802.1x wired EAP packets being dropped silently from Cisco 3750 switch
I have a very strange issue and I'm hoping someone can point me in the right direction for troubleshooting this. I have NPS on Windows 2008 R2 that is currently working great for wireless 802.1x and a whole host of other RADIUS clients. It is even authenticating the Cisco switch's login requests for the same switch that I'm testing 802.1x on. The issue I see is that a Windows 7 client requests authentication, the NPS sends back an EAP-TLS reply, the client sends its TLS cert to the NPS, which just drops the packet and sends another "I'll accept EAP-TLS" packet. It does the same thing with EAP-PEAP. I'm about to pull my hair out because I can't find any errors on the NPS or the Cisco switch except for timeout errors on the switch and client. Thanks for your help!
June 24th, 2012 11:57am

Hi NathanOmni,

Thanks for posting here.

> the NPS sends back an EAP-TLS reply, the client sends its TLS cert to the NPS, which just drops the packet and sends another "I'll accept EAP-TLS" packet

I'm not quite sure of the root cause yet, but it seems the certificate that was provided by the client was rejected. Do we have any other client that can successfully pass the authentication, or does this only occur on a single client?

We have a blog post that discusses steps on how to investigate and troubleshoot 802.1x authentication issues. Perhaps we might benefit from that:

Authentication Problem on a 802.1x Wireless Network
http://blogs.technet.com/b/yuridiogenes/archive/2008/04/18/authentication-problem-on-a-802-1x-wireless-network.aspx

Meanwhile, have we checked the certificate we issued to clients? And what about the conditions we defined in policies on the NPS server?

Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS
http://support.microsoft.com/kb/814394/

Regards,
Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tnmff@microsoft.com.
June 24th, 2012 11:24pm

Hi NathanOmni,

If there is any update on this issue, please feel free to let us know.

Regards,
Tiger Li
TechNet Subscriber Support in forum
June 26th, 2012 4:13am

I've started a support call with Microsoft. I'll post the results.
June 26th, 2012 11:17am

Hi NathanOmni,

It has been a while, do we have any update from our support service?

Thanks.
Tiger Li
TechNet Subscriber Support in forum
July 2nd, 2012 11:16pm

Not yet, I have a ticket open with Cisco and Microsoft right now trying to get to the bottom of this. I'll update the forum as soon as I have more info.
July 2nd, 2012 11:31pm

It turns out my Cisco 3750 was dropping the RADIUS packets from the NPS because it doesn't like fragmented frames. I found a TechNet article about this and how to reduce the EAP payload size. This solved the issue. http://technet.microsoft.com/en-us/library/cc755205%28v=ws.10%29
July 6th, 2012 2:58pm

This topic is archived. No further replies will be accepted.
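
The failure described in the last post can be checked from a packet capture. The following is an added example, not code from the thread or from Microsoft or Cisco: it parses a RADIUS packet, totals its EAP-Message attributes, and reports whether the resulting IP datagram exceeds the link MTU and would therefore be fragmented. The packets are constructed samples, and the 1500-byte link MTU and option-free IPv4 header are assumptions.

```python
import struct

EAP_MESSAGE = 79       # RADIUS attribute type for EAP-Message (RFC 3579)
IP_UDP_OVERHEAD = 28   # assumption: 20-byte IPv4 header without options + 8-byte UDP header

def build_radius(code, ident, eap_payload):
    """Constructed sample packet: eap_payload split into EAP-Message attributes."""
    attrs = b""
    for i in range(0, len(eap_payload), 253):        # an attribute value holds at most 253 bytes
        chunk = eap_payload[i:i + 253]
        attrs += bytes([EAP_MESSAGE, len(chunk) + 2]) + chunk
    # 20-byte header: code, identifier, length, 16-byte authenticator (zeroed in this sample)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs

def parse_radius(pkt):
    """Return (code, length, [(attr_type, value), ...]); raise ValueError if malformed."""
    if len(pkt) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("length field does not match the captured data")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = pkt[pos], pkt[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, pkt[pos + 2:pos + a_len]))
        pos += a_len
    return code, length, attrs

def fragmentation_report(pkt, link_mtu=1500):
    """Say whether this RADIUS packet fits in one IP datagram on the given link."""
    code, length, attrs = parse_radius(pkt)
    eap_bytes = sum(len(v) for t, v in attrs if t == EAP_MESSAGE)
    ip_bytes = length + IP_UDP_OVERHEAD
    return {"code": code, "eap_bytes": eap_bytes,
            "ip_datagram_bytes": ip_bytes, "fragmented": ip_bytes > link_mtu}

if __name__ == "__main__":
    # Constructed Access-Challenge packets (code 11) with large and reduced EAP payloads
    for size in (1490, 1300):
        print(size, fragmentation_report(build_radius(11, 1, bytes(size))))
```

Feed `fragmentation_report` the UDP payload of an Access-Challenge taken from a capture on the NPS side; a result with `fragmented` set to true on a path that drops IP fragments matches the timeout-only symptom reported in the thread.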
