12-06-2017 10:10 PM - edited 02-21-2020 10:41 AM
Hello,
I am currently trying to determine the feasibility of integrating some Cisco gear into our network. With that said, I have borrowed a few pieces of gear and am attempting to mirror what we have from another vendor, and I have run into a problem that I cannot find a solution for. Right now I am trying to keep it simple, so I have a Cisco 2960G 8-port switch set up with one port doing dot1x with MAB for now. The port does authenticate without issue, but it simply refuses to assign a VLAN to the port after the authentication, so the client doesn't have any connectivity. I have attempted to do this from NPS and FreeRADIUS with the same results, using both AV pairs and standard attributes, but it is a no go. The information posted below is one attempt against NPS using both standard attributes and AV pairs (again, just one or the other yields the same results).
There are three pieces of information included: the version, the config, the session data and the debug information from the switch which does contain the radius reply and authentication verification.
Any ideas would be greatly appreciated, as I have scoured the docs and the web and gone through the debug messages.
Thanks
Jeremy
version:
Model number : WS-C2960G-8TC-L
Top Assembly Revision Number : F0
Version ID : V01

Switch Ports Model              SW Version    SW Image
------ ----- -----              ----------    ----------
*    1 8     WS-C2960G-8TC-L    15.0(2)SE11   C2960-LANBASEK9-M
show auth session int g 0/1
Interface: GigabitEthernet0/1
MAC Address: 2c27.d780.42b9
IP Address: Unknown
User-Name: 2c27-d780-42b9
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A280ADE000000250216BF3B
Acct Session ID: 0x0000002D
Handle: 0x92000026
Runnable methods list:
Method State
mab Authc Success
Debug Output
*Mar 1 09:44:02.595: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
*Mar 1 09:44:05.162: AAA/BIND(00000037): Bind i/f
*Mar 1 09:44:05.170: mab-ev(Gi0/1): Received MAB context create from AuthMgr
*Mar 1 09:44:05.170: mab-ev(Gi0/1): Created MAB client context 0x9A00003C
*Mar 1 09:44:05.170: mab : initial state mab_initialize has enter
*Mar 1 09:44:05.170: mab-sm(Gi0/1): Received event 'MAB_START' on handle 0x9A00003C
*Mar 1 09:44:05.170: mab : during state mab_initialize, got event 4(mabStart)
*Mar 1 09:44:05.170: @@@ mab : mab_initialize -> mab_acquiring
*Mar 1 09:44:05.279: mab-ev: Received NEW MAC (2c27.d780.42b9) for 0x9A00003C
*Mar 1 09:44:05.279: %AUTHMGR-5-START: Starting 'mab' for client (2c27.d780.42b9) on Interface Gi0/1 AuditSessionID 0A280ADE000000250216BF3B
*Mar 1 09:44:05.279: mab-sm(Gi0/1): Received event 'MAB_AVAILABLE' on handle 0x9A00003C
*Mar 1 09:44:05.279: mab : during state mab_acquiring, got event 7(mabAvailable)
*Mar 1 09:44:05.279: @@@ mab : mab_acquiring -> mab_authorizing
*Mar 1 09:44:05.279: mab-ev(Gi0/1): Sending create new context event to EAP from MAB for 0x9A00003C (2c27.d780.42b9)
*Mar 1 09:44:05.279: mab-ev: formatted mac = 2c27-d780-42b9
*Mar 1 09:44:05.279: mab-ev: created mab pseudo dot1x profile dot1x_mac_auth_2c27.d780.42b9
*Mar 1 09:44:05.279: mab-ev(Gi0/1): Starting MAC-AUTH-BYPASS for 0x9A00003C (2c27.d780.42b9)
*Mar 1 09:44:05.279: mab-ev: Invalid EVT 9 from EAP
*Mar 1 09:44:05.279: mab-ev: Invalid EVT 9 from EAP
*Mar 1 09:44:05.279: AAA/AUTHEN/8021X (00000037): Pick method list 'default'
*Mar 1 09:44:05.279: RADIUS/ENCODE(00000037):Orig. component type = Dot1X
*Mar 1 09:44:05.279: RADIUS: AAA Unsupported Attr: service-type [344] 4 10
*Mar 1 09:44:05.279: RADIUS: AAA Unsupported Attr: audit-session-id [819] 24 61834856
*Mar 1 09:44:05.279: RADIUS/ENCODE(00000037): Unsupported AAA attribute hwidb
*Mar 1 09:44:05.279: RADIUS/ENCODE(00000037): Unsupported AAA attribute auth-profile
*Mar 1 09:44:05.279: RADIUS: AAA Unsupported Attr: interface [221] 18 61831760
*Mar 1 09:44:05.279: RADIUS(00000037): Config NAS IP: 0.0.0.0
*Mar 1 09:44:05.279: RADIUS(00000037): Config NAS IPv6: ::
*Mar 1 09:44:05.279: RADIUS/ENCODE(00000037): acct_session_id: 45
*Mar 1 09:44:05.279: RADIUS(00000037): sending
*Mar 1 09:44:05.279: RADIUS/ENCODE: Best Local IP-Address 10.40.10.222 for Radius-Server 10.40.1.21
*Mar 1 09:44:05.279: RADIUS(00000037): Send Access-Request to 10.40.1.21:1645 id 1645/59, len 162
*Mar 1 09:44:05.279: RADIUS: authenticator FF EF 36 D5 56 D8 12 90 - C0 04 AF 6F 0B C0 40 BD
*Mar 1 09:44:05.279: RADIUS: User-Name [1] 16 "2c27-d780-42b9"
*Mar 1 09:44:05.287: RADIUS: User-Password [2] 18 *
*Mar 1 09:44:05.287: RADIUS: Service-Type [6] 6 Call Check [10]
*Mar 1 09:44:05.287: RADIUS: Framed-MTU [12] 6 1500
*Mar 1 09:44:05.287: RADIUS: Called-Station-Id [30] 19 "EC-30-91-AF-FD-81"
*Mar 1 09:44:05.287: RADIUS: Calling-Station-Id [31] 19 "2C-27-D7-80-42-B9"
*Mar 1 09:44:05.287: RADIUS: Message-Authenticato[80] 18
*Mar 1 09:44:05.287: RADIUS: D3 45 4E 86 80 34 84 8B 0E 6C 85 0A F3 03 9F AF [ EN4l]
*Mar 1 09:44:05.287: RADIUS: EAP-Key-Name [102] 2 *
*Mar 1 09:44:05.287: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Mar 1 09:44:05.287: RADIUS: NAS-Port [5] 6 50001
*Mar 1 09:44:05.287: RADIUS: NAS-Port-Id [87] 20 "GigabitEthernet0/1"
*Mar 1 09:44:05.287: RADIUS: NAS-IP-Address [4] 6 10.40.10.222
*Mar 1 09:44:05.287: RADIUS(00000037): Sending a IPv4 Radius Packet
*Mar 1 09:44:05.287: RADIUS(00000037): Started 5 sec timeout
*Mar 1 09:44:05.296: RADIUS: Received from id 1645/59 10.40.1.21:1645, Access-Accept, len 200
*Mar 1 09:44:05.296: RADIUS: authenticator DE 3D 1B B0 C0 EC 6A CD - 42 A4 AB 78 F6 70 0C 60
*Mar 1 09:44:05.296: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
*Mar 1 09:44:05.296: RADIUS: Tunnel-Private-Group[81] 5 "102"
*Mar 1 09:44:05.296: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
*Mar 1 09:44:05.296: RADIUS: Class [25] 46
*Mar 1 09:44:05.296: RADIUS: 91 C1 08 B4 00 00 01 37 00 01 02 00 0A 28 01 15 00 00 00 00 51 F4 AA 24 1A C5 91 CB 01 D3 28 B5 5C 3E 3A CC 00 00 00 00 00 05 47 45 [ 7(Q$(\>:GE]
*Mar 1 09:44:05.296: RADIUS: Vendor, Cisco [26] 24
*Mar 1 09:44:05.296: RADIUS: Cisco AVpair [1] 18 "tunnel-type=VLAN"
*Mar 1 09:44:05.296: RADIUS: Vendor, Cisco [26] 34
*Mar 1 09:44:05.296: RADIUS: Cisco AVpair [1] 28 "tunnel-medium-type=ALL_802"
*Mar 1 09:44:05.304: RADIUS: Vendor, Cisco [26] 35
*Mar 1 09:44:05.304: RADIUS: Cisco AVpair [1] 29 "tunnel-private-group-id=102"
*Mar 1 09:44:05.304: RADIUS: Vendor, Microsoft [26] 12
*Mar 1 09:44:05.304: RADIUS: MS-Link-Util-Thresh[14] 6
*Mar 1 09:44:05.304: RADIUS: 00 00 00 32 [ 2]
*Mar 1 09:44:05.304: RADIUS: Vendor, Microsoft [26] 12
*Mar 1 09:44:05.304: RADIUS: MS-Link-Drop-Time-L[15] 6
*Mar 1 09:44:05.304: RADIUS: 00 00 00 78 [ x]
*Mar 1 09:44:05.304: RADIUS(00000037): Received from id 1645/59
*Mar 1 09:44:05.304: AAA/AUTHOR (00000037): Method list id=0 not configured. Skip author
*Mar 1 09:44:05.304: mab-ev(Gi0/1): MAB received an Access-Accept for 0x9A00003C (2c27.d780.42b9)
*Mar 1 09:44:05.304: %MAB-5-SUCCESS: Authentication successful for client (2c27.d780.42b9) on Interface Gi0/1 AuditSessionID 0A280ADE000000250216BF3B
*Mar 1 09:44:05.304: mab-sm(Gi0/1): Received event 'MAB_RESULT' on handle 0x9A00003C
*Mar 1 09:44:05.304: mab : during state mab_authorizing, got event 5(mabResult)
*Mar 1 09:44:05.304: @@@ mab : mab_authorizing -> mab_terminate
*Mar 1 09:44:05.304: mab-ev(Gi0/1): Deleted credentials profile for 0x9A00003C (dot1x_mac_auth_2c27.d780.42b9)
*Mar 1 09:44:05.304: mab-ev(Gi0/1): Sending event (2) to AuthMGR for 2c27.d780.42b9
*Mar 1 09:44:05.304: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (2c27.d780.42b9) on Interface Gi0/1 AuditSessionID 0A280ADE000000250216BF3B
*Mar 1 09:44:05.564: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (2c27.d780.42b9) on Interface Gi0/1 AuditSessionID 0A280ADE000000250216BF3B
*Mar 1 09:44:05.564: RADIUS/ENCODE(00000037):Orig. component type = Dot1X
*Mar 1 09:44:05.564: RADIUS(00000037): Config NAS IP: 0.0.0.0
*Mar 1 09:44:05.564: RADIUS(00000037): Config NAS IPv6: ::
*Mar 1 09:44:05.564: RADIUS(00000037): sending
*Mar 1 09:44:05.564: RADIUS/ENCODE: Best Local IP-Address 10.40.10.222 for Radius-Server 10.40.1.21
*Mar 1 09:44:05.564: RADIUS(00000037): Send Accounting-Request to 10.40.1.21:1646 id 1646/61, len 192
*Mar 1 09:44:05.564: RADIUS: authenticator 36 BE 06 0A BF 1F D0 44 - BA 5D 4D 34 19 95 F8 C0
*Mar 1 09:44:05.564: RADIUS: Acct-Session-Id [44] 10 "0000002D"
*Mar 1 09:44:05.564: RADIUS: Calling-Station-Id [31] 19 "2C-27-D7-80-42-B9"
*Mar 1 09:44:05.564: RADIUS: User-Name [1] 16 "2c27-d780-42b9"
*Mar 1 09:44:05.564: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
*Mar 1 09:44:05.564: RADIUS: Acct-Status-Type [40] 6 Start [1]
*Mar 1 09:44:05.564: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Mar 1 09:44:05.564: RADIUS: NAS-Port [5] 6 50001
*Mar 1 09:44:05.564: RADIUS: NAS-Port-Id [87] 20 "GigabitEthernet0/1"
*Mar 1 09:44:05.564: RADIUS: Called-Station-Id [30] 19 "EC-30-91-AF-FD-81"
*Mar 1 09:44:05.564: RADIUS: Class [25] 46
*Mar 1 09:44:05.564: RADIUS: 91 C1 08 B4 00 00 01 37 00 01 02 00 0A 28 01 15 00 00 00 00 51 F4 AA 24 1A C5 91 CB 01 D3 28 B5 5C 3E 3A CC 00 00 00 00 00 05 47 45 [ 7(Q$(\>:GE]
*Mar 1 09:44:05.564: RADIUS: Service-Type [6] 6 Framed [2]
*Mar 1 09:44:05.564: RADIUS: NAS-IP-Address [4] 6 10.40.10.222
*Mar 1 09:44:05.564: RADIUS: Acct-Delay-Time [41] 6 0
*Mar 1 09:44:05.564: RADIUS(00000037): Sending a IPv4 Radius Packet
*Mar 1 09:44:05.564: RADIUS(00000037): Started 5 sec timeout
*Mar 1 09:44:05.564: RADIUS: Received from id 1646/61 10.40.1.21:1646, Accounting-response, len 20
*Mar 1 09:44:05.573: RADIUS: authenticator F6 45 3E AB CF 3B A7 B3 - 72 00 EE 72 D6 C6 31 A4
*Mar 1 09:44:07.158: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
*Mar 1 09:44:08.165: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
Config
Building configuration...

Current configuration : 3687 bytes
!
! Last configuration change at 09:44:14 UTC Mon Mar 1 1993 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco-2960G
!
boot-start-marker
boot-end-marker
!
!
username admin privilege 15 secret 5 …
aaa new-model
!
!
aaa group server radius dot1x-auth
 server name nps
!
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network group group radius
aaa accounting dot1x default start-stop group radius
!
!
!
!
!
!
aaa session-id common
system mtu routing 1500
vtp mode off
!
!
no ip domain-lookup
ip domain-name emcc.edu
!
mab request format attribute 1 groupsize 4 separator - lowercase
mab request format attribute 2 0 .....
!
crypto pki trustpoint TP-self-signed-2444230016
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2444230016
 revocation-check none
 rsakeypair TP-self-signed-2444230016
!
!
crypto pki certificate chain TP-self-signed-2444230016
 certificate self-signed 01
  [self-signed certificate hex dump omitted]
  quit
dot1x system-auth-control
dot1x guest-vlan supplicant
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 102
 name Staff
!
vlan 104
 name Labs
!
vlan 110
 name Management
!
lldp run
!
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
!
!
interface GigabitEthernet0/1
 switchport mode access
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication port-control auto
 mab
 spanning-tree portfast
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
 switchport access vlan 102
 switchport mode access
!
interface GigabitEthernet0/8
 switchport mode trunk
!
interface Vlan1
 no ip address
!
interface Vlan110
 ip address 10.40.10.222 255.255.255.0
!
ip default-gateway 10.40.10.1
ip http server
ip http secure-server
radius-server host 10.40.1.21 key .....
!
!
!
vstack
!
line con 0
line vty 0 4
 session-timeout 35791
line vty 5 15
!
end
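As an added diagnostic that is not part of the original post: a small Python script that reads the switch debug excerpt quoted above, decodes the attributes returned in the Access-Accept, and checks for the "Method list id=0 not configured. Skip author" line; on IOS that line means no default network authorization method list exists, and that list is what applies RADIUS-returned attributes such as a VLAN to the port. The log excerpt is constructed from lines quoted in the post.

```python
import re

# Constructed excerpt of the switch debug output quoted in the post (lines copied from it).
DEBUG_LOG = """\
*Mar 1 09:44:05.296: RADIUS: Received from id 1645/59 10.40.1.21:1645, Access-Accept, len 200
*Mar 1 09:44:05.296: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
*Mar 1 09:44:05.296: RADIUS: Tunnel-Private-Group[81] 5 "102"
*Mar 1 09:44:05.296: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
*Mar 1 09:44:05.304: RADIUS: Cisco AVpair [1] 29 "tunnel-private-group-id=102"
*Mar 1 09:44:05.304: RADIUS(00000037): Received from id 1645/59
*Mar 1 09:44:05.304: AAA/AUTHOR (00000037): Method list id=0 not configured.
Skip author
*Mar 1 09:44:05.564: RADIUS(00000037): Send Accounting-Request to 10.40.1.21:1646 id 1646/61, len 192
*Mar 1 09:44:05.564: RADIUS: Service-Type [6] 6 Framed [2]
"""

# One decoded attribute line: "RADIUS: <Name> [<id>] <len> <value>"; the name may abut "[".
ATTR_RE = re.compile(r'RADIUS: (?P<name>[A-Za-z][A-Za-z-]*)\s*\[(?P<id>\d+)\]\s+\d+\s*(?P<val>.*)$')
END_RE = re.compile(r'RADIUS\(\d+\): Received from id')   # marks the end of the decoded reply

def parse_access_accept(log):
    """Return {attribute_id: value} for the attributes decoded from the Access-Accept."""
    attrs, in_reply = {}, False
    for line in log.splitlines():
        if 'Access-Accept' in line:
            in_reply = True
            continue
        if in_reply and END_RE.search(line):
            break
        m = ATTR_RE.search(line) if in_reply else None
        if m:
            attrs[int(m.group('id'))] = m.group('val').strip().strip('"')
    return attrs

def diagnose(log):
    """Return (vlan_or_None, findings) explaining a session that shows 'Vlan Policy: N/A'."""
    attrs = parse_access_accept(log)
    findings = []
    # RFC 3580 VLAN assignment needs Tunnel-Type(64)=VLAN, Tunnel-Medium-Type(65)=802, Tunnel-Private-Group-ID(81).
    vlan = attrs.get(81) if 64 in attrs and 65 in attrs else None
    if vlan:
        findings.append(f'server returned VLAN {vlan} ({attrs[64]}, {attrs[65]})')
    else:
        findings.append('Access-Accept lacks the 64/65/81 tunnel attribute triple')
    if re.search(r'Method list id=0 not configured\.\s*Skip author', log):
        findings.append('switch skipped network authorization (no default network authorization method list), so returned attributes were not applied')
    return vlan, findings
```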