2960S - 15.0(2)SE MAB Issue
We have a Cisco 2960S configured for TrustSec (802.1x+MAB), with several
workstations/users connected to it through their Cisco IP Phones. The users are using
802.1x and their phones are being MAB'd.
Intermittently, the MAB functionality seems to stall, see by the output below. The issue
is not isolated to a given port, but does not occur on other switches (3560Gs) in the environment.
This switch is running 15.0(2)SE
Authentication Session command does not show a phone, only a workstation:
NFF-Cat2960S-off#sh authen sess int gi1/0/13
Interface: GigabitEthernet1/0/13
MAC Address: 082e.5f86.4345
IP Address: 192.168.1.111
User-Name: <removed>
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 10
ACS ACL: xACSACLx-IP-ACL-PERMITALL-50bfa391
Session timeout: 14400s (server), Remaining: 14353s
Timeout action: Reauthenticate
Idle timeout: N/A
Common Session ID: C0A8011600000F4AFC60371C
Acct Session ID: 0x000010D5
Handle: 0xD6000F4B
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
CAM shows the phone as connected and communicating (even after a shut/noshut):
NFF-Cat2960S-off#sh mac add int gi1/0/13
Mac Address Table
Vlan Mac Address Type Ports
10 082e.5f86.4345 STATIC Gi1/0/13
10 e804.6212.9903 DYNAMIC Gi1/0/13
20 e804.6212.9903 DYNAMIC Gi1/0/13
Total Mac Addresses for this criterion: 3
Interface Configuration: (same as others on this switch and others)
interface GigabitEthernet1/0/13
switchport access vlan 10
switchport mode access
switchport nonegotiate
switchport voice vlan 20
ip access-group ACL-DEFAULT in
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication event fail action next-method
authentication event server dead action reinitialize vlan 10
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 10
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
end
Phone has DHCP, but traffic is being blocked by ACL-DEFAULT, as the switch is not
performing MAB to download a more permissive dACL:
Jan 2 15:21:10.365 EST: %SEC-6-IPACCESSLOGP: list ACL-DEFAULT denied tcp
192.168.20.77(49858) -> 192.168.20.5(2000), 1 packet
Finally, the switch is reporting that MAB on this port is in an ACQUIRING state, even though the MACs are discovered:
MAB details for GigabitEthernet1/0/13
Mac-Auth-Bypass = Enabled
MAB Client List
Client MAC = Waiting
Session ID = C0A8011600000FB006D7DCEA
MAB SM state = ACQUIRING
Authen Status = FAIL
Hi,
Just out of curiosity can you post your port configuration.
Thanks.
Sent from Cisco Technical Support Android App
Similar Messages
-
Latest ios(12.2(5X), (15.x) MAB issue
i will use a switching module in 3945 router instead of 2960 switch
existing ios version(old-switch) is 12.2(44)SE6
new ios version(new-sm module) is 12.2(55)SE7
existing ios version mab do work fine, but new ios version mab don't work
--- existing configuration ---
aaa new-model
aaa authentication
login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common
dot1x system-auth-control
interface xx
switchport access vlan 10
switchport mode access
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode protect
spanning-tree portfast
--- new configuration ---
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common
dot1x system-auth-control
interface xx
authentication port-control auto
mab
dot1x pae authenticator
as ios version upgrade, some of the configuration has been changed and
mac authentication bypass is not working, so please tell me why these
problem occurI have to mention one more thing. If I connect to the console, I do not get any prompt or see any banner etc. However I will see all the log messages coming up on the screen.
I can ssh / telnet to the switch no problem. -
I'm working with the following lab:
ISE 1.1.3.124
3560 running c3560-ipservicesk9-mz.122-55.SE
Cisco AP (1131, 1231).
I'm attempting MAB. The AP is being profiled correctly and I'm seeing successful authen and authz. But the device (AP/whatever) cannot pickup a DHCP address. If I manually assign an IP, then no traffic flows through the switchport. DHCP works fine for ports with no security. The DACL is being applied and should permit the traffic - I've even tried a permit ip any any.
I've attached the switch config and some ISE screenshots / logs.
Some further details below.
Thanks to anyone if you can nudge me in the right direction.
## switch dot1x debug
%MAB-5-SUCCESS: Authentication successful for client (001b.2abc.5de0) on Interface Fa0/2 AuditSessionID C0A863FE000001392E8FE236
3560-1#
%EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 001b.2abc.5de0| AuditSessionID C0A863FE000001392E8FE236| AUTHTYPE DOT1X| EVENT APPLY
%EPM-6-AAA: POLICY xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6| EVENT DOWNLOAD-REQUEST
%EPM-6-AAA: POLICY xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6| EVENT DOWNLOAD-SUCCESS
%EPM-6-IPEVENT: IP 0.0.0.0| MAC 001b.2abc.5de0| AuditSessionID C0A863FE000001392E8FE236| AUTHTYPE DOT1X| EVENT IP-WAIT
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
3560-1#
%AUTHMGR-5-SUCCESS: Authorization succeeded for client (001b.2abc.5de0) on Interface Fa0/2 AuditSessionID C0A863FE000001392E8FE236
3560-1#sh authentication sessions int fa0/2
Interface: FastEthernet0/2
MAC Address: 001b.2abc.5de0
IP Address: Unknown
User-Name: 00-1B-2A-BC-5D-E0
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
ACS ACL: xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A863FE000001392E8FE236
Acct Session ID: 0x00000180
Handle: 0xFC000139
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
3560-1#sh authentication method mab
Interface MAC Address Method Domain Status Session ID
Fa0/2 001b.2abc.5de0 mab DATA Authz Success C0A863FE000001392E8FE236
3560-1#sh ip access-lists
Standard IP access list 10
10 permit 192.168.99.10 (9814 matches)
20 deny any log
Extended IP access list ACL_DEFAULT
10 permit udp any eq bootpc any eq bootps (71 matches)
20 permit udp any any eq domain
30 permit icmp any any
40 permit udp any any eq tftp
50 permit ip any host 192.168.99.10
60 deny ip any any log
Extended IP access list ACL_REDIRECT
10 deny udp any eq bootpc any eq bootps
20 deny udp any any eq domain
30 deny ip any host 192.168.99.10
40 permit tcp any any eq www
50 deny ip any any
Extended IP access list xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6 (per-user)
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit ip any host 192.168.99.224
40 deny ip any any logIt is nice to see that you find the resolution the command “ip dncp snooping trust” Validates DHCP messages received from untrusted sources and filters out invalid messages.
-
I am trying to set my ISE to attempt dot1x before mab. If I set up the switchport to try mab first, then ISE does its job and assigns the proper vlan. However, when I set the port up to do dot1x first, the port reverts to the default vlan 1. I am able to manually assign the proper vlan on the port and ISE does not interfere, but that kind of defeats the purpose. The port is on a 4506 and below is the port config. Any direction would be greatly appreciated.
interface GigabitEthernet5/7
description 1-151
switchport mode access
switchport block unicast
switchport voice vlan 68
ip arp inspection limit rate 60
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize vlan 40
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 3600
authentication violation restrict
mab
snmp trap mac-notification change added
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
endRecently i have implemented in one of our customer, find the below switch configuration.
aaa new-model
aaa authentication dot1x default group radius local
aaa authorization network default group radius local
aaa authorization auth-proxy default group radius
aaa accounting delay-start all
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius
aaa server radius dynamic-author
client <ISE IP ADDRESS> server-key 7 10471A1C25141B1F0F
aaa session-id common
ip device tracking probe use-svi
ip device tracking
ip admission name Testing_ISE proxy http inactivity-time 10 list ISE_ALLOWED
epm logging
dot1x system-auth-control
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree uplinkfast
spanning-tree backbonefast
spanning-tree vlan 1-1005 priority 8192
port-channel load-balance src-dst-ip
vlan internal allocation policy ascending
interface ran GigabitEthernet X/X
description "Connected to test PC for ISE testing"
switchport access vlan x
switchport mode access
switchport voice vlan x
authentication event fail action next-method
authentication event server dead action authorize vlan 107
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation protect
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
ip http server
ip http secure-server
ip access-list extended ISE_REDIR
deny udp any any eq bootpc
deny udp any any eq bootps
deny udp any any eq domain
deny ip any host <ISE IP ADDRESS> log
permit tcp any any eq www
permit tcp any any eq 443
deny ip any any log
ip access-list extended ISE_ALLOWED
permit ip any host <ISE IP ADDRESS>
logging esm config
snmp-server community string RO
snmp-server community public RO
snmp-server community ise RO
snmp-server trap-source Vlan250
snmp-server enable traps mac-notification change move threshold
snmp-server host <ISE IP ADDRESS> version 2c ise mac-notification
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host <ISE IP ADDRESS> auth-port 1812 acct-port 1813 key 7
141E010E2C07233F27
radius-server vsa send accounting
radius-server vsa send authentication
Create a Authentication policy in ISE and allow ISE_REDIR ACL. -
Cisco ISE & 3750 Switch MAB configuration Issue
Hi,
I am writting in response to MAB issue which I noticed a few days ago and I am still not able to undestand what exactly happend. First of all I would like to say that I configured MAB authentication and according to the MAC the ISE configure a VLAN. All worked well: the test computer can change VLAN based on its MAC. The problem appear when I cut the connection to ISE server. Accourding to configuration the switch authorize the new device to VLAN 11 (critical VLAN) That is fine ! When the ISE server is up again I had a configuration which should reauthorize all ports assign in critical VLAN. But why that is not happend ??? It looks as the switch didn't notice that the RADIUS (ISE) was up and working again.
