802.1x EAP-TLS with NPS/W2008 - Authentication result 'timeout'

Hello

[Environment of my lab investigation]

supplicant - W7 with cert

authenticator - Catalyst 2960 with IOS 15.0(1)SE2 (newest)

authentication server (2x) - W2008/NPS as a RADIUS server

[Part of the authenticator config]

interface FastEthernet0/1
 switchport access vlan 34
 switchport mode access
 authentication event fail retry 1 action authorize vlan 47
 authentication event server dead action authorize vlan 35
 authentication event no-response action authorize vlan 47
 authentication event server alive action reinitialize
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout quiet-period 15
 dot1x timeout tx-period 15
 spanning-tree portfast

[Symptoms]

After rebooting the authenticator, the supplicant connected to FE0/1 is finally put into the Guest VLAN 47, and before that I see on the authenticator's console: Authentication result 'timeout'. But when the switch is already up and running and I now connect the same W7 supplicant with cert to the same authenticator port FE0/1, the supplicant is finally put into the static VLAN 34.

[Summary]

The problem is the end stations that are still connected to the supplicant port (using EAP-TLS) after the supplicant reboot! All of them are put into the Guest VLAN instead of the static VLAN 34!

[The question]

What is wrong, and how (and what, on the authenticator or the authentication server) should I configure/tune to prevent the authentication timeouts observed after the reboot?

Of course, after 20 minutes (the next EAPOL Start frame) the supplicant is put into VLAN 34.

[Logs]

During this I observed Wireshark on the supplicant, the authenticator console and Wireshark on the NPS; see below:

1. Supplicant and authenticator message order in Wireshark:

- supplicant: EAPOL Start
- authenticator: EAP Request Identity
- supplicant: Response Identity, 3 times
- supplicant: EAPOL Start
- authenticator: EAP Failure
- authenticator: EAP Request Identity x2
- supplicant: Response Identity x2

and again; more detail about the flow in the Wireshark chart at the end.

2. The authenticator console shows this:

*Mar  1 00:02:51.563: %DOT1X-5-FAIL: Authentication failed for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar  1 00:02:51.563: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar  1 00:02:51.563: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
krasw8021x>
*Mar  1 00:03:52.876: %DOT1X-5-FAIL: Authentication failed for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar  1 00:03:52.876: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar  1 00:03:52.876: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
......

and finally

*Mar  1 00:05:00.286: %AUTHMGR-5-VLANASSIGN: VLAN 47 assigned to Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
*Mar  1 00:05:01.167: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
*Mar  1 00:05:01.302: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

3. Authentication server:

- NPS didn't receive any RADIUS Access-Request/Response.

[Supplicant EAPOL flow chart, source: Wireshark. Cisco_f9:98:81 is the authenticator, Dell_12:cf:80 the supplicant]

| Time (s) | Direction                       | Message                                  |
| 0.041    | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, Identity [RFC3748]         |
| 0.045    | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, Identity [RFC3748]         |
| 0.051    | Dell_12:cf:80 -> Cisco_f9:98:81 | EAPOL: Start                             |
| 0.065    | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, Identity [RFC3748]         |
| 0.075    | Dell_12:cf:80 -> Cisco_f9:98:81 | EAP: Response, Identity [RFC3748]        |
| 0.075    | Dell_12:cf:80 -> Cisco_f9:98:81 | EAP: Response, Identity [RFC3748]        |
| 18.063   | Dell_12:cf:80 -> Cisco_f9:98:81 | EAPOL: Start                             |
| 18.065   | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Failure                             |
| 18.268   | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, Identity [RFC3748]         |
| 18.303   | Dell_12:cf:80 -> Cisco_f9:98:81 | EAP: Response, Identity [RFC3748]        |
| 18.307   | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, Identity [RFC3748]         |
| 18.307   | Dell_12:cf:80 -> Cisco_f9:98:81 | EAP: Response, Identity [RFC3748]        |
| 37.073   | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, EAP-TLS [RFC5216] [Aboba]  |
| 67.941   | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, EAP-TLS [RFC5216] [Aboba]  |
| 98.805   | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, EAP-TLS [RFC5216] [Aboba]  |
| 129.684  | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Failure                             |
| 144.697  | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, Identity [RFC3748]         |
| 160.125  | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, Identity [RFC3748]         |
| 175.561  | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, Identity [RFC3748]         |
| 190.996  | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Failure                             |
| 206.002  | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Failure                             |
| 206.204  | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, Identity [RFC3748]         |
| 212.103  | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, Identity [RFC3748]         |
| 227.535  | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, Identity [RFC3748]         |
| 242.970  | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, Identity [RFC3748]         |

regards, Piter
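As an added example (not part of the original post, nor Cisco's or Microsoft's code), the following Python script reads the interface configuration and the authenticator console lines quoted above and flags a port that was authorised into one of the configured fallback VLANs after dot1x 'timeout' results. The config and log text are taken from the post (the "......" gap and the %DOT1X-5-FAIL lines are omitted); the interface-name abbreviation table, the regular expressions and the shape of the finding dictionary are my own assumptions.

```python
# Added example, not code from the post: flag 802.1X ports that were authorised
# into a fallback (guest / auth-fail / critical) VLAN after dot1x 'timeout'
# results, using the interface config and IOS syslog quoted in the post.
import re
from collections import defaultdict

SWITCH_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 34
 authentication event fail retry 1 action authorize vlan 47
 authentication event server dead action authorize vlan 35
 authentication event no-response action authorize vlan 47
 authentication event server alive action reinitialize
"""  # excerpt of the port config quoted in the post

SYSLOG = """\
*Mar  1 00:02:51.563: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar  1 00:02:51.563: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar  1 00:03:52.876: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar  1 00:03:52.876: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar  1 00:05:00.286: %AUTHMGR-5-VLANASSIGN: VLAN 47 assigned to Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
*Mar  1 00:05:01.167: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
*Mar  1 00:05:01.302: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
"""  # console lines quoted in the post (the "......" gap and %DOT1X-5-FAIL lines omitted)

IOS_SHORT = {"FastEthernet": "Fa", "GigabitEthernet": "Gi", "TenGigabitEthernet": "Te"}  # assumed table
LOG_RE = re.compile(r"^\*?(?P<ts>\w{3}\s+\d+\s+[\d:.]+): %(?P<mnemonic>[\w-]+): (?P<msg>.*)$")
SESSION_RE = re.compile(r"Interface (\S+) AuditSessionID (\w+)")
FIELD_RES = {  # optional per-message fields
    "client": re.compile(r"client \(([^)]+)\)"),
    "result": re.compile(r"Authentication result '(\w+)'"),
    "vlan": re.compile(r"^VLAN (\d+) assigned"),
}

def short_ifname(name):
    """Map the config spelling (FastEthernet0/1) to the syslog spelling (Fa0/1)."""
    for long, short in IOS_SHORT.items():
        if name.startswith(long):
            return short + name[len(long):]
    return name

def parse_port_config(config):
    """{ifname: {'static_vlan': int, 'fallback': {event: vlan}}} from the
    'switchport access vlan' and 'authentication event ... authorize vlan' lines."""
    ports, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = ports.setdefault(short_ifname(m.group(1)), {"static_vlan": None, "fallback": {}})
        elif cur is not None and (m := re.match(r"\s*switchport access vlan (\d+)", line)):
            cur["static_vlan"] = int(m.group(1))
        elif cur is not None and (m := re.match(r"\s*authentication event (.+?)(?: retry \d+)? action authorize vlan (\d+)", line)):
            cur["fallback"][m.group(1)] = int(m.group(2))
    return ports

def parse_syslog(text):
    """One dict per IOS syslog line; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        if s := SESSION_RE.search(ev["msg"]):
            ev["interface"], ev["session"] = s.group(1), s.group(2)
        for key, rx in FIELD_RES.items():
            if f := rx.search(ev["msg"]):
                ev[key] = int(f.group(1)) if key == "vlan" else f.group(1)
        events.append(ev)
    return events

def find_fallback_sessions(ports, events):
    """One finding per VLAN assignment that puts a port, after one or more dot1x
    'timeout' results, into a VLAN configured as a fallback rather than its static VLAN."""
    per_if = defaultdict(list)
    for ev in events:
        if "interface" in ev:
            per_if[ev["interface"]].append(ev)
    findings = []
    for ifname, evs in per_if.items():
        cfg = ports.get(ifname)
        if cfg is None:
            continue
        timeouts = [e for e in evs if e["mnemonic"] == "AUTHMGR-7-RESULT" and e.get("result") == "timeout"]
        overridden = sum(e["mnemonic"] == "DOT1X-5-RESULT_OVERRIDE" for e in evs)
        for a in (e for e in evs if e["mnemonic"] == "AUTHMGR-5-VLANASSIGN"):
            triggers = sorted(k for k, v in cfg["fallback"].items() if v == a["vlan"])
            if timeouts and triggers and a["vlan"] != cfg["static_vlan"]:
                findings.append({"interface": ifname, "assigned_vlan": a["vlan"],
                                 "static_vlan": cfg["static_vlan"], "fallback_events": triggers,
                                 "timeouts": len(timeouts), "overridden": overridden,
                                 "clients": sorted({e["client"] for e in timeouts})})
    return findings

if __name__ == "__main__":
    for f in find_fallback_sessions(parse_port_config(SWITCH_CONFIG), parse_syslog(SYSLOG)):
        print(f"{f['interface']}: {f['timeouts']} dot1x timeout(s), {f['overridden']} overridden, for "
              f"{', '.join(f['clients'])}; authorised into fallback VLAN {f['assigned_vlan']} "
              f"({'/'.join(f['fallback_events'])}) instead of static VLAN {f['static_vlan']}")
```

On the excerpt above it reports Fa0/1 with two timeouts (both overridden) for 5c26.0a12.cf80, followed by authorisation into VLAN 47, which the config maps to both the fail and the no-response event. The reason to treat that as a finding rather than as the "Authorization succeeded" the switch logs is that a fallback VLAN is granted without any credential having been validated, so a certificate-bearing host ending up there after a switch reboot is a control gap worth alerting on. In practice the script would be fed the switch's exported syslog instead of the embedded excerpt.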
1 REPLY

Re: 802.1x EAP-TLS with NPS/W2008 - Authentication result 'timeout'

Hi,

Did you ever try to configure re-authentication?

Is the client up and running when you connect it to the switch?

Sent from Cisco Technical Support iPad App
