02-12-2014 07:57 AM - edited 03-10-2019 09:23 PM
Cisco 2950, ACS 5.3
ACS tested, I created a local account on the ACS and enabled authentication on the 2950. All working.
Dot1x - not working
Configuration on the switch:
Switch#sh run | i dot1x
aaa authentication dot1x default group tacacs+
aaa authorization network default group tacacs+
tacacs-server host 172.16.1.175
dot1x system-auth-control
Switch#sh run int f0/2
Building configuration...
Current configuration : 107 b
!
interface FastEthernet0/2
switchport mode access
dot1x port-control auto
spanning-tree portfast
Switch#sh dot1x int f0/2
Supplicant MAC <Not Applicable>
AuthSM State = CONNECTING
BendSM State = IDLE
Posture = N/A
PortStatus = UNAUTHORIZED
MaxReq = 2
MaxAuthReq = 2
HostMode = Single
Port Control = Auto
ControlDirection = Both
QuietPeriod = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod = 3600 Seconds
ServerTimeout = 30 Seconds
SuppTimeout = 30 Seconds
TxPeriod = 30 Seconds
Guest-Vlan = 0
AuthFail-Vlan = 0
AuthFail-Max-Attempts = 3
And it stays like that
Debug
01:59:21: dot1x-ev:Received QUEUE EVENT in response to AAA Request
01:59:21: dot1x-ev:Dot1x matching request-response id 4294967283 found
01:59:21: dot1x-ev:Length of recv eap packet from radius = 4
01:59:21: dot1x-ev:Received VLAN Id -1
01:59:22: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up
FastEthernet0/2
02:00:38: dot1x-ev:dot1x_post_message_to_auth_sm: removing supplicant 0015.60c3.8613 SM
02:00:38: dot1x-ev:destroy supplicant block for 0015.60c3.8613
02:00:38: dot1x-ev:Enter function dot1x_aaa_acct_end
02:00:38: dot1x-ev:Couldn't find a supplicant block for mac 0015.60c3.8613
02:00:38: dot1x-ev:Couldn't find a supplicant block for mac 0015.60c3.8613
I would expect my Windows7 client to ask me for a username/pass (dot1x enabled on my NIC card)
02-12-2014 07:59 AM
On ACS I can see
13011 Invalid TACACS+ request packet - possibly mismatched Shared Secrets
Which is not true as I can telnet to this switch using a Tacacs account
I also added a username/pass to my NIC settings. Windows says: 'authentication failed'
02-13-2014 01:36 AM
You need to configure RADIUS for dot1x.
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
radius-server host x.x.x.x auth-port 1812 acct-port 1813
radius-server timeout 3
radius-server key blabla
!
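Added example (not part of the original posts and not Cisco tooling): a small Python check that reads a running-config and reports 802.1X method lists that point at TACACS+ or have no RADIUS server behind them, which is the condition this answer corrects. The function name, both sample configs and the 192.0.2.10 / EXAMPLE-KEY values are constructed for illustration, and only the legacy `radius-server host` syntax shown above is recognised.

```python
import re

# Constructed sample: the dot1x-related lines from the question's switch.
SAMPLE_BROKEN = """\
aaa authentication dot1x default group tacacs+
aaa authorization network default group tacacs+
tacacs-server host 172.16.1.175
dot1x system-auth-control
interface FastEthernet0/2
 switchport mode access
 dot1x port-control auto
"""

# Constructed sample: the answer's RADIUS lines with placeholder host and key.
SAMPLE_FIXED = """\
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813
radius-server key EXAMPLE-KEY
dot1x system-auth-control
interface FastEthernet0/2
 switchport mode access
 dot1x port-control auto
"""

def audit_dot1x(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    if not any(l.startswith("dot1x port-control") for l in lines):
        return []  # no 802.1X-controlled ports, nothing to check
    findings = []
    if "dot1x system-auth-control" not in lines:
        findings.append("dot1x system-auth-control is missing")
    auth_lists = [l for l in lines if l.startswith("aaa authentication dot1x ")]
    if not auth_lists:
        findings.append("no 'aaa authentication dot1x' method list")
    # Method lists the answer moves to RADIUS: dot1x authentication and
    # network authorization.
    for l in auth_lists + [x for x in lines
                           if x.startswith("aaa authorization network ")]:
        if "tacacs+" in re.findall(r"group (\S+)", l):
            findings.append("'%s' points at TACACS+, not RADIUS" % l)
    if not any(l.startswith("radius-server host ") for l in lines):
        findings.append("no 'radius-server host' defined")
    return findings

if __name__ == "__main__":
    for name, cfg in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(name, audit_dot1x(cfg) or "no findings")
```

Run against the output of `show running-config` saved to a file, it lists each line that needs changing before the port can leave the UNAUTHORIZED state for a valid supplicant.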
02-13-2014 11:52 PM
Please have a look at this very good document on 802.1x authentication, configuration and verification commands:
http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116506-configure-acs-00.html
02-20-2014 03:14 AM
Please go through the link below; it may help you to get verified.