Cisco IP 7841 802.1x Configuration

Hello Team,
I am working with a customer that requires 802.1x configured on their environment. Based on my research so far, I believe this is the only way to make this work. Have any of you done this differently? Any feedback is greatly appreciated.
CUCM
Run the CTL Client to install the e-token so the CUCM Publisher can run the CAPF service
Export the Cisco_Root_CA cert and upload it to a RADIUS server (preferably Cisco ACS if possible) so the phones can authenticate with it
Assign the cert to each phone that requires 802.1x authentication
LAN Switches
Stage the LAN switches without 802.1x so phones can retrieve the cert and complete the authentication before turning on 802.1x
Questions
Can phones be authenticated with their own MIC and the PCs with their own? Do phones and PCs have to run the same cert?
Is MAB the only method to bypass the 802.1x phone authentication so that only the PC is authenticated via 802.1x, without requiring the phone to do the 802.1x authentication?
Thanks in advance for your feedback,
Gerson

Jaime,
Thanks for pointing me to the correct area. By the way, do you have experience enabling 802.1x in CUCM? If so, do you think I am going in the right direction? Could you also provide some feedback on my questions?
Thanks,
Gerson

Similar Messages

  • Cisco ISE for 802.1x (EAP-TLS)

    I work for a banking organization and security is an area that needs to be improved continuously. I am planning on implementing Cisco ISE for 802.1x together with a Microsoft PKI for certificate issuing and signing.
    I am currently trying to implement this in our test environment and I have managed to do a few basic bootstrapping tasks. I need someone to push me in the right direction as to how I can achieve what I am seeking.
    I will use Cisco 2900 series switches on the access layer and a few HP switches as well which support 802.1x.
    I want to configure the ISE to process authentication requests using 802.1x EAP-TLS (certificate based). All the workstations on the domain need to authenticate themselves using the certificates issued to them by the Certificate Issuing Authority.
    I have already managed to get the PKI working and have rolled out the certificates on all the workstations in the test environment. I can't seem to configure the authentication portion on the ISE.
    I request that someone guide me or direct me to materials that can help achieve the above requirements. The guides available on the Cisco website are overwhelming and I can't seem to figure out how I am supposed to configure the authentication portion.
    My email: [email protected]
    Cheers,
    Krishil Reddy

    Hello Mubashir,
    Many timers can be modified as needed in a deployment. Unless you are experiencing a specific problem where adjusting the timer may correct unwanted behavior, it is recommended to leave all timers at their default values except for the 802.1X transmit timer (tx-period).
    The tx-period timer defaults to a value of 30 seconds. Leaving this value at 30 seconds provides a default wait of 90 seconds (3 x tx-period) before a switchport will begin the next method of authentication, and begin the MAB process for non-authenticating devices.
    Based on numerous deployments, the best-practice recommendation is to set the tx-period value to 10 seconds to provide the optimal time for MAB devices. Setting the value below 10 seconds may result in the port moving to MAC authentication bypass too quickly.
    Configure the tx-period timer.
    C3750X(config-if-range)#dot1x timeout tx-period 10

  • 802.1x configuration for 3500 switch and 2800 switc

    Can anyone point me to a document on how to do a 3500 switch 802.1x configuration as well as a 2800 switch? How do you define the server auth-port? Thanks

    Even though this link is for CAT6k, it has some very useful screenshots that will help you to successfully implement dot1x:
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a00801d11a4.shtml
    Regards
    Farrukh

  • What is the cisco ironport C680 and M680 configuration backup file size?

    what is the cisco ironport C680 and M680 configuration backup file size?

    Size of the XML itself?  That is going to vary based on what you have configured, total lines of code, and # of appliances you may/may not have in cluster.
    M680, based on SMA as stand-alone, should be similar --- you are probably looking @ < 1 MB... 
    Looking @ my test environment, in which I have a nightly cron job set to grab a backup of...
    -rw-rw----  1 robert robert 161115 Sep 26 02:00 C000V-564D1A718795ACFEXXXX-YYYYBAD60A5A-20140926T020002.xml
    So, 161115 bytes = .15 MB
    -Robert

  • Create New 802.1x Configuration?

    Hi all,
    Is there a command in the terminal to create a New 802.1x Configuration? I want to bypass the Internet Connect app so that I can automate this.
    Thanks,
    Matt

    Hello Sergio,
    You can read this document:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=05951071-6b20-4cef-9939-47c397ffd3dd&displaylang=en
    This works in my case except VLAN assignment. :(
    But I have been occupied with this for only one day, so if I succeed with VLAN assignment I will inform you.
    Mladen

  • Cisco IP Phone 802.1x authentication with NPS

    Hi All,
    I would like to configure 802.1x authentication on both my Cisco IP phones and Windows clients using NPS. So far I have tested the clients and it works; however, I am not finding any information on whether NPS supports 802.1x on IP phones. Has anyone done a similar deployment using NPS? So far I am only seeing the Cisco ACS server being used as the policy server.

    Hi,
    Based on my research, it seems that you may encounter issues related to the username (basically Microsoft only allows a 20-character user name, while the user name of the phone exceeds the 20-character limit and causes it to fail) and the certificate schema when configuring 802.1x authentication for Cisco IP phones.
    Best regards,
    Susie
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Cisco WLC 2500 - 802.1x with Vasco Radius SMS OTP

    Hello folks,
    I have what seems to be a complex implementation with many things that need to be done on a customer's network and I wanted to be pointed in the right direction.
    The current scenario is this: the customer has a Cisco WLC 2500 device that has 3 access points (these are in the same AP group) connected to it. There is one SSID that I will call PRODUCTION here that some domain users use to connect to the local network. The customer has requested to have a GUEST SSID added to the WLC where guest users will connect and receive an SMS OTP for authentication.
    Correct me if I am wrong, but I will obviously need to segment the SSIDs to have them running on different subnets to ensure that guest users do not have access to the production network once they authenticate. In order to do this I will need to configure dynamic VLAN assignment for the Cisco WLC and connect it to an 802.1x port on the switch.
    Now what is not clear is that I am not interested in authenticating the users that connect via the "Production SSID" and want to bypass authentication for those users and have them assigned to the default VLAN (or perhaps have them authenticate via LDAP on the AD); however, I want to force the "GUEST" SSID users to authenticate so that they may receive an SMS OTP (the reason for this is to force guests to register their phone numbers to use the internet so that illegal activity may be tracked).
    1) So would it be possible to bypass authentication (or authenticate them via LDAP) for the PRODUCTION SSID, as only domain users would know the SSID password to log on, and have them by default assigned to the production subnet (default VLAN), but force the GUEST SSID users to another VLAN via 802.1x SMS OTP?
    2) *Important* Another issue that is not clear is whether I will be able to directly configure AAA RADIUS settings on the Cisco WLC to directly authenticate with the VASCO RADIUS OTP and receive a challenge-response (required for OTP) during authentication. As I have seen from Cisco's dynamic VLAN assignment documentation (http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml), additional IETF RADIUS parameters such as Tunnel-Private-Group-ID etc. are used, which I can't seem to configure on the Vasco.
    I do believe this is a great project in helping me understand the ins and outs of the Cisco WLC as well as wireless NAC. If anyone could enlighten me and point me in the right direction I would be forever in debt. Much appreciated.
    Best Regards
    Sinan Barghouthi - JNCIA-FWV , JNCIA-IDP , CCA-NS , TCSM-8.0

    On your WLAN you can enable AES and TKIP. Just know that some clients may have issues when they see both TKIP and AES. I've had pretty good success with this in the past. Don't forget, you also need to enable WMM allowed to get N rates.
    But you will need to configure AES on the client as well to support N rates.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • PoE standard (cisco ILP vs 802.3af)

    I have CCNP switch official guide book, page 306 says below.
    For cisco ILP, inline power is provided over data pairs 2 and 3 (RJ45 1,2 and 3,6)
    For 802.3af, power can be supplied in the same fashion (1,2 and 3,6) or over pairs 1 and 4 (RJ45 4,5 and 7,8)
    Can you tell me when those bold options are used in terms of PoE?
    Thanks.

    I believe the 802.3af standard actually allows both pinout configurations. They are known as Mode A and Mode B. Mode A uses the data pairs while Mode B uses the "spare" pairs. I have always been under the impression that Mode A would be what one would find on devices that terminate a connection. For example, a Cisco Catalyst switch that provides 802.3af power will use the data Tx/Rx pairs (pins 1,2,3,6). Further, my belief is that Mode B would be used by "mid-span" devices that insert power. For example, in-line power patch panels or in-line power injectors. These panels use the "spare" pairs to carry DC power (pins 4,5,7,8).
    The equipment that provides the power (i.e. the power sourcing equipment) determines which Mode (i.e. pins) is used. The powered device that is 802.3af compliant must be capable of supporting both modes.
    Here is a quick reference chart:
    https://supportforums.cisco.com/docs/DOC-10259
    The chart doesn't directly answer your question, but you may find it handy as you are getting a feel for the material.
    HTH.
    Regards,
    Bill
    Please rate helpful posts.

  • Cisco 1242AG Access Point proper configuration

    Hello everyone,
    Here is the situation:
    Recently we decided to create a small WLAN in our business. We chose the Cisco AIR-AP1242AG-E-K9 with 2x 2.4GHz 2.2dBi swivel dipole antennas.
    For better manageability a new routable VLAN (ID:20) was added to our router with IP 192.168.55.1 and SNET 255.255.255.0
    Next, I made the following configurations in the autonomous AP through the web console:
    Static IP:192.20.10.35, SNET:255.255.254.0, GWY:192.20.10.200
    VLAN1 (Native) and VLAN20 (Radio0-802.11g) added into Services.
    I set the Encryption Mode to None for VLAN1 and Cipher AES CCMP for VLAN20
    In Server Manager I defined a new RADIUS server 192.20.10.35 (AP IP) and a shared secret and left the default ports for Authentication and Accounting (1645 and 1646). Also, in the Default Server Priorities section I set the Access Point IP (RADIUS server) 192.20.10.35 as Priority 1 both for EAP and MAC authentication.
    In Local RADIUS Server General Set-Up, I added as current network access server (AAA client) the same IP and shared secret as the ones I used during the RADIUS server configuration above. Under Enable Authentication Protocols I left checked only LEAP and MAC. Also, in the Individual Users section 2 new users were created with text passwords.
    In SSID Manager a new hidden SSID was created for interface Radio0-802.11g, associated with VLAN20, and in the Client Authentication Settings section I left as accepted method Open Authentication with MAC authentication and EAP. Also, I left the Use Defaults option both for EAP and MAC Authentication Servers in the Server Priorities section, and finally in the Client Authenticated Key Management section I chose Mandatory for Key Management and checked the Enable WPA option.
    I can ping both the AP and VLAN20 IPs from any PC which is a member of the native VLAN
    As wireless clients I use 2 Motorola MC5574 with Windows Mobile 6.1 professional. Both of them have a Jedi WLAN adapter configured with the followings:
    IPs:192.168.55.10 and 192.168.55.11
    SNET:255.255.255.0
    GWY:192.168.55.1
    Also, a unique profile has been created on each one of them to be used for AP association-authentication. Each profile has been configured for WPA2 Enterprise with AES and LEAP and the predefined user credentials (those defined into AP for Individual Users)
    The problem:
    Client association with the AP is always successful, but authentication fails and from the clients I can't ping the AP IP or the VLAN20 IP, nor can they ping each other.
    What am I missing here? I'm sure that it is something quite simple, but although I tried several different setups (i.e. WPA2-PSK, WPA-PSK, even with TKIP) I always end up without a proper solution for the ping inability.
    Thank you in advance for any help

    Hello Madhuri,
    Below is the latest running-config output from the access point:
    Building configuration...
    Current configuration : 3743 bytes
    ! Last configuration change at 03:56:04 +0200 Sun Nov 28 2010 by Cisco
    ! NVRAM config last updated at 03:58:07 +0200 Sun Nov 28 2010 by Cisco
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname RCT_THP_AP1
    enable secret 5 $1$26u0$emaUzNvvihCCZeKeooQ8M0
    aaa new-model
    aaa group server radius rad_eap
    server 192.20.10.35 auth-port 1645 acct-port 1646
    aaa group server radius rad_mac
    server 192.20.10.35 auth-port 1645 acct-port 1646
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    clock timezone +0200 2
    ip name-server 192.20.11.2
    dot11 ssid RCTHP
       vlan 20
       authentication open mac-address mac_methods eap eap_methods
       authentication key-management wpa
    power inline negotiation prestandard source
    username Cisco password 7 00271A150754
    username 00236867a192 password 7 101E594B56414A5D5B057B7276
    username 00236867a192 autocommand exit
    username 00236867a19b password 7 091C1E5B4A534F445C0D557329
    username 00236867a19b autocommand exit
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption vlan 20 mode ciphers aes-ccm
    ssid RCTHP
    channel 2462
    station-role root
    bridge-group 1
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio0.20
    encapsulation dot1Q 20
    no ip route-cache
    bridge-group 20
    bridge-group 20 subscriber-loop-control
    bridge-group 20 block-unknown-source
    no bridge-group 20 source-learning
    no bridge-group 20 unicast-flooding
    bridge-group 20 spanning-disabled
    interface Dot11Radio1
    no ip address
    no ip route-cache
    shutdown
    no dfs band block
    channel dfs
    station-role root
    interface Dot11Radio1.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    interface FastEthernet0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface FastEthernet0.20
    encapsulation dot1Q 20
    no ip route-cache
    bridge-group 20
    no bridge-group 20 source-learning
    bridge-group 20 spanning-disabled
    interface BVI1
    ip address 192.20.10.35 255.255.254.0
    no ip route-cache
    ip default-gateway 192.20.10.200
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    snmp-server view dot11view ieee802dot11 included
    snmp-server community public view dot11view RO
    snmp-server contact IS
    radius-server local
      no authentication eapfast
      nas 192.20.10.35 key 7 03130807055F2C1F
      user motomob1 nthash 7 15315B29557B0D767E111074455E332022000F0D0A725C223B300C7A0E760A0371
      user motomob2 nthash 7 075E716D6C2F49514636532A5C0B0A067C1567003224335553047F0C710058263E
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 192.20.10.35 auth-port 1645 acct-port 1646 key 7 120E561B115B0157
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 0 4
    sntp server 192.20.10.2
    sntp broadcast client
    end
    Regards
    Vasilis

  • IOS 15.0.(1)SE2 802.1X configuration ignores VSA ?

    Hi all,
    I configured dot1x on a 3750X with version 15.0.(1)SE2 but have a problem with MDA:
    My phone is authenticating successfully but is placed in the DATA domain instead of VOICE:
    show authentication interface gi3/0/9
    Client list:
    Interface  MAC Address     Method   Domain   Status         Session ID
      Gi3/0/9    0080.9fab.d2f2  dot1x    DATA     Authz Success  000000000000361C1BA5BAF5
    though the switch receives a VSA from the RADIUS server (output from debug radius authentication):
    Mar  9 18:10:28.976: RADIUS: Received from id 1645/106 10.0.0.4:1645, Access-Accept, len 240
    Mar  9 18:10:28.976: RADIUS:  authenticator 6B 87 86 16 99 E7 A3 06 - 6B 98 63 12 16 C8 9C 48
    Mar  9 18:10:28.985: RADIUS:  EAP-Message         [79]  6  
    Mar  9 18:10:28.985: RADIUS:   03 07 00 04
    Mar  9 18:10:28.985: RADIUS:  Class               [25]  46 
    Mar  9 18:10:28.985: RADIUS:   47 1B 05 65 00 00 01 37 00 01 02 00 0A 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 01 CC F8 92 38 D7 D3 4D 00 00 00 00 00 02 68 07           [ Ge7(8Mh]
    Mar  9 18:10:28.985: RADIUS:  Vendor, Cisco       [26]  34 
    Mar  9 18:10:28.985: RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
    Mar  9 18:10:28.985: RADIUS:  Vendor, Microsoft   [26]  58 
    Mar  9 18:10:28.985: RADIUS:   MS-MPPE-Send-Key   [16]  52  *
    Mar  9 18:10:28.985: RADIUS:  Vendor, Microsoft   [26]  58 
    Mar  9 18:10:28.985: RADIUS:   MS-MPPE-Recv-Key   [17]  52  *
    Mar  9 18:10:28.985: RADIUS:  Message-Authenticato[80]  18 
    Mar  9 18:10:28.985: RADIUS:   82 9D F1 DB 64 0D 65 85 D2 C8 09 C7 10 9B C3 84                [ de]
    Mar  9 18:10:29.001: RADIUS(00003686): Received from id 1645/106
    Mar  9 18:10:29.001: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
    Mar  9 18:10:29.010: %DOT1X-5-SUCCESS: Authentication successful for client (0080.9fab.d2f2) on Interface Gi3/0/9 AuditSessionID 00000000000036091B977720
    Mar  9 18:10:29.010: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0080.9fab.d2f2) on Interface Gi3/0/9 AuditSessionID 00000000000036091B977720
    Mar  9 18:10:29.446: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0080.9fab.d2f2) on Interface Gi3/0/9 AuditSessionID 00000000000036091B977720
    Mar  9 18:10:29.454: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/9, changed state to up
    and "radius-server vsa send authentication" is set
    The switchport is configured in the following way:
    interface GigabitEthernet3/0/9
    switchport access vlan 115
    switchport mode access
    switchport nonegotiate
    switchport voice vlan 113
    authentication control-direction in
    authentication event fail action authorize vlan 101
    authentication event server dead action authorize vlan 100
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication port-control auto
    authentication violation replace
    mls qos trust dscp
    dot1x pae authenticator
    storm-control broadcast level 10.00
    storm-control action shutdown
    spanning-tree portfast
    spanning-tree bpduguard enable
    ip dhcp snooping limit rate 20
    Radius Server is MS W2K8 NPS.
    Am I missing something or is it a bug in 15.0? I remember it worked on 12.5 something.
    Many thanks in advance for any hints!

    Hi,
    I am authenticating with dot1x; MAB might be used some day for devices not supporting 802.1X.
    Authentication works fine, I just wonder why the phone is placed into the DATA domain though the RADIUS server returns a VSA "device-traffic-class=voice".
    SWITCH#show authentication sessions interface gi3/0/9
                Interface:  GigabitEthernet3/0/9
              MAC Address:  0080.9fab.d2f2
               IP Address:  Unknown
                User-Name:  ipphone
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-domain
         Oper control dir:  in
            Authorized By:  Authentication Server
               Vlan Group:  N/A
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0000000000003AC232ED1550
          Acct Session ID:  0x00003B3D
                   Handle:  0xB0000BD7
    Runnable methods list:
           Method   State
           dot1x    Authc Success
    SWITCH#show dot1x all details
    Sysauthcontrol              Enabled
    Dot1x Protocol Version            3
    Dot1x Info for GigabitEthernet3/0/9
    PAE                       = AUTHENTICATOR
    PortControl               = AUTO
    ControlDirection          = In
    HostMode                  = MULTI_DOMAIN
    QuietPeriod               = 60
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthMax                 = 2
    MaxReq                    = 2
    TxPeriod                  = 30
    Dot1x Authenticator Client List
    EAP Method                = (13)
    Supplicant                = 0080.9fab.d2f2
    Session ID                = 0000000000003AC232ED1550
        Auth SM State         = AUTHENTICATED
        Auth BEND SM State    = IDLE
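The post above pairs two pieces of evidence: the RADIUS debug shows the Access-Accept carrying the Cisco AVpair device-traffic-class=voice, while show authentication sessions shows the session authorized into the DATA domain. The following script is an added example (not code from the post or from Cisco) that parses both outputs and reports whether the VSA the server sent matches the domain the switch actually applied, so the two can be compared mechanically across many ports instead of by eye. The sample text is copied from the post and trimmed; the function names and the dictionary it returns are this example's own.

```python
import re

# Constructed sample input: the RADIUS debug excerpt and the
# "show authentication sessions" output quoted in the post above,
# trimmed to the lines this check needs.
RADIUS_DEBUG = """\
Mar  9 18:10:28.976: RADIUS: Received from id 1645/106 10.0.0.4:1645, Access-Accept, len 240
Mar  9 18:10:28.985: RADIUS:  Vendor, Cisco       [26]  34
Mar  9 18:10:28.985: RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
Mar  9 18:10:28.985: RADIUS:  Vendor, Microsoft   [26]  58
Mar  9 18:10:28.985: RADIUS:   MS-MPPE-Send-Key   [16]  52  *
Mar  9 18:10:29.010: %DOT1X-5-SUCCESS: Authentication successful for client (0080.9fab.d2f2) on Interface Gi3/0/9 AuditSessionID 00000000000036091B977720
"""

SESSION_OUTPUT = """\
            Interface:  GigabitEthernet3/0/9
          MAC Address:  0080.9fab.d2f2
           IP Address:  Unknown
            User-Name:  ipphone
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  in
        Authorized By:  Authentication Server
           Vlan Group:  N/A
    Common Session ID:  0000000000003AC232ED1550
Runnable methods list:
       Method   State
       dot1x    Authc Success
"""

# "Cisco AVpair [1] <len> "key=value"" as printed by debug radius authentication
AVPAIR_RE = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"([^"]+)"')
# "Received from id <id> <server:port>, Access-<Result>, len N"
ACCEPT_RE = re.compile(r'Received from id \S+ (\S+), (Access-\w+)')
# "   Field name:  value" lines of show authentication sessions
FIELD_RE = re.compile(r'^[ \t]*([A-Za-z][A-Za-z -]*?):[ \t]+(\S.*)$', re.M)


def parse_radius_debug(text):
    """Return the Access-* result code and the Cisco AVpairs carried in the reply."""
    result = {'server': None, 'code': None, 'avpairs': {}}
    m = ACCEPT_RE.search(text)
    if m:
        result['server'], result['code'] = m.group(1), m.group(2)
    for m in AVPAIR_RE.finditer(text):
        key, _, value = m.group(1).partition('=')
        result['avpairs'][key] = value
    return result


def parse_session(text):
    """Turn the key: value lines of show authentication sessions into a dict."""
    return {k.strip(): v.strip() for k, v in FIELD_RE.findall(text)}


def expected_domain(avpairs, host_mode):
    """In multi-domain host mode the AVpair device-traffic-class=voice selects
    the VOICE domain; anything else is authorized into DATA."""
    if host_mode == 'multi-domain' and avpairs.get('device-traffic-class') == 'voice':
        return 'VOICE'
    return 'DATA'


def check_voice_domain(debug_text, session_text):
    """Compare what the RADIUS server asked for with what the switch applied."""
    radius = parse_radius_debug(debug_text)
    session = parse_session(session_text)
    exp = expected_domain(radius['avpairs'], session.get('Oper host mode'))
    actual = session.get('Domain', 'UNKNOWN')
    return {
        'mac': session.get('MAC Address'),
        'interface': session.get('Interface'),
        'radius_code': radius['code'],
        'vsa_seen': 'device-traffic-class' in radius['avpairs'],
        'expected_domain': exp,
        'actual_domain': actual,
        'mismatch': radius['code'] == 'Access-Accept' and exp != actual,
    }


if __name__ == '__main__':
    for key, value in check_voice_domain(RADIUS_DEBUG, SESSION_OUTPUT).items():
        print(f'{key:16} {value}')
```

A mismatch with vsa_seen true, as in the post, tells you the attribute did arrive at the switch and the problem lies in how the port applied it; vsa_seen false would instead point at the NPS policy or at the missing radius-server vsa send authentication setting.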

  • Cisco 1130 ag 802.11B clients

    Hello, I've set up an Aironet Cisco AP 1130ag,
    but only radio G is working, so 802.11g;
    radio A is disabled.
    Only the G clients can see my wireless SSID;
    for B clients my network doesn't appear in laptops.
    I have the data rate speeds as default so that B clients can see it.
    The network encapsulation is 802.1x instead of RFC1042.
    What kind of configuration do I need to do so that B clients can see my network?

  • Cisco ASA 5510 Backup Interface configuration

    Hi Experts,
    I am a newbie with Cisco firewalls, please help.
    We have a BSNL leased line of 2 Mbps with a few static IPs, of which 2 IPs are configured in Firewall 1: one for the outside interface and one for publishing the DMZ server. Most of the time, for one reason or another, the BSNL line goes down, so now I need to configure another TATA Broadband 1 Mbps dial-up line as a backup for the BSNL line so as to provide uninterrupted Internet to our users.
    Please guide me through the steps.
    Thanks in advance.
    Anish N

    Hi Anish,
    Check the below mentioned link for configuration.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

  • Cisco MSE3310 integration with WCS configuration procedures

    Dears,
    I have a Cisco WCS configured; now I have brought in a Cisco MSE3310 and I need to configure it for IPS, so please can you support me with the configuration procedures, especially for IPS, and explain how it will work.
    Thanks for your support,

    http://www.cisco.com/en/US/docs/wireless/mse/3350/6.0/CAS/configuration/guide/msecg_ch2_CAS.html

  • Cisco ISE & 3750 Switch MAB configuration Issue

    Hi,
    I am writing in response to a MAB issue which I noticed a few days ago, and I am still not able to understand what exactly happened. First of all I would like to say that I configured MAB authentication, and according to the MAC the ISE configures a VLAN. All worked well: the test computer can change VLAN based on its MAC. The problem appears when I cut the connection to the ISE server. According to the configuration the switch authorizes the new device into VLAN 11 (critical VLAN). That is fine! When the ISE server is up again I had a configuration which should reauthorize all ports assigned to the critical VLAN. But why did that not happen? It looks as if the switch didn't notice that the RADIUS (ISE) was up and working again.
    Here is the test switch configuration :
    interface FastEthernet0/22
    switchport access vlan 10
    switchport mode access
    authentication event fail action next-method
    authentication event server dead action authorize vlan 11
    authentication event server alive action reinitialize
    authentication order mab dot1x
    authentication priority mab dot1x
    authentication port-control auto
    authentication periodic
    authentication violation restrict
    mab     
    dot1x pae authenticator
    spanning-tree portfast
    spanning-tree bpduguard enable
    snmp-server community ISE-Test RO
    snmp-server community ISE-Test1 RW
    snmp-server trap-source FastEthernet0/24
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 192.168.98.10 auth-port 1812 acct-port 1813 key cisco123
    radius-server vsa send accounting
    radius-server vsa send authentication
    Thank you in advance! I hope that this issue might be interesting!
    Martin

    Can you confirm that you have the following syntax in your NAD:
    aaa server radius dynamic-author
    client 192.168.98.10 server-key AAA_Secret
    Also, it would be nice to have the complete aaa/radius config. If easier, post your whole config here.
    Last but not least, you can try moving to 15.x code. I had issues in the past with 12.x code and 802.1x.
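The reply above asks the poster to confirm the aaa server radius dynamic-author stanza, and the earlier tx-period reply in this list gives a concrete best-practice value. As an added example, not code from either post or from Cisco, the script below turns those checks into a small lint over a running-config: it splits the config into global and per-interface stanzas and reports ports that lack a critical VLAN or the server-alive reinitialize action, tx-period values outside the guidance quoted above, and a missing dynamic-author, dead-criteria or vsa send authentication line. The sample config is the poster's, re-indented the way IOS prints interface sub-commands; the function names and finding texts are this example's own.

```python
import re

# Constructed sample: the access-port and RADIUS lines from the post above,
# re-indented with the single leading space IOS uses for sub-commands.
SAMPLE_CONFIG = """\
interface FastEthernet0/22
 switchport access vlan 10
 switchport mode access
 authentication event fail action next-method
 authentication event server dead action authorize vlan 11
 authentication event server alive action reinitialize
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 mab
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable
radius-server dead-criteria time 5 tries 3
radius-server host 192.168.98.10 auth-port 1812 acct-port 1813 key cisco123
radius-server vsa send accounting
radius-server vsa send authentication
"""

DEFAULT_TX_PERIOD = 30      # IOS default quoted in the tx-period reply above
RECOMMENDED_TX_PERIOD = 10  # best-practice value quoted in that reply
TX_PERIOD_RE = re.compile(r'^dot1x timeout tx-period (\d+)$')
CRITICAL_VLAN_RE = re.compile(r'^authentication event server dead action authorize vlan (\d+)$')


def split_stanzas(config):
    """Split a running-config into global lines and per-interface sub-command lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(' ') and current is not None:
            interfaces[current].append(raw.strip())
        elif raw.startswith('interface '):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, interfaces


def audit_interface(name, lines):
    """Findings for one port; only ports under 802.1X/MAB control are examined."""
    if 'authentication port-control auto' not in lines:
        return []
    findings = []
    if not any(CRITICAL_VLAN_RE.match(line) for line in lines):
        findings.append(f'{name}: no critical VLAN (server dead action) configured')
    if 'authentication event server alive action reinitialize' not in lines:
        findings.append(f'{name}: no "server alive action reinitialize"; critical-VLAN sessions stay put when RADIUS returns')
    tx = DEFAULT_TX_PERIOD
    for line in lines:
        m = TX_PERIOD_RE.match(line)
        if m:
            tx = int(m.group(1))
    if tx < RECOMMENDED_TX_PERIOD:
        findings.append(f'{name}: tx-period {tx} s is below {RECOMMENDED_TX_PERIOD} s; ports fall back to MAB too quickly')
    elif tx > RECOMMENDED_TX_PERIOD:
        findings.append(f'{name}: tx-period {tx} s; non-802.1X devices wait {3 * tx} s before MAB (recommended {RECOMMENDED_TX_PERIOD} s)')
    return findings


def audit_global(lines):
    """Findings for the global AAA/RADIUS section."""
    findings = []
    if not any(line.startswith('aaa server radius dynamic-author') for line in lines):
        findings.append('global: no "aaa server radius dynamic-author" stanza; CoA from the RADIUS server cannot be accepted')
    if not any(line.startswith('radius-server dead-criteria') for line in lines):
        findings.append('global: no explicit radius-server dead-criteria; dead-server detection uses the platform default')
    if 'radius-server vsa send authentication' not in lines:
        findings.append('global: "radius-server vsa send authentication" missing; vendor attributes are not exchanged at authentication')
    return findings


def audit_config(config):
    """Run the global and per-interface checks and return all findings."""
    global_lines, interfaces = split_stanzas(config)
    findings = audit_global(global_lines)
    for name, lines in interfaces.items():
        findings.extend(audit_interface(name, lines))
    return findings


if __name__ == '__main__':
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the poster's config it reports exactly the two gaps the threads discuss: no dynamic-author stanza and a tx-period left at the 30-second default; adding dot1x timeout tx-period 10 under the interface and the dynamic-author stanza with its client line clears both.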

  • 802.1x Configuration

    Hi all
    >I want to deploy 802.1x on my network.
    1- Switches 3560 series with IOS 12.2(35)SE1
    2- ACS 4.1
    3- Windows Vista for Clients
    >My questions are:
    1- Does 802.1x support Windows Vista?
    2- How will the client be authenticated? Is there any software that will be installed on the client machine, or will the ACS pop up a window for the authentication? Also, where can I put the VLAN in the ACS to be dropped on the port after authentication?
    3- If I have VMPS and the ports are configured as dynamic (not access), how can I solve this problem?
    4- If the ACS RADIUS server is down, how will the authentication go? Can it use the switch local database?
    5- What is the use of this command: dot1x pae authenticator
    I appreciate any help. Please, I need this to be clear ASAP.
    Thanks and Best Regards
    amady

    Vista supports MD5-Challenge, Protected EAP (PEAP), Smartcard or certificate, and Secured password (EAP-MSCHAPv2). Click Add/Edit from the user setup page. When you scroll down the page you will have an option for IETF attributes; choose the VLAN there. Wireless users will not be affected by switch VMPS. PAE refers to Port Access Entity. It defines the role of an interface (as a supplicant, as an authenticator, or as an authenticator and supplicant). In this case it happens to be Authenticator, which is the access point.