Here is the test switch configuration :
interface FastEthernet0/22
switchport access vlan 10
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 11
authentication event server alive action reinitialize
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
authentication violation restrict
mab
dot1x pae authenticator
spanning-tree portfast
spanning-tree bpduguard enable
snmp-server community ISE-Test RO
snmp-server community ISE-Test1 RW
snmp-server trap-source FastEthernet0/24
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 192.168.98.10 auth-port 1812 acct-port 1813 key cisco123
radius-server vsa send accounting
radius-server vsa send authentication
Thank you in advanced! I hope that this issue might be intersting!
MartinCan you confirm that you have the following syntax in your NAD:
aaa server radius dynamic-author
client 192.168.98.10 server-key AAA_Secret
Also, it would be nice to have the complete aaa/radius config. If esear post your whole config here.
Last but not the elast, you can try moving to 15.x code. I had issues in the past with 12.x code and 802.1x -
Slow download performance with windows 7 on Cisco 2960S
has someone experience with the the windows 7 on Cisco 2960S.
One customer had the issue with very slow download rate ( 500kByte) with 100MB / full duplex and default tcp paramenter under win 7 with IOS 12.2.55SE1.
No error was seen.
The change of follwing in windows improve the performance a litte bit to 1-2 MByte.
no compression, no tcp windowing, no received side scaling, no windows side heuristic, no checksum offloading and a smaller MTU size than default.
After update the Switch to 12.2.55.SE2 the performance imporve to 4-12 MByte.
Has someone an idea about the chances in IOS 12.2.55SE2. I cant find anything in RN about this issue.
Best regards
SteffenI have the same issues in WS-C2960G-48TC-L . my downloads dropped in my lan from 2 mb/s to 100kb/s in all operating systems including linux workstations . my ios version is 12.2(44)SE5 in 2960 switches .
i have 2 x 4503-E L3 and 14 2960-48TC-L switches but i can not access the new ios versions to test if the issue is coming from ios version because of end of support .
can someone ensure that the new ios remove this issue ? -
2960x broken when USB console cable connected
Hi
I have a strage issue here, on 2 different 2960X ( WS-C2960X-48TD-L ) when I connect the mini USB cable for console access the switch do not respond anymore, after few seconds all the led stop to flash, the switch start to broadcast all packets on all ports, causing redundand port to create a loop.
The issue is present on both switches, tried to cold boot, tried updating to 15.0(2)EX4 but still same issue.
I tried different usb cables that are working on 2960S and 3750x, anyone with this issue ?
It is annoing as I have only usb pors available there.
The issue start when the cable is plugged in without even start the login, the Control plane free about 20-30 seconds after. If I remove the usb cable everithing is fine again, but spanning tree on other switches has gone crazy due to the switch was farwarding on all ports.Hi,
anyone has this same issue ? -
WS-C2960S-48TS-L showing as unsupported device in CNA 5.5
I have set up a new switch, I can connect to it thru a web browser or telnet to it thru the network, but when I try to connect to it thru CNA 5.5 I can connect without a problem but it shows up as an unsupported device and I can't do any configurations to it. I am able to configure other 2950, 2960, and 3560 devices without an issue but this is the first 2960s model I have worked with. Is there an issue between CNA and this model that needs to be addressed? The 2960s is running the latest IOS.
seems like Cisco does not like answering any questions posted on here
Firstly, there are two types of people who posts here. They are people with issues/problems and those who can provide solutions. Now these people who provide solutions do not necessarily work for Cisco (just want to point it out). Cisco created this website to allow the sharing of informations and solutions for those who don't have, for instance, a Cisco TAC access. Unfortunately not everyone is an expert in every field (like me).
The Cisco 2960S is a fairly new product (released on April or May 2010, if I recall). However, if you look at the age of the latest version of Cisco Network Assistant (CNA), version 5.5, was released waaaaaaaaaaaaaaaaaaaaaaay back September 2009. This is like, in my humble opinion, using Office 2010 on a Windows 98 OS.
Another thing is that not all of us are avid users of CNA. We are "old school" and use the CLI to configure Cisco appliance as it's more robust and offers a helluvalot functionalities and features.
If contact your authorized Cisco reseller or Cisco SE, you can ask them when the next release for CNA will be.
This post is not meant to offend, criticize and/or insult anyone here. It's not meant to be demeaning, offensive or condescending. This post is just a personal opinion.
Hope this helps. -
IOS 15.0(2)SE5 DHCP Snooping Problem
I have just upgraded a single production switch from IOS 12.2(50)SE1 to 15.0(2)SE5 to test out new ipv6 security features that we will soon require for our deployment. upon booting into the newer IOS the DHCP snooping feature stopped working, this caused ARP inspection to start dropping traffic so we had to disable it. after going through the normal troublehsooting procedures (check config, reboot, re-apply config, check clients, renew IP address etc) it still is not working.
has anyone else experience this problem or anything similar?
I would be interested to hear from people on recent experiences when upgrading software as we have been having a bad time recently with cisco software across a range of products.Aurelien
I just tested this on a 2960-S running SE5 with no issues.
2960-1#debug ip dhcp snooping packet
DHCP Snooping Packet debugging is on
2960-1#
Mar 30 01:30:23.963: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Po1 for pak. Was Vl1
Mar 30 01:30:23.963: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl1 for pak. Was Po1
Mar 30 01:30:23.963: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Po1 for pak. Was Vl1
Mar 30 01:30:23.963: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel1)
2960-1#
Mar 30 01:30:23.968: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Po1, MAC da: ffff.ffff.ffff, MAC sa: 3037.a696.3640, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 3037.a696.3640
Mar 30 01:30:23.968: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (1)
Mar 30 01:30:23.968: DHCP_SNOOPING_SW: bridge packet send pac
2960-1#ket to cpu port: Vlan1.
Mar 30 01:30:25.976: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/24 for pak. Was Vl1
Mar 30 01:30:25.976: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl1 for pak. Was Gi0/24
Mar 30 01:30:25.976: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/24 for pak. Was Vl1
Mar 30 01:30:25.976: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet0/24)
Mar 30 01:30:25.976: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, inpu
2960-1#t interface: Gi0/24, MAC da: ffff.ffff.ffff, MAC sa: 001c.0e86.6f4a, IP da: 255.255.255.255, IP sa: 172.16.156.33, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 172.16.156.47, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 3037.a696.3640
Mar 30 01:30:25.981: DHCP_SNOOPING: direct forward dhcp replyto output port: Port-channel1.
Mar 30 01:30:25.987: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Po1 for pak. Was Vl1
Mar 30 01:30:25.987: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl1 for pak. W
2960-1#as Po1
Mar 30 01:30:25.987: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Po1 for pak. Was Vl1
Mar 30 01:30:25.987: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel1)
Mar 30 01:30:25.987: DHCP_SNOOPING: process new DHCP packet, message type: DHCPREQUEST, input interface: Po1, MAC da: ffff.ffff.ffff, MAC sa: 3037.a696.3640, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 3037.a696.3
2960-1#640
Mar 30 01:30:25.987: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (1)
Mar 30 01:30:25.987: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan1.
Mar 30 01:30:25.987: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/24 for pak. Was Vl1
Mar 30 01:30:25.987: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl1 for pak. Was Gi0/24
Mar 30 01:30:25.987: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Gi0/24 for pak. Was Vl
2960-1#1
Mar 30 01:30:25.987: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet0/24)
Mar 30 01:30:25.992: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Gi0/24, MAC da: ffff.ffff.ffff, MAC sa: 001c.0e86.6f4a, IP da: 255.255.255.255, IP sa: 172.16.156.33, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 172.16.156.47, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 3037.a696.3640
Mar 30 01:30:25.992: DHCP_SNOOPING: direct forward dhcp replyto output port:
2960-1#Port-channel1.
2960-1#sh ip dhc
2960-1#sh ip dhcp no
2960-1#sh ip dhcp sno
2960-1#sh ip dhcp snooping b
2960-1#sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
30:37:A6:96:36:40 172.16.156.47 86387 dhcp-snooping 1 Port-channel1
Total number of bindings: 1
2960-1#sh ver | in IOS
Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 15.0(2)SE5, RELEASE SOFTWARE (fc1)
2960-1# -
Aironet 1142 as supplicant to 2960 switch (NEAT/CISP/MAB)
Hello!
First, my configuration, (then the problem down below):
I have an Aironet 1142 with mulitple SSIDs [mapped to VLANs] connected to Gi1/0/2 on a 2960 switch in a user-accessible area. This switch is uplinked to another 2960 switch in a wiring closet, and the Microsoft NPS server is connected to the wiring closet 2960.
Aironet -- 2960 [user area] --- 2960 [closet] -- NPS RADIUS
I have the user-area 2960 configured as an authenticator switch for dot1x, and port Gi1/0/2 is authenticating the Aironet via MAB to RADIUS. RADIUS is sending VSA device-traffic-class=switch to the 2960. The closet-2960 has no special 802.1x configuration, nor is it an authenticator swtich; it just has a manually-configured trunk port to the user-area 2960 [for now; i'm trying to take this one step at a time!].
The user-area 2960 correctly converts port Gi1/0/1 to a trunk port when the Aironet is authenticated [via MAB]. The Aironet boots up, the port is opened, I can ping the Aironet on the native VLAN, and all is well [so it seems]. The Aironet's dot11Radio is configured for two SSIDs and mapped to VLANs, which are being spanned via STP thru the user-area 2960 and the closet-2960. STP is correct and verified on all switches.
