802.1x authenticate with IAS

Status
Not open for further replies.

swabs

IS-IT--Management
Jul 28, 2003
155
US
Hello,
I am attempting to use 802.1x authentication between Windows XP clients and a Windows 2003 IAS RADIUS server using a Cisco Catalyst 2950 switch.

I have configured the Cisco Switch for aaa authentication. I can successfully see the client passing traffic to the switch (below)

Switch#sho dot1x statistics int f0/2
PortStatistics Parameters for Dot1x
--------------------------------------------
TxReqId = 13 TxReq = 13 TxTotal = 18
RxStart = 0 RxLogoff = 0 RxRespId = 0 RxResp = 0
RxInvalid = 0 RxLenErr = 0 RxTotal= 0
RxVersion = 0 LastRxSrcMac 0000.0000.0000

But when I run "show radius statistics" I don't see any packets:
Switch#sho radius statistics
Maximum inQ length: 0
Maximum waitQ length: 0
Maximum doneQ length: 0
Total responses seen: 0
Packets with responses: 0
Packets without responses: 0
Average response delay: 0 ms
Maximum response delay: 0 ms
Number of Radius timeouts: 0
Duplicate ID detects: 0

Elapsed time since counters last cleared: 1h7m

Can anyone point me in the right direction? Here is my running-config in case there is anything obvious.

Switch#sho run
Building configuration...

Current configuration : 3131 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
enable secret 5 $1$vPzf$5MUv263B1tmYZZosZfjP2.

interface FastEthernet0/2
 switchport access vlan 248
 switchport mode access
 dot1x port-control auto
 dot1x timeout reauth-period 60
 dot1x reauthentication
 spanning-tree portfast

interface Vlan248
 ip address 192.168.15.2 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.15.1
ip http server
radius-server host 192.168.15.1 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key password
!
line con 0
line vty 0 4
 password vpna
line vty 5 15
 password vpna
!
!
end
 
reactornet, thanks for the reply.
I believe it has been enabled. Any other help would be greatly appreciated.

Switch#sho dot1x
Sysauthcontrol = Enabled
Supplicant Allowed In Guest Vlan = Disabled
Dot1x Protocol Version = 1
Dot1x Oper Controlled Directions = Both
Dot1x Admin Controlled Directions = Both
 
How is your IAS server set up? Do you know your IAS server actually works?
Are you getting any errors logged on IAS? Are you using Active Directory or local users on the IAS server? Do your users have 'remote access' enabled?
What output do you get when debugging dot1x and aaa authentication?

I have this setup on some 2950's, 3550's and 3750's and the config is pretty consistent between them all.

aaa new-model
!
radius-server host 10.10.10.10 auth-port 1812 acct-port 1813 key RADIUS-KEY
radius-server host 10.10.10.11 auth-port 1812 acct-port 1813 key RADIUS-KEY
!
aaa group server radius Radius-Servers
 server 10.10.10.10 auth-port 1812 acct-port 1813
 server 10.10.10.11 auth-port 1812 acct-port 1813
!
aaa authentication dot1x default group Radius-Servers
!
interface FastEthernet0/5
 switchport mode access
 dot1x port-control auto
 dot1x timeout reauth-period server
 dot1x reauthentication
!

HTH

Andy
 
ADB100,
Thanks for the reply. I just found the cause of the issue this morning. My client didn't have the correct registry settings for:
SupplicantMode = 3
AuthMode = 2

After I changed the client to the settings above it was successfully able to authenticate.

It is up and running and I am a happy guy for the day.
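
Added example, not part of any poster's reply and not Cisco or Microsoft code: a small Python triage of the two counter outputs posted in this thread, showing why RADIUS counters that stay at zero point at the client when the switch's dot1x Rx counters are also zero. The function names and verdict labels are hypothetical, and reading "Packets with responses" plus "Packets without responses" as the number of requests sent is an assumption.

```python
import re

# Counter output copied from the thread (switch port f0/2, then RADIUS).
DOT1X = """TxReqId = 13 TxReq = 13 TxTotal = 18
RxStart = 0 RxLogoff = 0 RxRespId = 0 RxResp = 0
RxInvalid = 0 RxLenErr = 0 RxTotal= 0
RxVersion = 0 LastRxSrcMac 0000.0000.0000"""
RADIUS = """Packets with responses: 0
Packets without responses: 0
Average response delay: 0 ms
Number of Radius timeouts: 0"""

def parse_dot1x(text):
    """'show dot1x statistics' -> ({'TxReqId': 13, ...}, last source MAC)."""
    counters = {k: int(v) for k, v in re.findall(r"(\w+)\s*=\s*(\d+)", text)}
    mac = re.search(r"LastRxSrcMac\s+([0-9a-fA-F.]+)", text)
    return counters, mac.group(1) if mac else None

def parse_radius(text):
    """'show radius statistics' -> {'Number of Radius timeouts': 0, ...}."""
    pairs = re.findall(r"^([^:\n]+):[ \t]*(\d+)(?: ms)?[ \t]*$", text, re.M)
    return {k.strip(): int(v) for k, v in pairs}

def diagnose(dot1x_text, radius_text):
    """Hypothetical triage helper; verdict names are made up for this example."""
    d, mac = parse_dot1x(dot1x_text)
    r = parse_radius(radius_text)
    # Assumption: requests sent to RADIUS = answered + unanswered packets.
    radius_tx = (r.get("Packets with responses", 0)
                 + r.get("Packets without responses", 0))
    never_heard_client = d.get("RxTotal", 0) == 0 and (mac or "0").strip("0.") == ""
    if d.get("TxReqId", 0) and never_heard_client:
        # Switch keeps sending EAP-Request/Identity, no EAPOL frame comes back:
        # there is no EAP-Response to relay, so RADIUS counters stay at zero.
        return "supplicant-silent"
    if d.get("RxRespId", 0) and radius_tx == 0:
        return "switch-not-relaying"      # client answers, nothing goes to RADIUS
    if r.get("Number of Radius timeouts", 0):
        return "radius-not-answering"     # requests leave the switch, no reply
    return "inconclusive"

if __name__ == "__main__":
    print(diagnose(DOT1X, RADIUS))
```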
 