802.1x with EAP-TLS Fails on Wired

Dear Colleagues,
I am currently encountering an issue which does not seem to make sense to me and hence checking if anyone of you have come across the same or can provide further input on how to proceed...
Setup :
1. Radius Server - Cisco ACS 1113 Engine
2. Authenticator - Cisco 6509 Switch
3. Supplicant - Windows XP SP2/3
Problem:
1. Supplicants fail to authenticate using EAP-TLS as the authentication method.
Errors Seen:
1. Cisco ACS Reports - Authen session timed out: Supplicant did not respond to ACS correctly. Check supplicant configuration.
2. Cisco Switch Reports - dot1x-err(Gi3/39): Invalid Eapol packet length = 1490
3. Supplicant Reports when Trace enabled in the RASTLS file - â>> Received Failure (Code: 4) packet: Id: 8, Length: 4, Type: 0, TLS blob length: 0. Flags:â and âCode 4 unexpected in state SentFinishedâ
Other Information:
1. Wireless Clients using the windows supplicant and EAP-TLS connect without any issue.
2. ACS has certificates issued by 3rd Party Root CA - Geotrust.
3. Clients have Certs issued by clients own CA infrastructure.
4. ACS has the clients Root CA cert in the trust list and hence why the wireless users work.
5. PEAP works fine on wired.
Any pointers appreciated. Happy to share logs from Switch / Supplicant and ACS if needed.
Thanks
Volven

Similar Messages

IEEE 802.1x with EAP-TLS issue in cisco 2960

In My Cisco 2960 switch is not working with EAP-TLS mechanism of 802.1x but its works well with other protocols like EAP-PEAP or MAC Address authentication.
Below is the configuration
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group radius
aaa authorization configuration default group radius
aaa accounting update periodic 30
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
interface FastEthernet0/1
switchport access vlan 11
switchport mode access
speed 100
duplex full
authentication order dot1x mab webauth
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 3
dot1x timeout supp-timeout 3
spanning-tree portfast
spanning-tree bpduguard enable
Can anyone suggest me ?

