Switching


Wired 802.1x with Windows Server 2012?

  • 1.  Wired 802.1x with Windows Server 2012?

    Posted 03-21-2022 05:29
    Hi all,


    Can anyone here give me a URL on how to configure Windows Server 2012 if I want to test it for wired 802.1x? Currently I'm trying to replicate the JNCIE-ENT self bundle in my virtual lab. Are the steps the same if I follow the URL below, or do you have another URL that is easier and clearer to follow?


    http://elder-usr.blogspot.com/2017/04/implementing-8021x-windows-2012r2-cisco.html


    Thanks, and I appreciate any feedback.


  • 2.  RE: Wired 802.1x with Windows Server 2012?

    Posted 03-22-2022 16:01
    Hey Kronicklez, 

    Is there any way to get in touch with you outside of these forums? I have a few questions regarding some of your earlier posts on MX480 AMS NAT.

    ------------------------------
    CHUCK GREVE
    ------------------------------



  • 3.  RE: Wired 802.1x with Windows Server 2012?

    Posted 03-22-2022 16:03
    Hi @CHUCK GREVE, you have the option to send private messages to other members once you have added them as a contact. You can do this by visiting other members' profiles.

    ------------------------------
    Michael Pappas
    ------------------------------



  • 4.  RE: Wired 802.1x with Windows Server 2012?

     
    Posted 03-23-2022 09:22
    Hi 
    I always follow https://youtu.be/6Oy3Rnle4CQ
    There are 3 parts. It's quite clear and easy to understand.

    Hope this helps!


    ------------------------------
    Wipawee Paiboonsematus
    ------------------------------



  • 5.  RE: Wired 802.1x with Windows Server 2012?

    Posted 03-23-2022 15:18
    Hi Bro Lomo,


    I very much appreciate that URL. The guide is very clear. Let me try it first.


    Thanks again.


  • 6.  RE: Wired 802.1x with Windows Server 2012?

    Posted 03-26-2022 12:03
    Hi Lomo,

    I already followed the YouTube URL exactly, but dot1x authentication still fails. It said "authenticated failed". By the way, I'm using vQFX as the switch and simulating in EVE-NG. Do you know whether it is due to a vQFX limitation?


    Thanks, and I appreciate anyone's feedback.


  • 7.  RE: Wired 802.1x with Windows Server 2012?

     
    Posted 03-28-2022 05:41
    Hi 
    Please share the log message from Event Viewer so we can see more details about the authentication failure.

    ------------------------------
    Wipawee Paiboonsematus
    ------------------------------



  • 8.  RE: Wired 802.1x with Windows Server 2012?

    Posted 03-28-2022 09:44
    Hi @Lomo


    Below is my vQFX config. Regarding the log message, I will send it later.

    {master:0}[edit system]
    root@EX1# run show configuration system radius-server | display set
    set system radius-server 10.10.10.1 port 1812
    set system radius-server 10.10.10.1 secret "$9$CIeqpORreW-VYhSVYgojiAp0BhSlKMXNd"
    set system radius-server 10.10.10.1 timeout 3
    set system radius-server 10.10.10.1 retry 3
    set system radius-server 10.10.10.1 source-address 10.100.0.1


    root@EX1# run show configuration interfaces xe-0/0/2.0 | display set
    set interfaces xe-0/0/2 unit 0 family ethernet-switching interface-mode access
    set interfaces xe-0/0/2 unit 0 family ethernet-switching vlan members user

    set access radius-server 10.10.10.1 port 1812
    set access radius-server 10.10.10.1 secret "$9$YN4JD.PQ9A0ikA0BIrl24aZikmfT3/C"
    set access radius-server 10.10.10.1 source-address 10.100.100.254
    set access profile dot1xgroup authentication-order radius
    set access profile dot1xgroup radius authentication-server 10.10.10.1


    root@EX1# run show configuration protocols dot1x | display set
    set protocols dot1x authenticator authentication-profile-name dot1xgroup
    set protocols dot1x authenticator interface xe-0/0/2.0 supplicant multiple
    set protocols dot1x authenticator interface xe-0/0/2.0 guest-vlan guest
    deactivate protocols dot1x authenticator interface xe-0/0/2.0 guest-vlan
    set protocols dot1x authenticator interface xe-0/0/2.0 server-fail vlan-name guest
    deactivate protocols dot1x authenticator interface xe-0/0/2.0 server-fail


  • 9.  RE: Wired 802.1x with Windows Server 2012?

     
    Posted 03-29-2022 05:50

    Hi 
    set protocols dot1x authenticator interface xe-0/0/2.0 guest-vlan guest < this line can be deleted
    set interfaces xe-0/0/2 unit 0 family ethernet-switching vlan members user < this line can be deleted

    And please show the output of "show dot1x interface ge-0/0/1.0 detail", and "event viewer is really important".
    Some authentication failures can be due to misconfiguration on the wired client (802.1x setup). Is it a Windows client, and which Windows version?



    ------------------------------
    Wipawee Paiboonsematus
    ------------------------------



  • 10.  RE: Wired 802.1x with Windows Server 2012?

    Posted 03-29-2022 10:57
    Hi lomo,


    The config line is already deactivated, so no issue. The clients I'm testing with are Windows 7 Pro 32-bit and Windows 10. The result is still the same. The Event Viewer you are referring to is on the client, right?


    Thanks


  • 11.  RE: Wired 802.1x with Windows Server 2012?

     
    Posted 03-30-2022 05:29
    Hi 
    Event Viewer is on the MS server. You will see the client request and the details of both authentication success and failure.



    ------------------------------
    Wipawee Paiboonsematus
    ------------------------------



  • 12.  RE: Wired 802.1x with Windows Server 2012?

    Posted 03-28-2022 09:45
    Hi,

    Can you share your configuration on the switch side, so we can see if something is missing?

    Br
    Robert


  • 13.  RE: Wired 802.1x with Windows Server 2012?

     
    Posted 03-31-2022 05:25
    Hi 
    I would recommend taking a look at Event Viewer first. It tells you everything.
    I already checked your configuration. It looks good.
    I have no 802.1x in my configuration right now. Or please follow the Junos® OS User Access and Authentication Administration Guide for Junos OS (juniper.net) to recheck your configuration.

    ------------------------------
    Wipawee Paiboonsematus
    ------------------------------



  • 14.  RE: Wired 802.1x with Windows Server 2012?

    Posted 03-31-2022 09:27
    Hi Lomo,


    After doing some tests with FreeRADIUS, it works. So it looks like the YouTube URL cannot work with Juniper, or there is a missing step on the Windows server in that video.


    Thanks


  • 15.  RE: Wired 802.1x with Windows Server 2012?

    Posted 04-06-2022 05:41
    Hi,

    Not sure if this is completely what you are looking for. It depends on what you would like to authenticate.
    For this example, it will auth the client certificate that has been issued via AD-enrollment.
    EX-switch config:
    Radius settings:
    set access radius-server 10.50.0.68 secret "X"
    set access radius-server 10.50.0.68 timeout 5
    set access radius-server 10.50.0.68 retry 10
    set access radius-server 10.50.0.68 source-address 10.17.0.90
    set access profile profile1 authentication-order radius
    set access profile profile1 radius authentication-server 10.50.0.68

    Port and 802.1x
    set interfaces interface-range User_802_1X_POC member ge-2/0/3
    set interfaces interface-range User_802_1X_POC description "Enforce 802.1x machine auth"
    set protocols dot1x authenticator authentication-profile-name profile1
    set protocols dot1x authenticator interface User_802_1X_POC supplicant multiple
    set protocols dot1x authenticator interface User_802_1X_POC retries 2
    set protocols dot1x authenticator interface User_802_1X_POC quiet-period 15
    set protocols dot1x authenticator interface User_802_1X_POC transmit-period 7
    set protocols dot1x authenticator interface User_802_1X_POC reauthentication 7200
    set protocols dot1x authenticator interface User_802_1X_POC server-timeout 5
    set protocols dot1x authenticator interface User_802_1X_POC maximum-requests 3
    set protocols dot1x authenticator interface User_802_1X_POC guest-vlan GUESTVLAN
    set protocols dot1x authenticator interface User_802_1X_POC server-reject-vlan GUESTVLAN
    set protocols dot1x authenticator interface User_802_1X_POC server-fail use-cache
    set protocols dot1x authenticator interface User_802_1X_POC server-fail-voip permit

    The radius used is Microsoft NPS on Win2019. The radius will send the user-vlan to the authenticated computer.
    Overall details:
    Conditions:
    NAS Port Type: Ethernet
    Machine Groups: DOMAIN\Domain Computers

    Extensible auth proto method: Microsoft: Protected EAP (PEAP)
    NAS port type: ethernet
    Auth method: EAP
    Framed-proto: PPP
    Service-type: Framed
    Encryption: Enabled
    ...and here are the added attributes that should be sent to the switch. These are configured on the radius as well, pre-defined options with custom vlan name (not vlan tag).
    Tunnel-Medium-Type: 802
    Tunnel-Pvt-Group-ID: MyUserVLAN
    Tunnel-type: Virtual LANs (VLAN)

    I hope this will help. There is a lot of information out there but not that easy to map everything together for a particular use-case.

    //Rob





  • 16.  RE: Wired 802.1x with Windows Server 2012?

    Posted 04-06-2022 12:28
    Hi RJ,


    I think there is no issue with the configuration on the Junos portion. I just want to know about configuring the Windows Server part, because based on the YouTube URL it is simple, but I'm not sure whether it is just for Cisco with Windows Server only.


    Thanks