New Member

Port Authentication via Dot1x on 3560's via ACS 3.0

I can't get port authentication to work.

ACS 3.0 using Radius

Cat 3560's

Windows EAP Type = MD5 Challenge

I get prompted to enter my password and it fails authentication. I am thinking something is mis-configured on the ACS 3.0. I am only trying to get it to work on 1 port with one user at this point. Any ideas?

Cisco Config:

aaa authentication dot1x default group radius
radius-server host 10.20.1.25 auth-port 1645 acct-port 1646
radius-server key xxx
dot1x system-auth-control
interface GigabitEthernet0/3
 switchport access vlan 10
 switchport mode access
 mls qos trust dscp
 dot1x system-auth-control auto
 spanning-tree portfast

ACS LOG:

05/05/2008 16:57:50 Bad request from NAS .. .. .. (Unknown) Invalid message authenticator in EAP request .. .. .. 10.20.1.18 .. .. .. .. .. MDF-SW-04 Radius

I get the above error when the switch is trying to authenticate me. Then Windows errors out and says Authentication Failed.

Any ideas where I need to start troubleshooting this?

Thanks for the help!

4 REPLIES

Re: Port Authentication via Dot1x on 3560's via ACS 3.0

David,

Sometimes the "Invalid message authenticator in EAP request" error message can occur due to mis-matched shared secret keys.

Please try resetting the shared password on the switch and the ACS to something simple like cisco123.

Regards,

~JG

Do rate helpful posts

New Member

Re: Port Authentication via Dot1x on 3560's via ACS 3.0

Below is the info from debug aaa authentication. Any ideas?

bend_idle_request_action called
110512: .May 6 09:08:42.196 UTC: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on GigabitEthernet0/3.
110513: .May 6 09:08:42.196 UTC: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Authenticator Q
110514: .May 6 09:08:42.196 UTC: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
110515: .May 6 09:08:42.196 UTC: dot1x-packet:Received an EAPOL frame on interface GigabitEthernet0/3
110516: .May 6 09:08:42.196 UTC: dot1x-ev:Received pkt saddr =00e0.b8a9.2085 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.000f
110517: .May 6 09:08:42.196 UTC: dot1x-packet:Received an EAP packet on interface GigabitEthernet0/3
110518: .May 6 09:08:42.196 UTC: EAPOL pak dump rx
110519: .May 6 09:08:42.196 UTC: EAPOL Version: 0x1 type: 0x0 length: 0x000F
110520: .May 6 09:08:42.196 UTC: dot1x-packet:Received an EAP packet on the GigabitEthernet0/3 from mac 00e0.b8a9.2085
110521: .May 6 09:08:42.196 UTC: dot1x-sm:Posting EAPOL_EAP on Client=37E05D8
110522: .May 6 09:08:42.196 UTC: dot1x_auth_bend Gi0: during state auth_bend_request, got event 6(eapolEap)
110523: .May 6 09:08:42.196 UTC: @@@ dot1x_auth_bend Gi0: auth_bend_request -> auth_bend_response

