802.1x port authentication not working

icehckyplyr22
Level 1

I am having some trouble figuring out what is going on here. I am trying to set up 802.1x port-based authentication to assign clients to VLANs. I inherited this mess and it's been a long time since I have used this. I ran a wireshark on my Radius serv...

Switch info:

sw-ConfB>sho ver
Cisco IOS Software, C2960C Software (C2960c405-UNIVERSALK9-M), Version 12.2(55)EX3, RELEASE SOFTWARE (fc2)

Port config:

interface FastEthernet0/11
 switchport mode access
 authentication event fail action authorize vlan 900
 authentication event no-response action authorize vlan 900
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 5

Radius Server Info:

radius-server host 10.0.1.52 auth-port 1645 acct-port 1646 key 802.1x!

Kinda lost as to why no Radius packet even comes from the switch. Any tips?

1 Accepted Solution

Accepted Solutions

As per the debugs, it seems that the supplicant connected on the switch port doesn't support dot1x, and MAB is not configured on the switchport, so there is no method left to try and you got the GUEST vlan.

*Mar  3 04:37:47.963: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (d4be.d907.9637) on Interface Fa0/11 AuditSessionID 0A000103000000090B4AD0F6
*Mar  3 04:37:47.963: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (d4be.d907.9637) on Interface Fa0/11 AuditSessionID 0A000103000000090B4AD0F6
*Mar  3 04:37:47.963: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client 

At this point, the radius didn't even come into the picture. Please ensure that the end client is correctly configured for the dot1x settings.

Regards,

Jatin Katyal

*Do rate helpful posts*

~Jatin

9 Replies

Amjad Abdullah
VIP Alumni

Do you have aaa new-model enabled?

If yes, what aaa authentication configuration do you have? And what device group config (if any) is available?
There must be a piece of config that directs dot1x requests to the radius server.

For example: aaa authentication dot1x...etc.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

sw-ConfB#sho ru
Building configuration...

Current configuration : 6301 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sw-ConfB
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$3QAC$puzutRpCI5zR3Xv55xBVH0
!

!
!
aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
!
!
aaa session-id common
system mtu routing 1500
!
!
!
!
crypto pki trustpoint TP-self-signed-706182400
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-706182400
 revocation-check none
 rsakeypair TP-self-signed-706182400
!
!
crypto pki certificate chain TP-self-signed-706182400
 certificate self-signed 01
  quit
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
 switchport access vlan 900
 switchport mode access
 authentication event fail action authorize vlan 900
 authentication event no-response action authorize vlan 900
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 5
!
interface FastEthernet0/2
 switchport access vlan 900
 switchport mode access
 authentication event fail action authorize vlan 900
 authentication event no-response action authorize vlan 900
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 5
!
interface FastEthernet0/3
 switchport access vlan 900
 switchport mode access
 authentication event fail action authorize vlan 900
 authentication event no-response action authorize vlan 900
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 5
!
interface FastEthernet0/4
 switchport access vlan 900
 switchport mode access
 authentication event fail action authorize vlan 900
 authentication event no-response action authorize vlan 900
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 5
!
interface FastEthernet0/5
 switchport access vlan 900
 switchport mode access
 authentication event fail action authorize vlan 900
 authentication event no-response action authorize vlan 900
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 5
!
interface FastEthernet0/6
 switchport access vlan 900
 switchport mode access
 authentication event fail action authorize vlan 900
 authentication event no-response action authorize vlan 900
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 5
!
interface FastEthernet0/7
 switchport access vlan 900
 switchport mode access
 authentication event fail action authorize vlan 900
 authentication event no-response action authorize vlan 900
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 5
!
interface FastEthernet0/8
 switchport access vlan 900
 switchport mode access
 authentication event fail action authorize vlan 900
 authentication event no-response action authorize vlan 900
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 5
!
interface FastEthernet0/9
 switchport access vlan 900
 switchport mode access
 authentication event fail action authorize vlan 900
 authentication event no-response action authorize vlan 900
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 5
!
interface FastEthernet0/10
 switchport access vlan 900
 switchport mode access
 authentication event fail action authorize vlan 900
 authentication event no-response action authorize vlan 900
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 5
!
interface FastEthernet0/11
 switchport mode access
 authentication event fail action authorize vlan 900
 authentication event no-response action authorize vlan 900
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 5
!
interface FastEthernet0/12
 switchport access vlan 900
 switchport mode access
 authentication event fail action authorize vlan 900
 authentication event no-response action authorize vlan 900
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 5
!
interface GigabitEthernet0/1
 switchport trunk native vlan 200
 switchport trunk allowed vlan 100,200,900
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport access vlan 100
 switchport mode access
!
interface Vlan1
 no ip address
!
interface Vlan100
 ip address 10.0.1.3 255.255.255.0
!
interface Vlan200
 ip address 10.0.2.4 255.255.255.0
!
interface Vlan900
 ip address 10.0.9.4 255.255.255.0
!
ip default-gateway 10.0.1.1
ip http server
ip http secure-server
ip sla enable reaction-alerts
radius-server host 10.0.1.52 auth-port 1645 acct-port 1646 key 802.1x!
radius-server retransmit 5
radius-server key secret
radius-server vsa send authentication
!

