IEEE 802.1x issue with IAS: using Microsoft IAS and a Catalyst switch as an authenticator

Dear Experts

Kindly help me with this issue. I have been given a task to authenticate PCs using IEEE 802.1x with Microsoft IAS; the switch (or the authenticator) is a Catalyst 3550 acting as a layer 2 switch.

I tried to set up a lab using a Catalyst 3550 switch, a client PC and a server installed with Windows Server 2003. The main purpose was to allow a PC client to authenticate to the IAS server through the Catalyst switch using a Microsoft certificate:

PC ----->>> ||catalyst3550||---->>||IAS windows 2003 server||

- However, my manager requested me not to change the "EAP type" on the user PC and to leave it as "Smart card or other certificate", so I searched for documentation and found one that uses IEEE 802.1x with the EAP type "smart card" on both server and client. Below are the steps of the configuration guide I followed, from this URL: http://alextch.members.winisp.net/802.1x/Defending%20your%20internal%20network%20with%20802.1x%20and%20Microsoft%20PKI.htm

- I started by issuing two additional certificate types:

    - RAS and IAS Server

    - Workstation Authentication

  1. Open Certificate Authority Snap-in,
  2. Right-Click on
  3. Select RAS and IAS Server and Workstation Authentication Templates from the list
  4. Since we would like to take advantage of certificate auto-enrollment capabilities of Active Directory we need to modify security settings on the Workstation Authentication Template to allow Domain Computers to auto-enroll for this type of certificate. This would eliminate the need for manual certificate distribution to desktops. In order to do this, while still in the Certificate Authority Snap-in right-click on Certificate Templates node and select Manage. This should open Certificate Template Snap-in.
  5. Once in Certificate Templates Snap-in select Workstation Authentication Template, open its properties and switch to Security Tab. Set up security so that Domain Computers can Read, Enroll and Autoenroll for this template.

|||||||||- Configuration of Microsoft Internet Authentication Server (Radius)-||||||||||||
   1. First we need to install RAS and IAS Certificate on the IAS server. While logged in as a Domain Admin on the IAS server, run mmc from the command line
   2. Ensure to select Computer account when adding the snap-in.
   3. Expand Personal folder then right-click on Certificates and select to Request a New Certificate
   4. Ensure to select RAS and IAS Server template
   5. Provide a friendly name to the certificate and finish the wizard
   6. Open IAS Snap-in, right-click on Internet Authentication Service and click on Register Server with Active Directory
   7. Next we need to create a Radius Client that will represent our 802.1x capable switch. Right-click on Radius Clients and specify the IP address of the management interface of the Catalyst Switch and a friendly name
   8. Leave Radius Standard as the Client-Vendor and provide a shared secret. This secret key will be used to encrypt the traffic between the IAS and Catalyst. Make sure to match this shared secret when configuring Radius Server settings on the Catalyst Switch. Click on Finish
   9. Switch to Remote Access Policies. You can delete the default policies, unless they are being used.
   10. Right-click on Remote Access Policies and select New Access Policy. Provide a name for the policy and choose custom policy type.
   11. Next we need to add conditions that need to be met in order for the client to gain access. As you can see multiple conditions can be provided. For the purposes of this blog I only add one condition, which specifies that the request needs to come from the IP address of the Catalyst Switch. Depending on the security requirements of your organization you may specify additional conditions. Of course, the validity of the client's certificate will always be checked by the IAS server (see step 15).
   12. Allow access if the conditions specified on the previous step are met. Click on next
   13. Click on Edit Profile and switch to authentication tab
   14. Uncheck all authentication methods and click on EAP Methods (EAP allows for certificate based authentication)
   15. Click on Add new EAP authentication type and select Smart Card or other certificates. Click Ok
   16. Finish the wizard

|||||||||||||||||||- Configuration of Active Directory Policy-|||||||||||||||||||||||||
 The whole idea is to prevent workstations without a valid certificate from connecting to the corporate network. Of course, this implies that we need to distribute the appropriate certificates to the legitimate users/workstations. We can do this in a number of ways, but the most efficient one is through the autoenrollment process. See the link below on configuration of autoenrollment:

|||||||||||||-Checklist: Configuring certificate autoenrollment-|||||||||||||||||||||||

1. Open Active Directory Users and Computers Snap-in

2. Select the OU where you want to modify the computer policy in order to allow for auto-enrollment. In this blog we assume that the top level domain policy will be modified. Select the properties of the OU and open the associated group policy.

3. Navigate to Computer Configuration->Windows Settings->Security Settings->Public Key Policy and double-click on Autoenrollment Settings. Enable autoenrollment.

||||||||||||||||||||||||||||||||- Configuring Clients-||||||||||||||||||||||||||||||
1. If you did not use the certificate autoenrollment process you have to manually request the Workstation Authentication certificate. The process of requesting this certificate is identical to the process we used to request the RAS and IAS certificate earlier in this blog. The only exception is that we need to request a Workstation Authentication certificate, see picture below.

2. Under the Network Connections ensure that the IEEE 802.1x authentication is enabled (this is default on Windows XP).

The Catalyst 3550 switch configuration:

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common
dot1x system-auth-control

radius-server cache expiry 1
radius-server host auth-port 1812 acct-port 1813 key ev6dfrs4
radius-server host auth-port 1645 acct-port 1646 key ev6dfrs4
radius-server retry method reorder
radius-server transaction max-tries 10
radius-server source-ports 1645-1646
radius-server timeout 4
radius-server deadtime 2
radius-server key ev6dfrs4
radius-server vsa send authentication

interface FastEthernet0/28
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 spanning-tree portfast

interface Vlan1
 ip address

Using a port without authentication, everything works fine. Once I plug the cable into the port configured for authentication, the PC is not able to obtain an IP address from the server and I get the message "Windows was not able to issue a certificate to let you log in", on
, I ran a debug on the switch using "debug aaa authentication" and "debug radius authentication" but got no output; even on the server event viewer, no


- When changing the EAP type on the PC to the PEAP method with "CHAP version 2", and on the Windows server IAS "configuring the authentication method on the remote policy of Microsoft IAS using PEAP and CHAP version 2", the following output appears in the debug on the Catalyst switch:

interface FastEthernet0/3617 39
07:02:54: RADIUS:  Message-Authenticato[80]  183 55 04 0B 13
interface FastEthernet0/38:45
07:02:54: RADIUS:   C8 12 F9 DB 30 E0 A9 98 28 EE B7 08 E0 0B A4 91  [????0???(?a
interface FastEthernet0/40:   20 32 20 50 75 62 6C 6
interface FastEthernet
??????]      [
07:02:54: RADIUS:  Vendor, Cisco       [26]  2407 A5 31 8D  [.I??hZ
interface FastEthern
07:02:54: RADIUS:   cisco-nas-port     [2]   18  "FastEthernet0/28"Certific08:45: RADIU
interface FastEthernet0/457 50 E9 46 14
07:02:54: RADIUS:  NAS-Port            [5]   6   50028  41 75 74
len 161
07:03:55: RADIUS:  authenticator 3E E6 EC F8 33 BE 0C 33 - 5A C3 B7 11 8E A1 E6
07:03:55: RADIUS:  User-Name           [1]   13  "RADTEST\A7A"
07:03:55: RADIUS:  Service-Type        [6]   6   Framed                    [2]
07:03:55: RADIUS:  Framed-MTU          [12]  6   1500
07:03:55: RADIUS:  Called-Station-Id   [30]  19  "00-1B-D4-BD-D1-A0"
07:03:55: RADIUS:  Calling-Station-Id  [31]  19  "00-0F-B0-46-3C-E7"
07:03:55: RADIUS:  EAP-Message         [79]  18
07:03:55: RADIUS:   02 02 00 10 01 52 41 44 54 45 53 54 5C 41 37 41  [?????RADTE
07:03:55: RADIUS:  Message-Authenticato[80]  18
07:03:55: RADIUS:   E4 04 50 52 64 BE 58 FE AF 06 6B 56 98 6E 0E F1  [??PRd?X???
07:03:55: RADIUS:  Vendor, Cisco       [26]  24
07:03:55: RADIUS:   cisco-nas-port     [2]   18  "FastEthernet0/28"
07:03:55: RADIUS:  NAS-Port            [5]   6   50028
07:03:55: RADIUS:  NAS-Port-Type       [61]  6   Eth                       [15]
07:03:55: RADIUS:  NAS-IP-Address      [4]   6
07:03:55: RADIUS: Received from id 1645/73, Access-Reject, len
20                             <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< 
07:03:55: RADIUS:  authenticator CA 68 C6 A9 D1 22 C5 1C - D3 A8 26 24 15 F5 AA
07:03:55: RADIUS(00000007): Received from id 1645/73
On the Windows event viewer, I get the following: reason code 48 "connection attempt did not match any remote access policy", and on the client PC I get the message "Windows cannot log you onto the network".
- Even though I tried to search for documentation guides on the internet, there is no guide for troubleshooting such types of incidents; most of the guides include only configuration guides for wireless LANs and only a few cover wired networks.

 Therefore kindly assist me to tackle this incident, or kindly provide me with a configuration guide, if possible, to configure IAS, CA and GP and integrate them with IEEE 802.1x on LAN networks.
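As an added example (not part of the original post), a small Python decoder for the "debug radius" lines shown above: it reassembles the hex dump of the EAP-Message attribute, decodes the EAP header (here an EAP Response / Identity carrying "RADTEST\A7A") and reports the final Access-Reject, which helps confirm which identity actually reached IAS before the policy match failed. The sample lines are constructed to mirror the post's output.

```python
import re

# Constructed sample lines, modelled on the Access-Request / Access-Reject shown above.
SAMPLE_DEBUG = """\
07:03:55: RADIUS:  User-Name           [1]   13  "RADTEST\\A7A"
07:03:55: RADIUS:  EAP-Message         [79]  18
07:03:55: RADIUS:   02 02 00 10 01 52 41 44 54 45 53 54 5C 41 37 41  [?????RADTE
07:03:55: RADIUS:  NAS-Port            [5]   6   50028
07:03:55: RADIUS: Received from id 1645/73, Access-Reject, len 20
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}     # RFC 3748
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
ATTR_LINE = re.compile(r"RADIUS:\s+([A-Za-z-]+)\s*\[(\d+)\]\s+(\d+)\s*(.*)")
HEX_LINE = re.compile(r"RADIUS:\s+((?:[0-9A-F]{2} )+[0-9A-F]{2})")
RESULT_LINE = re.compile(r"Received from id \S+, (Access-\w+)")

def decode_eap(data: bytes) -> dict:
    """Parse the 4-byte EAP header; for Identity packets also return the identity string."""
    if len(data) < 4 or int.from_bytes(data[2:4], "big") > len(data):
        raise ValueError(f"truncated EAP packet ({len(data)} bytes captured)")
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    out = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:           # Request/Response carry a Type byte
        eap_type = data[4]
        out["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        if eap_type == 1:                         # Identity: the rest is the user/host name
            out["identity"] = data[5:length].decode("ascii", errors="replace")
    return out

def parse_debug(text: str) -> dict:
    """Collect RADIUS attributes, reassemble the EAP-Message hex dump, find the final code."""
    info = {"attributes": {}, "eap": None, "result": None}
    eap_bytes, collecting = bytearray(), False
    for line in text.splitlines():
        hex_match = HEX_LINE.search(line)
        if collecting and hex_match:              # continuation line of the EAP-Message dump
            eap_bytes += bytes.fromhex(hex_match.group(1))
            continue
        collecting = False
        attr = ATTR_LINE.search(line)
        if attr:
            name, _num, _length, value = attr.groups()
            info["attributes"][name] = value.strip().strip('"')
            collecting = name == "EAP-Message"
        elif (res := RESULT_LINE.search(line)):
            info["result"] = res.group(1)
    if eap_bytes:
        info["eap"] = decode_eap(bytes(eap_bytes))
    return info
```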