Thanks for the reply jatin.
I have a client on the interface fa0/1 with a valid client certificate. And have a debug logs as below
*Mar 8 00:03:06.266: dot1x-ev(Fa0/1): Interface state changed to UP
*Mar 8 00:03:06.266: AAA/BIND(000001C7): Bind i/f
*Mar 8 00:03:06.266:     dot1x_auth Fa0/1: initial state auth_initialize has enter
*Mar 8 00:03:06.266: dot1x-sm(Fa0/1): 0xB0000DBA:auth_initialize_enter called
*Mar 8 00:03:06.266:     dot1x_auth Fa0/1: during state auth_initialize, got event 0(cfg_auto)
*Mar 8 00:03:06.266: @@@ dot1x_auth Fa0/1: auth_initialize -> auth_disconnected
*Mar 8 00:03:06.266: dot1x-sm(Fa0/1): 0xB0000DBA:auth_disconnected_enter called
*Mar 8 00:03:06.266:     dot1x_auth Fa0/1: idle during state auth_disconnected
*Mar 8 00:03:06.266: @@@ dot1x_auth Fa0/1: auth_disconnected -> auth_restart
*Mar 8 00:03:06.266: dot1x-sm(Fa0/1): 0xB0000DBA:auth_restart_enter called
*Mar 8 00:03:06.266: dot1x-ev(Fa0/1): Sending create new context event to EAP for 0xB0000DBA (0000.0000.0000)
*Mar 8 00:03:06.266:     dot1x_auth_bend Fa0/1: initial state auth_bend_initialize has enter
*Mar 8 00:03:06.266: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_initialize_enter called
*Mar 8 00:03:06.266:     dot1x_auth_bend Fa0/1: initial state auth_bend_initialize has idle
*Mar 8 00:03:06.266:     dot1x_auth_bend Fa0/1: during state auth_bend_initialize, got event 16383(idle)
*Mar 8 00:03:06.266: @@@ dot1x_auth_bend Fa0/1: auth_bend_initialize -> auth_bend_idle
*Mar 8 00:03:06.266: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_idle_enter called
*Mar 8 00:03:06.266: dot1x-ev(Fa0/1): Created a client entry (0xB0000DBA)
*Mar 8 00:03:06.266: dot1x-ev(Fa0/1): Dot1x authentication started for 0xB0000DBA (0000.0000.0000)
*Mar 8 00:03:06.266: dot1x-ev:DOT1X Supplicant not enabled on FastEthernet0/1
*Mar 8 00:03:06.266: dot1x-sm(Fa0/1): Posting !EAP_RESTART on Client 0xB0000DBA
*Mar 8 00:03:06.266:     dot1x_auth Fa0/1: during state auth_restart, got event 6(no_eapRestart)
*Mar 8 00:03:06.266: @@@ dot1x_auth Fa0/1: auth_restart -> auth_connecting
*Mar 8 00:03:06.266: dot1x-sm(Fa0/1): 0xB0000DBA:auth_connecting_enter called
*Mar 8 00:03:06.274: dot1x-sm(Fa0/1): 0xB0000DBA:auth_restart_connecting_action called
*Mar 8 00:03:06.274: dot1x-sm(Fa0/1): Posting RX_REQ on Client 0xB0000DBA
*Mar 8 00:03:06.274:     dot1x_auth Fa0/1: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
*Mar 8 00:03:06.274: @@@ dot1x_auth Fa0/1: auth_connecting -> auth_authenticating
*Mar 8 00:03:06.274: dot1x-sm(Fa0/1): 0xB0000DBA:auth_authenticating_enter called
*Mar 8 00:03:06.274: dot1x-sm(Fa0/1): 0xB0000DBA:auth_connecting_authenticating_action called
*Mar 8 00:03:06.274: dot1x-sm(Fa0/1): Posting AUTH_START for 0xB0000DBA
*Mar 8 00:03:06.274:     dot1x_auth_bend Fa0/1: during state auth_bend_idle, got event 4(eapReq_authStart)
*Mar 8 00:03:06.274: @@@ dot1x_auth_bend Fa0/1: auth_bend_idle -> auth_bend_request
*Mar 8 00:03:06.274: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_enter called
*Mar 8 00:03:06.274: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:06.274: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:06.274: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 8 00:03:06.274: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:06.274: EAPOL pak dump Tx
*Mar 8 00:03:06.274: EAPOL Version: 0x3 type: 0x0 length: 0x0005
*Mar 8 00:03:06.274: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
*Mar 8 00:03:06.274: dot1x-packet(Fa0/1): EAPOL packet sent to client 0xB0000DBA (0000.0000.0000)
*Mar 8 00:03:06.274: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_idle_request_action called
*Mar 8 00:03:06.794: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:06.794: dot1x-packet(Fa0/1): queuing an EAPOL pkt on Auth Q
*Mar 8 00:03:06.794: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar 8 00:03:06.794: EAPOL pak dump rx
*Mar 8 00:03:06.794: EAPOL Version: 0x1 type: 0x1 length: 0x0000
*Mar 8 00:03:06.794: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/1 CODE= 0,TYPE= 0,LEN= 0
*Mar 8 00:03:06.794: dot1x-packet(Fa0/1): Received an EAPOL frame
*Mar 8 00:03:06.794: dot1x-ev(Fa0/1): Received pkt saddr =d43d.7e65.4fc1 , daddr = 0180.c200.0003,
    pae-ether-type = 888e.0101.0000
*Mar 8 00:03:06.794: dot1x-ev(Fa0/1): Couldn't find the supplicant in the list
*Mar 8 00:03:06.794: dot1x-ev(Fa0/1): New client detected, notifying AuthMgr
*Mar 8 00:03:06.794: dot1x-ev(Fa0/1): Sending event (0) to Auth Mgr for d43d.7e65.4fc1
*Mar 8 00:03:06.794: dot1x-packet(Fa0/1): Received an EAPOL-Start packet
*Mar 8 00:03:06.794: EAPOL pak dump rx
*Mar 8 00:03:06.794: EAPOL Version: 0x1 type: 0x1 length: 0x0000
*Mar 8 00:03:06.794: dot1x-sm(Fa0/1): Posting EAPOL_START on Client 0xB0000DBA
*Mar 8 00:03:06.794:     dot1x_auth Fa0/1: during state auth_authenticating, got event 4(eapolStart)
*Mar 8 00:03:06.794: @@@ dot1x_auth Fa0/1: auth_authenticating -> auth_aborting
*Mar 8 00:03:06.794: dot1x-sm(Fa0/1): 0xB0000DBA:auth_authenticating_exit called
*Mar 8 00:03:06.794: dot1x-sm(Fa0/1): 0xB0000DBA:auth_aborting_enter called
*Mar 8 00:03:06.794: dot1x-ev(Fa0/1): 802.1x method gets the go ahead from Auth Mgr for 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:06.794: %AUTHMGR-5-START: Starting 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EE240F5BAB
*Mar 8 00:03:06.794: dot1x-sm(Fa0/1): Posting AUTH_ABORT for 0xB0000DBA
*Mar 8 00:03:06.794:     dot1x_auth_bend Fa0/1: during state auth_bend_request, got event 1(authAbort)
*Mar 8 00:03:06.794: @@@ dot1x_auth_bend Fa0/1: auth_bend_request -> auth_bend_initialize
*Mar 8 00:03:06.794: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_initialize_enter called
*Mar 8 00:03:06.794:     dot1x_auth_bend Fa0/1: idle during state auth_bend_initialize
*Mar 8 00:03:06.794: @@@ dot1x_auth_bend Fa0/1: auth_bend_initialize -> auth_bend_idle
*Mar 8 00:03:06.794: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_idle_enter called
*Mar 8 00:03:06.794: dot1x-sm(Fa0/1): Posting !AUTH_ABORT on Client 0xB0000DBA
*Mar 8 00:03:06.794:     dot1x_auth Fa0/1: during state auth_aborting, got event 20(no_eapolLogoff_no_authAbort)
*Mar 8 00:03:06.794: @@@ dot1x_auth Fa0/1: auth_aborting -> auth_restart
*Mar 8 00:03:06.794: dot1x-sm(Fa0/1): 0xB0000DBA:auth_aborting_exit called
*Mar 8 00:03:06.794: dot1x-sm(Fa0/1): 0xB0000DBA:auth_restart_enter called
*Mar 8 00:03:06.794: dot1x-ev(Fa0/1): Resetting the client 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:06.794: dot1x-ev(Fa0/1): Sending create new context event to EAP for 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:06.802: dot1x-sm(Fa0/1): 0xB0000DBA:auth_aborting_restart_action called
*Mar 8 00:03:06.802: dot1x-sm(Fa0/1): Posting !EAP_RESTART on Client 0xB0000DBA
*Mar 8 00:03:06.802:     dot1x_auth Fa0/1: during state auth_restart, got event 6(no_eapRestart)
*Mar 8 00:03:06.802: @@@ dot1x_auth Fa0/1: auth_restart -> auth_connecting
*Mar 8 00:03:06.802: dot1x-sm(Fa0/1): 0xB0000DBA:auth_connecting_enter called
*Mar 8 00:03:06.802: dot1x-sm(Fa0/1): 0xB0000DBA:auth_restart_connecting_action called
*Mar 8 00:03:06.811: dot1x-sm(Fa0/1): Posting RX_REQ on Client 0xB0000DBA
*Mar 8 00:03:06.811:     dot1x_auth Fa0/1: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
*Mar 8 00:03:06.811: @@@ dot1x_auth Fa0/1: auth_connecting -> auth_authenticating
*Mar 8 00:03:06.811: dot1x-sm(Fa0/1): 0xB0000DBA:auth_authenticating_enter called
*Mar 8 00:03:06.811: dot1x-sm(Fa0/1): 0xB0000DBA:auth_connecting_authenticating_action called
*Mar 8 00:03:06.811: dot1x-sm(Fa0/1): Posting AUTH_START for 0xB0000DBA
*Mar 8 00:03:06.811:     dot1x_auth_bend Fa0/1: during state auth_bend_idle, got event 4(eapReq_authStart)
*Mar 8 00:03:06.811: @@@ dot1x_auth_bend Fa0/1: auth_bend_idle -> auth_bend_request
*Mar 8 00:03:06.811: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_enter called
*Mar 8 00:03:06.811: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:06.811: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:06.811: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 8 00:03:06.811: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:06.811: EAPOL pak dump Tx
*Mar 8 00:03:06.811: EAPOL Version: 0x3 type: 0x0 length: 0x0005
*Mar 8 00:03:06.811: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
*Mar 8 00:03:06.811: dot1x-packet(Fa0/1): EAPOL packet sent to client 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:06.811: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_idle_request_action called
*Mar 8 00:03:06.811: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:06.811: dot1x-packet(Fa0/1): Queuing an EAPOL pkt on Authenticator Q
*Mar 8 00:03:06.811: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar 8 00:03:06.811: EAPOL pak dump rx
*Mar 8 00:03:06.811: EAPOL Version: 0x1 type: 0x0 length: 0x0022
*Mar 8 00:03:06.811: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/1 CODE= 2,TYPE= 1,LEN= 34
*Mar 8 00:03:06.811: dot1x-packet(Fa0/1): Received an EAPOL frame
*Mar 8 00:03:06.811: dot1x-ev(Fa0/1): Received pkt saddr =d43d.7e65.4fc1 , daddr = 0180.c200.0003,
    pae-ether-type = 888e.0100.0022
*Mar 8 00:03:06.811: dot1x-packet(Fa0/1): Received an EAP packet
*Mar 8 00:03:06.811: EAPOL pak dump rx
*Mar 8 00:03:06.811: EAPOL Version: 0x1 type: 0x0 length: 0x0022
*Mar 8 00:03:06.811: dot1x-packet(Fa0/1): Received an EAP packet from d43d.7e65.4fc1
*Mar 8 00:03:06.811: dot1x-sm(Fa0/1): Posting EAPOL_EAP for 0xB0000DBA
*Mar 8 00:03:06.811:     dot1x_auth_bend Fa0/1: during state auth_bend_request, got event 6(eapolEap)
*Mar 8 00:03:06.811: @@@ dot1x_auth_bend Fa0/1: auth_bend_request -> auth_bend_response
