676 Views · 0 Helpful · 0 Replies

Endpoint Authentication and Assignment

Hello,

I am currently trying to determine the feasibility of integrating some Cisco gear into our network. With that said, I have borrowed a few pieces of gear and am attempting to mirror what we have from another vendor, and I have run into a problem that I cannot find a solution for. Right now I am trying to keep it simple, so I have a Cisco 2960G 8-port switch set up with one port doing dot1x with MAB for now. The port does authenticate without issue, but it simply refuses to assign a VLAN to the port after the authentication, so the client doesn't have any connectivity. I have attempted to do this from NPS and FreeRADIUS with the same results, using both AV pairs and standard attributes, but it is a no go. The information posted below is one attempt against NPS using both standard attributes and AV pairs (again, just one or the other yields the same results).

There are three pieces of information included: the version, the config, the session data and the debug information from the switch, which does contain the RADIUS reply and authentication verification.

Any ideas would be greatly appreciated, as I have scoured the docs and the web and gone through the debug messages.

Thanks

Jeremy

version:

Model number                    : WS-C2960G-8TC-L
Top Assembly Revision Number    : F0
Version ID                      : V01

Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 8     WS-C2960G-8TC-L    15.0(2)SE11           C2960-LANBASEK9-M


show auth session int g 0/1

            Interface:  GigabitEthernet0/1
          MAC Address:  2c27.d780.42b9
           IP Address:  Unknown
            User-Name:  2c27-d780-42b9
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A280ADE000000250216BF3B
      Acct Session ID:  0x0000002D
               Handle:  0x92000026

Runnable methods list:
       Method   State
       mab      Authc Success

Debug Output

*Mar  1 09:44:02.595: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
*Mar  1 09:44:05.162: AAA/BIND(00000037): Bind i/f
*Mar  1 09:44:05.170: mab-ev(Gi0/1): Received MAB context create from AuthMgr
*Mar  1 09:44:05.170: mab-ev(Gi0/1): Created MAB client context 0x9A00003C
*Mar  1 09:44:05.170:     mab : initial state mab_initialize has enter
*Mar  1 09:44:05.170: mab-sm(Gi0/1): Received event 'MAB_START' on handle 0x9A00003C
*Mar  1 09:44:05.170:     mab : during state mab_initialize, got event 4(mabStart)
*Mar  1 09:44:05.170: @@@ mab : mab_initialize -> mab_acquiring
*Mar  1 09:44:05.279: mab-ev: Received NEW MAC (2c27.d780.42b9) for 0x9A00003C
*Mar  1 09:44:05.279: %AUTHMGR-5-START: Starting 'mab' for client (2c27.d780.42b9) on Interface Gi0/1 AuditSessionID 0A280ADE000000250216BF3B
*Mar  1 09:44:05.279: mab-sm(Gi0/1): Received event 'MAB_AVAILABLE' on handle 0x9A00003C
*Mar  1 09:44:05.279:     mab : during state mab_acquiring, got event 7(mabAvailable)
*Mar  1 09:44:05.279: @@@ mab : mab_acquiring -> mab_authorizing
*Mar  1 09:44:05.279: mab-ev(Gi0/1): Sending create new context event to EAP from MAB for 0x9A00003C (2c27.d780.42b9)
*Mar  1 09:44:05.279: mab-ev: formatted mac = 2c27-d780-42b9
*Mar  1 09:44:05.279: mab-ev: created mab pseudo dot1x profile dot1x_mac_auth_2c27.d780.42b9
*Mar  1 09:44:05.279: mab-ev(Gi0/1): Starting MAC-AUTH-BYPASS for 0x9A00003C (2c27.d780.42b9)
*Mar  1 09:44:05.279: mab-ev: Invalid EVT 9 from EAP
*Mar  1 09:44:05.279: mab-ev: Invalid EVT 9 from EAP
*Mar  1 09:44:05.279: AAA/AUTHEN/8021X (00000037): Pick method list 'default'
*Mar  1 09:44:05.279: RADIUS/ENCODE(00000037):Orig. component type = Dot1X
*Mar  1 09:44:05.279: RADIUS:  AAA Unsupported Attr: service-type      [344] 4   10
*Mar  1 09:44:05.279: RADIUS:  AAA Unsupported Attr: audit-session-id  [819] 24  61834856
*Mar  1 09:44:05.279: RADIUS/ENCODE(00000037): Unsupported AAA attribute hwidb
*Mar  1 09:44:05.279: RADIUS/ENCODE(00000037): Unsupported AAA attribute auth-profile
*Mar  1 09:44:05.279: RADIUS:  AAA Unsupported Attr: interface         [221] 18  61831760
*Mar  1 09:44:05.279: RADIUS(00000037): Config NAS IP: 0.0.0.0
*Mar  1 09:44:05.279: RADIUS(00000037): Config NAS IPv6: ::
*Mar  1 09:44:05.279: RADIUS/ENCODE(00000037): acct_session_id: 45
*Mar  1 09:44:05.279: RADIUS(00000037): sending
*Mar  1 09:44:05.279: RADIUS/ENCODE: Best Local IP-Address 10.40.10.222 for Radius-Server 10.40.1.21
*Mar  1 09:44:05.279: RADIUS(00000037): Send Access-Request to 10.40.1.21:1645 id 1645/59, len 162
*Mar  1 09:44:05.279: RADIUS:  authenticator FF EF 36 D5 56 D8 12 90 - C0 04 AF 6F 0B C0 40 BD
*Mar  1 09:44:05.279: RADIUS:  User-Name           [1]   16  "2c27-d780-42b9"
*Mar  1 09:44:05.287: RADIUS:  User-Password       [2]   18  *
*Mar  1 09:44:05.287: RADIUS:  Service-Type        [6]   6   Call Check                [10]
*Mar  1 09:44:05.287: RADIUS:  Framed-MTU          [12]  6   1500
*Mar  1 09:44:05.287: RADIUS:  Called-Station-Id   [30]  19  "EC-30-91-AF-FD-81"
*Mar  1 09:44:05.287: RADIUS:  Calling-Station-Id  [31]  19  "2C-27-D7-80-42-B9"
*Mar  1 09:44:05.287: RADIUS:  Message-Authenticato[80]  18
*Mar  1 09:44:05.287: RADIUS:   D3 45 4E 86 80 34 84 8B 0E 6C 85 0A F3 03 9F AF              [ EN4l]
*Mar  1 09:44:05.287: RADIUS:  EAP-Key-Name        [102] 2   *
*Mar  1 09:44:05.287: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
*Mar  1 09:44:05.287: RADIUS:  NAS-Port            [5]   6   50001
*Mar  1 09:44:05.287: RADIUS:  NAS-Port-Id         [87]  20  "GigabitEthernet0/1"
*Mar  1 09:44:05.287: RADIUS:  NAS-IP-Address      [4]   6   10.40.10.222
*Mar  1 09:44:05.287: RADIUS(00000037): Sending a IPv4 Radius Packet
*Mar  1 09:44:05.287: RADIUS(00000037): Started 5 sec timeout
*Mar  1 09:44:05.296: RADIUS: Received from id 1645/59 10.40.1.21:1645, Access-Accept, len 200
*Mar  1 09:44:05.296: RADIUS:  authenticator DE 3D 1B B0 C0 EC 6A CD - 42 A4 AB 78 F6 70 0C 60
*Mar  1 09:44:05.296: RADIUS:  Tunnel-Medium-Type  [65]  6   00:ALL_802                [6]
*Mar  1 09:44:05.296: RADIUS:  Tunnel-Private-Group[81]  5   "102"
*Mar  1 09:44:05.296: RADIUS:  Tunnel-Type         [64]  6   00:VLAN                   [13]
*Mar  1 09:44:05.296: RADIUS:  Class               [25]  46
*Mar  1 09:44:05.296: RADIUS:   91 C1 08 B4 00 00 01 37 00 01 02 00 0A 28 01 15 00 00 00 00 51 F4 AA 24 1A C5 91 CB 01 D3 28 B5 5C 3E 3A CC 00 00 00 00 00 05 47 45        [ 7(Q$(\>:GE]
*Mar  1 09:44:05.296: RADIUS:  Vendor, Cisco       [26]  24
*Mar  1 09:44:05.296: RADIUS:   Cisco AVpair       [1]   18  "tunnel-type=VLAN"
*Mar  1 09:44:05.296: RADIUS:  Vendor, Cisco       [26]  34
*Mar  1 09:44:05.296: RADIUS:   Cisco AVpair       [1]   28  "tunnel-medium-type=ALL_802"
*Mar  1 09:44:05.304: RADIUS:  Vendor, Cisco       [26]  35
*Mar  1 09:44:05.304: RADIUS:   Cisco AVpair       [1]   29  "tunnel-private-group-id=102"
*Mar  1 09:44:05.304: RADIUS:  Vendor, Microsoft   [26]  12
*Mar  1 09:44:05.304: RADIUS:   MS-Link-Util-Thresh[14]  6
*Mar  1 09:44:05.304: RADIUS:   00 00 00 32                 [ 2]
*Mar  1 09:44:05.304: RADIUS:  Vendor, Microsoft   [26]  12
*Mar  1 09:44:05.304: RADIUS:   MS-Link-Drop-Time-L[15]  6
*Mar  1 09:44:05.304: RADIUS:   00 00 00 78                 [ x]
*Mar  1 09:44:05.304: RADIUS(00000037): Received from id 1645/59
*Mar  1 09:44:05.304: AAA/AUTHOR (00000037): Method list id=0 not configured. Skip author
*Mar  1 09:44:05.304: mab-ev(Gi0/1): MAB received an Access-Accept for 0x9A00003C (2c27.d780.42b9)
*Mar  1 09:44:05.304: %MAB-5-SUCCESS: Authentication successful for client (2c27.d780.42b9) on Interface Gi0/1 AuditSessionID 0A280ADE000000250216BF3B
*Mar  1 09:44:05.304: mab-sm(Gi0/1): Received event 'MAB_RESULT' on handle 0x9A00003C
*Mar  1 09:44:05.304:     mab : during state mab_authorizing, got event 5(mabResult)
*Mar  1 09:44:05.304: @@@ mab : mab_authorizing -> mab_terminate
*Mar  1 09:44:05.304: mab-ev(Gi0/1): Deleted credentials profile for 0x9A00003C (dot1x_mac_auth_2c27.d780.42b9)
*Mar  1 09:44:05.304: mab-ev(Gi0/1): Sending event (2) to AuthMGR for 2c27.d780.42b9
*Mar  1 09:44:05.304: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (2c27.d780.42b9) on Interface Gi0/1 AuditSessionID 0A280ADE000000250216BF3B
*Mar  1 09:44:05.564: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (2c27.d780.42b9) on Interface Gi0/1 AuditSessionID 0A280ADE000000250216BF3B
*Mar  1 09:44:05.564: RADIUS/ENCODE(00000037):Orig. component type = Dot1X
*Mar  1 09:44:05.564: RADIUS(00000037): Config NAS IP: 0.0.0.0
*Mar  1 09:44:05.564: RADIUS(00000037): Config NAS IPv6: ::
*Mar  1 09:44:05.564: RADIUS(00000037): sending
*Mar  1 09:44:05.564: RADIUS/ENCODE: Best Local IP-Address 10.40.10.222 for Radius-Server 10.40.1.21
*Mar  1 09:44:05.564: RADIUS(00000037): Send Accounting-Request to 10.40.1.21:1646 id 1646/61, len 192
*Mar  1 09:44:05.564: RADIUS:  authenticator 36 BE 06 0A BF 1F D0 44 - BA 5D 4D 34 19 95 F8 C0
*Mar  1 09:44:05.564: RADIUS:  Acct-Session-Id     [44]  10  "0000002D"
*Mar  1 09:44:05.564: RADIUS:  Calling-Station-Id  [31]  19  "2C-27-D7-80-42-B9"
*Mar  1 09:44:05.564: RADIUS:  User-Name           [1]   16  "2c27-d780-42b9"
*Mar  1 09:44:05.564: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
*Mar  1 09:44:05.564: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
*Mar  1 09:44:05.564: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
*Mar  1 09:44:05.564: RADIUS:  NAS-Port            [5]   6   50001
*Mar  1 09:44:05.564: RADIUS:  NAS-Port-Id         [87]  20  "GigabitEthernet0/1"
*Mar  1 09:44:05.564: RADIUS:  Called-Station-Id   [30]  19  "EC-30-91-AF-FD-81"
*Mar  1 09:44:05.564: RADIUS:  Class               [25]  46
*Mar  1 09:44:05.564: RADIUS:   91 C1 08 B4 00 00 01 37 00 01 02 00 0A 28 01 15 00 00 00 00 51 F4 AA 24 1A C5 91 CB 01 D3 28 B5 5C 3E 3A CC 00 00 00 00 00 05 47 45        [ 7(Q$(\>:GE]
*Mar  1 09:44:05.564: RADIUS:  Service-Type        [6]   6   Framed                    [2]
*Mar  1 09:44:05.564: RADIUS:  NAS-IP-Address      [4]   6   10.40.10.222
*Mar  1 09:44:05.564: RADIUS:  Acct-Delay-Time     [41]  6   0
*Mar  1 09:44:05.564: RADIUS(00000037): Sending a IPv4 Radius Packet
*Mar  1 09:44:05.564: RADIUS(00000037): Started 5 sec timeout
*Mar  1 09:44:05.564: RADIUS: Received from id 1646/61 10.40.1.21:1646, Accounting-response, len 20
*Mar  1 09:44:05.573: RADIUS:  authenticator F6 45 3E AB CF 3B A7 B3 - 72 00 EE 72 D6 C6 31 A4
*Mar  1 09:44:07.158: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
*Mar  1 09:44:08.165: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up

Config

Building configuration...

Current configuration : 3687 bytes
!
! Last configuration change at 09:44:14 UTC Mon Mar 1 1993 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco-2960G
!
boot-start-marker
boot-end-marker
!
!
username admin privilege 15 secret 5 …
aaa new-model
!
!
aaa group server radius dot1x-auth
 server name nps
!
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network group group radius
aaa accounting dot1x default start-stop group radius
!
!
!
!
!
!
aaa session-id common
system mtu routing 1500
vtp mode off
!
!
no ip domain-lookup
ip domain-name emcc.edu
!
mab request format attribute 1 groupsize 4 separator - lowercase
mab request format attribute 2 0 .....
!
!
dot1x system-auth-control
dot1x guest-vlan supplicant
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 102
 name Staff
!
vlan 104
 name Labs
!
vlan 110
 name Management
!
lldp run
!
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
!
!
interface GigabitEthernet0/1
 switchport mode access
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication port-control auto
 mab
 spanning-tree portfast
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
 switchport access vlan 102
 switchport mode access
!
interface GigabitEthernet0/8
 switchport mode trunk
!
interface Vlan1
 no ip address
!
interface Vlan110
 ip address 10.40.10.222 255.255.255.0
!
ip default-gateway 10.40.10.1
ip http server
ip http secure-server
radius-server host 10.40.1.21 key .....
!
....


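Added example, not part of the original post and not a Cisco tool: a small Python checker that reads the three kinds of text shown above (the `show authentication sessions` output, the `debug radius` / AAA output, and the running config) and reports the points a reviewer would look at when a RADIUS-returned VLAN is not applied. It checks whether the Access-Accept carried Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID (or the equivalent Cisco AVpairs), whether the switch logged `AAA/AUTHOR ... Method list id=0 not configured. Skip author`, whether the config contains a `default` network authorization method list (Cisco's documented prerequisite for applying RADIUS-returned VLANs is `aaa authorization network default group radius`), and whether the session shows `Vlan Policy: N/A`. The sample inputs are constructed by copying lines from the post; the function names and the findings text are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: lines copied from the switch output in the post above.
SAMPLE_DEBUG = """\
*Mar  1 09:44:05.279: RADIUS:  Service-Type        [6]   6   Call Check                [10]
*Mar  1 09:44:05.296: RADIUS: Received from id 1645/59 10.40.1.21:1645, Access-Accept, len 200
*Mar  1 09:44:05.296: RADIUS:  Tunnel-Medium-Type  [65]  6   00:ALL_802                [6]
*Mar  1 09:44:05.296: RADIUS:  Tunnel-Private-Group[81]  5   "102"
*Mar  1 09:44:05.296: RADIUS:  Tunnel-Type         [64]  6   00:VLAN                   [13]
*Mar  1 09:44:05.304: RADIUS:   Cisco AVpair       [1]   29  "tunnel-private-group-id=102"
*Mar  1 09:44:05.304: AAA/AUTHOR (00000037): Method list id=0 not configured. Skip author
*Mar  1 09:44:05.304: mab-ev(Gi0/1): MAB received an Access-Accept for 0x9A00003C (2c27.d780.42b9)
"""

# Constructed sample config: the AAA lines from the posted running config.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network group group radius
aaa accounting dot1x default start-stop group radius
"""

# Constructed sample session output, from the posted 'show auth session' lines.
SAMPLE_SESSION = """\
            Interface:  GigabitEthernet0/1
               Status:  Authz Success
          Vlan Policy:  N/A
"""

# Standard RADIUS attribute numbers (RFC 2868) used for VLAN assignment.
TUNNEL_ATTRS = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-ID"}

# "RADIUS:  <name> [<num>]  <len>  <value>" as printed by IOS 'debug radius'.
ATTR_RE = re.compile(r"RADIUS:\s+(\S.*?)\s*\[(\d+)\]\s+\d+\s+(.*)$")
AVPAIR_RE = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"([^"]+)"')
SKIP_AUTHOR_RE = re.compile(r"AAA/AUTHOR.*Method list id=\d+ not configured\. Skip author")


def parse_accept_attributes(debug_text: str) -> Dict[str, str]:
    """Collect VLAN-related attributes that appear after the Access-Accept line."""
    found: Dict[str, str] = {}
    in_accept = False
    for line in debug_text.splitlines():
        if "Access-Accept" in line:
            in_accept = True
        if not in_accept:
            continue  # ignore the Access-Request attributes the switch sent
        m = ATTR_RE.search(line)
        if m and int(m.group(2)) in TUNNEL_ATTRS:
            value = " ".join(m.group(3).split()).strip('"')
            found[TUNNEL_ATTRS[int(m.group(2))]] = value
        m = AVPAIR_RE.search(line)
        if m:
            key, _, value = m.group(1).partition("=")
            found["avpair:" + key] = value
    return found


def network_authorization_list(config_text: str) -> Tuple[List[str], bool]:
    """Return the 'aaa authorization network' lines and whether a default list exists."""
    lines = [l.strip() for l in config_text.splitlines()
             if l.strip().startswith("aaa authorization network")]
    has_default = any(re.match(r"aaa authorization network default\s+group\s+\S+", l)
                      for l in lines)
    return lines, has_default


def vlan_policy(session_text: str) -> str:
    """Return the 'Vlan Policy' value from 'show authentication sessions' output."""
    m = re.search(r"Vlan Policy:\s+(\S+)", session_text)
    return m.group(1) if m else ""


def diagnose(debug_text: str, config_text: str, session_text: str) -> List[str]:
    """Produce a list of findings explaining why a returned VLAN may not be applied."""
    findings: List[str] = []
    attrs = parse_accept_attributes(debug_text)
    vlan = attrs.get("Tunnel-Private-Group-ID") or attrs.get("avpair:tunnel-private-group-id")
    if vlan:
        findings.append(f"server returned VLAN {vlan} in the Access-Accept")
    else:
        findings.append("no VLAN attributes in the Access-Accept; check the RADIUS policy")
    if SKIP_AUTHOR_RE.search(debug_text):
        findings.append("switch skipped network authorization (\"Skip author\"): "
                        "returned attributes are not applied")
    lines, has_default = network_authorization_list(config_text)
    if not has_default:
        findings.append("no 'aaa authorization network default group ...' line; found: "
                        + (", ".join(lines) or "none"))
    if vlan and vlan_policy(session_text) == "N/A":
        findings.append("session shows Vlan Policy N/A although a VLAN was returned")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_DEBUG, SAMPLE_CONFIG, SAMPLE_SESSION):
        print("-", finding)
```

Run against the sample, the checker reports that the server did return VLAN 102 both as standard tunnel attributes and as AVpairs, that the switch logged "Skip author", that the only network authorization line is `aaa authorization network group group radius` (no `default` list), and that the session therefore shows Vlan Policy N/A. Feeding it a config that contains `aaa authorization network default group radius` clears the authorization finding, which is the single configuration difference the debug output points at.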