The client is a Windows 7 x 64 Pro machine. What is MAB?

In short, MAB enables port-based access control using the MAC address of the endpoint. If the endpoint connected to a switch port doesn't support dot1x, it fails over to Machine authentication bypass. A MAB-enabled port can be dynamically enabled or disabled based on the MAC address of the device that connects to it. For MAB to work, the radius server or the external database like LDAP integrated with the radius server should have the MAC address added as the username and password of the endpoint.

For more info, you may visit the MAB deployment guide.

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-663759.html#wp9000125

Regards,

Jatin Katyal

*Please rate helpful posts*

~Jatin

Well, you were spot on! I researched a bit more and found the service "Wired Auto Config" set to manual and turned off! Once I turned it on and reset the NIC, boom, it worked! Thanks again! Now I have some good debug commands :)


Quick question: port 11 is the one I have been testing on, and I removed "switchport access vlan 900" from this port config. Shouldn't I do so on the others as well?

We need to see more of the configuration, specifically the AAA section, starting with a line that should read "aaa new-model", and all the subsequent lines that start with "aaa ..."

Javier Henderson

Cisco Systems

Jatin Katyal
Cisco Employee

I'd be interested to look at the following outputs:

debug radius
debug aaa authentication
term mon

Bounce the port and collect the debugs.

Also get the output of show run | in aaa
Regards,

Jatin katyal 

**Do rate helpful posts**

~Jatin

sw-ConfB#debug radius
Radius protocol debugging is on
Radius protocol brief debugging is off
Radius protocol verbose debugging is off
Radius packet hex dump debugging is off
Radius packet protocol debugging is on
Radius packet retransmission debugging is off
Radius server fail-over debugging is off
Radius elog debugging is off

sw-ConfB#debug aaa authentication
AAA Authentication debugging is on

port bounce

*Mar  3 04:37:32.595: %AUTHMGR-5-START: Starting 'dot1x' for client (d4be.d907.9637) on Interface Fa0/11 AuditSessionID 0A000103000000090B4AD0F6
*Mar  3 04:37:34.525: %LINK-3-UPDOWN: Interface FastEthernet0/11, changed state to up
sw-ConfB#
*Mar  3 04:37:47.963: %DOT1X-5-FAIL: Authentication failed for client (d4be.d907.9637) on Interface Fa0/11 AuditSessionID
*Mar  3 04:37:47.963: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (d4be.d907.9637) on Interface Fa0/11 AuditSessionID 0A000103000000090B4AD0F6
*Mar  3 04:37:47.963: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (d4be.d907.9637) on Interface Fa0/11 AuditSessionID 0A000103000000090B4AD0F6
*Mar  3 04:37:47.963: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (d4be.d907.9637) on Interface Fa0/11 AuditSessionID 0A000103000000090B4AD0F6
*Mar  3 04:37:47.963: %AUTHMGR-5-VLANASSIGN: VLAN 900 assigned to Interface Fa0/11 AuditSessionID 0A000103000000090B4AD0F6
*Mar  3 04:37:48.978: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/11, changed state to up
*Mar  3 04:37:49.004: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/11 AuditSessionID 0A000103000000090B4AD0F6
