802.1x wired EAP packets being dropped silently from Cisco 3750 switch
-
Sunday, June 24, 2012 3:57 PM
I have a very strange issue and I'm hoping someone can point me in the right direction for troubleshooting this. I have NPS on Windows 2008 R2 that is currently working great for wireless 802.1x and a whole host of other RADIUS clients. It is even authenticating the Cisco switch's login requests for the same switch that I'm testing 802.1x on.
The issue I see is that a Windows 7 client requests authentication, the NPS sends back an EAP-TLS reply, the client sends its TLS cert to the NPS, which just drops the packet and sends another "I'll accept EAP-TLS" packet. It does the same thing with EAP-PEAP. I'm about to pull my hair out because I can't find any errors on the NPS or the Cisco switch except for timeout errors on the switch and client.
Thanks for your help!
All Replies
-
Monday, June 25, 2012 3:24 AM Moderator
Hi NathanOmni,
Thanks for posting here.
> the NPS sends back an EAP-TLS reply, the client sends its TLS cert to the NPS, which just drops the packet and sends another "I'll accept EAP-TLS" packet
I'm not quite sure of the root cause yet, but it seems the certificate that was provided by the client was rejected. Do we have any other client that can successfully pass the authentication, or does this only occur on a single client?
We have a blog post that discusses steps on how to investigate and troubleshoot 802.1x authentication issues. Perhaps we might benefit from that:
Authentication Problem on a 802.1x Wireless Network
Meanwhile, have we checked the certificate we issued to clients? And what about the conditions we defined in policies on the NPS server?
Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS
http://support.microsoft.com/kb/814394/
Regards,
Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tnmff@microsoft.com.
Tiger Li
TechNet Community Support
-
Tuesday, June 26, 2012 8:13 AM Moderator
Hi NathanOmni,
If there is any update on this issue, please feel free to let us know.
Regards,
Tiger Li
-
Tuesday, June 26, 2012 3:17 PM
I've started a support call with Microsoft. I'll post the results.
-
Tuesday, July 03, 2012 3:05 AM Moderator
Hi NathanOmni,
It has been a while, do we have any update from our support service?
Thanks.
Tiger Li
-
Tuesday, July 03, 2012 3:19 AM
Not yet, I have a ticket open with Cisco and Microsoft right now trying to get to the bottom of this. I'll update the forum as soon as I have more info.
-
Friday, July 06, 2012 6:45 PM
It turns out my Cisco 3750 was dropping the RADIUS packets from the NPS because it doesn't like fragmented frames. I found a TechNet article about this and how to reduce the EAP payload size. This solved the issue.
http://technet.microsoft.com/en-us/library/cc755205%28v=ws.10%29
- Marked As Answer by NathanOmni Friday, July 06, 2012 6:45 PM
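The fragmentation described in the accepted answer can be checked offline. The following is an added example, not part of the original thread: it parses a constructed RADIUS Access-Challenge and reports whether the resulting IPv4/UDP datagram exceeds the link MTU. Assumptions: a 1500-byte link MTU, an IPv4 header without options, a minimal attribute set (EAP-Message plus Message-Authenticator), and 1500 and 1344 as sample EAP payload sizes chosen for illustration.

```python
import struct

EAP_MESSAGE = 79             # RADIUS attribute type carrying EAP (RFC 3579)
MESSAGE_AUTHENTICATOR = 80   # required alongside EAP-Message
IP_UDP_OVERHEAD = 20 + 8     # assumed: IPv4 header without options + UDP header


def build_access_challenge(eap_len):
    """Constructed sample: Access-Challenge carrying one EAP packet of eap_len bytes."""
    eap = bytes(eap_len)     # zero-filled stand-in for an EAP-TLS fragment
    attrs = b""
    for i in range(0, eap_len, 253):      # one attribute value holds at most 253 bytes
        chunk = eap[i:i + 253]
        attrs += bytes([EAP_MESSAGE, len(chunk) + 2]) + chunk
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    # code 11 = Access-Challenge, identifier 1, length, 16-byte authenticator
    header = struct.pack("!BBH16s", 11, 1, 20 + len(attrs), bytes(16))
    return header + attrs


def analyze(packet, link_mtu=1500):
    """Walk the attribute TLVs; report EAP bytes carried and whether IP must fragment."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match datagram size")
    eap_bytes, pos = 0, 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        if atype == EAP_MESSAGE:
            eap_bytes += alen - 2
        pos += alen
    ip_len = length + IP_UDP_OVERHEAD
    return {"eap_bytes": eap_bytes, "ip_datagram": ip_len,
            "fragmented": ip_len > link_mtu}


if __name__ == "__main__":
    for size in (1500, 1344):            # sample EAP payload sizes (assumed)
        print(size, analyze(build_access_challenge(size)))
```

On a real capture, the RADIUS payload of each Access-Challenge from the NPS can be passed to `analyze` in place of the constructed packet; real messages usually carry extra attributes such as State, which add to the total.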

