Cisco Support Community

%DOT1X-5-FAIL: Authentication failed for client

Hi

 

I have the following problem configuring 802.1x.

Debug shows the following:

 

Nov  6 16:44:55.732: RADIUS/ENCODE(00000095):Orig. component type = Exec
Nov  6 16:44:55.732: RADIUS(00000095): Config NAS IP: 10.100.52.10
Nov  6 16:44:55.732: RADIUS(00000095): Config NAS IPv6: ::
Nov  6 16:44:55.732: RADIUS(00000095): sending
Nov  6 16:44:55.732: RADIUS(00000095): Sending a IPv4 Radius Packet
Nov  6 16:44:55.732: RADIUS(00000095): Send Accounting-Request to 10.95.1.114:1813 id 1646/16,len 90
Nov  6 16:44:55.732: RADIUS:  authenticator 79 25 BD 80 67 D6 1F BA - 5E 02 2B 55 98 37 69 BF
Nov  6 16:44:55.732: RADIUS:  Acct-Session-Id     [44]  10  "0000008B"
Nov  6 16:44:55.735: RADIUS:  Acct-Authentic      [45]  6   Local                     [2]
Nov  6 16:44:55.735: RADIUS:  Acct-Terminate-Cause[49]  6   user-request              [1]
Nov  6 16:44:55.735: RADIUS:  Acct-Session-Time   [46]  6   2280
Nov  6 16:44:55.735: RADIUS:  Acct-Status-Type    [40]  6   Stop                      [2]
Nov  6 16:44:55.735: RADIUS:  NAS-Port            [5]   6   0
Nov  6 16:44:55.735: RADIUS:  NAS-Port-Id         [87]  6   "tty0"
Nov  6 16:44:55.735: RADIUS:  NAS-Port-Type       [61]  6   Async                     [0]
Nov  6 16:44:55.735: RADIUS:  Service-Type        [6]   6   NAS Prompt                [7]
Nov  6 16:44:55.735: RADIUS:  NAS-IP-Address      [4]   6   10.100.52.10
Nov  6 16:44:55.735: RADIUS:  Acct-Delay-Time     [41]  6   0
Nov  6 16:44:55.735: RADIUS(00000095): Started 5 sec timeout
Nov  6 16:44:55.735: RADIUS: Received from id 1646/16 10.95.1.114:1813, Accounting-response, len 20
Nov  6 16:44:55.735: RADIUS:  authenticator AC C0 5B 5B 04 B7 27 09 - 9D 33 58 38 4D AB 16 C8
Nov  6 16:45:47.706: %AUTHMGR-5-START: Starting 'dot1x' for client (3c97.0edd.75c9) on Interface Gi1/0/23 AuditSessionID 0A64340A00000082046F3A65
Nov  6 16:47:19.971: %DOT1X-5-FAIL: Authentication failed for client (3c97.0edd.75c9) on Interface Gi1/0/23 AuditSessionID 0A64340A00000082046F3A65
Nov  6 16:47:19.971: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (3c97.0edd.75c9) on Interface Gi1/0/23 AuditSessionID 0A64340A00000082046F3A65
Nov  6 16:47:19.971: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (3c97.0edd.75c9) on Interface Gi1/0/23 AuditSessionID 0A64340A00000082046F3A65
Nov  6 16:47:19.971: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (3c97.0edd.75c9) on Interface Gi1/0/23 AuditSessionID 0A64340A00000082046F3A65
Nov  6 16:47:19.971: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (3c97.0edd.75c9) on Interface Gi1/0/23 AuditSessionID 0A64340A00000082046F3A65

 

 

The configuration is as follows: 

 

!
hostname xxx
!
boot-start-marker
boot-end-marker
!
enable secret 4 eaOP83n/Avy2EAs2tg7JbhLCX5T8h39E3GwBeTDW5sY
!
username xxx privilege 15 password 0 xxx
aaa new-model
!
!
aaa group server radius IAS
 server 10.95.1.114 auth-port 1812 acct-port 1813
!
aaa authentication login userAuthentication local group IAS
aaa authentication dot1x default group radius
aaa authorization exec userAuthorization local group IAS if-authenticated
aaa authorization network userAuthorization local group IAS
aaa accounting exec default start-stop group IAS
aaa accounting system default start-stop group IAS
!
!
!
!
!
!
aaa session-id common
switch 1 provision ws-c2960x-24ps-l
!
!
no ip domain-lookup
ip domain-name xxx
!
dot1x system-auth-control
!
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 1,100 priority 61440
!
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
interface GigabitEthernet1/0/23
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
interface Vlan1
 ip address dhcp
!
interface Vlan100
 ip address 10.100.52.10 255.255.0.0
!
ip default-gateway 10.100.52.12
ip http server
ip http secure-server
!
ip radius source-interface Vlan100
!
!
radius-server host 10.95.1.114 key xxxxx
radius-server host 10.95.1.114 auth-port 1812 acct-port 1813 key xxxxx
!
!
!
line con 0
 logging synchronous
line vty 0 2
 exec-timeout 0 0
 authorization exec userAuthorization
 logging synchronous
 login authentication userAuthentication
 transport input telnet ssh
line vty 3 4
 exec-timeout 0 0
 logging synchronous
 transport input telnet
line vty 5 15
 exec-timeout 0 0
 logging synchronous
 transport input telnet
!
end

 

I hope you can help me

 

 

Best regards

 

1 REPLY
Cisco Employee

The log message

Nov  6 16:47:19.971: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (3c97.0edd.75c9) on Interface Gi1/0/23 AuditSessionID 0A64340A00000082046F3A65

means that the client is not responding to the EAPoL-based messages. The NAD (in your situation a switch) is sending the "Access-Request" message to the endpoint but the endpoint is not responding. This would indicate that the endpoint supplicant is not properly configured to perform dot1x. With that being said, can you tell us:

1. What type of endpoint is this? Windows, Mac, etc.?

2. What type of dot1x authentication are you trying to perform? PEAP, EAP-TLS, etc?

The next log message:

Nov  6 16:47:19.971: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (3c97.0edd.75c9) on Interface Gi1/0/23 AuditSessionID 0A64340A00000082046F3A65

is indicating that since the dot1x authentication failed, the NAD will try the next available and configured authentication method (MAB, web auth, etc.).

However, the following log message

Nov  6 16:47:19.971: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (3c97.0edd.75c9) on Interface Gi1/0/23 AuditSessionID 0A64340A00000082046F3A65

informs you that all configured authentication methods had been tried. This is because you only have dot1x configured as an authentication method. If you want, you can configure MAB, webauth, etc.

This final log message:

Nov  6 16:47:19.971: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (3c97.0edd.75c9) on Interface Gi1/0/23 AuditSessionID 0A64340A00000082046F3A65

simply states that the dot1x process failed, so your client will be getting an "Access_Reject" and will not be allowed on the network.

I hope this helps!

 

Thank you for rating helpful posts!
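
As an added example (not part of the original thread and not Cisco tooling), the following Python groups the AUTHMGR/DOT1X lines from the posted debug by AuditSessionID, measures how long the switch waited before giving up, and applies the readings given in the reply. The names `summarize` and `diagnose` and the diagnosis strings are assumptions of this example.

```python
import re
from collections import defaultdict

# Log lines copied from the debug output posted in the question above.
SAMPLE = """\
Nov  6 16:45:47.706: %AUTHMGR-5-START: Starting 'dot1x' for client (3c97.0edd.75c9) on Interface Gi1/0/23 AuditSessionID 0A64340A00000082046F3A65
Nov  6 16:47:19.971: %DOT1X-5-FAIL: Authentication failed for client (3c97.0edd.75c9) on Interface Gi1/0/23 AuditSessionID 0A64340A00000082046F3A65
Nov  6 16:47:19.971: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (3c97.0edd.75c9) on Interface Gi1/0/23 AuditSessionID 0A64340A00000082046F3A65
Nov  6 16:47:19.971: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (3c97.0edd.75c9) on Interface Gi1/0/23 AuditSessionID 0A64340A00000082046F3A65
Nov  6 16:47:19.971: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (3c97.0edd.75c9) on Interface Gi1/0/23 AuditSessionID 0A64340A00000082046F3A65
Nov  6 16:47:19.971: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (3c97.0edd.75c9) on Interface Gi1/0/23 AuditSessionID 0A64340A00000082046F3A65
"""

LINE = re.compile(
    r"(\d\d):(\d\d):(\d\d)\.(\d{3}): %(?P<fac>AUTHMGR|DOT1X)-\d-(?P<mnem>[A-Z]+): "
    r"(?P<text>.*?) for client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+) "
    r"AuditSessionID (?P<sid>[0-9A-F]+)")
RESULT = re.compile(r"result '(?P<result>[^']+)' from '(?P<method>[^']+)'")

def diagnose(s):
    """Map the event sequence to the readings given in the reply above."""
    notes = []
    if ("dot1x", "no-response") in s["results"]:
        notes.append("endpoint supplicant did not respond to EAPoL")
    if "AUTHMGR-NOMOREMETHODS" in s["events"]:
        notes.append("no further authentication method configured (e.g. MAB, web auth)")
    if "AUTHMGR-FAIL" in s["events"]:
        notes.append("client not allowed on the network")
    return notes

def summarize(log_text):
    """Group AUTHMGR/DOT1X lines by AuditSessionID; RADIUS debug lines are skipped."""
    sessions = defaultdict(lambda: {"events": [], "results": [], "times": []})
    for m in LINE.finditer(log_text):
        h, mi, sec, ms = (int(g) for g in m.groups()[:4])
        s = sessions[m["sid"]]
        s["mac"], s["interface"] = m["mac"], m["intf"]
        s["times"].append(((h * 60 + mi) * 60 + sec) * 1000 + ms)
        s["events"].append(f"{m['fac']}-{m['mnem']}")
        r = RESULT.search(m["text"])
        if r:
            s["results"].append((r["method"], r["result"]))
    for s in sessions.values():
        # Assumption: a session's lines fall on the same day (only time of day is parsed).
        s["elapsed_ms"] = max(s["times"]) - min(s["times"])
        s["diagnosis"] = diagnose(s)
    return dict(sessions)
```
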
