Solved

NPS server shows "invalid RADIUS client IP address"

Posted on 2011-10-14
2,785 Views
Last Modified: 2012-05-12
I am trying to get port-based authentication working so that you can't just plug into a network port here. I have set up the Cisco 2950 switch I have as a client on my MS NPS server and then I've set the policy to accept domain users/computers. I have also gone on to the Cisco switch and created the secret, etc., but when I telnet back to the Cisco switch it's asking for user/password.

Obviously it's trying to authenticate me with RADIUS just to log in to the switch, but that's not really what I'm looking for. I just want this authentication to happen when you plug into a switch port. Also, the NPS server is showing the following error when I try to log in to the switch:

"A RADIUS message was received from the invalid RADIUS client IP address <IP of my laptop>."

Can anyone tell me how I can apply this policy just to the switch ports and not to the telnet login?

I have this working great with a wireless policy and a WLAN controller but this switch is not cooperating.
0
Question by:willlandymore
9 Comments
 
LVL 26

Expert Comment

by:Soulja
ID: 36970641
Can you post the switch config?
0
 
LVL 1

Author Comment

by:willlandymore
ID: 36970701
yeah, here's the output for a 'show run' and 'show dot1x'. I enabled the 802.1X for ports 0/20 - 0/24 so I've just put the configuration for those ones.

Switch#show run
Building configuration...
version 12.1

hostname Switch
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
enable secret 5 $1$2dQi$wkZs1GB3afKyMmS356yKr/
!
ip subnet-zero
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
(OTHER INTERFACES OMITTED BECAUSE THEY'RE NOT SET FOR 802.1X)

interface FastEthernet0/20
 switchport mode access
 no ip address
 dot1x port-control auto
!
interface FastEthernet0/21
 switchport mode access
 no ip address
 dot1x port-control auto
!
interface FastEthernet0/22
 switchport mode access
 no ip address
 dot1x port-control auto
!
interface FastEthernet0/23
 switchport mode access
 no ip address
 dot1x port-control auto
!
interface FastEthernet0/24
 switchport mode access
 no ip address
 dot1x port-control auto
!

interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/2
 no ip address
!
interface Vlan1
 ip address 192.168.2.18 255.255.255.0
 no ip route-cache
!
ip http server
!
radius-server host 192.168.2.59 auth-port 1812 acct-port 1813 key SuperSecretTest
radius-server retransmit 3
!
line con 0
line vty 0 4
<password>
!
end

show dot1x

Fa0/20                   enabled     Auto (negotiate)    no
Fa0/21                   enabled     Auto (negotiate)    no
Fa0/22                   enabled     Auto (negotiate)    no
Fa0/23                   enabled     Auto (negotiate)    no
Fa0/24                   enabled     Auto (negotiate)    no

0
 
LVL 1

Author Comment

by:willlandymore
ID: 36970769
and the error in the NPS server logs is showing my computer IP, not the IP of the Cisco switch that I setup as a client which is kind of weird...
0
 
LVL 26

Accepted Solution

by:
Soulja earned 2000 total points
ID: 36970809
try adding this:

aaa authentication login default enable
aaa authentication enable default enable

line vty 0 4
login

This should help you login using your secret password.


In your global config do you have:

dot1x system-auth-control

This enables 802.1x on the switch.
0
 
LVL 1

Author Comment

by:willlandymore
ID: 36970892
Okay, that worked to get me logging in with telnet again which is nice. However, I don't have the command "dot1x system-auth-control". When I have the dot1x and hit ? it gives me these options:

 default            Set global 802.1X parameters to default values
 max-req            Set maximum number of identity requests
 re-authentication  Enable periodic 802.1X authentication
 timeout            Set 802.1X timeout values

I remember seeing that one in the Cisco doc about enabling 802.1X but I couldn't get it to work.
0
 
LVL 1

Author Comment

by:willlandymore
ID: 36971005
I also set my NIC's authentication manually and got an 'authentication failed' when I tried to plug into port 0/23 on that switch... which is sort of an improvement. :)

I can also see a better error on the NPS server as well which says:

=======
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.

User:
      Security ID:                           DOMAIN\Laptop1$
      Account Name:                  host/Laptop1.domain.com
      Account Domain:                  DOMAIN
      Fully Qualified Account Name:      domain.com/OU/TestOU/Laptop1

Client Machine:
      Security ID:                  NULL SID
      Account Name:                  -
      Fully Qualified Account Name:      -
      OS-Version:                  -
      Called Station Identifier:            -
      Calling Station Identifier:            00-26-C9-B1-6B-1A

NAS:
      NAS IPv4 Address:            192.168.2.18
      NAS IPv6 Address:            -
      NAS Identifier:                  -
      NAS Port-Type:                  Ethernet
      NAS Port:                  50023

RADIUS Client:
      Client Friendly Name:            Switch
      Client IP Address:                  192.168.2.18

Authentication Details:
      Connection Request Policy Name:      WiredPolicy
      Network Policy Name:            WirelessPolicy
      Authentication Provider:            Windows
      Authentication Server:            Radius.domain.com
      Authentication Type:            EAP
      EAP Type:                  -
      Account Session Identifier:            -
      Logging Results:                  Accounting information was written to the local log file.
      Reason Code:                  70
      Reason:                        The network access method used by the access client to connect to the network does not match the value of the NAS-Port-Type attribute that is configured in the constraints of the matching network policy.
0
 
LVL 1

Author Comment

by:willlandymore
ID: 36971079
Okay, now that I've switched the NPS server to use Ethernet for this policy, it shows WiredPolicy for both the network and connection request policy and then displays:

Reason Code:                  22
Reason:                        The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

Is this due to that missing command about the dot1X now on the switch? It sees me, my credentials, matches the policies but can't get approved because it can't process the EAP type.
0
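As an added example (not code from the original thread), here is a small Python script that parses NPS "denied access" event text of the kind pasted in the two comments above and turns the Reason Code into a concrete thing to check: reason 70 (NAS-Port-Type constraint written for wireless while the switch reports Ethernet), reason 22 (EAP type not enabled on the matched policy), and a NAS-IP-Address that differs from the RADIUS client address NPS matched. The two sample events are constructed from the fields in this thread, and the hint text for each reason code is my own summary, not NPS documentation.

```python
"""Parse NPS 'denied access' event text and explain the reason code.

Added example, not code from the original thread. The field layout mirrors
the NPS audit text pasted in the question; the sample events are constructed.
"""
import re

# Reason codes seen in this thread and the misconfiguration each usually
# points to (assumed hints, summarised from the Reason text NPS prints).
REASON_HINTS = {
    70: "NAS-Port-Type constraint on the matched network policy does not "
        "match the access method; wired 802.1X requests report 'Ethernet'.",
    22: "the EAP type offered by the client is not enabled on the matched "
        "network policy (for example, PEAP missing from its EAP types).",
}

# 'Name:   value' lines; section headers such as 'NAS:' have an empty value.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9 /-]+?):\s*(?P<val>.*?)\s*$")


def parse_nps_event(text):
    """Return {field name: value} for an NPS event; '-' (not supplied) -> None."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m or not m.group("val"):
            continue  # prose line or section header
        val = m.group("val")
        fields[m.group("key").strip()] = None if val == "-" else val
    return fields


def diagnose(fields):
    """Return a list of findings for a parsed event (empty means consistent)."""
    findings = []
    code = fields.get("Reason Code")
    if code is None or not code.isdigit():
        findings.append("no Reason Code present; event may be truncated")
    elif int(code) in REASON_HINTS:
        findings.append(f"reason {code}: {REASON_HINTS[int(code)]}")
    elif int(code) != 0:
        findings.append(f"reason {code}: {fields.get('Reason') or 'no description'}")

    # NPS matches the RADIUS client by the packet's source address; the
    # NAS-IP-Address attribute is whatever the NAS chose to send. A mismatch
    # means the request is arriving from an address NPS does not expect.
    nas_ip, client_ip = fields.get("NAS IPv4 Address"), fields.get("Client IP Address")
    if nas_ip and client_ip and nas_ip != client_ip:
        findings.append(f"NAS-IP-Address {nas_ip} differs from RADIUS client {client_ip}")

    # A wired request landing on a policy written for Wi-Fi is the usual
    # story behind reason 70: its NAS-Port-Type constraint is 'Wireless'.
    policy = (fields.get("Network Policy Name") or "").lower()
    if fields.get("NAS Port-Type") == "Ethernet" and "wireless" in policy:
        findings.append("Ethernet request matched a wireless network policy; "
                        "check its NAS-Port-Type constraint")
    return findings


# Constructed event template modelled on the events in the thread.
EVENT_TEMPLATE = """\
Network Policy Server denied access to a user.
User:
      Security ID:                  DOMAIN\\Laptop1$
      Account Name:                 host/Laptop1.domain.com
NAS:
      NAS IPv4 Address:             192.168.2.18
      NAS Port-Type:                Ethernet
      NAS Port:                     50023
RADIUS Client:
      Client Friendly Name:         Switch
      Client IP Address:            192.168.2.18
Authentication Details:
      Connection Request Policy Name:   WiredPolicy
      Network Policy Name:          {policy}
      Authentication Type:          EAP
      EAP Type:                     -
      Reason Code:                  {code}
      Reason:                       {reason}
"""

SAMPLE_EVENT_70 = EVENT_TEMPLATE.format(
    policy="WirelessPolicy", code=70,
    reason="The network access method does not match the NAS-Port-Type constraint.")
SAMPLE_EVENT_22 = EVENT_TEMPLATE.format(
    policy="WiredPolicy", code=22,
    reason="The EAP Type cannot be processed by the server.")

if __name__ == "__main__":
    for name, text in (("reason-70 event", SAMPLE_EVENT_70),
                       ("reason-22 event", SAMPLE_EVENT_22)):
        print(name)
        for finding in diagnose(parse_nps_event(text)):
            print("  -", finding)
```

Run it as a script to see both constructed events diagnosed; to use it on real events, paste the text of one NPS denial event into `parse_nps_event` and feed the result to `diagnose`. The parser deliberately skips lines without a value so section headers and the leading prose do not pollute the field map.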
 
LVL 1

Author Comment

by:willlandymore
ID: 36971395
Found out why I didn't have the dot1X system-auth-control command...

Seems the software on the switch was not new enough. I upgraded the bin file on the switch and now have that option. I'll see if I can get it working over the weekend and then post back.
0
 
LVL 1

Author Comment

by:willlandymore
ID: 36971462
Awesome! Works like a charm now on those ports. I'll see about putting this in on a production box now. :)

The dot1X system-auth-control was part of the solution here. The other part was that I had not remembered to put EAP-PEAP on the policy so it was shooting the requests coming from the Cisco switch and computer down.

Thanks a lot.
0
