05-06-2008 07:08 AM - edited 03-05-2019 10:47 PM
I can't get port authentication to work.
ACS 3.0 using Radius
Cat 3560's
Windows EAP Type = MD5 Challenge
I get prompted to enter my password and it fails authentication. I am thinking something is misconfigured on the ACS 3.0. I am only trying to get it to work on 1 port with one user at this point. Any ideas?
Cisco Config:
aaa authentication dot1x default group radius
radius-server host 10.20.1.25 auth-port 1645 acct-port 1646
radius-server key xxx
dot1x system-auth-control
interface GigabitEthernet0/3
 switchport access vlan 10
 switchport mode access
 mls qos trust dscp
 dot1x system-auth-control auto
 spanning-tree portfast
ACS LOG:
05/05/2008 16:57:50 Bad request from NAS .. .. .. (Unknown) Invalid message authenticator in EAP request .. .. .. 10.20.1.18 .. .. .. .. .. MDF-SW-04 Radius
I get the above error when the switch is trying to authenticate me. Then Windows errors out and says Authentication Failed.
Any ideas where I need to start troubleshooting this?
Thanks for the help!
05-06-2008 07:38 AM
David,
Sometimes the "Invalid message authenticator in EAP request" error message can occur due to mis-matched shared secret keys.
Please try resetting the shared password on the switch and the ACS to something simple like cisco123.
Regards,
~JG
Do rate helpful posts
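The check behind "Invalid message authenticator in EAP request", as an added example that is not part of the original posts and is not Cisco's code: per RFC 3579 the Message-Authenticator attribute is an HMAC-MD5 over the whole Access-Request keyed with the RADIUS shared secret, so a secret mismatch between switch and server is rejected before the user's password is ever evaluated. The packet contents, user name and the second secret are constructed sample values.

```python
import hashlib
import hmac
import struct

USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80  # RADIUS attribute types


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, ident: int, req_auth: bytes, user: bytes) -> bytes:
    """Build an Access-Request with an EAP-Response/Identity, signed as a NAS would sign it."""
    eap = struct.pack("!BBHB", 2, ident, 5 + len(user), 1) + user  # code=Response, type=Identity
    attrs = attr(USER_NAME, user) + attr(EAP_MESSAGE, eap) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = bytearray(struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs)
    # HMAC-MD5 over the packet with the attribute value zeroed, then written into its place
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server-side check: zero the attribute value, recompute the HMAC, compare."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > len(packet):
            return False  # malformed attribute
        if a_type == MESSAGE_AUTHENTICATOR and a_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += a_len
    return False  # an EAP request without the attribute is not accepted


# Constructed sample: the switch signs with one secret, the server checks with its own.
REQUEST = build_access_request(b"cisco123", 7, bytes(range(16)), b"testuser")

if __name__ == "__main__":
    print("matching secret:  ", verify_message_authenticator(b"cisco123", REQUEST))
    print("mismatched secret:", verify_message_authenticator(b"Cisco123", REQUEST))
```

A trailing space or a case difference in the key on either side is enough to produce the mismatched result.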
05-06-2008 08:17 AM
Below is the info from debug aaa authentication. Any ideas?
bend_idle_request_action called
110512: .May 6 09:08:42.196 UTC: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on GigabitEthernet0/3.
110513: .May 6 09:08:42.196 UTC: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Authenticator Q
110514: .May 6 09:08:42.196 UTC: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
110515: .May 6 09:08:42.196 UTC: dot1x-packet:Received an EAPOL frame on interface GigabitEthernet0/3
110516: .May 6 09:08:42.196 UTC: dot1x-ev:Received pkt saddr =00e0.b8a9.2085 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.000f
110517: .May 6 09:08:42.196 UTC: dot1x-packet:Received an EAP packet on interface GigabitEthernet0/3
110518: .May 6 09:08:42.196 UTC: EAPOL pak dump rx
110519: .May 6 09:08:42.196 UTC: EAPOL Version: 0x1 type: 0x0 length: 0x000F
110520: .May 6 09:08:42.196 UTC: dot1x-packet:Received an EAP packet on the GigabitEthernet0/3 from mac 00e0.b8a9.2085
110521: .May 6 09:08:42.196 UTC: dot1x-sm:Posting EAPOL_EAP on Client=37E05D8
110522: .May 6 09:08:42.196 UTC: dot1x_auth_bend Gi0: during state auth_bend_request, got event 6(eapolEap)
110523: .May 6 09:08:42.196 UTC: @@@ dot1x_auth_bend Gi0: auth_bend_request -> auth_bend_response
b8a9.2085:auth_aborting_enter called
110855: .May 6 09:10:47.381 UTC: dot1x-sm:Posting AUTH_ABORT on Client=37E05D8
110856: .May 6 09:10:47.381 UTC: dot1x_auth_bend Gi0: during state auth_bend_response, got event 1(authAbort)
110857: .May 6 09:10:47.381 UTC: @@@ dot1x_auth_bend Gi0: auth_bend_response -> auth_bend_initialize
110858: .May 6 09:10:47.381 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_bend_response_exit called
110859: .May 6 09:10:47.381 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_bend_initialize_enter called
110860: .May 6 09:10:47.381 UTC: dot1x_auth_bend Gi0: idle during state auth_bend_initialize
110861: .May 6 09:10:47.381 UTC: @@@ dot1x_auth_bend Gi0: auth_bend_initialize -> auth_bend_idle
110862: .May 6 09:10:47.381 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_bend_idle_enter called
110863: .May 6 09:10:47.381 UTC: dot1x-sm:Posting !AUTH_ABORT on Client=37E05D8
110864: .May 6 09:10:47.381 UTC: dot1x_auth Gi0: during state auth_aborting, got event 20(no_eapolLogoff_no_authAbort)
110865: .May 6 09:10:47.381 UTC: @@@ dot1x_auth Gi0: auth_aborting -> auth_restart
110866: .May 6 09:10:47.381 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_aborting_exit called
110867: .May 6 09:10:47.381 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_restart_enter called
110868: .May 6 09:10:47.381 UTC: dot1x-ev:Resetting the client 00e0.b8a9.2085
110869: .May 6 09:10:47.381 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_aborting_restart_action called
110870: .May 6 09:10:47.381 UTC: dot1x-sm:Posting !EAP_RESTART on Client=37E05D8
110871: .May 6 09:10:47.381 UTC: dot1x_auth Gi0: during state auth_restart, got event 6(no_eapRestart)
110872: .May 6 09:10:47.381 UTC: @@@ dot1x_auth Gi0: auth_restart -> auth_connecting
110873: .May 6 09:10:47.381 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_connecting_enter called
110874: .May 6 09:10:47.381 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_restart_connecting_action called
110875: .May 6 09:10:48.413 UTC: dot1x-packet:Received an EAP request packet from EAP for mac 00e0.b8a9.2085
110876: .May 6 09:10:48.413 UTC: dot1x-sm:Posting RX_REQ on Client=37E05D8
110877: .May 6 09:10:48.413 UTC: dot1x_auth Gi0: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
110878: .May 6 09:10:48.413 UTC: @@@ dot1x_auth Gi0: auth_connecting -> auth_authenticating
110879: .May 6 09:10:48.413 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_authenticating_enter called
110880: .May 6 09:10:48.413 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_connecting_authenticating_action called
05-06-2008 09:54 AM
Anybody have any ideas what the log below is telling me?
Log Buffer (32768 bytes):
112712: .May 6 10:51:16.668 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
112713: .May 6 10:51:19.235 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
112714: .May 6 10:51:28.589 UTC: AAA/BIND(00000047): Bind i/f
112715: .May 6 10:51:28.589 UTC: AAA/AUTHEN/19 (00000047): Pick method list 'default'
112716: .May 6 10:51:59.610 UTC: AAA/BIND(00000047): Bind i/f
112717: .May 6 10:51:59.610 UTC: AAA/AUTHEN/19 (00000047): Pick method list 'default'
112718: .May 6 10:52:20.741 UTC: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.20.1.25:1645,1646 is not responding.
112719: .May 6 10:52:20.741 UTC: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.20.1.25:1645,1646 has returned.
112720: .May 6 10:52:31.663 UTC: AAA/BIND(00000047): Bind i/f
112721: .May 6 10:52:31.663 UTC: AAA/AUTHEN/19 (00000047): Pick method list 'default'
05-06-2008 10:25 AM
This is a fresh log. Start of authentication to finish. Any ideas why it's failing?
Log Buffer (32768 bytes):
112924: .May 6 11:22:15.538 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
112925: .May 6 11:22:18.146 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
112926: .May 6 11:22:32.315 UTC: AAA/BIND(0000004B): Bind i/f
112927: .May 6 11:22:32.315 UTC: AAA/AUTHEN/19 (0000004B): Pick method list 'default'
112928: .May 6 11:23:03.345 UTC: AAA/BIND(0000004B): Bind i/f
112929: .May 6 11:23:03.345 UTC: AAA/AUTHEN/19 (0000004B): Pick method list 'default'
112930: .May 6 11:23:24.619 UTC: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.20.1.25:1812,1813 is not responding.
112931: .May 6 11:23:24.619 UTC: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.20.1.25:1812,1813 has returned.
112932: .May 6 11:23:33.351 UTC: %SM-4-BADEVENT: Event 'authTimeout' is invalid for the current state 'auth_aborting': dot1x_auth Gi0
-Traceback= B6D4C4 18F7B4 306584 304984 304F2C 8D9B24 8D00EC
112933: .May 6 11:23:35.406 UTC: AAA/BIND(0000004B): Bind i/f
112934: .May 6 11:23:35.406 UTC: AAA/AUTHEN/19 (0000004B): Pick method list 'default'
112935: .May 6 11:24:06.428 UTC: AAA/BIND(0000004B): Bind i/f
112936: .May 6 11:24:06.428 UTC: AAA/AUTHEN/19 (0000004B): Pick method list 'default'
112937: .May 6 11:24:38.481 UTC: AAA/BIND(0000004B): Bind i/f
112938: .May 6 11:24:38.481 UTC: AAA/AUTHEN/19 (0000004B): Pick method list 'default'