802.1x Port Authentication via RADIUS

Similar Messages

• 802.1x port authentication and Windows Radius, possible?

  Hello,
  I'm just testing at the moment before implementing on our netowrk, but has anyone implemented 802.1x port authentication on there Cisco switch and used a Windows IAS server?  See out users are all all on a Windows domain and I want to authenticate using their active directory credentials.  I think I am fine with the switch config, but it is the Windows IAS/Raduis server.  I have added the switch IP's and secret, but I need to create a policy to accept the domain users and need help.
  Thanks

  Andy:
  Yes of course you can use whatever radius server as a AAA server for 802.1x authentication on the switches. NPS, IAS, ACS, Open RADIUS ....etc.
  If you have problem with configuring the IAS then I would suggest that you post your quesiton in a microsoft forum and not here. They would be able to better assist you with your issue. But you can still look somewhere in this forum or in google to help yourself.
  See this link, it could be useful for you:  https://supportforums.cisco.com/thread/2090403
  Regards,
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• Radius server for 802.1x port authentication

  Does anybody know if CiscoSecure for Unix version 2.3.6.2 can be used as a Radius server for 802.1x port authentication? I know the Windows version will do this and can be configured to assign a user to a specific VLAN, but can the UNIX software do the same?
  Thanks

  Check connectivity between the PIX and the server.
  If the server is outside the PIX, verify that it is specified in the (if_name) parameter of the aaa-server command. In the example below, the (if_name) parameter represents outside.
  aaa-server group_tag (if_name) host server_ip key timeout 5
  If you are using TACACS+, verify that the PIX and server are communicating on the same port (Transmission Control Protocol (TCP)/49).
  If you are using RADIUS, verify that the PIX and server are communicating on User Datagram Protocol (UDP) port 1645. Or, if the RADIUS server is using port 1812, verify that the PIX is using software version 6.0 or later, and then issue the aaa-server radius-authport 1812 command to specify port 1812.
  Ensure that the secret key is correct.
  Check the server logs for failed attempts. All servers have some kind of logging function.

• Help Please :) LInksys WRVS4400N 802.1X port authentication setup

  HI all,
  I am trying to configure 802.1X port authentication on my Linksys WRVS4400N. I created a test lab in order to do this, currently I am using
  1x Linksys WRVS4400N
  1x Microsoft Server 2003 with IAS and Active Directory services
  1x Dell Laptop (Used for testing Radius Athentication)
  I Created 4 VLAN(s) to test with this LAB
  VLAN 1 Managament. Addr Range 192.168.1.0 /24. GW 192.168.1.254
  VLAN 10 Servers. Addr Range 172.16.1.0 /24. GW 172.16.1.254
  VLAN 20 IT. Addr Range 172.16.2.0 /24. GW 172.16.2.254
  VLAN 30 Design. Addr Range 172.16.3.0 /24. GW 172.16.3.254
  This is how I assigned my VLAN(s) to my ports. This is found on the VLAN & Port Assignment Screen
  Port 1 -> Mode: General -> Frame Type: All -> PVID 1 (Port 1 is used for VLAN 1: Management)
  Port 2 -> Mode: General -> Frame Type: All -> PVID 10 (Port 2 is used for VLAN 20: Servers)
  Port 3 -> Mode: Access -> Frame Type: All (Port 3 is used for RADIUS. DHCP enabled)
  Port 4 -> Mode: Access -> Frame Type: All (Port 4 is used for RADIUS. DHCP enabled)
  VLAN 1: Default
  Port 1: Untagged, Port 2: Tagged, Port(s): 3, 4 & Wireless: Excluded
  VLAN 10: Servers
  Port(s): 1, 3, 4 & Wireless: Excluded. Port 2: Untagged
  VLAN 20: IT
  Port(s): 1, 2: Excluded, Port(s): 3,4 & Wireless: Untagged
  VLAN 30: Design
  Port(s): 1, 2: Excluded, Port(s): 3,4 & Wireless: Untagged
  This is how my Radius is setup
  Mode: Enabled
  RADIUS IP: 172.16.1.1 (IP of the WIN2K3 Server)
  UDP Port: 1812
  Secret: Password1
  Port(s) 1 & 2: Force Authorized
  Port(s) 3 & 4: Force UnAuthorized
  On the Server this is what I have configured
  1. Created a domain: GLAB. Created two groups: IT LAN, Design LAN, then assigned users to those groups. IE: User1 belongs to IT LAN
  2. Created a IAS Remote Access Policy and named it IT LAN. The profile settings are listed below
  Tunnel-Medium-Type: 802
  Tunnel-PVT-Group-ID: 20
  Tunnel-Type: Virtual LAN
  My goal is to test RADIUS authentication on ports 3 and 4 on the Linksys WRV . I tested everything else I made sure the VLAN's were working ok so what I did was took a Dell Laptop and joined it to my domain. I pluged the Dell Laptop into port 4 to test Radius Authentication. When I tried to log in as User1 it didn't work.
  I am new to setting up 802.1X, I wanted to know if I missed a setting or I misconfigured something. I even ran wireshark on my Windows 2003 machine to see if any RADIUS data is coming from my router (172.16.1.254) and I didn't see anything
  If anybody can help me out that would be great!
  Cheers
  Graham

