09-17-2003 04:10 AM - edited 03-10-2019 07:29 AM
Hi!
I tried to set up 802.1X authentication for W2k (with Q313664_W2K_SP4_X86_EN.exe applied) and a 3550 EMI with CS ACS 3.1, but it doesn't work (both EAP-MD5 and PEAP). The PEAP user 'test2' is in the Win2K database on the same machine as the RADIUS server (no domain controller involved). I can successfully telnet to the 3550 as 'test2', but when I try 802.1X I see in the Failed Attempts Report an authentication failure with Authen-Failure-Code=Unknown. In this report I also see the correct (Default) group assigned and the client's MAC in the Caller-ID field.
I believe that the ACS and 3550 configurations are OK, but something is wrong with the authentication.
The Default CS ACS group is set up with only 3 attributes: 64(Tunnel-Type) = VLAN, 65(Tunnel-Medium-Type) = 802, 81(Tunnel-Private-Group-ID) = 100.
Please help, or point me to a HOWTO document on how to troubleshoot 802.1X with debug output like this (PEAP case):
Sep 17 15:06:59.775 MSK: dot1x-packet:Received an EAPOL frame on interface FastEthernet0/2
Sep 17 15:06:59.775 MSK: dot1x-ev:Received pkt saddr =00a0.c9a7.dedf , daddr = 0180.c200.0003,pae-ether-type = 34958
Sep 17 15:06:59.775 MSK: dot1x-ev:Couldn't find a supplicant block for mac 00a0.c9a7.dedf
Sep 17 15:06:59.779 MSK: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 11EF8C8
Sep 17 15:06:59.779 MSK: dot1x_auth Fa0/2: initial state auth_initialize has enter
Sep 17 15:06:59.779 MSK: dot1x-sm:Fa0/2:00a0.c9a7.dedf:auth_initialize_enter called
Sep 17 15:06:59.779 MSK: dot1x-ev:auth_initialize_enter:00a0.c9a7.dedf: Current ID=0
Sep 17 15:06:59.779 MSK: dot1x_auth Fa0/2: during state auth_initialize, got event 0(cfg_auto)
Sep 17 15:06:59.779 MSK: @@@ dot1x_auth Fa0/2: auth_initialize -> auth_disconnected
Sep 17 15:06:59.779 MSK: dot1x-sm:Fa0/2:00a0.c9a7.dedf:auth_disconnected_enter_action called
Sep 17 15:06:59.779 MSK: dot1x-sm:dot1x_update_port_status called with port_status = DOT1X_PORT_STATUS_UNAUTHORIZED
Sep 17 15:06:59.779 MSK: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEthernet0/2
Sep 17 15:06:59.779 MSK: dot1x-ev:dot1x_update_port_status: Called with host_mode=0 state UNAUTHORIZED
Sep 17 15:06:59.779 MSK: dot1x-ev:dot1x_update_port_status: using mac 00a0.c9a7.dedf to send port to unauthorized on vlan 0
Sep 17 15:06:59.779 MSK: dot1x-ev:Found a supplicant block for mac 00a0.c9a7.dedf 11F1160
Sep 17 15:06:59.779 MSK: dot1x-ev:dot1x_port_unauthorized: Host-mode=0 radius/guest vlan=0
Sep 17 15:06:59.779 MSK: dot1x-ev: GuestVlan configured=0
Sep 17 15:06:59.779 MSK: dot1x-ev:supplicant 00a0.c9a7.dedf is last
Sep 17 15:06:59.779 MSK: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEthernet0/2
Sep 17 15:06:59.779 MSK: dot1x_auth Fa0/2: idle during state auth_disconnected
Sep 17 15:06:59.779 MSK: @@@ dot1x_auth Fa0/2: auth_disconnected -> auth_connecting
Sep 17 15:06:59.779 MSK: dot1x-sm:Fa0/2:00a0.c9a7.dedf:auth_connecting_enter called
Sep 17 15:06:59.779 MSK: dot1x_bend Fa0/2: initial state dot1x_bend_initialize has enter
Sep 17 15:06:59.779 MSK: dot1x-sm:Dot1x Initialize State Entered
Sep 17 15:06:59.779 MSK: dot1x_bend Fa0/2: initial state dot1x_bend_initialize has idle
Sep 17 15:06:59.779 MSK: dot1x_bend Fa0/2: during state dot1x_bend_initialize, got event 16383(idle)
Sep 17 15:06:59.779 MSK: @@@ dot1x_bend Fa0/2: dot1x_bend_initialize -> dot1x_bend_idle
Sep 17 15:06:59.779 MSK: dot1x-sm:Dot1x Idle State Entered
Sep 17 15:06:59.779 MSK: dot1x-ev:Created port supplicant block 00a0.c9a7.dedf expected_id=1 current_id=1
