Skip navigation
Cisco Learning Home > CCIE Routing and Switching Study Group > Discussions
1323 Views 10 Replies Latest reply: Mar 31, 2012 6:29 AM by Elvin Arias RSS

Currently Being Moderated

Active Directory integrated dot1x Authentication using ACS and 3560 switch

Mar 27, 2012 3:12 AM

finix 17 posts since
Aug 30, 2010

HI guys,


I configured 3560 switch for client authentication using 802.1x.I have configured RADIUS server in ACS 5.2 .I dont know why the port connected to the client is not coming up.

Before i configured TACACS and AAA on my router and it is working perfectly with the Active Directory .

I need some help to make this attaching a drawn diagram and configuration of the switch.



aaa new-model

aaa authentication dot1x default group radius none

radius-server host auth-port 1645 acct-port 1646 key regional

radius-server source-ports 1645-1646


dot1x system-auth-control


interface FastEthernet0/14

switchport mode access

dot1x pae authenticator

dot1x port-control auto

spanning-tree portfast


ntp server


Thanks in advance.

  • Elvin Arias 1,828 posts since
    Mar 12, 2010

    I have a couple of questions:


    What is connected to the "FastEthernet0/14" port? A normal client or a router/switch device? Besides what the port numbers of the ACS for the RADIUS authentication and accounting?



  • Are you using a mac auth bypass?

    Are you trying to authenticate via machine certificate in AD, or user/pass via Windows login?

    Do you have a radius key in ACS?

    Did you create a network device entry in ACS for the switch?

    Are you sourcing the radius requests from the interface whose IP is in ACS?

    Have you done any debugs?

    Have you checked the authentication session for that interface?

    Did you look at the ACS troubleshooting logs to check whether it matched a policy, passed or failed, and why?

    Are you trying to set a different VLAN or just bring the port up?


    Lots of moving parts to look at.....

  • Elvin Arias 1,828 posts since
    Mar 12, 2010

    But in the case of the port numbers did you did the same on the ACS server?

    What kind of EAP are you configuring on the supplicant and the authentication server? Is EAP-FAST with an inner method like MSCHAPv2?


    Did you enable dot1x AAA authentication globally on your switch?



  • Elvin Arias 1,828 posts since
    Mar 12, 2010

    The authentication server, and supplicant must match the EAP method in order to successfully authenticate the supplicant to the network. If you are going to choose PEAP you must have some kind of PKI certificate on the server side, but since you are willing to use EAP-MD5 you should choose the EAP-MD5 authentication protocol. Yes, that's the command used in order to enable 802.1X globally.



  • Elvin Arias 1,828 posts since
    Mar 12, 2010

    You could use EAP-FAST with an inner method like MSCHAPv2.




More Like This

  • Retrieving data ...

Bookmarked By (0)