*Mar 8 00:03:06.811: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_enter called
*Mar 8 00:03:06.811: dot1x-ev(Fa0/1): dot1x_sendRespToServer: Response sent to the server from 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:06.811: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_response_action called
*Mar 8 00:03:06.811: AAA/AUTHEN/8021X (000001C7): Pick method list 'default'
*Mar 8 00:03:06.819: RADIUS/ENCODE(000001C7):Orig. component type = DOT1X
*Mar 8 00:03:06.819: RADIUS(000001C7): Config NAS IP: 0.0.0.0
*Mar 8 00:03:06.819: RADIUS/ENCODE(000001C7): acct_session_id: 724
*Mar 8 00:03:06.819: RADIUS(000001C7): sending
*Mar 8 00:03:06.819: RADIUS/ENCODE: Best Local IP-Address 10.26.237.11 for Radius-Server 10.26.13.59
*Mar 8 00:03:06.819: RADIUS(000001C7): Send Access-Request to 10.26.13.59:1812 id 1645/83, len 251
*Mar 8 00:03:06.819: RADIUS: authenticator A1 79 FA E5 F4 B7 7F 4F - 2B 73 3A 0D 1F D8 89 20
*Mar 8 00:03:06.819: RADIUS: User-Name           [1]   31 "host/D0902MALL005.IN.intranet"
*Mar 8 00:03:06.819: RADIUS: Service-Type        [6]   6   Framed                    [2]
*Mar 8 00:03:06.819: RADIUS: Framed-MTU          [12] 6   1500
*Mar 8 00:03:06.819: RADIUS: Called-Station-Id   [30] 19 "D4-A0-2A-EE-14-81"
*Mar 8 00:03:06.819: RADIUS: Calling-Station-Id [31] 19 "D4-3D-7E-65-4F-C1"
*Mar 8 00:03:06.819: RADIUS: EAP-Message         [79] 36
*Mar 8 00:03:06.819: RADIUS:   02 01 00 22 01 68 6F 73 74 2F 44 30 39 30 32 4D 41 4C 4C 30 ["host/D0902MALL0]
*Mar 8 00:03:06.819: RADIUS:   30 35 2E 49 4E 2E 69 6E 74 72 61 6E 65 74    [ 05.IN.intranet]
*Mar 8 00:03:06.819: RADIUS: Message-Authenticato[80] 18
*Mar 8 00:03:06.819: RADIUS:   D6 6F 7B CD 36 46 5E F6 90 6F 85 A8 BD BD AE D8            [ o{6F^o]
*Mar 8 00:03:06.819: RADIUS: EAP-Key-Name        [102] 2   *
*Mar 8 00:03:06.819: RADIUS: Vendor, Cisco       [26] 49
*Mar 8 00:03:06.819: RADIUS:   Cisco AVpair       [1]   43 "audit-session-id=0A1AED0B000000EE240F5BAB"
*Mar 8 00:03:06.819: RADIUS: NAS-Port-Type       [61] 6   Ethernet                  [15]
*Mar 8 00:03:06.819: RADIUS: NAS-Port            [5]   6   50001
*Mar 8 00:03:06.819: RADIUS: NAS-Port-Id         [87] 17 "FastEthernet0/1"
*Mar 8 00:03:06.819: RADIUS: NAS-IP-Address      [4]   6   10.26.237.11
*Mar 8 00:03:06.819: RADIUS: Acct-Session-Id     [44] 10 "000002D4"
*Mar 8 00:03:06.819: RADIUS(000001C7): Started 3 sec timeout
*Mar 8 00:03:06.861: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 8 00:03:06.903: RADIUS: Received from id 1645/83 10.26.13.59:1812, Access-Challenge, len 76
*Mar 8 00:03:06.903: RADIUS: authenticator 7B 1C DC CA A8 92 E9 34 - 17 86 25 2F 9D 7E 63 96
*Mar 8 00:03:06.903: RADIUS: EAP-Message         [79] 8
*Mar 8 00:03:06.903: RADIUS:   01 02 00 06 0D 20                 [ ]
*Mar 8 00:03:06.903: RADIUS: Message-Authenticato[80] 18
*Mar 8 00:03:06.903: RADIUS:   DD F3 7B 33 37 6D 40 BD F3 D2 78 DF F1 14 4D E4           [ {37m@xM]
*Mar 8 00:03:06.903: RADIUS: State               [24] 30
*Mar 8 00:03:06.903: RADIUS:   00 7D 00 9B 00 C1 00 40 ED B8 45 00 FC DD 50 2E DC 0E E6 03 FC 7B AD 4C B7 E7 B1 70          [ }@EP.{Lp]
*Mar 8 00:03:06.911: RADIUS(000001C7): Received from id 1645/83
*Mar 8 00:03:06.911: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
*Mar 8 00:03:06.911: dot1x-sm(Fa0/1): Posting EAP_REQ for 0xB0000DBA
*Mar 8 00:03:06.911:     dot1x_auth_bend Fa0/1: during state auth_bend_response, got event 7(eapReq)
*Mar 8 00:03:06.911: @@@ dot1x_auth_bend Fa0/1: auth_bend_response -> auth_bend_request
*Mar 8 00:03:06.911: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_exit called
*Mar 8 00:03:06.911: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_enter called
*Mar 8 00:03:06.911: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:06.911: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:06.911: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 8 00:03:06.911: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:06.911: EAPOL pak dump Tx
*Mar 8 00:03:06.911: EAPOL Version: 0x3 type: 0x0 length: 0x0006
*Mar 8 00:03:06.911: EAP code: 0x1 id: 0x2 length: 0x0006 type: 0xD
*Mar 8 00:03:06.911: dot1x-packet(Fa0/1): EAPOL packet sent to client 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:06.911: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_request_action called
*Mar 8 00:03:06.920: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:06.920: dot1x-packet(Fa0/1): Queuing an EAPOL pkt on Authenticator Q
*Mar 8 00:03:06.920: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar 8 00:03:06.920: EAPOL pak dump rx
*Mar 8 00:03:06.920: EAPOL Version: 0x1 type: 0x0 length: 0x0069
*Mar 8 00:03:06.920: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/1 CODE= 2,TYPE= 13,LEN= 105
*Mar 8 00:03:06.920: dot1x-packet(Fa0/1): Received an EAPOL frame
*Mar 8 00:03:06.920: dot1x-ev(Fa0/1): Received pkt saddr =d43d.7e65.4fc1 , daddr = 0180.c200.0003,
    pae-ether-type = 888e.0100.0069
*Mar 8 00:03:06.920: dot1x-packet(Fa0/1): Received an EAP packet
*Mar 8 00:03:06.920: EAPOL pak dump rx
*Mar 8 00:03:06.920: EAPOL Version: 0x1 type: 0x0 length: 0x0069
*Mar 8 00:03:06.920: dot1x-packet(Fa0/1): Received an EAP packet from d43d.7e65.4fc1
*Mar 8 00:03:06.920: dot1x-sm(Fa0/1): Posting EAPOL_EAP for 0xB0000DBA
*Mar 8 00:03:06.920:     dot1x_auth_bend Fa0/1: during state auth_bend_request, got event 6(eapolEap)
*Mar 8 00:03:06.920: @@@ dot1x_auth_bend Fa0/1: auth_bend_request -> auth_bend_response
*Mar 8 00:03:06.920: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_enter called
*Mar 8 00:03:06.920: dot1x-ev(Fa0/1): dot1x_sendRespToServer: Response sent to the server from 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:06.920: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_response_action called
*Mar 8 00:03:06.920: AAA/AUTHEN/8021X (000001C7): Pick method list 'default'
*Mar 8 00:03:06.920: RADIUS/ENCODE(000001C7):Orig. component type = DOT1X
*Mar 8 00:03:06.920: RADIUS(000001C7): Config NAS IP: 0.0.0.0
*Mar 8 00:03:06.920: RADIUS/ENCODE(000001C7): acct_session_id: 724
*Mar 8 00:03:06.920: RADIUS(000001C7): sending
*Mar 8 00:03:06.920: RADIUS/ENCODE: Best Local IP-Address 10.26.237.11 for Radius-Server 10.26.13.59
*Mar 8 00:03:06.920: RADIUS(000001C7): Send Access-Request to 10.26.13.59:1812 id 1645/84, len 352
*Mar 8 00:03:06.920: RADIUS: authenticator 41 72 8D 6A B4 72 19 84 - 1B C8 33 F7 95 DD 07 BC
*Mar 8 00:03:06.928: RADIUS: User-Name           [1]   31 "host/D0902MALL005.IN.intranet"
*Mar 8 00:03:06.928: RADIUS: Service-Type        [6]   6   Framed                    [2]
*Mar 8 00:03:06.928: RADIUS: Framed-MTU          [12] 6   1500
*Mar 8 00:03:06.928: RADIUS: Called-Station-Id   [30] 19 "D4-A0-2A-EE-14-81"
*Mar 8 00:03:06.928: RADIUS: Calling-Station-Id [31] 19 "D4-3D-7E-65-4F-C1"
*Mar 8 00:03:06.928: RADIUS: EAP-Message         [79] 107
*Mar 8 00:03:06.928: RADIUS:   02 02 00 69 0D 80 00 00 00 5F 16 03 01 00 5A 01 00 00 56 03 01 52 C5 45 4F 07 CA B3 29 50 A7 CE 40 76 B6 BD F0 50 D4 CE 9A 8A 02 C4 3D 40 35 B5 F0 E1 E2 75 [i_ZVREO)P@vP=@5u]
*Mar 8 00:03:06.928: RADIUS:   50 00 00 18 00 2F 00 35 00 05 00 0A C0 13 C0 14 C0 09 C0 0A 00 32 00 38 00 13 00 04 01 00 00 15 FF 01 00 01 00 00 0A 00 06 00 04 00 17 00 18 00 0B 00 02 01 00             [ P/528]
*Mar 8 00:03:06.928: RADIUS: Message-Authenticato[80] 18
*Mar 8 00:03:06.928: RADIUS:   A3 28 CE 27 20 C0 D6 2C 11 01 D6 61 1F C3 6F 03            [ (' ,ao]
*Mar 8 00:03:06.928: RADIUS: EAP-Key-Name        [102] 2   *
*Mar 8 00:03:06.928: RADIUS: Vendor, Cisco       [26] 49
*Mar 8 00:03:06.928: RADIUS:   Cisco AVpair       [1]   43 "audit-session-id=0A1AED0B000000EE240F5BAB"
*Mar 8 00:03:06.928: RADIUS: NAS-Port-Type       [61] 6   Ethernet                  [15]
*Mar 8 00:03:06.928: RADIUS: NAS-Port            [5]   6   50001
*Mar 8 00:03:06.928: RADIUS: NAS-Port-Id         [87] 17 "FastEthernet0/1"
*Mar 8 00:03:06.928: RADIUS: State               [24] 30
*Mar 8 00:03:06.928: RADIUS:   00 7D 00 9B 00 C1 00 40 ED B8 45 00 FC DD 50 2E DC 0E E6 03 FC 7B AD 4C B7 E7 B1 70          [ }@EP.{Lp]
*Mar 8 00:03:06.928: RADIUS: NAS-IP-Address      [4]   6   10.26.237.11
*Mar 8 00:03:06.928: RADIUS: Acct-Session-Id     [44] 10 "000002D4"
*Mar 8 00:03:06.928: RADIUS(000001C7): Started 3 sec timeout
*Mar 8 00:03:07.004: RADIUS: Received from id 1645/84 10.26.13.59:1812, Access-Challenge, len 1188
*Mar 8 00:03:07.004: RADIUS: authenticator 7B 52 29 05 7E C3 EF 8E - 13 38 30 03 4B 65 64 0F
*Mar 8 00:03:07.004: RADIUS: EAP-Message         [79] 255
*Mar 8 00:03:07.004: RADIUS:   01 03 04 56 0D C0 00 00 05 78 16 03 01 00 51 02 00 00 4D 03 01 52 C5 45 4F 0F 04 37 77 A0 C2 68 66 4E 45 92 AB 3D 7F 94 70 AF 36 [VxQMREO7whfNE=p6]
*Mar 8 00:03:07.004: RADIUS:   1D C5 17 23 5C F1 FA CA 60 B0 20 A5 48 16 D5 3F F9 B0 FF 38 1D D5 13 B3 88 13 06 EF DC 87 5C AE 17 E7 7E 80 84 21 58 64 F7 A6 36 00 35 00 00 05 FF 01 00 01 00 16 03 01 02 1C 0B 00 02 18 00 02 15 00 02 12 30 82 02 0E 30 [#\` H?8\~!Xd6500]
*Mar 8 00:03:07.004: RADIUS:   82 01 77 A0 03 02 01 02 02 09 00 88 7A CB 35 3F 1E 3E 62 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 30 2F 31 15 30 13 06 03 55 04 03 13 0C 53 50 [wz5?>b0*H0/10USP]
*Mar 8 00:03:07.004: RADIUS:   49 4E 41 56 44 30 30 30 30 34 31 16 30 14 06 03 55 04 0A 13 0D 50 6F 6C [INAVD0000410UPol]
*Mar 8 00:03:07.004: RADIUS:   69 63 79 4D 61 6E 61 67 65 72 30 1E 17 0D 31 33 30 38 32 [icyManager013082]
*Mar 8 00:03:07.004: RADIUS:   37 30 37 32 34 33 30 5A 17 0D 31 34 30 38 32 37 30 37 [7072430Z14082707]
*Mar 8 00:03:07.004: RADIUS:   32 34 33 30 5A 30 2F 31 15 30 13 06 03 55 04 03 13 0C 53 50 49 4E 41 56 [2430Z0/10USPINAV]