  1. I don't think the WRVS4400N supports RADIUS assigned VLANs. I can't find anything in the manual suggesting it would. I would say you can only use the RADIUS server for authentication on a port but the VLAN must be configured before.
  2. You don't write what is exactly connected to each port on the WRVS. For instance, it is unclear whether the MS Server is connected directly to port 2 or whether it connects to another switch to which you have connected other servers as well.
  3. The VLAN configuration looks very odd to me. If I see it correctly you have:
  Port 1: General mode, PVID 1, 1U
  Port 2: General mode, PVID 10, 1T, 10U
  Port 3: Access mode, PVID ???, 20U, 30U
  Port 4: Access mode, PVID ???, 20U, 30U
  I wonder why you are even able to set this up...
  a. Port 1 should be set to Access mode with PVID 1 and 1U. With access mode the port is member of a single VLAN and all traffic is untagged. That is exactly what you have set up, but with General mode.
  b. Port 2 must be connected to a server (or a managed switch). The NIC in the server must be configured for 802.1q tagged frames. On the server NIC you must configure VLAN 1 as tagged VLAN and VLAN 10 as default/native/untagged VLAN. Only then the server is able to communicate on VLAN 1 and VLAN 10.
  c. Port 3&4 are in access mode. In access mode the port can only be member of a single VLAN. What you post suggests that they are member of two VLANs. That should not even be possible to configure. If it is possible, that it is definitively incorrect. You must decide to which VLAN these ports belong to.
  4. To use RADIUS authentication on a port you must set it to "Auto". "Force UnAuthorized" sets it unauthorized, i.a.W. you disable the port completely. To traffic will go through. See the manual: "Force Unauthorized—Controlled port state is set to Force-Unauthorized (discard traffic). All connections are blocked."
  5. Did you verify that your RADIUS server is actually using port 1812? 1645 is also commonly used for radius authentication. Check the configuration on the RADIUS server or check with "netstat -a" to see if 1812 is used.
  6. Also check, whether the RADIUS traffic is sent on the management VLAN 1. The WRVS uses VLAN 1 as management VLAN and it might well be that it expects the RADIUS server to be in the management VLAN. Use the server IP address in VLAN 1 as RADIUS server IP address to check that.
  7. Did you check with wireshark the traffic on the 802.1x client machine? Does it send something out? Does it receive anything?

• 802.1x wired authentication via PEAP, MD5

  Hi everyone,
  Thank you for taking the time for reading this, I am implementing a security solution and wanted to take th benefit of implementing 802.1x over wire. I have been searching a bit but no much info from start to finish on how to implementing this solution,
  i would really appreciate if someone could point me some where  to find  detailed instruction on how to do this, as so far i have been configuring in multiple way bit no result out of it. Still a orange port color on my switch, that means the first
  hop of security work but the next no.
  Thank you in advance to read this.

  Hi,
  According to your description, my understanding is that you want to deploy 802.1x wired authentication via PEAP, MD5 and need instructions about this.
  Some articles and just for your reference:
  802.1X Authenticated Wired Access Overview
  https://technet.microsoft.com/en-us/library/hh831831.aspx
  802.1X Authenticated Wired Access Design Guide
  https://technet.microsoft.com/library/dd378864(WS.10).aspx
  IEEE 802.1X Wired Authentication
  https://technet.microsoft.com/en-us/magazine/2008.02.cableguy.aspx
  Best Regards,
  Eve Wang
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• About TACACS+ and 802.1x port authentication

  Hi
  Is it true? TACACS+ will not work with 802.1x port authentication because EAP is not supported in TACACS+,
  Where to find the documents about Tacacs+ doesn't support EAP?
  Regards,
  Thanks.

  Correct, TACACS does not support EAP, check the following links:
  https://cisco.hosted.jivesoftware.com/message/7901
  http://www.rfc-editor.org/rfc/rfc1492.txt

• About 802.1x port authentication using TACACS+

  Hi
  I have some question. Please help me. Thanks.
  Question1. May I use that 802.1x port authentication using TACACS+
  Question2. Is it true? TACACS+ will not work with 802.1x because EAP is not supported in TACACS+, and there are no plans to get EAP over TACACS+.
  Any help would be greatly appreciated.
  Thanks.

  Thanks to you.
  Where to find the documents about Tacacs+ doesn't support EAP?
  I cast more time and I cannot find the documents.
  Please help me....
  Thanks.

• VPN Tunnel w/ 802.1X port authentication against remote RADIUS server

  I have a Cisco 892 setup as a VPN client connecting to an ASA 5515-X.  The tunnel works fine and comes up if theirs correct traffic.  I have two RADIUS servers I want to use certificate based authentication to, that are located behind the ASA 5515-X.
  If I connect a computer that has the correct certificates to ports FA0 through 3, authentication won't work.  I'll see the following.  This happens even if the VPN tunnel is established already by doing something such as connecting a VOIP phone.  No entrys are located in the RADIUS logs, and I also cannot ping the RADIUS servers from VLAN10.
  *Jan 30 19:46:01.435: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.100:1812,1813 is not responding.
  *Jan 30 19:46:01.435: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.1.100:1812,1813 is being marked alive.
  *Jan 30 19:46:21.659: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.26.10:1812,1813 is not responding.
  *Jan 30 19:46:21.659: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.26.10:1812,1813 is being marked alive.
  If I connect a second PC to an interface with 802.1X disabled, such as FA6, the VPN tunnel will establish itself correctly.  In this situation, I can ping the RADIUS servers from VLAN10.  If I go ahead and connect another PC with correct certificates to a port with 802.1X enabled such as port FA0 through 3, then 802.1X will suceed.
  Current configuration : 6199 bytes
  ! Last configuration change at 15:40:11 EST Mon Feb 3 2014 by
  version 15.2
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname router1
  boot-start-marker
  boot-end-marker
  aaa new-model
  aaa local authentication default authorization default
  aaa authentication login default local
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa session-id common
  clock timezone EST -5 0
  clock summer-time EDT recurring
  ip cef
  ip dhcp pool pool
  import all
  network 192.168.28.0 255.255.255.248
  bootfile PXEboot.com
  default-router 192.168.28.1
  dns-server 192.168.26.10 192.168.1.100 8.8.8.8 4.2.2.2
  domain-name domain.local
  option 66 ip 192.168.23.10
  option 67 ascii PXEboot.com
  option 150 ip 192.168.23.10
  lease 0 2
  ip dhcp pool phonepool
  network 192.168.28.128 255.255.255.248
  default-router 192.168.28.129
  dns-server 192.168.26.10 192.168.1.100
  option 150 ip 192.168.1.132
  domain-name domain.local
  lease 0 2
  ip dhcp pool guestpool
  network 10.254.0.0 255.255.255.0
  dns-server 8.8.8.8 4.2.2.2
  domain-name local
  default-router 10.254.0.1
  lease 0 2
  no ip domain lookup
  ip domain name remote.domain.local
  no ipv6 cef
  multilink bundle-name authenticated
  license udi pid CISCO892-K9
  dot1x system-auth-control
  username somebody privilege 15 password 0 password
  redundancy
  crypto isakmp policy 1
  encr aes 256
  authentication pre-share
  group 5
  crypto isakmp key secretpassword address 123.123.123.123
  crypto ipsec transform-set pix-set esp-aes 256 esp-sha-hmac
  mode tunnel
  crypto map pix 10 ipsec-isakmp
  set peer 123.123.123.123
  set transform-set pix-set
  match address 110
  interface BRI0
  no ip address
  encapsulation hdlc
  shutdown
  isdn termination multidrop
  interface FastEthernet0
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  interface FastEthernet1
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  interface FastEthernet2
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  interface FastEthernet3
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  interface FastEthernet4
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  spanning-tree portfast
  interface FastEthernet5
  switchport access vlan 12
  switchport voice vlan 11
  no ip address
  spanning-tree portfast
  interface FastEthernet6
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  spanning-tree portfast
  interface FastEthernet7
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  interface FastEthernet8
  no ip address
  shutdown
  duplex auto
  speed auto
  interface GigabitEthernet0
  ip address dhcp
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  crypto map pix
  interface Vlan1
  no ip address
  interface Vlan10
  ip address 192.168.28.1 255.255.255.248
  ip nat inside
  ip virtual-reassembly in
  interface Vlan11
  ip address 192.168.28.129 255.255.255.248
  interface Vlan12
  ip address 10.254.0.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  ip forward-protocol nd
  ip http server
  ip http authentication local
  ip http secure-server
  ip nat inside source list 101 interface GigabitEthernet0 overload
  ip route 0.0.0.0 0.0.0.0 dhcp
  ip radius source-interface Vlan10
  ip sla auto discovery
  access-list 101 deny   ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
  access-list 101 permit ip 192.168.28.0 0.0.0.255 any
  access-list 101 permit ip 10.254.0.0 0.0.0.255 any
  access-list 110 permit ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
  access-list 110 permit ip 192.168.29.0 0.0.0.255 192.168.0.0 0.0.255.255
  radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key secretkey
  radius-server host 192.168.26.10 auth-port 1812 acct-port 1813 key secretkey
  control-plane
  mgcp profile default
  line con 0
  line aux 0
  line vty 0 4
  transport input all
  ntp source FastEthernet0
  ntp server 192.168.26.10
  ntp server 192.168.1.100
  end

