08-03-2015 06:18 AM - edited 03-10-2019 10:57 PM
Setup
Cisco Catalyst 2960-S running 15.0.2-SE8
RADIUS server running FreeRADIUS on CentOS 6.4
Client (supplicant) running Windows 7
When the Windows client is connected to a switch port (port 12 in my configuration) that has 802.1X authentication enabled, Wireshark shows the Catalyst sending an EAP Request and the client responding with an EAP Response, but the request to the RADIUS server is never made. The RADIUS test utility, "test aaa group radius testuser password new-code", works.
Below is my running config. Any advice would be greatly appreciated.
myswitch#show running-config
Building configuration...
Current configuration : 2094 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname myswitch
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Z1z6$kqvVYRQdVRZ0h8aDTV5DR0
enable password password
!
!
!
aaa new-model
!
!
aaa authentication dot1x group group radius
aaa accounting dot1x default start-stop group radius
!
!
!
aaa session-id common
switch 1 provision ws-c2960s-24ts-l
!
!
!
!
!
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
interface FastEthernet0
no ip address
shutdown
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
switchport mode access
authentication port-control auto
dot1x pae authenticator
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
ip address 10.1.2.12 255.255.255.0
!
ip http server
ip http secure-server
ip sla enable reaction-alerts
logging trap debugging
logging host 10.1.2.1 transport tcp port 514
radius-server host 10.1.2.1 auth-port 1812 acct-port 1646 timeout 3 retransmit 3 key testing123
!
line con 0
line vty 0 4
password password
line vty 5 15
password password
!
end
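The "test aaa group radius testuser password new-code" check that the original poster ran is an ordinary RADIUS Access-Request/Access-Accept round trip. The following is an added example (my own code, not part of the thread and not Cisco or FreeRADIUS code) that builds that round trip per RFC 2865 with both sides in one process: the NAS hides the PAP password under the shared secret, a minimal server recovers it and signs its reply, and the NAS checks the Response Authenticator. The secret "testing123", user "testuser", password "password" and NAS address 10.1.2.12 are taken from the thread; the user table and the function names are mine. One caveat worth stating: "testing123" is the stock example secret shipped in FreeRADIUS's clients.conf and should not survive into a real deployment. Only the PAP path is modelled here; the 802.1X exchange the switch actually relays carries EAP-Message and Message-Authenticator attributes instead.

```python
"""RFC 2865 Access-Request / Access-Accept exchange with both sides in one process.

Added example for this thread, not Cisco or FreeRADIUS code.  Constructed inputs:
shared secret 'testing123' (as in the thread; it is the stock example secret in
FreeRADIUS clients.conf), user 'testuser', password 'password', NAS 10.1.2.12.
Only the PAP/User-Password path is modelled; a real 802.1X exchange carries
EAP-Message and Message-Authenticator attributes instead.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def attr(type_: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the 2-byte header."""
    return struct.pack("!BB", type_, len(value) + 2) + value


def parse_attrs(payload: bytes) -> list:
    attrs, i = [], 0
    while i + 2 <= len(payload):
        t, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, payload[i + 2:i + length]))
        i += length
    return attrs


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(user, password, secret, nas_ip, ident, authenticator) -> bytes:
    """What the NAS (the switch) sends for 'test aaa group radius ...'."""
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return packet(ACCESS_REQUEST, ident, authenticator, attrs)


def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """RFC 2865 s3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_reply(request: bytes, secret: bytes, users: dict) -> bytes:
    """Minimal server: recover the password with *its* secret, decide, sign the reply.
    With a mismatched secret the recovered password is garbage, hence Access-Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    request_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    pw = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth).decode(errors="replace")
    reply_code = ACCESS_ACCEPT if users.get(user) == pw else ACCESS_REJECT
    return packet(reply_code, ident, response_authenticator(reply_code, ident, b"", request_auth, secret), b"")


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side.  A reply whose authenticator does not verify is silently discarded,
    so a shared-secret mismatch shows up as timeouts/retransmits, not as rejects."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])


def run_exchange(user, password, nas_secret, server_secret, users, authenticator=None) -> tuple:
    """One round trip; returns (reply code, NAS verified the Response Authenticator)."""
    authenticator = authenticator or os.urandom(16)
    request = build_access_request(user, password, nas_secret, "10.1.2.12", 1, authenticator)
    reply = server_reply(request, server_secret, users)
    return reply[0], verify_reply(reply, authenticator, nas_secret)


if __name__ == "__main__":
    users = {"testuser": "password"}                                             # constructed
    print(run_exchange("testuser", "password", b"testing123", b"testing123", users))  # (2, True)
    print(run_exchange("testuser", "wrong", b"testing123", b"testing123", users))     # (3, True)
    print(run_exchange("testuser", "password", b"testing123", b"other", users))       # (3, False)
```

The third call is the case to remember when a switch reports the server as dead while the server log shows rejects: the server answered, but with a reply signed under a different secret, so the NAS threw it away.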
08-04-2015 01:35 AM
Did you run Wireshark on the server to see whether the request arrived from the switch? If so, did you make sure there is a response from the server? For Windows Server NPS (I've never tried CentOS), you need to make sure that the request is associated with a policy, which then either authenticates or denies access. Usually it's a matter of attributes such as Vendor.
As for the configuration, the AAA part seems a bit off to me. Try removing the
"aaa authentication dot1x group group radius" line and using this instead:
"aaa authentication dot1x default group radius". After the word dot1x you're meant to supply either an authentication list name or the word default if you don't want to use a named list.
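The mistake the answer above points at is easy to miss by eye: "aaa authentication dot1x group group radius" is accepted by the parser as a method list named "group", and since the switch's 802.1X authenticator consults the default list, RADIUS is never contacted. The following added example (my own code, not Cisco tooling and not a full IOS parser) is a small linter that flags that pattern together with the other issues visible in the two configs posted in this thread: the 1812/1646 port mix (IOS defaults acct-port to 1646 when it is omitted), the published example secret "testing123", a missing global "dot1x system-auth-control", and ports with "authentication port-control auto" but no "dot1x pae authenticator". The two sample configs are constructed from the broken and working configs in the thread; the check list, the constants and the function names (parse_config, lint_dot1x, errors) are my assumptions, not an exhaustive validation.

```python
"""Lint 'show running-config' output for the 802.1X/AAA mistakes seen in this thread.

Added example; not Cisco tooling and not a full IOS parser.  Sections are delimited
by 'interface' lines and '!' separators, so unindented pastes are handled too.
"""
import re

VALID_PORT_PAIRS = {(1812, 1813), (1645, 1646)}   # pairings a server actually listens on
IOS_DEFAULT_AUTH_PORT, IOS_DEFAULT_ACCT_PORT = 1645, 1646   # used by IOS when omitted
EXAMPLE_SECRETS = {"testing123"}   # stock secret in FreeRADIUS clients.conf

# Constructed from the original poster's broken config.
BROKEN_CONFIG = """\
aaa new-model
aaa authentication dot1x group group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
interface GigabitEthernet1/0/12
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
radius-server host 10.1.2.1 auth-port 1812 acct-port 1646 timeout 3 retransmit 3 key testing123
"""

# Constructed from the working config, plus a 1812/1813 pair and a placeholder secret.
FIXED_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
interface GigabitEthernet1/0/12
 switchport mode access
 authentication port-control auto
 authentication violation replace
 dot1x pae authenticator
!
radius-server host 10.1.2.1 auth-port 1812 acct-port 1813 timeout 3 retransmit 3 key CHANGE-ME-long-random-secret
"""


def parse_config(text):
    """Split config into global lines and {interface: [lines]}; '!' closes a section."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces.setdefault(current, [])
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces


def _opt(pattern, line, default=None):
    m = re.search(pattern, line)
    return m.group(1) if m else default


def lint_dot1x(text):
    """Return [(severity, message)] with severity 'ERROR' or 'WARN'."""
    g, interfaces = parse_config(text)
    findings = []
    err = lambda m: findings.append(("ERROR", m))
    warn = lambda m: findings.append(("WARN", m))

    if "aaa new-model" not in g:
        err("'aaa new-model' missing: AAA method lists are not in effect")
    if "dot1x system-auth-control" not in g:
        err("'dot1x system-auth-control' missing: 802.1X is disabled globally")

    # 'aaa authentication dot1x <default|list-name> method ...'
    lists = dict(m.groups() for m in
                 (re.match(r"aaa authentication dot1x (\S+)\s+(.+)", l) for l in g) if m)
    if "default" not in lists:
        named = ", ".join(lists) or "none"
        err(f"no default 'aaa authentication dot1x' list (named lists: {named}); "
            "the 802.1X authenticator uses the default list, so RADIUS is never contacted")
    for name, methods in lists.items():
        if "group" not in methods.split():
            warn(f"dot1x list '{name}' has no 'group' method, so no server is queried")
    if not any(l.startswith("aaa authorization network default") for l in g):
        warn("'aaa authorization network default group radius' missing: "
             "RADIUS-assigned VLAN/ACL attributes will be ignored")

    hosts = [l for l in g if l.startswith("radius-server host ")]
    if not hosts:
        err("no 'radius-server host' configured")
    for h in hosts:
        host = h.split()[2]
        auth = int(_opt(r"auth-port (\d+)", h, IOS_DEFAULT_AUTH_PORT))
        acct = int(_opt(r"acct-port (\d+)", h, IOS_DEFAULT_ACCT_PORT))
        if (auth, acct) not in VALID_PORT_PAIRS:
            warn(f"{host}: auth-port {auth}/acct-port {acct} is not a matching pair "
                 "(IOS defaults acct-port to 1646); accounting may hit a closed port")
        key = _opt(r"\bkey (?:[07] )?(\S+)", h)
        if key in EXAMPLE_SECRETS:
            warn(f"{host}: shared secret '{key}' is a published example secret; replace it")

    for name, lines in interfaces.items():
        if "authentication port-control auto" in lines and "dot1x pae authenticator" not in lines:
            err(f"{name}: port-control auto without 'dot1x pae authenticator'; "
                "the port is not an 802.1X authenticator")
    return findings


def errors(text):
    return [m for s, m in lint_dot1x(text) if s == "ERROR"]


if __name__ == "__main__":
    for sev, msg in lint_dot1x(BROKEN_CONFIG):
        print(sev, msg)
    print("fixed config errors:", errors(FIXED_CONFIG))
```

Feed it the output of "show running-config" from a switch; anything at ERROR level is a reason 802.1X will not reach the server at all, while WARN items are the ones that bite later (accounting records silently lost, a guessable secret, no authorization list for VLAN assignment).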
08-04-2015 01:19 AM
Hello,
I have a working 802.1x setup, but the RADIUS server is Cisco ISE.
In my case, the switch config contains:
aaa new-model
!
!
aaa authentication banner ^Accessing AAA-Servers^C
aaa authentication fail-message ^AAA Authentication FAILED.^C
aaa authentication login default group tacacs+ local
aaa authentication login NOTACACS local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group radius local
aaa accounting send stop-record authentication failure
aaa accounting delay-start
aaa accounting suppress null-username
aaa accounting nested
aaa accounting update periodic 1
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group radius
!
!
!
aaa session-id common
....
!
ip radius source-interface Vlan(management) vrf default
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 25 access-request include
radius-server host X.X.X.X auth-port 1645 acct-port 1646 key 7 XXXXXX
radius-server host X.X.X.X auth-port 1645 acct-port 1646 key 7 XXXXXX
radius-server key 7 XXXXXX
radius-server vsa send accounting
radius-server vsa send authentication
!
I hope this helps
regards
08-13-2015 03:08 PM
This discussion has been reposted from LAN, Switching and Routing to the AAA, Identity and NAC community.
08-04-2015 01:08 PM
Glad things worked out :)
08-04-2015 01:05 PM
This is the running config that seems to work
myswitch#show running-config
Building configuration...
Current configuration : 3849 bytes
!
! Last configuration change at 05:17:41 UTC Mon Jan 2 2006
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname myswitch
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Z1z6$kqvVYRQdVRZ0h8aDTV5DR0
enable password password
!
aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
!
!
!
!
!
aaa session-id common
switch 1 provision ws-c2960s-24ts-l
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
shutdown
!
interface GigabitEthernet1/0/1
switchport mode access
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
switchport mode access
authentication port-control auto
authentication violation replace
dot1x pae authenticator
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
ip address 10.1.2.12 255.255.255.0
!
ip http server
ip http secure-server
!
ip radius source-interface GigabitEthernet1/0/1
logging trap warnings
logging host 10.1.2.1 transport tcp port 514
!
!
radius-server host 10.1.2.1 auth-port 1812 timeout 3 retransmit 3 key testing123
!
!
!
line con 0
line vty 0 4
password password
line vty 5 15
password password
!
end
08-09-2015 12:25 PM
Note that the 2960S is not a device of the Small Business product line, so you are off-topic here. This thread should be moved to AAA, Identity and NAC.