Robert Davis
asked on
802.1x Authentication on Cisco C2960 & Win2k8 R2
Hello All,
We are trying to set up dynamic VLAN assignment based on the user's AD group; the Cisco switch in question is a 2960-S, and it's trying to talk to our NPS server running on Server 2008 R2. We have RADIUS authentication already set up on the switch, as we can authenticate to the switch via telnet using our AD credentials, so we have the initial config right.
Here's our switch config:
aaa new-model
!
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
radius-server dead-criteria time 5 tries 10
radius-server host 10.42.10.13 auth-port 1812 acct-port 1813 key psswd
radius-server vsa send authentication
interface GigabitEthernet3/0/11
switchport access vlan 12
switchport mode access
authentication control-direction in
authentication port-control auto
authentication periodic
authentication violation restrict
When Wired Auto Config is enabled on the workstation, we are not assigned any vlan nor prompted for a username/pass. Instead there's no network connectivity. After enabling debugging on the switch, we get the following:
Received an EAPOL frame
Received pkt saddr =0012.3fc4.2aad , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
dot1x-ev(Gi3/0/11): New client detected, issuing Start Request to AuthMgr
dot1x-ev(Gi3/0/11): Role determination not required
dot1x-packet(Gi3/0/11): queuing an EAPOL pkt on Auth Q
dot1x-ev:Enqueued the eapol packet to the global authenticator queue
The workstation is configured with PEAP, validating our self-signed cert from our AD CS server.
We are really stuck, so can anyone give us some tips as to what we are doing wrong? Thanks.
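For the "aaa authorization network default group radius" line above to move the port off VLAN 12, the Access-Accept coming back from NPS has to carry the three RFC 2868 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE 802, Tunnel-Private-Group-ID = the VLAN). The following is an added Python example, not code from this thread, that parses a RADIUS Access-Accept and reports the VLAN a switch would apply, or nothing when one of the three attributes is missing or wrong. The packets are constructed inline for illustration and the Response Authenticator is deliberately not verified.

```python
import struct
# RADIUS attributes that carry a dynamic VLAN (RFC 2868 / RFC 3580); NPS sends all three
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
ACCESS_ACCEPT = 2

def parse_attributes(packet):
    """Yield (type, value) for each attribute after the 20-byte RADIUS header."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def strip_tag(value):
    """Tunnel attributes may start with a one-byte tag (0x00..0x1f); drop it if present."""
    return value[1:] if value and value[0] <= 0x1F else value

def vlan_from_access_accept(packet):
    """VLAN the switch would apply, or None when the reply is not a usable Accept.
    Note: the Response Authenticator is not verified here; the switch does that with the shared secret."""
    if packet[0] != ACCESS_ACCEPT:
        return None
    found = {}
    for atype, value in parse_attributes(packet):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[atype] = int.from_bytes(strip_tag(value), "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            found[atype] = strip_tag(value).decode("ascii")
    # Tunnel-Type must be 13 (VLAN) and Tunnel-Medium-Type 6 (IEEE 802), else the port stays put
    if found.get(TUNNEL_TYPE) != 13 or found.get(TUNNEL_MEDIUM_TYPE) != 6:
        return None
    return found.get(TUNNEL_PRIVATE_GROUP_ID)

def build_access_accept(attrs):
    """Constructed sample builder: minimal Access-Accept with a zero authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

def tagged_int(n):
    return b"\x00" + n.to_bytes(3, "big")  # tag 0 followed by a 3-byte integer
# Constructed: what an NPS network policy for VLAN 12 should return
GOOD = build_access_accept([(TUNNEL_TYPE, tagged_int(13)), (TUNNEL_MEDIUM_TYPE, tagged_int(6)),
                            (TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"12")])
# Constructed: Tunnel-Medium-Type omitted, so the switch will not move the port
BAD = build_access_accept([(TUNNEL_TYPE, tagged_int(13)), (TUNNEL_PRIVATE_GROUP_ID, b"12")])
```

Feeding a capture of the real NPS reply into vlan_from_access_accept is a quick way to tell whether the problem is on the NPS policy side (no VLAN attributes returned) or on the switch side (attributes present but not applied).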
ASKER CERTIFIED SOLUTION
Can you debug aaa events on the switch and post the log?
ASKER
The expert's comment put us on the right track, but it didn't provide us with the entire solution.
ASKER
Thanks,
Robert