  I have 802.1X certificate authentication enabled on the computers.  As described in my post above, authentication will work if theirs another device on the same VLAN that is connected to a port that bypasses authentication.  It seems like I have a chicken and egg scenario, a device needs to be sucessfully connected to VLAN10 before the router will use it's VLAN10 interface to communicate with my remote RADIUS server.

• Authentication via RADIUS : MSCHAPv2 Error 691

  Hello All,
  I am working on setting up authentication into an Acme Packet Net-Net 3820 (SBC) via RADIUS. The accounting side of things is working just fine with no issues. The authentication side of things is another matter. I can see from a packet capture that the access-request
  messages are in fact getting to the RADIUS server at which point the RADIUS server starts communicating with the domain controllers. I then see the chain of communication going back to the RADIUS and then finally back to the SBC. The problem is the response
  I get back is always an access-reject message with a reason code of 16 (Authentication failed due to a user credentials mismatch. Either the user name provided does not match an existing user account or the password was incorrect). This is confirmed by looking
  at the security event logs where I can see events 4625 and 6273. See the events below (Note: The names and IPs have been changed to protect the innocent):
  Event ID: 6273
  Network Policy Server denied access to a user.
  Contact the Network Policy Server administrator for more information.
  User:
  Security ID:
  NULL SID
  Account Name:
  real_username
  Account Domain:
  real_domain
  Fully Qualified Account Name:
  real_domain\real_username
  Client Machine:
  Security ID:
  NULL SID
  Account Name:
  Fully Qualified Account Name:
  OS-Version:
  Called Station Identifier:
  Calling Station Identifier:
  NAS:
  NAS IPv4 Address:
  10.0.0.10
  NAS IPv6 Address:
  NAS Identifier:
  radius1.real_domain
  NAS Port-Type:
  NAS Port:
  101451540
  RADIUS Client:
  Client Friendly Name:
  sbc1mgmt
  Client IP Address:
  10.0.0.10
  Authentication Details:
  Connection Request Policy Name:
  SBC Authentication
  Network Policy Name:
  Authentication Provider:
  Windows
  Authentication Server:
  RADIUS1.real_domain
  Authentication Type:
  MS-CHAPv2
  EAP Type:
  Account Session Identifier:
  Logging Results:
  Accounting information was written to the SQL data store and the local log file.
  Reason Code:
  16
  Reason:
  Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
  Event ID: 4625
  An account failed to log on.
  Subject:
  Security ID:
  SYSTEM
  Account Name:
  RADIUS1$
  Account Domain:
  REAL_DOMAIN
  Logon ID:
  0x3E7
  Logon Type: 3
  Account For Which Logon Failed:
  Security ID:
  NULL SID
  Account Name:
  real_username
  Account Domain:
  REAL_DOMAIN
  Failure Information:
  Failure Reason:
  Unknown user name or bad password.
  Status:
  0xC000006D
  Sub Status:
  0xC000006A
  Process Information:
  Caller Process ID:
  0x2cc
  Caller Process Name:
  C:\Windows\System32\svchost.exe
  Network Information:
  Workstation Name:
  Source Network Address:
  Source Port:
  Detailed Authentication Information:
  Logon Process:
  IAS
  Authentication Package:
  MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Transited Services:
  Package Name (NTLM only):
  Key Length:
  0
  This event is generated when a logon request fails. It is generated on the computer where access was attempted.
  The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
  The Process Information fields indicate which account and process on the system requested the logon.
  The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  The authentication information fields provide detailed information about this specific logon request.
  - Transited services indicate which intermediate services have participated in this logon request.
  - Package name indicates which sub-protocol was used among the NTLM protocols.
  - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
  So at first glance it would seem that the issue is merely a case of an invalid username or mismatched password. This is further confirmed in the packet capture where I can see the MSCHAPv2 response has an error code of 691 (Access denied because username or
  password, or both, are not valid on the domain). The thing is I know I am using a valid username and I have tried many usernames including new ones I created just for troubleshooting. I don't know how many times I have reset the password in an attempt to ensure
  it is not a mismatch password. I have even made sure to use passwords that are fairly short and contain only letters to ensure there was no terminal encoding issues (we connect to the SBC via SSH clients). I have also done this same thing with the shared secret
  used during communication between the SBC and the RADIUS server. I have tried prefixing the username with the domain name at login (though I don't think that should be necessary). I have also tried using the full UPN of the user to login. I have tried several
  RADIUS testing clients (NTRadPing, RadiusTest, etc.), but they either don't support MSCHAPv2 or only support EAP-MSCHAPv2. I have even created my own client using PHP's PECL RADIUS module. Still it always seems to fail with the MSCHAPv2 authentication with
  an error code of 691. Does anyone have any ideas as to why I always get an invalid username or bad password response when I have done everything possible to ensure that is not the case?
  Here are the specs for our RADIUS configuration:
  Windows Server 2012 R2
  SQL Server 2012 Back End Database for accounting.
  The server has been authorized on the domain and is a member of the "RAS and IAS Servers" group. For which that group does have access to the accounts we are testing with.
  The accounts we are testing with do have the "Control access through NPS Network Policy" option checked under their "Dial-in" property tab.
  RADIUS clients configured to simply match on the IP address which you can see from the events above that it is applying the client friendly name.
  Connection Request Policy: The "SBC Authenication" policy is being applied as seen above. The only condition is a regex expression that does successfully match the friendly name.
  Network Policy: As seen in events above, none are getting applied. For troubleshooting purposes I have created a Network Policy that is set to "1" for the processing order and its only condition is a Day and Time Restriction currently set to any
  time, any day.
  The authentication method is set to only MSCHAPv2 or MSCHAPv2 (User can change password after it has expired). I have tried adding this to just the Network Policy and I have also tried adding this to the Connection Request Policy and setting it to override
  the authentication method of the Network Policy.
  We do have other RADIUS servers in our domain that use PEAP to authenticate wireless clients and they all work fine. However, we need this to work with MSCHAPv2 only (No EAP).
  All other configurations are set to the defaults.
  The only other things of note to consider is the fact that in the events above you can see that the Security ID is "NULL SID". Now I know this is common especially among failed logons but given that this issue is stating an invalid username or
  bad password, perhaps it matters in this case. Also, this server has been rebuilt using the same computer account in Active Directory. I do not know if it would have worked before the rebuild. Essentially we built this server and only got as far as authorizing
  the server to the domain and adding SQL when we decided to separate out the SQL role onto another server. Rather than uninstalling SQL we just rebuilt the machine. However, before reinstalling Windows I did do a reset on the computer account. I don't think
  this should matter but thought I would point it out if there is some weird quirk where reusing the same SID of a previously authorized NPS server would cause an issue.
  All in all it is a fairly basic setup and hopefully I have provided enough information for someone to get an idea of what might be going on. I hope this was the right forum to post this too, I figured there would be a higher number of RADIUS experts here than
  any of the other categories. Apologies if my understanding of this seems a bit basic, after all, when it comes to RADIUS servers I guess you could say I'm the new guy here.