*Mar 8 00:03:07.004: RADIUS:   44 30 30               [ D00]
*Mar 8 00:03:07.004: RADIUS: EAP-Message         [79] 255
*Mar 8 00:03:07.004: RADIUS:   30 30 34 31 16 30 14 06 03 55 04 0A 13 0D 50 6F 6C 69 63 79 4D 61 6E 61 [00410UPolicyMana]
*Mar 8 00:03:07.004: RADIUS:   67 65 72 30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 81 8D 00 30 81 89 02 81 81 00 C9 B9 03 65 83 EB 39 86 14 BC 95 7B DB 07 7E C5 8A D7 DA C7 8A CA 5A 88 6E 0B 93 06 35 57 [ger00*H0e9{~Zn5W]
*Mar 8 00:03:07.012: RADIUS:   6E DE 93 CD C9 FE 8E 9F E1 5F A9 04 5C BD A9 AD 5A 04 6E 35 47 76 A1 58 E5 C4 32 D7 49 9E 17 75 20 C6 6F 45 40 [n_\Zn5GvX2Iu oE@]
*Mar 8 00:03:07.012: RADIUS:   AC EF 40 6D 15 38 F9 C2 28 7E C9 68 37 52 3B BF F4 C1 5E B8 BA 46 68 43 79 B1 65 66 [@m8(~h7R;^FhCyef]
*Mar 8 00:03:07.012: RADIUS:   9E 58 ED EC 8C 95 A2 D8 BF AA 77 AC 85 90 E3 AB C6 27 3A A2 22 AC 1C 48 B3 BF BE F7 85 CF 5C BB 2D 02 03 01 00 01 A3 32 30 30 30 0F 06 03 55 1D 11 04 08 30 06 87 04 0A 1A 0D 3B 30 [Xw':"H\-2000U0;0]
*Mar 8 00:03:07.012: RADIUS:   1D 06 03 55 1D 25 04 16 30 14 06 08 2B 06 01 05 05 07 03 01 06 08 2B 06 01 05 05 07 03 03 30 0D 06 09 2A 86 48 86 F7 0D 01 01          [ U?0++0*H]
*Mar 8 00:03:07.012: RADIUS: EAP-Message         [79] 255
*Mar 8 00:03:07.012: RADIUS:   05 05 00 03 81 81 00 C4 46 3E 38 3D 53 0F 28 34 C1 A6 ED DC 70 76 9B 70 6B A8 95 7C 44 8E 7D 6E D6 8B 6D [F>8=S(4pvpk|D}nm]
*Mar 8 00:03:07.012: RADIUS:   90 49 83 06 E4 BF 68 2F 9D 77 78 A3 76 76 19 84 AD 26 3F F3 ED AA 88 52 35 0E 35 DD 00 E5 96 88 44 30 79 A0 71 [Ih/wxvv&?R55D0yq]
*Mar 8 00:03:07.012: RADIUS:   8D 25 3E 77 A0 E0 43 92 33 55 40 E1 C8 EE 88 11 25 E2 70 28 11 6C 5A 4E 3D F1 93 57 0A 6F [?>wC3U@?p(lZN=Wo]
*Mar 8 00:03:07.012: RADIUS:   36 51 72 04 08 C0 C0 DF F0 94 A9 F7 A1 05 C8 37 D6 F8 D4 9C 20 1A 7B CD 2C 17 83 7B 8E 20 F7 2D B6 16 03 01 02 FC 0D 00 02 F4 03 01 02 40 02 EE 00 63 30 61 31 0B 30 [6Qr7 {,{ -@c0a10]
*Mar 8 00:03:07.012: RADIUS:   09 06 03 55 04 06 13 02 55 53 31 15 30 13 06 03 55 04 0A 13 0C 44 69 67 69 43 65 72 74 20 49 [UUS10UDigiCert I]
*Mar 8 00:03:07.012: RADIUS:   6E 63 31 19 30 17 06 03 55 04 0B 13 10 77 77 77 2E 64 69 67 69 63 65 72 [nc10Uwww.digicer]
*Mar 8 00:03:07.012: RADIUS:   74 2E 63 6F 6D 31 20 30 1E 06 03 55 04 03 13 17 44 69 67 69 43 65 72 [t.com1 0UDigiCer]
*Mar 8 00:03:07.012: RADIUS:   74 20 47 6C 6F 62 61 6C 20 52 6F 6F 74 20 43 41 [t Global Root CA]
*Mar 8 00:03:07.012: RADIUS:   00 48                 [ H]
*Mar 8 00:03:07.012: RADIUS: EAP-Message         [79] 255
*Mar 8 00:03:07.012: RADIUS:   30 46 31 18 30 16 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 08 69 6E 74 72 61 6E 65 74 31 [0F10&,dintranet1]
*Mar 8 00:03:07.020: RADIUS:   12 30 10 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 02 49 4E 31 16 30 14 06 03 55 04 03 13 0D 49 6E 64 69 61 20 52 [0&,dIN10UIndia R]
*Mar 8 00:03:07.020: RADIUS:   6F 6F 74 20 43 41 00 4A 30 48 31 18 30 16 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 08 69 6E [oot CAJ0H10&,din]
*Mar 8 00:03:07.020: RADIUS:   74 72 61 6E 65 74 31 12 30 10 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 02 49 4E 31 18 30 16 06 03 55 [tranet10&,dIN10U]
*Mar 8 00:03:07.020: RADIUS:   04 03 13 0F 45 6E 74 65 72 70 72 69 73 65 20 43 41 2D 31 00 4D [Enterprise CA-1M]
*Mar 8 00:03:07.020: RADIUS:   30 4B 31 18 30 16 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 08 69 6E 74 72 61 6E 65 74 31 [0K10&,dintranet1]
*Mar 8 00:03:07.020: RADIUS:   12 30 10 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 02 49 4E 31 1B 30 19 06 03 55 04 03 13 12 49 4E 2D 53 50 49 4E [0&,dIN10UIN-SPIN]
*Mar 8 00:03:07.020: RADIUS:   43 52 54 30 30 30 30 33 2D 43 41 00 D5 30 81 D2 31 0B 30 09 06 03 55 04 06 13 02 55 [CRT00003-CA010UU]
*Mar 8 00:03:07.020: RADIUS:   53 31 13 30 11 06 03 55 04              [ S10U]
*Mar 8 00:03:07.020: RADIUS: EAP-Message         [79] 100
*Mar 8 00:03:07.020: RADIUS:   08 0C 0A 43 61 6C 69 66 6F 72 6E 69 61 31 12 30 10 06 03 55 04 07 0C 09 53 75 6E [California10USun]
*Mar 8 00:03:07.020: RADIUS:   6E 79 76 61 6C 65 31 17 30 15 06 03 55 04 0A 0C 0E 41 72 75 62 61 20 4E [nyvale10UAruba N]
*Mar 8 00:03:07.020: RADIUS:   65 74 77 6F 72 6B 73 31 40 30 3E 06 03 55 04 03 0C 37 43 6C 65 [etworks1@0>U7Cle]
*Mar 8 00:03:07.020: RADIUS:   61 72 50 61 73 73 20 4F 6E 62 6F 61 72 64 20 4C [arPass Onboard L]
*Mar 8 00:03:07.020: RADIUS:   6F 63 61 6C 20 43 65 72 74 69        [ ocal Certi]
*Mar 8 00:03:07.020: RADIUS: Message-Authenticato[80] 18
*Mar 8 00:03:07.020: RADIUS:   12 75 40 41 6F 40 6B 6F A5 FE AB 85 F3 B3 CF A4           [ u@Ao@ko]
*Mar 8 00:03:07.020: RADIUS: State               [24] 30
*Mar 8 00:03:07.020: RADIUS:   00 6F 00 51 00 4B 00 6E EE B8 45 00 4B AA 6B A9 B6 D6 C8 CC 48 1A 91 99 7F 77 D3 C1         [ oQKnEKkHw]
*Mar 8 00:03:07.029: RADIUS(000001C7): Received from id 1645/84
*Mar 8 00:03:07.029: RADIUS/DECODE: EAP-Message fragments, 253+253+253+253+98, total 1110 bytes
*Mar 8 00:03:07.037: dot1x-sm(Fa0/1): Posting EAP_REQ for 0xB0000DBA
*Mar 8 00:03:07.037:     dot1x_auth_bend Fa0/1: during state auth_bend_response, got event 7(eapReq)
*Mar 8 00:03:07.037: @@@ dot1x_auth_bend Fa0/1: auth_bend_response -> auth_bend_request
*Mar 8 00:03:07.037: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_exit called
*Mar 8 00:03:07.037: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_enter called
*Mar 8 00:03:07.037: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:07.037: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:07.037: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 8 00:03:07.037: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:07.037: EAPOL pak dump Tx
*Mar 8 00:03:07.037: EAPOL Version: 0x3 type: 0x0 length: 0x0456
*Mar 8 00:03:07.037: EAP code: 0x1 id: 0x3 length: 0x0456 type: 0xD
*Mar 8 00:03:07.037: dot1x-packet(Fa0/1): EAPOL packet sent to client 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:07.037: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_request_action called
*Mar 8 00:03:07.037: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:07.037: dot1x-packet(Fa0/1): Queuing an EAPOL pkt on Authenticator Q
*Mar 8 00:03:07.037: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar 8 00:03:07.037: EAPOL pak dump rx
*Mar 8 00:03:07.037: EAPOL Version: 0x1 type: 0x0 length: 0x0006
*Mar 8 00:03:07.037: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/1 CODE= 2,TYPE= 13,LEN= 6
*Mar 8 00:03:07.037: dot1x-packet(Fa0/1): Received an EAPOL frame
*Mar 8 00:03:07.037: dot1x-ev(Fa0/1): Received pkt saddr =d43d.7e65.4fc1 , daddr = 0180.c200.0003,
    pae-ether-type = 888e.0100.0006
*Mar 8 00:03:07.037: dot1x-packet(Fa0/1): Received an EAP packet
*Mar 8 00:03:07.037: EAPOL pak dump rx
*Mar 8 00:03:07.037: EAPOL Version: 0x1 type: 0x0 length: 0x0006
*Mar 8 00:03:07.037: dot1x-packet(Fa0/1): Received an EAP packet from d43d.7e65.4fc1
*Mar 8 00:03:07.037: dot1x-sm(Fa0/1): Posting EAPOL_EAP for 0xB0000DBA
*Mar 8 00:03:07.037:     dot1x_auth_bend Fa0/1: during state auth_bend_request, got event 6(eapolEap)
*Mar 8 00:03:07.037: @@@ dot1x_auth_bend Fa0/1: auth_bend_request -> auth_bend_response
*Mar 8 00:03:07.037: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_enter called
*Mar 8 00:03:07.037: dot1x-ev(Fa0/1): dot1x_sendRespToServer: Response sent to the server from 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:07.037: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_response_action called
*Mar 8 00:03:07.037: AAA/AUTHEN/8021X (000001C7): Pick method list 'default'
*Mar 8 00:03:07.046: RADIUS/ENCODE(000001C7):Orig. component type = DOT1X
*Mar 8 00:03:07.046: RADIUS(000001C7): Config NAS IP: 0.0.0.0
*Mar 8 00:03:07.046: RADIUS/ENCODE(000001C7): acct_session_id: 724
*Mar 8 00:03:07.046: RADIUS(000001C7): sending
*Mar 8 00:03:07.046: RADIUS/ENCODE: Best Local IP-Address 10.26.237.11 for Radius-Server 10.26.13.59
*Mar 8 00:03:07.046: RADIUS(000001C7): Send Access-Request to 10.26.13.59:1812 id 1645/85, len 253
*Mar 8 00:03:07.046: RADIUS: authenticator 1C D7 6D 40 A3 D6 BA B1 - A7 E6 70 DA 32 83 2E 19
*Mar 8 00:03:07.046: RADIUS: User-Name           [1]   31 "host/D0902MALL005.IN.intranet"
*Mar 8 00:03:07.046: RADIUS: Service-Type        [6]   6   Framed                    [2]
*Mar 8 00:03:07.046: RADIUS: Framed-MTU          [12] 6   1500
*Mar 8 00:03:07.046: RADIUS: Called-Station-Id   [30] 19 "D4-A0-2A-EE-14-81"
*Mar 8 00:03:07.046: RADIUS: Calling-Station-Id [31] 19 "D4-3D-7E-65-4F-C1"
*Mar 8 00:03:07.046: RADIUS: EAP-Message         [79] 8
*Mar 8 00:03:07.046: RADIUS:   02 03 00 06 0D 00
*Mar 8 00:03:07.046: RADIUS: Message-Authenticato[80] 18
*Mar 8 00:03:07.046: RADIUS:   73 1D 89 5C 66 19 32 B6 63 C2 64 C1 04 42 A9 F9           [ s\f2cdB]
*Mar 8 00:03:07.046: RADIUS: EAP-Key-Name        [102] 2   *
*Mar 8 00:03:07.046: RADIUS: Vendor, Cisco       [26] 49
*Mar 8 00:03:07.046: RADIUS:   Cisco AVpair       [1]   43 "audit-session-id=0A1AED0B000000EE240F5BAB"
*Mar 8 00:03:07.046: RADIUS: NAS-Port-Type       [61] 6   Ethernet                  [15]
*Mar 8 00:03:07.046: RADIUS: NAS-Port            [5]   6   50001
*Mar 8 00:03:07.046: RADIUS: NAS-Port-Id         [87] 17 "FastEthernet0/1"
*Mar 8 00:03:07.046: RADIUS: State               [24] 30
*Mar 8 00:03:07.046: RADIUS:   00 6F 00 51 00 4B 00 6E EE B8 45 00 4B AA 6B A9 B6 D6 C8 CC 48 1A 91 99 7F 77 D3 C1         [ oQKnEKkHw]
*Mar 8 00:03:07.046: RADIUS: NAS-IP-Address      [4]   6   10.26.237.11
*Mar 8 00:03:07.046: RADIUS: Acct-Session-Id     [44] 10 "000002D4"
*Mar 8 00:03:07.046: RADIUS(000001C7): Started 3 sec timeout
*Mar 8 00:03:07.113: RADIUS: Received from id 1645/85 10.26.13.59:1812, Access-Challenge, len 378