Sep 17 15:06:59.779 MSK: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface FastEthernet0/2
Sep 17 15:06:59.779 MSK: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface FastEthernet0/2
Sep 17 15:06:59.779 MSK: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 00a0.c9a7.dedf
Sep 17 15:06:59.779 MSK: dot1x-ev:dot1x_tx_eap: EAP Ptk
Sep 17 15:06:59.779 MSK: dot1x-ev:EAP-code=REQUEST
Sep 17 15:06:59.779 MSK: dot1x-ev:EAP Type= IDENTITY
Sep 17 15:06:59.779 MSK: dot1x-ev:ID=0
Sep 17 15:06:59.779 MSK: dot1x-registry:registry:dot1x_ether_macaddr called
Sep 17 15:06:59.783 MSK: dot1x-packet:Received an EAPOL frame on interface FastEthernet0/2
Sep 17 15:06:59.783 MSK: dot1x-ev:Received pkt saddr =00a0.c9a7.dedf , daddr = 0180.c200.0003,pae-ether-type = 34958
Sep 17 15:06:59.783 MSK: dot1x-ev:Found a supplicant block for mac 00a0.c9a7.dedf 11F1160
Sep 17 15:06:59.783 MSK: dot1x-packet:Received an EAP packet on interface FastEthernet0/2
Sep 17 15:06:59.783 MSK: dot1x_auth Fa0/2: during state auth_connecting, got event 6(rxRespId)
Sep 17 15:06:59.783 MSK: @@@ dot1x_auth Fa0/2: auth_connecting -> auth_authenticating
Sep 17 15:06:59.783 MSK: dot1x-sm:Fa0/2:00a0.c9a7.dedf:auth_connecting_exit alled
Sep 17 15:06:59.783 MSK: dot1x-sm:Fa0/2:00a0.c9a7.dedf:auth_authenticating_enter called
Sep 17 15:06:59.783 MSK: dot1x-ev:sending AUTH_START to BEND for supp_info=11F1160
Sep 17 15:06:59.783 MSK: dot1x-sm:Fa0/2:00a0.c9a7.dedf:auth_connecting_authenticating_action called
Sep 17 15:06:59.783 MSK: dot1x-ev:Received AuthStart from Authenticator for supp_info=11F1160
Sep 17 15:06:59.783 MSK: dot1x_bend Fa0/2: during state dot1x_bend_idle, got event 1(auth_start)
Sep 17 15:06:59.783 MSK: @@@ dot1x_bend Fa0/2: dot1x_bend_idle -> dot1x_bend_response
Sep 17 15:06:59.783 MSK: dot1x-sm:Dot1x Response State Entered for supp_info=11F1160 hwidb=EA9724, swidb=EAAA58 on intf=Fa0/2
Sep 17 15:06:59.783 MSK: dot1x-ev:Managed Timer in sub-block attached as leaf to master
Sep 17 15:06:59.783 MSK: dot1x-sm:Started the ServerTimeout Timer
Sep 17 15:06:59.783 MSK: dot1x-ev:Going to Send Request to AAA Client on RP for id = 0 and length = 10
Sep 17 15:06:59.783 MSK: dot1x-ev:Got a Request from SP to send it to Radius with id 1
Sep 17 15:06:59.783 MSK: dot1x-ev:Couldn't Find a process thats already handling the request for this id 0
Sep 17 15:06:59.783 MSK: dot1x-ev:Inserted the request on to list of pending requests
Sep 17 15:06:59.787 MSK: dot1x-ev:Found a free slot at slot 0
Sep 17 15:06:59.787 MSK: dot1x-ev:Found a free slot at slot 0
Sep 17 15:06:59.787 MSK: dot1x-ev:Request id = 1 and length = 10
Sep 17 15:06:59.787 MSK: dot1x-ev:The Interface on which we got this AAA Request is FastEthernet0/2
Sep 17 15:06:59.787 MSK: dot1x-ev:Username is test2
Sep 17 15:06:59.787 MSK: dot1x-ev:MAC Address is 00a0.c9a7.dedf
Sep 17 15:06:59.787 MSK: AAA: parse name=FastEthernet0/2 idb type=-1 tty=-1
Sep 17 15:06:59.787 MSK: AAA: name=FastEthernet0/2 flags=0x15 type=7 shelf=0 slot=0 adapter=0 port=2 channel=0
Sep 17 15:06:59.787 MSK: AAA: parse name=<no string> idb type=-1 tty=-1
Sep 17 15:06:59.787 MSK: AAA/MEMORY: create_user (0x11F1700) user='test2' ruser='test2' port='FastEthernet0/2' rem_addr='' authen_type=EAP service=802.1x priv=1
Sep 17 15:06:59.787 MSK: dot1x-ev:MAC Address copied is 00a0.c9a7.dedf
Sep 17 15:06:59.787 MSK: AAA/AUTHEN/START (3235410336): port='FastEthernet0/2' list='Dot1x Acc List' action=LOGIN service=802.1x
Sep 17 15:06:59.787 MSK: AAA/AUTHEN/START (3235410336): using "default" list
