
dot1x authentication

 
timaz
Advisor

Re: dot1x authentication

I tested the same configuration with another RADIUS server and it worked well. I know that we can use username/password instead of certificates but I think we need to set up a certificate regardless of using the "username" and "password" in this case!! "Invalid Authentication Type" is some type of strange error, in which I've used just the same protocols on both sides.

Besides, I've disabled the "use of windows credentials" and enabled just "user authentication" rather than "user and computer authentication" on the NIC properties on the client PC.

NeilR
Esteemed Contributor

Re: dot1x authentication

OK - I get that you have made it work with the other RADIUS server - could you tell or find out what kind of authentication type it accepted? Maybe in its logs?

 

Then you would know more about what kind of authentication your client is sending.

 

Invalid authentication type may occur for different types of errors. I see it on my setup when an 802.1x client authenticates on a port with both 802 & mac set. The mac authentication fails as the client is sending 802 - that's why I asked about that. So I see a mac failure with invalid auth type, and an 802 success.

 

Again, you probably want to use Wireshark - you can see what type of RADIUS packets are being sent, and some different information on why the challenge is failing.

 

UPDATE: Now that I had a few minutes to test this out, I have no problem making this work:

 

IMC/UAM - created user, password, assigned a service/policy 

Switch: 802.1x/MAC authentication

Windows 7 client, not in my domain: 802.1x enabled, PEAP/MSCHAPV2 (no validate server cert, no windows credentials), no saved credentials.

 

Entered credentials on client - IMC says authenticated, Switch says authenticated, VLAN is deployed, and user is connected.

 

So not sure what your issue is - works as designed as far as I can tell. Perhaps a problem with your access device configuration or policy/service configurations.

timaz
Advisor

Re: dot1x authentication

Hi; First of all, I would like to thank you for your replies. Anyway, I used another laptop as client and again did not manage to authenticate it. I'm using a Cisco 3560 switch as Authenticator. From debugs (dot1x and radius debugs) I tracked that the switch did well as authenticator and, because of the "Access Reject" message received from IMC UAM, it blocks user access. I don't know which parameter is different on both sides that causes this. This is what I got on the switch:

 

RADIUS: Received from id 1645/3 10.1.1.6:1645, Access-Reject, len 83
RADIUS:  authenticator 9E 5A 0F D2 72 BB 6A 91 - DF F4 29 31 08 74 86 D0
RADIUS:  EAP-Message         [79]  7
RADIUS:   00 03 00 05 23                 [ #]
RADIUS:  Reply-Message       [18]  38
RADIUS:   45 36 33 30 35 33 3A 20 49 6E 76 61 6C 69 64 20  [E63053: Invalid ]
RADIUS:   61 75 74 68 65 6E 74 69 63 61 74 69 6F 6E 20 74  [authentication t]
RADIUS:   79 70 65 2E              [ ype.]
RADIUS:  Message-Authenticato[80]  18
RADIUS:   6C 77 14 A5 1C A5 17 BB A2 80 97 AA C7 88 E4 BE                [ lw]
RADIUS(00000002): Received from id 1645/3

 

So would you mind please comparing the settings of my Access Policy in IMC with your own working Access Policy? I would appreciate it.

 

-------------------------------------------------------

Basic Information:
Access Policy Name: Policy01  
Service Group: Ungrouped  
Description: -

 

Authorization Information:
Access Period: No Limit        Allocate IP: No
Downstream Rate(Kbps): -       Upstream Rate(Kbps): -
Priority: - 
RSA Authentication: -
Certificate Authentication: EAP  
Certificate Type: EAP-PEAP AuthN       Certificate Sub-Type: MS-CHAPV2 AuthN
Deploy VLAN: -  
Deploy User Profile: -
Deploy User Group: - 
Deploy ACL: -

 

and nothing selected in the "Authentication Binding Information" and "User Client Configuration" sections.

------------------------------------------------------------------------------------------------------------------

 

settings of Client NIC:

 

on Authentication tab:

Enable IEEE 802.1x Authentication (checked)

Microsoft: Protected EAP (PEAP)

Remember My Credentials For This Connection Each Time (Checked)

Fallback to Unauthorized Network Access (Checked)

 

After clicking on the Settings button the "Protected EAP Properties" page appears; I cleared every checkbox on this page. After clicking the "Configure" button on the "Protected EAP Properties" page a page appears and I unchecked the "Automatically Use My Windows Logon..." option too.

 

And again on the Authentication tab of the NIC Properties on the client computer, after clicking on "Additional Settings" a page appears and on that page I checked "Specify Authentication Mode" and selected the "User Authentication" option. No other checkboxes are selected on this page.

 

And this is the switch's config, in case you want further info:

 

------------------------------------------------------

Switch(config)#do sh run | inc aaa|username|authentication|dot1x|radius


username cisco privilege 15 password 0 cisco
aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius local
aaa authorization network default group radius local
aaa session-id common
dot1x system-auth-control

!

interface g0/10

 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
radius-server host 10.1.1.6 auth-port 1645 acct-port 1646 key cisco

-------------------------------------------------------

 

 

thank you for your time.
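The Access-Reject in the debug output above, decoded as an added example (this is not code from either poster, nor from iMC or Cisco): the packet is rebuilt byte for byte from the hex shown and parsed into its attributes, and the same RFC 2865 / RFC 3579 arithmetic is used to build a matching Access-Request carrying EAP-Message plus Message-Authenticator, and to verify a reply against the switch's shared secret. The secret "cisco" is the one in the posted switch config; the packet ids, Request Authenticator and user name are made up, and the real reject's authenticators cannot be checked because the Access-Request it answers is not in the post.

```python
"""Decode and verify RADIUS packets like the Access-Reject in the
'debug radius' output above (RFC 2865 framing, RFC 3579 Message-Authenticator).
Added example with constructed data; the secret 'cisco' is the one in the
posted switch config, everything else (ids, authenticators, user) is made up."""
import hashlib
import hmac
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         11: "Access-Challenge"}
ATTRS = {1: "User-Name", 18: "Reply-Message", 79: "EAP-Message",
         80: "Message-Authenticator"}
MSG_AUTH = 80


def parse(pkt: bytes) -> dict:
    """Split a RADIUS packet into header fields and a list of (type, value)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "name": CODES.get(code, str(code)), "id": ident,
            "length": length, "authenticator": pkt[4:20], "attrs": attrs}


def reply_message(pkt: bytes) -> str:
    """Join all Reply-Message (18) attributes, the text the switch logs."""
    return "".join(v.decode("ascii", "replace")
                   for t, v in parse(pkt)["attrs"] if t == 18)


def _hmac_input(pkt: bytes, req_auth: bytes) -> bytes:
    """pkt with the header authenticator set to the *request* authenticator
    and every Message-Authenticator value zeroed (RFC 3579 section 3.2; this
    is the rule for requests and for Accept/Reject/Challenge alike)."""
    out = bytearray(pkt)
    out[4:20] = req_auth
    pos = 20
    while pos < len(out):
        atype, alen = out[pos], out[pos + 1]
        if atype == MSG_AUTH:
            out[pos + 2:pos + alen] = bytes(alen - 2)
        pos += alen
    return bytes(out)


def message_authenticator(pkt: bytes, secret: bytes, req_auth: bytes) -> bytes:
    return hmac.new(secret, _hmac_input(pkt, req_auth), hashlib.md5).digest()


def build_access_request(secret: bytes, ident: int, user: bytes, eap: bytes,
                         req_auth: bytes) -> bytes:
    """Access-Request with one EAP-Message; RFC 3579 makes Message-Authenticator
    mandatory whenever EAP-Message is present (EAP over 253 bytes would have to
    be split over several EAP-Message attributes, not done here)."""
    attrs = (bytes([1, 2 + len(user)]) + user
             + bytes([79, 2 + len(eap)]) + eap
             + bytes([MSG_AUTH, 18]) + bytes(16))          # placeholder MAC
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs
    return pkt[:-16] + message_authenticator(pkt, secret, req_auth)


def build_response(secret: bytes, code: int, ident: int, req_auth: bytes,
                   attrs: bytes) -> bytes:
    """Accept/Reject/Challenge: HMAC first, then Response Authenticator =
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    attrs += bytes([MSG_AUTH, 18]) + bytes(16)
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    mac = message_authenticator(hdr + req_auth + attrs, secret, req_auth)
    attrs = attrs[:-16] + mac
    return hdr + hashlib.md5(hdr + req_auth + attrs + secret).digest() + attrs


def verify_response(pkt: bytes, secret: bytes, req_auth: bytes) -> bool:
    """True only if both authenticators check out under this shared secret."""
    hdr, attrs = pkt[:4], pkt[20:]
    if hashlib.md5(hdr + req_auth + attrs + secret).digest() != pkt[4:20]:
        return False
    mas = [v for t, v in parse(pkt)["attrs"] if t == MSG_AUTH]
    return bool(mas) and hmac.compare_digest(
        mas[0], message_authenticator(pkt, secret, req_auth))


# The Access-Reject from the debug output, reassembled byte for byte (id 3,
# length 83).  Its authenticators cannot be checked here: the Access-Request
# it answers, and so its Request Authenticator, is not in the post.
REJECT = (bytes.fromhex("03030053" "9E5A0FD272BB6A91DFF42931087486D0")
          + bytes.fromhex("4F07" "0003000523")
          + bytes([18, 38]) + b"E63053: Invalid authentication type."
          + bytes.fromhex("5012" "6C7714A51CA517BBA28097AAC788E4BE"))

if __name__ == "__main__":
    p = parse(REJECT)
    print(p["name"], "id", p["id"], "len", p["length"])
    for t, v in p["attrs"]:
        print(f"  {ATTRS.get(t, t)} [{t}] {v.hex()}")
    print("Reply-Message:", reply_message(REJECT))
```

The three attributes parse() returns for the reject (EAP-Message 79, Reply-Message 18, Message-Authenticator 80) are the same fields Wireshark's radius display filter shows. A Reply-Message is only advisory text from the server; the reason for a reject has to be read from the server's own log or from the Access-Request that preceded it, which is why the request is worth capturing as well.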

NeilR
Esteemed Contributor

Re: dot1x authentication

Regarding the RADIUS log - it looks like the response to the challenge sent. You also want to look for what was sent to the RADIUS server. You may need to know what the request was. All you see is that it is rejected.

 

Regarding the Policy - I assume that you have a service that points to the policy. The user account points to a service, which points to a policy. If you don't link the service to a policy, the default is access forbidden.

 

Also I assume your switch has the desired VLAN set as untagged for that port, as you don't deploy one in the policy. But that's not affecting authentication.

 

On Nic - My settings as indicated

 

on Authentication tab:

Enable IEEE 802.1x Authentication (checked) - YES

Microsoft: Protected EAP (PEAP) - YES

Remember My Credentials For This Connection Each Time (Checked) - YES

Fallback to Unauthorized Network Access (Checked) - NO, but doesn't matter

 

after clicking on the Settings button "Protected EAP Properties" page appears, I cleared every checkbox on this page. - YES, but Fast reconnect is optional - may improve re-authentication time

 

after clicking the "Configure" button on the "Protected EAP Properties" page a page appears and I unchecked the "Automatically Use My Windows Logon..." option too. - YES

 

and again on the Authentication tab on NIC Properties on Client computer, after clicking on "Additional Settings" a page appears and on that page, I checked the "Specify Authentication Mode" and selected "User Authentication" option. no other checkbox are selected on this page. - YES

 

Client looks good - with these settings it should prompt you to click in tray area and enter credentials - more information needed or something like that.

 

Regards to switch - don't have cisco, only procurve. But what's there looks ok - however wouldn't know if you omitted something.

 

Assume that you added device to access devices and specified type as cisco, then deployed AAA config, synched ports etc:

 

User>User Access Policy>Access Device Management>Access Device 

 

This is how UAM knows the radius key, types of parameters, and port configurations etc.

 

 

 

 

timaz
Advisor

Re: dot1x authentication

Hi; thank you for your detailed answers my friend ;)

 

As you said, I've created an Access Service and have bound it to an Access Condition (with just a simple Workhours Access Period policy) and an Access User for sure. It might help if I say I did manage to successfully authenticate "Device Users". I mean the switch can communicate with IMC in authenticating users that want to log in to devices (switches, routers). But for some reason I cannot authenticate dot1x users when a user wants access to the network. My last portion of configuration on IMC is like this:

 

--------------------------------------------------------------------

 

Access Service Details:

 

Basic Information:
Service Name: TEST_ACCESS_SERVICE        Service Suffix: -
Service Group: Ungrouped           Default Access Policy: Access Forbidden
Default Proprietary Attribute Assignment Policy: Do not use  
Default Max. Number of Bound Endpoints: 0             Default Max. Number of Online Endpoints: 0

Available (Checked)

Transparent Authentication on Portal Endpoints (unchecked)

 

Access Scenario Name: TEST_ACCESS_SCENARIO 
Access Policy: Policy01    
Proprietary Attribute Assignment Policy: Do not use

 

------------------------------------------------------------------

 

For any attempt, it says "Invalid Authentication". When I try to log in as an unknown, non-existent user, it says that the user doesn't exist, and this means it can check the user DB, but actually there is some mismatched authentication parameter that I cannot find.

NeilR
Esteemed Contributor

Re: dot1x authentication

The switch will be using a different authentication type - PAP or CHAP or MD5 - when authenticating the "device user".  Switches do not usually speak eap/mschapv2. The switch is making the request for authentication to the radius server.

 

For the "access user", as iMC refers to it, the switch is only forwarding the request that the client is making on the port. The switch is only providing a key to the RADIUS server to prove its own identity (using the key in the setup) and then sending on the request. It does not reformat the request - the client is using a different method to request authentication as "access user" than the switch is to authenticate "device user". One may work, but that won't guarantee the other will.

 

When the radius server gets this from the switch it needs to know how to decode it. Then it responds back to the switch with specific info on how to set the port.

 

In your last reply, I was not sure if/how you had configured the access device settings. See attached screen shot.

 

If you have it set up this way, maybe try the general setting instead of cisco. But make sure it is set to access user, not device user.

 

Also confirm that you did deploy the AAA configuration and synchronize the ports. 
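The "device user" login the post contrasts with 802.1X is a RADIUS PAP exchange, and PAP does not carry EAP at all: the switch itself hides the password in a User-Password attribute with the shared secret and the Request Authenticator (RFC 2865 section 5.2), whereas for an "access user" it only relays the client's EAP bytes. The encoding below is an added example (not the poster's code and not anything from iMC or the switch) of that PAP hiding and its inverse; the secret "cisco" is the key in the posted switch config, the Request Authenticator and passwords are constructed.

```python
"""RFC 2865 section 5.2 User-Password hiding, the form a switch's own PAP
login ("device user") puts on the wire; EAP for an 802.1X client is relayed
inside EAP-Message instead and never goes through this.  Added example; the
secret 'cisco' is from the posted switch config, the authenticator is made up."""
import hashlib


def hide_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """c1 = p1 XOR MD5(S + RA); c_i = p_i XOR MD5(S + c_{i-1}), 16-byte blocks."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + bytes(-len(password) % 16)      # NUL-pad to 16n
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out


def reveal_user_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse: anyone holding the shared secret and the packet gets the
    password back, which is why the PAP secret is as sensitive as the password."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a multiple of 16 bytes")
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


# Constructed values (not from a capture): the switch's key from the posted
# config and an arbitrary 16-byte Request Authenticator.
SECRET = b"cisco"
REQ_AUTH = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    hidden = hide_user_password(b"cisco", SECRET, REQ_AUTH)
    print("hidden User-Password:", hidden.hex())
    print("recovered:", reveal_user_password(hidden, SECRET, REQ_AUTH))
```

Because the hiding is reversible with the shared secret, a PAP "device user" test proving that the switch and iMC agree on the key says nothing about whether iMC is configured to terminate the EAP-PEAP/MSCHAPv2 conversation that an 802.1X "access user" needs.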

timaz
Advisor

Re: dot1x authentication

Hi; I changed the device mode from "Cisco (General)" to "Standard" and even changed the "Service Type" from "Device Management Service" to "LAN Access Service" and again faced with the same error "Invalid Authentication Type"!

It is so interesting. I even tried integrating with AD and managed to load the existing AD users into the IMC DB. But trying to access the network through Dot1x authentication failed again with the exact same error. I think that I can test the HP iNode client as my Dot1x Supplicant on the client computer. Have you ever deployed it instead of the Windows built-in Dot1x agent on client computers?

NeilR
Esteemed Contributor

Re: dot1x authentication

Last thing I can think of, then I'm really out of ideas - check the AAA configuration and make sure it's set to EAP. Screen shot attached.

 

Otherwise you will need to use Wireshark to capture and analyze packets. Install it on your iMC RADIUS server, set an input capture filter to your iMC RADIUS server IP address, then while capturing enter radius into the filter when viewing.

 

Toggle your port connectivity and you should see the whole conversation.

 

My previously posted PDFs will mostly document the whole AD/LDAP configuration. I did not want to use iNode so I have not tested it.

 

But if you have many users the AD/LDAP route is much easier to manage.

 

My gut feel is switch configuration is incorrect or out of synch with imc, but my cisco experience with this is none.

timaz
Advisor

Re: dot1x authentication

Hi NeilR;

 

I did not have any certificate on my IMC server while using PEAP-MSCHAPv2, but after adding a Root Certificate Authority and a server certificate, it seems that I managed to get rid of the "Invalid Authentication Type" error message. After searching the net, I found one of your posts again about configuring Server Parameters (iMC UAM MS AD authentication issue) and configured the iMC in that way.

But after this point, when I try to connect any client to the switch port, I don't get any log at the "User Access Log > Authentication Failure Log"!! But after taking some captures with Wireshark, I saw that the switch sends many RADIUS Request messages to IMC and after some time it gets "Reply Message: No This User" from the IMC and rejects the user. But I integrated the IMC with the existing AD and can see the AD users list on the IMC when clicking on the "LDAP USERS". It is interesting that I have one local user on IMC and even logging in with that user results in the same error!!

So I'm thinking about the default port that IMC and AD are talking to each other through (the port set while configuring Server Parameters to make iMC work with the PEAP authentication server). The default port is listed as 9812 and I use Windows 2012 R2 on both the iMC server and the AD DC. I defined a filter on Wireshark to find that port, but it seems this port is not used by these devices to talk. Do you have any idea about this?

NeilR
Esteemed Contributor

Re: dot1x authentication

If you have a Windows Active Directory base for your users, doing it via LDAP makes more sense than trying to add users and passwords. All the PDFs from my posts should give a pretty complete picture on how to do this.

 

Don't think the server certificate should have been required for just UID/Password, but it may be something about Windows. All my testing had a cert installed, LDAP user or not.

 

So something easy to overlook may be the user account format setup on the LDAP server. Make sure to include the remove prefix and delimiter \ as that's how the accounts are sent by the clients. See attached screen shot.

 

You should be able to see the account name that the client is sending in Wireshark btw.

 

I'm using all the default ports for everything. However might want to make sure windows firewall is not active on imc, at least until you get everything working.