Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

dot1x with port security and redundant radius servers

I have a strange issue with my dot1x port authentication.  I have two radius servers configured in my switch for redundancy, and on my switchport I have a Cisco IP phone and a PC.  Testing redundnacy with the radius servers, when I have both servers active and running, the port authentication works fine for both phone and pc.  When I fail the radius servers in the configuration, by disconnecting the NIC on it, the switch goes to the surviving radius server and authenticates, (I can see it in the running log) both the phone and PC get an access-accept, but only the phone works on the network and the port light stays amber showing it's blocking for the pc.  Strange, since it showed an accept on the radius server.

This only seems to happen when the first one on the list is failed.  When the second one is failed, it obviously won't need to try it, so there's not an issue.  Any ideas?

Here's the setup and configs:

freeradius 2.1.12-4

cisco 3560

Switch Ports Model              SW Version            SW Image                

------ ----- -----              ----------            ----------              

*    1 52    WS-C3560G-48PS     12.2(53)SE2           C3560-IPBASEK9-M 

aaa new-model

!

!

aaa authentication dot1x default group radius

aaa authorization network default group radius

interface GigabitEthernet0/1

switchport access vlan 100

switchport mode access

switchport voice vlan 110

authentication event no-response action authorize vlan 901

authentication host-mode multi-domain

authentication port-control auto

authentication periodic

authentication violation protect

mab

dot1x pae authenticator

dot1x timeout quiet-period 10

dot1x timeout tx-period 1

no mdix auto

spanning-tree portfast

!

radius-server host 10.90.1.88 auth-port 1645 acct-port 1646 key 7 xxx

radius-server host 10.90.1.85 auth-port 1645 acct-port 1646 key 7 xxx

!

!

Here's an authentication string from the radius server:

(there are two mac address.  The first one 00.13 is the PC and the second 30.37 is the phone)

rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=204, length=160

User-Name = "001372b639a6"

User-Password = "001372b639a6"

Service-Type = Call-Check

Framed-MTU = 1500

Called-Station-Id = "9C-AF-CA-23-D9-01"

Calling-Station-Id = "00-13-72-B6-39-A6"

Message-Authenticator = 0xfeef777a8033c24934306b3cce78c8f1

NAS-Port-Type = Ethernet

NAS-Port = 50001

NAS-Port-Id = "GigabitEthernet0/1"

NAS-IP-Address = 10.90.100.7

Wed Sep 18 10:48:06 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default

Wed Sep 18 10:48:06 2013 : Info: +- entering group authorize {...}

Wed Sep 18 10:48:06 2013 : Info: ++[preprocess] returns ok

Wed Sep 18 10:48:06 2013 : Info: ++[chap] returns noop

Wed Sep 18 10:48:06 2013 : Info: ++[mschap] returns noop

Wed Sep 18 10:48:06 2013 : Info: ++[digest] returns noop

Wed Sep 18 10:48:06 2013 : Info: [suffix] No '@' in User-Name = "001372b639a6", looking up realm NULL

Wed Sep 18 10:48:06 2013 : Info: [suffix] No such realm "NULL"

Wed Sep 18 10:48:06 2013 : Info: ++[suffix] returns noop

Wed Sep 18 10:48:06 2013 : Info: [eap] No EAP-Message, not doing EAP

Wed Sep 18 10:48:06 2013 : Info: ++[eap] returns noop

Wed Sep 18 10:48:06 2013 : Info: [sql]           expand: %{User-Name} -> 001372b639a6

Wed Sep 18 10:48:06 2013 : Info: [sql] sql_set_user escaped user --> '001372b639a6'

Wed Sep 18 10:48:06 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 3

Wed Sep 18 10:48:06 2013 : Info: [sql]           expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '001372b639a6'           ORDER BY id

Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '001372b639a6'           ORDER BY id

Wed Sep 18 10:48:06 2013 : Info: [sql] User found in radcheck table

Wed Sep 18 10:48:06 2013 : Info: [sql]           expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '001372b639a6'           ORDER BY id

Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '001372b639a6'           ORDER BY id

Wed Sep 18 10:48:06 2013 : Info: [sql]           expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = '001372b639a6'           ORDER BY priority

Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup           WHERE username = '001372b639a6'           ORDER BY priority

Wed Sep 18 10:48:06 2013 : Debug: rlm_sql (sql): Released sql socket id: 3

Wed Sep 18 10:48:06 2013 : Info: ++[sql] returns ok

Wed Sep 18 10:48:06 2013 : Info: ++[expiration] returns noop

Wed Sep 18 10:48:06 2013 : Info: ++[logintime] returns noop

Wed Sep 18 10:48:06 2013 : Info: ++[pap] returns updated

Wed Sep 18 10:48:06 2013 : Info: Found Auth-Type = PAP

Wed Sep 18 10:48:06 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default

Wed Sep 18 10:48:06 2013 : Info: +- entering group PAP {...}

Wed Sep 18 10:48:06 2013 : Info: [pap] login attempt with password "001372b639a6"

Wed Sep 18 10:48:06 2013 : Info: [pap] Using clear text password "001372b639a6"

Wed Sep 18 10:48:06 2013 : Info: [pap] User authenticated successfully

Wed Sep 18 10:48:06 2013 : Info: ++[pap] returns ok

Wed Sep 18 10:48:06 2013 : Info: # Executing section post-auth from file /etc/raddb/sites-enabled/default

Wed Sep 18 10:48:06 2013 : Info: +- entering group post-auth {...}

Wed Sep 18 10:48:06 2013 : Info: ++[exec] returns noop

Sending Access-Accept of id 204 to 10.90.100.7 port 1645

Wed Sep 18 10:48:06 2013 : Info: Finished request 0.

