802.1x Authenticates but does not assign the vlan attribute

Hello,

I am currently trying to determine the feasibility of integrating some Cisco gear into our network. With that said, I have borrowed a few pieces of gear and am attempting to mirror what we have from another vendor, and I have run into a problem that I cannot find a solution for. Right now I am trying to keep it simple, so I have a Cisco 2960G 8-port switch set up with one port doing dot1x with MAB for now. The port does authenticate without issue, but it simply refuses to assign a VLAN to the port after the authentication, so the client doesn't have any connectivity. I have attempted to do this from NPS and FreeRADIUS with the same results, using both AV pairs and standard attributes, but it is a no go. The information posted below is one attempt against NPS using both standard attributes and AV pairs (again, just one or the other yields the same results).

There are three pieces of information included: the version, the config, the session data and the debug information from the switch, which does contain the RADIUS reply and authentication verification.

Any ideas would be greatly appreciated, as I have scoured the docs and the web and gone through the debug messages.

Thanks

Jeremy

version:

Model number                    : WS-C2960G-8TC-L
Top Assembly Revision Number    : F0
Version ID                      : V01

Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 8     WS-C2960G-8TC-L    15.0(2)SE11           C2960-LANBASEK9-M


show auth session int g 0/1

            Interface:  GigabitEthernet0/1
          MAC Address:  2c27.d780.42b9
           IP Address:  Unknown
            User-Name:  2c27-d780-42b9
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A280ADE000000250216BF3B
      Acct Session ID:  0x0000002D
               Handle:  0x92000026

Runnable methods list:
       Method   State
       mab      Authc Success

Debug Output

*Mar  1 09:44:02.595: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
*Mar  1 09:44:05.162: AAA/BIND(00000037): Bind i/f
*Mar  1 09:44:05.170: mab-ev(Gi0/1): Received MAB context create from AuthMgr
*Mar  1 09:44:05.170: mab-ev(Gi0/1): Created MAB client context 0x9A00003C
*Mar  1 09:44:05.170:     mab : initial state mab_initialize has enter
*Mar  1 09:44:05.170: mab-sm(Gi0/1): Received event 'MAB_START' on handle 0x9A00003C
*Mar  1 09:44:05.170:     mab : during state mab_initialize, got event 4(mabStart)
*Mar  1 09:44:05.170: @@@ mab : mab_initialize -> mab_acquiring
*Mar  1 09:44:05.279: mab-ev: Received NEW MAC (2c27.d780.42b9) for 0x9A00003C
*Mar  1 09:44:05.279: %AUTHMGR-5-START: Starting 'mab' for client (2c27.d780.42b9) on Interface Gi0/1 AuditSessionID 0A280ADE000000250216BF3B
*Mar  1 09:44:05.279: mab-sm(Gi0/1): Received event 'MAB_AVAILABLE' on handle 0x9A00003C
*Mar  1 09:44:05.279:     mab : during state mab_acquiring, got event 7(mabAvailable)
*Mar  1 09:44:05.279: @@@ mab : mab_acquiring -> mab_authorizing
*Mar  1 09:44:05.279: mab-ev(Gi0/1): Sending create new context event to EAP from MAB for 0x9A00003C (2c27.d780.42b9)
*Mar  1 09:44:05.279: mab-ev: formatted mac = 2c27-d780-42b9
*Mar  1 09:44:05.279: mab-ev: created mab pseudo dot1x profile dot1x_mac_auth_2c27.d780.42b9
*Mar  1 09:44:05.279: mab-ev(Gi0/1): Starting MAC-AUTH-BYPASS for 0x9A00003C (2c27.d780.42b9)
*Mar  1 09:44:05.279: mab-ev: Invalid EVT 9 from EAP
*Mar  1 09:44:05.279: mab-ev: Invalid EVT 9 from EAP
*Mar  1 09:44:05.279: AAA/AUTHEN/8021X (00000037): Pick method list 'default'
*Mar  1 09:44:05.279: RADIUS/ENCODE(00000037):Orig. component type = Dot1X
*Mar  1 09:44:05.279: RADIUS:  AAA Unsupported Attr: service-type      [344] 4   10
*Mar  1 09:44:05.279: RADIUS:  AAA Unsupported Attr: audit-session-id  [819] 24  61834856
*Mar  1 09:44:05.279: RADIUS/ENCODE(00000037): Unsupported AAA attribute hwidb
*Mar  1 09:44:05.279: RADIUS/ENCODE(00000037): Unsupported AAA attribute auth-profile
*Mar  1 09:44:05.279: RADIUS:  AAA Unsupported Attr: interface         [221] 18  61831760
*Mar  1 09:44:05.279: RADIUS(00000037): Config NAS IP: 0.0.0.0
*Mar  1 09:44:05.279: RADIUS(00000037): Config NAS IPv6: ::
*Mar  1 09:44:05.279: RADIUS/ENCODE(00000037): acct_session_id: 45
*Mar  1 09:44:05.279: RADIUS(00000037): sending
*Mar  1 09:44:05.279: RADIUS/ENCODE: Best Local IP-Address 10.40.10.222 for Radius-Server 10.40.1.21
*Mar  1 09:44:05.279: RADIUS(00000037): Send Access-Request to 10.40.1.21:1645 id 1645/59, len 162
*Mar  1 09:44:05.279: RADIUS:  authenticator FF EF 36 D5 56 D8 12 90 - C0 04 AF 6F 0B C0 40 BD
*Mar  1 09:44:05.279: RADIUS:  User-Name           [1]   16  "2c27-d780-42b9"
*Mar  1 09:44:05.287: RADIUS:  User-Password       [2]   18  *
*Mar  1 09:44:05.287: RADIUS:  Service-Type        [6]   6   Call Check                [10]
*Mar  1 09:44:05.287: RADIUS:  Framed-MTU          [12]  6   1500
*Mar  1 09:44:05.287: RADIUS:  Called-Station-Id   [30]  19  "EC-30-91-AF-FD-81"
*Mar  1 09:44:05.287: RADIUS:  Calling-Station-Id  [31]  19  "2C-27-D7-80-42-B9"
*Mar  1 09:44:05.287: RADIUS:  Message-Authenticato[80]  18
*Mar  1 09:44:05.287: RADIUS:   D3 45 4E 86 80 34 84 8B 0E 6C 85 0A F3 03 9F AF              [ EN4l]
*Mar  1 09:44:05.287: RADIUS:  EAP-Key-Name        [102] 2   *
*Mar  1 09:44:05.287: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
*Mar  1 09:44:05.287: RADIUS:  NAS-Port            [5]   6   50001
*Mar  1 09:44:05.287: RADIUS:  NAS-Port-Id         [87]  20  "GigabitEthernet0/1"
*Mar  1 09:44:05.287: RADIUS:  NAS-IP-Address      [4]   6   10.40.10.222
*Mar  1 09:44:05.287: RADIUS(00000037): Sending a IPv4 Radius Packet
*Mar  1 09:44:05.287: RADIUS(00000037): Started 5 sec timeout
*Mar  1 09:44:05.296: RADIUS: Received from id 1645/59 10.40.1.21:1645, Access-Accept, len 200
*Mar  1 09:44:05.296: RADIUS:  authenticator DE 3D 1B B0 C0 EC 6A CD - 42 A4 AB 78 F6 70 0C 60
*Mar  1 09:44:05.296: RADIUS:  Tunnel-Medium-Type  [65]  6   00:ALL_802                [6]
*Mar  1 09:44:05.296: RADIUS:  Tunnel-Private-Group[81]  5   "102"
*Mar  1 09:44:05.296: RADIUS:  Tunnel-Type         [64]  6   00:VLAN                   [13]
*Mar  1 09:44:05.296: RADIUS:  Class               [25]  46
*Mar  1 09:44:05.296: RADIUS:   91 C1 08 B4 00 00 01 37 00 01 02 00 0A 28 01 15 00 00 00 00 51 F4 AA 24 1A C5 91 CB 01 D3 28 B5 5C 3E 3A CC 00 00 00 00 00 05 47 45        [ 7(Q$(\>:GE]
*Mar  1 09:44:05.296: RADIUS:  Vendor, Cisco       [26]  24
*Mar  1 09:44:05.296: RADIUS:   Cisco AVpair       [1]   18  "tunnel-type=VLAN"
*Mar  1 09:44:05.296: RADIUS:  Vendor, Cisco       [26]  34
*Mar  1 09:44:05.296: RADIUS:   Cisco AVpair       [1]   28  "tunnel-medium-type=ALL_802"
*Mar  1 09:44:05.304: RADIUS:  Vendor, Cisco       [26]  35
*Mar  1 09:44:05.304: RADIUS:   Cisco AVpair       [1]   29  "tunnel-private-group-id=102"
*Mar  1 09:44:05.304: RADIUS:  Vendor, Microsoft   [26]  12
*Mar  1 09:44:05.304: RADIUS:   MS-Link-Util-Thresh[14]  6
*Mar  1 09:44:05.304: RADIUS:   00 00 00 32                 [ 2]
*Mar  1 09:44:05.304: RADIUS:  Vendor, Microsoft   [26]  12
*Mar  1 09:44:05.304: RADIUS:   MS-Link-Drop-Time-L[15]  6
*Mar  1 09:44:05.304: RADIUS:   00 00 00 78                 [ x]
*Mar  1 09:44:05.304: RADIUS(00000037): Received from id 1645/59
*Mar  1 09:44:05.304: AAA/AUTHOR (00000037): Method list id=0 not configured. Skip author
*Mar  1 09:44:05.304: mab-ev(Gi0/1): MAB received an Access-Accept for 0x9A00003C (2c27.d780.42b9)
*Mar  1 09:44:05.304: %MAB-5-SUCCESS: Authentication successful for client (2c27.d780.42b9) on Interface Gi0/1 AuditSessionID 0A280ADE000000250216BF3B
*Mar  1 09:44:05.304: mab-sm(Gi0/1): Received event 'MAB_RESULT' on handle 0x9A00003C
*Mar  1 09:44:05.304:     mab : during state mab_authorizing, got event 5(mabResult)
*Mar  1 09:44:05.304: @@@ mab : mab_authorizing -> mab_terminate
*Mar  1 09:44:05.304: mab-ev(Gi0/1): Deleted credentials profile for 0x9A00003C (dot1x_mac_auth_2c27.d780.42b9)
*Mar  1 09:44:05.304: mab-ev(Gi0/1): Sending event (2) to AuthMGR for 2c27.d780.42b9
*Mar  1 09:44:05.304: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (2c27.d780.42b9) on Interface Gi0/1 AuditSessionID 0A280ADE000000250216BF3B
*Mar  1 09:44:05.564: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (2c27.d780.42b9) on Interface Gi0/1 AuditSessionID 0A280ADE000000250216BF3B
*Mar  1 09:44:05.564: RADIUS/ENCODE(00000037):Orig. component type = Dot1X
*Mar  1 09:44:05.564: RADIUS(00000037): Config NAS IP: 0.0.0.0
*Mar  1 09:44:05.564: RADIUS(00000037): Config NAS IPv6: ::
*Mar  1 09:44:05.564: RADIUS(00000037): sending
*Mar  1 09:44:05.564: RADIUS/ENCODE: Best Local IP-Address 10.40.10.222 for Radius-Server 10.40.1.21
*Mar  1 09:44:05.564: RADIUS(00000037): Send Accounting-Request to 10.40.1.21:1646 id 1646/61, len 192
*Mar  1 09:44:05.564: RADIUS:  authenticator 36 BE 06 0A BF 1F D0 44 - BA 5D 4D 34 19 95 F8 C0
*Mar  1 09:44:05.564: RADIUS:  Acct-Session-Id     [44]  10  "0000002D"
*Mar  1 09:44:05.564: RADIUS:  Calling-Station-Id  [31]  19  "2C-27-D7-80-42-B9"
*Mar  1 09:44:05.564: RADIUS:  User-Name           [1]   16  "2c27-d780-42b9"
*Mar  1 09:44:05.564: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
*Mar  1 09:44:05.564: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
*Mar  1 09:44:05.564: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
*Mar  1 09:44:05.564: RADIUS:  NAS-Port            [5]   6   50001
*Mar  1 09:44:05.564: RADIUS:  NAS-Port-Id         [87]  20  "GigabitEthernet0/1"
*Mar  1 09:44:05.564: RADIUS:  Called-Station-Id   [30]  19  "EC-30-91-AF-FD-81"
*Mar  1 09:44:05.564: RADIUS:  Class               [25]  46
*Mar  1 09:44:05.564: RADIUS:   91 C1 08 B4 00 00 01 37 00 01 02 00 0A 28 01 15 00 00 00 00 51 F4 AA 24 1A C5 91 CB 01 D3 28 B5 5C 3E 3A CC 00 00 00 00 00 05 47 45        [ 7(Q$(\>:GE]
*Mar  1 09:44:05.564: RADIUS:  Service-Type        [6]   6   Framed                    [2]
*Mar  1 09:44:05.564: RADIUS:  NAS-IP-Address      [4]   6   10.40.10.222
*Mar  1 09:44:05.564: RADIUS:  Acct-Delay-Time     [41]  6   0
*Mar  1 09:44:05.564: RADIUS(00000037): Sending a IPv4 Radius Packet
*Mar  1 09:44:05.564: RADIUS(00000037): Started 5 sec timeout
*Mar  1 09:44:05.564: RADIUS: Received from id 1646/61 10.40.1.21:1646, Accounting-response, len 20
*Mar  1 09:44:05.573: RADIUS:  authenticator F6 45 3E AB CF 3B A7 B3 - 72 00 EE 72 D6 C6 31 A4
*Mar  1 09:44:07.158: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
*Mar  1 09:44:08.165: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up

Config

Building configuration...

Current configuration : 3687 bytes
!
! Last configuration change at 09:44:14 UTC Mon Mar 1 1993 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco-2960G
!
boot-start-marker
boot-end-marker
!
!
username admin privilege 15 secret 5 …
aaa new-model
!
!
aaa group server radius dot1x-auth
 server name nps
!
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network group group radius
aaa accounting dot1x default start-stop group radius
!
!
!
!
!
!
aaa session-id common
system mtu routing 1500
vtp mode off
!
!
no ip domain-lookup
ip domain-name emcc.edu
!
mab request format attribute 1 groupsize 4 separator - lowercase
mab request format attribute 2 0 .....
!
crypto pki trustpoint TP-self-signed-2444230016
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2444230016
 revocation-check none
 rsakeypair TP-self-signed-2444230016
!
!
crypto pki certificate chain TP-self-signed-2444230016
 certificate self-signed 01
        quit
dot1x system-auth-control
dot1x guest-vlan supplicant
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 102
 name Staff
!
vlan 104
 name Labs
!
vlan 110
 name Management
!
lldp run
!
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
!
!
interface GigabitEthernet0/1
 switchport mode access
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication port-control auto
 mab
 spanning-tree portfast
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
 switchport access vlan 102
 switchport mode access
!
interface GigabitEthernet0/8
 switchport mode trunk
!
interface Vlan1
 no ip address
!
interface Vlan110
 ip address 10.40.10.222 255.255.255.0
!
ip default-gateway 10.40.10.1
ip http server
ip http secure-server
radius-server host 10.40.1.21 key .....
!
!
!
vstack
!
line con 0
line vty 0 4
 session-timeout 35791
line vty 5 15
!
end
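The Access-Accept above carries a complete Tunnel-Type=VLAN / Tunnel-Medium-Type=802 / Tunnel-Private-Group-ID=102 triple, so the server side is doing its job; the telling line is `AAA/AUTHOR (00000037): Method list id=0 not configured. Skip author`, which the switch logs when no default network authorization list exists, and the config indeed defines a named list (`aaa authorization network group group radius`) rather than `aaa authorization network default group radius`, which dot1x/MAB use. The following added Python checker (not from the post, NPS or Cisco) correlates those three pieces of evidence over constructed excerpts of the output quoted above; the regex assumes the `debug radius` attribute layout shown on this page.

```python
import re

# Constructed excerpts of the switch output quoted in the post, trimmed to the relevant lines.
ACCESS_ACCEPT = """\
RADIUS:  Tunnel-Medium-Type  [65]  6   00:ALL_802                [6]
RADIUS:  Tunnel-Private-Group[81]  5   "102"
RADIUS:  Tunnel-Type         [64]  6   00:VLAN                   [13]
"""
DEBUG_LOG = """\
AAA/AUTHOR (00000037): Method list id=0 not configured. Skip author
mab-ev(Gi0/1): MAB received an Access-Accept for 0x9A00003C (2c27.d780.42b9)
"""
RUNNING_CONFIG = """\
aaa authentication dot1x default group radius
aaa authorization network group group radius
aaa accounting dot1x default start-stop group radius
"""

# Matches "RADIUS:  <Tunnel-attr>[<num>]  <len>  <value>"; the name may run into "[" when truncated.
ATTR_RE = re.compile(r'RADIUS:\s+(Tunnel-[\w-]+)\s*\[\d+\]\s+\d+\s+(.+)$')

def reply_vlan(accept_text):
    """Return the VLAN id carried by a complete RFC 3580 tunnel triple, else None."""
    attrs = {}
    for line in accept_text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            attrs[m.group(1)] = m.group(2).strip()
    if "VLAN" not in attrs.get("Tunnel-Type", "") or "802" not in attrs.get("Tunnel-Medium-Type", ""):
        return None
    return attrs.get("Tunnel-Private-Group", "").strip('"') or None

def default_network_authz_present(config_text):
    """True if the config defines the default network authorization list that dot1x/MAB use."""
    pat = re.compile(r'^aaa authorization network default(\s|$)')
    return any(pat.match(line.strip()) for line in config_text.splitlines())

def diagnose(accept_text, debug_text, config_text):
    """Correlate server reply, switch debug and running config; return (vlan, findings)."""
    vlan = reply_vlan(accept_text)
    findings = []
    if vlan is None:
        findings.append("server reply lacks a complete Tunnel-Type/Medium-Type/Private-Group-ID triple")
    if "Skip author" in debug_text:
        findings.append("switch skipped network authorization, so the returned VLAN was never applied")
    if not default_network_authz_present(config_text):
        findings.append("config lacks 'aaa authorization network default group radius'")
    return vlan, findings
```

Running `diagnose(ACCESS_ACCEPT, DEBUG_LOG, RUNNING_CONFIG)` on these excerpts returns VLAN "102" with two findings, both pointing at the missing default authorization list rather than at the RADIUS server.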