Posted by wisdom1999@gmail.com on January 27, 2006, 11:30 am
I have a project to stop rogue users from plugging onto my network. I
have seen where Cisco switches can do port authentication with a RADIUS
server. I would like to set up an IAS server on win2k3 as my RADIUS
server. Can anyone provide me with configuration guides to configure
the switch as well as the IAS server? I would really appreciate the
assistance.
PWM
Posted by hidalgal@gmail.com on January 27, 2006, 2:08 pm
You can find how to set up IAS for W2K (almost the same for W2K3) in
the following page:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094700.shtml#install
Regards,
AHG
Posted by wisdom1999@gmail.com on January 27, 2006, 3:06 pm
Thanks for your reply. I tried it but I think that I am still doing
something wrong.
Here is a copy of the debug I did on my 802.1x
SW_SPARE>en
Password:
4d02h: AAA: parse name=tty0 idb type=-1 tty=-1
4d02h: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0
channel=0
4d02h: AAA/MEMORY: create_user (0x80CC7D30) user='' ruser=''
port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
4d02h: AAA/AUTHEN/START (1449486165): port='tty0' list='' action=LOGIN
service=LOGIN
4d02h: AAA/AUTHEN/START (1449486165): console login - default to "no
auth required"
4d02h: AAA/AUTHEN/START (1449486165): Method=NONE
4d02h: AAA/AUTHEN (1449486165): status = PASS
4d02h: AAA: parse name=tty0 idb type=-1 tty=-1
4d02h: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0
channel=0
4d02h: AAA/MEMORY: create_user (0x80CCFC34) user='' ruser=''
port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15
4d02h: AAA/AUTHEN/START (3877385355): port='tty0' list='' action=LOGIN
service=ENABLE
4d02h: AAA/AUTHEN/START (3877385355): console enable - default to
enable password (if any)
4d02h: AAA/AUTHEN/START (3877385355): Method=ENABLE
4d02h: AAA/AUTHEN (3877385355): status = GETPASS
SW_SPARE#
4d02h: AAA/AUTHEN/CONT (3877385355): continue_login (user='(undef)')
4d02h: AAA/AUTHEN (3877385355): status = GETPASS
4d02h: AAA/AUTHEN/CONT (3877385355): Method=ENABLE
4d02h: AAA/AUTHEN (3877385355): status = PASS
4d02h: AAA/MEMORY: free_user (0x80CCFC34) user='' ruser='' port='tty0'
rem_addr='async' authen_type=ASCII service=ENABLE priv=15
SW_SPARE#
4d02h: AAA: parse name=tty1 idb type=-1 tty=-1
4d02h: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1
channel=0
4d02h: AAA/MEMORY: create_user (0x80CDCAEC) user='' ruser=''
port='tty1' rem_addr='172.17.12.100' authen_type=ASCII service=LOGIN
priv=1
4d02h: AAA/AUTHEN/START (760582369): port='tty1' list='' action=LOGIN
service=LOGIN
4d02h: AAA/AUTHEN/START (760582369): non console login - defaults to
local database
4d02h: AAA/AUTHEN/START (760582369): Method=LOCAL
4d02h: AAA/AUTHEN (
SW_SPARE#760582369): status = GETUSER
SW_SPARE#
4d02h: AAA/AUTHEN/CONT (760582369): continue_login (user='(undef)')
4d02h: AAA/AUTHEN (760582369): status = GETUSER
4d02h: AAA/AUTHEN/CONT (760582369): Method=LOCAL
4d02h: AAA/AUTHEN (760582369): status = GETPASS
SW_SPARE#
4d02h: AAA/AUTHEN/CONT (760582369): continue_login (user='cisco')
4d02h: AAA/AUTHEN (760582369): status = GETPASS
4d02h: AAA/AUTHEN/CONT (760582369): Method=LOCAL
4d02h: AAA/AUTHEN (760582369): status = PASS
SW_SPARE#
4d02h: AAA/MEMORY: free_user (0x80CDCAEC) user='cisco' ruser=''
port='tty1' rem_addr='172.17.12.100' authen_type=ASCII service=LOGIN
priv=1
SW_SPARE#
4d02h: dot1x-registry:** dot1x_vp_statechange:
4d02h: dot1x-ev:vlan 20 vp is removed on the interface FastEthernet0/24
4d02h: dot1x-ev:Now Processing: 20 link DOWN for FastEthernet0/24,
accss_vlan = 20, oper_vlan = 20
4d02h: dot1x-registry:dot1x_port_modechange invoked on interface
FastEthernet0/24
4d02h: dot1x-registry:dot1x_port_linkchange invoked on interface
FastEthernet0/24
4d02h: dot1x-err:calling pm_idb_set_port_access_oper_vlanid with
vlan=12
4d02h: dot1x-ev:supp_info=80CD3594 txWhen_timer
SW_SPARE#=80CD35E4 quietWhile_timer=80CD35A4reAuthWhen_timer=80CD35C4
awhile_timer=80CD3604
4d02h: dot1x-ev:destroy supplicant block for 0000.0000.0000
4d02h: dot1x-ev:Enter function dot1x_aaa_acct_end
4d02h: dot1x-ev:Found a supplicant block for mac 0000.0000.0000
80CD3594
4d02h: dot1x-ev:Found a supplicant block for mac 0000.0000.0000
80CD3594
4d02h: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface
FastEthernet0/24
4d02h: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from int
SW_SPARE#erface FastEthernet0/24
4d02h: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/24, changed state to down
4d02h: dot1x-registry:dot1x_port_linkchange invoked on interface
FastEthernet0/24
4d02h: dot1x-registry:dot1x_port_linkcomingup invoked on interface
FastEthernet0/24
4d02h: dot1x-ev:dot1x_port_enable: set dot1x ask handler on interface
FastEthernet0/24
4d02h: dot1x_auth Fa0/24: initial state auth_initialize has enter
4d02h: dot1x-sm:Fa0/24:0000.0000.0000:auth_initialize_enter cal
SW_SPARE#led
4d02h: dot1x-ev:auth_initialize_enter:0000.0000.0000: Current ID=0
4d02h: dot1x_auth Fa0/24: during state auth_initialize, got event
0(cfg_auto)
4d02h: @@@ dot1x_auth Fa0/24: auth_initialize -> auth_disconnected
4d02h: dot1x-sm:Fa0/24:0000.0000.0000:auth_disconnected_enter_action
called
4d02h: dot1x-sm:
dot1x_update_port_status called with port_status =
DOT1X_PORT_STATUS_UNAUTHORIZED
4d02h: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface
FastEthernet0/24
4d02h: dot1x-ev:do
SW_SPARE#t1x_update_port_status: Called with host_mode=0 state
UNAUTHORIZED
4d02h: dot1x-ev:dot1x_update_port_status: using mac 0000.0000.0000 to
send port to unauthorized on vlan 0
4d02h: dot1x-ev:Found a supplicant block for mac 0000.0000.0000
80CD3594
4d02h: dot1x-ev:dot1x_port_unauthorized: Host-mode=0 radius/guest
vlan=0 on FastEthernet0/24
4d02h: dot1x-ev: GuestVlan configured=0
4d02h: dot1x-ev:supplicant 0000.0000.0000 is default
4d02h: dot1x-ev:supplicant 0000.0000.0000 is last
4d02h
SW_SPARE#: dot1x-ev:Found a supplicant block for mac 0000.0000.0000
80CD3594
4d02h: dot1x-ev:0000.0000.0000 is now unauthorized on port
FastEthernet0/24
4d02h: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface
FastEthernet0/24
4d02h: dot1x-ev:Enter function dot1x_aaa_acct_end
4d02h: dot1x-ev:Found a supplicant block for mac 0000.0000.0000
80CD3594
4d02h: dot1x-ev:Found a supplicant block for mac 0000.0000.0000
80CD3594
4d02h: dot1x_auth Fa0/24: idle during state auth_disconnected
4d02
SW_SPARE#h: @@@ dot1x_auth Fa0/24: auth_disconnected -> auth_connecting
4d02h: dot1x-sm:Fa0/24:0000.0000.0000:auth_connecting_enter called
4d02h: dot1x_bend Fa0/24: initial state dot1x_bend_initialize has
enter
4d02h: dot1x-sm:Dot1x Initialize State Entered
4d02h: dot1x_bend Fa0/24: initial state dot1x_bend_initialize has
idle
4d02h: dot1x_bend Fa0/24: during state dot1x_bend_initialize, got
event 16383(idle)
4d02h: @@@ dot1x_bend Fa0/24: dot1x_bend_initialize -> dot1x_bend_idle
4d02h: dot1x-sm:D
SW_SPARE#ot1x Idle State Entered
4d02h: dot1x-ev:Created port supplicant block 0000.0000.0000
expected_id=0 current_id=0
4d02h: dot1x-ev:dot1x_init_sb_oper_info:Default port supplicant at
memloc 80CD3594
4d02h: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from
interface FastEthernet0/24
4d02h: dot1x-ev:
dot1x_post_message_to_auth_sm:0000.0000.0000: Sending TX_FAIL
4d02h: dot1x-ev:dot1x_post_message_to_auth_sm:0000.0000.0000: Current
ID=1
4d02h: dot1x-ev:Transmitting an EAPOL frame on FastEt
SW_SPARE#hernet0/24
4d02h: dot1x-packet:Tx EAP-Failure, id 0, ver 1, len 4 (Fa0/24)
4d02h: dot1x-registry:registry:dot1x_ether_macaddr called
4d02h: dot1x-packet:Tx sa=0014.695e.d598, da=0180.c200.0003, et 888E
(Fa0/24)
4d02h: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from
interface FastEthernet0/24
4d02h: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for
supplicant 0000.0000.0000
4d02h: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/24
4d02h: dot1x-packet:Tx EAP-Request(Id), id
SW_SPARE# 1, ver 1, len 5 (Fa0/24)
4d02h: dot1x-registry:registry:dot1x_ether_macaddr called
4d02h: dot1x-packet:Tx sa=0014.695e.d598, da=0180.c200.0003, et 888E
(Fa0/24)
SW_SPARE#
SW_SPARE#
SW_SPARE#
SW_SPARE#
SW_SPARE#
SW_SPARE#
SW_SPARE#
SW_SPARE#
SW_SPARE#
SW_SPARE#
SW_SPARE#
SW_SPARE#
SW_SPARE#
SW_SPARE#
SW_SPARE#
4d02h: dot1x-registry:dot1x_port_linkchange invoked on interface
FastEthernet0/24
4d02h: dot1x-ev:supp_info=80CD3594 txWhen_timer=80CD35E4
quietWhile_timer=80CD35A4reAuthWhen_timer=80CD35C4
awhile_timer=80CD3604
4d02h: dot1x-ev:destroy supplicant block for 0000.0000.0000
4d02h: dot1x-ev:Enter function dot1x_aaa_acct_end
4d02h: dot1x-ev:Found a supplicant block for mac 0000.0000.0000
80CD3594
4d02h: dot1x-ev:Found a supplicant block for mac 0000.0000.0000
80CD3594
4d02h: dot1x-ev:dot1x_port_
SW_SPARE#
SW_SPARE#
SW_SPARE#
SW_SPARE#
SW_SPARE#cleanup_author: cleanup author on interface FastEthernet0/24
4d02h: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from
interface FastEthernet0/24
4d02h: dot1x-registry:dot1x_port_linkchange invoked on interface
FastEthernet0/24
4d02h: dot1x-registry:dot1x_port_linkcomingup invoked on interface
FastEthernet0/24
4d02h: dot1x-ev:dot1x_port_enable: set dot1x ask handler on interface
FastEthernet0/24
4d02h: dot1x_auth Fa0/24: initial state auth_initialize has enter
4d02h: dot1x-sm:Fa0/24:0000
SW_SPARE#.0000.0000:auth_initialize_enter called
4d02h: dot1x-ev:auth_initialize_enter:0000.0000.0000: Current ID=0
4d02h: dot1x_auth Fa0/24: during state auth_initialize, got event
0(cfg_auto)
4d02h: @@@ dot1x_auth Fa0/24: auth_initialize -> auth_disconnected
4d02h: dot1x-sm:Fa0/24:0000.0000.0000:auth_disconnected_enter_action
called
4d02h: dot1x-sm:
dot1x_update_port_status called with port_status =
DOT1X_PORT_STATUS_UNAUTHORIZED
4d02h: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface
SW_SPARE#FastEthernet0/24
4d02h: dot1x-ev:dot1x_update_port_status: Called with host_mode=0 state
UNAUTHORIZED
4d02h: dot1x-ev:dot1x_update_port_status: using mac 0000.0000.0000 to
send port to unauthorized on vlan 0
4d02h: dot1x-ev:Found a supplicant block for mac 0000.0000.0000
80CD3594
4d02h: dot1x-ev:dot1x_port_unauthorized: Host-mode=0 radius/guest
vlan=0 on FastEthernet0/24
4d02h: dot1x-ev: GuestVlan configured=0
4d02h: dot1x-ev:supplicant 0000.0000.0000 is default
4d02h: dot1x-ev:suppli
SW_SPARE#cant 0000.0000.0000 is last
4d02h: dot1x-ev:Found a supplicant block for mac 0000.0000.0000
80CD3594
4d02h: dot1x-ev:0000.0000.0000 is now unauthorized on port
FastEthernet0/24
4d02h: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface
FastEthernet0/24
4d02h: dot1x-ev:Enter function dot1x_aaa_acct_end
4d02h: dot1x-ev:Found a supplicant block for mac 0000.0000.0000
80CD3594
4d02h: dot1x-ev:Found a supplicant block for mac 0000.0000.0000
80CD3594
4d02h: dot1x_auth Fa0/24: idle
SW_SPARE#during state auth_disconnected
4d02h: @@@ dot1x_auth Fa0/24: auth_disconnected -> auth_connecting
4d02h: dot1x-sm:Fa0/24:0000.0000.0000:auth_connecting_enter called
4d02h: dot1x_bend Fa0/24: initial state dot1x_bend_initialize has
enter
4d02h: dot1x-sm:Dot1x Initialize State Entered
4d02h: dot1x_bend Fa0/24: initial state dot1x_bend_initialize has
idle
4d02h: dot1x_bend Fa0/24: during state dot1x_bend_initialize, got
event 16383(idle)
4d02h: @@@ dot1x_bend Fa0/24: dot1x_bend_initialize -
SW_SPARE#> dot1x_bend_idle
4d02h: dot1x-sm:Dot1x Idle State Entered
4d02h: dot1x-ev:Created port supplicant block 0000.0000.0000
expected_id=0 current_id=0
4d02h: dot1x-ev:dot1x_init_sb_oper_info:Default port supplicant at
memloc 80CD3594
4d02h: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from
interface FastEthernet0/24
4d02h: dot1x-ev:
dot1x_post_message_to_auth_sm:0000.0000.0000: Sending TX_FAIL
4d02h: dot1x-ev:dot1x_post_message_to_auth_sm:0000.0000.0000: Current
ID=1
4d02h: dot1x-ev:T
SW_SPARE#ransmitting an EAPOL frame on FastEthernet0/24
4d02h: dot1x-packet:Tx EAP-Failure, id 0, ver 1, len 4 (Fa0/24)
4d02h: dot1x-registry:registry:dot1x_ether_macaddr called
4d02h: dot1x-packet:Tx sa=0014.695e.d598, da=0180.c200.0003, et 888E
(Fa0/24)
4d02h: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from
interface FastEthernet0/24
4d02h: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for
supplicant 0000.0000.0000
4d02h: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/24
4d02h:
SW_SPARE# dot1x-packet:Tx EAP-Request(Id), id 1, ver 1, len 5 (Fa0/24)
4d02h: dot1x-registry:registry:dot1x_ether_macaddr called
4d02h: dot1x-packet:Tx sa=0014.695e.d598, da=0180.c200.0003, et 888E
(Fa0/24)
SW_SPARE#
4d02h: dot1x-sm:Fa0/24:0000.0000.0000:dot1x_process_txWhen_expire
called
4d02h: dot1x_auth Fa0/24: during state auth_connecting, got event
18(txWhen_expire)
4d02h: @@@ dot1x_auth Fa0/24: auth_connecting -> auth_connecting
4d02h: dot1x-sm:Fa0/24:0000.0000.0000:auth_connecting_connecting_action
called
4d02h: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for
supplicant 0000.0000.0000
4d02h: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/24
4d02h: dot1x-packet:Tx EAP-Request(Id), i
SW_SPARE#d 1, ver 1, len 5 (Fa0/24)
4d02h: dot1x-registry:registry:dot1x_ether_macaddr called
4d02h: dot1x-packet:Tx sa=0014.695e.d598, da=0180.c200.0003, et 888E
(Fa0/24)
SW_SPARE#
4d02h: dot1x-sm:Fa0/24:0000.0000.0000:dot1x_process_txWhen_expire
called
4d02h: dot1x_auth Fa0/24: during state auth_connecting, got event
18(txWhen_expire)
4d02h: @@@ dot1x_auth Fa0/24: auth_connecting -> auth_connecting
4d02h: dot1x-sm:Fa0/24:0000.0000.0000:auth_connecting_connecting_action
called
4d02h: dot1x-sm:dot1x_auth_connecting_action:0000.0000.0000
reauth_count=3 exceeded DOT1X_DEFAULT_REAUTH_MAX
4d02h: dot1x-ev:Default and only instance. evaluation for guest vlan
move
4d02h:
SW_SPARE#dot1x_auth Fa0/24: during state auth_connecting, got event
7(authSuccess)
4d02h: @@@ dot1x_auth Fa0/24: auth_connecting -> auth_authenticated
4d02h: dot1x-sm:Fa0/24:0000.0000.0000:auth_connecting_exit alled
4d02h: dot1x-sm:Fa0/24:0000.0000.0000:auth_authenticated_enter called
4d02h: dot1x-sm:
dot1x_update_port_status called with port_status =
DOT1X_PORT_STATUS_AUTHORIZED
4d02h: dot1x-ev:dot1x_update_port_status: using mac 0000.0000.0000 to
send port to authorized
4d02h: dot1x-ev:dot1x_update_port_
SW_SPARE#status: using mac 0000.0000.0000 to send port to authorized
4d02h: dot1x-ev:Found a supplicant block for mac 0000.0000.0000
80CD3594
4d02h: dot1x-ev:dot1x_port_authorized:supplicant 0000.0000.0000 is
first, old vlan 1, new vlan 20
4d02h: dot1x-ev:dot1x_port_authorized: Host-mode=0 radius/guest vlan=20
4d02h: dot1x-ev: GuestVlan configured=1
4d02h: dot1x-registry:** dot1x_vp_statechange:
4d02h: dot1x-ev:vlan 20 vp is added on the interface FastEthernet0/24
4d02h: dot1x-registry:dot1x_port_
SW_SPARE#modechange invoked on interface FastEthernet0/24
4d02h: dot1x-ev:dot1x_port_authorized: clearing HA table from vlan 1
4d02h: dot1x-ev:dot1x_update_port_status:0000.0000.0000: Current ID=1
4d02h: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/24
4d02h: dot1x-packet:Tx EAP-Success, id 1, ver 1, len 4 (Fa0/24)
4d02h: dot1x-registry:registry:dot1x_ether_macaddr called
4d02h: dot1x-packet:Tx sa=0014.695e.d598, da=0180.c200.0003, et 888E
(Fa0/24)
4d02h: dot1x-ev:Found a supplicant block for mac
SW_SPARE# 0000.0000.0000 80CD3594
4d02h: dot1x-ev:0000.0000.0000 is now authorized on port
FastEthernet0/24
4d02h: dot1x-ev:Searching DHCP snooping binding table for
0000.0000.0000/20
4d02h: dot1x-ev:No binding found
4d02h: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/24, changed state to up
SW_SPARE#
Can you tell me what is going on here? I do not see any entries in my
IAS logs. What am I doing wrong?
PWM
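The pasted debug can be read mechanically, and doing so shows why IAS never logged anything: the switch transmits EAP-Request(Id) frames, nothing answers, reauth_count exceeds DOT1X_DEFAULT_REAUTH_MAX, and the port is authorized into the guest VLAN (20, the same as the port's access VLAN) without any RADIUS exchange. The following script is an added example, not the poster's code or a Cisco tool; it parses an excerpt of that output (prompt interleaving removed) and reports those findings. It assumes that received frames would appear as "dot1x-packet:Rx" lines, which is an assumption since none occur in the paste.

```python
import re

# Excerpt of the "debug dot1x" output from the post above, constructed as sample input here.
SAMPLE_DEBUG = """\
4d02h: dot1x-ev:Now Processing: 20 link DOWN for FastEthernet0/24, accss_vlan = 20, oper_vlan = 20
4d02h: @@@ dot1x_auth Fa0/24: auth_disconnected -> auth_connecting
4d02h: dot1x-packet:Tx EAP-Request(Id), id 1, ver 1, len 5 (Fa0/24)
4d02h: dot1x_auth Fa0/24: during state auth_connecting, got event 18(txWhen_expire)
4d02h: dot1x-sm:dot1x_auth_connecting_action:0000.0000.0000 reauth_count=3 exceeded DOT1X_DEFAULT_REAUTH_MAX
4d02h: dot1x-ev:Default and only instance. evaluation for guest vlan move
4d02h: @@@ dot1x_auth Fa0/24: auth_connecting -> auth_authenticated
4d02h: dot1x-ev:dot1x_port_authorized:supplicant 0000.0000.0000 is first, old vlan 1, new vlan 20
"""

TRANSITION = re.compile(r"@@@ dot1x_auth (\S+): (\w+) -> (\w+)")   # authenticator state machine
TX_FRAME = re.compile(r"dot1x-packet:Tx (EAP-[\w()-]+)")           # frames the switch sent
ACCESS_VLAN = re.compile(r"accss_vlan = (\d+)")
VLAN_MOVE = re.compile(r"old vlan (\d+), new vlan (\d+)")

def parse_debug(text):
    """Collect the facts needed to explain how the port ended up authorized."""
    s = {"transitions": [], "tx": [], "rx": 0, "access_vlan": None, "new_vlan": None,
         "reauth_max": False, "guest_eval": False}
    for line in text.splitlines():
        if m := TRANSITION.search(line):
            s["transitions"].append((m.group(2), m.group(3)))
        elif m := TX_FRAME.search(line):
            s["tx"].append(m.group(1))
        elif "dot1x-packet:Rx " in line:          # assumed prefix for received EAPOL frames
            s["rx"] += 1
        elif m := ACCESS_VLAN.search(line):
            s["access_vlan"] = int(m.group(1))
        elif m := VLAN_MOVE.search(line):
            s["new_vlan"] = int(m.group(2))
        s["reauth_max"] |= "exceeded DOT1X_DEFAULT_REAUTH_MAX" in line
        s["guest_eval"] |= "evaluation for guest vlan move" in line
    return s

def diagnose(s):
    """Findings a defender wants from the summary; an empty list means nothing odd."""
    findings = []
    if "EAP-Request(Id)" in s["tx"] and s["rx"] == 0:
        findings.append("no EAPOL frame received: nothing answered the identity request, so "
                        "no RADIUS Access-Request was ever sent (hence no IAS log entries)")
    if s["reauth_max"] and s["guest_eval"] and ("auth_connecting", "auth_authenticated") in s["transitions"]:
        findings.append(f"port authorized by guest-VLAN fallback into VLAN {s['new_vlan']}, not by RADIUS")
    if s["new_vlan"] is not None and s["new_vlan"] == s["access_vlan"]:
        findings.append("guest VLAN equals the port's access VLAN: an unauthenticated device gets normal access")
    return findings
```

Running `diagnose(parse_debug(SAMPLE_DEBUG))` on the excerpt yields all three findings; a capture that contains received frames and a RADIUS-driven authorization produces none of them.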