Sep 17 15:06:59.787 MSK: AAA/AUTHEN/START (3235410336): Method=radius (radius)
Sep 17 15:06:59.787 MSK: RADIUS: ustruct sharecount=1
Sep 17 15:06:59.787 MSK: RADIUS: added cisco VSA 2 len 15 "FastEthernet0/2"
Sep 17 15:06:59.787 MSK: RADIUS: EAP-login: NAS Port = 00-a0-c9-a7-de-df RemAddr =00a0.c9a7.dedf
Sep 17 15:06:59.787 MSK: RADIUS: EAP-login: length of radius packet = 123 code = 1
Sep 17 15:06:59.787 MSK: RADIUS: Initial Transmit FastEthernet0/2 id 3 xxx.yyy.83.51:1812, Access-Request, len 123
Sep 17 15:06:59.787 MSK: Attribute 4 6 C1E85334
Sep 17 15:06:59.787 MSK: Attribute 26 23 0000000902114661
Sep 17 15:06:59.787 MSK: Attribute 61 6 00000000
Sep 17 15:06:59.787 MSK: Attribute 1 7 74657374
Sep 17 15:06:59.787 MSK: Attribute 6 6 00000002
Sep 17 15:06:59.787 MSK: Attribute 12 6 000005DC
Sep 17 15:06:59.787 MSK: Attribute 31 19 30302D61
Sep 17 15:06:59.791 MSK: Attribute 79 12 0200000A
Sep 17 15:06:59.791 MSK: Attribute 80 18 658AE09C
Sep 17 15:06:59.843 MSK: RADIUS: Received from id 3 193.232.83.51:1812, Access-Challenge, len 78
Sep 17 15:06:59.843 MSK: Attribute 79 8 01DB0006
Sep 17 15:06:59.843 MSK: Attribute 24 32 43495343
Sep 17 15:06:59.843 MSK: Attribute 80 18 D455DBCA
Sep 17 15:06:59.843 MSK: RADIUS: EAP-login: length of eap packet = 6
Sep 17 15:06:59.843 MSK: RADIUS: EAP-login: got challenge from radius
Sep 17 15:06:59.843 MSK: AAA/AUTHEN (3235410336): status = GETDATA
Sep 17 15:06:59.843 MSK: dot1x-ev:going to send to backend on SP, length = 6
Sep 17 15:06:59.843 MSK: dot1x-ev:Received VLAN is No Vlan
Sep 17 15:06:59.843 MSK: dot1x-ev:Enqueued the response to BackEnd
Sep 17 15:06:59.843 MSK: dot1x-ev:Sent to Bend
Sep 17 15:06:59.843 MSK: dot1x-ev:Received QUEUE EVENT in response to AAA Request
Sep 17 15:06:59.843 MSK: dot1x-ev:Dot1x matching request-response found
Sep 17 15:06:59.843 MSK: dot1x-ev:Length of recv eap packet from radius = 6
Sep 17 15:06:59.843 MSK: dot1x-ev:Received VLAN Id -1
Sep 17 15:06:59.843 MSK: dot1x_bend Fa0/2: during state dot1x_bend_response, got event 0(areq)
Sep 17 15:06:59.843 MSK: @@@ dot1x_bend Fa0/2: dot1x_bend_response -> dot1x_bend_request
Sep 17 15:06:59.843 MSK: dot1x-sm:Dot1x Request State Entered
Sep 17 15:06:59.843 MSK: dot1x-ev:dot1x_bend_request_enter:00a0.c9a7.dedf: Current ID=219
// truncated
09-22-2003 05:00 AM
What messages are you getting on your RADIUS server? Looking down at the bottom of this trace, you are actually talking to the RADIUS server, but it is sending an invalid VLAN back to the switch. You may try switching to ACS 3.2 also; there were a few problems with it and dot1x, though I don't remember what they were.
09-22-2003 05:52 AM
Thanks for the reply.
I'll retry with ACS 3.2 next week.
One more question about 802.1X with VLAN assignment on W2k clients. Could you please tell me what works for now and what doesn't: 1) DHCP address assignment; 2) roaming profiles and login scripts?
Thanks again,
Oleg Tipisov,
REDCENTER,
Moscow
09-22-2003 06:35 AM
None of the above; however, I have a new Microsoft patch that I am trying this week that is supposed to solve those issues.
09-24-2003 06:44 AM
Tried the new Microsoft patch, and it actually worked.
09-24-2003 09:35 PM
And where can I get it?
09-25-2003 05:41 AM
The 2000 version hasn't been released to the public, but the XP version has. I would try contacting Microsoft and see if they will give it to you.
10-04-2003 02:02 AM
Can you send me the Microsoft patch that works for PEAP, and tell me which Microsoft OS it is for, XP or Windows 2k? My email ID is higeeks@hotmail.com.
Regards