Dot1x Port Authentication Error

Unanswered Question

I can't get port authentication to work with our ACS 4.0. Cisco 3560 log attached below. I need help!


interface GigabitEthernet0/3
 switchport access vlan 10
 switchport mode access
 mls qos trust dscp
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout server-timeout 60
 dot1x reauthentication
 dot1x guest-vlan 500
 spanning-tree portfast


Global Config

aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control



Any ideas where I need to go to fix this would be much appreciated!


Thanks!

jafrazie (Cisco Employee) Wed, 05/14/2008 - 09:41

Are you saying authentication fails when you plug in an 802.1X supplicant to port g0/3? If so, what error does ACS report in doing so?


Also, providing a "sho dot1x int g0/3 details" would help to tell what the switch's viewpoint of this is after you plug it in as well.


Let me know more details when you can,

Yes, authentication fails. In Windows it says it is validating user and eventually fails authentication.


PTHA-MDF-SW-04#sh dot1x int gi0/3
Dot1x Info for GigabitEthernet0/3
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Enabled
QuietPeriod = 60
ServerTimeout = 60
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Guest-Vlan = 500



I am not seeing any log entries in ACS! This is getting to be silly. Why is it so difficult to get a Cisco product to work with a Cisco product? I am about to throw out the ACS box.


Aren't the Cisco logs enough to at least point me in some direction for troubleshooting?


jafrazie (Cisco Employee) Wed, 05/14/2008 - 10:39

If Windows says it's validating identity, then it's not even replied back to the switch. You're not seeing logs in ACS, since the switch isn't sending ACS anything.


What happened here was something like:

1) EAPOL-Start from client (assumed anyway, but might not be enabled on Windows)
2) EAPOL-Identity-Request from switch to client (at this point, Windows will enter the Validating Identity state).
3) EAPOL-Identity-Response from PC to switch
4) Switch initiates RADIUS
5) Numerous steps beyond here depending on the EAP-type, but you're not getting beyond step 2 for some reason.


I would look into why the supplicant isn't responding. Could be that it's enabled for EAP-TLS and there's no cert actually on the machine, for example.
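As an added illustration of the exchange described in the reply above (this is constructed example code, not part of the thread and not Cisco's implementation), the script below encodes real EAPOL/EAP frames for steps 1 to 3 and drives a toy authenticator that mirrors the switch's MaxReq = 2 and TxPeriod = 30 settings from the "sh dot1x" output. Two supplicants are modelled: one that answers the Identity-Request, and one that stays silent the way a Windows client stuck in "Validating identity" does. The point it makes visible is that with a silent supplicant the authenticator exhausts its retransmissions and never builds a RADIUS Access-Request, so ACS has nothing to log. The identity string "alice@example.com" and the timer handling (counted attempts instead of real timers) are assumptions of this example.

```python
"""Model of the 802.1X identity phase (constructed example, not from the thread).

EAPOL and EAP headers follow IEEE 802.1X / RFC 3748; the authenticator is a toy
state machine and timers are simulated by counting attempts, not by real time.
"""
import struct
from dataclasses import dataclass, field

EAPOL_VERSION = 2
EAPOL_TYPE_EAP_PACKET = 0
EAPOL_TYPE_START = 1

EAP_CODE_REQUEST = 1
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def eapol_start() -> bytes:
    """Step 1: EAPOL-Start is an EAPOL header (version, type=1) with an empty body."""
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_START, 0)


def eap_packet(code: int, ident: int, eap_type: int, data: bytes = b"") -> bytes:
    """Wrap an EAP packet (code, id, length, type, data) in an EAPOL EAP-Packet frame."""
    eap = struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap


def parse_eapol(frame: bytes) -> dict:
    """Decode the EAPOL header and, for EAP-Packet frames, the EAP header and payload."""
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    out = {"version": version, "type": ptype}
    if ptype == EAPOL_TYPE_EAP_PACKET:
        body = frame[4:4 + length]
        code, ident, eap_len, eap_type = struct.unpack("!BBHB", body[:5])
        out.update(code=code, id=ident, eap_type=eap_type, data=body[5:eap_len])
    return out


@dataclass
class Authenticator:
    """Toy switch-side authenticator using the thread's MaxReq=2 / TxPeriod=30 values."""
    max_req: int = 2          # retransmissions of the Identity-Request before giving up
    tx_period: int = 30       # seconds between retransmissions (simulated only)
    radius_requests: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def run(self, supplicant) -> str:
        """Drive the identity phase against a supplicant callback; return the port state."""
        self.log.append("EAPOL-Start received")                      # step 1
        req_id = 1
        for attempt in range(self.max_req + 1):                      # first send + MaxReq retries
            request = eap_packet(EAP_CODE_REQUEST, req_id, EAP_TYPE_IDENTITY)
            self.log.append(f"EAP-Request/Identity id={req_id} sent (attempt {attempt + 1})")  # step 2
            reply = supplicant(request)
            if reply is None:
                self.log.append(f"no response within TxPeriod={self.tx_period}s")
                continue
            parsed = parse_eapol(reply)
            if (parsed.get("code") == EAP_CODE_RESPONSE and parsed.get("id") == req_id
                    and parsed.get("eap_type") == EAP_TYPE_IDENTITY):
                identity = parsed["data"].decode()
                self.log.append(f"EAP-Response/Identity from {identity!r}")   # step 3
                # Step 4: only now does the switch build a RADIUS Access-Request for ACS.
                self.radius_requests.append({"User-Name": identity, "EAP-Message": reply[4:]})
                return "RADIUS_STARTED"
        self.log.append("MaxReq exhausted; RADIUS never contacted, so ACS logs nothing")
        return "TIMEOUT_NO_RADIUS"


def responsive_supplicant(request: bytes):
    """Supplicant that answers the Identity-Request (identity is a constructed value)."""
    req = parse_eapol(request)
    return eap_packet(EAP_CODE_RESPONSE, req["id"], EAP_TYPE_IDENTITY, b"alice@example.com")


def silent_supplicant(request: bytes):
    """Supplicant stuck in 'Validating identity': it never replies."""
    return None


def diagnose(supplicant) -> tuple:
    """Return (final port state, number of RADIUS Access-Requests the switch would send)."""
    auth = Authenticator()
    state = auth.run(supplicant)
    return state, len(auth.radius_requests)


if __name__ == "__main__":
    for name, supp in (("responsive", responsive_supplicant), ("silent", silent_supplicant)):
        auth = Authenticator()
        state = auth.run(supp)
        print(f"{name}: {state}, RADIUS requests sent={len(auth.radius_requests)}")
        for line in auth.log:
            print("   ", line)
```

Running it prints the per-attempt log for each supplicant; the silent case ends with three unanswered Identity-Requests and zero RADIUS requests, which is the situation the reply describes: the place to look is the supplicant (EAP type, certificate presence), not ACS.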