*Mar 8 00:03:07.113: RADIUS: authenticator 1A 85 26 09 58 84 BC D4 - E0 A9 E3 C0 25 31 2D 31
*Mar 8 00:03:07.113: RADIUS: EAP-Message         [79] 255
*Mar 8 00:03:07.121: RADIUS:   01 04 01 32 0D 00 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 [2ficate Authorit]
*Mar 8 00:03:07.121: RADIUS:   79 20 28 53 69 67 6E 69 6E 67 29 31 3F 30 3D 06 09 2A [y (Signing)1?0=*]
*Mar 8 00:03:07.121: RADIUS:   86 48 86 F7 0D 01 09 01 16 30 64 36 62 62 34 66 37 30 2D 66 34 31 32 2D [H0d6bb4f70-f412-]
*Mar 8 00:03:07.121: RADIUS:   34 35 35 32 2D 61 65 65 32 2D 63 37 61 30 32 36 [4552-aee2-c7a026]
*Mar 8 00:03:07.121: RADIUS:   66 62 61 32 31 38 40 65 78 61 6D 70 6C 65 2E 63 [[email protected]]
*Mar 8 00:03:07.121: RADIUS:   6F 6D 00 CB 30 81 C8 31 0B 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 0C 0A 43 61 6C 69 66 [om010UUS10UCalif]
*Mar 8 00:03:07.121: RADIUS:   6F 72 6E 69 61 31 12 30 10 06 03 55 04 07 0C 09 53 75 6E 6E 79 76 61 6C [ornia10USunnyval]
*Mar 8 00:03:07.121: RADIUS:   65 31 17 30 15 06 03 55 04 0A 0C 0E 41 72 75 62 61 20 4E 65 74 77 6F 72 [e10UAruba Networ]
*Mar 8 00:03:07.121: RADIUS:   6B 73 31 36 30 34 06 03 55 04 03 0C 2D 43 6C 65 61 72 50 61 73 [ks1604U-ClearPas]
*Mar 8 00:03:07.121: RADIUS:   73 20 4F 6E 62 6F 61 72 64 20 4C 6F 63 61 6C 20 [s Onboard Local ]
*Mar 8 00:03:07.121: RADIUS:   43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 [Certificate Auth]
*Mar 8 00:03:07.121: RADIUS:   6F 72 69 74 79 31 3F 30 3D 06 09 2A 86 48 86 F7 0D 01 09 01 16       [ ority1?0=*H]
*Mar 8 00:03:07.121: RADIUS: EAP-Message         [79] 55
*Mar 8 00:03:07.121: RADIUS:   30 64 36 62 62 34 66 37 30 2D 66 34 31 32 2D 34 [0d6bb4f70-f412-4]
*Mar 8 00:03:07.121: RADIUS:   35 35 32 2D 61 65 65 32 2D 63 37 61 30 32 36 66 [552-aee2-c7a026f]
*Mar 8 00:03:07.121: RADIUS:   62 61 32 31 38 40 65 78 61 6D 70 6C 65 2E 63 6F [[email protected]]
*Mar 8 00:03:07.121: RADIUS:   6D 0E 00 00 00                 [ m]
*Mar 8 00:03:07.121: RADIUS: Message-Authenticato[80] 18
*Mar 8 00:03:07.121: RADIUS:   4C 46 AA B9 A5 D5 DF EA DB E7 2B 7B 51 7E 58 3F          [ LF+{Q~X?]
*Mar 8 00:03:07.121: RADIUS: State               [24] 30
*Mar 8 00:03:07.121: RADIUS:   00 EF 00 B9 00 0A 00 00 EF B8 45 00 EF D2 C4 3C 81 6C 72 0E 23 FE 11 EA 12 17 50 A1            [ E
*Mar 8 00:03:07.121: RADIUS(000001C7): Received from id 1645/85
*Mar 8 00:03:07.121: RADIUS/DECODE: EAP-Message fragments, 253+53, total 306 bytes
*Mar 8 00:03:07.130: dot1x-sm(Fa0/1): Posting EAP_REQ for 0xB0000DBA
*Mar 8 00:03:07.130:     dot1x_auth_bend Fa0/1: during state auth_bend_response, got event 7(eapReq)
*Mar 8 00:03:07.130: @@@ dot1x_auth_bend Fa0/1: auth_bend_response -> auth_bend_request
*Mar 8 00:03:07.130: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_exit called
*Mar 8 00:03:07.130: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_enter called
*Mar 8 00:03:07.130: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:07.130: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:07.130: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 8 00:03:07.130: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:07.130: EAPOL pak dump Tx
*Mar 8 00:03:07.130: EAPOL Version: 0x3 type: 0x0 length: 0x0132
*Mar 8 00:03:07.130: EAP code: 0x1 id: 0x4 length: 0x0132 type: 0xD
*Mar 8 00:03:07.130: dot1x-packet(Fa0/1): EAPOL packet sent to client 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:07.130: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_request_action called
*Mar 8 00:03:07.138: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:07.138: dot1x-packet(Fa0/1): Queuing an EAPOL pkt on Authenticator Q
*Mar 8 00:03:07.138: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar 8 00:03:07.138: EAPOL pak dump rx
*Mar 8 00:03:07.138: EAPOL Version: 0x1 type: 0x0 length: 0x05D4
*Mar 8 00:03:07.138: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/1 CODE= 2,TYPE= 13,LEN= 1492
*Mar 8 00:03:07.138: dot1x-packet(Fa0/1): Received an EAPOL frame
*Mar 8 00:03:07.138: dot1x-ev(Fa0/1):
^Z
Malleswaram_2960#
*Mar 8 00:03:07.180: RADIUS: State               [24] 30
*Mar 8 00:03:07.180: RADIUS:   00 EF 00 B9 00 0A 00 00 EF B8 45 00 EF D2 C4 3C 81 6C 72 0E 23 FE 11 EA 12 17 50 A1            [ E
*Mar 8 00:03:07.180: RADIUS: NAS-IP-Address      [4]   6   10.26.237.11
*Mar 8 00:03:07.180: RADIUS: Acct-Session-Id     [44] 10 "000002D4"
*Mar 8 00:03:07.180: RADIUS(000001C7): Started 3 sec timeout
Malleswaram_2960#
*Mar 8 00:03:07.893: %SYS-5-CONFIG_I: Configured from console by jameela on vty0 (10.26.20.5)
Malleswaram_2960#
*Mar 8 00:03:10.225: RADIUS(000001C7): Request timed out
*Mar 8 00:03:10.225: RADIUS: Retransmit to (10.26.13.59:1812,1813) for id 1645/86
*Mar 8 00:03:10.225: RADIUS(000001C7): Started 3 sec timeout
Malleswaram_2960#
*Mar 8 00:03:13.354: RADIUS(000001C7): Request timed out
*Mar 8 00:03:13.354: RADIUS: Retransmit to (10.26.13.59:1812,1813) for id 1645/86
*Mar 8 00:03:13.354: RADIUS(000001C7): Started 3 sec timeout
Malleswaram_2960#
*Mar 8 00:03:16.307: RADIUS(000001C7): Request timed out
*Mar 8 00:03:16.307: RADIUS: Retransmit to (10.26.13.59:1812,1813) for id 1645/86
*Mar 8 00:03:16.307: RADIUS(000001C7): Started 3 sec timeout
Malleswaram_2960#
*Mar 8 00:03:19.369: RADIUS(000001C7): Request timed out
*Mar 8 00:03:19.369: RADIUS: Retransmit to (10.26.13.59:1812,1813) for id 1645/86
*Mar 8 00:03:19.369: RADIUS(000001C7): Started 3 sec timeout
Malleswaram_2960#
*Mar 8 00:03:22.456: RADIUS(000001C7): Request timed out
*Mar 8 00:03:22.456: RADIUS: Fail-over denied to (10.26.13.59:1812,1813) for id 1645/86
*Mar 8 00:03:22.456: RADIUS: No response from (10.26.13.59:1812,1813) for id 1645/86
*Mar 8 00:03:22.456: RADIUS/DECODE: parse response no app start; FAIL
*Mar 8 00:03:22.456: RADIUS/DECODE: parse response; FAIL
*Mar 8 00:03:22.456: dot1x-ev(Fa0/1): Received an EAP Fail
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): Posting EAP_FAIL for 0xB0000DBA
*Mar 8 00:03:22.456:     dot1x_auth_bend Fa0/1: during state auth_bend_response, got event 10(eapFail)
*Mar 8 00:03:22.456: @@@ dot1x_auth_bend Fa0/1: auth_bend_response -> auth_bend_fail
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_exit called
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_fail_enter called
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_fail_action called
*Mar 8 00:03:22.456:     dot1x_auth_bend Fa0/1: idle during state auth_bend_fail
*Mar 8 00:03:22.456: @@@ dot1x_auth_bend Fa0/1: auth_bend_fail -> auth_bend_idle
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_idle_enter called
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): Posting AUTH_FAIL on Client 0xB0000DBA
*Mar 8 00:03:22.456:     dot1x_auth Fa0/1: during state auth_authenticating, got event 15(authFail)
*Mar 8 00:03:22.456: @@@ dot1x_auth Fa0/1: auth_authenticating -> auth_authc_result
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): 0xB0000DBA:auth_authenticating_exit called
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): 0xB0000DBA:auth_authc_result_enter called
*Mar 8 00:03:22.456: %DOT1X-5-FAIL: Authentication failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID
*Mar 8 00:03:22.456: dot1x-ev(Fa0/1): Sending event (2) to Auth Mgr for d43d.7e65.4fc1
*Mar 8 00:03:22.456: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EE240F5BAB
*Mar 8 00:03:22.456: %AUTHMGR-5-FAIL: Authorization failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EE240F5BAB
*Mar 8 00:03:22.456: dot1x-redundancy: State for client d43d.7e65.4fc1 successfully retrieved
*Mar 8 00:03:22.456: dot1x-ev(Fa0/1): Received Authz fail for the client 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): Posting_AUTHZ_FAIL on Client 0xB0000DBA
*Mar 8 00:03:22.456:     dot1x_auth Fa0/1: during state auth_authc_result, got event 22(authzFail)
*Mar 8 00:03:22.456: @@@ dot1x_auth Fa0/1: auth_authc_result -> auth_held
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): 0xB0000DBA:auth_held_enter called
*Mar 8 00:03:22.464: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:22.464: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:22.464: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 8 00:03:22.464: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:22.464: EAPOL pak dump Tx
*Mar 8 00:03:22.464: EAPOL Version: 0x3 type: 0x0 length: 0x0004
*Mar 8 00:03:22.464: EAP code: 0x4 id: 0x4 length: 0x0004
*Mar 8 00:03:22.464: dot1x-packet(Fa0/1): EAPOL packet sent to client 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): Posting FAILOVER_RETRY on Client 0xB0000DBA
*Mar 8 00:03:22.464:     dot1x_auth Fa0/1: during state auth_held, got event 21(failover_retry)
*Mar 8 00:03:22.464: @@@ dot1x_auth Fa0/1: auth_held -> auth_restart
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): 0xB0000DBA:auth_held_exit called
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): 0xB0000DBA:auth_restart_enter called
*Mar 8 00:03:22.464: dot1x-ev(Fa0/1): Sending create new context event to EAP for 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): 0xB0000DBA:auth_held_restart_action called
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): Posting !EAP_RESTART on Client 0xB0000DBA
*Mar 8 00:03:22.464:     dot1x_auth Fa0/1: during state auth_restart, got event 6(no_eapRestart)
*Mar 8 00:03:22.464: @@@ dot1x_auth Fa0/1: auth_restart -> auth_connecting
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): 0xB0000DBA:auth_connecting_enter called
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): 0xB0000DBA:auth_restart_connecting_action called
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): Posting REAUTH_MAX on Client 0xB0000DBA
