EAP doesn't work with Cisco Catalyst 2950?

Thai Duong thaidn at yahoo.com
Fri Jul 28 14:12:36 CEST 2006


> --- James J J Hooper <jjj.hooper at bristol.ac.uk> wrote:
>
> > Hi,
> >   We had similar problems. An example of what we put in the switch config
> > to get it to work is here:
> >
> > <http://www.bristol.ac.uk/is/computing/advice/networks/documentation/dot1x/cisco.html>
> >
> > ... as Josh said - pay particular attention to the dot1x & radius server
> > timeout settings - we found the cisco defaults to be generally broken.
> >
> > Regards,
> >   James

The attachment is the Ethereal dump file from the client
side. There are five messages (>> means traffic from
switch to client and vice versa)

>> eap request identity
<< eap response identity
>> eap request eap-tls (rfc2716) [aboba]
<< tls client hello
>> eap unknown code (0x30)

It seems that the switch (Catalyst 2950 with IOS
version 12.1(6)EA2c) didn't understand that "Client
Hello" packet from the client, so it returned something
like "unknown code (0x30)". In fact this "Client
Hello" never reached the server.

Here is my switch dot1x configuration:

Global 802.1X Parameters
reauth-enabled               yes
reauth-period               3600
quiet-period                  60
tx-period                     30
supp-timeout                  30
server-timeout                30
reauth-max                     2
max-req                        2

802.1X Port Summary
Port Name                Status      Mode               Authorized
Fa0/1                    disabled    n/a                n/a
Fa0/2                    enabled     Auto (negotiate)   no
Fa0/3                    enabled     Auto (negotiate)   no

aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.168.2.8 auth-port 1812 acct-port 1813 key <deleted>
radius-server retransmit 3
radius-server timeout 10
radius-server deadtime 2
radius-server vsa send authentication

Why doesn't the switch understand that TLS Client Hello
packet? What should I do now? I installed freeradius
on another server and created the certificates from
scratch, but still NO LUCK. Please advise.

Regards,

Thai Duong 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: client.dump
Type: application/octet-stream
Size: 411 bytes
Desc: 2907206978-client.dump
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20060728/914c1501/attachment.obj>
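
Added example, not part of the original post: a small decoder for the EAP header (RFC 3748) and the EAP-TLS flags octet (RFC 2716), run over constructed frames that mirror the five messages listed in the message above. The byte values, the identity `testuser` and the names `decode_eap`, `eap` and `SAMPLE` are assumptions; the contents of the real `client.dump` are not reproduced here.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS"}

def decode_eap(pkt: bytes) -> str:
    """Decode one EAP packet: RFC 3748 header plus RFC 2716 EAP-TLS flags."""
    if len(pkt) < 4:
        return "truncated EAP header"
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in EAP_CODES:               # only codes 1-4 are defined
        return f"unknown code (0x{code:02x})"
    if length < 4 or length > len(pkt):
        return f"{EAP_CODES[code]} id={ident} bad length {length}"
    body = pkt[4:length]
    out = f"{EAP_CODES[code]} id={ident}"
    if code in (3, 4) or not body:          # Success/Failure carry no Type
        return out
    etype, data = body[0], body[1:]
    out += " " + EAP_TYPES.get(etype, f"type {etype}")
    if etype == 1 and code == 2:
        out += " identity=" + data.decode("ascii", "replace")
    elif etype == 13 and data:
        flags, tls = data[0], data[1:]
        bits = ((0x80, "L"), (0x40, "M"), (0x20, "S"))
        out += " flags=" + ("".join(n for b, n in bits if flags & b) or "-")
        if flags & 0x80 and len(tls) >= 4:  # L bit: 4-octet TLS message length
            tls = tls[4:]
        # TLS record type 22 = handshake; handshake type 1 = ClientHello
        if len(tls) >= 6 and tls[0] == 22 and tls[5] == 1:
            out += " TLS ClientHello"
    return out

def eap(code: int, ident: int, payload: bytes = b"") -> bytes:
    # Hypothetical helper: build an EAP packet for the constructed samples.
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload

# Constructed sample frames, in the order the post lists the messages.
HELLO_STUB = b"\x16\x03\x01\x00\x04\x01\x00\x00\x00"  # record + empty ClientHello
SAMPLE = [
    eap(1, 1, b"\x01"),
    eap(2, 1, b"\x01testuser"),
    eap(1, 2, b"\x0d\x20"),
    eap(2, 2, b"\x0d\x80" + struct.pack("!I", len(HELLO_STUB)) + HELLO_STUB),
    b"\x30\x03\x00\x04",                    # first octet 0x30 is not an EAP code
]

if __name__ == "__main__":
    for frame in SAMPLE:
        print(decode_eap(frame))
```

The last constructed frame decodes as `unknown code (0x30)` because its first octet falls outside the four defined EAP codes, which is the condition a dissector reports with that label.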
