802.1x wired EAP packets being dropped silently from Cisco 3750 switch

Question

  • I have a very strange issue and I'm hoping someone can point me in the right direction to troubleshooting this. I have NPS on Windows 2008 R2 that is currently working great for Wireless 802.1x and a whole host of other RADIUS clients. It is even authenticating the Cisco switch's login requests for the same switch that I'm testing 802.1x on.

    The issue I see is that a Windows 7 client requests authentication, the NPS sends back an EAP-TLS reply, the client sends its TLS cert to the NPS, which just drops the packet and sends another "I'll accept EAP-TLS" packet. It does the same thing with EAP-PEAP. I'm about to pull my hair out because I can't find any errors on the NPS or the Cisco switch except for timeout errors on the switch and client.

    Thanks for your help!

    Sunday, June 24, 2012 3:57 PM

Answers

  • It turns out my Cisco 3750 was dropping the RADIUS packets from the NPS because it doesn't like fragmented frames. I found a TechNet article about this and how to reduce the EAP payload size. This solved the issue.

    http://technet.microsoft.com/en-us/library/cc755205%28v=ws.10%29

    Friday, July 6, 2012 6:45 PM

All replies

  • Hi NathanOmni,

    Thanks for posting here.

    > the NPS sends back an EAP-TLS reply, the client sends its TLS cert to the NPS, which just drops the packet and sends another "I'll accept EAP-TLS" packet

    I'm not quite sure of the root cause yet, but it seems the certificate provided by the client was rejected. Do we have any other client that can successfully pass the authentication, or does this only occur on a single client?

    We have a blog post that discusses steps on how to investigate and troubleshoot 802.1x authentication issues. Perhaps we might benefit from that:

    Authentication Problem on a 802.1x Wireless Network

    http://blogs.technet.com/b/yuridiogenes/archive/2008/04/18/authentication-problem-on-a-802-1x-wireless-network.aspx

    Meanwhile, have we checked the certificate we issued to clients? And what about the conditions we defined in policies on the NPS server?

    Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS

    http://support.microsoft.com/kb/814394/

    Regards,

    Tiger Li

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tnmff@microsoft.com.


    Tiger Li

    TechNet Community Support

    Monday, June 25, 2012 3:24 AM
  • Hi NathanOmni,

    If there is any update on this issue, please feel free to let us know.

    Regards,

    Tiger Li

    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact tnmff@microsoft.com.


    Tiger Li

    TechNet Community Support

    Tuesday, June 26, 2012 8:13 AM
  • I've started a support call with Microsoft. I'll post the results.
    Tuesday, June 26, 2012 3:17 PM
  • Hi NathanOmni,

    It has been a while; do we have any update from our support service?

    Thanks.

    Tiger Li

    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact tnmff@microsoft.com.


    Tiger Li

    TechNet Community Support

    Tuesday, July 3, 2012 3:05 AM
  • Not yet, I have a ticket open with Cisco and Microsoft right now trying to get to the bottom of this. I'll update the forum as soon as I have more info.
    Tuesday, July 3, 2012 3:19 AM
  • It turns out my Cisco 3750 was dropping the RADIUS packets from the NPS because it doesn't like fragmented frames. I found a TechNet article about this and how to reduce the EAP payload size. This solved the issue.

    http://technet.microsoft.com/en-us/library/cc755205%28v=ws.10%29

    Friday, July 6, 2012 6:45 PM
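The mechanism behind the accepted answer, as an added example that is not part of this thread and not NPS or Cisco code: it encodes a RADIUS Access-Challenge the way a server sends one EAP-TLS fragment to the switch (EAP split across 253-byte EAP-Message attributes, plus State and Message-Authenticator) and checks whether the resulting IPv4/UDP datagram exceeds the link MTU, which is what forces the IP fragmentation the 3750 was dropping. The 1500-byte MTU, the 16-byte State value and the 1344-byte EAP packet limit used for comparison are assumptions, not values from the thread.

```python
import struct

MTU = 1500                # assumed link MTU between the NPS server and the switch
IP_UDP_HEADERS = 20 + 8   # IPv4 header + UDP header, no options
RADIUS_HEADER = 20        # code, identifier, length, authenticator
EAP_MESSAGE_MAX = 253     # RFC 2869: largest EAP-Message attribute value
ACCESS_CHALLENGE = 11     # RADIUS code used for the EAP-TLS round trips

def eap_tls_fragment(tls_bytes: bytes, ident: int = 1) -> bytes:
    """One EAP-Request/EAP-TLS (type 13) with the More flag (0x40) set."""
    body = struct.pack("!BB", 13, 0x40) + tls_bytes
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body

def build_access_challenge(eap_packet: bytes, state: bytes, ident: int = 1) -> bytes:
    """RADIUS Access-Challenge carrying one EAP packet.

    The EAP packet is split across as many EAP-Message (79) attributes as
    needed, then State (24) and a Message-Authenticator (80) are appended.
    Authenticator fields are zeroed: only the on-the-wire size matters here.
    """
    attrs = b""
    for off in range(0, len(eap_packet), EAP_MESSAGE_MAX):
        chunk = eap_packet[off:off + EAP_MESSAGE_MAX]
        attrs += struct.pack("!BB", 79, 2 + len(chunk)) + chunk
    attrs += struct.pack("!BB", 24, 2 + len(state)) + state
    attrs += struct.pack("!BB", 80, 18) + bytes(16)
    header = struct.pack("!BBH", ACCESS_CHALLENGE, ident, RADIUS_HEADER + len(attrs))
    return header + bytes(16) + attrs

def will_fragment(radius_packet: bytes, mtu: int = MTU) -> bool:
    """True if the UDP datagram would be IP-fragmented on a link with this MTU."""
    return IP_UDP_HEADERS + len(radius_packet) > mtu

def max_unfragmented_eap_size(state_len: int, mtu: int = MTU) -> int:
    """Largest EAP packet whose Access-Challenge still fits in one datagram
    (brute-force search, since the per-attribute overhead is stepwise)."""
    size = 0
    while not will_fragment(build_access_challenge(bytes(size + 1), bytes(state_len)), mtu):
        size += 1
    return size

if __name__ == "__main__":
    state = bytes(16)  # constructed State value; real servers use an opaque token
    big = build_access_challenge(eap_tls_fragment(bytes(1450)), state)
    small = build_access_challenge(eap_tls_fragment(bytes(1338)), state)  # 1344-byte EAP packet
    print("1450-byte TLS chunk:", len(big), "byte RADIUS packet, fragments:", will_fragment(big))
    print("1344-byte EAP limit:", len(small), "byte RADIUS packet, fragments:", will_fragment(small))
    print("largest EAP packet that stays unfragmented:", max_unfragmented_eap_size(len(state)))
```

If a capture on the switch side shows only the first IP fragment of each Access-Challenge arriving, or none at all, this size arithmetic is the thing to check before touching certificates or policies.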
  • Thank you, was pulling my hair out trying to make this work to a couple different Cisco switches and this resolved it!
    Monday, December 22, 2014 9:00 PM
  • I know this is an old post but I'm running into the same issue.

    I changed the MTU setting but it did not make a difference for me. All my wireless clients authenticate with both PEAP and EAP/TLS, but I can't get any wired clients to authenticate with a Cisco 3560CX IOS 15.2 switch. I can see the login attempts in the security log but it just shows log on and then log off immediately after.

    Any ideas or what I should check?

    Tuesday, June 12, 2018 5:04 PM