dot1x authentication doesn't work on CatOS

dimensyssrl · ‎07-30-2009

Hello all.

I'm trying dot1x configuration, from our switches to a windows radius server.

It works properly from ios switches, with this configuration:

aaa authentication dot1x default group radius

aaa accounting dot1x default start-stop group radius

!

dot1x system-auth-control

!

interface FastEthernet0/25

description TEST DOT1X

dot1x pae authenticator

dot1x port-control auto

but it doesn't work from catos (6509) switch, with this configuration:

set radius server 172.16.1.1 primary

set radius key <removed>

set dot1x system-auth-control enable

set port dot1x 7/14 port-control auto

!

into windows logs, I can see an identical log, for successful ios authentication and for unauthorized catos connection...

Where I'm wrong?

Thanks

Daniele

Amit Singh · ‎07-30-2009

Could you please paste the following output :

A. " Show version"

B. " Show radius "

C. " Shows dot1x "

-amit singh

dimensyssrl · ‎07-30-2009

show version

WS-C6509-E Software, Version NmpSW: 8.6(4)

NMP S/W compiled on Dec 12 2007, 23:05:14

System Bootstrap Version: 7.1(1)

System Boot Image File is 'bootflash:cat6000-sup2k9.8-6-4.bin'

System Configuration register is 0x2

Hardware Version: 1.1 Model: WS-C6509-E Serial #: SMG0911N055

PS1 Module: WS-CAC-3000W Serial #: SNI0913AL64

Mod Port Model Serial # Versions

--- ---- ------------------- ----------- --------------------------------------

1 2 WS-X6K-SUP2-2GE SAL08517Q91 Hw : 5.1

Fw : 7.1(1)

Fw1: 6.1(3)

Sw : 8.6(4)

Sw1: 8.6(4)

WS-F6K-PFC2 SAL0852854Z Hw : 3.5

Sw :

3 48 WS-X6148A-GE-45AF SAD09260607 Hw : 1.1

Fw : 8.4(1)

Sw : 8.6(4)

4 48 WS-X6148A-GE-45AF SAL11434VMT Hw : 2.3

Fw : 8.4(1)

Sw : 8.6(4)

5 48 WS-X6148A-GE-45AF SAL1245993P Hw : 2.4

Fw : 8.4(1)

Sw : 8.6(4)

9 16 WS-X6516A-GBIC SAL1049A2QP Hw : 4.5

Fw : 7.2(1)

Sw : 8.6(4)

15 1 WS-F6K-MSFC2 SAL090205QF Hw : 2.8

Fw : 12.1(27b)E4

Sw : 12.1(27b)E4

DRAM FLASH NVRAM

Module Total Used Free Total Used Free Total Used Free

------ ------- ------- ------- ------- ------- ------- ----- ----- -----

1 262144K 96245K 165899K 31232K 30959K 273K 512K 140K 372K

Uptime is 401 days, 7 hours, 30 minutes

Active RADIUS Server : 172.16.1.1

RADIUS Deadtime : 0 minutes

RADIUS Key :

RADIUS Retransmit : 25

RADIUS Timeout : 5 seconds

Framed-Ip Address Transmit : Disabled

RADIUS Framed MTU : 1500 bytes

RADIUS Keepalive : Disabled

RADIUS Keepalive Timer : 300 seconds

RADIUS Autoinitialize Critical: Disabled

RADIUS-Server Status Auth Acct Resolved Operational

port port IP Address State

-------------------------------- ------- ---- ---- --------------- -----------

172.16.1.1 primary 1812 1813 -

PAE Capability Authenticator Only

Protocol Version 1

system-auth-control enabled

max-req 2

max-reauth-req 2

quiet-period 60 seconds

radius-accounting disabled

radius-vlan-assignment enabled

re-authperiod 3600 seconds

server-timeout 30 seconds

shutdown-timeout 300 seconds

supp-timeout 30 seconds

tx-period 30 seconds

critical-recovery-delay 100 milliseconds

thanks

Daniele

dimensyssrl · ‎07-30-2009

others (maybe useful) informations

into radius log I can see two different logs, this is from the connection into ios switch (OK)

