12-12-2017 01:28 AM - edited 03-08-2019 01:04 PM
Hello,
I am currently trying to determine the feasibility of integrating some Cisco gear into our network. With that said, I have borrowed a few pieces of gear and am attempting to mirror what we have from another vendor, and I have run into a problem that I cannot find a solution for. Right now I am trying to keep it simple, so I have a Cisco 2960G 8-port switch set up with one port doing dot1x with MAB for now. The port does authenticate without issue, but it simply refuses to assign a VLAN to the port after the authentication, so the client doesn't have any connectivity. I have attempted to do this from NPS and FreeRADIUS with the same results, using both AV pairs and standard attributes, but it is a no go. The information posted below is one attempt against NPS using both standard attributes and AV pairs (again, using just one or the other yields the same results).
There are three pieces of information included: the version, the config, the session data and the debug information from the switch, which does contain the RADIUS reply and authentication verification.
Any ideas would be greatly appreciated, as I have scoured the docs and the web and gone through the debug messages.
Thanks
Jeremy
version:
Model number : WS-C2960G-8TC-L
Top Assembly Revision Number : F0
Version ID : V01

Switch Ports Model              SW Version    SW Image
------ ----- -----              ----------    ----------
*    1 8     WS-C2960G-8TC-L    15.0(2)SE11   C2960-LANBASEK9-M
show auth session int g 0/1
Interface: GigabitEthernet0/1
MAC Address: 2c27.d780.42b9
IP Address: Unknown
User-Name: 2c27-d780-42b9
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A280ADE000000250216BF3B
Acct Session ID: 0x0000002D
Handle: 0x92000026

Runnable methods list:
Method State
mab Authc Success
Debug Output
*Mar 1 09:44:02.595: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
*Mar 1 09:44:05.162: AAA/BIND(00000037): Bind i/f
*Mar 1 09:44:05.170: mab-ev(Gi0/1): Received MAB context create from AuthMgr
*Mar 1 09:44:05.170: mab-ev(Gi0/1): Created MAB client context 0x9A00003C
*Mar 1 09:44:05.170: mab : initial state mab_initialize has enter
*Mar 1 09:44:05.170: mab-sm(Gi0/1): Received event 'MAB_START' on handle 0x9A00003C
*Mar 1 09:44:05.170: mab : during state mab_initialize, got event 4(mabStart)
*Mar 1 09:44:05.170: @@@ mab : mab_initialize -> mab_acquiring
*Mar 1 09:44:05.279: mab-ev: Received NEW MAC (2c27.d780.42b9) for 0x9A00003C
*Mar 1 09:44:05.279: %AUTHMGR-5-START: Starting 'mab' for client (2c27.d780.42b9) on Interface Gi0/1 AuditSessionID 0A280ADE000000250216BF3B
*Mar 1 09:44:05.279: mab-sm(Gi0/1): Received event 'MAB_AVAILABLE' on handle 0x9A00003C
*Mar 1 09:44:05.279: mab : during state mab_acquiring, got event 7(mabAvailable)
*Mar 1 09:44:05.279: @@@ mab : mab_acquiring -> mab_authorizing
*Mar 1 09:44:05.279: mab-ev(Gi0/1): Sending create new context event to EAP from MAB for 0x9A00003C (2c27.d780.42b9)
*Mar 1 09:44:05.279: mab-ev: formatted mac = 2c27-d780-42b9
*Mar 1 09:44:05.279: mab-ev: created mab pseudo dot1x profile dot1x_mac_auth_2c27.d780.42b9
*Mar 1 09:44:05.279: mab-ev(Gi0/1): Starting MAC-AUTH-BYPASS for 0x9A00003C (2c27.d780.42b9)
*Mar 1 09:44:05.279: mab-ev: Invalid EVT 9 from EAP
*Mar 1 09:44:05.279: mab-ev: Invalid EVT 9 from EAP
*Mar 1 09:44:05.279: AAA/AUTHEN/8021X (00000037): Pick method list 'default'
*Mar 1 09:44:05.279: RADIUS/ENCODE(00000037):Orig. component type = Dot1X
*Mar 1 09:44:05.279: RADIUS: AAA Unsupported Attr: service-type [344] 4 10
*Mar 1 09:44:05.279: RADIUS: AAA Unsupported Attr: audit-session-id [819] 24 61834856
*Mar 1 09:44:05.279: RADIUS/ENCODE(00000037): Unsupported AAA attribute hwidb
*Mar 1 09:44:05.279: RADIUS/ENCODE(00000037): Unsupported AAA attribute auth-profile
*Mar 1 09:44:05.279: RADIUS: AAA Unsupported Attr: interface [221] 18 61831760
*Mar 1 09:44:05.279: RADIUS(00000037): Config NAS IP: 0.0.0.0
*Mar 1 09:44:05.279: RADIUS(00000037): Config NAS IPv6: ::
*Mar 1 09:44:05.279: RADIUS/ENCODE(00000037): acct_session_id: 45
*Mar 1 09:44:05.279: RADIUS(00000037): sending
*Mar 1 09:44:05.279: RADIUS/ENCODE: Best Local IP-Address 10.40.10.222 for Radius-Server 10.40.1.21
*Mar 1 09:44:05.279: RADIUS(00000037): Send Access-Request to 10.40.1.21:1645 id 1645/59, len 162
*Mar 1 09:44:05.279: RADIUS: authenticator FF EF 36 D5 56 D8 12 90 - C0 04 AF 6F 0B C0 40 BD
*Mar 1 09:44:05.279: RADIUS: User-Name [1] 16 "2c27-d780-42b9"
*Mar 1 09:44:05.287: RADIUS: User-Password [2] 18 *
*Mar 1 09:44:05.287: RADIUS: Service-Type [6] 6 Call Check [10]
*Mar 1 09:44:05.287: RADIUS: Framed-MTU [12] 6 1500
*Mar 1 09:44:05.287: RADIUS: Called-Station-Id [30] 19 "EC-30-91-AF-FD-81"
*Mar 1 09:44:05.287: RADIUS: Calling-Station-Id [31] 19 "2C-27-D7-80-42-B9"
*Mar 1 09:44:05.287: RADIUS: Message-Authenticato[80] 18
*Mar 1 09:44:05.287: RADIUS: D3 45 4E 86 80 34 84 8B 0E 6C 85 0A F3 03 9F AF [ EN4l]
*Mar 1 09:44:05.287: RADIUS: EAP-Key-Name [102] 2 *
*Mar 1 09:44:05.287: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Mar 1 09:44:05.287: RADIUS: NAS-Port [5] 6 50001
*Mar 1 09:44:05.287: RADIUS: NAS-Port-Id [87] 20 "GigabitEthernet0/1"
*Mar 1 09:44:05.287: RADIUS: NAS-IP-Address [4] 6 10.40.10.222
*Mar 1 09:44:05.287: RADIUS(00000037): Sending a IPv4 Radius Packet
*Mar 1 09:44:05.287: RADIUS(00000037): Started 5 sec timeout
*Mar 1 09:44:05.296: RADIUS: Received from id 1645/59 10.40.1.21:1645, Access-Accept, len 200
*Mar 1 09:44:05.296: RADIUS: authenticator DE 3D 1B B0 C0 EC 6A CD - 42 A4 AB 78 F6 70 0C 60
*Mar 1 09:44:05.296: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
*Mar 1 09:44:05.296: RADIUS: Tunnel-Private-Group[81] 5 "102"
*Mar 1 09:44:05.296: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
*Mar 1 09:44:05.296: RADIUS: Class [25] 46
*Mar 1 09:44:05.296: RADIUS: 91 C1 08 B4 00 00 01 37 00 01 02 00 0A 28 01 15 00 00 00 00 51 F4 AA 24 1A C5 91 CB 01 D3 28 B5 5C 3E 3A CC 00 00 00 00 00 05 47 45 [ 7(Q$(\>:GE]
*Mar 1 09:44:05.296: RADIUS: Vendor, Cisco [26] 24
*Mar 1 09:44:05.296: RADIUS: Cisco AVpair [1] 18 "tunnel-type=VLAN"
*Mar 1 09:44:05.296: RADIUS: Vendor, Cisco [26] 34
*Mar 1 09:44:05.296: RADIUS: Cisco AVpair [1] 28 "tunnel-medium-type=ALL_802"
*Mar 1 09:44:05.304: RADIUS: Vendor, Cisco [26] 35
*Mar 1 09:44:05.304: RADIUS: Cisco AVpair [1] 29 "tunnel-private-group-id=102"
*Mar 1 09:44:05.304: RADIUS: Vendor, Microsoft [26] 12
*Mar 1 09:44:05.304: RADIUS: MS-Link-Util-Thresh[14] 6
*Mar 1 09:44:05.304: RADIUS: 00 00 00 32 [ 2]
*Mar 1 09:44:05.304: RADIUS: Vendor, Microsoft [26] 12
*Mar 1 09:44:05.304: RADIUS: MS-Link-Drop-Time-L[15] 6
*Mar 1 09:44:05.304: RADIUS: 00 00 00 78 [ x]
*Mar 1 09:44:05.304: RADIUS(00000037): Received from id 1645/59
*Mar 1 09:44:05.304: AAA/AUTHOR (00000037): Method list id=0 not configured. Skip author
*Mar 1 09:44:05.304: mab-ev(Gi0/1): MAB received an Access-Accept for 0x9A00003C (2c27.d780.42b9)
*Mar 1 09:44:05.304: %MAB-5-SUCCESS: Authentication successful for client (2c27.d780.42b9) on Interface Gi0/1 AuditSessionID 0A280ADE000000250216BF3B
*Mar 1 09:44:05.304: mab-sm(Gi0/1): Received event 'MAB_RESULT' on handle 0x9A00003C
*Mar 1 09:44:05.304: mab : during state mab_authorizing, got event 5(mabResult)
*Mar 1 09:44:05.304: @@@ mab : mab_authorizing -> mab_terminate
*Mar 1 09:44:05.304: mab-ev(Gi0/1): Deleted credentials profile for 0x9A00003C (dot1x_mac_auth_2c27.d780.42b9)
*Mar 1 09:44:05.304: mab-ev(Gi0/1): Sending event (2) to AuthMGR for 2c27.d780.42b9
*Mar 1 09:44:05.304: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (2c27.d780.42b9) on Interface Gi0/1 AuditSessionID 0A280ADE000000250216BF3B
*Mar 1 09:44:05.564: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (2c27.d780.42b9) on Interface Gi0/1 AuditSessionID 0A280ADE000000250216BF3B
*Mar 1 09:44:05.564: RADIUS/ENCODE(00000037):Orig. component type = Dot1X
*Mar 1 09:44:05.564: RADIUS(00000037): Config NAS IP: 0.0.0.0
*Mar 1 09:44:05.564: RADIUS(00000037): Config NAS IPv6: ::
*Mar 1 09:44:05.564: RADIUS(00000037): sending
*Mar 1 09:44:05.564: RADIUS/ENCODE: Best Local IP-Address 10.40.10.222 for Radius-Server 10.40.1.21
*Mar 1 09:44:05.564: RADIUS(00000037): Send Accounting-Request to 10.40.1.21:1646 id 1646/61, len 192
*Mar 1 09:44:05.564: RADIUS: authenticator 36 BE 06 0A BF 1F D0 44 - BA 5D 4D 34 19 95 F8 C0
*Mar 1 09:44:05.564: RADIUS: Acct-Session-Id [44] 10 "0000002D"
*Mar 1 09:44:05.564: RADIUS: Calling-Station-Id [31] 19 "2C-27-D7-80-42-B9"
*Mar 1 09:44:05.564: RADIUS: User-Name [1] 16 "2c27-d780-42b9"
*Mar 1 09:44:05.564: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
*Mar 1 09:44:05.564: RADIUS: Acct-Status-Type [40] 6 Start [1]
*Mar 1 09:44:05.564: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Mar 1 09:44:05.564: RADIUS: NAS-Port [5] 6 50001
*Mar 1 09:44:05.564: RADIUS: NAS-Port-Id [87] 20 "GigabitEthernet0/1"
*Mar 1 09:44:05.564: RADIUS: Called-Station-Id [30] 19 "EC-30-91-AF-FD-81"
*Mar 1 09:44:05.564: RADIUS: Class [25] 46
*Mar 1 09:44:05.564: RADIUS: 91 C1 08 B4 00 00 01 37 00 01 02 00 0A 28 01 15 00 00 00 00 51 F4 AA 24 1A C5 91 CB 01 D3 28 B5 5C 3E 3A CC 00 00 00 00 00 05 47 45 [ 7(Q$(\>:GE]
*Mar 1 09:44:05.564: RADIUS: Service-Type [6] 6 Framed [2]
*Mar 1 09:44:05.564: RADIUS: NAS-IP-Address [4] 6 10.40.10.222
*Mar 1 09:44:05.564: RADIUS: Acct-Delay-Time [41] 6 0
*Mar 1 09:44:05.564: RADIUS(00000037): Sending a IPv4 Radius Packet
*Mar 1 09:44:05.564: RADIUS(00000037): Started 5 sec timeout
*Mar 1 09:44:05.564: RADIUS: Received from id 1646/61 10.40.1.21:1646, Accounting-response, len 20
*Mar 1 09:44:05.573: RADIUS: authenticator F6 45 3E AB CF 3B A7 B3 - 72 00 EE 72 D6 C6 31 A4
*Mar 1 09:44:07.158: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
*Mar 1 09:44:08.165: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
Config
Building configuration...
Current configuration : 3687 bytes
!
! Last configuration change at 09:44:14 UTC Mon Mar 1 1993 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco-2960G
!
boot-start-marker
boot-end-marker
!
!
username admin privilege 15 secret 5 …
aaa new-model
!
!
aaa group server radius dot1x-auth
 server name nps
!
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network group group radius
aaa accounting dot1x default start-stop group radius
!
!
!
!
!
!
aaa session-id common
system mtu routing 1500
vtp mode off
!
!
no ip domain-lookup
ip domain-name emcc.edu
!
mab request format attribute 1 groupsize 4 separator - lowercase
mab request format attribute 2 0 .....
!
!
dot1x system-auth-control
dot1x guest-vlan supplicant
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 102
 name Staff
!
vlan 104
 name Labs
!
vlan 110
 name Management
!
lldp run
!
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
!
!
interface GigabitEthernet0/1
 switchport mode access
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication port-control auto
 mab
 spanning-tree portfast
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
 switchport access vlan 102
 switchport mode access
!
interface GigabitEthernet0/8
 switchport mode trunk
!
interface Vlan1
 no ip address
!
interface Vlan110
 ip address 10.40.10.222 255.255.255.0
!
ip default-gateway 10.40.10.1
ip http server
ip http secure-server
radius-server host 10.40.1.21 key .....
!
....
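As an added diagnostic (not part of the original post), a small Python checker for a switch "debug radius" capture of the kind shown above: it collects the VLAN attributes carried in the Access-Accept (the IETF Tunnel-* triple or the equivalent Cisco AV pairs) and flags the "Method list ... not configured. Skip author" line, which on IOS means the switch never ran network authorization for the session and so had nothing to apply the returned VLAN with; that reading follows Cisco's documented requirement of an "aaa authorization network default group radius" method list for dynamic VLAN assignment. The sample lines are a constructed excerpt modelled on the post's capture, not the full capture.

```python
import re

# Constructed excerpt modelled on the 'debug radius' lines in the post (not the full capture).
SAMPLE_DEBUG = """\
*Mar 1 09:44:05.296: RADIUS: Received from id 1645/59 10.40.1.21:1645, Access-Accept, len 200
*Mar 1 09:44:05.296: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
*Mar 1 09:44:05.296: RADIUS: Tunnel-Private-Group[81] 5 "102"
*Mar 1 09:44:05.296: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
*Mar 1 09:44:05.304: RADIUS: Cisco AVpair [1] 29 "tunnel-private-group-id=102"
*Mar 1 09:44:05.304: RADIUS(00000037): Received from id 1645/59
*Mar 1 09:44:05.304: AAA/AUTHOR (00000037): Method list id=0 not configured. Skip author
*Mar 1 09:44:05.564: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (2c27.d780.42b9) on Interface Gi0/1
"""

ACCEPT_START = re.compile(r"RADIUS: Received from id \S+ \S+, Access-Accept")
ACCEPT_END = re.compile(r"RADIUS\(\w+\): Received from id")
STD_ATTR = re.compile(r'RADIUS: Tunnel-[\w-]+\s*\[(\d+)\]\s+\d+\s+(.*)$')
AVPAIR = re.compile(r'Cisco AVpair \[1\] \d+ "tunnel-(type|medium-type|private-group-id)=([^"]*)"')
AUTHZ_SKIPPED = re.compile(r"AAA/AUTHOR .*not configured\. Skip author")
AVPAIR_TO_NUM = {"type": 64, "medium-type": 65, "private-group-id": 81}
NAMES = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-ID"}

def parse_accept(debug_text):
    """Return ({attr_number: value} from the Access-Accept, authorization_skipped)."""
    attrs, skipped, in_accept = {}, False, False
    for line in debug_text.splitlines():
        if AUTHZ_SKIPPED.search(line):
            skipped = True
        elif ACCEPT_START.search(line):
            in_accept = True
        elif in_accept and ACCEPT_END.search(line):
            in_accept = False
        elif in_accept:
            m = STD_ATTR.search(line)
            if m:  # IETF attribute 64/65/81; IOS prints 81 as "Tunnel-Private-Group"
                attrs[int(m.group(1))] = m.group(2).strip().strip('"')
            m = AVPAIR.search(line)
            if m:  # same data as a Cisco AV pair; the standard attribute wins if both exist
                attrs.setdefault(AVPAIR_TO_NUM[m.group(1)], m.group(2))
    return attrs, skipped

def diagnose(debug_text):
    """List the reasons a VLAN returned by RADIUS would not be applied to the port."""
    attrs, skipped = parse_accept(debug_text)
    findings = [f"Access-Accept lacks {NAMES[n]} [{n}]" for n in NAMES if n not in attrs]
    if skipped:
        findings.append("switch skipped network authorization ('Skip author'): RADIUS VLAN "
                        "attributes are only applied via the 'aaa authorization network default' list")
    return findings
```

Run it against a full capture (for example by reading the text of a saved terminal session) and an empty findings list means the server side and the switch's authorization path both look right for dynamic VLAN assignment.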