  Update 1:
  In an attempt to further troubleshoot this issue I have tried bringing up additional servers for testing. Here are the additional tests I have performed.
  Multiple Domains
  I have now tried this in 3 different isolated domains. Both our test and production domains as well as my private home domain which has very little in the way of customizations aside from the modifications made for Exchange and ConfigMgr. All have the same
  results described above.
  VPN Service
  Using Windows Server 2012 R2 we brought up a separate server to run a standard VPN setup. The intent was to see if we could use RADIUS authentication with the VPN and if that worked we would know the issue is with the SBCs. However, before we could even
  configure it to use RADIUS we just attempted to make sure it worked with standard Windows Authentication on the local VPN server. Interestingly, it too fails with the same events getting logged as the RADIUS servers. The client machine being a Windows 8.1
  workstation. Again I point out that we have working RADIUS servers used specifically for our wireless environment. The only difference between those RADIUS servers and the ones I am having problems with is that the working wireless servers are using PEAP instead
  of MSCHAPv2.
  FreeRADIUS
  Now I'm no Linux guru but I believe I have it up and running. I am able to use ntlm_auth to authenticate users when logged on to the console. However, when the radiusd service tries to use ntlm_auth to do essentially the same thing it fails and returns the
  same message I've been getting with the Windows server (E=691). I have the radiusd service running in debug mode so I can see more of what is going on. I can post the debug info I am getting if requested. The lines I am seeing of particular interest however
  are as follows:
  (1) ERROR: mschap : Program returned code (1) and output 'Logon failure (0xc000006d)'
  (1) mschap : External script failed.
  (1) ERROR: mschap : External script says: Logon Failure (0xc000006d)
  (1) ERROR: mschap : MS-CHAP2-Response is incorrect
  The thing to note here is that while we are essentially still getting a "wrong password" message, the actual status code (0xc000006d) is slightly different than what I was getting on the Windows Servers which was (0xc000006a). From this document
  you can see what these codes mean:
  NTSTATUS values . The good thing about this FreeRADIUS server is that I can see all of the challenge responses when it is in debug mode. So if I can wrap my head around how a MSCHAPv2 response is computed I can compare it to see if this is simply a miscomputed
  challenge response. Update: Was just noticing that the 6a code is just the sub-status code for the 6d code. So nothing different from the Windows Servers, I still wonder if there is a computation error with the challenge responses though.
  Currently, I am working on bringing up a Windows Server 2008 R2 instance of a RADIUS server to see if that helps at all. However, I would be surprised if something with the service broke between W2K8 R2 and W2K12 R2 without anyone noticing until now. If this
  doesn't work I may have to open a case with Microsoft. Update: Same results with W2K8 R2.

• 802.1x port authentication not working

  I am having some troubles figuring out what is going on here. I am trying to setup 802.1x port based authentication to assign clients to VLANs. I inherited this mess and its been a long time since I have used this. I ran a wireshark on my Radius server and I see no packets even coming from my switch IP address when I plug into a port (I verified communication because pings come up in my trace)
  Switch info:
  sw-ConfB>sho ver
  Cisco IOS Software, C2960C Software (C2960c405-UNIVERSALK9-M), Version 12.2(55)EX3, RELEASE SOFTWARE (fc2)
  Port config:
  interface FastEthernet0/11
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  Radius Server Info:
  radius-server host 10.0.1.52 auth-port 1645 acct-port 1646 key 802.1x!
  Kinda lost why not Radius packet even comes from the switch. Any tips?

  sw-ConfB#sho ru
  Building configuration...
  Current configuration : 6301 bytes
  version 12.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname sw-ConfB
  boot-start-marker
  boot-end-marker
  enable secret 5 $1$3QAC$puzutRpCI5zR3Xv55xBVH0
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa session-id common
  system mtu routing 1500
  crypto pki trustpoint TP-self-signed-706182400
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-706182400
   revocation-check none
   rsakeypair TP-self-signed-706182400
  crypto pki certificate chain TP-self-signed-706182400
   certificate self-signed 01
    3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 37303631 38323430 30301E17 0D393330 33303130 30303430
    365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
    532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3730 36313832
    34303030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
    C72AE421 F5BF8C62 7C9E14C1 E73686FB 67DD760A 0C6C790D 935143A0 8DD96CC8
    D14A11C1 D16F9583 AE3B591E 68581049 1C837110 1B1C0398 BDE81C86 3F80CD45
    E55EBE76 73B9F7AB 5F14CBD5 2BD38330 E1B4FA92 32490A66 CE0BE135 9B695D97
    BF7C04FB 2999CF98 2336E82C 559A89C1 7F4E2948 1D73EBD4 236E4DD9 4D8675AB
    02030100 01A36930 67300F06 03551D13 0101FF04 05300301 01FF3014 0603551D
    11040D30 0B820973 772D436F 6E66422E 301F0603 551D2304 18301680 14C35330
    A1D32EA5 C2A07CC9 B1B3CCDB EB93CAA7 02301D06 03551D0E 04160414 C35330A1
    D32EA5C2 A07CC9B1 B3CCDBEB 93CAA702 300D0609 2A864886 F70D0101 04050003
    8181002E FC217BF1 F9E6FBE1 B07270A6 79A57AA5 691A949D C61C00C2 09C1C3CA
    CA14EE07 60BA058E CFDCD8E7 19D83B68 5F06B92C 8612B396 B18BA823 C0E83021
    2EFD391E 06113246 5609E287 7883422A 0513AF6D 5BF03CDE 92786B1D 3E01284C
    1EE23296 12999C71 BE8A5BEA 4B768F7E 6EB63E05 B71AF375 7FB72B98 7665BF45 D14622
    quit
  dot1x system-auth-control
  spanning-tree mode pvst
  spanning-tree extend system-id
  vlan internal allocation policy ascending
  interface FastEthernet0/1
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/2
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/3
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/4
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/5
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/6
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/7
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/8
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/9
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/10
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/11
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/12
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface GigabitEthernet0/1
   switchport trunk native vlan 200
   switchport trunk allowed vlan 100,200,900
   switchport mode trunk
  interface GigabitEthernet0/2
   switchport access vlan 100
   switchport mode access
  interface Vlan1
   no ip address
  interface Vlan100
   ip address 10.0.1.3 255.255.255.0
  interface Vlan200
   ip address 10.0.2.4 255.255.255.0
  interface Vlan900
   ip address 10.0.9.4 255.255.255.0
  ip default-gateway 10.0.1.1
  ip http server
  ip http secure-server
  ip sla enable reaction-alerts
  radius-server host 10.0.1.52 auth-port 1645 acct-port 1646 key 802.1x!
  radius-server retransmit 5
  radius-server key secret
  radius-server vsa send authentication

• 802.1X Port Authentication\ACS Question

  Hello,
  I"m troubleshooting a 3560 port authentication issue. From what I was told from other members of my team when we upgraded to windows 7 at this site authentication no longer works. I compared an old config to a recent one and noticed there was no command dot1x system-auth-control.
  I have only been dealing with 802.1x for a short time and my other configs have this command. My question is without this command could there still have been port authentication working? On a inteface for ex. they do have the following which are inligned with my other configs. FYI, I didn't set this site up and it has the rest of the config correct like radius and aaa.  When I went onsite to test I shut down the service on my laptop for 802.1x which should of blocked me so I thought. When I checked the ACS server for the log it showed my username and my correct IP address along with the correct switch but it showed I connected using PAP_ASCII, I"m not sure how this protocol got used since we don't use that.  Thanks for any suggestions you might have.
  dot1x pae authenticator
  dot1x port-control auto
  dot1x host-mode multi-host
  dot1x violation-mode protect
  dot1x reauthentication
  aaa new-model
  aaa authentication password-prompt PASSCODE---->
  aaa authentication login default group radius local
  aaa authorization exec default group radius local
  aaa session-id common

  I have a little more to add. I was looking in the ACS and did find PAP_ASCII checked so at my home office which I know port security to be working at least that's what I thought. I turned off wired auto config and could still get on and when I looked at the ACS logs I saw my name with this protocol again. Not sure how this got turned on but my questionbecomes if 802.1x is setup on the switch but ACS allows this protocol and my laptop isn't running any 802.1x settings I can still get on the network, is this the correct behavior for this setup?
  Thanks,

• NAC 802.1x: VLAN assignment via RADIUS

  I'm deploy a 802.1x NAC solution. Users authenticate ok but the VLAN is not assigned to the port.
  The RADIUS server send the attributes to the NAD (switch 3560). I see the following lines in the radius debug output:
  02:49:08: RADIUS: Received from id 1645/4 192.168.1.1:1645, Access-Accept, len 267
  02:49:08: RADIUS: authenticator AB 90 94 95 D0 86 04 E5 - D3 AC 43 21 C0 31 29 EB
  02:49:08: RADIUS: Session-Timeout [27] 6 3600
  02:49:08: RADIUS: Termination-Action [29] 6 1
  02:49:08: RADIUS: Tunnel-Type [64] 6 01:Unsupported [13]
  02:49:08: RADIUS: Tunnel-Medium-Type [65] 6 01:Unsupported [6]
  02:49:08: RADIUS: Tunnel-Private-Group[81] 10 01:"healthy"
  02:49:08: RADIUS: Vendor, Cisco [26] 29
  02:49:08: RADIUS: Cisco AVpair [1] 23 "posture-token=Healthy"
  I suppose that the error appears because the attributes 64 and 65 are "Unsupported". Is it right?
  In RADIUS server I configure:
  attribute 64 = VLAN (13)
  attribute 65 = 802 (6)
  Below I attach switch configuration. The "healthy" vlan is configured in this one.
  Any help would be appreciated.
  Thanks and regards.
  Mart?n.

  I change the IOS and all work fine. The IOS must have the feature "NAC - L2 IEEE 802.1x".
  Other user has the same problem, he posted the question with the following subject: "NAC L2 802.1x VLAN assignment".In this question the problem is better described.

• Cisco Prime Infrastructure 2.1 GUI authentication via RADIUS server (Cisco ISE 1.2 integrated with AD)

  Hi,
  I want to access Cisco PI 2.1 GUI using my AD credentials, so on PI I've enabled RADIUS AAA Mode and added RADIUS servers (two ISE nodes in our case). On ISE I added PI as RADIUS client and configured the same keys. Next, on ISE I created authorization profile PRIME_ADMIN_ACCESS with only attribute settings defined:
  My authentication and authorization rules relating that case are as on following screenshots:
  So when I open GUI of PI and enter my AD credentials to log in I have no success and I receive following message:
  Looking in ISE's Authentication section I can see following:
  Time difference between these two authentication/authorizations is just 25 msecs and clicking on each of them reveals following:
  So at first I can authenticate and authorize (authorization profile has necessary attributes defined for PI management access (NCS:role0=Root, NCS:virtual-domain0=ROOT-DOMAIN)) and after 25 msecs I am getting failure. So what could be cause of such things and how I can successfully log in to PI GUI authenticating via ISE using AD credentials?

  Hi,
  -- Please Go to Administration > Logging > set the Message level to TRACE > Click save
  -- Then try to add the ISE.
  -- Once it fails, collect the logs from Administration > Logging > 
  check the "ncs-0-0.log"  & search the file for "ERROR" & paste the results here. This will give us exact reason.
  - Ashok
  Please rate the post or mark as correct answer as it will help others looking for similar information