"BLADE2","IAS",07/29/2009,16:39:50,1,"DOMAIN\admin","DOMAIN.LOCAL/CED/Administrator (No GPO)/admin","00-1A-6D-09-7C-99","00-16-D3-32-58-C4",,,,"10.168.248.50",50025,9,"10.168.248.50","switch-50",,,15,,,2,11,"Connections to other access servers",0,"311 1 172.16.1.1 07/27/2009 16:06:44 306",,,,"Microsoft: Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"dot1x",1,,,,

this is the log that appears when I try to connect, with the same pc, into catos switch

"BLADE2","IAS",07/30/2009,12:18:47,11,,"DOMAIN\Admin",,,,,,,,9,"10.168.248.33","cat6509",,,,,,,,,0,"311 1 172.16.1.1 07/27/2009 16:06:44 541",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"dot1x",1,,,,

dimensyssrl · ‎07-30-2009

how can I debug radius with catos?

dimensyssrl · ‎07-30-2009

I've debugged dot1x and radius, but resulting logs are not easy and useful...

dot1x_inband : received an EAPOL from mNo = 3, pNo = 37 2009 Jul 30 15:05:36.550 Europe +02:00

dot1x_rx : Received EAPOL frame 2009 Jul 30 15:05:36.630 Europe +02:00

dot1x_inband : received an EAPOL from mNo = 3, pNo = 37 2009 Jul 30 15:05:36.730 Europe +02:00

dot1x_rx : Received EAPOL frame 2009 Jul 30 15:05:36.810 Europe +02:00 Current Last Accessed server 172.16.1.1

2009 Jul 30 15:05:36.900 Europe +02:00

dot1x_rad: packet 0x84e4fa90 addr 172.16.1.1 2009 Jul 30 15:05:36.990 Europe +02:00

dot1x_rad: RadiusSendQuery: server - 172.16.1.1 2009 Jul 30 15:05:37.080 Europe +02:00

dot1x_rad: RadiusSendQuery: authport - 16452009 Jul 30 15:05:37.200 Europe +02:00 Current Last Accessed server 172.16.1.1

2009 Jul 30 15:05:37.280 Europe +02:00

dot1x_rad: Valid radius pkt is received from server 172.16.1.1

dot1x_rad: Dump of reply packet : Len = 90

84e2cdd0 0B DB 00 5A 9B 62 A1 2A A5 A8 75 71 6C C8 9B 32 ...Z.b.*..uql..2

84e2cde0 EF 46 E3 AD 1B 06 00 00 00 1E 4F 08 01 07 00 06 .F........O.....

84e2cdf0 19 20 18 26 34 0A 04 01 00 00 01 37 00 01 02 00 . .&4......7....

84e2ce00 C0 A8 32 20 00 00 00 00 00 00 00 00 00 00 00 00 ..2 ............

84e2ce10 00 00 00 04 70 6B FD 2F 50 12 1D 98 02 51 CB 31 ....pk./P....Q.1

84e2ce20 44 42 C3 95 49 04 EE 8E E2 FF DB..I.....

2009 Jul 30 15:05:38.050 Europe +02:00

Resp received for ID = 2192009 Jul 30 15:05:38.120 Europe +02:00

dot1x_rad: Entering RadiusCheckMsgAuthAndAuth()2009 Jul 30 15:05:38.220 Europe +02:00

dot1x_rad: RadiusCheckMsgAuthAndAuth() is successful2009 Jul 30 15:05:38.350 Europe +02:00

dot1x_inband : received an EAPOL from mNo = 3, pNo = 37 2009 Jul 30 15:05:38.450 Europe +02:00

dot1x_rx : Received EAPOL frame 2009 Jul 30 15:05:38.530 Europe +02:00

dot1x_rad: packet 0x84e4fa90 addr 172.16.1.1 2009 Jul 30 15:05:38.620 Europe +02:00

dot1x_rad: RadiusSendQuery: server - 172.16.1.1 2009 Jul 30 15:05:38.710 Europe +02:00

dot1x_rad: RadiusSendQuery: authport - 1645

dimensyssrl · ‎08-19-2009

anyone can help me?