Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
654
Views
0
Helpful
4
Replies

Need some help with dot1x please

Mariusz Kuriata
Level 1
Level 1

‎02-12-2014 07:57 AM - edited ‎03-10-2019 09:23 PM

Cisco 2950, ACS 5.3

ACS tested, I created a local account on the ACS and enabled authentication on the 2950. All working.

Dot1x - not working

Configuration on the switch:

Switch#sh run | i dot1x

aaa authentication dot1x default group tacacs+

aaa authorization network default group tacacs+

tacacs-server host 172.16.1.175

dot1x system-auth-control

Switch#sh run int f0/2

Building configuration...

Current configuration : 107 b

!

interface FastEthernet0/2

switchport mode access

dot1x port-control auto

spanning-tree portfast

Switch#sh dot1x int f0/2

Supplicant MAC <Not Applicable>

AuthSM State          = CONNECTING

BendSM State          = IDLE

Posture               = N/A

PortStatus            = UNAUTHORIZED

MaxReq                = 2

MaxAuthReq            = 2

HostMode              = Single

Port Control          = Auto

ControlDirection      = Both

QuietPeriod           = 60 Seconds

Re-authentication     = Disabled

ReAuthPeriod          = 3600 Seconds

ServerTimeout         = 30 Seconds

SuppTimeout           = 30 Seconds

TxPeriod              = 30 Seconds

Guest-Vlan            = 0

AuthFail-Vlan         = 0

AuthFail-Max-Attempts = 3

And it stays like that

Debug

01:59:21: dot1x-ev:Received QUEUE EVENT in response to AAA Request

01:59:21: dot1x-ev:Dot1x matching request-response id 4294967283 found

01:59:21: dot1x-ev:Length of recv eap packet from radius = 4

01:59:21: dot1x-ev:Received VLAN Id -1

01:59:22: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up

FastEthernet0/2

02:00:38: dot1x-ev:dot1x_post_message_to_auth_sm: removing supplicant 0015.60c3

8613 SM

02:00:38: dot1x-ev:destroy supplicant block for 0015.60c3.8613

02:00:38: dot1x-ev:Enter function dot1x_aaa_acct_end

02:00:38: dot1x-ev:Couldn't find a supplicant block for mac 0015.60c3.8613

02:00:38: dot1x-ev:Couldn't find a supplicant block for mac 0015.60c3.8613

I would expect my Windows7 client to ask me for a username/pass (dot1x enabled on my NIC card)

Labels:
0 Helpful
4 Replies 4

Mariusz Kuriata
Level 1
Level 1

‎02-12-2014 07:59 AM

On ACS I can see

13011 Invalid TACACS+ request packet - possibly mismatched Shared Secrets

Which is not true as I can telnet to this switch using a Tacacs account

I also added a username/pass to my NIC settings. Windows says: 'authentication failed'

0 Helpful

hdussa
Level 1
Level 1
In response to Mariusz Kuriata

‎02-13-2014 01:36 AM

You need to configure RADIUS for dot1x.

aaa authentication dot1x default group radius

aaa authorization network default group radius

!

radius-server host x.x.x.x auth-port 1812 acct-port 1813

radius-server timeout 3

radius-server key blabla
!

0 Helpful

Naveen Kumar
Level 4
Level 4

‎02-13-2014 11:52 PM

Please have a look on a very good docs for 802.1x authentication, configuration and verification commands:

http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116506-configure-acs-00.html

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents