Port Authentication via Dot1x on 3560's via ACS 3.0

I can't get port authentication to work.

ACS 3.0 using Radius

Cat 3560's

Windows EAP Type = MD5 Challenge


I get prompted to enter my password and it fails authentication. I am thinking something is misconfigured on the ACS 3.0. I am only trying to get it to work on 1 port with one user at this point. Any ideas?


Cisco Config:

aaa authentication dot1x default group radius
radius-server host 10.20.1.25 auth-port 1645 acct-port 1646
radius-server key xxx
!
dot1x system-auth-control
!
interface GigabitEthernet0/3
 switchport access vlan 10
 switchport mode access
 mls qos trust dscp
 ! system-auth-control is a global command only; the per-interface form is port-control
 dot1x port-control auto
 spanning-tree portfast


ACS LOG:

05/05/2008 16:57:50 Bad request from NAS .. .. .. (Unknown) Invalid message authenticator in EAP request .. .. .. 10.20.1.18 .. .. .. .. .. MDF-SW-04 Radius


I get the above error when the switch is trying to authenticate me. Then windows errors out and says Authentication Failed.


Any ideas where I need to start troubleshooting this?


Thanks for the help!




Jagdeep Gambhir Tue, 05/06/2008 - 07:38

David,

Sometimes the "Invalid message authenticator in EAP request" error message can occur due to mismatched shared secret keys.


Please try resetting the shared password on the switch and the ACS to something simple like cisco123.




Regards,

~JG

Do rate helpful posts
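Why a mismatched shared secret surfaces as "Invalid message authenticator": the Message-Authenticator attribute (RFC 3579) is an HMAC-MD5 over the whole Access-Request keyed with the RADIUS shared secret, so ACS can only verify it if it holds the same secret as the switch. The following is an added Python example, not code from this thread or from Cisco, that builds a minimal EAP Access-Request from constructed values (the identifier, authenticator and secrets are placeholders) and checks it with a matching and a mismatched secret.

```python
import hashlib
import hmac
import struct

# RADIUS constants (RFC 2865 / RFC 3579); the packet below is constructed, not a thread capture.
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80

def tlv(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def build_access_request(identifier, authenticator, attrs, secret):
    """NAS side: HMAC-MD5 over the whole packet with the Message-Authenticator
    value zeroed, keyed by the shared secret, then written into the attribute."""
    body = b"".join(attrs) + tlv(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(body))
    pkt = header + authenticator + body
    digest = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + digest  # the zeroed value is the last 16 bytes

def message_authenticator_valid(pkt, secret):
    """Server side (ACS): recompute the HMAC with its own copy of the secret."""
    off = 20
    while off + 2 <= len(pkt):
        attr_type, length = pkt[off], pkt[off + 1]
        if length < 2 or off + length > len(pkt):
            return False  # malformed attribute
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            received = pkt[off + 2:off + 18]
            zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        off += length
    return False  # an EAP Access-Request without the attribute is rejected

def demo():
    """Same packet checked with the NAS secret and with a mismatched one."""
    attrs = [tlv(ATTR_USER_NAME, b"david"),
             tlv(ATTR_NAS_IP_ADDRESS, bytes([10, 20, 1, 18])),
             tlv(ATTR_EAP_MESSAGE, b"\x02\x01\x00\x0a\x01david")]  # EAP Identity
    authenticator = bytes(range(16))  # constructed; a real NAS uses random bytes
    pkt = build_access_request(0x2A, authenticator, attrs, b"switch-secret")
    return (message_authenticator_valid(pkt, b"switch-secret"),
            message_authenticator_valid(pkt, b"acs-secret"))

if __name__ == "__main__":
    print(demo())  # (True, False)
```

The second result is exactly the failure ACS reports when its copy of the key differs from the one on the switch, which is why resetting both sides to the same value is the first thing to check.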

Below is the info from debug aaa authentication. Any ideas?




bend_idle_request_action called
110512: .May 6 09:08:42.196 UTC: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on GigabitEthernet0/3.
110513: .May 6 09:08:42.196 UTC: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Authenticator Q
110514: .May 6 09:08:42.196 UTC: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
110515: .May 6 09:08:42.196 UTC: dot1x-packet:Received an EAPOL frame on interface GigabitEthernet0/3
110516: .May 6 09:08:42.196 UTC: dot1x-ev:Received pkt saddr =00e0.b8a9.2085 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.000f
110517: .May 6 09:08:42.196 UTC: dot1x-packet:Received an EAP packet on interface GigabitEthernet0/3
110518: .May 6 09:08:42.196 UTC: EAPOL pak dump rx
110519: .May 6 09:08:42.196 UTC: EAPOL Version: 0x1 type: 0x0 length: 0x000F
110520: .May 6 09:08:42.196 UTC: dot1x-packet:Received an EAP packet on the GigabitEthernet0/3 from mac 00e0.b8a9.2085
110521: .May 6 09:08:42.196 UTC: dot1x-sm:Posting EAPOL_EAP on Client=37E05D8
110522: .May 6 09:08:42.196 UTC: dot1x_auth_bend Gi0: during state auth_bend_request, got event 6(eapolEap)
110523: .May 6 09:08:42.196 UTC: @@@ dot1x_auth_bend Gi0: auth_bend_request -> auth_bend_response
b8a9.2085:auth_aborting_enter called
110855: .May 6 09:10:47.381 UTC: dot1x-sm:Posting AUTH_ABORT on Client=37E05D8
110856: .May 6 09:10:47.381 UTC: dot1x_auth_bend Gi0: during state auth_bend_response, got event 1(authAbort)
110857: .May 6 09:10:47.381 UTC: @@@ dot1x_auth_bend Gi0: auth_bend_response -> auth_bend_initialize
110858: .May 6 09:10:47.381 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_bend_response_exit called
110859: .May 6 09:10:47.381 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_bend_initialize_enter called
110860: .May 6 09:10:47.381 UTC: dot1x_auth_bend Gi0: idle during state auth_bend_initialize
110861: .May 6 09:10:47.381 UTC: @@@ dot1x_auth_bend Gi0: auth_bend_initialize -> auth_bend_idle
110862: .May 6 09:10:47.381 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_bend_idle_enter called
110863: .May 6 09:10:47.381 UTC: dot1x-sm:Posting !AUTH_ABORT on Client=37E05D8
110864: .May 6 09:10:47.381 UTC: dot1x_auth Gi0: during state auth_aborting, got event 20(no_eapolLogoff_no_authAbort)
110865: .May 6 09:10:47.381 UTC: @@@ dot1x_auth Gi0: auth_aborting -> auth_restart
110866: .May 6 09:10:47.381 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_aborting_exit called
110867: .May 6 09:10:47.381 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_restart_enter called
110868: .May 6 09:10:47.381 UTC: dot1x-ev:Resetting the client 00e0.b8a9.2085
110869: .May 6 09:10:47.381 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_aborting_restart_action called
110870: .May 6 09:10:47.381 UTC: dot1x-sm:Posting !EAP_RESTART on Client=37E05D8
110871: .May 6 09:10:47.381 UTC: dot1x_auth Gi0: during state auth_restart, got event 6(no_eapRestart)
110872: .May 6 09:10:47.381 UTC: @@@ dot1x_auth Gi0: auth_restart -> auth_connecting
110873: .May 6 09:10:47.381 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_connecting_enter called
110874: .May 6 09:10:47.381 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_restart_connecting_action called
110875: .May 6 09:10:48.413 UTC: dot1x-packet:Received an EAP request packet from EAP for mac 00e0.b8a9.2085
110876: .May 6 09:10:48.413 UTC: dot1x-sm:Posting RX_REQ on Client=37E05D8
110877: .May 6 09:10:48.413 UTC: dot1x_auth Gi0: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
110878: .May 6 09:10:48.413 UTC: @@@ dot1x_auth Gi0: auth_connecting -> auth_authenticating
110879: .May 6 09:10:48.413 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_authenticating_enter called
110880: .May 6 09:10:48.413 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_connecting_authenticating_action called

Anybody have any ideas what the log below is telling me?



Log Buffer (32768 bytes):

112712: .May 6 10:51:16.668 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
112713: .May 6 10:51:19.235 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
112714: .May 6 10:51:28.589 UTC: AAA/BIND(00000047): Bind i/f
112715: .May 6 10:51:28.589 UTC: AAA/AUTHEN/19 (00000047): Pick method list 'default'
112716: .May 6 10:51:59.610 UTC: AAA/BIND(00000047): Bind i/f
112717: .May 6 10:51:59.610 UTC: AAA/AUTHEN/19 (00000047): Pick method list 'default'
112718: .May 6 10:52:20.741 UTC: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.20.1.25:1645,1646 is not responding.
112719: .May 6 10:52:20.741 UTC: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.20.1.25:1645,1646 has returned.
112720: .May 6 10:52:31.663 UTC: AAA/BIND(00000047): Bind i/f
112721: .May 6 10:52:31.663 UTC: AAA/AUTHEN/19 (00000047): Pick method list 'default'

This is a fresh log, from the start of authentication to the finish. Any ideas why it's failing?


Log Buffer (32768 bytes):

112924: .May 6 11:22:15.538 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
112925: .May 6 11:22:18.146 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
112926: .May 6 11:22:32.315 UTC: AAA/BIND(0000004B): Bind i/f
112927: .May 6 11:22:32.315 UTC: AAA/AUTHEN/19 (0000004B): Pick method list 'default'
112928: .May 6 11:23:03.345 UTC: AAA/BIND(0000004B): Bind i/f
112929: .May 6 11:23:03.345 UTC: AAA/AUTHEN/19 (0000004B): Pick method list 'default'
112930: .May 6 11:23:24.619 UTC: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.20.1.25:1812,1813 is not responding.
112931: .May 6 11:23:24.619 UTC: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.20.1.25:1812,1813 has returned.
112932: .May 6 11:23:33.351 UTC: %SM-4-BADEVENT: Event 'authTimeout' is invalid for the current state 'auth_aborting': dot1x_auth Gi0
-Traceback= B6D4C4 18F7B4 306584 304984 304F2C 8D9B24 8D00EC
112933: .May 6 11:23:35.406 UTC: AAA/BIND(0000004B): Bind i/f
112934: .May 6 11:23:35.406 UTC: AAA/AUTHEN/19 (0000004B): Pick method list 'default'
112935: .May 6 11:24:06.428 UTC: AAA/BIND(0000004B): Bind i/f
112936: .May 6 11:24:06.428 UTC: AAA/AUTHEN/19 (0000004B): Pick method list 'default'
112937: .May 6 11:24:38.481 UTC: AAA/BIND(0000004B): Bind i/f
112938: .May 6 11:24:38.481 UTC: AAA/AUTHEN/19 (0000004B): Pick method list 'default'
