Mac Authentication bypass using ACS 4.1 Appliance and 3560 Switch

Unanswered Question
Nov 25th, 2009

Hi,

I am trying to use MAC authentication bypass for dynamic VLAN assignment, but I couldn't even authenticate using ACS until now.

Here is my config :

Interface Config:

switchport access vlan 47
switchport mode access
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
dot1x reauthentication

AAA and Radius config:

aaa new-model
aaa authentication login default line
aaa authentication dot1x default group radius
aaa authorization network default group radius

dot1x system-auth-control

radius-server host 10.1.18.40 auth-port 1645 acct-port 1646 key secretkey
radius-server host 10.1.18.41 auth-port 1645 acct-port 1646 key secretkey
radius-server source-ports 1645-1646
radius-server key secretkey

On the ACS, I have configured an AAA client for the switch to use RADIUS (IETF). I have added a user using the MAC address of the PC I am testing, in the format below:

username : 002264b776e2

password : 002264b776e2

I have disabled 802.1x on the Windows XP PC that I am testing. But it is not being authenticated. I have checked the shared key to make sure I have entered it correctly on both the ACS and the switch.

Here is the debug output from the switch:

062524: Nov 25 13:23:41: RADIUS:  AAA Unsupported     [161] 16 
062525: Nov 25 13:23:41: RADIUS:   46 61 73 74 45 74 68 65 72 6E 65 74 30 2F        [FastEthernet0/]
062526: Nov 25 13:23:41: RADIUS(00000652): Storing nasport 50014 in rad_db
062527: Nov 25 13:23:41: RADIUS(00000652): Config NAS IP: 0.0.0.0
062528: Nov 25 13:23:41: RADIUS/ENCODE(00000652): acct_session_id: 1618
062529: Nov 25 13:23:41: RADIUS(00000652): sending
062530: Nov 25 13:23:41: RADIUS/ENCODE: Best Local IP-Address 10.1.16.37 for Radius-Server 10.1.18.40
062531: Nov 25 13:23:41: RADIUS(00000652): Send Access-Request to 10.1.18.40:1645 id 1645/63, len 138
062532: Nov 25 13:23:41: RADIUS:  authenticator DD AF 86 D4 77 7D 84 B0 - 0A CE 11 D3 DF 90 AE AD
062533: Nov 25 13:23:41: RADIUS:  User-Name           [1]   14  "002264b776e2"
062534: Nov 25 13:23:41: RADIUS:  User-Password       [2]   18  *
062535: Nov 25 13:23:41: RADIUS:  Service-Type        [6]   6   Call Check                [10]
062536: Nov 25 13:23:41: RADIUS:  Framed-MTU          [12]  6   1500                     
062537: Nov 25 13:23:41: RADIUS:  Called-Station-Id   [30]  19  "00-1E-14-C4-7C-90"
062538: Nov 25 13:23:41: RADIUS:  Calling-Station-Id  [31]  19  "00-22-64-B7-76-E2"
062539: Nov 25 13:23:41: RADIUS:  Message-Authenticato[80]  18 
062540: Nov 25 13:23:41: RADIUS:   20 DD 3B A9 8E 96 13 5D F4 B2 B6 BF 08 90 33 9F  [ ?;????]??????3?]
062541: Nov 25 13:23:41: RADIUS:  NAS-Port-Type       [61]  6   Eth                       [15]
062542: Nov 25 13:23:41: RADIUS:  NAS-Port            [5]   6   50014                    
062543: Nov 25 13:23:41: RADIUS:  NAS-IP-Address      [4]   6   10.1.16.37               
062544: Nov 25 13:23:47: RADIUS: Retransmit to (10.1.18.40:1645,1646) for id 1645/63
062545: Nov 25 13:23:53: RADIUS: Retransmit to (10.1.18.40:1645,1646) for id 1645/63
062546: Nov 25 13:23:58: RADIUS: Retransmit to (10.1.18.40:1645,1646) for id 1645/63
062547: Nov 25 13:24:04: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.1.18.40:1645,1646 is not responding.
062548: Nov 25 13:24:04: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.1.18.40:1645,1646 has returned.
062549: Nov 25 13:24:04: RADIUS: Fail-over to (10.1.18.41:1645,1646) for id 1645/63
062550: Nov 25 13:24:04: RADIUS/ENCODE: Best Local IP-Address 10.1.16.37 for Radius-Server 10.1.18.41
062551: Nov 25 13:24:09: RADIUS: Retransmit to (10.1.18.41:1645,1646) for id 1645/63
062552: Nov 25 13:24:15: RADIUS: Retransmit to (10.1.18.41:1645,1646) for id 1645/63
062553: Nov 25 13:24:21: RADIUS: Retransmit to (10.1.18.41:1645,1646) for id 1645/63
062554: Nov 25 13:24:26: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.1.18.41:1645,1646 is not responding.
062555: Nov 25 13:24:26: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.1.18.41:1645,1646 has returned.
062556: Nov 25 13:24:26: RADIUS: No response from (10.1.18.41:1645,1646) for id 1645/63
062557: Nov 25 13:24:26: RADIUS/DECODE: parse response no app start; FAIL
062558: Nov 25 13:24:26: RADIUS/DECODE: parse response; FAIL

On the ACS logs I have the below messages in the failed attempts logs:

25/11/2009 13:24:09  Bad request from NAS  (Unknown)  Invalid message authenticator in EAP request  10.1.16.37  XXX-NW-DEVICES-2  XXX-Access-Sw

I know I am doing something wrong or something is missing but couldn't find what. Any ideas would be appreciated.

b.zont Fri, 11/27/2009 - 07:06

Hi,

I have put the switch in to not assigned group.

Now I am having the below error message on ACS:

27/11/2009 16:04:23  Authen failed  002264b776e2  Test Group 7  00-22-64-B7-76-E2  (Default)  Internal error  50014  10.1.16.37  XXX-NW-DEVICES-2

I am sure that I have entered the secret key correctly.

Any other ideas ?

kush.sri2001 Mon, 11/30/2009 - 21:21

Hi,

An Internal Error can occur for many reasons, such as the ACS Appliance agent being installed on an unsupported version of the operating system or not being installed properly.

Have you created the entry of the MAC address in the ACS Internal Database or in the Active Directory? If it's in the Active Directory, if possible create a test user in the ACS database and then test with it.

You can use the command "test aaa group radius (username) (password) legacy" while doing the testing. This is a test command used to check authentication against the RADIUS server from IOS devices.

For more information, see: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.1/installation/guide/remote_agent/rawi.html

Regards

Kushagra Srivastava Thu, 11/26/2009 - 14:49

Hi,

The error "Bad request from NAS" comes because of a RADIUS shared secret key mismatch.

If you have entered the AAA client entry for the switch in a particular Network Device Group (NDG) on the ACS, please move it in the Not Assigned group.

Also make sure we have not copied and pasted the shared secret key on the device and the ACS but manually typed it in.

Regards,
