asked on
I am in the process of setting up EAP-TLS authentication on my network.
I use cisco 3850's running 16.6.5 IOS XE
Microsoft Server 2016 for Radius / NPS
The question I have is the following:
Radius is configured as follows:
!
radius server NPS
address ipv4 x.x.206.16 auth-port 1812 acct-port 1813
We have a ACL that permits the following:
permit tcp any eq 1812 any
permit udp any any eq radius
permit udp any eq radius any
permit udp any any eq 1813
permit udp any eq 1813 any
permit tcp any any eq 1813
permit tcp any eq 1813 any
However EAP-TLS was not working. After reviewing the logs we found the following entries. UDP from the switch being denied going to the NPS server:
Dec 3 07:48:59:I:list MGMT denied udp x.x.221.139(42599)(Etherne
Dec 3 07:42:24:I:list MGMT denied udp x.x.221.145(40734)(Etherne
Dec 3 07:37:23:I:list MGMT denied udp x.x.221.145(14857)(Etherne
If NPS is using 1812 / 1813 why is the switch sending out traffic on random high level UDP ports? What is this traffic being used for? Possibly EAP-TLS packet fragmentation?
I use cisco 3850's running 16.6.5 IOS XE
Microsoft Server 2016 for Radius / NPS
The question I have is the following:
Radius is configured as follows:
!
radius server NPS
address ipv4 x.x.206.16 auth-port 1812 acct-port 1813
We have a ACL that permits the following:
permit tcp any eq 1812 any
permit udp any any eq radius
permit udp any eq radius any
permit udp any any eq 1813
permit udp any eq 1813 any
permit tcp any any eq 1813
permit tcp any eq 1813 any
However EAP-TLS was not working. After reviewing the logs we found the following entries. UDP from the switch being denied going to the NPS server:
Dec 3 07:48:59:I:list MGMT denied udp x.x.221.139(42599)(Etherne
Dec 3 07:42:24:I:list MGMT denied udp x.x.221.145(40734)(Etherne
Dec 3 07:37:23:I:list MGMT denied udp x.x.221.145(14857)(Etherne
If NPS is using 1812 / 1813 why is the switch sending out traffic on random high level UDP ports? What is this traffic being used for? Possibly EAP-TLS packet fragmentation?
Learn from the best
Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.
Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 2 Comments.
Try for 7 days”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.
Our community of experts have been thoroughly vetted for their expertise and industry experience.