802.1x Authentication on Cisco C2960 & Win2k8 R2

Posted on 2013-11-22
Last Modified: 2013-12-07
Hello All,

We are trying to set up dynamic VLAN assignment based on the user's AD group; the Cisco switch in question is a 2960-S, and it's trying to talk to our NPS server running on Server 2008 R2. We have RADIUS authentication already set up on the switch, as we can authenticate to the switch via telnet using our AD credentials, so we have the initial config right.

Here's our switch config:

aaa new-model
!
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
radius-server dead-criteria time 5 tries 10
radius-server host 10.42.10.13 auth-port 1812 acct-port 1813 key psswd
radius-server vsa send authentication


interface GigabitEthernet3/0/11
 switchport access vlan 12
 switchport mode access
 authentication control-direction in
 authentication port-control auto
 authentication periodic
 authentication violation restrict

When Wired Auto Config is enabled on the workstation, we are not assigned any VLAN nor prompted for a username/pass. Instead there's no network connectivity. After enabling debugging on the switch, we get the following:
Received an EAPOL frame
Received pkt saddr =0012.3fc4.2aad , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
dot1x-ev(Gi3/0/11): New client detected, issuing Start Request to AuthMgr
dot1x-ev(Gi3/0/11): Role determination not required
dot1x-packet(Gi3/0/11): queuing an EAPOL pkt on Auth Q
dot1x-ev:Enqueued the eapol packet to the global authenticator queue

The workstation is configured with PEAP, validating our self-signed cert from our AD CS server.

We are really stuck, so can anyone give us some tips as to what we are doing wrong? Thanks.
Question by: Robert Davis

Accepted Solution

by: Craig Beck (earned 500 total points)
ID: 39671351
The port config is slightly incorrect I think.

With 802.1x you don't configure an access port VLAN ID. If you want to set a VLAN ID you'd configure the fail-auth VLAN ID or the critical VLAN ID.

Also you're not using port-control.

Test using this...

interface GigabitEthernet3/0/11
switchport mode access
authentication port-control auto
dot1x pae authenticator

If you're authenticating machines on a domain it's easier and more secure to use EAP-TLS and certificate auto-enrolment. You can use PEAP to process the user login after the machine is authenticated if you want, and that will enable you to do cool tricks like put the PC on one VLAN when it boots to get GPOs, etc, then shift the user into a specific VLAN based on security group, for example.

Author Comment

by: Robert Davis
ID: 39675528
We added dot1x pae authenticator and removed the access vlan, which I thought was used for clients that do not support Dot1x, but no change.

Thanks,
Robert

Expert Comment

by: Craig Beck
ID: 39675720
Can you debug aaa events on the switch and post the log?

Assisted Solution

by: Robert Davis (earned 0 total points)
ID: 39690534
So the switch config was slightly incorrect, and adding dot1x pae authenticator did the trick on the switch. We had to make changes server-side as well. First we had to set up a certificate for the NPS server; then we had to specify that certificate inside of the PEAP properties in the Connection Request Policy that the clients were using to talk to the server.

For anyone that might be interested, this is the link for setting up the NPS Server Cert: http://technet.microsoft.com/en-us/library/cc754198.aspx
And this talks about VLAN attributes that need to be used in the Network Policy: http://technet.microsoft.com/en-us/library/cc754422%28v=ws.10%29.aspx
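
Added example, not code from this thread, from Microsoft or from Cisco: a minimal decoder for the three RFC 2868 tunnel attributes that the Network Policy in the linked article adds to the Access-Accept, showing how the switch is expected to read them for dynamic VLAN assignment and why an incomplete or inconsistently tagged set leaves the port without a VLAN. Attribute numbers and values come from RFC 2865, RFC 2868 and RFC 3580; the sample packet is constructed by hand and its Response Authenticator is not verified.

```python
import struct

RADIUS_ACCESS_ACCEPT = 2                                               # RFC 2865 packet code
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868 attribute types
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6                       # RFC 3580 "VLAN", RFC 2868 "IEEE-802"

def build_accept(ident, attrs):
    """Frame an Access-Accept; the 16-byte Response Authenticator is zeroed, not computed."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, ident, 20 + len(body)) + bytes(16) + body

def parse_attributes(packet):
    """Split the packet into (type, value) pairs, rejecting inconsistent lengths."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != RADIUS_ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs, offset = [], 20  # 4-byte header + 16-byte authenticator
    while offset < length:
        atype, alen = packet[offset], packet[offset + 1]
        if alen < 2 or offset + alen > length:
            raise ValueError(f"bad attribute length at offset {offset}")
        attrs.append((atype, packet[offset + 2:offset + alen]))
        offset += alen
    return attrs

def untag(value):
    """RFC 2868 tag rule: a first octet of 0x00-0x1F is a tag, anything higher is data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value  # e.g. an untagged Tunnel-Private-Group-ID b"12" starts with 0x31

def vlan_from_accept(packet):
    """VLAN ID the switch would apply, or None unless one consistently tagged triple exists."""
    groups = {}
    for atype, value in parse_attributes(packet):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, data = untag(value)
            groups.setdefault(tag, {})[atype] = data  # RFC 2868 groups attributes by tag
    want = {TUNNEL_TYPE: TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_TYPE: TUNNEL_MEDIUM_IEEE_802}
    for g in groups.values():
        if len(g) == 3 and all(int.from_bytes(g[k], "big") == v for k, v in want.items()):
            vid = g[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
            if vid.isdigit() and 1 <= int(vid) <= 4094:
                return int(vid)
    return None

# Constructed sample, not a real capture: the tag-1 triple for VLAN 12 that an NPS
# Network Policy carrying the three VLAN attributes would return.
SAMPLE_ACCEPT = build_accept(7, [(TUNNEL_TYPE, b"\x01\x00\x00\x0d"), (TUNNEL_MEDIUM_TYPE, b"\x01\x00\x00\x06"),
                                 (TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"12")])
```

Running `vlan_from_accept(SAMPLE_ACCEPT)` returns 12; dropping Tunnel-Medium-Type, or tagging only two of the three attributes, returns None, which is the server-side mistake that shows up on the switch as an authenticated port with no VLAN.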

Author Closing Comment

by: Robert Davis
ID: 39702882
The expert's comment put us on the right track, but it didn't provide us with the entire solution.