Question

Wired 802.1x Authentication Failed on Brocade VDX

  • 1 May 2019
  • 3 replies
  • 473 views

Hello,

I am trying to implement wired dot1x for machine authentication using certificates.

As soon as I enabled dot1x authentication on the port, the link protocol goes down with dot1x authentication failed. Machine

Here is my setup:
1) Brocade VDX:
radius-server host 10.20.10.4
key
802.1x enabled globally:
dot1x enable
802.1x configuration on interface:
interface TenGigabitEthernet 1/2/3
dot1x authentication
dot1x port-control auto
dot1x protocol-version 2
dot1x quiet-period 30
dot1x reauthentication
dot1x reauthMax 3
dot1x timeout re-authorized 200
dot1x timeout server-timeout 30
dot1x timeout supp-timeout 30
dot1x timeout tx-period 60
2) Windows RADIUS Server
Network Policy
Conditions:
NAS Port Type :Ethernet
Windows Groups : dot1x Computers
Authentication Type: EAP
Constraints
Authentication Method: Smart Card or Other Certificate
In the certificate settings : Selected certificate for the RADIUS server
3) Group Policy
a) Computer Configuration/Policies/Security Settings/System Services : Wired Autoconfig (startup mode: Automatic)
b) Wired Network (802.3) Policies
Used Windows wired LAN network services for clients: Enabled
Shared User credentials for network authentication: Enabled
Network Profile/Security Settings
Enable use of IEEE 802.1x authentication for network access: Enabled
IEEE 802.1x settings
Computer Authentication: Computer Only
Network Authentication Method Properties
Authentication Method: Smart card or Certificate
Validate server certificate: Enabled (select CA certificate)
Use a certificate on this computer: Enabled
Use simple certificate selection: Enabled

Workstation clients and RADIUS server authentication certificates are auto enrolled.

Following error is logged on the workstation:
Wired 802.1x Authentication failed
Reason: 0x50005
Reason Text: Network Authentication failed due to a problem with the user account
Error Code: 0x40420110

It looks like it is not reaching the RADIUS server, therefore there is nothing in the log.

On Brocade VDX switch log:
warning, 802.1x authentication has failed on port TenGigabitEthernet 1/2/3

I hope someone will be able to assist me with this issue.

Thanks,

3 replies

Please take a look at page 255 for reference on how to configure dot1x authentication:

https://documentation.extremenetworks.com/networkos/SW/70x/53-1004365-02_L2SwitchingNetworkOS_7.0.1_CG_Aug2016.pdf

Please also verify the dot1x compatibility check passes between the switch and host.

# dot1x test eapol-capable

If you still have issues after, please contact Extreme GTAC to open a case for this issue.

We will need to verify the RADIUS communication and configuration with the switch, which involves a deeper-level troubleshooting session.

Does the RADIUS server for dot1x need to be on the mgmt-vrf?
Yes, it uses the mgmt-vrf if you don't configure it to use any other VRF.

You can confirm by doing 'sh run radius'

sw0# sh run radius
radius-server host 10.1.2.3 use-vrf mgmt-vrf
protocol pap key "Yf0BKEhsc83gp+kIoGMQ/g==\n" encryption-level 7
!
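To check the piece the first reply says needs verifying, whether the switch's RADIUS request reaches NPS and gets an answer at all, here is an added example in Python (not from this thread, and not Extreme/Brocade or Microsoft code): it builds the Access-Request a NAS sends for an 802.1X port, carrying EAP-Response/Identity and NAS-Port-Type=Ethernet as the NPS policy condition expects, sends it, and verifies the Response Authenticator on whatever comes back. It assumes the host running it is registered in NPS as a RADIUS client with the shared secret you pass; the identity, NAS-IP-Address and secret values are constructed placeholders, and build_reply is included only to show the server-side computation the check relies on.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11   # RFC 2865 codes
USER_NAME, NAS_IP, NAS_PORT_TYPE, EAP_MESSAGE, MSG_AUTH = 1, 4, 61, 79, 80    # attribute types
ETHERNET = 15   # NAS-Port-Type value the NPS condition "NAS Port Type: Ethernet" matches on
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject", ACCESS_CHALLENGE: "Access-Challenge"}

def attr(t, value):
    return struct.pack("!BB", t, len(value) + 2) + value   # one type-length-value attribute

def build_access_request(secret, identity, nas_ip, ident=1):
    """First Access-Request a switch sends for an 802.1X port: EAP-Response/Identity inside
    EAP-Message, NAS-Port-Type=Ethernet, plus the Message-Authenticator EAP requires (RFC 3579)."""
    req_auth = os.urandom(16)
    eap = struct.pack("!BBHB", 2, ident, 5 + len(identity), 1) + identity.encode()  # Response/Identity
    attrs = (attr(USER_NAME, identity.encode()) + attr(NAS_IP, socket.inet_aton(nas_ip))
             + attr(NAS_PORT_TYPE, struct.pack("!I", ETHERNET)) + attr(EAP_MESSAGE, eap)
             + attr(MSG_AUTH, bytes(16)))  # zeroed while the HMAC-MD5 over the packet is computed
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def build_reply(secret, request, code, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def parse_reply(secret, request, reply):
    """Reject replies not signed with our shared secret, then return (code name, attributes)."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if ident != request[1] or length != len(reply) or not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("reply does not match our request: wrong id/length, wrong secret or forged reply")
    attrs, pos = {}, 20
    while pos < length:
        t, l = reply[pos], reply[pos + 1]
        attrs.setdefault(t, []).append(reply[pos + 2:pos + l])
        pos += l
    return CODE_NAMES.get(code, f"code-{code}"), attrs

def probe(server, secret, identity="host/PROBE", nas_ip="10.20.10.1", timeout=3.0):
    """Send one Access-Request from this host (constructed identity/NAS-IP placeholders);
    'timeout' is the symptom in the thread: nothing reaches NPS, so nothing is logged there."""
    req = build_access_request(secret, identity, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (server, 1812))
        try:
            return parse_reply(secret, req, s.recv(4096))
        except socket.timeout:
            return "timeout", {}
```

An Access-Challenge back means the RADIUS path itself works and the failure is in the later EAP-TLS/certificate stage; a timeout means the request is not arriving (wrong VRF, routing, firewall) or NPS is discarding it because the source is not a registered RADIUS client.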
