
radius authentication enabled, but no sessions exist

Kjetil Fleten
Level 1

Hello,

We have enabled aaa authentication on a switch, but "show authentication sessions" says "No sessions currently exist".

The switch is a 2960X. Same config works on other switches in the same organisation. Can anyone see what's wrong?

Output of "show run aaa":

aaa authentication login default local
aaa authentication enable default enable
aaa authentication dot1x default group ISE-group
aaa authorization network default group radius local
aaa accounting dot1x default start-stop group ISE-group

radius server ISE1
 address ipv4 192.168.1.10 auth-port 1812 acct-port 1813
 key 7 (string omitted)
!
radius server ISE2
 address ipv4 192.168.1.11 auth-port 1812 acct-port 1813
 key 7 (string omitted)
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server dead-criteria time 10 tries 3
radius-server vsa send cisco-nas-port
!
aaa group server radius ISE-group
 server name ISE1
 server name ISE2
!
aaa new-model
aaa session-id common

Output of sh run interface:

interface GigabitEthernet1/0/5
 switchport mode access
 switchport voice vlan 6
 ip device tracking maximum 2
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication event fail action next-method
 authentication event server dead action authorize vlan 1
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication timer inactivity 120
 authentication timer unauthorized 30
 authentication violation replace
 mab
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 10
 auto qos trust
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input Voip_qos_policy
end

4 Replies

a.alekseev
Level 7

Switch(config)#dot1x system-auth-control

dot1x system-auth-control is already in the config. I just tried to do a "no dot1x system-auth-control" and then re-enable with "dot1x system-auth-control", to see if that helped. The problem persists, though.

Is your radius accessible from the switch?

You can enable debugs:

  • debug dot1x all
  • debug authentication all
  • debug radius (provides the information of radius at debug level)
  • debug aaa authentication (debug for authentication)
  • debug aaa authorization (debug for authorization)

Did anyone find a solution to this? I am having the same issue on a C1000 switch. The same configs work on more than 10 other switches.
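
Before turning on the debugs, a pasted running-config can be checked statically for the commands 802.1X/MAB sessions depend on. The script below is an added example, not code from any poster or from Cisco; `sections` and `check_dot1x` are hypothetical helper names, it assumes the classic `authentication ...` interface syntax used in this thread and one-space indentation as `show running-config` prints it, and it reports only what is absent from the lines it is given, which the thread does not confirm as the cause.

```python
import re

# Constructed sample: abridged from the config quoted in the thread, indented as IOS prints
# it, with "dot1x system-auth-control" added because the poster says it is configured.
SAMPLE = """\
aaa new-model
aaa authentication dot1x default group ISE-group
aaa authorization network default group radius local
dot1x system-auth-control
radius server ISE1
radius server ISE2
aaa group server radius ISE-group
 server name ISE1
 server name ISE2
interface GigabitEthernet1/0/5
 mab
 dot1x pae authenticator
"""

def sections(config):
    """Map each top-level line to the list of its indented child lines."""
    tree, current = {}, None
    for raw in config.splitlines():
        if raw.strip() in ("", "!"):
            continue
        if raw[0].isspace() and current is not None:
            tree[current].append(raw.strip())
        else:
            current = raw.strip()
            tree.setdefault(current, [])
    return tree

def check_dot1x(config):
    """Return findings for missing 802.1X/MAB prerequisites; an empty list means none."""
    tree = sections(config)
    findings = [f"missing global command: {c}"
                for c in ("aaa new-model", "dot1x system-auth-control") if c not in tree]
    servers = {t.split()[-1] for t in tree if t.startswith("radius server ")}
    groups = {t.split()[-1]: k for t, k in tree.items() if t.startswith("aaa group server radius ")}
    for top in tree:  # method lists must name a defined group ("radius" is built in)
        if re.match(r"aaa \S+ (dot1x|network) ", top):
            findings += [f"method list uses undefined group: {g}"
                         for g in re.findall(r"\sgroup (\S+)", top) if g != "radius" and g not in groups]
    for name, kids in groups.items():  # group members must be defined "radius server" entries
        findings += [f"group {name} uses undefined server: {k.split()[-1]}"
                     for k in kids if k.startswith("server name ") and k.split()[-1] not in servers]
    findings += [f"{t}: no 'authentication port-control auto'" for t, k in tree.items()
                 if t.startswith("interface ") and {"mab", "dot1x pae authenticator"} & set(k)
                 and "authentication port-control auto" not in k]
    return findings
```

Calling `check_dot1x` on the text of a saved `show running-config` returns one string per missing prerequisite, which can be compared between a working switch and the failing one.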