*Mar 8 00:03:22.464:     dot1x_auth Fa0/1: during state auth_connecting, got event 11(reAuthMax)
*Mar 8 00:03:22.464: @@@ dot1x_auth Fa0/1: auth_connecting -> auth_disconnected
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): 0xB0000DBA:auth_disconnected_enter called
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): d43d.7e65.4fc1:auth_disconnected_enter sending canned failure to version 1 supplicant
*Mar 8 00:03:22.464: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:22.464: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:22.464: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 8 00:03:22.464: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:22.464: EAPOL pak dump Tx
*Mar 8 00:03:22.464: EAPOL Version: 0x3 type: 0x0 length: 0x0004
*Mar 8 00:03:22.464: EAP code: 0x4 id: 0x5 length: 0x0004
*Mar 8 00:03:22.464: dot1x-packet(Fa0/1): dot1x_auth_txCannedStatus: EAPOL packet sent to client 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): 0xB0000DBA:auth_connecting_disconnected_reAuthMax_action called
*Mar 8 00:03:22.464:     dot1x_auth Fa0/1: idle during state auth_disconnected
*Mar 8 00:03:22.464: @@@ dot1x_auth Fa0/1: auth_disconnected -> auth_restart
*Mar 8 00:03:22.464: dot1x-ev(Fa0/1): Sending event (1) to Auth Mgr for d43d.7e65.4fc1
*Mar 8 00:03:22.464: dot1x-ev:Delete auth client (0xB0000DBA) message
*Mar 8 00:03:22.464: dot1x-ev:Auth client ctx destroyed
*Mar 8 00:03:22.674: AAA/BIND(000001C8): Bind i/f
*Mar 8 00:03:22.674:     dot1x_auth Fa0/1: initial state auth_initialize has enter
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_initialize_enter called
*Mar 8 00:03:22.674:     dot1x_auth Fa0/1: during state auth_initialize, got event 0(cfg_auto)
*Mar 8 00:03:22.674: @@@ dot1x_auth Fa0/1: auth_initialize -> auth_disconnected
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_disconnected_enter called
*Mar 8 00:03:22.674:     dot1x_auth Fa0/1: idle during state auth_disconnected
*Mar 8 00:03:22.674: @@@ dot1x_auth Fa0/1: auth_disconnected -> auth_restart
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_restart_enter called
*Mar 8 00:03:22.674: dot1x-ev(Fa0/1): Sending create new context event to EAP for 0x4A000DBB (0000.0000.0000)
*Mar 8 00:03:22.674:     dot1x_auth_bend Fa0/1: initial state auth_bend_initialize has enter
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_initialize_enter called
*Mar 8 00:03:22.674:     dot1x_auth_bend Fa0/1: initial state auth_bend_initialize has idle
*Mar 8 00:03:22.674:     dot1x_auth_bend Fa0/1: during state auth_bend_initialize, got event 16383(idle)
*Mar 8 00:03:22.674: @@@ dot1x_auth_bend Fa0/1: auth_bend_initialize -> auth_bend_idle
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_idle_enter called
*Mar 8 00:03:22.674: dot1x-ev(Fa0/1): Created a client entry (0x4A000DBB)
*Mar 8 00:03:22.674: dot1x-ev(Fa0/1): Dot1x authentication started for 0x4A000DBB (0000.0000.0000)
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): Posting !EAP_RESTART on Client 0x4A000DBB
*Mar 8 00:03:22.674:     dot1x_auth Fa0/1: during state auth_restart, got event 6(no_eapRestart)
*Mar 8 00:03:22.674: @@@ dot1x_auth Fa0/1: auth_restart -> auth_connecting
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_connecting_enter called
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_restart_connecting_action called
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): Posting RX_REQ on Client 0x4A000DBB
*Mar 8 00:03:22.674:     dot1x_auth Fa0/1: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
*Mar 8 00:03:22.674: @@@ dot1x_auth Fa0/1: auth_connecting -> auth_authenticating
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_authenticating_enter called
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_connecting_authenticating_action called
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): Posting AUTH_START for 0x4A000DBB
*Mar 8 00:03:22.674:     dot1x_auth_bend Fa0/1: during state auth_bend_idle, got event 4(eapReq_authStart)
*Mar 8 00:03:22.674: @@@ dot1x_auth_bend Fa0/1: auth_bend_idle -> auth_bend_request
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_request_enter called
*Mar 8 00:03:22.674: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:22.674: dot1x-ev(Fa0/1): Role determination not required
Malleswaram_2960#
*Mar 8 00:03:22.674: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 8 00:03:22.674: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:22.674: EAPOL pak dump Tx
*Mar 8 00:03:22.674: EAPOL Version: 0x3 type: 0x0 length: 0x0005
*Mar 8 00:03:22.674: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
*Mar 8 00:03:22.674: dot1x-packet(Fa0/1): EAPOL packet sent to client 0x4A000DBB (0000.0000.0000)
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_idle_request_action called
*Mar 8 00:03:22.791: dot1x-ev(Fa0/1): New client notification from AuthMgr for 0x4A000DBB - d43d.7e65.4fc1
*Mar 8 00:03:22.791: %AUTHMGR-5-START: Starting 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
Malleswaram_2960#
*Mar 8 00:03:25.761: dot1x-sm(Fa0/1): Posting EAP_REQ for 0x4A000DBB
*Mar 8 00:03:25.761:     dot1x_auth_bend Fa0/1: during state auth_bend_request, got event 7(eapReq)
*Mar 8 00:03:25.761: @@@ dot1x_auth_bend Fa0/1: auth_bend_request -> auth_bend_request
*Mar 8 00:03:25.761: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_request_request_action called
*Mar 8 00:03:25.761: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_request_enter called
*Mar 8 00:03:25.761: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:25.761: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:25.761: dot1x-registry:registry:dot1x_ether_macaddr called
Malleswaram_2960#n
*Mar 8 00:03:25.761: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:25.761: EAPOL pak dump Tx
*Mar 8 00:03:25.761: EAPOL Version: 0x3 type: 0x0 length: 0x0005
*Mar 8 00:03:25.761: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
*Mar 8 00:03:25.761: dot1x-packet(Fa0/1): EAPOL packet sent to client 0x4A000DBB (d43d.7e65.4fc1)
Malleswaram_2960#no debu
Malleswaram_2960#no debug
*Mar 8 00:03:28.848: dot1x-sm(Fa0/1): Posting EAP_REQ for 0x4A000DBB
*Mar 8 00:03:28.848:     dot1x_auth_bend Fa0/1: during state auth_bend_request, got event 7(eapReq)
*Mar 8 00:03:28.848: @@@ dot1x_auth_bend Fa0/1: auth_bend_request -> auth_bend_request
*Mar 8 00:03:28.848: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_request_request_action called
*Mar 8 00:03:28.848: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_request_enter called
*Mar 8 00:03:28.848: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:28.848: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:28.848: dot1x-registry:registry:dot1x_ether_macaddr called
Malleswaram_2960#no debug all
*Mar 8 00:03:28.848: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:28.848: EAPOL pak dump Tx
*Mar 8 00:03:28.848: EAPOL Version: 0x3 type: 0x0 length: 0x0005
*Mar 8 00:03:28.848: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
*Mar 8 00:03:28.848: dot1x-packet(Fa0/1): EAPOL packet sent to client 0x4A000DBB (d43d.7e65.4fc1)
Malleswaram_2960#no debug all
All possible debugging has been turned off
Malleswaram_2960#
*Mar 8 00:03:31.180: AAA: parse name=tty1 idb type=-1 tty=-1
*Mar 8 00:03:31.180: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
*Mar 8 00:03:31.180: AAA/MEMORY: create_user (0x21D1684) user='jameela' ruser='Malleswaram_2960' ds0=0 port='tty1' rem_addr='10.26.20.5' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0) key=C9A1F1D1
*Mar 8 00:03:31.389: TAC+: (-1901802859): received author response status = PASS_ADD
*Mar 8 00:03:31.389: AAA/MEMORY: free_user (0x21D1684) user='jameela' ruser='Malleswaram_2960' port='tty1' rem_addr='10.26.20.5' authen_type=ASCII service=NONE priv=15
*Mar 8 00:03:31.935: %DOT1X-5-FAIL: Authentication failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID
*Mar 8 00:03:31.935: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
*Mar 8 00:03:31.935: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
*Mar 8 00:03:31.935: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
Malleswaram_2960#
*Mar 8 00:03:31.935: %AUTHMGR-5-FAIL: Authorization failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
Malleswaram_2960#no deb
Malleswaram_2960#no debug al
Malleswaram_2960#no debug all
All possible debugging has been turned off
Malleswaram_2960#
*Mar 8 00:04:32.677: %AUTHMGR-5-START: Starting 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
Malleswaram_2960#
*Mar 8 00:04:41.938: %DOT1X-5-FAIL: Authentication failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID
*Mar 8 00:04:41.938: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
*Mar 8 00:04:41.938: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
*Mar 8 00:04:41.938: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
Malleswaram_2960#
*Mar 8 00:04:41.938: %AUTHMGR-5-FAIL: Authorization failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
Malleswaram_2960#
*Mar 8 00:05:42.654: %AUTHMGR-5-START: Starting 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
Malleswaram_2960#
*Mar 8 00:05:51.915: %DOT1X-5-FAIL: Authentication failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID
*Mar 8 00:05:51.915: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
*Mar 8 00:05:51.915: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
*Mar 8 00:05:51.915: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
Malleswaram_2960#
*Mar 8 00:05:51.915: %AUTHMGR-5-FAIL: Authorization failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
Pls dont worry about day and time.