I have DHCP snooping configured on the user-area 2960 but only for VLAN 1 [but NOT the wireless user VLANs], the trunk port to the closet 2960 is a trusted port. Hosts on the wired ports on the user-area 2960 are able to get DHCP IPs. On the Aironet, "show dot11 associations" shows hosts on the SSIDs are getting DHCP addresses. Again, I am *NOT* running dhcp snooping on wireless SSID VLANs [i read elsewhere that can cause problems as users roam between Aironets].
I do have CISP configured on the user-area 2960. I do not have CISP configured on the closet-2960 [best I can tell, that's not required at this stage, but I could be wrong].
Despite the alleged documentation, I could not get the Aironet to use a dot1x credentials profile to authenticate to NPS/RADIUS as an 802.1x supplicant, which is why I resorted to MAB for this exercise. The Aironet simply would not run dot1x [best I could tell]. The documentation and configuration didn't seem complex, so I was quite confused.
I have upgraded the Aironet to the latest 12.4(25d)JA2 software, and the 2960 is at 12.2(55)SE7 [i saw 12.2(58) has some issues, but i'm willing to be persuaded otherwise, based on sound advice].
Ok, now the problem:
Users on the guest wireless SSID (Vlan 20) say they cannot connect. Yep, classic. VLAN 20 is trunked and spanned to all the sufficient places. The Aironet shows users in the associations list for that SSID with IP addresses from the DHCP server! DHCP snooping is not configured on that VLAN.
I read another support forum post saying CISP and MAB could cause problems with "disappearing" ARP entries. I appear to have that problem. However, the user on the Staff wireless (VLAN 10) has full access. Am I running into a problem with "multi-host" authentication config? Via tcpdump on my firewall, I see nothing but broadcast and multicast traffic coming from a host on VLAN 20. What puzzles me is how I do see *SOME* traffic from a VLAN 20 host on this SSID, but no unicast traffic! Argh!
Since you're going to ask, here is my port config for this AP on the 2960 authenticator switch in the user-area, and the AAA config pieces:
#sh run br | in ip dhcp
ip dhcp snooping vlan 1
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcp_snoop.txt
ip dhcp snooping
#sh ip dhcp snoop
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
DHCP snooping is operational on following VLANs:
1
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is disabled
circuit-id default format: vlan-mod-port
remote-id: ccd5.3947.7980 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Allow option Rate limit (pps)
GigabitEthernet1/0/46 no no 15
Custom circuit-ids:
GigabitEthernet1/0/48 yes yes unlimited
Custom circuit-ids:
GigabitEthernet1/0/52 yes yes unlimited
Custom circuit-ids:
#sh run br | incl aaa auth
aaa authentication login default local group rad_eap
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization exec default local group rad_eap
aaa authorization network default group rad_eap local
#sh run int gi1/0/2
interface GigabitEthernet1/0/2
description Wireless Access Points
switchport mode trunk
switchport nonegotiate
srr-queue bandwidth share 1 30 35 5
srr-queue bandwidth limit 50
priority-queue out
authentication host-mode multi-host
authentication order mab dot1x
authentication port-control auto
authentication violation restrict
mab
mls qos trust cos
macro description CISCO_WIRELESS_AP_EVENT
auto qos trust
spanning-tree portfast
#sh int gi1/0/2 sw
Name: Gi1/0/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
#sh auth sess int gi1/0/2
Interface: GigabitEthernet1/0/2
MAC Address: acf2.c5f2.8e27
IP Address: 10.100.32.42
User-Name: acf2c5f28e27
Status: Authz Success
Domain: DATA
Oper host mode: multi-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A64200B00000CDA41AFBEDF
Acct Session ID: 0x00000D00
Handle: 0xDE000CDA
Runnable methods list:
Method State
mab Authc Success
dot1x Not run
#sh mab int gi1/0/2
MAB details for GigabitEthernet1/0/2
Mac-Auth-Bypass = Enabled
#sh int trunk
Port Mode Encapsulation Status Native vlan
Gi1/0/1 on 802.1q trunking 1
Gi1/0/2 on 802.1q trunking 1
Gi1/0/48 on 802.1q trunking 1
Gi1/0/52 on 802.1q trunking 1
Port Vlans allowed on trunk
Gi1/0/1 1-4094
Gi1/0/2 1-4094
Gi1/0/48 1-2,10,20
Gi1/0/52 1-2,10,20
Port Vlans allowed and active in management domain
Gi1/0/1 1-2,10,20
Gi1/0/2 1-2,10,20
Gi1/0/48 1-2,10,20
Gi1/0/52 1-2,10,20
Port Vlans in spanning tree forwarding state and not pruned
Gi1/0/1 1-2,10,20
Gi1/0/2 1-2,10,20
Gi1/0/48 2
Gi1/0/52 1-2,10,20
Ok, what am I missing??The problem lies in the wired Ethernet port on the Aironet. I did not submit that configuration because I thought it was simple and unrelated. Here is what I had:
interface GigabitEthernet0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
bridge-group 20 spanning-disabled
The correct configuration should have been:
interface GigabitEthernet0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
no bridge-group 20 source-learning
bridge-group 20 spanning-disabled
The line "no bridge-group 20 unicast-flooding" should not be applied to the wired port. That's stupid. With that erroneous command, the wired port will forward only broadcast and multicast traffic! Unicast traffic will be dropped. Oops.
However, I do not understand why applying this to the radio interfaces has no effect there. I have yet to find any conclusive detailed answers, either. Regardless, my original problem is fixed. -
IEEE 802.1x with EAP-TLS issue in cisco 2960
In My Cisco 2960 switch is not working with EAP-TLS mechanism of 802.1x but its works well with other protocols like EAP-PEAP or MAC Address authentication.
Below is the configuration
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group radius
aaa authorization configuration default group radius
aaa accounting update periodic 30
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
interface FastEthernet0/1
switchport access vlan 11
switchport mode access
speed 100
duplex full
authentication order dot1x mab webauth
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 3
dot1x timeout supp-timeout 3
spanning-tree portfast
spanning-tree bpduguard enable
Can anyone suggest me ?Thanks for the reply jatin.
I have a client on the interface fa0/1 with a valid client certificate. And have a debug logs as below
*Mar 8 00:03:06.266: dot1x-ev(Fa0/1): Interface state changed to UP
*Mar 8 00:03:06.266: AAA/BIND(000001C7): Bind i/f
*Mar 8 00:03:06.266: dot1x_auth Fa0/1: initial state auth_initialize has enter
*Mar 8 00:03:06.266: dot1x-sm(Fa0/1): 0xB0000DBA:auth_initialize_enter called
*Mar 8 00:03:06.266: dot1x_auth Fa0/1: during state auth_initialize, got event 0(cfg_auto)
*Mar 8 00:03:06.266: @@@ dot1x_auth Fa0/1: auth_initialize -> auth_disconnected
*Mar 8 00:03:06.266: dot1x-sm(Fa0/1): 0xB0000DBA:auth_disconnected_enter called
*Mar 8 00:03:06.266: dot1x_auth Fa0/1: idle during state auth_disconnected
*Mar 8 00:03:06.266: @@@ dot1x_auth Fa0/1: auth_disconnected -> auth_restart
*Mar 8 00:03:06.266: dot1x-sm(Fa0/1): 0xB0000DBA:auth_restart_enter called
*Mar 8 00:03:06.266: dot1x-ev(Fa0/1): Sending create new context event to EAP for 0xB0000DBA (0000.0000.0000)
*Mar 8 00:03:06.266: dot1x_auth_bend Fa0/1: initial state auth_bend_initialize has enter
