Dot1x Port Authentication Error

david.santel
Level 1

I can't get port authentication to work with our ACS 4.0. Cisco 3560 log attached below. I need help!

interface GigabitEthernet0/3
 switchport access vlan 10
 switchport mode access
 mls qos trust dscp
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout server-timeout 60
 dot1x reauthentication
 dot1x guest-vlan 500
 spanning-tree portfast

Global Config

aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control

Any ideas where I need to go to fix this would be much appreciated!

Thanks!

4 Replies

jafrazie
Cisco Employee

Are you saying authentication fails when you plug in an 802.1X supplicant to port g0/3? If so, what error does ACS report in doing so?

Also, providing a "sho dot1x int g0/3 details" would help to tell what the switch's viewpoint of this is after you plug it in as well.

Let me know more details when you can,

Yes, authentication fails. In Windows it says it is validating user and eventually fails authentication.

PTHA-MDF-SW-04#sh dot1x int gi0/3
Dot1x Info for GigabitEthernet0/3
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Enabled
QuietPeriod = 60
ServerTimeout = 60
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Guest-Vlan = 500

I am not seeing any log entries in ACS! This is getting to be silly. Why is it so difficult to get a Cisco product to work with a Cisco product? I am about to throw out the ACS box.

Aren't the Cisco logs enough to at least point me in some direction for troubleshooting?

If Windows says it's validating identity, then it hasn't even replied back to the switch. You're not seeing logs in ACS, since the switch isn't sending ACS anything.

What happened here was something like:

1) EAPOL-Start from client (assumed anyway, but might not be enabled on Windows)

2) EAPOL-Identity-Request from switch to client (at this point, Windows will enter the Validating Identity state).

3) EAPOL-Identity-Response from PC to switch

4) Switch initiates RADIUS

5) Numerous steps beyond here depending on the EAP-type, but you're not getting beyond step 2 for some reason.

I would look into why the supplicant isn't responding. Could be that it's enabled for EAP-TLS and there's no cert actually on the machine, for example.
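One way to turn the sequence above into a repeatable check, as an added example that is not part of this thread and not a Cisco tool: a small Python decoder for EAPOL/EAP frames that reports how far the exchange got on the wire and therefore which component (switch, supplicant, RADIUS path, or ACS policy) to look at first. All frame contents, the MAC addresses and the user name are constructed for illustration; step 4 (the switch talking to RADIUS) is not visible on the access port itself, so it is inferred from the first method-specific EAP Request, which the switch can only send after the server answered.

```python
import struct

# Protocol constants (IEEE 802.1X EAPOL and RFC 3748 EAP).
ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4

# Constructed MAC addresses for the sample frames (not from the thread).
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
SWITCH_MAC = bytes.fromhex("001122334455")     # hypothetical authenticator
PC_MAC = bytes.fromhex("66778899aabb")         # hypothetical supplicant


def build_eap(code, ident, eap_type=None, data=b""):
    """Encode an EAP packet: code, identifier, length, then optional type + data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def build_eapol(dst, src, eapol_type, eap=b""):
    """Wrap an EAPOL PDU (protocol version 2) in an Ethernet II frame."""
    header = struct.pack("!BBH", 2, eapol_type, len(eap))
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + header + eap


def parse_frame(raw):
    """Decode one frame; None for non-EAPOL, truncated or inconsistent input."""
    if len(raw) < 18:
        return None
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        return None
    _version, eapol_type, length = struct.unpack("!BBH", raw[14:18])
    body = raw[18:18 + length]
    if len(body) < length:
        return None  # EAPOL length claims more bytes than were captured
    info = {"src": raw[6:12], "dst": raw[:6], "eapol_type": eapol_type,
            "eap_code": None, "eap_type": None}
    if eapol_type == EAPOL_EAP_PACKET:
        if len(body) < 4:
            return None
        code, _ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > len(body):
            return None  # EAP length disagrees with the EAPOL body
        info["eap_code"] = code
        if code in (EAP_REQUEST, EAP_RESPONSE) and eap_len >= 5:
            info["eap_type"] = body[4]
    return info


# Steps as numbered in the reply above: 1 Start, 2 Request/Identity, 3 Response/Identity,
# 4 first method Request (proves the switch got a RADIUS answer), 5 method Response,
# 6 Success/Failure.
def step_of(f):
    """Step number one parsed EAPOL frame represents (0 if it proves nothing)."""
    if f["eapol_type"] == EAPOL_START:
        return 1
    if f["eapol_type"] != EAPOL_EAP_PACKET:
        return 0
    code, eap_type = f["eap_code"], f["eap_type"]
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return 6
    if code not in (EAP_REQUEST, EAP_RESPONSE) or eap_type is None:
        return 0
    base = 2 if eap_type == EAP_TYPE_IDENTITY else 4
    return base + (1 if code == EAP_RESPONSE else 0)


def furthest_step(frames):
    """Highest step reached anywhere in a list of raw frames."""
    parsed = (parse_frame(raw) for raw in frames)
    return max((step_of(f) for f in parsed if f is not None), default=0)


HINTS = {
    0: "switch never sent Request/Identity: check dot1x port-control and system-auth-control",
    2: "supplicant never answered Request/Identity, so ACS has nothing to log: check the client's EAP method and credentials",
    3: "identity sent but no method Request: check the switch-to-RADIUS path (AAA client entry, shared secret, reachability)",
    4: "RADIUS is answering: read the failure reason in the ACS logs",
}


def diagnose(frames):
    """Return (step reached, which component to look at first)."""
    step = furthest_step(frames)
    return step, HINTS[0 if step < 2 else min(step, 4)]


# Constructed captures. STALLED mirrors the thread: three Identity-Requests, no reply.
IDENTITY_REQUEST = build_eapol(PC_MAC, SWITCH_MAC, EAPOL_EAP_PACKET,
                               build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
STALLED_EXCHANGE = [build_eapol(PAE_GROUP_MAC, PC_MAC, EAPOL_START)] + [IDENTITY_REQUEST] * 3
CHALLENGE = bytes([16]) + bytes(16)  # MD5-Challenge value-size byte + 16 zero bytes (constructed)
SUCCESSFUL_EXCHANGE = [
    STALLED_EXCHANGE[0], IDENTITY_REQUEST,
    build_eapol(PAE_GROUP_MAC, PC_MAC, EAPOL_EAP_PACKET, build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"user1")),
    build_eapol(PC_MAC, SWITCH_MAC, EAPOL_EAP_PACKET, build_eap(EAP_REQUEST, 2, EAP_TYPE_MD5, CHALLENGE)),
    build_eapol(PAE_GROUP_MAC, PC_MAC, EAPOL_EAP_PACKET, build_eap(EAP_RESPONSE, 2, EAP_TYPE_MD5, CHALLENGE + b"user1")),
    build_eapol(PC_MAC, SWITCH_MAC, EAPOL_EAP_PACKET, build_eap(EAP_SUCCESS, 2)),
]
```

Running `diagnose(STALLED_EXCHANGE)` returns step 2 with the "supplicant never answered" hint, which is exactly the situation described in the reply: the switch is asking, nothing comes back, and ACS therefore has no record to show. In practice the frame list would come from a capture on the access port (for example a SPAN session feeding a packet capture), and the parser deliberately drops frames whose length fields disagree with what was captured rather than guessing at them.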

The Windows machine I am testing with is set up to use MD5-Challenge. I have double checked the key. Doesn't the Cisco log tell us anything? I am stuck with no troubleshooting steps to get this working.

Thanks for the help!