802.1x with EAP-TLS and dACLs

Hi,
i'm looking to enable 802.1x on the wired network using EAP-TLS. The radius server will be an ACS5.2 running on the appliance. We'd also need some authorization for different machines - we'd like to use dACLs for that so that machine A will get full access while machine B will get restricted access (both client machines are related to different business units). So machine based auth (clients run XP SP3 or Vista).
I'm not very clear about the following...based on the presented client machine certificate, we should be able to apply an authorization policy (dACL). How can we set this up...anyone else tried this before?
in 'worst' case we could do machine auth (EAP-TLS) to validate it's a corporate machine connecting, followed by user authentication & authorization (EAP-PEAP) to apply access policies based on the user id..with PEAP is see it might be easier to extract user info out of AD to make policy decision...?
Thanks,
Guy

Hi Guy,
provided that the dACL is just part of the Authorization profile that you return to the client, you need to make sure that you have the correct attributes so to allow the authorization policy evaluation.
In ACS 5 when you configure a "Certificate Authentication Profile", the basic option is just to validate the client certificate.
So as long as ACS can validate the cert using the trusted CA certificates installed on ACS, the authentication is successful.
However, if you do so the only attributes you can base your authorization policy evaluation are the non-binary attributes of the certificate itself, as there's no query done to any backend DB in this case.
If you want to evaluate the authorization policy where you want to check for additional attributes that are stored on an external DB (e.g. Active Directory), you can do it in two ways:
1) enable certificate binary comparison on the "Certificate Authentication Profile": this will both perform the binary comparison of the cert and it will fetch the user attributes from AD; this of course requires that the certificate for the user is also stored on the "userCertificate" attribute in Active Directory.
2) configure an "Indentity Store Sequence" where you select:
- Authentication Method List : Certificate based : "Certificate Authentication Profile"
- Additional Attribute Retrieval Search List : Add "AD1" among the selected Identity Stores
In this case ACS won't perform binary comparison of the cert, but it will look for the corresponding user account in AD so to fetch additional attributes (group membership, etc..)
You can find relevant documentation about this on the ACS user guide:
- Configuring "Certificate Authentication Profile"
http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1054057
- Configuring "Identity Store Sequence"
http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1054132
- Managing policy elements:
http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/pol_elem.html
I hope this helps.
Regards,
Federico
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

802.1x RADIUS with EAP-TLS/EAP-TTLS & Dynamic VLAN Assignment

Hello, My team is looking for switches supporting 802.1x authentication on either EAP-TTLS or EAP-TLS protocols with dynamic vlan assignment enabled for these. Looking at the data sheets of the Linksys desktop switches, I found only SLM224G4PS and SLM224G4S models to support EAP-TLS or EAP-TTLS. Am I right? Do they support Dynamic VLAN Assigment for either of those protocols? This is not explicitly mentioned in the data sheets, and I happen to find switches from other manufacturers that announce to support EAP-TLS/EAP-TTLS but no dynamic vlan assignment. Thank you for any help.

SLM switches do support 802.1x RADIUS with EAP-TLS/EAP-TTLS unlike the SRW switches which support MD5. But I don't think that they support Dynamic VLAN.

ISE Problem: EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

Hello, I´m stucked with this problem for 3 weeks now.
I´m not able to configure the EAP-TLS autentication.
In the "Certificate Store" of the ISE server I have Installed the Root, policy and the Issuing certificates as "trust for client authentication",and in the Local store I have a certificate issuing for the same issuing authority which sign the thw client ones.
The ISE´s certificate has been issued with the "server Authentication certificate" template.
The clients have installed the certificates also the certificate chain.
When I try to authenticate the wireless clients I allways get the same error: " Authentication failed : 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain"
and "OpenSSLErrorMessage=SSL alert
code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error self-signed certificate in chain",OpenSSLErrorStack= 1208556432:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720"
I don´t know what else can I do.
Thank you
Jorge

Hi Rik,
the Below are the certificate details
ISE Certificate Signed by XX-CA-PROC-06
User PKI Signed by XX-CA-OTHER-08
In ISE certificate Store i have the below certificates
XX-CA-OTHER-08 signed by XX-CA-ROOT-04
XX-CA-PROC-06 signed by XX-CA-ROOT-04
XX-CA-ROOT-04 signed by XX-CA-ROOT-04
ISE certificate signed by XX-CA-PROC-06
I have enabled - 'Trust for client authentication' on all three certificates
this is unchecked - 'Enable Validation of Certificate Extensions (accept only valid certificate)'
when i check the certificates of current user in the Client PC this is how it shows.
XX-CA-ROOT-04 is listed in Trusted root Certification Authority
and XX-CA-PROC-06 and XX-CA-OTHER-08 are in Intermediate Certificate Authorities

Trouble with EAP-TLS with Wireless before Windows logon

Ill start with a list of equipment;
5508 WLC
3502i AP's
Cisco ACS 5.3
Windows 7 clients
WLAN is configure with WPA2/AES with 802.1x for key management.
Client is configure with WPA2/AES, auth method is Microsoft: Smart Card or other certificate on computer. Auth mode is User or Computer authentication. The client is configured to use a certificate on the computer. "It only works if user or computer auth is seected." If i use Computer Authenticate option......its says it cant find a certificate to use for EAP.
ACS is configured to only allow for protocol EAP-TLS.
We have created a standalone CA server and have distributed the CA root and client authentication certificates to all test systems.
This whole process with EAP-TLS works great if you are already logged in to the machine, with cache credentials. Once I log off the Windows 7 client, I lose connection to the WLAN. We would like to stay logged on to the WLAN. PEAP w/ MSCHAPV2 works great with staying connected to the WLAN but we want to use EAP-TLS.
Any ideas??
Thanks in advanced,
Ryan

Hi Ryan,
You actually answer your own question :) The reason for the fault is because the Machine Account doesn't have a Certificate, so when your User logs off the Machine Account can't login to keep the session going, and thus you get disconnected. Provide the Machine Account with a Certificate and your problem will be resolved.
Richard

12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate

Hi guys,
I have root CA and intermediate CA in ISE local certificate store trusted for client authentication.
I have imported both root ca and client certificate in the device I want to authenticate, but ISE keeps spitting out this error :
12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate

Refer the link for troubleshooting in page no 22 the issue is mentioned, check it: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_81_troubleshooting_failed_authc.pdf

WPA2 security with EAP-TLS user cert auth

I am investigating the use of EAP-TLS for authenticating clients through a MS NPS radius server for WLC WLAN using WPA-WPA2 for security with 802.1x for auth-key managment. We're trying to decide whether to use PEAP and AD account authentication or require client certificates issued by AD certifcate services. PEAP is working fine if we choose that auth method in our NPS radius network policy, but if we switch this to "smart card or other certificate" for client cert auth it does not work. The wireless profile on the Windows client is set up for WPA2/AES with "Microsoft: smart card or other certificate" for network auth. The 802.1x settings specify "User Authentication" and a user cert for the logged in user from ADCS is installed on the machine. The failure to connect reports "The certificate required to connect to this network can't be found on your computer". When I switch to Computer Authentication the error changes to "Network authentication failed due to a problem with the user account," though a valid machine cert also exists on the computer.
When I attempt to use cert auth I see no auth requests logged on the RADIUS server. I ran MS netmon on both the client and NPS server and I also see no requests coming in from the WLC to NPS. When using PEAP I do see EAP requests and responses between NPS and the WLC and radius requests logged. On the client end I do see an EAP request to the WAP when attempting cert auth, but no messages between the WLC and NPS.
It's also interesting that when I change the WLAN to use 802.1x and WEP encryption for layer 2 auth the cert auth worked first time, though I haven't been able to get that working since. Windows now complains I am missing a cert for that. In any case, what I really want is WPA2/AES with 802.1x cert auth and would like to get this working.
Is anyone using EAP-TLS with MS NPS radius and a WLC successfully? Any ideas on how to troubleshoot this or why I'm not seeing any traffic between WLC and NPS radius when attempting cert auth?