b8a9.2085:auth_aborting_enter called
110855: .May 6 09:10:47.381 UTC: dot1x-sm:Posting AUTH_ABORT on Client=37E05D8
110856: .May 6 09:10:47.381 UTC: dot1x_auth_bend Gi0: during state auth_bend_response, got event 1(authAbort)
110857: .May 6 09:10:47.381 UTC: @@@ dot1x_auth_bend Gi0: auth_bend_response -> auth_bend_initialize
110858: .May 6 09:10:47.381 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_bend_response_exit called
110859: .May 6 09:10:47.381 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_bend_initialize_enter called
110860: .May 6 09:10:47.381 UTC: dot1x_auth_bend Gi0: idle during state auth_bend_initialize
110861: .May 6 09:10:47.381 UTC: @@@ dot1x_auth_bend Gi0: auth_bend_initialize -> auth_bend_idle
110862: .May 6 09:10:47.381 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_bend_idle_enter called
110863: .May 6 09:10:47.381 UTC: dot1x-sm:Posting !AUTH_ABORT on Client=37E05D8
110864: .May 6 09:10:47.381 UTC: dot1x_auth Gi0: during state auth_aborting, got event 20(no_eapolLogoff_no_authAbort)
110865: .May 6 09:10:47.381 UTC: @@@ dot1x_auth Gi0: auth_aborting -> auth_restart
110866: .May 6 09:10:47.381 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_aborting_exit called
110867: .May 6 09:10:47.381 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_restart_enter called
110868: .May 6 09:10:47.381 UTC: dot1x-ev:Resetting the client 00e0.b8a9.2085
110869: .May 6 09:10:47.381 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_aborting_restart_action called
110870: .May 6 09:10:47.381 UTC: dot1x-sm:Posting !EAP_RESTART on Client=37E05D8
110871: .May 6 09:10:47.381 UTC: dot1x_auth Gi0: during state auth_restart, got event 6(no_eapRestart)
110872: .May 6 09:10:47.381 UTC: @@@ dot1x_auth Gi0: auth_restart -> auth_connecting
110873: .May 6 09:10:47.381 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_connecting_enter called
110874: .May 6 09:10:47.381 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_restart_connecting_action called
110875: .May 6 09:10:48.413 UTC: dot1x-packet:Received an EAP request packet from EAP for mac 00e0.b8a9.2085
110876: .May 6 09:10:48.413 UTC: dot1x-sm:Posting RX_REQ on Client=37E05D8
110877: .May 6 09:10:48.413 UTC: dot1x_auth Gi0: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
110878: .May 6 09:10:48.413 UTC: @@@ dot1x_auth Gi0: auth_connecting -> auth_authenticating
110879: .May 6 09:10:48.413 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_authenticating_enter called
110880: .May 6 09:10:48.413 UTC: dot1x-sm:Gi0/3:00e0.b8a9.2085:auth_connecting_authenticating_action called

New Member

Re: Port Authentication via Dot1x on 3560's via ACS 3.0

Anybody have any ideas what the log below is telling me?

Log Buffer (32768 bytes):

112712: .May 6 10:51:16.668 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
112713: .May 6 10:51:19.235 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
112714: .May 6 10:51:28.589 UTC: AAA/BIND(00000047): Bind i/f
112715: .May 6 10:51:28.589 UTC: AAA/AUTHEN/19 (00000047): Pick method list 'default'
112716: .May 6 10:51:59.610 UTC: AAA/BIND(00000047): Bind i/f
112717: .May 6 10:51:59.610 UTC: AAA/AUTHEN/19 (00000047): Pick method list 'default'
112718: .May 6 10:52:20.741 UTC: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.20.1.25:1645,1646 is not responding.
112719: .May 6 10:52:20.741 UTC: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.20.1.25:1645,1646 has returned.
112720: .May 6 10:52:31.663 UTC: AAA/BIND(00000047): Bind i/f
112721: .May 6 10:52:31.663 UTC: AAA/AUTHEN/19 (00000047): Pick method list 'default'

New Member

Re: Port Authentication via Dot1x on 3560's via ACS 3.0

This is a fresh log. Start of authentication to finish. Any ideas why it's failing?

Log Buffer (32768 bytes):

112924: .May 6 11:22:15.538 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
112925: .May 6 11:22:18.146 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
112926: .May 6 11:22:32.315 UTC: AAA/BIND(0000004B): Bind i/f
112927: .May 6 11:22:32.315 UTC: AAA/AUTHEN/19 (0000004B): Pick method list 'default'
112928: .May 6 11:23:03.345 UTC: AAA/BIND(0000004B): Bind i/f
112929: .May 6 11:23:03.345 UTC: AAA/AUTHEN/19 (0000004B): Pick method list 'default'
112930: .May 6 11:23:24.619 UTC: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.20.1.25:1812,1813 is not responding.
112931: .May 6 11:23:24.619 UTC: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.20.1.25:1812,1813 has returned.
112932: .May 6 11:23:33.351 UTC: %SM-4-BADEVENT: Event 'authTimeout' is invalid for the current state 'auth_aborting': dot1x_auth Gi0
-Traceback= B6D4C4 18F7B4 306584 304984 304F2C 8D9B24 8D00EC
112933: .May 6 11:23:35.406 UTC: AAA/BIND(0000004B): Bind i/f
112934: .May 6 11:23:35.406 UTC: AAA/AUTHEN/19 (0000004B): Pick method list 'default'
112935: .May 6 11:24:06.428 UTC: AAA/BIND(0000004B): Bind i/f
112936: .May 6 11:24:06.428 UTC: AAA/AUTHEN/19 (0000004B): Pick method list 'default'
112937: .May 6 11:24:38.481 UTC: AAA/BIND(0000004B): Bind i/f
112938: .May 6 11:24:38.481 UTC: AAA/AUTHEN/19 (0000004B): Pick method list 'default'
