PEAP(EAP-TLS) Using ACS

Hi,
I'm trying to complete "PEAP(EAP-TLS) Using ACS" lab but I can't see any attempts from Win7 to authenticate with certificate.

 



SW1#
%DOT1X-5-FAIL: Authentication failed for client (586d.8fce.a7cd) on Interface Fa1/0/5 AuditSessionID
SW1#
%AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (586d.8fce.a7cd) on Interface Fa1/0/5 AuditSessionID 8801130900000006001A8744
SW1#

Could someone confirm that the solution worked fine? It looks like something is missing on the Win7 side.

Thanks
Hubert

Comments

  • Is the test-PC-a trusted? Otherwise it will not use it.
    Open certmgr.msc and look in the personal store.
    Also add print screens of the Windows supplicant configuration to see if it is configured correctly.
    The workbook solution is correct.
    Regards,
    Cristian.

  • Also look in the session details for the failed authentication session; see if there is any kind of EAP communication between ACS and test-PC-a, and if they negotiate the EAP type.
    Regards,
    Cristian.

  • Hello Cristian,

    I tried today once again and I have exactly the same symptoms. Moreover, I did the same lab for ISE and ACS and the result is exactly the same. I can't see any attempt from Win7. Below you can find print screens from settings and logs. I will wait till someone else confirms he is able to complete the lab.

     


     

    thanks

    Hubert

  • Hi Hubert,

     

     1. I can confirm it works.

     2. I don't see the screenshot from "Use simple certificate selection" tab, did you try using AnyConnect client? Double click the certificate of Windows-7 as well, is it trusted?

     3. Try disabling/enabling the USB NIC and shut/no shut on switchport;

     4. Remove the pre-auth ACL, configure authentication open, can you ping the TEST-PC-A?

     

    Regards,

    Cristian.

  • Hi Cristian,

    Success!

    I found two reasons why I didn't authenticate properly. The first one is the question below, not sure why I didn't see it before. Today I confirmed 'trust' and I started to see the EAP-TLS authentication method. It's not yet x509_PKI but much better than yesterday's 'Lookup'.

     


     

    After a quick investigation I found the problem was with the certificate (but I was sure the cert was OK), so the first idea was time. I updated the NTP server on ACS and I was able to authenticate using the certificate:


     

    regards

    Hubert

  • Perfect, it needs to work also with the native Windows supplicant.

    Regards,

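Added example, not part of the original thread or the workbook: the two causes found above (client certificate trust, and a wrong clock on ACS) can be checked from the Windows client with a PowerShell script that inspects the Personal store shown by certmgr.msc. The `-ReferenceTime` parameter and the `Test-EapTlsCertificate` function name are assumptions of this example; revocation checking is skipped on the assumption of a lab CA.

```powershell
# Added example: audit the current user's Personal store (what certmgr.msc shows)
# for the EAP-TLS conditions raised in this thread.
param(
    # Assumption of this example: pass the authentication server's clock here
    # to see the certificate as a server with a skewed clock would.
    [DateTime]$ReferenceTime = (Get-Date)
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-EapTlsCertificate {       # hypothetical helper name
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [DateTime]$At
    )

    # No EKU extension means "all purposes"; otherwise clientAuth must be listed.
    $eku = @($Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] })
    $usages = @($eku | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    $ekuOk = ($eku.Count -eq 0) -or ($usages -contains $ClientAuthOid)

    # Build the chain as of $At. Revocation is skipped (assumes a lab CA with
    # no reachable CRL); an untrusted root or a bad validity window still fails.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.VerificationTime = $At
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($Cert)
    $reasons = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    New-Object PSObject -Property @{
        Subject       = $Cert.Subject
        HasPrivateKey = $Cert.HasPrivateKey
        ClientAuthEku = $ekuOk
        ValidAtTime   = ($At -ge $Cert.NotBefore) -and ($At -le $Cert.NotAfter)
        NotBeforeUtc  = $Cert.NotBefore.ToUniversalTime()
        ChainTrusted  = $chainOk
        ChainStatus   = $reasons
    }
}

Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-EapTlsCertificate -Cert $_ -At $ReferenceTime } |
    Format-List Subject, HasPrivateKey, ClientAuthEku, ValidAtTime, NotBeforeUtc, ChainTrusted, ChainStatus
```

A certificate that reports `ValidAtTime` or `ChainTrusted` as False only when `-ReferenceTime` is set to the server's clock points to a time problem rather than a bad certificate.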