asked on

EAP-TLS; Cisco + Microsoft NPS; wired 802.1x

I am in the process of setting up EAP-TLS authentication on my network.
I use cisco 3850's running 16.6.5 IOS XE
Microsoft Server 2016 for Radius / NPS

The question I have is the following:

Radius is configured as follows:
!
radius server NPS
address ipv4 x.x.206.16 auth-port 1812 acct-port 1813

We have a ACL that permits the following:
permit tcp any eq 1812 any
permit udp any any eq radius
permit udp any eq radius any
permit udp any any eq 1813
permit udp any eq 1813 any
permit tcp any any eq 1813
permit tcp any eq 1813 any

However EAP-TLS was not working. After reviewing the logs we found the following entries. UDP from the switch being denied going to the NPS server:

Dec 3 07:48:59:I:list MGMT denied udp x.x.221.139(42599)(Ethernet 5/7 5006.ab22.1e54) -> x.x.206.16(43961), 1 event(s)
Dec 3 07:42:24:I:list MGMT denied udp x.x.221.145(40734)(Ethernet 5/13 9c57.ada7.aa54) -> x.x.206.16(18819), 1 event(s)
Dec 3 07:37:23:I:list MGMT denied udp x.x.221.145(14857)(Ethernet 5/13 9c57.ada7.aa54) -> x.x.206.16(32594), 1 event(s)

If NPS is using 1812 / 1813 why is the switch sending out traffic on random high level UDP ports? What is this traffic being used for? Possibly EAP-TLS packet fragmentation?

Craig Beck

Can you post the switch config? You don't usually need an ACL unless you're restricting management traffic to/from the switch. It's important to note that EAP traffic isn't actually IP, so you don't need an ACL to only allow clients to talk to NPS on specific ports. In fact, EAP happens before the client even receives an IP, so an ACL won't stop anything anyway.

The logs don't show traffic from the switch; they show two different IP addresses, so it's unlikely to be sourced from your switch.

ASKER CERTIFIED SOLUTION

xSEOx

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial