05-14-2008 09:36 AM - edited 03-09-2019 08:42 PM
I can't get port authentication to work with our ACS 4.0. Cisco 3560 log attached below. I need help!
interface GigabitEthernet0/3
switchport access vlan 10
switchport mode access
mls qos trust dscp
dot1x pae authenticator
dot1x port-control auto
dot1x timeout server-timeout 60
dot1x reauthentication
dot1x guest-vlan 500
spanning-tree portfast
Global Config
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
Any ideas where I need to go to fix would be much appreciated!
Thanks!
05-14-2008 09:41 AM
Are you saying authentication fails when you plug in an 802.1X supplicant to port g0/3? If so, what error does ACS report in doing so?
Also, providing a "sho dot1x int g0/3 details" would help to tell what the switch's viewpoint of this is after you plug it in as well.
Let me know more details when you can,
05-14-2008 09:56 AM
Yes, authentication fails. In Windows it says it is validating user and eventually fails authentication.
PTHA-MDF-SW-04#sh dot1x int gi0/3
Dot1x Info for GigabitEthernet0/3
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Enabled
QuietPeriod = 60
ServerTimeout = 60
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Guest-Vlan = 500
I am not seeing any log entries in ACS! This is getting to be silly. Why is it so difficult to get a Cisco product to work with a Cisco product? I am about to throw out the ACS box.
Aren't the Cisco logs enough to at least point me in some direction for troubleshooting?
05-14-2008 10:39 AM
If Windows says it's validating identity, then it's not even replied back to the switch. You're not seeing logs in ACS, since the switch isn't sending ACS anything.
What happened here was something like:
1) EAPOL-Start from client (assumed anyway, but might not be enabled on Windows)
2) EAPOL-Identity-Request from switch to client (at this point, Windows will enter the Validating Identity state).
3) EAPOL-Identity-Response from PC to switch
4) Switch initiates RADIUS
5) Numerous steps beyond here depending on the EAP-type, but you're not getting beyond step 2 for some reason.
I would look into why the supplicant isn't responding. Could be that it's enabled for EAP-TLS and there's no cert actually on the machine, for example.
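To make the reasoning in this reply checkable against a port capture, here is an added example (not from the original thread or from Cisco) that decodes EAPOL and EAP headers from raw Ethernet frames and maps what was seen to the five steps listed above. It assumes the standard 802.1X EAPOL header (version, type, length) and the RFC 3748 EAP header (code, identifier, length, type); the MAC addresses, the identity string and the two sample captures are constructed for the example.

```python
"""Decode EAPOL/EAP frames and report how far an 802.1X exchange got.

Added example, not part of the original thread. Assumes the standard EAPOL and
EAP header layouts; MACs, identity and sample captures below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge", 13: "TLS", 25: "PEAP"}


@dataclass
class EapolFrame:
    src: str
    dst: str
    eapol_type: str
    eap_code: Optional[str] = None
    eap_id: Optional[int] = None
    eap_type: Optional[str] = None
    eap_data: bytes = b""

    def label(self) -> str:
        """Short name such as 'EAPOL-Start' or 'EAP-Response/Identity'."""
        if self.eapol_type != "EAP-Packet":
            return self.eapol_type
        return f"EAP-{self.eap_code}" + (f"/{self.eap_type}" if self.eap_type else "")


def parse_eapol(frame: bytes) -> EapolFrame:
    """Parse Ethernet + EAPOL (+ EAP) headers; raises ValueError on malformed input."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    _ver, ptype, blen = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + blen]
    if len(body) < blen:
        raise ValueError("EAPOL body truncated")
    f = EapolFrame(src.hex(":"), dst.hex(":"), EAPOL_TYPES.get(ptype, f"type-{ptype}"))
    if ptype == 0:  # EAP-Packet: code, id, length, then [type, data] for Request/Response
        if len(body) < 4:
            raise ValueError("EAP header truncated")
        code, ident, elen = struct.unpack("!BBH", body[:4])
        if elen < 4 or elen > len(body):
            raise ValueError("bad EAP length")
        f.eap_code, f.eap_id = EAP_CODES.get(code, f"code-{code}"), ident
        if code in (1, 2) and elen >= 5:
            f.eap_type = EAP_TYPES.get(body[4], f"type-{body[4]}")
            f.eap_data = body[5:elen]
    return f


def last_completed_step(frames: List[EapolFrame]) -> Tuple[int, str]:
    """Map the frames seen on the access port onto steps 1-4 of the reply above.

    Step 4 (switch starts RADIUS) is not visible on the port itself, but any later
    EAP-Request other than Identity, or an EAP-Success/Failure, is relayed from the
    RADIUS server, so seeing one proves step 4 happened.
    """
    labels = [f.label() for f in frames]
    step, why = 0, "no EAPOL at all: check dot1x on the port and the supplicant service"
    if "EAPOL-Start" in labels:
        step, why = 1, "supplicant sent EAPOL-Start but the switch never asked for an identity"
    if "EAP-Request/Identity" in labels:
        step, why = 2, "switch asked for an identity, supplicant never answered; RADIUS never started, so ACS logs nothing"
    if "EAP-Response/Identity" in labels:
        step, why = 3, "supplicant answered; if nothing follows, check RADIUS reachability, shared secret and ACS failed attempts"
    if any(l in ("EAP-Success", "EAP-Failure") or (l.startswith("EAP-Request/") and l != "EAP-Request/Identity") for l in labels):
        step, why = 4, "RADIUS conversation is running; the failure is in the EAP method or credentials"
    return step, why


def _eapol(src: bytes, dst: bytes, ptype: int, body: bytes = b"") -> bytes:
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, ptype, len(body)) + body


def _eap(code: int, ident: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    payload = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


PC = bytes.fromhex("001122334455")      # constructed supplicant MAC
SWITCH = bytes.fromhex("00aabbccddee")  # constructed authenticator MAC
# Constructed capture matching the thread: Start, Identity-Request, then silence.
STALLED = [_eapol(PC, PAE_GROUP_ADDR, 1), _eapol(SWITCH, PAE_GROUP_ADDR, 0, _eap(1, 1, 1))]
# Constructed capture where the supplicant answered and RADIUS sent an MD5 challenge.
PROGRESSING = STALLED + [
    _eapol(PC, PAE_GROUP_ADDR, 0, _eap(2, 1, 1, b"user@example.test")),
    _eapol(SWITCH, PAE_GROUP_ADDR, 0, _eap(1, 2, 4, bytes([16]) + bytes(16))),
]


def diagnose(raw_frames: List[bytes]) -> Tuple[int, str]:
    return last_completed_step([parse_eapol(f) for f in raw_frames])


if __name__ == "__main__":
    for name, cap in (("stalled", STALLED), ("progressing", PROGRESSING)):
        step, why = diagnose(cap)
        print(f"{name}: last completed step {step}: {why}")
```

Run against real frames, feed `diagnose` the raw EAPOL frames from a SPAN or a capture on the PC's NIC; on the "stalled" capture it reports step 2, which is exactly the situation in this thread: the switch sent Identity-Request, nothing came back, so no RADIUS Access-Request was ever generated and ACS has nothing to log.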
05-14-2008 10:52 AM
The Windows machine I am testing with is set up to use MD5-Challenge. I have double checked the key. Doesn't the Cisco log tell us anything? I am like stuck with no troubleshooting steps to get this working.
Thanks for the help!