802.1x wired EAP packets being dropped silently from Cisco 3750 switch
I have a very strange issue and I'm hoping someone can point me in the right direction for troubleshooting this. I have NPS on Windows 2008 R2 that is currently working great for wireless 802.1x and a whole host of other RADIUS clients. It is even authenticating the Cisco switch's login requests for the same switch that I'm testing 802.1x on.
The issue I see is that a Windows 7 client requests authentication, the NPS sends back an EAP-TLS reply, the client sends its TLS cert to the NPS, which just drops the packet and sends another "I'll accept EAP-TLS" packet. It does the same thing with EAP-PEAP.
I'm about to pull my hair out because I can't find any errors on the NPS or the Cisco switch except for timeout errors on the switch and client.
Thanks for your help!
June 24th, 2012 11:57am
Hi NathanOmni,
Thanks for posting here.
> the NPS sends back an EAP-TLS reply, the client sends its TLS cert to the NPS, which just drops the packet and sends another "I'll accept EAP-TLS" packet
I'm not quite sure of the root cause yet, but it seems the certificate that was provided by the client was rejected. Do we have any other client that can successfully pass the authentication, or does this only occur on a single client?
We have a blog post that discusses steps on how to investigate and troubleshoot 802.1x authentication issues. Perhaps we might benefit from that:
Authentication Problem on a 802.1x Wireless Network
http://blogs.technet.com/b/yuridiogenes/archive/2008/04/18/authentication-problem-on-a-802-1x-wireless-network.aspx
Meanwhile, have we checked the certificate we issued to clients? And what about the conditions we defined in policies on the NPS server?
Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS
http://support.microsoft.com/kb/814394/
Regards,
Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tnmff@microsoft.com.
Tiger Li
TechNet Community Support
June 24th, 2012 11:24pm
Hi NathanOmni,
If there is any update on this issue, please feel free to let us know.
Regards,
Tiger Li
June 26th, 2012 4:13am
I've started a support call with Microsoft. I'll post the results.
June 26th, 2012 11:17am
Hi NathanOmni,
It has been a while; do we have any update from our support service?
Thanks.
Tiger Li
July 2nd, 2012 11:16pm
Not yet, I have a ticket open with Cisco and Microsoft right now trying to get to the bottom of this. I'll update the forum as soon as I have more info.
July 2nd, 2012 11:31pm
It turns out my Cisco 3750 was dropping the RADIUS packets from the NPS because it doesn't like fragmented frames. I found a TechNet article about this and how to reduce the EAP payload size. This solved the issue.
http://technet.microsoft.com/en-us/library/cc755205%28v=ws.10%29
July 6th, 2012 2:58pm
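The resolution above comes down to size arithmetic: each RADIUS reply from the NPS wraps one EAP fragment in EAP-Message attributes, and if the resulting IP packet exceeds the path MTU it is fragmented on the way to the switch. The following is an added example, not code from the thread or the linked article, that estimates the packet size for a given EAP payload size; the 1500-byte path MTU, IPv4 without options, and the sample payload and extra-attribute sizes are assumptions constructed for illustration.

```python
# Added example: does a RADIUS reply carrying one EAP fragment fit in one IP packet?
RADIUS_HEADER = 20      # code(1) + identifier(1) + length(2) + authenticator(16)
ATTR_HEADER = 2         # type(1) + length(1) on every RADIUS attribute
ATTR_MAX_VALUE = 253    # one-byte length field: 255 max including the header
MSG_AUTHENTICATOR = 18  # Message-Authenticator accompanies EAP-Message
UDP_HEADER = 8
IPV4_HEADER = 20        # assumption: no IP options


def eap_message_bytes(eap_len):
    """Bytes needed to carry eap_len bytes of EAP as EAP-Message attributes."""
    chunks = -(-eap_len // ATTR_MAX_VALUE)  # ceiling division
    return eap_len + chunks * ATTR_HEADER


def radius_ip_size(eap_len, other_attrs=0):
    """Total IPv4 packet size; other_attrs = bytes of any further attributes."""
    return (IPV4_HEADER + UDP_HEADER + RADIUS_HEADER + MSG_AUTHENTICATOR
            + eap_message_bytes(eap_len) + other_attrs)


def will_fragment(eap_len, path_mtu=1500, other_attrs=0):
    """True if the reply cannot be sent as a single unfragmented IP packet."""
    return radius_ip_size(eap_len, other_attrs) > path_mtu


def max_eap_payload(path_mtu=1500, other_attrs=0):
    """Largest EAP packet length that keeps the reply in one IP packet."""
    budget = (path_mtu - IPV4_HEADER - UDP_HEADER - RADIUS_HEADER
              - MSG_AUTHENTICATOR - other_attrs)
    full, rest = divmod(budget, ATTR_MAX_VALUE + ATTR_HEADER)
    return full * ATTR_MAX_VALUE + max(rest - ATTR_HEADER, 0)


if __name__ == "__main__":
    # Constructed sample values: candidate EAP payload sizes, and 40 bytes of
    # other attributes (for example a State attribute) in the same reply.
    for eap_len in (1500, 1400, 1300):
        size = radius_ip_size(eap_len, other_attrs=40)
        verdict = "fragments" if will_fragment(eap_len, other_attrs=40) else "fits"
        print(f"EAP payload {eap_len}: IP packet {size} bytes, {verdict}")
    print("largest payload that fits:", max_eap_payload(other_attrs=40))
```

On a real network, measure the extra attributes in a packet capture of an Access-Challenge and use the smallest MTU on the NPS-to-switch path, which may be below 1500 across tunnels or VPNs.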