RADIUS and 802.1x -- Help!

xlt92explorer

Hey guys, hoping someone here can provide some insight into an issue I've been fighting with for the better part of the week..

I've got a Server 03 R2 SP2 box running a domain (AD, DNS, DHCP, IAS, IIS, you get the idea..). I've also got an HP Procurve 2824 switch, updated to the latest firmware, and a D-Link DWL-2100AP, also with the latest firmware.

I've been successful in getting 802.1x to work with the AP after a little futzing around, not a big deal. When I try to get 802.1x to authenticate using the switch, though, it fails. Here's the config running on the switch now..

gotbump# sh run

Running configuration:

; J4903A Configuration Editor; Created on release #I.10.70

hostname "gotbump"
interface 1
no lacp
exit
interface 2
no lacp
exit
interface 3
no lacp
exit
interface 4
no lacp
exit
interface 5
no lacp
exit
interface 6
no lacp
exit
interface 7
no lacp
exit
interface 8
no lacp
exit
ip default-gateway 192.168.0.1
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged 1-24
ip address 192.168.0.254 255.255.255.0
exit
aaa authentication port-access eap-radius
radius-server host 192.168.0.105 key ist402
aaa port-access authenticator 1-8
aaa port-access authenticator active

Windows prompts me for authentication, which I enter (same credentials as I use for the wireless), and it fails and prompts again. I ran Wireshark, and the requests are making it to the switch, and being refused.

Any thoughts?
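As an added example (not part of the original post or HP's tooling), here is a small audit script that reads the running-config pasted above and cross-checks the 802.1X settings against the VLAN membership and the management settings. Two things it reports come straight from the posted lines: `aaa port-access authenticator 1-8` only covers eight of the twenty-four ports that `untagged 1-24` puts in VLAN 1, and `snmp-server community "public" Unrestricted` grants read-write SNMP access under the default community name. The function and variable names (`audit_port_access`, `POSTED_CONFIG`) are mine, and the embedded config is a constructed copy containing only the lines the audit reads.

```python
import re

# Constructed copy of the running-config posted above (only the lines the audit reads).
POSTED_CONFIG = """\
hostname "gotbump"
ip default-gateway 192.168.0.1
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged 1-24
ip address 192.168.0.254 255.255.255.0
exit
aaa authentication port-access eap-radius
radius-server host 192.168.0.105 key ist402
aaa port-access authenticator 1-8
aaa port-access authenticator active
"""


def expand_ports(spec: str) -> set:
    """ProCurve port lists: '1-8' -> {1..8}; '1,3,5-6' -> {1, 3, 5, 6}."""
    ports = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        elif part:
            ports.add(int(part))
    return ports


def audit_port_access(config: str) -> dict:
    """Cross-check 802.1X coverage against VLAN membership and flag weak management settings."""
    auth_ports, active = set(), False
    vlan_members = {}          # vlan id -> set of member ports (tagged or untagged)
    current_vlan = None
    snmp_rw = []               # community strings with Unrestricted (read-write) access
    radius = []                # (server, shared secret) pairs
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or editor banner comment
        if m := re.match(r"vlan (\d+)$", line):
            current_vlan = int(m.group(1))
            vlan_members.setdefault(current_vlan, set())
        elif line == "exit":
            current_vlan = None
        elif current_vlan is not None and (m := re.match(r"(?:untagged|tagged) (\S+)", line)):
            vlan_members[current_vlan] |= expand_ports(m.group(1))
        elif m := re.match(r"aaa port-access authenticator (\d[\d,-]*)$", line):
            auth_ports |= expand_ports(m.group(1))
        elif line == "aaa port-access authenticator active":
            active = True
        elif m := re.match(r'snmp-server community "([^"]*)"\s*(\w*)', line):
            if m.group(2).lower() == "unrestricted":
                snmp_rw.append(m.group(1))
        elif m := re.match(r"radius-server host (\S+) key (\S+)", line):
            radius.append((m.group(1), m.group(2)))

    findings = []
    all_ports = set().union(*vlan_members.values()) if vlan_members else set()
    unauth = sorted(all_ports - auth_ports)
    if unauth:
        # A cable in any of these ports bypasses 802.1X entirely.
        findings.append(f"ports in a VLAN but without an 802.1X authenticator: {unauth}")
    if auth_ports and not active:
        findings.append("authenticator ports configured but 'aaa port-access authenticator active' is missing")
    for name in snmp_rw:
        if name.lower() in ("public", "private"):
            findings.append(f"default SNMP community '{name}' has Unrestricted (read-write) access")
    if not radius:
        findings.append("no radius-server host configured")
    return {"authenticator_ports": sorted(auth_ports), "active": active,
            "unauthenticated_ports": unauth, "radius_servers": radius, "findings": findings}


if __name__ == "__main__":
    for f in audit_port_access(POSTED_CONFIG)["findings"]:
        print("-", f)
```

Run it as-is to see the two findings for the posted config; feed it `sh run` output from another ProCurve to check a different switch. The RADIUS secret is returned so you can compare it by eye with what the IAS client entry holds, which is the first thing to check when requests reach the server and nothing comes back.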
 
For clarification, is the auth request making it past the switch? What does Wireshark show on the RADIUS server?
 
The access request is making it past the switch, yes. The top image is what Wireshark is picking up on the NIC in the server.
 
I would check the IAS logs on server. Does it show anything goofy? Perhaps the switch isn't sending the auth request in a manner it understands? I've seen something like that happen with some Cisco gear before. Also, I am assuming you have the switch added in IAS?
 
> I would check the IAS logs on server. Does it show anything goofy? Perhaps the switch isn't sending the auth request in a manner it understands? I've seen something like that happen with some Cisco gear before. Also, I am assuming you have the switch added in IAS?

Yes, the switch is set up in IAS. Event viewer isn't showing anything for IAS at all. Thanks for the suggestions! Keep 'em coming!
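An added example, not code from the original thread: when an Access-Request reaches the server but the server appears to do nothing, the usual cause is that the switch and the RADIUS server hold different shared secrets. EAP over RADIUS requires a Message-Authenticator attribute (HMAC-MD5 over the packet, keyed with the shared secret, RFC 3579 section 3.2), and a server whose secret does not match MUST silently discard the request. The script below builds the kind of Access-Request the ProCurve sends for an EAP-Response/Identity, then verifies its Message-Authenticator with the right secret and with a mistyped one. The secret `ist402` and the addresses are taken from the posted config; the user name `jdoe`, the fixed Request Authenticator and the function names are my constructed assumptions.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute types used here (RFC 2865, RFC 3579)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (Length includes the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a RADIUS attribute")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier: int, request_auth: bytes, secret: bytes, attrs) -> bytes:
    """Build an Access-Request with a Message-Authenticator (RFC 3579 s3.2).

    The HMAC-MD5 is computed over the whole packet, Request Authenticator included,
    with the Message-Authenticator's own 16-byte value set to zeros.
    """
    body = b"".join(_attr(t, v) for t, v in attrs)
    zeroed = body + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(zeroed)) + request_auth
    mac = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return header + body + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """True iff the packet's Message-Authenticator was produced with `secret`.

    This is the check the RADIUS server performs; on failure the request is
    silently discarded, which looks like 'the request arrives and nothing happens'.
    """
    if len(packet) < 20:
        return False
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    zeroed = bytearray(packet)
    received = None
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return False                      # malformed attribute: refuse, don't loop
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            received = bytes(packet[pos + 2:pos + 18])
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += alen
    if received is None:
        return False                          # EAP requires Message-Authenticator
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def demo():
    """Constructed exchange: the switch (192.168.0.254) relays an EAP-Response/Identity
    for 'jdoe' on port 1 using the secret from the posted config; the server side then
    verifies it once with the matching secret and once with a mistyped one."""
    switch_secret = b"ist402"
    # EAP: Code=2 (Response), Id=1, Length=9, Type=1 (Identity), data 'jdoe'
    eap_identity = b"\x02\x01\x00\x09\x01jdoe"
    request_auth = bytes(range(16))   # fixed here for reproducibility; random in real use
    attrs = [
        (ATTR_USER_NAME, b"jdoe"),
        (ATTR_NAS_IP_ADDRESS, bytes([192, 168, 0, 254])),
        (ATTR_NAS_PORT, struct.pack("!I", 1)),
        (ATTR_EAP_MESSAGE, eap_identity),
    ]
    pkt = build_access_request(0x2A, request_auth, switch_secret, attrs)
    ok_with_right_secret = verify_message_authenticator(pkt, b"ist402")
    ok_with_wrong_secret = verify_message_authenticator(pkt, b"ist-402")
    return ok_with_right_secret, ok_with_wrong_secret


if __name__ == "__main__":
    print(demo())
```

To use this against a real capture, export the UDP payload of the Access-Request from Wireshark as raw bytes and pass it to `verify_message_authenticator` with the secret you believe the server has; `False` with a packet that is otherwise well formed means the two sides disagree on the secret.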
 
I don't see the DHCP discover making it to the server.

I also don't see the RADIUS packets on the switch? Is it somewhere else in the log?

Are you sure the client is getting authenticated correctly? Are there logs from the RADIUS service seeing the authentication request?

I'm pretty sure you have to be authenticated before you can request DHCP.
 
> Are you sure the client is getting authenticated correctly? Are there logs from the RADIUS service seeing the authentication request?

No.. in fact that's the problem. For whatever reason, I can't get the client to authenticate across a wired connection through the switch. It DOES work wirelessly with the access point I have, so I'm leaning towards a configuration issue with the switch, or something silly I missed in the IAS configuration.
 
So, an update.. I shut everything down last night because I was pretty disgusted with it. When I tried to authenticate today, I got this. I've installed the certificates on the client PC by going to \\servername\certsrv and downloading and installing the certificate chain as a trusted root CA. I've also got the workstation set to not validate the server certificate, so I'm somewhat puzzled as to why it's asking. Any thoughts?

 
> Yes, the switch is set up in IAS. Event viewer isn't showing anything for IAS at all. Thanks for the suggestions! Keep 'em coming!

Most of the RADIUS/IAS junk doesn't show up in Event Viewer. You have to actually open up the log file in the C:\WINDOWS directory. You can see the whole process that is going on.
 