*Mar 8 00:03:06.266: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_initialize_enter called
*Mar 8 00:03:06.266: dot1x_auth_bend Fa0/1: initial state auth_bend_initialize has idle
*Mar 8 00:03:06.266: dot1x_auth_bend Fa0/1: during state auth_bend_initialize, got event 16383(idle)
*Mar 8 00:03:06.266: @@@ dot1x_auth_bend Fa0/1: auth_bend_initialize -> auth_bend_idle
*Mar 8 00:03:06.266: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_idle_enter called
*Mar 8 00:03:06.266: dot1x-ev(Fa0/1): Created a client entry (0xB0000DBA)
*Mar 8 00:03:06.266: dot1x-ev(Fa0/1): Dot1x authentication started for 0xB0000DBA (0000.0000.0000)
*Mar 8 00:03:06.266: dot1x-ev:DOT1X Supplicant not enabled on FastEthernet0/1
*Mar 8 00:03:06.266: dot1x-sm(Fa0/1): Posting !EAP_RESTART on Client 0xB0000DBA
*Mar 8 00:03:06.266: dot1x_auth Fa0/1: during state auth_restart, got event 6(no_eapRestart)
*Mar 8 00:03:06.266: @@@ dot1x_auth Fa0/1: auth_restart -> auth_connecting
*Mar 8 00:03:06.266: dot1x-sm(Fa0/1): 0xB0000DBA:auth_connecting_enter called
*Mar 8 00:03:06.274: dot1x-sm(Fa0/1): 0xB0000DBA:auth_restart_connecting_action called
*Mar 8 00:03:06.274: dot1x-sm(Fa0/1): Posting RX_REQ on Client 0xB0000DBA
*Mar 8 00:03:06.274: dot1x_auth Fa0/1: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
*Mar 8 00:03:06.274: @@@ dot1x_auth Fa0/1: auth_connecting -> auth_authenticating
*Mar 8 00:03:06.274: dot1x-sm(Fa0/1): 0xB0000DBA:auth_authenticating_enter called
*Mar 8 00:03:06.274: dot1x-sm(Fa0/1): 0xB0000DBA:auth_connecting_authenticating_action called
*Mar 8 00:03:06.274: dot1x-sm(Fa0/1): Posting AUTH_START for 0xB0000DBA
*Mar 8 00:03:06.274: dot1x_auth_bend Fa0/1: during state auth_bend_idle, got event 4(eapReq_authStart)
*Mar 8 00:03:06.274: @@@ dot1x_auth_bend Fa0/1: auth_bend_idle -> auth_bend_request
*Mar 8 00:03:06.274: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_enter called
*Mar 8 00:03:06.274: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:06.274: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:06.274: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 8 00:03:06.274: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:06.274: EAPOL pak dump Tx
*Mar 8 00:03:06.274: EAPOL Version: 0x3 type: 0x0 length: 0x0005
*Mar 8 00:03:06.274: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
*Mar 8 00:03:06.274: dot1x-packet(Fa0/1): EAPOL packet sent to client 0xB0000DBA (0000.0000.0000)
*Mar 8 00:03:06.274: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_idle_request_action called
*Mar 8 00:03:06.794: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:06.794: dot1x-packet(Fa0/1): queuing an EAPOL pkt on Auth Q
*Mar 8 00:03:06.794: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar 8 00:03:06.794: EAPOL pak dump rx
*Mar 8 00:03:06.794: EAPOL Version: 0x1 type: 0x1 length: 0x0000
*Mar 8 00:03:06.794: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/1 CODE= 0,TYPE= 0,LEN= 0
*Mar 8 00:03:06.794: dot1x-packet(Fa0/1): Received an EAPOL frame
*Mar 8 00:03:06.794: dot1x-ev(Fa0/1): Received pkt saddr =d43d.7e65.4fc1 , daddr = 0180.c200.0003,
pae-ether-type = 888e.0101.0000
*Mar 8 00:03:06.794: dot1x-ev(Fa0/1): Couldn't find the supplicant in the list
*Mar 8 00:03:06.794: dot1x-ev(Fa0/1): New client detected, notifying AuthMgr
*Mar 8 00:03:06.794: dot1x-ev(Fa0/1): Sending event (0) to Auth Mgr for d43d.7e65.4fc1
*Mar 8 00:03:06.794: dot1x-packet(Fa0/1): Received an EAPOL-Start packet
*Mar 8 00:03:06.794: EAPOL pak dump rx
*Mar 8 00:03:06.794: EAPOL Version: 0x1 type: 0x1 length: 0x0000
*Mar 8 00:03:06.794: dot1x-sm(Fa0/1): Posting EAPOL_START on Client 0xB0000DBA
*Mar 8 00:03:06.794: dot1x_auth Fa0/1: during state auth_authenticating, got event 4(eapolStart)
*Mar 8 00:03:06.794: @@@ dot1x_auth Fa0/1: auth_authenticating -> auth_aborting
*Mar 8 00:03:06.794: dot1x-sm(Fa0/1): 0xB0000DBA:auth_authenticating_exit called
*Mar 8 00:03:06.794: dot1x-sm(Fa0/1): 0xB0000DBA:auth_aborting_enter called
*Mar 8 00:03:06.794: dot1x-ev(Fa0/1): 802.1x method gets the go ahead from Auth Mgr for 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:06.794: %AUTHMGR-5-START: Starting 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EE240F5BAB
*Mar 8 00:03:06.794: dot1x-sm(Fa0/1): Posting AUTH_ABORT for 0xB0000DBA
*Mar 8 00:03:06.794: dot1x_auth_bend Fa0/1: during state auth_bend_request, got event 1(authAbort)
*Mar 8 00:03:06.794: @@@ dot1x_auth_bend Fa0/1: auth_bend_request -> auth_bend_initialize
*Mar 8 00:03:06.794: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_initialize_enter called
*Mar 8 00:03:06.794: dot1x_auth_bend Fa0/1: idle during state auth_bend_initialize
*Mar 8 00:03:06.794: @@@ dot1x_auth_bend Fa0/1: auth_bend_initialize -> auth_bend_idle
*Mar 8 00:03:06.794: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_idle_enter called
*Mar 8 00:03:06.794: dot1x-sm(Fa0/1): Posting !AUTH_ABORT on Client 0xB0000DBA
*Mar 8 00:03:06.794: dot1x_auth Fa0/1: during state auth_aborting, got event 20(no_eapolLogoff_no_authAbort)
*Mar 8 00:03:06.794: @@@ dot1x_auth Fa0/1: auth_aborting -> auth_restart
*Mar 8 00:03:06.794: dot1x-sm(Fa0/1): 0xB0000DBA:auth_aborting_exit called
*Mar 8 00:03:06.794: dot1x-sm(Fa0/1): 0xB0000DBA:auth_restart_enter called
*Mar 8 00:03:06.794: dot1x-ev(Fa0/1): Resetting the client 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:06.794: dot1x-ev(Fa0/1): Sending create new context event to EAP for 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:06.802: dot1x-sm(Fa0/1): 0xB0000DBA:auth_aborting_restart_action called
*Mar 8 00:03:06.802: dot1x-sm(Fa0/1): Posting !EAP_RESTART on Client 0xB0000DBA
*Mar 8 00:03:06.802: dot1x_auth Fa0/1: during state auth_restart, got event 6(no_eapRestart)
*Mar 8 00:03:06.802: @@@ dot1x_auth Fa0/1: auth_restart -> auth_connecting
*Mar 8 00:03:06.802: dot1x-sm(Fa0/1): 0xB0000DBA:auth_connecting_enter called
*Mar 8 00:03:06.802: dot1x-sm(Fa0/1): 0xB0000DBA:auth_restart_connecting_action called
*Mar 8 00:03:06.811: dot1x-sm(Fa0/1): Posting RX_REQ on Client 0xB0000DBA
*Mar 8 00:03:06.811: dot1x_auth Fa0/1: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
*Mar 8 00:03:06.811: @@@ dot1x_auth Fa0/1: auth_connecting -> auth_authenticating
*Mar 8 00:03:06.811: dot1x-sm(Fa0/1): 0xB0000DBA:auth_authenticating_enter called
*Mar 8 00:03:06.811: dot1x-sm(Fa0/1): 0xB0000DBA:auth_connecting_authenticating_action called
*Mar 8 00:03:06.811: dot1x-sm(Fa0/1): Posting AUTH_START for 0xB0000DBA
*Mar 8 00:03:06.811: dot1x_auth_bend Fa0/1: during state auth_bend_idle, got event 4(eapReq_authStart)
*Mar 8 00:03:06.811: @@@ dot1x_auth_bend Fa0/1: auth_bend_idle -> auth_bend_request
*Mar 8 00:03:06.811: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_enter called
*Mar 8 00:03:06.811: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:06.811: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:06.811: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 8 00:03:06.811: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:06.811: EAPOL pak dump Tx
*Mar 8 00:03:06.811: EAPOL Version: 0x3 type: 0x0 length: 0x0005
*Mar 8 00:03:06.811: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
