01-16-2014 01:32 AM - edited 03-07-2019 05:36 PM
I'm trying to do dot1x auth with Win8K NPS and Cisco 2960 IOS V15.
Laptops connecting to the switch always fail authentication.
The NPS logs do not show any communication from the switch.
If I try to do a manual test:
test aaa group radius server x.z.64.30 username password legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated.
Test-SW1#
*Mar 3 22:54:22.112: RADIUS: Pick NAS IP for u=0x3AC1560 tableid=0 cfg_addr=0.0.0.0
*Mar 3 22:54:22.112: RADIUS(00000000): Config NAS IPv6: ::
*Mar 3 22:54:22.112: RADIUS: ustruct sharecount=1
*Mar 3 22:54:22.112: Radius: radius_port_info() success=0 radius_nas_port=1
*Mar 3 22:54:22.112: RADIUS/ENCODE: Best Local IP-Address x.z.100.216 for Radius-Server 10.10.64.30
*Mar 3 22:54:22.112: RADIUS(00000000): Sending a IPv4 Radius Packet
*Mar 3 22:54:22.112: RADIUS(00000000): Started 4 sec timeout
*Mar 3 22:54:22.121: RADIUS: Received from id 1645/122 x.10.z.30:1645, Access-Accept, len 96
*Mar 3 22:54:22.121: RADIUS: saved authorization data for user 3AC1560 at 3A6B910
But when I try to connect a laptop to the switch,
here is the RADIUS debug:
------------------
*Mar 3 22:43:38.589: %AUTHMGR-5-START: Starting 'dot1x' for client (0024.7edb.af34) on Interface Fa0/20 AuditSessionID 0A0A3FD8000001230F2D2BE4
*Mar 3 22:43:38.589: %AAA-3-BADSERVERTYPEERROR: Cannot process authentication server type *invalid_group_handle*
*Mar 3 22:43:38.597: %DOT1X-5-FAIL: Authentication failed for client (0024.7edb.af34) on Interface Fa0/20 AuditSessionID 0A0A3FD8000001230F2D2BE4
*Mar 3 22:43:38.597: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0024.7edb.af34) on Interface Fa0/20 AuditSessionID 0A0A3FD8000001230F2D2BE4
*Mar 3 22:43:38.597: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0024.7edb.af34) on Interface Fa0/20 AuditSessionID 0A0A3FD8000001230F2D2BE4
*Mar 3 22:43:40.560: %LINK-3-UPDOWN: Interface FastEthernet0/20, changed state to up
*Mar 3 22:43:41.567: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/20, changed state to up
-------------------------
Please help.
06-14-2017 07:34 AM
I have this same problem. Could anyone help me, please?
----------------------------
Configs:
Server NPS W2016
Switch WS-C2960+24PC-L v.15.0(2)SE5
------------------------------
Cisco Switch configuration:
aaa new-model
!
!
aaa authentication login default local
aaa authentication login gerencia group radius
aaa authentication dot1x default group dot1xwired
aaa authorization network default group dot1xwired
aaa authorization auth-proxy default group dot1xwired
aaa accounting update periodic 60
aaa accounting dot1x default start-stop group dot1xwired
aaa accounting connection infra start-stop group radius
aaa accounting system default start-stop group dot1xwired
!
authentication mac-move permit
!
!!
interface Vlan600
 description MNG
 ip address 3.3.3.3 255.255.254.0
!
ip device tracking probe delay 10
ip device tracking
!
dot1x system-auth-control
!
ip radius source-interface Vlan600
!
radius server gerencia
 address ipv4 2.2.2.2 auth-port 1645 acct-port 1646
 key xxxxx
!
radius server dot1xwired
 address ipv4 1.1.1.1 auth-port 1645 acct-port 1646
 key xxxxx
--------------
Interface config:
interface FastEthernet0/11
 description PORTA_DE_ACESSO
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 11
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
__________________________________________
See the debug:
Jun 14 11:10:45: %AUTHMGR-5-START: Starting 'dot1x' for client (e411.5b25.e12d) on Interface Fa0/11 AuditSessionID 0A9021FE000000A203E8DA7F
Jun 14 11:10:45: %DOT1X-5-FAIL: Authentication failed for client (e411.5b25.e12d) on Interface Fa0/11 AuditSessionID 0A9021FE000000A203E8DA7F
SWA01_CCO_X#
Jun 14 11:10:45: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (e411.5b25.e12d) on Interface Fa0/11 AuditSessionID 0A9021FE000000A203E8DA7F
SWA01_CCO_X#
Jun 14 11:10:46: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/11, changed state to up
SWA01_CCO_X#
Jun 14 11:10:57: %DOT1X-5-FAIL: Authentication failed for client (e411.5b25.e12d) on Interface Fa0/11 AuditSessionID 0A9021FE000000A203E8DA7F
SWA01_CCO_X#
Jun 14 11:10:57: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (e411.5b25.e12d) on Interface Fa0/11 AuditSessionID 0A9021FE000000A203E8DA7F
SWA01_CCO_X#
Jun 14 11:11:22: %AAA-3-BADSERVERTYPEERROR: Cannot process authentication server type *invalid_group_handle*
Jun 14 11:11:22: %DOT1X-5-FAIL: Authentication failed for client (e411.5b25.e12d) on Interface Fa0/11 AuditSessionID 0A9021FE000000A203E8DA7F
Jun 14 11:11:22: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (e411.5b25.e12d) on Interface Fa0/11 AuditSessionID 0A9021FE000000A203E8DA7F
Jun 14 11:11:22: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (e411.5b25.e12
SWA01_CCO_X#d) on Interface Fa0/11 AuditSessionID 0A9021FE000000A203E8DA7F
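Added example, not part of either post and not Cisco's own tooling: a small Python lint for one condition worth ruling out when a switch logs `%AAA-3-BADSERVERTYPEERROR ... *invalid_group_handle*`. In IOS, `group <name>` in an AAA method list refers to a server group (`aaa group server radius <name>`) or to the built-in `radius` / `tacacs+` groups; the 2017 configuration as posted uses `group dot1xwired` but shows only a `radius server dot1xwired` entry. The sample config is constructed from that post, and the function names are hypothetical.

```python
import re

# Constructed sample, reduced from the switch configuration quoted in the 2017 post.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login gerencia group radius
aaa authentication dot1x default group dot1xwired
aaa authorization network default group dot1xwired
aaa accounting dot1x default start-stop group dot1xwired
radius server dot1xwired
 address ipv4 1.1.1.1 auth-port 1645 acct-port 1646
"""

# Group names IOS provides without an explicit 'aaa group server' definition.
BUILTIN_GROUPS = {"radius", "tacacs+"}
GROUP_DEF = re.compile(r"^aaa group server (?:radius|tacacs\+) (\S+)", re.M)
SERVER_DEF = re.compile(r"^radius server (\S+)", re.M)
METHOD_LIST = re.compile(r"^aaa (?:authentication|authorization|accounting) .*$", re.M)
GROUP_REF = re.compile(r"\bgroup (\S+)")


def undefined_aaa_groups(config):
    """Map each server group that method lists reference but nothing defines
    to the method-list lines that reference it."""
    defined = set(GROUP_DEF.findall(config)) | BUILTIN_GROUPS
    missing = {}
    for line in METHOD_LIST.findall(config):
        for name in GROUP_REF.findall(line):
            if name not in defined:
                missing.setdefault(name, []).append(line.strip())
    return missing


def report(config):
    """Return one human-readable finding per undefined group."""
    servers = set(SERVER_DEF.findall(config))
    findings = []
    for name, lines in sorted(undefined_aaa_groups(config).items()):
        msg = f"group '{name}' is used by {len(lines)} method list(s) but never defined"
        if name in servers:
            # Same name exists as a server entry, which is not a server group.
            msg += f"; 'radius server {name}' defines a server, not a group"
        findings.append(msg)
    return findings


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)) or "all referenced groups are defined")
```
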