 255.255.255.0
 duplex auto
 speed auto
 dot1x pae supplicant
 dot1x credentials dot1x

On the ACS
___________

I've created a user called "new_user" with a password of "cisco"

I then selected

"tunnel-type = VLAN"
"tunnel-medium-type=802"
"tunnel-private-group-ID=122"

Authentication fails and I keep getting the error "CS CHAP password invalid"
on the fail-logs on the ACS.

Any help would be appreciated,

Thanks!

Vybhav
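
Why a space after the password produces a CHAP-style reject, as an added example that is not part of the original thread or any Cisco code. It assumes the port is running EAP-MD5 (MD5-Challenge, RFC 1994 style) and that the trailing space ends up in the secret on one side only; the function names, sample config and challenge bytes are constructed for illustration.

```python
import hashlib
import hmac
import re

def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """MD5-Challenge value (RFC 1994 CHAP): MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def server_accepts(identifier: int, stored: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the hash from the stored password and compare."""
    return hmac.compare_digest(eap_md5_response(identifier, stored, challenge), response)

# Credential-bearing line shapes taken from the configs posted in this thread.
CRED_LINE = re.compile(r"^\s*(?:password\s+\d+\s+|radius-server host\s.*\skey\s+)(?P<secret>.*)$")

def secrets_with_trailing_space(config: str) -> list:
    """Return (line number, secret) for every secret that ends in whitespace."""
    hits = []
    for n, line in enumerate(config.split("\n"), start=1):
        m = CRED_LINE.match(line)
        if m and m.group("secret") != m.group("secret").rstrip():
            hits.append((n, m.group("secret")))
    return hits

# Constructed sample: the thread's supplicant stanza with a space typed after "cisco".
SAMPLE = (
    "dot1x credentials dot1x\n"
    " username new_user\n"
    " password 0 cisco \n"
    "radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key cisco\n"
)
CHALLENGE = bytes(range(16))  # constructed 16-byte challenge

if __name__ == "__main__":
    for typed in (b"cisco", b"cisco "):
        ok = server_accepts(1, b"cisco", CHALLENGE, eap_md5_response(1, typed, CHALLENGE))
        print(repr(typed), "->", "Access-Accept" if ok else "Access-Reject")
    print(secrets_with_trailing_space(SAMPLE))
```

Because the password is hashed byte for byte, the server cannot tell a trailing space from a wrong password, which is why checking the raw config text for whitespace is the practical test.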
