Cisco Support Community
New Member

802.1x EAP-TLS Problem

Hi,

I am doing an 802.1x EAP-TLS test using a C2950, Windows 2000 IAS RADIUS, and a Windows 2000 CA. After setting up AAA on the switch, the client always gets a deauthorized port status, as you can see on the fourth line from the bottom of the debugging output. Also, I have installed the user certificate on the client and set up automatic certificate request on the Win2K AD for the computer certificate. Attached are the switch config and debug output; I hope you guys can give me some advice. Thanks!

version 12.1

no service single-slot-reload-enable

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

aaa new-model

aaa authentication dot1x default group radius

!

ip subnet-zero

vtp mode transparent

!

interface FastEthernet0/1

no ip address

!

interface FastEthernet0/2

switchport mode access

no ip address

spanning-tree portfast

!

interface FastEthernet0/3

switchport mode access

no ip address

dot1x port-control auto

spanning-tree portfast

!

interface Vlan1

ip address 10.10.10.50 255.255.255.0

no ip route-cache

!

radius-server host 10.10.10.1 auth-port 1812 acct-port 1813

radius-server retransmit 3

radius-server key cisco

!

end

04:30:37: dot1x-core(Fa0/3): EAPOL pkt in

04:30:37: dot1x-core(Fa0/3): 00:00:39:3F:AA:D1 sent EAPOL type=0, EAP code=2, id=1

04:30:37: dot1x-authsm(Fa0/3): state CONNECTING, event INPUT, arg 0x80B9B7CC

04:30:37: dot1x-authsm(Fa0/3): state AUTHENTICATING, event ENTRY, arg 0x80B9B7CC

04:30:37: dot1x-besm(Fa0/3): state IDLE, event INPUT, arg 0x80B9B7CC

04:30:37: dot1x-reauthsm(Fa0/3): state INITIALIZE, event INPUT, arg 0x80B9B7CC

04:30:37: dot1x-core(Fa0/3): control event

04:30:37: dot1x-authsm(Fa0/3): state AUTHENTICATING, event CONTROL, arg 0x0

04:30:37: dot1x-besm(Fa0/3): state IDLE, event CONTROL, arg 0x0

04:30:37: dot1x-besm(Fa0/3): state RESPONSE, event ENTRY, arg 0x0

04:30:37: dot1x-reauthsm(Fa0/3): state INITIALIZE, event CONTROL, arg 0x0

04:30:37: dot1x-reauthsm(Fa0/3): reauth timer stopped

04:30:37: dot1x-core(Fa0/3): control event

04:30:37: dot1x-authsm(Fa0/3): state AUTHENTICATING, event CONTROL, arg 0x0

04:30:37: dot1x-besm(Fa0/3): state RESPONSE, event CONTROL, arg 0x0

04:30:37: dot1x-reauthsm(Fa0/3): state INITIALIZE, event CONTROL, arg 0x0

04:30:37: dot1x-reauthsm(Fa0/3): reauth timer stopped

04:30:37: dot1x-backend(Fa0/3): [3] starting aaa sequence

04:30:37: dot1x-backend(Fa0/3): [3] relaying EAP data from supplicant

04:30:37: dot1x-backend(Fa0/3): [3] starting login

04:30:37: dot1x-backend(Fa0/3): [3] login user host/bptec11.ad.test.com, client ID 00-00-39-3F-AA-D1

04:30:37: dot1x-backend(Fa0/3): [3] start_login returned GETDATA

04:30:37: dot1x-core(Fa0/3): RADIUS reply (2) received

04:30:37: dot1x-authsm(Fa0/3): state AUTHENTICATING, event SERVER_REPLY, arg 0x2

04:30:37: dot1x-besm(Fa0/3): state RESPONSE, event SERVER_REPLY, arg 0x2

04:30:37: dot1x-besm(Fa0/3): state REQUEST, event ENTRY, arg 0x2

04:30:37: dot1x-core(Fa0/3): send EAPOL type=0, EAP code=1, id=2

04:30:37: dot1x-reauthsm(Fa0/3): state INITIALIZE, event SERVER_REPLY, arg 0x2

04:30:41: dot1x-core(Fa0/3): EAPOL pkt in

04:30:41: dot1x-core(Fa0/3): 00:00:39:3F:AA:D1 sent EAPOL type=0, EAP code=2, id=2

04:30:41: dot1x-authsm(Fa0/3): state AUTHENTICATING, event INPUT, arg 0x80B9B7CC

04:30:41: dot1x-besm(Fa0/3): state REQUEST, event INPUT, arg 0x80B9B7CC

04:30:41: dot1x-besm(Fa0/3): state RESPONSE, event ENTRY, arg 0x80B9B7CC

04:30:41: dot1x-reauthsm(Fa0/3): state INITIALIZE, event INPUT, arg 0x80B9B7CC

04:30:41: dot1x-core(Fa0/3): control event

04:30:41: dot1x-authsm(Fa0/3): state AUTHENTICATING, event CONTROL, arg 0x0

04:30:41: dot1x-besm(Fa0/3): state RESPONSE, event CONTROL, arg 0x0

04:30:41: dot1x-reauthsm(Fa0/3): state INITIALIZE, event CONTROL, arg 0x0

04:30:41: dot1x-reauthsm(Fa0/3): reauth timer stopped

04:30:41: dot1x-backend(Fa0/3): [3] relaying EAP data from supplicant

04:30:42: dot1x-backend(Fa0/3): [3] cont_login returned GETDATA

04:30:42: dot1x-core(Fa0/3): RADIUS reply (2) received

04:30:42: dot1x-authsm(Fa0/3): state AUTHENTICATING, event SERVER_REPLY, arg 0x2

04:30:42: dot1x-besm(Fa0/3): state RESPONSE, event SERVER_REPLY, arg 0x2

04:30:42: dot1x-besm(Fa0/3): state REQUEST, event ENTRY, arg 0x2

04:30:42: dot1x-core(Fa0/3): send EAPOL type=0, EAP code=1, id=3

04:30:42: dot1x-reauthsm(Fa0/3): state INITIALIZE, event SERVER_REPLY, arg 0x2

04:30:42: dot1x-core(Fa0/3): EAPOL pkt in

04:30:42: dot1x-core(Fa0/3): 00:00:39:3F:AA:D1 sent EAPOL type=0, EAP code=2, id=3

04:30:42: dot1x-authsm(Fa0/3): state AUTHENTICATING, event INPUT, arg 0x80B9B7CC

04:30:42: dot1x-besm(Fa0/3): state REQUEST, event INPUT, arg 0x80B9B7CC

04:30:42: dot1x-besm(Fa0/3): state RESPONSE, event ENTRY, arg 0x80B9B7CC

04:30:42: dot1x-reauthsm(Fa0/3): state INITIALIZE, event INPUT, arg 0x80B9B7CC

04:30:42: dot1x-core(Fa0/3): control event

04:30:42: dot1x-authsm(Fa0/3): state AUTHENTICATING, event CONTROL, arg 0x0

04:30:42: dot1x-besm(Fa0/3): state RESPONSE, event CONTROL, arg 0x0

04:30:42: dot1x-reauthsm(Fa0/3): state INITIALIZE, event CONTROL, arg 0x0

04:30:42: dot1x-reauthsm(Fa0/3): reauth timer stopped

04:30:42: dot1x-backend(Fa0/3): [3] relaying EAP data from supplicant

04:30:42: dot1x-backend(Fa0/3): [3] cont_login returned GETDATA

04:30:42: dot1x-core(Fa0/3): RADIUS reply (2) received

04:30:42: dot1x-authsm(Fa0/3): state AUTHENTICATING, event SERVER_REPLY, arg 0x2

04:30:42: dot1x-besm(Fa0/3): state RESPONSE, event SERVER_REPLY, arg 0x2

04:30:42: dot1x-besm(Fa0/3): state REQUEST, event ENTRY, arg 0x2

04:30:42: dot1x-core(Fa0/3): send EAPOL type=0, EAP code=1, id=5

04:30:42: dot1x-reauthsm(Fa0/3): state INITIALIZE, event SERVER_REPLY, arg 0x2

04:30:42: dot1x-core(Fa0/3): EAPOL pkt in

04:30:42: dot1x-core(Fa0/3): 00:00:39:3F:AA:D1 sent EAPOL type=0, EAP code=2, id=5

04:30:42: dot1x-authsm(Fa0/3): state AUTHENTICATING, event INPUT, arg 0x80BA0704

04:30:42: dot1x-besm(Fa0/3): state REQUEST, event INPUT, arg 0x80BA0704

04:30:42: dot1x-besm(Fa0/3): state RESPONSE, event ENTRY, arg 0x80BA0704

04:30:42: dot1x-reauthsm(Fa0/3): state INITIALIZE, event INPUT, arg 0x80BA0704

04:30:42: dot1x-core(Fa0/3): control event

04:30:42: dot1x-authsm(Fa0/3): state AUTHENTICATING, event CONTROL, arg 0x0

04:30:42: dot1x-besm(Fa0/3): state RESPONSE, event CONTROL, arg 0x0

04:30:42: dot1x-reauthsm(Fa0/3): state INITIALIZE, event CONTROL, arg 0x0

04:30:42: dot1x-reauthsm(Fa0/3): reauth timer stopped

04:30:42: dot1x-backend(Fa0/3): [3] relaying EAP data from supplicant

04:30:42: dot1x-backend(Fa0/3): [3] cont_login returned GETDATA

04:30:42: dot1x-core(Fa0/3): RADIUS reply (2) received

04:30:42: dot1x-authsm(Fa0/3): state AUTHENTICATING, event SERVER_REPLY, arg 0x2

04:30:42: dot1x-besm(Fa0/3): state RESPONSE, event SERVER_REPLY, arg 0x2

04:30:42: dot1x-besm(Fa0/3): state REQUEST, event ENTRY, arg 0x2

04:30:42: dot1x-core(Fa0/3): send EAPOL type=0, EAP code=1, id=6

04:30:42: dot1x-reauthsm(Fa0/3): state INITIALIZE, event SERVER_REPLY, arg 0x2

04:30:43: dot1x-core(Fa0/3): EAPOL pkt in

04:30:43: dot1x-core(Fa0/3): 00:00:39:3F:AA:D1 sent EAPOL type=0, EAP code=2, id=6

04:30:43: dot1x-authsm(Fa0/3): state AUTHENTICATING, event INPUT, arg 0x80B9B7CC

04:30:43: dot1x-besm(Fa0/3): state REQUEST, event INPUT, arg 0x80B9B7CC

04:30:43: dot1x-besm(Fa0/3): state RESPONSE, event ENTRY, arg 0x80B9B7CC

04:30:43: dot1x-reauthsm(Fa0/3): state INITIALIZE, event INPUT, arg 0x80B9B7CC

04:30:43: dot1x-core(Fa0/3): control event

04:30:43: dot1x-authsm(Fa0/3): state AUTHENTICATING, event CONTROL, arg 0x0

04:30:43: dot1x-besm(Fa0/3): state RESPONSE, event CONTROL, arg 0x0

04:30:43: dot1x-reauthsm(Fa0/3): state INITIALIZE, event CONTROL, arg 0x0

04:30:43: dot1x-reauthsm(Fa0/3): reauth timer stopped

04:30:43: dot1x-backend(Fa0/3): [3] relaying EAP data from supplicant

04:30:43: dot1x-backend(Fa0/3): [3] cont_login returned FAIL

04:30:43: dot1x-backend(Fa0/3): [3] cleaning up AAA context

04:30:43: dot1x-core(Fa0/3): RADIUS reply (1) received

04:30:43: dot1x-authsm(Fa0/3): state AUTHENTICATING, event SERVER_REPLY, arg 0x1

04:30:43: dot1x-besm(Fa0/3): state RESPONSE, event SERVER_REPLY, arg 0x1

04:30:43: dot1x-besm(Fa0/3): state FAIL, event ENTRY, arg 0x1

04:30:43: dot1x-core(Fa0/3): send EAPOL type=0, EAP code=4, id=6

04:30:43: dot1x-besm(Fa0/3): state IDLE, event ENTRY, arg 0x1

04:30:43: dot1x-reauthsm(Fa0/3): state INITIALIZE, event SERVER_REPLY, arg 0x1

04:30:43: dot1x-core(Fa0/3): control event

04:30:43: dot1x-authsm(Fa0/3): state AUTHENTICATING, event CONTROL, arg 0x0

04:30:43: dot1x-authsm(Fa0/3): state HELD, event ENTRY, arg 0x0

04:30:43: dot1x-core(Fa0/3): setting default host access to 1

04:30:43: dot1x-core(Fa0/3): deauthorized port

04:30:43: dot1x-besm(Fa0/3): state IDLE, event CONTROL, arg 0x0

04:30:43: dot1x-reauthsm(Fa0/3): state INITIALIZE, event CONTROL, arg 0x0

04:30:43: dot1x-reauthsm(Fa0/3): reauth timer stopped
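
As an added example (not part of the original post and not Cisco code), the following Python script reads `debug dot1x` output in the format posted above and reports, per port, whether the supplicant answered every EAP-Request and what the backend returned, which indicates whether to look at the client or at the RADIUS (IAS) log. The function and field names are hypothetical; the EAP code meanings follow RFC 3748.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748
LINE = re.compile(r"^(\S+): dot1x-(\w+)\(([^)]+)\): (.*)$")
EAPOL = re.compile(r"(?:([0-9A-Fa-f:]{17}) sent|send) EAPOL type=\d+, EAP code=(\d+), id=(\d+)")

# Lines taken from the end of the debug output posted above (port Fa0/3).
SAMPLE = """\
04:30:42: dot1x-backend(Fa0/3): [3] cont_login returned GETDATA
04:30:42: dot1x-core(Fa0/3): send EAPOL type=0, EAP code=1, id=6
04:30:43: dot1x-core(Fa0/3): 00:00:39:3F:AA:D1 sent EAPOL type=0, EAP code=2, id=6
04:30:43: dot1x-backend(Fa0/3): [3] cont_login returned FAIL
04:30:43: dot1x-core(Fa0/3): send EAPOL type=0, EAP code=4, id=6
04:30:43: dot1x-core(Fa0/3): deauthorized port
"""

def summarize(log):
    """Return {port: summary} describing how each 802.1X exchange ended."""
    ports = {}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, module, port, msg = m.groups()
        s = ports.setdefault(port, dict(supplicant=None, pending=set(), answered=0, backend=[],
                                        outcome=None, at=None, port_state=None, cause=None))
        e = EAPOL.search(msg)
        if e:
            mac, code, eap_id = e.group(1), int(e.group(2)), int(e.group(3))
            if mac:                                  # frame received from the supplicant
                s["supplicant"] = mac
                if code == 2 and eap_id in s["pending"]:
                    s["pending"].discard(eap_id)
                    s["answered"] += 1
            elif code == 1:                          # switch forwards an EAP-Request
                s["pending"].add(eap_id)
            elif code in (3, 4):                     # switch forwards the final verdict
                s["outcome"], s["at"] = EAP_CODES[code], ts
        elif module == "backend" and " returned " in msg:
            s["backend"].append(msg.rsplit(" ", 1)[-1])
        elif msg == "deauthorized port":
            s["port_state"] = "deauthorized"
    for s in ports.values():
        s["pending"] = sorted(s["pending"])
        if s["pending"]:
            s["cause"] = "supplicant left an EAP-Request unanswered"
        elif s["outcome"] == "Failure" and "FAIL" in s["backend"]:
            s["cause"] = "backend returned FAIL after every request was answered"
    return ports
```

Calling `summarize(SAMPLE)` returns one entry for `Fa0/3`; a `cause` that starts with "backend" means the rejection was decided on the authentication server side rather than by a supplicant timeout.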

2 REPLIES
New Member

Re: 802.1x EAP-TLS Problem

Hi

Did you check the IAS logs? What did they say?

Also, what IOS version are you running? What clients are you using?

Regards,

Ami

New Member

Re: 802.1x EAP-TLS Problem

Hi,

I am using a Win2K Pro client with SP4. I am able to set ip up successfully. Even though the port is authorized for the client to access the network, I got the messages below when I do the debug dot1x:

[3] Unsuccessfully applied per-user acl

[3] Unsuccessfully applied per-user mac acl

Hope you guys can help. Thanks.
