ESW 520 802.1x MAB authentication problem

Hello,
I am having a problem with 802.1x MAB authentication on an ESW 520 switch; the authentication server is ACS 5.3.
The authentication method on the ESW is 802.1x & MAC, and the Host Authentication mode is Multi Session. When I plug in an IP phone it never authenticates the phone, and on ACS I get the following error message:
Radius authentication failed for USER: aa1effbb8fd4  MAC: aa-1E-FF-bb-8F-D4  AUTHTYPE:  Radius authentication failed
RADIUS Status:Authentication failed    : 11509 Access Service does not allow any EAP protocols
15004  Matched rule
15012  Selected Access Service - MAB
11507  Extracted EAP-Response/Identity
11509  Access Service does not allow any EAP protocols
11504  Prepared EAP-Failure
11003  Returned RADIUS Access-Reject
For that Access Service I have configured only Host Lookup.
The same ACS configuration is working perfectly on a Catalyst 3560G switch.
It seems that the ESW switch is not telling ACS that authentication is going to be by MAC address.
Do you have any idea what the problem can be?

Are you hitting the same selection rule? Also is "mab eap" configured globally on the switch, or on the port itself?
Also can you post the port configuration and the show ver of the ESW?
Thanks,
Tarik Admani
*Please rate helpful posts*
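The ACS steps quoted in the question (access service MAB selected, then 11507 Extracted EAP-Response/Identity, then 11509) say the switch wrapped the MAC identity in EAP rather than sending the PAP/CHAP host lookup a MAB-only service expects. The Python below is an added example, not part of the thread: it classifies an Access-Request from its RADIUS attributes (names per RFC 2865/2869) and reads ACS step lines for that mismatch. The attribute sets are constructed from the values in the post; the Service-Type on the ESW request is an assumption.

```python
"""Tell a MAB Access-Request from an EAP one by its RADIUS attributes, and
spot the 'host-lookup service received EAP' mismatch in ACS step output.
Added example; the attribute sets are constructed from the post's values."""
import re
from typing import Dict, List

CALL_CHECK = 10  # RFC 2865 Service-Type value a MAB request is expected to carry


def normalize_mac(value: str) -> str:
    """Reduce aa-1E-FF-bb-8F-D4 / aa1e.ffbb.8fd4 / aa1effbb8fd4 to 12 lowercase
    hex digits so User-Name and Calling-Station-Id can be compared."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    return digits if len(digits) == 12 else ""


def classify_access_request(attrs: Dict[str, object]) -> str:
    """Return one of:
      'mab'           well-formed MAC authentication bypass: User-Name is the
                      calling MAC, Service-Type Call-Check, a password, no EAP
      'eap'           ordinary EAP (802.1X) request
      'eap-with-mac'  EAP-Message present but the identity is the MAC: the
                      authenticator wraps the MAC in EAP, which a Host
                      Lookup-only access service rejects (ACS step 11509)
      'unknown'       none of the above
    """
    user = normalize_mac(str(attrs.get("User-Name", "")))
    calling = normalize_mac(str(attrs.get("Calling-Station-Id", "")))
    mac_as_user = user != "" and user == calling
    if "EAP-Message" in attrs:
        return "eap-with-mac" if mac_as_user else "eap"
    if mac_as_user and attrs.get("Service-Type") == CALL_CHECK and (
        "User-Password" in attrs or "CHAP-Password" in attrs
    ):
        return "mab"
    return "unknown"


STEP_RE = re.compile(r"^\s*(\d{5})\s+(.+?)\s*$")


def diagnose_acs_steps(lines: List[str]) -> str:
    """Read ACS 5.x step lines (e.g. '11509  Access Service does not allow
    any EAP protocols') and name the cause when a host-lookup service
    received an EAP identity instead of a PAP/CHAP host lookup."""
    steps: Dict[str, str] = {}
    for line in lines:
        m = STEP_RE.match(line)
        if m:
            steps[m.group(1)] = m.group(2)
    service = steps.get("15012", "unknown service")  # 'Selected Access Service - MAB'
    service = service.split(" - ", 1)[1] if " - " in service else service
    if "11507" in steps and "11509" in steps:
        return (f"{service}: NAS sent an EAP identity ({steps['11507']}) but the "
                "service permits no EAP protocols; it is not sending a PAP/CHAP host lookup")
    if "11003" in steps:
        return f"{service}: rejected for another reason, see steps {sorted(steps)}"
    return f"{service}: no EAP/host-lookup mismatch in these steps"


# Constructed from the post: User-Name aa1effbb8fd4, MAC aa-1E-FF-bb-8F-D4,
# and ACS extracted an EAP-Response/Identity, so EAP-Message was present.
ESW_REQUEST = {
    "User-Name": "aa1effbb8fd4",
    "Calling-Station-Id": "aa-1E-FF-bb-8F-D4",
    "Service-Type": 2,        # Framed, as for an 802.1X session (assumed)
    "EAP-Message": "02...",   # placeholder; its content is irrelevant to the check
}
# Constructed to match what a Catalyst MAB request looks like (PAP host lookup).
CATALYST_MAB_REQUEST = {
    "User-Name": "aa1effbb8fd4",
    "Calling-Station-Id": "AA-1E-FF-BB-8F-D4",
    "Service-Type": CALL_CHECK,
    "User-Password": "<hidden>",
}
ACS_STEPS = [  # the step lines quoted in the post
    "15004  Matched rule",
    "15012  Selected Access Service - MAB",
    "11507  Extracted EAP-Response/Identity",
    "11509  Access Service does not allow any EAP protocols",
    "11504  Prepared EAP-Failure",
    "11003  Returned RADIUS Access-Reject",
]

if __name__ == "__main__":
    print(classify_access_request(ESW_REQUEST))           # eap-with-mac
    print(classify_access_request(CATALYST_MAB_REQUEST))  # mab
    print(diagnose_acs_steps(ACS_STEPS))
```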

Similar Messages

  • ESW 520 802.1x re authentication problem

    Hello
    I have a problem with the ESW 520 and 802.1x authentication. The problem is that when a host authenticates successfully it works for a couple of minutes; after that it tries to authenticate again but it lags. On the network interface it shows a notification of failed authentication. On ACS I see only one authentication attempt, which is successful. This problem is happening on Win7 and Win XP. If I unplug and plug in the cable it authenticates successfully, but then after a couple of minutes it lags again. The switch sees the port as authenticated. On Win7 in the event viewer I have the following error:
                    Reason: 0x70004
                    Reason Text: The network stopped answering authentication requests
                    Error Code: 0x0
    If I connect same hosts on Catalyst 2960 switch, they work successfully.

    Hi  ngtransge
    There are three possible explanations for why the authentication fails.
    A) The network interface is shut down after a failed computer authentication. You can see this on the switch as line protocol down for that port.
    To verify the client has a domain certificate:
    1. Click Start and click Run.
    2. Type mmc, and then press ENTER.
    3. On the File menu, click Add/Remove Snap-in.
    4. Click Certificates, click Add, select Computer account, and then click Next.
    5. Verify that Local computer: (the computer this console is running on) is selected, click Finish, and then click OK.
    6. In the console tree, double-click Certificates (Local Computer), double-click Personal, and then click Certificates.
    On a domain joined client, you should see a certificate here with Intended Purposes of Client Authentication. Make sure this certificate is not expired. If it is expired, you will need to regain connection to your CA to request a new one.
    B) You should check your switch's configuration; perhaps a port or some ports could be blocked by an access-list that interrupts the re-authentication.
    C) If these two solutions don't work, you have to try to change the authentication method (PEAP-MSCHAPv2 or PEAP-EAP-TLS).
    Greetings, Johnnatn Rodriguez Miranda

  • Macs joined to AD Domain, and 802.1x/mab authentication problems

    Hello, I've got a situation where I have a small handful of Mac Pros running OS 10.6 that are having some trouble with wired 802.1x/MAB (MAC Authentication Bypass) on our Cisco switches. We have our Macs set up so that they authenticate to our Windows domain for user login; plus, we have 802.1x authentication (for our Windows clients) and MAB bypass for our Macs, printers, and assorted other equipment. The problem seems to be that the Mac boots up before the switch goes into MAB bypass and won't let the user log in to the network. Has anyone run across this problem before and found a solution?

    Hello,
    In my organization we have multiple 3560/2960 series switches and some 4500s with MAB.
    The interfaces have the following config:
     authentication host-mode multi-auth
     authentication order mab dot1x
     authentication priority mab dot1x
     authentication port-control auto
     authentication periodic
     authentication timer restart 120
     authentication timer reauthenticate server
     authentication timer inactivity 600
     mab
     dot1x pae authenticator
    Good luck

  • 802.1x re authentication problem

    Hello,
    I have a problem with 802.1x authentication on switch ports which are configured in "Multi Session" mode. In Single Host mode and Multiple Host mode it works just fine.
    The problem is the following: when a PC is first connected to the switch port it authenticates successfully. After about 1-2 minutes the Windows 7 NIC notifies that it's going to authenticate again, and after a couple of minutes the NIC status changes to "Authentication Failed". On ACS I only see the first authentication request, which is successful. If I unplug the PC from the port and plug it in again, it authenticates successfully and then starts again with the same problems.
    I was doing packet sniffing on the PC, and it seems that after the PC's first authentication completes successfully, the switch starts sending EAP Identity/Request packets to the host; the host sends EAP Identity/Response to the switch, but the switch doesn't continue the authentication process and starts again with new EAP Identity/Request packets.
    On Windows 7 host Event viewer I see  following log messages:
                    Reason: 0x70004
                    Reason Text: The network stopped answering authentication requests
                    Error Code: 0x0
    The ACS version is 5.3. The authentication method is PEAP. The supplicant OS is Windows 7; I also tried with Windows XP, with the same result. The authenticating switch is an ESW 520 with the latest firmware. I also tried with 2960/3560 switches and it works perfectly. On the ESW 520 switch, if the port mode is other than "Multi Session" it works without any issue.
    Do you have any idea how I can fix this?

    Hi ngtransge,
    Thanks for rating the replies. You need to select "User Authentication". I am pasting some screenshots which might help you out.

  • Ipad 2 802.1X PEAP Authentication problem (With profile from IPCU)

    Hi!
    I'm in the process of setting up a new wireless network for a customer.
    A little info about the hardware:
    Cisco WLC 5508
    Cisco AP 2602i
    Cisco ISE - radius server
    iPads gen 4 (iOS 6)
    EAP-TLS (Windows machines) and PEAP (other stuff: iPads, Android etc.) as authentication methods
    The RADIUS server is using a server certificate from their own PKI infrastructure, therefore I need to push the root certificate of their CA to the clients in order to verify the authentication server. For this I use the iPhone/iPad Configuration Utility.
    I use the "Use Per-connection password" option.
    Users that are allowed to connect are placed in a specific group in their AD.
    The problem that I have is:
    When a user that's not allowed to connect tries to authenticate to the network, the iPad says stop, and that's the way it's supposed to be.
    BUT after someone has failed to authenticate to the network and somebody else tries to connect, the iPad only asks for a password and not a username.
    I can't seem to get rid of this popup and therefore the iPad can't connect.
    If I don't use the profile I can forget the network and after that I can connect with a different user.
    But then I can't verify the server certificate and use the per-connection password option!
    Please help!
    Has someone else seen this type of bug?
    //Simon

    Hi, I am new with 802.1x, and was hoping that someone would help with these queries:
    1. How is a certificate requested without being allowed on a network that is not authenticated with 802.1x? I had to first connect to an active network, retrieve a certificate with the proper username and password, and then physically connect to the port on the 2950 switch which was enabled to do 802.1x.
    2. My config is as below:
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authentication login default group radius
    dot1x system-auth-control
    interface f0/1
    switchport mode access
    dot1x port-control auto
    end
    I am able to log in using the RADIUS server, so RADIUS is working (on ports other than f1/0). However, when connecting to f1/0, the port on the 2950 remains blocked.
    3. The certificate is issued by the CA server, is viewable via Internet Explorer, and is issued to the correct username which is in the Active Directory.
    I even tried using local authentication with 802.1x; this did not work.
    4. If I have a certificate, will this automatically give me access to the 802.1x port?
    5. I have Windows 2000, and authentication is set to 'Smart Card or other certificate'.
    Am I missing anything?
    Any advice will be greatly appreciated.
    Chris

  • 802.1x RADIUS authentication problem with Cat 2950 to CiscoSecure ACS 3.3

    I wondered if anyone can help or shed any light on the following problem.
    I am getting an authentication error when doing a RADIUS authentication to CiscoSecure ACS 3.3 running on a Windows 2003 server. The authentication request is coming from a Catalyst 2950 switch which is doing 802.1x for Windows XP clients. This problem only happens when the XP client connects to 2950 switches; Cat 3550s and 3560s work fine.
    The Cat2950 is running 12.1.20 (EA1) which is more or less the latest IOS.
    The error I get from ACS 3.3 is "Invalid message authenticator in EAP request" when the 2950 tries to authenticate an XP client for 802.1x to the ACS server using RADIUS.
    Doing a RADIUS and 802.1x debug on the 2950 I see a message about 'Unknown EAP type'. I am using PEAP on the XP client doing EAP-MS-CHAPv2 authentication; the same XP client authenticates fine with 3550 and 3560 switches, so the problem only affects 2950s. Can anyone confirm the 2950 supports EAP-MS-CHAPv2?
    I have checked and re-checked the shared secret and it definitely matches on 2950 and ACS.
    One thing I noticed in the RADIUS debug is the 2950 sends 18 bytes for attribute 79 when the RFC defines attribute 79 should be 3 bytes or less, I don't know if this is related to the problem or is correct behaviour.

  • IPhone 802.1x WiFi authentication problem

    My WiFi access works fine at home and in almost all WiFi areas, but I go to a school where wireless access is authenticated with a login and password. It works fine on my MacBook. Since the iPhone has OSX, I thought the school's WiFi would work on my iPhone, but it doesn't. I can see the network on my iPhone and it has a check mark, but I can't connect to it because I am not authenticated (I think). Anyone know how to do this?

    On the iPhone when you try to connect to 802.1x it may ask for a password, no username, but this won't allow you access to the network. No support for it yet.
    Some also allow IPSec and/or PPTP for WiFi; you might check with your help desk people. In this case you might see the network but it would not allow you access to anything. You would need to set up VPN settings in Settings > General > Network > VPN > Settings to make a VPN connection. You have to go back to this location to enter your password because it does not save it. Also, if you try to use Settings > VPN to connect, you get a number pad, not a keyboard, to enter your password. This works fine for Apple employees but almost no one else in the world.

  • ESW 520 ARP Inspection Problem

    Hello,
    I have observed strange behavior on ESW 520 switches with ARP Inspection operation. ARP inspection is configured with static IP-to-MAC bindings, and it works. The problem is with logs: the switch generates tons of ARP inspection logs during normal network operation, but the network endpoints are working well. These logs are the same as those generated during ARP poisoning in a network. This behavior was observed on older and new firmware.
    Here is sample log:
    Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e9 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:5a:85:2e SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.18
    Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e1 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:03 SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.16
    Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e6 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:19:85:26 SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.15
    Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e1 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:03 SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.16
    Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e9 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:12:85:2e SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.18
    Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e5 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:10 SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.10
    Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e6 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:11:85:26 SRC I 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.1
    Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e5 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:10 SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.10
    Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e8 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:14:85:0c SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.14
    Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e3 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:3f SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.12
    Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e8 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:51:85:0c SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.14
    Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e5 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:10 SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.10
    Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e6 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:57:85:26 SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.15
    It seems the switch doesn't like ARP requests which are going to local network addresses, but in that VLAN all hosts can communicate with each other.
    Do you have any idea what the problem can be?
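Every dropped packet in the log above carries SRC IP 0.0.0.0, which is what an RFC 5227 ARP probe (address-conflict detection) looks like; such a sender IP can never match a static IP-to-MAC binding, so an inspection engine that validates the sender address drops it. The Python below is an added example, not part of the thread, that parses these log entries and separates that probe pattern from entries that deserve attention (a sender claiming an IP it is not bound to, or an unknown MAC). The binding table and the last two log lines are constructed; whether probes are the cause on this particular switch is the question the thread leaves open.

```python
"""Classify ESW ARP-inspection drop logs: separate RFC 5227 ARP probes (sender
IP 0.0.0.0, which can never match an IP-to-MAC binding) from real binding
mismatches.  Added example; lines marked constructed are not from the post."""
import re
from collections import Counter
from typing import Dict, Iterable, Optional

LOG_RE = re.compile(
    r"%ARPINSP-I-PCKTLOG: ARP packet dropped from port (?P<port>\S+) "
    r"with VLAN tag (?P<vlan>\d+) and reason: (?P<reason>.+?) "
    r"SRC MAC (?P<smac>[0-9a-f:]{17}) SRC IP (?P<sip>[\d.]+) "
    r"DST MAC (?P<dmac>[0-9a-f:]{17}) DST IP (?P<dip>[\d.]+)",
    re.IGNORECASE,
)


def parse_drop(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one drop entry, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["smac"], entry["dmac"] = entry["smac"].lower(), entry["dmac"].lower()
    return entry


def classify_drop(entry: Dict[str, str], bindings: Dict[str, str]) -> str:
    """bindings maps a MAC to the static IP the switch expects for it."""
    bound_ip = bindings.get(entry["smac"])
    if entry["sip"] == "0.0.0.0":
        # ARP probe: the host has not claimed an address yet, so the sender
        # IP is unset and no binding can match it (RFC 5227 section 2.1.1).
        if bound_ip is None:
            return "probe-unknown-host"
        return "probe-own-address" if bound_ip == entry["dip"] else "probe-other-address"
    if bound_ip is None:
        return "unknown-host"
    if bound_ip != entry["sip"]:
        return "binding-mismatch"   # sender claims an IP it is not bound to
    return "unexplained"            # binding matches; look at the reason text


def summarize(lines: Iterable[str], bindings: Dict[str, str]) -> Counter:
    """Count drops per classification so the benign probe noise described in
    the post can be separated from entries worth investigating."""
    counts: Counter = Counter()
    for line in lines:
        entry = parse_drop(line)
        if entry:
            counts[classify_drop(entry, bindings)] += 1
    return counts


# Static bindings, constructed to match the MAC/IP pairs in the post's log.
BINDINGS = {
    "13:71:05:5a:85:2e": "10.0.10.18",
    "13:71:05:80:f5:03": "10.0.10.16",
    "13:71:05:80:f5:10": "10.0.10.10",
}

# The first three lines follow the post's log (each entry on one line);
# the last two are constructed to show the non-probe cases.
SAMPLE_LOG = [
    "Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e9 with VLAN tag 10 "
    "and reason: packet verification failed SRC MAC 13:71:05:5a:85:2e SRC IP 0.0.0.0 "
    "DST MAC 00:00:00:00:00:00 DST IP 10.0.10.18",
    "Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e1 with VLAN tag 10 "
    "and reason: packet verification failed SRC MAC 13:71:05:80:f5:03 SRC IP 0.0.0.0 "
    "DST MAC 00:00:00:00:00:00 DST IP 10.0.10.16",
    "Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e5 with VLAN tag 10 "
    "and reason: packet verification failed SRC MAC 13:71:05:80:f5:10 SRC IP 0.0.0.0 "
    "DST MAC 00:00:00:00:00:00 DST IP 10.0.10.10",
    # constructed: a bound host announcing an address that is not its own
    "Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e7 with VLAN tag 10 "
    "and reason: packet verification failed SRC MAC 13:71:05:80:f5:10 SRC IP 10.0.10.1 "
    "DST MAC 00:00:00:00:00:00 DST IP 10.0.10.18",
    # constructed: a probe from a MAC that has no binding at all
    "Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e4 with VLAN tag 10 "
    "and reason: packet verification failed SRC MAC 00:11:22:33:44:55 SRC IP 0.0.0.0 "
    "DST MAC 00:00:00:00:00:00 DST IP 10.0.10.16",
]


def main() -> None:
    for label, count in sorted(summarize(SAMPLE_LOG, BINDINGS).items()):
        print(f"{label:20s} {count}")


if __name__ == "__main__":
    main()
```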

    Hi ngtransge,
    I will first come to say I do not know the answer. But, I will suspect the log entries are indicating a MAC address that arrived on the interface that did not recognize the IP or MAC address. If the MAC or IP is not found in the inspection list, it would revert to the DHCP snooping table if that is enabled.
    I would suspect these entries are coming from an untrusted interface then goes through validation.
    Can you show the trusted interfaces and the MAC bindings?
    Are the MAC addresses on the log entry meaningful to you in any way?
    Are those MAC addresses supposed to be going to a particular destination? Or conversely, are the MAC addresses supposed to be seen on an untrusted interface?
    -Tom

  • Problem in connecting ESW 520 POE switches

    Hi
    New on ESW 520 switches.
    Need help to configure the ESW 520 24 PoE switches.
    How can I configure the last port of 24 to connect to another ESW 520 24-port switch?

    Why not use the GE ports at the far right to chain the switches one to the other from the UC540/UC560?  They are best for this and gives you an extra port on the switch this way.  Use straight thru ethernet cables.

  • Windows 7 / 2008 duplicate static address when using 802.1x / MAB - ISE

    Hi all!
    ISE 1.1.3
    Cisco 3750 switches
    Windows XP / 7 / 2008 clients
    I'm having some weird issues where if a client connects to a switchport and happens to be using a static IP address then the client warns of a duplicate address problem. Also, the client will then only show the default gateway within ipconfig even though the IP address / mask is still in the GUI network properties of the adapter. This is happening with Windows 7 and Windows 2008 devices.
    Windows XP clients don't get the issue.
    Some clients will use 802.1x native supplicant and some will be authenticated based on MAB.  Not noticed the problem with 802.1x clients but it always occurs on MAB.
    I came across a similar issue here:
    http://networkingblog.vvlabs.com/2012/07/cisco-ise-duplicate-ip-address-windows-7.html
    Going off that blog I tried using the "ip device tracking delay probe delay" command but the switches don't recognise the "delay" keyword.
    The switches are 3750  switches running version 12.2(58)SE2.
    All I have is  "count, interval, use-svi" as extra options.
    Catalyst 4500 switch guide has  "delay" option but no "count, interval or use-svi".
    The only way I have managed to avoid the problem is using the second solution which is a registry hack on each client.  This is fine for the odd server but not realistic when there will be hundreds of other clients.
    Any ideas?

    Hi
    We are doing 802.1x for clients using the Windows supplicant.  For clients not using supplicants we are using MAB.  So the print servers and printers use MAB.
    Extract of config...
    aaa new-model
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting dot1x default start-stop group radius
    aaa accounting system default start-stop group radius
    aaa server radius dynamic-author
    client x server-key 7 x
    client x server-key 7 x
    aaa session-id common
    clock summer-time BST recurring last Sun Mar 23:00 last Sun Oct 23:00
    system mtu routing 1500
    vtp mode transparent
    authentication mac-move permit
    ip routing
    no ip domain-lookup
    ip device tracking
    dot1x system-auth-control
    dot1x critical eapol
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    interface FastEthernet1/0/1
    description ### Dot1x with MAB fallback ###
    switchport mode access
    switchport voice vlan 2
    ip access-group ACL-DEFAULT in
    srr-queue bandwidth share 10 10 60 20
    priority-queue out
    authentication event fail action next-method
    authentication event server dead action authorize vlan 1
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer restart 0
    authentication timer reauthenticate server
    authentication violation restrict
    mab
    mls qos trust device cisco-phone
    mls qos trust cos
    auto qos voip cisco-phone
    dot1x pae authenticator
    dot1x timeout tx-period 5
    spanning-tree portfast
    service-policy input AutoQoS-Police-CiscoPhone
    ip http server
    ip http secure-server
    ip access-list extended ACL-DEFAULT
    remark Deny access to new network
    deny   ip any 172.x.x.x 0.0.0.255 log
    remark Allow everything else to other networks
    permit ip any any
    ip radius source-interface Vlan2
    logging esm config
    logging host x transport udp port 20514
    logging host x transport udp port 20514
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 30 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    radius server ISE-1
    address ipv4 x auth-port 1645 acct-port 1646
    key 7 x
    radius server ISE-2
    address ipv4 x auth-port 1645 acct-port 1646
    key 7 x

  • Can't Console into ESW-520-24P Switch, Need help.

    Hi,
    We have 3 ESW-520-24P series switches.
    I cannot console into them because by default they have a security profile attached to them for "Console Only" and it is set as "Deny".
    I can't modify or delete it because it's a default security policy.
    We can do console into ESW-540-24P series switches without any problems.
    Can someone share any solutions to gain console access for these switches?
    Any one from Cisco TAC support?
    Thanks in advance.
    Mansur.

    Hi Devicarr,
    Thanks for your reply.
    I can set the VLAN and Management IP address using the web interfaces.
    But when I am trying to connect to it via console it is not responding. I reset it to factory default and then found from the web control panel/interface that the switch has an "Access Authentication" section; under that it has an "Access Profile", and the profile has a default or built-in profile attached that says "Console Only" and has a rule like "IP Source = 0.0.0.0/32 Permit = Deny".
    I tried to delete or modify it; I even tried to add a new rule to allow console access, but failed.
    Is console access disabled by default on this switch series "ESW-520-24P" when manufactured, or is it something else? Please provide me your valuable suggestions.
    Thanks in advance.
    Mansur.

  • ISE 1.3 Why are Windows endpoints defaulting to 802.1x machine authentication in wireless profile and not User or User&Computer

    We are running ISE 1.3 tied to AD with WLC 7.6.130.0. Our ISE has a GoDaddy (non-wildcard) certificate loaded for HTTPS and EAP. We are just running PEAP. We have a mix of iOS, Android, and Windows 7/8 devices. iOS and Android devices can self-create a wireless profile and after entering credentials can connect without issue. Our Windows 7/8 devices, when auto-creating a wireless profile, are selecting 802.1x machine authentication instead of user authentication or the best option, which is machine or user authentication. This is problematic as we do allow for machine authentication but have an authorization rule limiting machine auth to domain controller and ISE connectivity only. This is to allow domain Windows 7/8 devices to have domain connectivity prior to user sign-in but force user auth to get true network connectivity. The problem is: why are the Windows devices not auto-setting to user authentication (as I think they did when we ran ISE 1.2), or the best option, which is to allow both types of authentication? I have limited authentication protocols to just EAP CHAP and moved the machine auth profile to the bottom of the list. Neither has helped. I also notice that the Windows 7/8 endpoints have to say allow connectivity several times even though we are using a global and should-be-trusted certificate authority (probably a separate issue).
    Thank you for any help or ideas,

    When connecting a windows device to the ISE enabled SSID when there is not a saved wireless profile on that machine, it will connect and auto create the profile.  In that profile, 802.1x computer authentication option is chosen by windows.  That has to be changed to computer or user for the machine to function correctly on the network.
    On 1.2, this behavior was different.  The Windows device would auto select user authentication by default.  At other customer sites, windows devices auto select user authentication.  This of course needs  to be changed to user or computer in order to support machine auth, but at least the default behavior of user authentication would allow machines to get on the network and functional easily to begin with.

  • 802.1X wireless network problems with Intel Mac

    To login to the wireless network at my school I have to use an 802.1X connection authenticating with TTLS, TLS, EAP-FAST and PEAP protocols.
    This works intermittently. Some days my MacBook logs on quickly with no problems at all, but most days it has a self-assigned IP address and I can't use the internet. My friend also uses a MacBook, which acts in the same way. Some days she manages to get on, some days I can get on and some days we are both on together. The problem is really irritating!! We get no support from the techs as we are the only Mac people in the school. The rest of the staff have PCs. The techs are just trying to use this issue to justify why letting people lease Macs is a problem and stop other staff from leasing them in the future.
    I did find a solution at
    http://discussions.apple.com/thread.jspa?threadID=425113&tstart=0
    but this was written in 2006 and I wondered if this was still valid.
    Can anyone help, please?

    I am a tech at our school and we have the same problems. Still trying to find a permanent solution!
    If you turn AirPort off, then turn it on again (from System Prefs > Network), does it change from "Self-assigned IP Address" to "Authenticated via PEAP"?
    The Macs are more and more popular at our school, so it's becoming more and more of an issue.
    cheers,
    Harry

  • 802.1x Port Authentication via RADIUS

    I am investigating implementing 802.1x port authentication on our network.
    I have a test LAN with a Catalyst 2950 switch and 2 Win XP workstations (I know it's pretty basic, but it should be enough for testing purposes). One of these XP PCs is running a Win32 RADIUS server and the other has been configured for 802.1x authentication with MD5-Challenge. Both switch ports are configured for the default VLAN and can ping each other.
    I have configured the switch with the following commands
    aaa new-model
    aaa authentication dot1x default group radius
    dot1x system-auth-control
    radius-server host x.x.x.x key test
    and the port to be authorised has been configured with
    dot1x port-control auto
    As far as I can tell this is all I need to configure on the switch, please correct me if I am wrong.
    When I plug the PC into the port I get the request to enter login details, which I do; the RADIUS server sees the request but rejects it, because 'the password wasn't available'. Here is the output from the request, but there isn't any password field, and I know there should be, as the RADIUS server comes with a test utility and the output from that is similar to below, but the password field is included. I have removed IP/MAC addresses.
    Client address [x.x.x.x]
    NAS address [x.x.x.x]
    UniqueID=3
    Realm = def
    User = Administrator
    Code = Access request
    ID = 26
    Length = 169
    Authenticator = 0xCCD65F510764D2B2635563104D0C2601
    NAS-IP-Address = x.x.x.x
    NAS-Port = 50024
    NAS-Port-Type = Ethernet
    User-Name = Administrator
    Called-Station-Id = 00-11-00-11-00-11
    Calling-Station-Id = 11-00-11-00-11-00
    Service-Type = Framed
    Framed-MTU = 1500
    State = 0x3170020000FCB47C00
    EAP-Message = 0x0201002304106424F60D765905F614983F30504A87BA41646D696E6973747261746F72
    Message-Authenticator = 0xA119F2FD6E7384F093A5EE1BF4F761EC
    Client address [x.x.x.x]
    NAS address [x.x.x.x]
    UniqueID=4
    Realm = def
    User = Administrator
    Code = Access reject
    ID = 26
    Length = 0
    Authenticator = 0xCCD65F510764D2B2635563104D0C2601
    EAP-Message = 0x04010004
    Message-Authenticator = 0x00000000000000000000000000000000
    On the 2950 I have turned on debugging with 'debug dot1x all' and part of the output is below:
    *Mar 2 01:58:38: dot1x-ev:Username is Administrator
    *Mar 2 01:58:38: dot1x-ev:MAC Address is 0011.0011.0011
    *Mar 2 01:58:38: dot1x-ev:RemAddr is 00-11-00-11-00-11/00-11-00-11-00-11
    *Mar 2 01:58:38: dot1x-ev:going to send to backend on SP, length = 26
    *Mar 2 01:58:38: dot1x-ev:Received VLAN is No Vlan
    *Mar 2 01:58:38: dot1x-ev:Enqueued the response to BackEnd
    *Mar 2 01:58:38: dot1x-ev:Sent to Bend
    *Mar 2 01:58:38: dot1x-ev:Received QUEUE EVENT in response to AAA Request
    *Mar 2 01:58:38: dot1x-ev:Dot1x matching request-response found
    *Mar 2 01:58:38: dot1x-ev:Length of recv eap packet from radius = 26
    *Mar 2 01:58:38: dot1x-ev:Received VLAN Id -1
    Again there doesn’t appear to be a password, shouldn't I see one?
    Ultimately we will be using a Unix RADIUS server but for testing purposes I have just configured an eval version of Clearbox's RADIUS server. I've tried others as I thought the problem maybe the software, but I get similar problems regardless. If anyone can recommend better Win32 software, please do so.
    I'm struggling to figure out where the problem is, the XP machine, the switch or the RADIUS server. Any advice would be appreciated as it's getting quite frustrating.

    These are dot1x event debugs, so you wouldn't see this with that debug. The closest thing to seeing it would be to debug radius on the switch, and the password would be contained in RADIUS Attribute[79]. The switch uses this attribute to replay the EAP message (unmodified) to a RADIUS server. You might see it, but it's encrypted, so it might not buy you much. I'm sure you can imagine from a security point of view why the switch won't/shouldn't have this much visibility into this ;-).
    I would recommend either:
    a) Double-checking your RADIUS setup and logs to find out why the user failed. (double-check the RADIUS key configured on the switch too .. it must match).
    b) Downloading a third-party supplicant from Meetinghouse or Funk to use as a control.
    Eval copies are available on their websites.
    Hope this helps,
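The EAP-Message attribute quoted in the question can be decoded to see what the switch actually relays: an EAP-MD5 Response carrying a 16-byte MD5 value and the name "Administrator", never a password. The Python below is an added example, not part of the thread: it parses attribute 79 per RFC 3748 and shows the check the RADIUS server performs, which needs the cleartext password and the challenge it issued; the challenge and password used for that check are constructed.

```python
"""Decode the EAP-Message (RADIUS attribute 79) from the Access-Request above
and show what an EAP-MD5 server actually checks.  Added example, not from
the post; the challenge and password used for the check are constructed."""
import hashlib
import hmac
from typing import Dict

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}


def decode_eap_message(hex_payload: str) -> Dict[str, object]:
    """Parse one EAP packet (RFC 3748): Code, Identifier, Length, then for a
    Request/Response a Type and type data.  MD5-Challenge data (RFC 3748
    section 5.4) is Value-Size, Value, Name."""
    if hex_payload[:2].lower() == "0x":
        hex_payload = hex_payload[2:]
    data = bytes.fromhex(hex_payload)
    if len(data) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"EAP Length {length} != attribute size {len(data)}")
    out: Dict[str, object] = {"code": EAP_CODES.get(code, code),
                              "identifier": ident, "length": length}
    if code in (3, 4):  # Success/Failure carry no Type byte
        return out
    if len(data) < 5:
        raise ValueError("Request/Response needs a Type byte")
    eap_type, body = data[4], data[5:]
    out["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        out["identity"] = body.decode("ascii", "replace")
    elif eap_type == 4:
        size = body[0]
        if 1 + size > len(body):
            raise ValueError("MD5-Challenge Value-Size exceeds packet")
        out["value"] = body[1:1 + size].hex()
        out["name"] = body[1 + size:].decode("ascii", "replace")
    return out


def md5_challenge_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """MD5(Identifier || Password || Challenge), as in CHAP (RFC 1994 section 2)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def verify_md5_response(identifier: int, password: bytes, challenge: bytes,
                        value_hex: str) -> bool:
    """What the RADIUS server does with the Value: it needs the cleartext
    password and the challenge it issued.  The switch, which only relays
    attribute 79, has neither, so there is no password for it to log."""
    expected = md5_challenge_response(identifier, password, challenge)
    return hmac.compare_digest(expected, bytes.fromhex(value_hex))


# Both attribute values are quoted in the post.
ACCESS_REQUEST_EAP = "0x0201002304106424F60D765905F614983F30504A87BA41646D696E6973747261746F72"
ACCESS_REJECT_EAP = "0x04010004"

# Constructed values for the verification demo (the real challenge from the
# Access-Challenge is not shown in the post).
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
PASSWORD = b"example-password"

if __name__ == "__main__":
    print(decode_eap_message(ACCESS_REQUEST_EAP))  # Response, MD5-Challenge, name Administrator
    print(decode_eap_message(ACCESS_REJECT_EAP))   # Failure, length 4
    value = md5_challenge_response(1, PASSWORD, CHALLENGE).hex()
    print(verify_md5_response(1, PASSWORD, CHALLENGE, value))  # True
```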

  • 802.1x port authentication and Windows Radius, possible?

    Hello,
    I'm just testing at the moment before implementing on our network, but has anyone implemented 802.1x port authentication on their Cisco switch and used a Windows IAS server? Our users are all on a Windows domain and I want to authenticate using their Active Directory credentials. I think I am fine with the switch config, but it is the Windows IAS/RADIUS server. I have added the switch IPs and secret, but I need to create a policy to accept the domain users and need help.
    Thanks

    Andy:
    Yes, of course you can use whatever RADIUS server as an AAA server for 802.1x authentication on the switches: NPS, IAS, ACS, Open RADIUS, etc.
    If you have a problem with configuring the IAS then I would suggest that you post your question in a Microsoft forum and not here. They would be able to better assist you with your issue. But you can still look somewhere in this forum or on Google to help yourself.
    See this link, it could be useful for you:  https://supportforums.cisco.com/thread/2090403
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"