Well Well
WLC or any AAA client acts in pass through mode after initialy generating EAP-identity request so it has nothing to with EAP type. AAA client will behave the same no matter if you use PEAP , EAP-TLS or LEAP .....
The error message that you have reported is clearly sayign that your client doesn't have certificate to submit agains the back-end authentication server and accordingly the process fails . If you are not saying anything sent from WLC to NPS , it makes sense , because when the WLC initialy generate eap-identity request your client fails to answer and accordingly nothing is being sent to NPS server.
In order to verify that we need ' debug client < mac address of the client > ' from the WLC while trying to connect to make sure that is the case.
Also make sure that your client has certificate that is binded to a user account defined on your AD in away or another to have it working.
Please make sure to rate correct answers

EAP-TLS FAILING ON WIRELSS IPPHONE CP-7925G

Hi all,
we had enabled the eap-tls authentication on our WIFI network. We are using Cisco ACS 1113 & Microsoft Certificate Server for this setup. Currently we are able to successfully authenticat EAP-TLS on computer, but the Phones are not registering the network.
On the ACS we are getting the following error.
"EAP-TLS or PEAP authentication failed due to invalid certificate during SSL handshake".
Thanks
Nibin

Dear all
Thanks for your reply. Actually the setting is working for Laptops only issue with Wireless IP Phones.
Please find the logs from Cisco ACS. I followed the deployment guide for IP Phone.
AUTH 02/10/2013 13:29:58 I 0000 1756 0xb CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client certificate A
AUTH 02/10/2013 13:29:58 I 2009 1756 0xb EAP: EAP-TLS: Handshake failed
AUTH 02/10/2013 13:29:58 E 2255 1756 0xb EAP: EAP-TLS: ProcessResponse: SSL recv alert fatal:bad certificate
AUTH 02/10/2013 13:29:58 E 2258 1756 0xb EAP: EAP-TLS: ProcessResponse: SSL ext error reason: 412 (Ext error code = 0)
AUTH 02/10/2013 13:29:58 E 2297 1756 0xb EAP: EAP-TLS: ProcessResponse(1519): mapped SSL error code (3) to -2198
AUTH 02/10/2013 13:29:58 I 0526 1756 0xb EAP: EAP-TLS: Unknown EAP code Unknown EAP code
AUTH 02/10/2013 13:29:58 I 0366 1756 0xb EAP: EAP state: action = send
AUTH 02/10/2013 13:29:58 I 1151 1756 0xb [AuthenProcessResponse]:[eapAuthenticate] returned -2198
AUTH 02/10/2013 13:29:58 I 1198 1756 0xb EAP: <-- EAP Failure/EAP-Type=EAP-TLS (identifier=7, seq_id=7)
AUTH 02/10/2013 13:29:58 I 5501 1756 0xb Done UDB_SEND_RESPONSE, client 50, status UDB_EAP_TLS_INVALID_CERTIFICATE
Thanks
Nibin Rodrigues

802.1x with AD authentication in a wired environment

Hello,
I have a question about 802.1x authentication. I want use a combination from 802.1x and a domain authentication on a AD from microsoft. I think the first login request is the domain login, but the port on the switch is always blocked. After the PC is already up, then I can login with 802.1x authentication. Please let me know what is the best solution for this scenario. The customer need a domain login and he want use the 802.1x authentication.
Give it a solution with only 1 login request???
thanks
Jens

You can enable Machine Authentication with Windows 2000/XP/2003 clients. For this to work you need to use either PEAP or EAP-TLS. PEAP requires only a certifacate on the RADIUS Server. EAP-TLS requires a client certificate installed in the machine store on the 2000/XP/2003 client. With Machine Authentication the switchport authenticates the PC using 802.1x prior to user logon.
You can push certificates down to Machines & Users via Active Directory Group Policy (you can't push user certificates down with a 2000 AD or 2000 Clients). You need to also enable Remote Access privileges for Machines as well.
http://support.microsoft.com/kb/318750/EN-US/
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
I have this deployed in a test environment at the moment using Microsoft IAS (Radius). Due to the way the IAS policies are created you need to plan things out carefully. Each switch has to be added individually to the IAS Server so it can look ugly (no more so than a DHCP server though).
HTH
Andy

'Could not find user' with EAP-TLS in ACS

Hi all,
we are running ACS 4.2(1) Build 15 on a Win2003 member server and use the ACS for EAP-TLS with certificates (Microsoft-PKI) for WLAN authentication (WLC 4402, 6.0 and 4.2). We are using both machine and user authentication.
Sometimes machine authentications fail with following message in AUTH.log:
AUTH 11/01/2010 09:11:28 E 1395 1904 0x31cb External DB [NTAuthenDLL.dll]: Could not find user host/<xxxxxxxx>.com (0x5012)
But some minutes/hours later the same machine can authenticate successful. Other machines never have this problem, no problems at all with user authentications.
Does anyone have an idea where I can proceed with troubleshooting? I haven't found any related messages in server event logs. Are there any other logs where I can find reasons for these problems that are occuring only sometimes?
Thanks
Kai

AUTH.log and RDS.log are two log file you need to look into on ACS side. Make sure the log level is set to "Full"
You might need to check the log on AD side to see why it could not find this host.
Comparing the logs between the working and non-working cases might be helpful.

Possible to select self-signed certificate for client validation when connecting to VPN with EAP-TLS

In windows 8.2, I have a VPN connection configured with PPTP as the outer protocol and EAP : "Smart card or other certificate ..." as the inner protocol. Under properties, in the "When connecting" section I've selected "Use a certificate
on this computer" and un-checked "Use simple certificate selection".
My preference would be to use separate self-signed certificates for all clients rather than having a common root certificate that signed all of the individual client certificates. I've tried creating the self-signed certificate both with and without the
client authentication EKU specified, and I've added the certificate to the trusted root certificate authority store on the client. But when I attempt to connect to the VPN I can not get the self signed certificate to appear on the "Choose a certificate"
drop down.
Are self signed certificates supported for this use in EAP-TLS? If it makes a difference, I'm working with makecert (not working with a certificate server).
TIA,
-Rick

Hi Rick,
Thank you for your patience.
According to your description, would you please let me know what command you were using to make a self-signed certificate by tool makecert? I would like to try to reproduce this issue. Also based on my experience, please let me
know if the certificate has private key associated and be present in the local machine store. Hence, please move the certificate from the trusted root certificate authority store to personal store.
Best regards,
Steven Song
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

ISE problem with EAP-TLS Supplicant Provisioning

Hi All,
I have a demo built using ISE v1.1.3 patch 1 and a WLC using v7.4.100.0 software. The aim of the demo is to provision a device's supplicant with an EAP-TLS Certificate... 'device on-boarding'
The entire CWA / Device Registration process is all fine and works well. I'm using a publically signed Cert on ISE that is built from [Root CA + Intermediate CA + Host Cert] which is used for both HTTPS and EAP and I also have SCEP operating against my Win 2k8 Enterprise Edition CA that is part of my Active Directory. All of this works fine.
The problem is that when ISE pushes the WLAN config down to the device, it instructs the Client to check for the Root CA, but the RADIUS processes within ISE are bound to the Intermediate CA. This leads to a problem where the Client doesn't trust the Certificate presented to it from ISE. There doesn't seem to be any way to configure this behaviour within ISE.
Has anybody else encountered this? Know a solution? Have suggestions for a workaround?
Cheers,
Richard
PS - Also using WinSPWizard 1.0.0.28

Hi Richard,
This is a misbehavior that ISE is provisioning the intermediate CA certificate during the BYOD registration process in similar (hierarchical certificate authority) scenarios. It is going to be fixed soon. Engineering is almost ready with the fix.
Istvan Segyik
Systems Engineer
Global Virtual Engineering
WW Partner Organization
Cisco Systems, Inc
Email: [email protected]
Work: +36 1 2254604
Monday - Friday, 8:30 am-17:30 pm - UTC+1 (CET)

ISE 1.1.1 - Error Code 12521 EAP-TLS failed SSL/TLS handshake after a client alert

Hello,
Has anyone come across this error code before? I have looked in the 1.1.1 troubleshooting section and there is nothing there. When I click on the link for the description off the error in ISE I get the following error:
I setup 7925 phones for EAP-TLS using MIC. I have uploaded Cisco's Root CA and Manufactoring CA Certificates and enabled "Trust for client authentication". A Certificate Profile is configured matching Common Name and is added to the Identity Sequence. I got some additional attribute information, where there is a error message:
OpenSSLErrorMessage=SSL alert code=0x233=563 ; source=remote ; type=fatal ; message="decrypt error"
Anyone know what this error means?

Yes,
That could be it see if you can follow this guide on importing the ISE self signed cert: (i used a 7921 guide but it should be similar).
http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7921g/7_0/english/administration/guide/7921cfgu.html#wp1376129
Installing the Authentication Server Root Certificate
The Authentication Server Root Certificate must be installed on the Cisco Unified Wireless IP Phone 7921G.
To install the certificate, follow these steps:
Step 1 Export the Authentication Server Root Certificate from the ACS. See Exporting Certificates from the ACS.
Step 2 Go to the phone web page and choose Certificates.
Step 3 Click Import next to the Authentication Server Root certificate.
Step 4 Restart the phone.
Thanks,
Tarik Admani
*Please rate helpful posts*

Wired EAP-TLS Problems

I'm trying to setup wired clients to authenticate with EAP-TLS on a Catalyst 2950, I put together a test setup using the configs on my freeRADIUS server taken from another which is working with EAP-TLS over wireless, the requests are being passed through to the server but the authentication is still failing, could anyone give me some advice? Logs and configs included below......
My current setup is:
FreeRADIUS server - Fedora Core 6, freeradius-1.1.3-2.fc6, freeradius-mysql-1.1.3-2.fc6
Cisco Catalyst 2950 - IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA9, RELEASE SOFTWARE (fc1) - c2950-i6q4l2-mz.121-22.EA9.bin
Laptop - OpenSUSE 10.2
I followed the guide to setting up 802.1x auth on the switch from the 2950 docs and from here:
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO (although I'm not using Windows, so only the switch config is relevant)
"select * from nas" (comma seperated to make it easier):
id,nasname,shortname,type,ports,secret,community,description
1,10.10.0.9/32,Catalyst,cisco,NULL,<secret>,NULL Catalyst 2950
wpa_supplicant.conf on laptop:
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=0
network={
key_mgmt=IEEE8021X
identity="SUSE Laptop"
eapol_flags=0
eap=TLS
ca_cert="/home/evosys/Documents/cacert.pem"
client_cert="/home/evosys/Documents/suse_cert.pem"
private_key="/home/evosys/Documents/suse_key.pem"
private_key_passwd="<password>"
Outputs of the radiusd and wpa_supplicant are attached...

Based on this:
TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
I would say that your freeRADIUS server is providing a self-signed cert and the supplicant doesn't trust the signature. The client's ca_cert has to be the same one that signed the freeRADIUS server's cert (or you have to disable certificate verification on the client).
Shelly

802.1x with EAP-TLS Fails on Wired

Similar Messages

Maybe you are looking for