Disabling NAC from 802.1x wired access authentication

Hi all,
I would like to disable NAC policy control from my ACS 4.0.
I would like only 802.1x AAA on my switch ports.
Also I'd like to assign a different VLAN to different MAB devices by RADIUS user attribute, in order to differentiate vlan for printers, clocks and so on.
can anybody help me or suggest me a document for ACS 4.0?
Thanks
Johnny

Hello,
    I would like to disable NAC policy control from my ACS 4.0. I would like only 802.1x AAA on my switch ports.
    Not sure what you mean by this... Can you give more details about it?
Also I'd like to assign a different VLAN to different MAB devices by RADIUS user attribute, in order to differentiate vlan for printers, clocks and so on.
For this, you can separate the different devices per user groups, ie have one group for the printers, another for clocks, etc.
Then you can configure each group with the needed RADIUS attributes to do vlan assignment:
- 64 Tunnel-Type => VLAN
- 65 Tunnel-Medium-Type => 802
- 81 Tunnel-Private-Group-ID => "Vlan number"
I hope this helps.
Best regards,
Bernardo
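    Added example (not part of the thread): a Python model of the three attributes Bernardo lists, encoded per RFC 2868 the way a per-group ACS profile would return them in an Access-Accept, together with the check a switch applies before trusting them: the Response Authenticator must verify under the shared secret, and the VLAN is used only when Tunnel-Type=VLAN and Tunnel-Medium-Type=802 share the group ID's tag. The shared secret and request authenticator are constructed values.

```python
import hashlib
import hmac
import struct

CODE_ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13   # Tunnel-Type "VLAN" (RFC 3580)
TUNNEL_MEDIUM_802 = 6   # Tunnel-Medium-Type "802" (RFC 3580)


def tagged_int(attr_type, value, tag=0):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_str(attr_type, text, tag=0):
    """RFC 2868 tagged string: one tag byte followed by the text."""
    data = bytes([tag]) + text.encode()
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def vlan_attributes(vlan, tag=1):
    """The three attributes a per-group profile returns for VLAN assignment."""
    return (tagged_int(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802, tag)
            + tagged_str(ATTR_TUNNEL_PRIVATE_GROUP_ID, str(vlan), tag))


def build_access_accept(ident, request_auth, attrs, secret):
    """Access-Accept with Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(data):
    """Split the attribute area into (type, value) pairs; reject bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def split_tag(value, is_string):
    """Return (tag, payload); a string whose first byte is > 0x1F is untagged."""
    if is_string and value[0] > 0x1F:
        return 0, value
    return value[0], value[1:]


def switch_accepts_vlan(packet, request_auth, secret):
    """Authenticator-side check: the Response Authenticator must verify under
    the shared secret, and the VLAN is used only when Tunnel-Type=VLAN and
    Tunnel-Medium-Type=802 share the tag of the Tunnel-Private-Group-ID.
    Returns the VLAN (int, or name string) or None."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_ACCEPT or length != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # wrong secret or tampered reply: ignore its attributes
    try:
        parsed = parse_attributes(attrs)
    except ValueError:
        return None
    types, media, groups = {}, {}, {}
    for attr_type, value in parsed:
        if not value:
            continue
        if attr_type == ATTR_TUNNEL_TYPE:
            tag, payload = split_tag(value, False)
            types[tag] = int.from_bytes(payload, "big")
        elif attr_type == ATTR_TUNNEL_MEDIUM_TYPE:
            tag, payload = split_tag(value, False)
            media[tag] = int.from_bytes(payload, "big")
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            tag, payload = split_tag(value, True)
            groups[tag] = payload.decode(errors="replace")
    for tag, group in groups.items():
        if types.get(tag) == TUNNEL_TYPE_VLAN and media.get(tag) == TUNNEL_MEDIUM_802:
            return int(group) if group.isdigit() else group
    return None
```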

Similar Messages

  • Photosmart 6515 disables scanner from 1 computer wired to router.

    Photosmart 6515 disables scanner from 1 desktop wired to a wireless router. Wireless laptops are fine. Computer won't load web pages while scanner is disabled. Can only enable it again by restarting the computer.  If I choose USB connection from printer to desktop then the 6515 is not web enabled.  Reloaded printer software & connection wizard. Ran HP Print and Scan Doctor with no errors being found. Windows XP operating system. No changes except  Photosmart C700 to 6515 printer. Disabled firewall & problem persists.

    OK, thanks for that.  Let's leave the USB cable disconnected for this experiment.
    Let's set a static IP AND an external DNS for the printer:
    - Print a Network Config Page from the front of the printer. Note the printer's IP address.
    - Type that IP address into a browser to reveal the printer's internal settings.
    - Choose the Networking tab, then Wireless along the left side, then the IPv4 tab.
    - On this screen you want to set a Manual IP. You need to set an IP address outside the range that the router automatically sets (called the DHCP range). If you do not know the range, change the last set of numbers (those after the last '.') to 250
    - Use 255.255.255.0 for the subnet (unless you know it is different, if so, use that)
    - Enter your router's IP (on the Network Config Page) for the gateway.
    - Enter 8.8.8.8 for the first DNS and 8.8.4.4 for the second DNS. This is Google DNS. You can choose another external DNS if you wish.
    - Click 'Apply'.
    Now, shut down the router and printer, start the router, wait, then start the printer.
    Say thanks by clicking "Kudos" "thumbs up" in the post that helped you.
    I am employed by HP

  • Windows 7 802.1x (Wired) Authentication Failure when logging into Lync 2010

    Hi
    My company has implemented 802.1x Wired authentication, we use GPO to specify a
    Wired Profile that uses a COMPUTER certificate.
    We are finding that when a Windows 7 laptop comes out of sleep or hibernation, the laptop fails 802.1x authentication and does not connect to the network.
    This issue only occurs intermittently, but has been proven to occur only when Lync 2010 is open. If we close Lync 2010 the issue does not occur. Lync 2010 installs a self-signed USER certificate for authentication.
    I am aware that there are some issues around Windows 7 not selecting the correct certificate when responding to authentication requests (KB2710995,
    KB2769121) but these always specify that the issue occurs when 802.1x authentication uses USER certificates, not a mix of USER and COMPUTER.  We have installed these hotfixes and the
    issue still occurs.

    Hi,
    From the description, you suspect the DHCP request causes this issue. Would you please send us the packets, since it seems that you have looked into the traffic and found some clues?
    Meanwhile, I found the following hotfix which may be related to this issue.
    No response to 802.1X authentication requests after authentication fails on a computer that is running Windows 7 or Windows Server 2008 R2 http://support.microsoft.com/kb/980295/en-us
    Next Action Plan:
    1. Clean Boot
    a. Click Start, click Run, type "msconfig" (without the quotation marks) in the Open box, and then click OK.
    b. In the Startup tab, click the "Disable All" button.
    c. In the Services tab, check the "Hide All Microsoft Services" checkbox, and then click the "Disable All" button.
    ======================================================
    Clean Boot + binary search
    In a Clean Boot, all the 3rd party services and startup programs are disabled. If the server can start normally in Clean Boot, we can be sure that the issue was caused by some 3rd party service or application. And then we can do a "binary search".
    You can enable half of all the services in Services tab, and then restart the server to check the result. If the issue reoccurs, it means the culprit is in this list; if not, the culprit is in the other half. And then, we can continue the binary search, until
    we find out the root cause. Please let me know if this action plan is OK for you.
    2. Collect etl trace on the problematic client.
    netsh trace start capture=yes overwrite=yes tracefile=c:\net.etl filemode=circular
    ****Try to reproduce this issue****
    netsh trace stop
    Please send the net.etl to us for underlying analysis.
    For any concerns, please let us know.
    Best regards,
    Steven Song
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • 802.1x wired authentication via PEAP, MD5

    Hi everyone,
    Thank you for taking the time to read this. I am implementing a security solution and wanted to take the benefit of implementing 802.1x over wire. I have been searching a bit but there is not much info from start to finish on how to implement this solution.
    I would really appreciate it if someone could point me somewhere to find detailed instructions on how to do this, as so far I have been configuring it in multiple ways but with no result. Still an orange port colour on my switch, which means the first
    hop of security works but the next does not.
    Thank you in advance for reading this.

    Hi,
    According to your description, my understanding is that you want to deploy 802.1x wired authentication via PEAP, MD5 and need instructions about this.
    Some articles and just for your reference:
    802.1X Authenticated Wired Access Overview
    https://technet.microsoft.com/en-us/library/hh831831.aspx
    802.1X Authenticated Wired Access Design Guide
    https://technet.microsoft.com/library/dd378864(WS.10).aspx
    IEEE 802.1X Wired Authentication
    https://technet.microsoft.com/en-us/magazine/2008.02.cableguy.aspx
    Best Regards,
    Eve Wang
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

  • 802.1x with AD authentication in a wired environment

    Hello,
    I have a question about 802.1x authentication. I want to use a combination of 802.1x and domain authentication on a Microsoft AD. I think the first login request is the domain login, but the port on the switch is always blocked. After the PC is already up, I can log in with 802.1x authentication. Please let me know what the best solution is for this scenario. The customer needs a domain login and wants to use 802.1x authentication.
    Is there a solution with only 1 login request???
    thanks
    Jens

    You can enable Machine Authentication with Windows 2000/XP/2003 clients. For this to work you need to use either PEAP or EAP-TLS. PEAP requires only a certificate on the RADIUS Server. EAP-TLS requires a client certificate installed in the machine store on the 2000/XP/2003 client. With Machine Authentication the switchport authenticates the PC using 802.1x prior to user logon.
    You can push certificates down to Machines & Users via Active Directory Group Policy (you can't push user certificates down with a 2000 AD or 2000 Clients). You need to also enable Remote Access privileges for Machines as well.
    http://support.microsoft.com/kb/318750/EN-US/
    http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
    I have this deployed in a test environment at the moment using Microsoft IAS (Radius). Due to the way the IAS policies are created you need to plan things out carefully. Each switch has to be added individually to the IAS Server so it can look ugly (no more so than a DHCP server though).
    HTH
    Andy

  • NAC Clean Access Authentication not doing anything

    Hi!
    I have installed a NAC solution, using OOB with ACLs.
    When I get to the Clean Access Authentication page, using the right user and password, or a wrong one, the page keeps showing up, requesting authentication and without any errors.
    Did this happen to anyone?
    TKX
    Miguel

    Hi Miguel,
    The configuration so far looks OK.
    The only test I would suggest would be to keep the clients on a vlan/subnet different from the CAS untrusted IP's subnet.
    I am telling this because usually we have the following:
    1. Clients are being assigned to a trusted vlan/subnet, for which we have an IP address configured in the CAS as a managed subnet and assigned to that vlan.
    2. In this case, clients are getting an IP on the same subnet as the untrusted interface of the CAS, which is not doing any kind of vlan tagging.
    As a further test, you could for example keep the clients on a subnet that is not the same as the one for the CAS untrusted interface and add the corresponding managed subnet for that client vlan.
    Alternatively, you could configure the CAS untrusted interface to tag traffic on the same vlan where clients are getting an IP, but this is usually more tricky.
    This suggestion comes from the fact that what you are experiencing (clients continuously re-prompted for authentication) is often seen when the CAS is not configured for the proper managed subnets.
    One more thing to verify is that the user being authenticated is not falling under the Unauthenticated Role.
    This could happen for example when configuring an Authentication Provider with the default role as Unauthenticated and mapping rules: if mapping rules are not triggered correctly, the default Unauthenticated Role will be assigned and the client will keep getting the authentication prompt.
    If these further points didn't show any improvements, I would recommend to keep following this through a TAC Service Request:
    http://tools.cisco.com/ServiceRequestTool/create/launch.do
    Regards,
    Fede
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Guest-wired access connections drop every 1- 2 minutes

    I have an interesting problem.
    My connections to the guest wired access drop consistently every 1-2 minutes. There are no drops in the mobility between the WiSM and the 4402 anchor in the DMZ. DHCP is served from the 4402 DMZ controller, as well as their authentication.
    When a user connects to the guest wired access VLAN, sometimes they obtain a 169.X.X.X address and after several tries they get the proper 192.168.x.x address. The user gets their IP address and gets the redirect login. They maintain their internet connection for only 1-2 minutes.
    DHCP on the 4402 is set for 4 hours.
    Any thoughts ?   
    Mike

    Ouch, the forums ate my formatting for that first post!
    Thanks for the reply Ray. I should mention that this is a shared house, not a family home, so I cannot always access the devices. I'm the one on the ethernet connection and I've gone into my ethernet adaptor's settings to change my IP address to a static number just below that of the DHCP range whilst leaving DHCP enabled for everyone else. After restarting my computer the connection's still dropping.
    Haven't had a chance to reset the hub yet, if that's necessary, as other people are using the connection at the moment.
    I do have the admin password for the hub but I'm under the impression a static IP address would have to be set from the devices themselves which I can't access - or can I use Home Network > Devices, check "Always use this IP address" then disable DHCP?

  • NAC-L2-802.1x with 7940 IP Phones and builtin swithport?

    Hi
    I've got the NAC Framework, NAC-L2-802.1x working in a test LAB with network hosts (PCs) connected directly to the L2 switch. In our production environment, we have Cisco 7940 IP phones on every desk, and the PCs connect to the switchport on the back of these phones. How would one configure NAC-L2-802.1x to work in a setup like this? I've done quite a bit of searching on Cisco and only found this reference to IP phones and NAC;
    IP Telephone and Device Mobility
    The computer connected to the PC port on an IP phone will get posture validated successfully.
    It does not help much...
    Thanks very much.
    Jason

    You have 2 choices:
    1) Ignore the phones based on CDP. You get this by just configuring 802.1X along with a VVID. Here's an example port config from a 3750:
    interface GigabitEthernet1/0/2
    description endpoints
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 200
    srr-queue bandwidth share 10 10 60 20
    srr-queue bandwidth shape 10 0 0 0
    queue-set 2
    mls qos trust device cisco-phone
    mls qos trust cos
    dot1x pae authenticator
    dot1x port-control auto
    spanning-tree portfast
    spanning-tree bpduguard enable
    ip verify source
    ip dhcp snooping limit rate 10
    The config above will allow a Cisco phone in "for free" just b/c it can do CDP.
    2) Authenticate IP phones via 1X or MAC-Authentication for phones that cannot support 1X. This would be the same config as above, with the addition of this line:
    dot1x host-mode multi-domain
    And if your IP phone cannot do 1X (for example the 7940 cannot) then you'll need to check its MAC for entry into the network by adding this line:
    dot1x mac-auth-bypass
    Hope this helps,

  • NAC L2 802.1x (wireless)

    Can somebody advise me where I can find information about configuring NAC L2 802.1x on wireless AP 1200 series? Or can somebody show me an example configuration file? I have found a configuration guide only about wired solutions (configuring NAC L2 IP and NAC 802.1x on switch).
    Thank you in advance!

    For NAC implementation with wireless access points, the implementation is the same as the switch wired Layer 2 802.1x implementation for network admission control. The only difference is that you will need to use a third party NAC-enabled supplicant such as Meetinghouse for your wireless devices.
    sample config on AP
    aaa new-model
    aaa authentication eou default group radius
    aaa session-id common
    radius-server host 10.100.100.100 auth-port 1645 acct-port 1646
    radius-server key cisco123
    ! Enable VSAs
    radius-server vsa send authentication
    ip radius source-interface FastEthernet0/0
    ! Define NAC policy
    ip admission name NAC-L2-IP eapoudp
    ip admission name NAC-L2-IP-Bypass eapoudp bypass
    ! Define NAC trigger, routers only
    ip admission name NAC-L3-IP eapoudp list EoU-ACL
    ip access-list extended EoU-ACL
     remark allow DNS to bypass NAC
     deny udp any any eq domain
     remark allow HTTP to this host to bypass NAC
     deny tcp any host 10.100.100.101 eq www
     remark all other traffic triggers NAC
     permit ip any any
    ip access-list extended Interface-ACL
     remark permit EAPoUDP
     permit udp any any eq 21862
     remark permit DHCP
     permit udp any eq bootpc any eq bootps
    Refer these links:
    http://www.cisco.com/en/US/netsol/ns617/netbr0900aecd80355b2f.html
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a0080606cbe.html#wp1072071

  • Systemd with wpa_supplicant 802.1X wired and dhcpcd - Need help

    Hi,
    At work we use 802.1X wired authentication on the network to get access. If successfully authenticated then I get 10.x.x.x network address from DHCP,
    and if not successfully authenticated, I get a 172.x.x.x address from DHCP.
    Now I've configured wpa_supplicant with certificates in its configuration file so that one is working fine.
    What I have problems with is the startup, this is what I need in order:
    * I need wpa_supplicant to start up
    * wpa_supplicant needs to authenticate completely
    * now dhcpcd may run and I should get 10.x.x.x address.
    I've tried two (b*ttfugly) ways of solving this under systemd:
    wpa_auth.service
    [Unit]
    Description=WPA 802.1X
    Requires=sys-subsystem-net-devices-eth0.device
    After=sys-subsystem-net-devices-eth0.device
    [Service]
    Type=simple
    ExecStart=/usr/sbin//wpa_supplicant -ieth0 -Dwired -c/etc/wpa_supplicant/wpa_supplicant.conf
    [Install]
    Alias=multi-user.target.wants/wpa_auth.service
    And in dhcpcd@eth0.service I've added:
    After=wpa_auth.service
    However this won't work since wpa_supplicant isn't done authenticating when dhcpcd starts up.
    I've also tried using -B option to wpa_supplicant and forking in wpa_auth.service like this:
    Type=forking
    ExecStart=/usr/sbin//wpa_supplicant -B -ieth0 -Dwired -c/etc/wpa_supplicant/wpa_supplicant.conf
    Now if I'm lucky this works, but it's still a race condition.
    So: the next thing I've tried is to make the wpa_auth.service start up a script (Type=forking) that executes wpa_supplicant and adds a sleep 1; this gives wpa_supplicant 1 second to authenticate, but it's still a shitty and unsafe solution.
    The last solution I tried was using the above solution but replaced sleep with wpa_cli -a script, which according to the man page executes the script when it receives an event. So right now the chain looks like this:
    In chronological order:
    - wpa_auth.service (systemd)
    Type=forking
    - script
    - wpa_supplicant
    - wpa_cli -a script2 (will block until receiving a CONNECTED/DISCONNECTED event from wpa_supplicant, then run script2)
    - script2
    - pkill wpa_cli
    - exit 0
    done - dhcpcd may start
    I just want to find a way to start dhcpcd after wpa_supplicant has authenticated so I get a correct IP address.
    How do I do this in a correct way? Can I use dbus somehow to make wpa_supplicant signal that it is done authenticating?
    Thanks
    Last edited by dimman (2012-11-23 15:56:01)

    From the sample wpa_supplicant.conf:
    # scan_ssid:
    # 0 = do not scan this SSID with specific Probe Request frames (default)
    # 1 = scan with SSID-specific Probe Request frames (this can be used to
    # find APs that do not accept broadcast SSID or use multiple SSIDs;
    # this will add latency to scanning, so enable this only when needed)
    So... looks like that likely isn't the solution. Of course, this is all just speculation now, until I can resolve the hardware issues or get a new laptop.

  • How to Prevent or Block Rogue APs from Joining Your Wired or Wireless WLANs

    Hi all, I deployed a WLAN with 1 WLC 4400 and 5 1252AP. I do not see the way to Block Rogue APs from Joining the Wired or Wireless WLANs

    PART 1
    There are three parts to this:
    1. detect - automatic
    2. classify - by default APs are untrusted/unknown, various methods can be configured to classify them as trusted and threat (connected to wired network).
    3. over the air contain (aka mitigate) - in 4.x this is manual, in 5.x you can configure auto-containment
    First you need to detect. WLC does this automatically out of the box. It listens to the air for unknown APs, clients and ad-hocs. Are you seeing Rogue APs under Monitor > Rogues > Rogue APs?
    Next, you can manually classify rogue APs as "known" (internal or external). Starting with 5.0 you can also build rogue rules based on RSSI, SSID, Clients, etc. If an AP is classified as "known" (internal or external), WCS stops alerting you.
    Another key classification piece is to detect whether or not the rogue AP is physically connected to your network, which is a high security risk. There are three ways WLC can detect it and none of them is automatic. You must configure these methods manually.
    1. Rogue AP Detector, aka ARP sniffing. You have to dedicate one AP as "Rogue Detector" (change AP mode from local to rogue detector). Configure the port the AP is connected to as switchport mode trunk (normally it's switchport mode access). Rogue Detector AP turns off and doesn't use its radios. When WLC detects rogue APs it can also detect the MAC addresses of any clients associated to that rogue APs, and the rogue detector AP simply watches each hardwire trunked VLAN for ARP requests coming from those rogue AP clients. If it sees one, WLC automatically classifies the rogue AP as "threat" indicating that the rogue AP is physically connected to your network. It doesn't actually do anything with the rogue AP, it simply classifies it and alerts you. Also, keep in mind that this method doesn't work if the rogue AP is a Wireless Router, because Wireless Routers NAT and ARP requests don't propagate to the wire.
    2. RLDP. Rogue Location Discovery Protocol. This feature is by default turned off and can be enabled under Security > Wireless Protection Policies > Rogue Policies. This feature works only when the rogue SSID is open, meaning that it's not using WEP/WPA/802.1x. When you enable RLDP, your WLC will pick some AP (you can't pick manually) which hears Rogue AP traffic, it will temporarily shut off its radio, turn it into a client, and instruct it to associate to the Rogue AP as client (this is where the requirement comes in for the Rogue SSID to be open authentication). Once associated, AP gets a DHCP IP through Rogue AP, it then sends a special small UDP port 6352 RLDP packet to every possible WLC's IP address (mgmt ip, ap manager ip, dynamic int IPs). If WLC gets one of those packets, it means that rogue AP is physically connected to your network. This method will work when Rogue AP is a Wireless Router. But this method is not recommended. It has an adverse effect on your wireless clients because RLDP AP goes offline for a period of time disconnecting your clients and forcing them to associate to another AP. Also, keep in mind, that WLC runs this RLDP process *once* per detected rogue AP. It doesn't periodically do this, it only does it once. In some later WLC versions, you can configure RLDP to run only on "monitor mode" APs, eliminating impact on your clients. Also, you can manually trigger RLDP for a rogue AP from CLI "config rogue ap rldp initiate ". You can "debug dot11 rldp" to see the process.
    3. Switchport Tracing (need WCS, and WLC 5.1). This is a later feature that requires WCS. You can add your Catalyst switches to WCS, and WCS will look at CDP information and MAC tables on your switches to detect whether or not Rogue AP is connected to your network. This works with secured and NAT rogues. You can also *manually* instruct WCS to shut down the switchport that Rogue AP is connected to.

  • NAC framework NAC-L2-802.1x, CTA 2.1, CSSC, ACS 4.2 not working???

    Hi
    I'm trying to setup my first crack at the NAC framework, using NAC-L2-802.1x. For this, the equipment I'm using is;
    Cisco 2950 switch (IOS /c2950-i6q4l2-mz.121-22.EA11.bin)
    Cisco 1811 router (inter-vlan routing)
    Cisco Secure ACS (90 day trial) 4.2
    CTA 2.1.103
    CSSC 5.1.0.39
    Windows XP SP3 client machine
    So I've tried to follow the Network Admission Control Framework Guide for the NAC-L2-802.1x section and all seems to have gone as laid out in the document, except when I get to the point where I actually test the config by bringing up the client port. I do the 'no shut' on the port, the light on the switch port goes amber and the CSSC client says it's waiting for an IP address; it never pops up asking for credentials as shown in that document. I check the RADIUS server logs and there are no passes or fails for this host. I know RADIUS is working from this switch as I have it set up for login authentication, which works just fine. I am completely stumped and the only thing I can think of is trying to install a full certificate server and going that way, instead of the Self Signed Cert which CSACS has generated and I've copied the .cer file to the client and installed it and verified it is installed with the Certificates MMC. Please, somebody provide some better reading on this matter, or some assistance. Thanks very much.
    Jason
    aaa new-model
    aaa authentication login default group radius local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    dot1x system-auth-control
    Client port;
    interface FastEthernet0/1
    switchport mode access
    dot1x port-control auto
    dot1x timeout reauth-period server
    dot1x reauthentication

    You can refer to the below URL for future reference:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/user/guide/nac.html
    http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html

  • How do I use Airport Extreme to create wired access point on wireless network?

    Bit of an odd situation. I just went from cable to DSL at home and the modem moved from right by my computer to upstairs.
    Trouble is, there's no real easy way to get a cable from the modem upstairs to my X-box (sans wireless connector) downstairs.
    I could buy the wireless adaptor for the X-Box, but I was hoping I wouldn't have to spend any more money.
    I have my airport extreme, and I was hoping I could use it to create a wired access point on the network, receiving the signal from the wireless modem upstairs and allowing me to plug in the X-Box.
    Is this possible? If so, how? I've been through the config panel about a dozen times, but can't figure out what combination to set up.
    Thanks.

    Will it work if I use the express to create the network?
    Yes, providing that you have an 802.11n version of the AirPort Express and the Express has been configured to "Allow this network to be extended".
    Then, the AirPort Extreme can be configured to "extend" the Express network. When you do this, the AirPort Extreme will provide more wireless coverage and the LAN Ethernet ports are enabled, so you can connect an Ethernet device.
    This will not be a "normal" Ethernet connection. It will only work as well as the wireless "hop" between the Express and Extreme allow.
    For best results and performance, a wired connection through the hole in the wall is always best. If you decide to do this, you will need the "new" AirPort Express with both a WAN and LAN port on the device. But, you could try wireless first to see if it will meet your goals before you reach for the tools.

  • 802.1X Port Based Authentication - IP Phone- MDA - Port Security Violation

    I have configured 802.1X authentication on selected ports of a Cisco Catalyst 2960S with Microsoft NPS RADIUS authentication on a test LAN. I have tested the authentication with a Windows XP laptop, a Windows 7 laptop with 802.1X EAP-TLS authentication and a Mitel 5330 IP Phone using EAP-MD5 authentication. All the above devices work with the MS NPS server. However, in MDA mode when the 802.1x compliant Windows 7 laptop is connected to the already authenticated Mitel IP Phone, the port experiences a security violation and goes into errdisable mode.
    Feb  4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
    Feb  4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
    Feb  4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
    Feb  4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
    Feb  4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
    If the port config  is changed to "authentication host-mode multi-auth", and the laptop is connected to the phone the port does not experience the security violation but the 802.1x authentication for the laptop fails.
    The ports Gi1/0/1 & Gi1/0/2 are configured thus:
    interface GigabitEthernet1/0/1
    switchport mode access
    switchport voice vlan 20
    authentication event fail action authorize vlan 4
    authentication event no-response action authorize vlan 4
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    mab
    mls qos trust cos
    dot1x pae authenticator
    spanning-tree portfast
    sh ver
    Switch Ports Model              SW Version            SW Image
    *    1 52    WS-C2960S-48FPS-L  15.2(1)E1             C2960S-UNIVERSALK9-M
    Full config attached. Assistance will be greatly appreciated.
    Donfrico
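    As an added example that is not part of the post, the five syslog lines quoted above run through a small correlator a defender could keep on a syslog collector: it pairs each security-violation err-disable with the DOT1X-5-SUCCESS that just preceded it on the same port, so the alert carries the client MAC and AuditSessionID that were authenticated there moments earlier. The regexes and the 5-second window are assumptions of this example.

```python
import re

# The five syslog lines quoted in the post, unchanged.
SAMPLE_LOG = """\
Feb  4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
Feb  4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
Feb  4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
Feb  4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Feb  4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
"""

LINE_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d+ (?P<time>\d\d:\d\d:\d\d\.\d+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$")
MAC_RE = re.compile(r"\(([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)")
IFACE_RE = re.compile(r"(?:Interface |on )((?:Gi|GigabitEthernet|Fa|FastEthernet)\d+(?:/\d+)+)")
SESSION_RE = re.compile(r"AuditSessionID (\S+)")
LONG_NAMES = {"GigabitEthernet": "Gi", "FastEthernet": "Fa"}


def short_iface(name):
    """Normalise so that 'GigabitEthernet1/0/1' and 'Gi1/0/1' compare equal."""
    for full, short in LONG_NAMES.items():
        if name.startswith(full):
            return short + name[len(full):]
    return name


def parse_line(line):
    """Turn one IOS syslog line into a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = m.group("time").split(":")
    msg = m.group("msg")
    iface, mac, sess = IFACE_RE.search(msg), MAC_RE.search(msg), SESSION_RE.search(msg)
    return {
        "seconds": int(h) * 3600 + int(mi) * 60 + float(s),  # time of day only
        "facility": m.group("facility"),
        "mnemonic": m.group("mnemonic"),
        "iface": short_iface(iface.group(1)) if iface else None,
        "mac": mac.group(1) if mac else None,
        "session": sess.group(1) if sess else None,
        "msg": msg,
    }


def find_post_auth_violations(log_text, window_seconds=5.0):
    """One finding per security-violation err-disable that follows a
    DOT1X-5-SUCCESS on the same port within window_seconds; the finding names
    the client and AuditSessionID that were just authenticated there."""
    last_success = {}  # iface -> most recent DOT1X-5-SUCCESS event
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or not ev["iface"]:
            continue
        if ev["facility"] == "DOT1X" and ev["mnemonic"] == "SUCCESS":
            last_success[ev["iface"]] = ev
        elif (ev["facility"] == "PM" and ev["mnemonic"] == "ERR_DISABLE"
              and "security-violation" in ev["msg"]):
            prior = last_success.get(ev["iface"])
            delta = ev["seconds"] - prior["seconds"] if prior else None
            if prior and 0 <= delta <= window_seconds:
                findings.append({
                    "iface": ev["iface"],
                    "last_authenticated_mac": prior["mac"],
                    "session": prior["session"],
                    "seconds_after_success": round(delta, 3),
                })
    return findings
```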

    I am currently trying to get 802.1x port authentication working on a Cat3550 against Win2003 IAS but the IAS log shows an invalid message-authenticator error. The 3550 just shows failed. When I authenticate against Cisco ACS (by simply changing the radius-server) it works perfectly.
    However, I am successfully using IAS to authenticate WPA users on AP1210s so RADIUS appears to be working OK.
    Are there special attributes that need to be configured on the switch or IAS?

  • 802.1X Port Based Authentication Security Violation


    I believe you need to configure re-authentication on this switch port:
    ! Enable re-authentication
    authentication periodic
    ! Enable re-authentication via RADIUS Session-Timeout
    authentication timer reauthenticate server