• 802.1x port authentication failing after getting a access-accept packet

  Hi all,
  Im not 100% sure what the hell is going on here.
  Any idea's or help will be appreciated.
  Heres the topology.
  1 x windows 2012 NPS
  1x 3750X
  1x Windows 7 x64
  data flow
  <laptop> - - [gi 1/0/13]<3750X>[gi 1/0/48]- -[gi 5/39]<6513>[po 1] - - [po 4]<6509><5/1> - - <VMWARE>[NPS Server]
  The switch that is doing the authentication is the 3750X. Here is the IOS version.
  Switch Ports Model              SW Version            SW Image
  *    1 54    WS-C3750X-48       15.2(1)E              C3750E-UNIVERSALK9-M
  A wireshark trace on the NPS server shows that the packets are arriving and being sent back
  Wireshark on a mirror of the trunk port connecting the 6513. It also shows packets being sent and arriving. access-accept packets are being recieved.
  As you can see in the debug output, the switch is getting a access-accept, then it is stating a AAA failure.
  here is a debug output as you plug in the laptop.
  Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
  Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
  Oct 24 10:53:45.643: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
  Oct 24 10:53:46.641: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down
  Oct 24 10:53:47.538: dot1x-ev:[Gi1/0/13] Interface state changed to UP
  Oct 24 10:53:47.564: dot1x-packet:[6431.500e.9b00, Gi1/0/13] queuing an EAPOL pkt on Auth Q
  Oct 24 10:53:47.572: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/13
  Oct 24 10:53:47.572: dot1x-packet:EAPOL pak rx - Ver: 0x1  type: 0x1
  Oct 24 10:53:47.572: dot1x-packet: length: 0x0000
  Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 0,TYPE= 0,LEN= 0
  Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
  Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Couldn't find the supplicant in the list
  Oct 24 10:53:47.572: dot1x-ev:[6431.500e.9b00, Gi1/0/13] New client detected, sending session start event for 6431.500e.9b00
  Oct 24 10:53:47.572: AAA/BIND(00000047): Bind i/f
  Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Sending create new context event to EAP for 0x15000045 (6431.500e.9b00)
  Oct 24 10:53:47.580: EAP-EVENT: Received context create from LL (Dot1x-Authenticator) (0x15000045)
  Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received AAA ID 0x00000047 from LL
  Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: Assigning AAA ID 0x00000047
  Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: CTS not enabled on interface Gi1/0/13
  Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received Session ID "C0A846660000004700DF6030" from LL
  Oct 24 10:53:47.580: EAP-AUTH-EVENT: Setting authentication mode: Passthrough
  Oct 24 10:53:47.580:     eap_authen : initial state eap_auth_initialize has enter
  Oct 24 10:53:47.580: EAP-EVENT: Allocated new EAP context (handle = 0xE8000047)
  Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Created a client entry (0x15000045)
  Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Dot1x authentication started for 0x15000045 (6431.500e.9b00)
  Oct 24 10:53:47.580: %AUTHMGR-5-START: Starting 'dot1x' for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
  Oct 24 10:53:47.580: EAP-EVENT: Received EAP event 'EAP_AUTHENTICATOR_START' on handle 0xE8000047
  Oct 24 10:53:47.580:     eap_authen : during state eap_auth_initialize, got event 25(eapStartTmo)
  Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_initialize -> eap_auth_select_action
  Oct 24 10:53:47.580:     eap_authen : during state eap_auth_select_action, got event 20(eapDecisionPropose)
  Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_select_action -> eap_auth_propose_method
  Oct 24 10:53:47.580:     eap_authen : idle during state eap_auth_propose_method
  Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_propose_method -> eap_auth_method_request
  Oct 24 10:53:47.580:     eap_authen : idle during state eap_auth_method_request
  Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_method_request -> eap_auth_tx_packet
  Oct 24 10:53:47.580: EAP-AUTH-EVENT: Current method = Identity
  Oct 24 10:53:47.580: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_ID_REQUEST' on handle 0xE8000047
  Oct 24 10:53:47.580:     eap_authen : idle during state eap_auth_tx_packet
  Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_tx_packet -> eap_auth_idle
  Oct 24 10:53:47.589: EAP-AUTH-TX-PAK: Code:REQUEST  ID:0x1   Length:0x0005  Type:IDENTITY
  Oct 24 10:53:47.589: EAP-EVENT: Started 'Authenticator ReqId Retransmit' timer (30s) for EAP sesion handle 0xE8000047
  Oct 24 10:53:47.589: EAP-EVENT: Started EAP tick timer
  Oct 24 10:53:47.589: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_TX_PACKET' on handle 0xE8000047
  Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
  Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
  Oct 24 10:53:47.597: dot1x-packet:EAPOL pak Tx - Ver: 0x3  type: 0x0
  Oct 24 10:53:47.597: dot1x-packet: length: 0x0005
  Oct 24 10:53:47.597: dot1x-packet:EAP code: 0x1  id: 0x1  length: 0x0005
  Oct 24 10:53:47.597: dot1x-packet: type: 0x1
  Oct 24 10:53:47.597: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL packet sent to client 0x15000045
  Oct 24 10:53:47.606: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Queuing an EAPOL pkt on Authenticator Q
  Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1  type: 0x0
  Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
  Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 2,TYPE= 1,LEN= 31
  Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.001f
  Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1  type: 0x0
  Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
  Oct 24 10:53:47.606: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Response sent to the server from 0x15000045
  Oct 24 10:53:47.606: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_RX_PACKET' on handle 0xE8000047
  Oct 24 10:53:47.606: EAP-AUTH-RX-PAK: Code:RESPONSE  ID:0x1   Length:0x001F  Type:IDENTITY
  Oct 24 10:53:47.606:     Payload:  47454E4552414C5C72616E64792E636F ...
  Oct 24 10:53:47.606:     eap_authen : during state eap_auth_idle, got event 1(eapRxPacket)
  Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_idle -> eap_auth_received
  Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response received by context 0xE8000047
  Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response type = Identity
  Oct 24 10:53:47.606: EAP-EVENT: Stopping 'Authenticator ReqId Retransmit' timer for EAP sesion handle 0xE8000047
  Oct 24 10:53:47.606:     eap_authen : during state eap_auth_received, got event 10(eapMethodData)
  Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_received -> eap_auth_method_response
  Oct 24 10:53:47.606: EAP-AUTH-EVENT: Received peer identity: GENERAL\randy.coburn.admin
  Oct 24 10:53:47.606: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_IDENTITY' on handle 0xE8000047
  Oct 24 10:53:47.606:     eap_authen : during state eap_auth_method_response, got event 13(eapMethodEnd)
  Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_method_response -> eap_auth_select_action
  Oct 24 10:53:47.606:     eap_authen : during state eap_auth_select_action, got event 19(eapDecisionPass)
  Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_select_action -> eap_auth_passthru_init
  Oct 24 10:53:47.606:     eap_authen : during state eap_auth_passthru_init, got event 22(eapPthruIdentity)
  Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_passthru_init -> eap_auth_aaa_req
  Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_GET_PEER_MAC_ADDRESS' on handle 0xE8000047
  Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding Audit-Session-ID "C0A846660000004700DF6030" to RADIUS Req
  Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added Audit-Session-ID
  Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding IDB "0x070B90F8" to RADIUS Req
  Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added IDB
  Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_AAA_REQUEST' on handle 0xE8000047
  Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: eap_auth_aaa_authen_request_shim aaa_service 19, eap aaa_list handle 0, mlist handle 0
  Oct 24 10:53:47.614: AAA/AUTHEN/8021X (00000000): Pick method list 'default'
  Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Request sent successfully
  Oct 24 10:53:47.614:     eap_authen : during state eap_auth_aaa_req, got event 24(eapAAAReqOk)
  Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_aaa_req -> eap_auth_aaa_idle
  Oct 24 10:53:47.614: RADIUS/ENCODE(00000000):Orig. component type = Invalid
  Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute hwidb
  Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-type
  Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-service
  Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute clid-mac-addr
  Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute target-scope
  Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-unique-id
  Oct 24 10:53:47.614: RADIUS(00000000): Config NAS IP: 0.0.0.0
  Oct 24 10:53:47.614: RADIUS(00000000): sending
  Oct 24 10:53:47.614: RADIUS/ENCODE: Best Local IP-Address 192.168.70.102 for Radius-Server 192.168.19.121
  Oct 24 10:53:47.614: RADIUS(00000000): Send Access-Request to 192.168.19.121:1645 id 1645/21, len 288
  Oct 24 10:53:47.614: RADIUS:  authenticator F1 BA E5 31 71 54 BF 1A - A2 B1 5E 1A 63 72 1E 72
  Oct 24 10:53:47.614: RADIUS:  User-Name           [1]   28  "GENERAL\randy.coburn.admin"
  Oct 24 10:53:47.614: RADIUS:  Service-Type        [6]   6   Framed                    [2]
  Oct 24 10:53:47.614: RADIUS:  Vendor, Cisco       [26]  27
  Oct 24 10:53:47.614: RADIUS:   Cisco AVpair       [1]   21  "service-type=Framed"
  Oct 24 10:53:47.614: RADIUS:  Framed-MTU          [12]  6   1500
  Oct 24 10:53:47.614: RADIUS:  Called-Station-Id   [30]  19  "AC-F2-C5-75-7D-0D"
  Oct 24 10:53:47.614: RADIUS:  Calling-Station-Id  [31]  19  "64-31-50-0E-9B-00"
  Oct 24 10:53:47.614: RADIUS:  EAP-Message         [79]  33
  Oct 24 10:53:47.614: RADIUS:   02 01 00 1F 01 47 45 4E 45 52 41 4C 5C 72 61 6E 64 79 2E 63 6F  [GENERAL\randy.co]
  Oct 24 10:53:47.622: RADIUS:   62 75 72 6E 2E 61 64 6D 69 6E        [ burn.admin]
  Oct 24 10:53:47.622: RADIUS:  Message-Authenticato[80]  18
  Oct 24 10:53:47.622: RADIUS:   EE 52 4D ED B9 06 F3 CE 63 AC 9D 73 24 1B A7 ED             [ RMcs$]
  Oct 24 10:53:47.622: RADIUS:  EAP-Key-Name        [102] 2   *
  Oct 24 10:53:47.622: RADIUS:  Vendor, Cisco       [26]  49
  Oct 24 10:53:47.622: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A846660000004700DF6030"
  Oct 24 10:53:47.622: RADIUS:  Vendor, Cisco       [26]  20
  Oct 24 10:53:47.622: RADIUS:   Cisco AVpair       [1]   14  "method=dot1x"
  Oct 24 10:53:47.622: RADIUS:  NAS-IP-Address      [4]   6   192.168.70.102
  Oct 24 10:53:47.622: RADIUS:  NAS-Port            [5]   6   60000
  Oct 24 10:53:47.622: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/13"
  Oct 24 10:53:47.622: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
  Oct 24 10:53:47.622: RADIUS(00000000): Sending a IPv4 Radius Packet
  Oct 24 10:53:47.622: RADIUS(00000000): Started 10 sec timeout
  Oct 24 10:53:47.622: RADIUS: Received from id 1645/21 192.168.19.121:1645, Access-Accept, len 66
  Oct 24 10:53:47.622: RADIUS:  authenticator 92 F6 07 AF C1 AB 0B 4C - 1D 9E A0 D1 01 36 27 26
  Oct 24 10:53:47.622: RADIUS:  Class               [25]  46
  Oct 24 10:53:47.622: RADIUS:   76 E3 06 66 00 00 01 37 00 01 02 00 C0 A8 13 79 00 00 00 00 00 00 00 00 00 00 00 00 01 CE CF F8 1F 7B 75 41 00 00 00 00 00 00 00 50          [ vf7y{uAP]
  Oct 24 10:53:47.622: RADIUS(00000000): Received from id 1645/21
  Oct 24 10:53:47.622: EAP-EVENT: eap_aaa_reply
  Oct 24 10:53:47.622: EAP-AUTH-AAA-EVENT: Reply received session_label 72000033
  Oct 24 10:53:47.622: EAP-EVENT: Received AAA event 'EAP_AAA_FAIL' on handle 0xE8000047
  Oct 24 10:53:47.622:     eap_authen : during state eap_auth_aaa_idle, got event 8(eapAAAFail)
  Oct 24 10:53:47.622: @@@ eap_authen : eap_auth_aaa_idle -> eap_auth_failure
  Oct 24 10:53:47.631: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
  Oct 24 10:53:47.631: EAP-AUTH-TX-PAK: Code:FAILURE  ID:0x1   Length:0x0004
  Oct 24 10:53:47.631: EAP-AUTH-EVENT: FAIL for EAP method ID: 1, name: , on handle 0xE8000047
  Oct 24 10:53:47.631: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_FAIL' on handle 0xE8000047
  Oct 24 10:53:47.631: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Received an EAP Fail
  Oct 24 10:53:47.639: %DOT1X-5-FAIL: Authentication failed for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
  Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Added username in dot1x
  Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Dot1x did not receive any key data
  Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Processing client delete for hdl 0x15000045 sent by Auth Mgr
  Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] 6431.500e.9b00: sending canned failure due to method termination
  Oct 24 10:53:47.639: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
  Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
  Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
  Oct 24 10:53:47.639: dot1x-packet:EAPOL pak Tx - Ver: 0x3  type: 0x0
  Oct 24 10:53:47.639: dot1x-packet: length: 0x0004
  Oct 24 10:53:47.639: dot1x-packet:EAP code: 0x4  id: 0x1  length: 0x0004
  Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL canned status packet sent to client 0x15000045
  Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Deleting client 0x15000045 (6431.500e.9b00)
  Oct 24 10:53:47.639: %AUTHMGR-7-STOPPING: Stopping 'dot1x' for client 6431.500e.9b00 on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
  Oct 24 10:53:47.639: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
  Oct 24 10:53:47.648: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Delete auth client (0x15000045) message
  Oct 24 10:53:47.648: EAP-EVENT: Received free context (0xE8000047) from LL (Dot1x-Authenticator)
  Oct 24 10:53:47.648: dot1x-ev:Auth client ctx destroyed
  Oct 24 10:53:47.648: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_DELETE' on handle 0xE8000047
  Oct 24 10:53:47.648: EAP-AUTH-EVENT: Freed EAP auth context
  Oct 24 10:53:47.648: EAP-EVENT: Freed EAP context
  Oct 24 10:53:48.621: EAP-EVENT: Stopped EAP tick timer
  Oct 24 10:53:49.485: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to up
  Oct 24 10:53:50.491: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to up
  Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
  Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
  Oct 24 10:53:54.518: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
  Oct 24 10:53:55.524: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down