*Mar 8 00:03:06.811: dot1x-packet(Fa0/1): EAPOL packet sent to client 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:06.811: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_idle_request_action called
*Mar 8 00:03:06.811: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:06.811: dot1x-packet(Fa0/1): Queuing an EAPOL pkt on Authenticator Q
*Mar 8 00:03:06.811: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar 8 00:03:06.811: EAPOL pak dump rx
*Mar 8 00:03:06.811: EAPOL Version: 0x1 type: 0x0 length: 0x0022
*Mar 8 00:03:06.811: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/1 CODE= 2,TYPE= 1,LEN= 34
*Mar 8 00:03:06.811: dot1x-packet(Fa0/1): Received an EAPOL frame
*Mar 8 00:03:06.811: dot1x-ev(Fa0/1): Received pkt saddr =d43d.7e65.4fc1 , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.0022
*Mar 8 00:03:06.811: dot1x-packet(Fa0/1): Received an EAP packet
*Mar 8 00:03:06.811: EAPOL pak dump rx
*Mar 8 00:03:06.811: EAPOL Version: 0x1 type: 0x0 length: 0x0022
*Mar 8 00:03:06.811: dot1x-packet(Fa0/1): Received an EAP packet from d43d.7e65.4fc1
*Mar 8 00:03:06.811: dot1x-sm(Fa0/1): Posting EAPOL_EAP for 0xB0000DBA
*Mar 8 00:03:06.811: dot1x_auth_bend Fa0/1: during state auth_bend_request, got event 6(eapolEap)
*Mar 8 00:03:06.811: @@@ dot1x_auth_bend Fa0/1: auth_bend_request -> auth_bend_response
*Mar 8 00:03:06.811: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_enter called
*Mar 8 00:03:06.811: dot1x-ev(Fa0/1): dot1x_sendRespToServer: Response sent to the server from 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:06.811: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_response_action called
*Mar 8 00:03:06.811: AAA/AUTHEN/8021X (000001C7): Pick method list 'default'
*Mar 8 00:03:06.819: RADIUS/ENCODE(000001C7):Orig. component type = DOT1X
*Mar 8 00:03:06.819: RADIUS(000001C7): Config NAS IP: 0.0.0.0
*Mar 8 00:03:06.819: RADIUS/ENCODE(000001C7): acct_session_id: 724
*Mar 8 00:03:06.819: RADIUS(000001C7): sending
*Mar 8 00:03:06.819: RADIUS/ENCODE: Best Local IP-Address 10.26.237.11 for Radius-Server 10.26.13.59
*Mar 8 00:03:06.819: RADIUS(000001C7): Send Access-Request to 10.26.13.59:1812 id 1645/83, len 251
*Mar 8 00:03:06.819: RADIUS: authenticator A1 79 FA E5 F4 B7 7F 4F - 2B 73 3A 0D 1F D8 89 20
*Mar 8 00:03:06.819: RADIUS: User-Name [1] 31 "host/D0902MALL005.IN.intranet"
*Mar 8 00:03:06.819: RADIUS: Service-Type [6] 6 Framed [2]
*Mar 8 00:03:06.819: RADIUS: Framed-MTU [12] 6 1500
*Mar 8 00:03:06.819: RADIUS: Called-Station-Id [30] 19 "D4-A0-2A-EE-14-81"
*Mar 8 00:03:06.819: RADIUS: Calling-Station-Id [31] 19 "D4-3D-7E-65-4F-C1"
*Mar 8 00:03:06.819: RADIUS: EAP-Message [79] 36
*Mar 8 00:03:06.819: RADIUS: 02 01 00 22 01 68 6F 73 74 2F 44 30 39 30 32 4D 41 4C 4C 30 ["host/D0902MALL0]
*Mar 8 00:03:06.819: RADIUS: 30 35 2E 49 4E 2E 69 6E 74 72 61 6E 65 74 [ 05.IN.intranet]
*Mar 8 00:03:06.819: RADIUS: Message-Authenticato[80] 18
*Mar 8 00:03:06.819: RADIUS: D6 6F 7B CD 36 46 5E F6 90 6F 85 A8 BD BD AE D8 [ o{6F^o]
*Mar 8 00:03:06.819: RADIUS: EAP-Key-Name [102] 2 *
*Mar 8 00:03:06.819: RADIUS: Vendor, Cisco [26] 49
*Mar 8 00:03:06.819: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A1AED0B000000EE240F5BAB"
*Mar 8 00:03:06.819: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Mar 8 00:03:06.819: RADIUS: NAS-Port [5] 6 50001
*Mar 8 00:03:06.819: RADIUS: NAS-Port-Id [87] 17 "FastEthernet0/1"
*Mar 8 00:03:06.819: RADIUS: NAS-IP-Address [4] 6 10.26.237.11
*Mar 8 00:03:06.819: RADIUS: Acct-Session-Id [44] 10 "000002D4"
*Mar 8 00:03:06.819: RADIUS(000001C7): Started 3 sec timeout
*Mar 8 00:03:06.861: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 8 00:03:06.903: RADIUS: Received from id 1645/83 10.26.13.59:1812, Access-Challenge, len 76
*Mar 8 00:03:06.903: RADIUS: authenticator 7B 1C DC CA A8 92 E9 34 - 17 86 25 2F 9D 7E 63 96
*Mar 8 00:03:06.903: RADIUS: EAP-Message [79] 8
*Mar 8 00:03:06.903: RADIUS: 01 02 00 06 0D 20 [ ]
*Mar 8 00:03:06.903: RADIUS: Message-Authenticato[80] 18
*Mar 8 00:03:06.903: RADIUS: DD F3 7B 33 37 6D 40 BD F3 D2 78 DF F1 14 4D E4 [ {37m@xM]
*Mar 8 00:03:06.903: RADIUS: State [24] 30
*Mar 8 00:03:06.903: RADIUS: 00 7D 00 9B 00 C1 00 40 ED B8 45 00 FC DD 50 2E DC 0E E6 03 FC 7B AD 4C B7 E7 B1 70 [ }@EP.{Lp]
*Mar 8 00:03:06.911: RADIUS(000001C7): Received from id 1645/83
*Mar 8 00:03:06.911: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
*Mar 8 00:03:06.911: dot1x-sm(Fa0/1): Posting EAP_REQ for 0xB0000DBA
*Mar 8 00:03:06.911: dot1x_auth_bend Fa0/1: during state auth_bend_response, got event 7(eapReq)
*Mar 8 00:03:06.911: @@@ dot1x_auth_bend Fa0/1: auth_bend_response -> auth_bend_request
*Mar 8 00:03:06.911: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_exit called
*Mar 8 00:03:06.911: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_enter called
*Mar 8 00:03:06.911: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:06.911: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:06.911: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 8 00:03:06.911: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:06.911: EAPOL pak dump Tx
*Mar 8 00:03:06.911: EAPOL Version: 0x3 type: 0x0 length: 0x0006
*Mar 8 00:03:06.911: EAP code: 0x1 id: 0x2 length: 0x0006 type: 0xD
*Mar 8 00:03:06.911: dot1x-packet(Fa0/1): EAPOL packet sent to client 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:06.911: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_request_action called
*Mar 8 00:03:06.920: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:06.920: dot1x-packet(Fa0/1): Queuing an EAPOL pkt on Authenticator Q
*Mar 8 00:03:06.920: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar 8 00:03:06.920: EAPOL pak dump rx
*Mar 8 00:03:06.920: EAPOL Version: 0x1 type: 0x0 length: 0x0069
*Mar 8 00:03:06.920: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/1 CODE= 2,TYPE= 13,LEN= 105
*Mar 8 00:03:06.920: dot1x-packet(Fa0/1): Received an EAPOL frame
*Mar 8 00:03:06.920: dot1x-ev(Fa0/1): Received pkt saddr =d43d.7e65.4fc1 , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.0069
*Mar 8 00:03:06.920: dot1x-packet(Fa0/1): Received an EAP packet
*Mar 8 00:03:06.920: EAPOL pak dump rx
*Mar 8 00:03:06.920: EAPOL Version: 0x1 type: 0x0 length: 0x0069
*Mar 8 00:03:06.920: dot1x-packet(Fa0/1): Received an EAP packet from d43d.7e65.4fc1
*Mar 8 00:03:06.920: dot1x-sm(Fa0/1): Posting EAPOL_EAP for 0xB0000DBA
*Mar 8 00:03:06.920: dot1x_auth_bend Fa0/1: during state auth_bend_request, got event 6(eapolEap)
*Mar 8 00:03:06.920: @@@ dot1x_auth_bend Fa0/1: auth_bend_request -> auth_bend_response
*Mar 8 00:03:06.920: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_enter called
*Mar 8 00:03:06.920: dot1x-ev(Fa0/1): dot1x_sendRespToServer: Response sent to the server from 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:06.920: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_response_action called
*Mar 8 00:03:06.920: AAA/AUTHEN/8021X (000001C7): Pick method list 'default'
*Mar 8 00:03:06.920: RADIUS/ENCODE(000001C7):Orig. component type = DOT1X
*Mar 8 00:03:06.920: RADIUS(000001C7): Config NAS IP: 0.0.0.0
*Mar 8 00:03:06.920: RADIUS/ENCODE(000001C7): acct_session_id: 724
*Mar 8 00:03:06.920: RADIUS(000001C7): sending
*Mar 8 00:03:06.920: RADIUS/ENCODE: Best Local IP-Address 10.26.237.11 for Radius-Server 10.26.13.59
