dot1x Authentication on 3750

Unanswered Question
Oct 7th, 2009
User Badges:

I configured dot1x port-authentication on a 3750. The switch sends out a request to the radius server. The radius server sends a answer-packet to the switch udp port 21645 but it seems the switch discards the packet or something like that. The radius server gets the answer "Destination unreachable, Port Unreachable"


Thank you

Daniel

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
dhananjoy chowdhury Wed, 10/07/2009 - 01:08
User Badges:
  • Silver, 250 points or more

Did you define the radius source int on the switch?

something like this -

ip radius source-interface vlan1


the source ip address of the switch as seen by the radius packet should be same as the "radius agent ip address" configured on the radius server.


lhconsulting Wed, 10/07/2009 - 01:21
User Badges:

no i did not bevore but i tried right now with no difference.


The source ip address of the switch is configured correctly on the radius server.


When i use a sniffer on the radius i can see the "Access-Request" from the switch with a correct source ip.

The radius processes the request and sends a Access-Reject to the correct ip-address but the then gets a Destination unreachable (Port unreachable)

So the radius is working properly and the ip of the switch is correct but the switch has not open the udp-port for the answer-packet.

But i can ping the switch from radius server.

IAN WHITMORE Wed, 10/12/2011 - 07:05
User Badges:
  • Silver, 250 points or more

Sorry to bump such an old post but I'm having exactly the same issueon my 6500.


Here's the TCP dump:


14:59:28.545965 IP 192.168.254.2.21645 > MGMT4: RADIUS, Access Request (1), id: 0x4d length: 90

14:59:28.548010 IP MGMT4 > 192.168.254.2.21645: RADIUS, Access Accept (2), id: 0x4d length: 45

14:59:28.548479 IP 192.168.254.2 > MGMT4: ICMP 192.168.254.2 udp port 21645 unreachable, length 36


14:59:39.511112 IP 192.168.254.2.21645 > MGMT4: RADIUS, Access Request (1), id: 0x4d length: 90

14:59:39.512950 IP MGMT4s > 192.168.254.2.21645: RADIUS, Access Accept (2), id: 0x4d length: 45

14:59:39.513435 IP 192.168.254.2 > MGMT4: ICMP 192.168.254.2 udp port 21645 unreachable, length 36


14:59:49.603144 IP 192.168.254.2.21645 > MGMT4: RADIUS, Access Request (1), id: 0x4d length: 90

14:59:49.604842 IP MGMT4 > 192.168.254.2.21645: RADIUS, Access Accept (2), id: 0x4d length: 45

14:59:49.605165 IP 192.168.254.2 > MGMT4: ICMP 192.168.254.2 udp port 21645 unreachable, length 36


Could it be a bug?


Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(33)SXH6, RELEASE SOFTWARE (fc1)

wasmer_anne@hot... Wed, 10/12/2011 - 09:20
User Badges:

Should the switch not send a access accept and NOT an access reject as you suggested? The access reject would point towards a config issue on the RADIUS server.

IAN WHITMORE Thu, 10/13/2011 - 08:15
User Badges:
  • Silver, 250 points or more

Well, whether or not it send access-accept or access-reject is not the problem. The problem is a communication error because it can't reach the switch. We both have the same problem of the port being unreachable. In lh consultings case it was also an access-reject. In my case it's an access-accept.


But if the switch can rach the radius server on the same LAN, with no ACLs and no firewall, why can't the server reply to the switch port? That is the question here.


I'm wondering if its a bug.

Matthew Needs Tue, 09/18/2012 - 00:46
User Badges:
  • Bronze, 100 points or more
  • Community Spotlight Award,

    Small Business, May 2015

Hi All. Im having a very similar problem on a 6500.


6509 Loop0 - 172.16.17.1 (Radius Source)

Radius Server - 192.168.1.101 (TekRadius)

6509 SVI Interface - 192.168.1.252 (LAN Interface)


Using Wireshark I can see the radius communication to and from the correct IP addresses. But then I see port 21645 unreachable coming from the 6509's VLAN interface? Did you guys ever have any luck with this?


1001 132.049236000 172.16.17.1 192.168.1.101 RADIUS 130 Access-Request(1) (id=219, l=88)

1002 132.062993000 192.168.1.101 172.16.17.1 RADIUS 100 Access-Accept(2) (id=219, l=58)

1003 132.063590000 192.168.1.252 192.168.1.101 ICMP 70 Destination unreachable (Port unreachable)


Thanks very much


Matt

ayden_beeson86 Thu, 09/27/2012 - 00:16
User Badges:

Did any of you get anywhere with this problem?


I'm trying to test this with a 3750 running 122-25 SEE3, im upgrading it to 122-52 SE at the moment to see if that helps...


If it turns out its an IOS bug i have wasted a few days on....


EDIT: Matt, looking at yours, the return does not match the original.


Try setting the ip radius-server source to whatever the interface is its coming in on (vlan #) and see if that helps (it didnt fix mine, but its a start)

ayden_beeson86 Thu, 09/27/2012 - 01:08
User Badges:

hey guys,


I have upgraded my switch to 12.2.52 and its now working properly!


I did have to reconfigure it as its now "Flex auth", and dont forget to add the pae authenticator on the interface, its not added by default now in case you dont want dot1x via radius (mac based and webauth is available too)

Actions

This Discussion