802.1x authentication fail

tedauction
Level 1

Hello, I have many Windows 7 client PCs successfully authenticating via 802.1x on my 'WS-C2960X-48FPD-L 15.0(2)EX4'. This one particular client has identical port configuration to all the others but fails to authenticate the computer using EAP-TLS.

I have checked that its NIC authentication settings are exactly the same as others that do work, and I have upgraded the NIC drivers, but the problem still persists. I do not see any logs on my RADIUS server, so I do not think any 802.1x authentication communication is coming through from the client.

Also, from the switch logs, all I can see is the EAP request going out from the authenticator switch but no reply coming back at all. Does anyone have any idea why the supplicant client is not sending anything?

Thank you.


 sh authentication session int gi2/0/32
Interface: GigabitEthernet2/0/32
MAC Address: e04f.438c.c624
IP Address: 10.100.4.159
User-Name: e04f438cc624
Status: Authz Failed
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A8082200009684DA9F0509
Acct Session ID: 0x00016530
Handle: 0x6E000B21

Runnable methods list:
Method State
mab Failed over
dot1x Failed over


debug dot1x all
May 29 11:23:44: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/32, changed state to up
May 29 11:23:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/32, changed state to up


*****EAP REQUEST FROM AUTHENTICATOR SWITCH BEGINS:******
May 29 11:23:52.659 NZST: dot1x-sm(Gi2/0/32): Posting EAP_REQ for 0x7A0004AE
May 29 11:23:52.659 NZST: dot1x_auth_bend Gi2/0/32: during state auth_bend_request, got event 7(eapReq)
May 29 11:23:52.659 NZST: @@@ dot1x_auth_bend Gi2/0/32: auth_bend_request -> auth_bend_request
May 29 11:23:52.659 NZST: dot1x-sm(Gi2/0/32): 0x7A0004AE:auth_bend_request_request_action called
May 29 11:23:52.659 NZST: dot1x-sm(Gi2/0/32): 0x7A0004AE:auth_bend_request_enter called
May 29 11:23:52.659 NZST: dot1x-ev(Gi2/0/32): Sending EAPOL packet to e04f.438c.c624
May 29 11:23:52.659 NZST: dot1x-ev(Gi2/0/32): Role determination not required
May 29 11:23:52.659 NZST: dot1x-registry:registry:dot1x_ether_macaddr called
May 29 11:23:52.659 NZST: dot1x-ev(Gi2/0/32): Sending out EAPOL packet
May 29 11:23:52.659 NZST: EAPOL pak dump Tx
May 29 11:23:52.659 NZST: EAPOL Version: 0x3 type: 0x0 length: 0x0005
May 29 11:23:52.659 NZST: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
May 29 11:23:52.659 NZST: dot1x-packet(Gi2/0/32): EAPOL packet sent to client 0x7A0004AE (e04f.438c.c624)

****************EAPOL PACKET HAS NOW BEEN SENT FROM AUTHENTICATOR SWITCH TO SUPPLICANT CLIENT AND TIMEOUT OCCURS******************************

May 29 14:04:12.943 NZST: dot1x-ev(Gi2/0/32): Received an EAP Timeout
May 29 14:04:12.943 NZST: dot1x-sm(Gi2/0/32): Posting EAP_TIMEOUT for 0xC100074A
May 29 14:04:12.943 NZST: dot1x_auth_bend Gi2/0/32: during state auth_bend_request, got event 12(eapTimeout)
May 29 14:04:12.943 NZST: @@@ dot1x_auth_bend Gi2/0/32: auth_bend_request -> auth_bend_timeout
May 29 14:04:12.943 NZST: dot1x-sm(Gi2/0/32): 0xC100074A:auth_bend_timeout_enter called
May 29 14:04:12.943 NZST: dot1x-sm(Gi2/0/32): 0xC100074A:auth_bend_request_timeout_action called
May 29 14:04:12.943 NZST: dot1x_auth_bend Gi2/0/32: idle during state auth_bend_timeout
May 29 14:04:12.943 NZST: @@@ dot1x_auth_bend Gi2/0/32: auth_bend_timeout -> auth_bend_idle
May 29 14:04:12.943 NZST: dot1x-sm(Gi2/0/32): 0xC100074A:auth_bend_idle_enter called
May 29 14:04:12.947 NZST: dot1x-sm(Gi2/0/32): Posting AUTH_TIMEOUT on Client 0xC100074A
May 29 14:04:12.947 NZST: dot1x_auth Gi2/0/32: during state auth_authenticating, got event 14(authTimeout)
May 29 14:04:12.947 NZST: @@@ dot1x_auth Gi2/0/32: auth_authenticating -> auth_authc_result
May 29 14:04:12.947 NZST: dot1x-sm(Gi2/0/32): 0xC100074A:auth_authenticating_exit called
May 29 14:04:12.947 NZST: dot1x-sm(Gi2/0/32): 0xC100074A:auth_authc_result_enter called
May 29 14:04:12: %DOT1X-5-FAIL: Authentication failed for client (e04f.438c.c624) on Interface Gi2/0/32 AuditSessionID C0A8082200009861DB317E7C
May 29 14:04:12.947 NZST: dot1x-ev(Gi2/0/32): Sending event (2) to Auth Mgr for e04f.438c.c624
May 29 14:04:12: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (e04f.438c.c624) on Interface Gi2/0/32 AuditSessionID C0A8082200009861DB317E7C
May 29 14:04:12.947 NZST: dot1x-ev(Gi2/0/32): Received Authz fail for the client 0xC100074A (e04f.438c.c624)
May 29 14:04:12.947 NZST: dot1x-ev(Gi2/0/32): Deleting client 0xC100074A (e04f.438c.c624)
May 29 14:04:12: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (e04f.438c.c624) on Interface Gi2/0/32 AuditSessionID C0A8082200009861DB317E7C
May 29 14:04:12: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (e04f.438c.c624) on Interface Gi2/0/32 AuditSessionID C0A8082200009861DB317E7C
May 29 14:04:12: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (e04f.438c.c624) on Interface Gi2/0/32 AuditSessionID C0A8082200009861DB317E7C
May 29 14:04:12.950 NZST: dot1x-sm(Gi2/0/32): Posting_AUTHZ_FAIL on Client 0xC100074A
May 29 14:04:12.950 NZST: dot1x_auth Gi2/0/32: during state auth_authc_result, got event 22(authzFail)
May 29 14:04:12.950 NZST: @@@ dot1x_auth Gi2/0/32: auth_authc_result -> auth_held
May 29 14:04:12.950 NZST: dot1x-ev:Delete auth client (0xC100074A) message
May 29 14:04:12.950 NZST: dot1x-ev:Auth client ctx destroyed
May 29 14:04:12.950 NZST: dot1x-ev:Aborted posting message to authenticator state machine: Invalid client


This is the interface config (which is proven working with many other clients):

interface GigabitEthernet2/0/32
description User_Desktop/VoIP_802_1x
switchport access vlan 54
switchport mode access
switchport voice vlan 154
ip flow monitor NETFLOW-TRAFFIC sampler NETFLOW-SAMPLER input
srr-queue bandwidth share 1 20 20 60
srr-queue bandwidth shape 10 0 0 0
priority-queue out
authentication event fail action next-method
authentication event server dead action authorize vlan 54
authentication event server dead action authorize voice
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy input Marking
end
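To triage this kind of failure across a larger debug capture, here is an added Python example (not from the original post or from Cisco) that decodes the "EAP code/id/length/type" dump lines and flags clients that were sent an EAP-Request/Identity, hit an EAP timeout and ended with a dot1x 'no-response' result. The regexes assume the IOS message formats shown in the post above; the function names and the sample log are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the switch debug output in the post above.
SAMPLE_LOG = """\
May 29 11:23:52.659 NZST: dot1x-ev(Gi2/0/32): Sending EAPOL packet to e04f.438c.c624
May 29 11:23:52.659 NZST: EAPOL Version: 0x3 type: 0x0 length: 0x0005
May 29 11:23:52.659 NZST: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
May 29 14:04:12.943 NZST: dot1x-ev(Gi2/0/32): Received an EAP Timeout
May 29 14:04:12: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (e04f.438c.c624) on Interface Gi2/0/32 AuditSessionID C0A8082200009861DB317E7C
May 29 14:04:12: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (e04f.438c.c624) on Interface Gi2/0/32 AuditSessionID C0A8082200009861DB317E7C
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}   # RFC 3748 codes
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP"}                  # IANA EAP method types (subset)
SENT_RE = re.compile(r"dot1x-ev\(([^)]+)\): Sending EAPOL packet to ([0-9a-f.]+)")
EAP_RE = re.compile(r"EAP code: 0x([0-9a-fA-F]+) id: 0x([0-9a-fA-F]+) length: 0x([0-9a-fA-F]+) type: 0x([0-9a-fA-F]+)")
TIMEOUT_RE = re.compile(r"dot1x-ev\(([^)]+)\): Received an EAP Timeout")
RESULT_RE = re.compile(r"%AUTHMGR-7-RESULT: Authentication result '([^']+)' from '(\w+)' for client \(([0-9a-f.]+)\) on Interface (\S+)")

def describe_eap(line):
    """Decode an 'EAP code/id/length/type' dump line into a readable label, or None."""
    m = EAP_RE.search(line)
    if not m:
        return None
    code, ident, length, etype = (int(x, 16) for x in m.groups())
    return f"EAP-{EAP_CODES.get(code, code)}/{EAP_TYPES.get(etype, etype)} id={ident} len={length}"

def triage(log_text):
    """Per (interface, mac): EAPOL frames sent, EAP timeouts, decoded EAP requests, auth results."""
    sessions = defaultdict(lambda: {"sent": 0, "timeouts": 0, "eap": [], "results": []})
    current = None  # (interface, mac) of the most recent 'Sending EAPOL packet' line
    for line in log_text.splitlines():
        if m := SENT_RE.search(line):
            current = (m.group(1), m.group(2))
            sessions[current]["sent"] += 1
        elif current and (desc := describe_eap(line)):
            sessions[current]["eap"].append(desc)       # packet dump follows the 'Sending' line
        elif (m := TIMEOUT_RE.search(line)) and current and current[0] == m.group(1):
            sessions[current]["timeouts"] += 1
        elif m := RESULT_RE.search(line):
            sessions[(m.group(4), m.group(3))]["results"].append((m.group(2), m.group(1)))
    return dict(sessions)

def silent_supplicants(log_text):
    """Clients that were sent EAP requests, timed out and ended as dot1x 'no-response'."""
    return sorted(key for key, s in triage(log_text).items()
                  if s["sent"] and s["timeouts"] and ("dot1x", "no-response") in s["results"])
```

A client listed by silent_supplicants never answered the switch at all, which points at the supplicant side (service, driver, EAPOL handling) rather than at the RADIUS server or certificate.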

4 Replies

Hello,

Odd, since all the other clients appear to be working fine with the same settings. Either way, one thing you could try is to change the authentication order on that particular port:

--> no authentication order mab dot1x

--> authentication order dot1x mab

Francesco Molino
VIP Alumni
Hi

In addition to what Georg said, can you verify that you have the same level of patches applied on the working and non-working machines?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Tubster123
Level 1

Hello,

Strange that there is no response from the client. Maybe look for issues with the Wired AutoConfig Service on the client? Or try with the AnyConnect supplicant?

Thanks

You can try with AnyConnect. To find out why you're having issues with this machine, have you checked that all patches are at the same level as on the working machines?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question