*Mar 8 00:03:06.920: RADIUS(000001C7): Send Access-Request to 10.26.13.59:1812 id 1645/84, len 352
*Mar 8 00:03:06.920: RADIUS: authenticator 41 72 8D 6A B4 72 19 84 - 1B C8 33 F7 95 DD 07 BC
*Mar 8 00:03:06.928: RADIUS: User-Name [1] 31 "host/D0902MALL005.IN.intranet"
*Mar 8 00:03:06.928: RADIUS: Service-Type [6] 6 Framed [2]
*Mar 8 00:03:06.928: RADIUS: Framed-MTU [12] 6 1500
*Mar 8 00:03:06.928: RADIUS: Called-Station-Id [30] 19 "D4-A0-2A-EE-14-81"
*Mar 8 00:03:06.928: RADIUS: Calling-Station-Id [31] 19 "D4-3D-7E-65-4F-C1"
*Mar 8 00:03:06.928: RADIUS: EAP-Message [79] 107
*Mar 8 00:03:06.928: RADIUS: 02 02 00 69 0D 80 00 00 00 5F 16 03 01 00 5A 01 00 00 56 03 01 52 C5 45 4F 07 CA B3 29 50 A7 CE 40 76 B6 BD F0 50 D4 CE 9A 8A 02 C4 3D 40 35 B5 F0 E1 E2 75 [i_ZVREO)P@vP=@5u]
*Mar 8 00:03:06.928: RADIUS: 50 00 00 18 00 2F 00 35 00 05 00 0A C0 13 C0 14 C0 09 C0 0A 00 32 00 38 00 13 00 04 01 00 00 15 FF 01 00 01 00 00 0A 00 06 00 04 00 17 00 18 00 0B 00 02 01 00 [ P/528]
*Mar 8 00:03:06.928: RADIUS: Message-Authenticato[80] 18
*Mar 8 00:03:06.928: RADIUS: A3 28 CE 27 20 C0 D6 2C 11 01 D6 61 1F C3 6F 03 [ (' ,ao]
*Mar 8 00:03:06.928: RADIUS: EAP-Key-Name [102] 2 *
*Mar 8 00:03:06.928: RADIUS: Vendor, Cisco [26] 49
*Mar 8 00:03:06.928: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A1AED0B000000EE240F5BAB"
*Mar 8 00:03:06.928: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Mar 8 00:03:06.928: RADIUS: NAS-Port [5] 6 50001
*Mar 8 00:03:06.928: RADIUS: NAS-Port-Id [87] 17 "FastEthernet0/1"
*Mar 8 00:03:06.928: RADIUS: State [24] 30
*Mar 8 00:03:06.928: RADIUS: 00 7D 00 9B 00 C1 00 40 ED B8 45 00 FC DD 50 2E DC 0E E6 03 FC 7B AD 4C B7 E7 B1 70 [ }@EP.{Lp]
*Mar 8 00:03:06.928: RADIUS: NAS-IP-Address [4] 6 10.26.237.11
*Mar 8 00:03:06.928: RADIUS: Acct-Session-Id [44] 10 "000002D4"
*Mar 8 00:03:06.928: RADIUS(000001C7): Started 3 sec timeout
*Mar 8 00:03:07.004: RADIUS: Received from id 1645/84 10.26.13.59:1812, Access-Challenge, len 1188
*Mar 8 00:03:07.004: RADIUS: authenticator 7B 52 29 05 7E C3 EF 8E - 13 38 30 03 4B 65 64 0F
*Mar 8 00:03:07.004: RADIUS: EAP-Message [79] 255
*Mar 8 00:03:07.004: RADIUS: 01 03 04 56 0D C0 00 00 05 78 16 03 01 00 51 02 00 00 4D 03 01 52 C5 45 4F 0F 04 37 77 A0 C2 68 66 4E 45 92 AB 3D 7F 94 70 AF 36 [VxQMREO7whfNE=p6]
*Mar 8 00:03:07.004: RADIUS: 1D C5 17 23 5C F1 FA CA 60 B0 20 A5 48 16 D5 3F F9 B0 FF 38 1D D5 13 B3 88 13 06 EF DC 87 5C AE 17 E7 7E 80 84 21 58 64 F7 A6 36 00 35 00 00 05 FF 01 00 01 00 16 03 01 02 1C 0B 00 02 18 00 02 15 00 02 12 30 82 02 0E 30 [#\` H?8\~!Xd6500]
*Mar 8 00:03:07.004: RADIUS: 82 01 77 A0 03 02 01 02 02 09 00 88 7A CB 35 3F 1E 3E 62 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 30 2F 31 15 30 13 06 03 55 04 03 13 0C 53 50 [wz5?>b0*H0/10USP]
*Mar 8 00:03:07.004: RADIUS: 49 4E 41 56 44 30 30 30 30 34 31 16 30 14 06 03 55 04 0A 13 0D 50 6F 6C [INAVD0000410UPol]
*Mar 8 00:03:07.004: RADIUS: 69 63 79 4D 61 6E 61 67 65 72 30 1E 17 0D 31 33 30 38 32 [icyManager013082]
*Mar 8 00:03:07.004: RADIUS: 37 30 37 32 34 33 30 5A 17 0D 31 34 30 38 32 37 30 37 [7072430Z14082707]
*Mar 8 00:03:07.004: RADIUS: 32 34 33 30 5A 30 2F 31 15 30 13 06 03 55 04 03 13 0C 53 50 49 4E 41 56 [2430Z0/10USPINAV]
*Mar 8 00:03:07.004: RADIUS: 44 30 30 [ D00]
*Mar 8 00:03:07.004: RADIUS: EAP-Message [79] 255
*Mar 8 00:03:07.004: RADIUS: 30 30 34 31 16 30 14 06 03 55 04 0A 13 0D 50 6F 6C 69 63 79 4D 61 6E 61 [00410UPolicyMana]
*Mar 8 00:03:07.004: RADIUS: 67 65 72 30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 81 8D 00 30 81 89 02 81 81 00 C9 B9 03 65 83 EB 39 86 14 BC 95 7B DB 07 7E C5 8A D7 DA C7 8A CA 5A 88 6E 0B 93 06 35 57 [ger00*H0e9{~Zn5W]
*Mar 8 00:03:07.012: RADIUS: 6E DE 93 CD C9 FE 8E 9F E1 5F A9 04 5C BD A9 AD 5A 04 6E 35 47 76 A1 58 E5 C4 32 D7 49 9E 17 75 20 C6 6F 45 40 [n_\Zn5GvX2Iu oE@]
*Mar 8 00:03:07.012: RADIUS: AC EF 40 6D 15 38 F9 C2 28 7E C9 68 37 52 3B BF F4 C1 5E B8 BA 46 68 43 79 B1 65 66 [@m8(~h7R;^FhCyef]
*Mar 8 00:03:07.012: RADIUS: 9E 58 ED EC 8C 95 A2 D8 BF AA 77 AC 85 90 E3 AB C6 27 3A A2 22 AC 1C 48 B3 BF BE F7 85 CF 5C BB 2D 02 03 01 00 01 A3 32 30 30 30 0F 06 03 55 1D 11 04 08 30 06 87 04 0A 1A 0D 3B 30 [Xw':"H\-2000U0;0]
*Mar 8 00:03:07.012: RADIUS: 1D 06 03 55 1D 25 04 16 30 14 06 08 2B 06 01 05 05 07 03 01 06 08 2B 06 01 05 05 07 03 03 30 0D 06 09 2A 86 48 86 F7 0D 01 01 [ U?0++0*H]
*Mar 8 00:03:07.012: RADIUS: EAP-Message [79] 255
*Mar 8 00:03:07.012: RADIUS: 05 05 00 03 81 81 00 C4 46 3E 38 3D 53 0F 28 34 C1 A6 ED DC 70 76 9B 70 6B A8 95 7C 44 8E 7D 6E D6 8B 6D [F>8=S(4pvpk|D}nm]
*Mar 8 00:03:07.012: RADIUS: 90 49 83 06 E4 BF 68 2F 9D 77 78 A3 76 76 19 84 AD 26 3F F3 ED AA 88 52 35 0E 35 DD 00 E5 96 88 44 30 79 A0 71 [Ih/wxvv&?R55D0yq]
*Mar 8 00:03:07.012: RADIUS: 8D 25 3E 77 A0 E0 43 92 33 55 40 E1 C8 EE 88 11 25 E2 70 28 11 6C 5A 4E 3D F1 93 57 0A 6F [?>wC3U@?p(lZN=Wo]
*Mar 8 00:03:07.012: RADIUS: 36 51 72 04 08 C0 C0 DF F0 94 A9 F7 A1 05 C8 37 D6 F8 D4 9C 20 1A 7B CD 2C 17 83 7B 8E 20 F7 2D B6 16 03 01 02 FC 0D 00 02 F4 03 01 02 40 02 EE 00 63 30 61 31 0B 30 [6Qr7 {,{ -@c0a10]
*Mar 8 00:03:07.012: RADIUS: 09 06 03 55 04 06 13 02 55 53 31 15 30 13 06 03 55 04 0A 13 0C 44 69 67 69 43 65 72 74 20 49 [UUS10UDigiCert I]
*Mar 8 00:03:07.012: RADIUS: 6E 63 31 19 30 17 06 03 55 04 0B 13 10 77 77 77 2E 64 69 67 69 63 65 72 [nc10Uwww.digicer]
*Mar 8 00:03:07.012: RADIUS: 74 2E 63 6F 6D 31 20 30 1E 06 03 55 04 03 13 17 44 69 67 69 43 65 72 [t.com1 0UDigiCer]
*Mar 8 00:03:07.012: RADIUS: 74 20 47 6C 6F 62 61 6C 20 52 6F 6F 74 20 43 41 [t Global Root CA]
*Mar 8 00:03:07.012: RADIUS: 00 48 [ H]
*Mar 8 00:03:07.012: RADIUS: EAP-Message [79] 255
*Mar 8 00:03:07.012: RADIUS: 30 46 31 18 30 16 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 08 69 6E 74 72 61 6E 65 74 31 [0F10&,dintranet1]
*Mar 8 00:03:07.020: RADIUS: 12 30 10 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 02 49 4E 31 16 30 14 06 03 55 04 03 13 0D 49 6E 64 69 61 20 52 [0&,dIN10UIndia R]
*Mar 8 00:03:07.020: RADIUS: 6F 6F 74 20 43 41 00 4A 30 48 31 18 30 16 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 08 69 6E [oot CAJ0H10&,din]
*Mar 8 00:03:07.020: RADIUS: 74 72 61 6E 65 74 31 12 30 10 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 02 49 4E 31 18 30 16 06 03 55 [tranet10&,dIN10U]
*Mar 8 00:03:07.020: RADIUS: 04 03 13 0F 45 6E 74 65 72 70 72 69 73 65 20 43 41 2D 31 00 4D [Enterprise CA-1M]
*Mar 8 00:03:07.020: RADIUS: 30 4B 31 18 30 16 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 08 69 6E 74 72 61 6E 65 74 31 [0K10&,dintranet1]
*Mar 8 00:03:07.020: RADIUS: 12 30 10 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 02 49 4E 31 1B 30 19 06 03 55 04 03 13 12 49 4E 2D 53 50 49 4E [0&,dIN10UIN-SPIN]
*Mar 8 00:03:07.020: RADIUS: 43 52 54 30 30 30 30 33 2D 43 41 00 D5 30 81 D2 31 0B 30 09 06 03 55 04 06 13 02 55 [CRT00003-CA010UU]
*Mar 8 00:03:07.020: RADIUS: 53 31 13 30 11 06 03 55 04 [ S10U]
*Mar 8 00:03:07.020: RADIUS: EAP-Message [79] 100
*Mar 8 00:03:07.020: RADIUS: 08 0C 0A 43 61 6C 69 66 6F 72 6E 69 61 31 12 30 10 06 03 55 04 07 0C 09 53 75 6E [California10USun]
*Mar 8 00:03:07.020: RADIUS: 6E 79 76 61 6C 65 31 17 30 15 06 03 55 04 0A 0C 0E 41 72 75 62 61 20 4E [nyvale10UAruba N]
*Mar 8 00:03:07.020: RADIUS: 65 74 77 6F 72 6B 73 31 40 30 3E 06 03 55 04 03 0C 37 43 6C 65 [etworks1@0>U7Cle]