Wed Sep 18 10:48:06 2013 : Debug: Going to the next request

Wed Sep 18 10:48:06 2013 : Debug: Waking up in 4.9 seconds.

Wed Sep 18 10:48:11 2013 : Info: Cleaning up request 0 ID 204 with timestamp +77

Wed Sep 18 10:48:11 2013 : Info: Ready to process requests.

rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=205, length=160

User-Name = "3037a616cd49"

User-Password = "3037a616cd49"

Service-Type = Call-Check

Framed-MTU = 1500

Called-Station-Id = "9C-AF-CA-23-D9-01"

Calling-Station-Id = "30-37-A6-16-CD-49"

Message-Authenticator = 0xc9173e759dd759b9d414d192783e8a8e

NAS-Port-Type = Ethernet

NAS-Port = 50001

NAS-Port-Id = "GigabitEthernet0/1"

NAS-IP-Address = 10.90.100.7

Wed Sep 18 10:48:13 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default

Wed Sep 18 10:48:13 2013 : Info: +- entering group authorize {...}

Wed Sep 18 10:48:13 2013 : Info: ++[preprocess] returns ok

Wed Sep 18 10:48:13 2013 : Info: ++[chap] returns noop

Wed Sep 18 10:48:13 2013 : Info: ++[mschap] returns noop

Wed Sep 18 10:48:13 2013 : Info: ++[digest] returns noop

Wed Sep 18 10:48:13 2013 : Info: [suffix] No '@' in User-Name = "3037a616cd49", looking up realm NULL

Wed Sep 18 10:48:13 2013 : Info: [suffix] No such realm "NULL"

Wed Sep 18 10:48:13 2013 : Info: ++[suffix] returns noop

Wed Sep 18 10:48:13 2013 : Info: [eap] No EAP-Message, not doing EAP

Wed Sep 18 10:48:13 2013 : Info: ++[eap] returns noop

Wed Sep 18 10:48:13 2013 : Info: [sql]           expand: %{User-Name} -> 3037a616cd49

Wed Sep 18 10:48:13 2013 : Info: [sql] sql_set_user escaped user --> '3037a616cd49'

Wed Sep 18 10:48:13 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 2

Wed Sep 18 10:48:13 2013 : Info: [sql]           expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '3037a616cd49'           ORDER BY id

Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '3037a616cd49'           ORDER BY id

Wed Sep 18 10:48:13 2013 : Info: [sql] User found in radcheck table

Wed Sep 18 10:48:13 2013 : Info: [sql]           expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '3037a616cd49'           ORDER BY id

Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '3037a616cd49'           ORDER BY id

Wed Sep 18 10:48:13 2013 : Info: [sql]           expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = '3037a616cd49'           ORDER BY priority

Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup           WHERE username = '3037a616cd49'           ORDER BY priority

Wed Sep 18 10:48:13 2013 : Debug: rlm_sql (sql): Released sql socket id: 2

Wed Sep 18 10:48:13 2013 : Info: ++[sql] returns ok

Wed Sep 18 10:48:13 2013 : Info: ++[expiration] returns noop

Wed Sep 18 10:48:13 2013 : Info: ++[logintime] returns noop

Wed Sep 18 10:48:13 2013 : Info: ++[pap] returns updated

Wed Sep 18 10:48:13 2013 : Info: Found Auth-Type = PAP

Wed Sep 18 10:48:13 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default

Wed Sep 18 10:48:13 2013 : Info: +- entering group PAP {...}

Wed Sep 18 10:48:13 2013 : Info: [pap] login attempt with password "3037a616cd49"

Wed Sep 18 10:48:13 2013 : Info: [pap] Using clear text password "3037a616cd49"

Wed Sep 18 10:48:13 2013 : Info: [pap] User authenticated successfully

Wed Sep 18 10:48:13 2013 : Info: ++[pap] returns ok

Wed Sep 18 10:48:13 2013 : Info: # Executing section post-auth from file /etc/raddb/sites-enabled/default

Wed Sep 18 10:48:13 2013 : Info: +- entering group post-auth {...}

Wed Sep 18 10:48:13 2013 : Info: ++[exec] returns noop

Sending Access-Accept of id 205 to 10.90.100.7 port 1645

Cisco-AVPair = "device-traffic-class=voice"

Wed Sep 18 10:48:13 2013 : Info: Finished request 1.

Wed Sep 18 10:48:13 2013 : Debug: Going to the next request

Wed Sep 18 10:48:13 2013 : Debug: Waking up in 4.9 seconds.

Wed Sep 18 10:48:18 2013 : Info: Cleaning up request 1 ID 205 with timestamp +84

Wed Sep 18 10:48:18 2013 : Info: Ready to process requests.

Thanks!

5 REPLIES
Bronze

dot1x with port security and redundant radius servers

802.1X support    requires an authentication server that is configured for Remote    Authentication Dial-In User Service (RADIUS). 802.1X authentication does  not   work unless the network access switch can route packets to the  configured   RADIUS server.

Please check the  below links which can be helpful in configurations:

Link-1

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/dot1x.html

Silver

dot1x with port security and redundant radius servers

please run

debug radius

debug authentication all

on the switch

Cisco Employee

dot1x with port security and redundant radius servers

Are we pushing vlan's from the radius server. If yes, Is secondary radius server replica of primary? You need to check whether you're pushing the correct vlan or not. This can be checked in "debug radius" that what exactly radius server is pushing in the access-accept.

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
New Member

dot1x with port security and redundant radius servers

Thanks for the helpful posts.  I am not pushing bland out with the radius server, rather letting the switch assign them through its port config.  I will run those debug commands when I'm back in the office on Monday and let you know what they are.

Thanks

New Member

dot1x with port security and redundant radius servers

535
Views
1
Helpful
5
Replies
CreatePlease login to create content