Question

802.1x Wired

By EVGA
Wondering if anyone out there can point me to information on how to set up wired 802.1x with 2k3 IAS without using any kind of certificate. Cisco device is a 2960 ver 12.55SE and Windows XP sp3 with Correct Services Enabled. I have tried a lot of commands on the switch to set this up, but there are some problems I am hitting. Example: I plug the laptop into the port and run a debug on radius events and dot1x, and I get all kinds of information about dot1x, and then the port is blocked. I go into my IAS and there are no hits to the radius server. I cannot tell if the issue is on the switch to server or the switch to client.

I am attempting to configure this with EAP MD5-Challenge.

All Answers

Let's start with this

by NetMan1958 In reply to 802.1x Wired

Can you post a sanitized config from your switch? Maybe also post the debug output.

Posting

by EVGA In reply to Let's start with this

Building configuration...

Current configuration : 5206 bytes
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
!
hostname Bldg-800
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
!
!
aaa session-id common
clock timezone MST -7
system mtu routing 1500
authentication mac-move permit
udld aggressive
udld message time 7
ip subnet-zero
no ip source-route
!
!
!
crypto pki trustpoint TP-self-signed-481643392
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-481643392
revocation-check none
rsakeypair TP-self-signed-481643392
!
!
dot1x system-auth-control
!
!
!
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig (STP)
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause psecure-violation
errdisable recovery cause port-mode-failure
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause loopback
errdisable recovery cause small-frame
!
spanning-tree mode pvst
spanning-tree logging
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
spanning-tree uplinkfast
spanning-tree backbonefast
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
switchport access vlan 40
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan 40
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/3
switchport access vlan 40
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/4
switchport access vlan 40
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/5
switchport access vlan 40
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/6
switchport access vlan 40
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/7
switchport access vlan 40
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/8
switchport access vlan 40
switchport mode access
authentication event no-response action authorize vlan 50
authentication port-control auto
spanning-tree portfast
!
interface GigabitEthernet0/1
description Server-3750s 1/0/7
switchport trunk native vlan 1000
switchport mode trunk
logging event spanning-tree
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan99
ip address 172.16.0.8 255.255.255.0
no ip route-cache
!
ip default-gateway 172.16.0.1
no ip http server
ip http secure-server
ip sla enable reaction-alerts
logging trap debugging
snmp-server enable traps stpx loop-inconsistency
radius-server host 192.168.168.8 auth-port 1645 acct-port 1646 key 7 keyhere
A1713
banner motd ^C
** ---> Unauthorized Access is Strictly Forbidden <--- ** ^C
!
line con 0
line vty 0 4
logging synchronous
transport input telnet ssh
transport output telnet ssh
line vty 5 15
logging synchronous
transport input none
!
ntp clock-period 36029381
ntp server 172.16.0.1
end


I cannot provide the debug because I am at a remote location. I can post the debug tomorrow.

One thing I see right off

by NetMan1958 In reply to Posting

is that none of the interfaces are configured for dot1x. For example:
switch#conf t
switch(config)#interface FastEthernet0/1
switch(config-if)#dot1x port-control auto

Try adding that to one of the ports and see if it helps. If not, post your debug output when you can. Also see this article:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_25_see/configuration/guide/sw8021x.html

Disregard Last Post

by NetMan1958 In reply to Posting

Now that I'm not half asleep I see that you have interface FastEthernet0/8 configured with "authentication port-control auto". I'll watch for you to post the output of your debugs and see if that gives me a clue.
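
A way to check by script what NetMan1958 was reading off the config by eye, as an added example that is not code from the thread: it parses an abridged, constructed copy of the posted config and reports whether 802.1X is enabled globally, which RADIUS server the switch points at, and for each access port its port-control mode and the no-response fallback VLAN (Fa0/8 here authorizes VLAN 50 for any device that never answers EAP). The regex accepts both the older "dot1x port-control" spelling from the suggestion above and the "authentication port-control" form the posted config uses.

```python
import re

# Constructed sample: an abridged copy of the switch config posted in this thread.
SAMPLE_CONFIG = """\
dot1x system-auth-control
interface FastEthernet0/7
switchport mode access
!
interface FastEthernet0/8
switchport mode access
authentication event no-response action authorize vlan 50
authentication port-control auto
!
interface GigabitEthernet0/1
switchport mode trunk
!
radius-server host 192.168.168.8 auth-port 1645 acct-port 1646 key 7 keyhere
"""
PORT_CONTROL = re.compile(r"^(?:dot1x|authentication) port-control (\S+)$")  # both IOS spellings
NO_RESPONSE = re.compile(r"^authentication event no-response action authorize vlan (\d+)$")

def parse_config(text):  # -> (global lines, {interface name: [its lines]})
    global_lines, interfaces, current = [], {}, None
    for line in map(str.strip, text.splitlines()):
        if line == "!":                      # "!" closes the current interface block
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        elif line:
            global_lines.append(line)
    return global_lines, interfaces

def audit_dot1x(text):  # global 802.1X state plus per-access-port port-control and fallback VLAN
    global_lines, interfaces = parse_config(text)
    report = {"global_enabled": "dot1x system-auth-control" in global_lines, "ports": {}, "unauthenticated": [],
              "radius_servers": [g.split()[2] for g in global_lines if g.startswith("radius-server host ")]}
    for name, lines in interfaces.items():
        if "switchport mode access" not in lines:
            continue                         # trunks and SVIs are not 802.1X edge ports
        # IOS defaults to force-authorized when no port-control line is present
        mode = next((m.group(1) for m in map(PORT_CONTROL.match, lines) if m), "force-authorized")
        fallback = next((m.group(1) for m in map(NO_RESPONSE.match, lines) if m), None)
        report["ports"][name] = {"port_control": mode, "no_response_vlan": fallback}
        if mode != "auto":                   # passes traffic with no EAP exchange at all
            report["unauthenticated"].append(name)
    return report
```

Every access port listed under "unauthenticated" passes traffic with no 802.1X exchange, and a no-response VLAN admits any device that simply has no supplicant, so both are worth confirming before chasing the switch-to-IAS side.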