*Mar 8 00:03:07.020: RADIUS: 61 72 50 61 73 73 20 4F 6E 62 6F 61 72 64 20 4C [arPass Onboard L]
*Mar 8 00:03:07.020: RADIUS: 6F 63 61 6C 20 43 65 72 74 69 [ ocal Certi]
*Mar 8 00:03:07.020: RADIUS: Message-Authenticato[80] 18
*Mar 8 00:03:07.020: RADIUS: 12 75 40 41 6F 40 6B 6F A5 FE AB 85 F3 B3 CF A4 [ u@Ao@ko]
*Mar 8 00:03:07.020: RADIUS: State [24] 30
*Mar 8 00:03:07.020: RADIUS: 00 6F 00 51 00 4B 00 6E EE B8 45 00 4B AA 6B A9 B6 D6 C8 CC 48 1A 91 99 7F 77 D3 C1 [ oQKnEKkHw]
*Mar 8 00:03:07.029: RADIUS(000001C7): Received from id 1645/84
*Mar 8 00:03:07.029: RADIUS/DECODE: EAP-Message fragments, 253+253+253+253+98, total 1110 bytes
*Mar 8 00:03:07.037: dot1x-sm(Fa0/1): Posting EAP_REQ for 0xB0000DBA
*Mar 8 00:03:07.037: dot1x_auth_bend Fa0/1: during state auth_bend_response, got event 7(eapReq)
*Mar 8 00:03:07.037: @@@ dot1x_auth_bend Fa0/1: auth_bend_response -> auth_bend_request
*Mar 8 00:03:07.037: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_exit called
*Mar 8 00:03:07.037: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_enter called
*Mar 8 00:03:07.037: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:07.037: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:07.037: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 8 00:03:07.037: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:07.037: EAPOL pak dump Tx
*Mar 8 00:03:07.037: EAPOL Version: 0x3 type: 0x0 length: 0x0456
*Mar 8 00:03:07.037: EAP code: 0x1 id: 0x3 length: 0x0456 type: 0xD
*Mar 8 00:03:07.037: dot1x-packet(Fa0/1): EAPOL packet sent to client 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:07.037: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_request_action called
*Mar 8 00:03:07.037: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:07.037: dot1x-packet(Fa0/1): Queuing an EAPOL pkt on Authenticator Q
*Mar 8 00:03:07.037: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar 8 00:03:07.037: EAPOL pak dump rx
*Mar 8 00:03:07.037: EAPOL Version: 0x1 type: 0x0 length: 0x0006
*Mar 8 00:03:07.037: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/1 CODE= 2,TYPE= 13,LEN= 6
*Mar 8 00:03:07.037: dot1x-packet(Fa0/1): Received an EAPOL frame
*Mar 8 00:03:07.037: dot1x-ev(Fa0/1): Received pkt saddr =d43d.7e65.4fc1 , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.0006
*Mar 8 00:03:07.037: dot1x-packet(Fa0/1): Received an EAP packet
*Mar 8 00:03:07.037: EAPOL pak dump rx
*Mar 8 00:03:07.037: EAPOL Version: 0x1 type: 0x0 length: 0x0006
*Mar 8 00:03:07.037: dot1x-packet(Fa0/1): Received an EAP packet from d43d.7e65.4fc1
*Mar 8 00:03:07.037: dot1x-sm(Fa0/1): Posting EAPOL_EAP for 0xB0000DBA
*Mar 8 00:03:07.037: dot1x_auth_bend Fa0/1: during state auth_bend_request, got event 6(eapolEap)
*Mar 8 00:03:07.037: @@@ dot1x_auth_bend Fa0/1: auth_bend_request -> auth_bend_response
*Mar 8 00:03:07.037: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_enter called
*Mar 8 00:03:07.037: dot1x-ev(Fa0/1): dot1x_sendRespToServer: Response sent to the server from 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:07.037: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_response_action called
*Mar 8 00:03:07.037: AAA/AUTHEN/8021X (000001C7): Pick method list 'default'
*Mar 8 00:03:07.046: RADIUS/ENCODE(000001C7):Orig. component type = DOT1X
*Mar 8 00:03:07.046: RADIUS(000001C7): Config NAS IP: 0.0.0.0
*Mar 8 00:03:07.046: RADIUS/ENCODE(000001C7): acct_session_id: 724
*Mar 8 00:03:07.046: RADIUS(000001C7): sending
*Mar 8 00:03:07.046: RADIUS/ENCODE: Best Local IP-Address 10.26.237.11 for Radius-Server 10.26.13.59
*Mar 8 00:03:07.046: RADIUS(000001C7): Send Access-Request to 10.26.13.59:1812 id 1645/85, len 253
*Mar 8 00:03:07.046: RADIUS: authenticator 1C D7 6D 40 A3 D6 BA B1 - A7 E6 70 DA 32 83 2E 19
*Mar 8 00:03:07.046: RADIUS: User-Name [1] 31 "host/D0902MALL005.IN.intranet"
*Mar 8 00:03:07.046: RADIUS: Service-Type [6] 6 Framed [2]
*Mar 8 00:03:07.046: RADIUS: Framed-MTU [12] 6 1500
*Mar 8 00:03:07.046: RADIUS: Called-Station-Id [30] 19 "D4-A0-2A-EE-14-81"
*Mar 8 00:03:07.046: RADIUS: Calling-Station-Id [31] 19 "D4-3D-7E-65-4F-C1"
*Mar 8 00:03:07.046: RADIUS: EAP-Message [79] 8
*Mar 8 00:03:07.046: RADIUS: 02 03 00 06 0D 00
*Mar 8 00:03:07.046: RADIUS: Message-Authenticato[80] 18
*Mar 8 00:03:07.046: RADIUS: 73 1D 89 5C 66 19 32 B6 63 C2 64 C1 04 42 A9 F9 [ s\f2cdB]
*Mar 8 00:03:07.046: RADIUS: EAP-Key-Name [102] 2 *
*Mar 8 00:03:07.046: RADIUS: Vendor, Cisco [26] 49
*Mar 8 00:03:07.046: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A1AED0B000000EE240F5BAB"
*Mar 8 00:03:07.046: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Mar 8 00:03:07.046: RADIUS: NAS-Port [5] 6 50001
*Mar 8 00:03:07.046: RADIUS: NAS-Port-Id [87] 17 "FastEthernet0/1"
*Mar 8 00:03:07.046: RADIUS: State [24] 30
*Mar 8 00:03:07.046: RADIUS: 00 6F 00 51 00 4B 00 6E EE B8 45 00 4B AA 6B A9 B6 D6 C8 CC 48 1A 91 99 7F 77 D3 C1 [ oQKnEKkHw]
*Mar 8 00:03:07.046: RADIUS: NAS-IP-Address [4] 6 10.26.237.11
*Mar 8 00:03:07.046: RADIUS: Acct-Session-Id [44] 10 "000002D4"
*Mar 8 00:03:07.046: RADIUS(000001C7): Started 3 sec timeout
*Mar 8 00:03:07.113: RADIUS: Received from id 1645/85 10.26.13.59:1812, Access-Challenge, len 378
*Mar 8 00:03:07.113: RADIUS: authenticator 1A 85 26 09 58 84 BC D4 - E0 A9 E3 C0 25 31 2D 31
*Mar 8 00:03:07.113: RADIUS: EAP-Message [79] 255
*Mar 8 00:03:07.121: RADIUS: 01 04 01 32 0D 00 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 [2ficate Authorit]
*Mar 8 00:03:07.121: RADIUS: 79 20 28 53 69 67 6E 69 6E 67 29 31 3F 30 3D 06 09 2A [y (Signing)1?0=*]
*Mar 8 00:03:07.121: RADIUS: 86 48 86 F7 0D 01 09 01 16 30 64 36 62 62 34 66 37 30 2D 66 34 31 32 2D [H0d6bb4f70-f412-]
*Mar 8 00:03:07.121: RADIUS: 34 35 35 32 2D 61 65 65 32 2D 63 37 61 30 32 36 [4552-aee2-c7a026]
*Mar 8 00:03:07.121: RADIUS: 66 62 61 32 31 38 40 65 78 61 6D 70 6C 65 2E 63 [[email protected]]
*Mar 8 00:03:07.121: RADIUS: 6F 6D 00 CB 30 81 C8 31 0B 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 0C 0A 43 61 6C 69 66 [om010UUS10UCalif]
*Mar 8 00:03:07.121: RADIUS: 6F 72 6E 69 61 31 12 30 10 06 03 55 04 07 0C 09 53 75 6E 6E 79 76 61 6C [ornia10USunnyval]
*Mar 8 00:03:07.121: RADIUS: 65 31 17 30 15 06 03 55 04 0A 0C 0E 41 72 75 62 61 20 4E 65 74 77 6F 72 [e10UAruba Networ]
*Mar 8 00:03:07.121: RADIUS: 6B 73 31 36 30 34 06 03 55 04 03 0C 2D 43 6C 65 61 72 50 61 73 [ks1604U-ClearPas]
*Mar 8 00:03:07.121: RADIUS: 73 20 4F 6E 62 6F 61 72 64 20 4C 6F 63 61 6C 20 [s Onboard Local ]
*Mar 8 00:03:07.121: RADIUS: 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 [Certificate Auth]
*Mar 8 00:03:07.121: RADIUS: 6F 72 69 74 79 31 3F 30 3D 06 09 2A 86 48 86 F7 0D 01 09 01 16 [ ority1?0=*H]
*Mar 8 00:03:07.121: RADIUS: EAP-Message [79] 55
*Mar 8 00:03:07.121: RADIUS: 30 64 36 62 62 34 66 37 30 2D 66 34 31 32 2D 34 [0d6bb4f70-f412-4]
*Mar 8 00:03:07.121: RADIUS: 35 35 32 2D 61 65 65 32 2D 63 37 61 30 32 36 66 [552-aee2-c7a026f]
*Mar 8 00:03:07.121: RADIUS: 62 61 32 31 38 40 65 78 61 6D 70 6C 65 2E 63 6F [[email protected]]
*Mar 8 00:03:07.121: RADIUS: 6D 0E 00 00 00 [ m]
*Mar 8 00:03:07.121: RADIUS: Message-Authenticato[80] 18
*Mar 8 00:03:07.121: RADIUS: 4C 46 AA B9 A5 D5 DF EA DB E7 2B 7B 51 7E 58 3F [ LF+{Q~X?]