  Hi Jatin,
  See below the data that you have requested.
  show run bits.
  aaa new-model
  aaa authentication dot1x default group radius
  aaa session-id common
  clock timezone BST 0 0
  clock summer-time UTC recurring last Sun Mar 1:00 last Sun Oct 2:00
  dot1x system-auth-control
  interface GigabitEthernet1/0/13
  switchport access vlan 80
  switchport mode access
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  interface GigabitEthernet1/0/48
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 70
  switchport mode trunk
  radius server NPS1
  address ipv4 192.168.19.121 auth-port 1645 acct-port 1646
  timeout 10
  key thesecret
  ip default-gateway 192.168.70.1
  SW1-randy#show auth sessions interface gig 1/0/13
  Interface    MAC Address    Method       Domain          Status    Fg Session ID
  Gi1/0/13     803f.5d09.189e N/A          UNKNOWN      Unauth         C0A846660000002F00251DBC
  SW1-randy#Show mac address-table Interface GigabitEthernet1/0/13
            Mac Address Table
  Vlan    Mac Address       Type        Ports
    80    803f.5d09.189e    DYNAMIC     Drop
  SW1-randy#ping 192.168.19.121
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.19.121, timeout is 2 seconds:
  Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
  Here is a wireshark of the accept packet.
  Message was edited by: randy coburn
  Added wireshark trace

• ISE Sponsor Authentication via RADIUS

  My client is requesting us to change the way the sponsor users are authenticated and authorized to access the ISE Sponsor Portal.
  Their like to pass the ISE request to AD through a RADIUS server first. They said "to avoid sending AD credentials to ISE directly". Under this requirements,
  My search and limited knowledge give me to assume I should define a Proxy RADIUS
  I think I can Define an External RADIUS server, but I wonder if creating this, it would be available as an Identity Source for the "Sponsor Portal Sequence".
  If not, how can I add this? After that, what conditions or attributes should I look for to use in the "Sponsor Group Policy" in order to filter username/password and allow access only to employees and deny access to anyone else?
  I will appreciate any advice you can give me to offer the best recommendation to the customer.
  Regards.
  Daniel Escalante.       

  I think I understood the customer concern. This is quoted from Microsoft http://support.microsoft.com/kb/321051
  "The Lightweight Directory Access Protocol (LDAP) is used to read from and write to Active Directory. By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology."
  So the question now is how can we be sure the ISE communication is secure? ... I understand port 636 is used to transport LDAP-Secure ...
  The ISE User Gude indicates that one of the ports required to be open in the case a firewall exists between ISE and ADE is 636 (LDAPS). -(ISE User Guide Page 5-6)
  In my case there is no FW between ISE and AD, so where or how can I show the customer we are using LDAPS?
  Regards.