We are trying to setup dynamic vlan assignment based on the user's AD group; the Cisco switch in question is a 2960-S, and it's trying to talk to our NPS server running on Server 2008 R2. We have RADIUS authentication already set up on the switch, as we can authenticate to the switch via telnet using our AD credentials, so we have the initial config right.
Here's our switch config:
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server dead-criteria time 5 tries 10
radius-server host 10.42.10.13 auth-port 1812 acct-port 1813 key psswd
radius-server vsa send authentication
switchport access vlan 12
switchport mode access
authentication control-direction in
authentication port-control auto
authentication violation restrict
When Wired Auto Config is enabled on the workstation, we are not assigned any vlan nor prompted for a username/pass. Instead there's no network connectivity. After enabling debugging on the switch, we get the following:
Received an EAPOL frame
Received pkt saddr =0012.3fc4.2aad , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
dot1x-ev(Gi3/0/11): New client detected, issuing Start Request to AuthMgr
dot1x-ev(Gi3/0/11): Role determination not required
dot1x-packet(Gi3/0/11): queuing an EAPOL pkt on Auth Q
dot1x-ev:Enqueued the eapol packet to the global authenticator queue
The workstation is configured with PEAP, validating our self signed cert from our AD CS server.
We are really stuck, so can anyone give us some tips as to what we are doing wrong? Thanks.