Here is my 2950 configuration:

usts01# configure terminal

usts01(config)# aaa new-model
usts01(config)# aaa authentication dot1x default group radius
usts01(config)# dot1x system-auth-control
usts01(config)# aaa authorization network default group radius
usts01(config)# interface FastEthernet0/1
usts01(config-if)# dot1 port-control auto
usts01(config-if)# end
usts01(config)# radius-server host 192.168.107.43 auth-port 1812 acct-port 1813 key whatever

My goal is that the Windows supplicant does the authentication BEFORE the Windows login, because without that I don't have any connection to the domain controller.

I had the same configuration for the Windows supplicant, but it didn't send any request when I did the login, so I didn't get any connection to the DC -> login failed.

Now I use the Aegis client, and with this it works perfectly! The disadvantage is that you have to pay for the client. You understand what I mean? I created a user account for the computer in the users file for the authentication.

Did the Windows supplicant with your configuration send the user name / password before connecting to the DC?

Cheers

Marco

Øystein Gåsdal wrote:
The Windows XP supplicant works for me...kinda.
It sends requests via my 2950, but I still can't log on, but I guess that has something to do with the configuration on the radius server.
 
In Network Connections -> <interface card> -> Authentication, it says something like this.
 
Enable IEEE 802.1x etc. is marked
EAP type: Protected EAP (PEAP)
 
Press the Properties button
 
Take away the Validate server certificate mark.
 
Under Select Authentication Method, choose
Secured password (EAP-MSCHAP v2)
 
Do you have the same?
 
Anyway, does this mean you have been able to authenticate users via an NT domain?
What files did you configure to make it work? And what parameters?
 
- Øystein


From: M.Cerqui - PUBLISHERIA [mailto:[EMAIL PROTECTED]]
Sent: 8 October 2004 11:45
To: [EMAIL PROTECTED]
Subject: Re: Freeradius, Cisco Catalyst 2950, Windwos Domain

Hi Øystein

Thanks for your help. I have the Catalyst already configured like this, and even when I turn on the "debug radius" option on the Catalyst there is no output before a successful login :-( I have now tried the Aegis Client as supplicant on Windows, and with this supplicant authentication before domain login works perfectly (PEAP). Any other idea? Is the default Microsoft Windows XP supplicant that bad?

Cheers

Marco



Øystein Gåsdal wrote:
If nothing shows in the radius debug, my guess is that you haven't
configured the 2950 properly, i.e. you have the wrong IP address to the radius
server.

The configuration should look like this:

aaa new-model
aaa authentication dot1x default group radius
radius-server host <radius server ip address> auth-port 1812 acct-port 1813 key <shared key>

On the ethernet interface, you should have this:
dot1x port-control auto

- Øystein Gåsdal
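
As an added example (not part of this thread and not Cisco or FreeRADIUS code), the Python below audits a saved switch configuration or a pasted configuration session for the 802.1X commands posted in this thread and for `dot1x port-control auto` on the named access ports. The function names, the sample address 192.0.2.10 and the key EXAMPLE-KEY are assumptions made up for the example; only full command names are matched, abbreviated commands are not expanded.

```python
import re

# Strips a pasted IOS prompt such as "usts01(config-if)# " from a line.
PROMPT = re.compile(r"^\S+?(\(config[\w-]*\))?#\s*")

# Global commands taken from the configurations posted in this thread.
REQUIRED_GLOBAL = ["aaa new-model", "dot1x system-auth-control", "radius-server host ",
                   "aaa authentication dot1x default group radius"]

def parse(config_text):
    """Split a config or pasted session into global lines and per-interface lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in config_text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line:
            continue
        if line.lower().startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line in ("!", "end", "exit"):
            current = None          # interface block closed
        elif current is not None:
            current.append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces

def audit(config_text, access_ports):
    """Return a list of findings; an empty list means nothing is missing."""
    global_lines, interfaces = parse(config_text)
    findings = [f"missing global command: {cmd.strip()}" for cmd in REQUIRED_GLOBAL
                if not any(l.startswith(cmd) for l in global_lines)]
    for port in access_ports:
        if "dot1x port-control auto" not in interfaces.get(port, []):
            findings.append(f"{port}: dot1x port-control auto not set")
    return findings

# Constructed sample: documentation IP address and placeholder key.
SAMPLE = """\
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-KEY
interface FastEthernet0/1
 dot1x port-control auto
interface FastEthernet0/2
"""

if __name__ == "__main__":
    print(audit(SAMPLE, ["FastEthernet0/1", "FastEthernet0/2"]))
```
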


  
-----Original Message-----
From: M.Cerqui - PUBLISHERIA [mailto:[EMAIL PROTECTED]] 
Sent: 4 October 2004 21:02
To: [EMAIL PROTECTED]
Subject: RE: Freeradius, Cisco Catalyst 2950, Windwos Domain 

No wireless, wired environment! Authentication is required 
because the port goes into unauthenticated state and I 
haven't got any network access.


----------------------------------------
[EMAIL PROTECTED] said...
----------------------------------------

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]]
Sent: Monday, 4 October 2004 21:07
To: [EMAIL PROTECTED]
Subject: Re: Freeradius, Cisco Catalyst 2950, Windwos Domain 

"M.Cerqui - PUBLISHERIA" <[EMAIL PROTECTED]> wrote:
    
Sorry for my bad english... the problem is, that I can't post any
debug information because there isn't any. I start "freeradius -X" and
turn "debug radius" on my catalyst on, but with the following windows xp
configuration nothing occurs on the server and switch until I have
logged in and the desktop is loaded.
      
  If the windows box is accessing the network via wireless, 
without FreeRADIUS being involved, then you haven't 
configured the AP to require authentication.

  Fix that.

  Alan DeKok.



-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