*Mar 8 00:03:07.121: RADIUS: State [24] 30
*Mar 8 00:03:07.121: RADIUS: 00 EF 00 B9 00 0A 00 00 EF B8 45 00 EF D2 C4 3C 81 6C 72 0E 23 FE 11 EA 12 17 50 A1 [ E
*Mar 8 00:03:07.121: RADIUS(000001C7): Received from id 1645/85
*Mar 8 00:03:07.121: RADIUS/DECODE: EAP-Message fragments, 253+53, total 306 bytes
*Mar 8 00:03:07.130: dot1x-sm(Fa0/1): Posting EAP_REQ for 0xB0000DBA
*Mar 8 00:03:07.130: dot1x_auth_bend Fa0/1: during state auth_bend_response, got event 7(eapReq)
*Mar 8 00:03:07.130: @@@ dot1x_auth_bend Fa0/1: auth_bend_response -> auth_bend_request
*Mar 8 00:03:07.130: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_exit called
*Mar 8 00:03:07.130: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_enter called
*Mar 8 00:03:07.130: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:07.130: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:07.130: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 8 00:03:07.130: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:07.130: EAPOL pak dump Tx
*Mar 8 00:03:07.130: EAPOL Version: 0x3 type: 0x0 length: 0x0132
*Mar 8 00:03:07.130: EAP code: 0x1 id: 0x4 length: 0x0132 type: 0xD
*Mar 8 00:03:07.130: dot1x-packet(Fa0/1): EAPOL packet sent to client 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:07.130: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_request_action called
*Mar 8 00:03:07.138: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:07.138: dot1x-packet(Fa0/1): Queuing an EAPOL pkt on Authenticator Q
*Mar 8 00:03:07.138: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar 8 00:03:07.138: EAPOL pak dump rx
*Mar 8 00:03:07.138: EAPOL Version: 0x1 type: 0x0 length: 0x05D4
*Mar 8 00:03:07.138: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/1 CODE= 2,TYPE= 13,LEN= 1492
*Mar 8 00:03:07.138: dot1x-packet(Fa0/1): Received an EAPOL frame
*Mar 8 00:03:07.138: dot1x-ev(Fa0/1):
^Z
Malleswaram_2960#
*Mar 8 00:03:07.180: RADIUS: State [24] 30
*Mar 8 00:03:07.180: RADIUS: 00 EF 00 B9 00 0A 00 00 EF B8 45 00 EF D2 C4 3C 81 6C 72 0E 23 FE 11 EA 12 17 50 A1 [ E
*Mar 8 00:03:07.180: RADIUS: NAS-IP-Address [4] 6 10.26.237.11
*Mar 8 00:03:07.180: RADIUS: Acct-Session-Id [44] 10 "000002D4"
*Mar 8 00:03:07.180: RADIUS(000001C7): Started 3 sec timeout
Malleswaram_2960#
*Mar 8 00:03:07.893: %SYS-5-CONFIG_I: Configured from console by jameela on vty0 (10.26.20.5)
Malleswaram_2960#
*Mar 8 00:03:10.225: RADIUS(000001C7): Request timed out
*Mar 8 00:03:10.225: RADIUS: Retransmit to (10.26.13.59:1812,1813) for id 1645/86
*Mar 8 00:03:10.225: RADIUS(000001C7): Started 3 sec timeout
Malleswaram_2960#
*Mar 8 00:03:13.354: RADIUS(000001C7): Request timed out
*Mar 8 00:03:13.354: RADIUS: Retransmit to (10.26.13.59:1812,1813) for id 1645/86
*Mar 8 00:03:13.354: RADIUS(000001C7): Started 3 sec timeout
Malleswaram_2960#
*Mar 8 00:03:16.307: RADIUS(000001C7): Request timed out
*Mar 8 00:03:16.307: RADIUS: Retransmit to (10.26.13.59:1812,1813) for id 1645/86
*Mar 8 00:03:16.307: RADIUS(000001C7): Started 3 sec timeout
Malleswaram_2960#
*Mar 8 00:03:19.369: RADIUS(000001C7): Request timed out
*Mar 8 00:03:19.369: RADIUS: Retransmit to (10.26.13.59:1812,1813) for id 1645/86
*Mar 8 00:03:19.369: RADIUS(000001C7): Started 3 sec timeout
Malleswaram_2960#
*Mar 8 00:03:22.456: RADIUS(000001C7): Request timed out
*Mar 8 00:03:22.456: RADIUS: Fail-over denied to (10.26.13.59:1812,1813) for id 1645/86
*Mar 8 00:03:22.456: RADIUS: No response from (10.26.13.59:1812,1813) for id 1645/86
*Mar 8 00:03:22.456: RADIUS/DECODE: parse response no app start; FAIL
*Mar 8 00:03:22.456: RADIUS/DECODE: parse response; FAIL
*Mar 8 00:03:22.456: dot1x-ev(Fa0/1): Received an EAP Fail
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): Posting EAP_FAIL for 0xB0000DBA
*Mar 8 00:03:22.456: dot1x_auth_bend Fa0/1: during state auth_bend_response, got event 10(eapFail)
*Mar 8 00:03:22.456: @@@ dot1x_auth_bend Fa0/1: auth_bend_response -> auth_bend_fail
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_exit called
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_fail_enter called
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_fail_action called
*Mar 8 00:03:22.456: dot1x_auth_bend Fa0/1: idle during state auth_bend_fail
*Mar 8 00:03:22.456: @@@ dot1x_auth_bend Fa0/1: auth_bend_fail -> auth_bend_idle
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_idle_enter called
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): Posting AUTH_FAIL on Client 0xB0000DBA
*Mar 8 00:03:22.456: dot1x_auth Fa0/1: during state auth_authenticating, got event 15(authFail)
*Mar 8 00:03:22.456: @@@ dot1x_auth Fa0/1: auth_authenticating -> auth_authc_result
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): 0xB0000DBA:auth_authenticating_exit called
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): 0xB0000DBA:auth_authc_result_enter called
*Mar 8 00:03:22.456: %DOT1X-5-FAIL: Authentication failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID
*Mar 8 00:03:22.456: dot1x-ev(Fa0/1): Sending event (2) to Auth Mgr for d43d.7e65.4fc1
*Mar 8 00:03:22.456: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EE240F5BAB
*Mar 8 00:03:22.456: %AUTHMGR-5-FAIL: Authorization failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EE240F5BAB
*Mar 8 00:03:22.456: dot1x-redundancy: State for client d43d.7e65.4fc1 successfully retrieved
*Mar 8 00:03:22.456: dot1x-ev(Fa0/1): Received Authz fail for the client 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): Posting_AUTHZ_FAIL on Client 0xB0000DBA
*Mar 8 00:03:22.456: dot1x_auth Fa0/1: during state auth_authc_result, got event 22(authzFail)
*Mar 8 00:03:22.456: @@@ dot1x_auth Fa0/1: auth_authc_result -> auth_held
*Mar 8 00:03:22.456: dot1x-sm(Fa0/1): 0xB0000DBA:auth_held_enter called
*Mar 8 00:03:22.464: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:22.464: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:22.464: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 8 00:03:22.464: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:22.464: EAPOL pak dump Tx
*Mar 8 00:03:22.464: EAPOL Version: 0x3 type: 0x0 length: 0x0004
*Mar 8 00:03:22.464: EAP code: 0x4 id: 0x4 length: 0x0004
*Mar 8 00:03:22.464: dot1x-packet(Fa0/1): EAPOL packet sent to client 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): Posting FAILOVER_RETRY on Client 0xB0000DBA
*Mar 8 00:03:22.464: dot1x_auth Fa0/1: during state auth_held, got event 21(failover_retry)
*Mar 8 00:03:22.464: @@@ dot1x_auth Fa0/1: auth_held -> auth_restart
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): 0xB0000DBA:auth_held_exit called
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): 0xB0000DBA:auth_restart_enter called
*Mar 8 00:03:22.464: dot1x-ev(Fa0/1): Sending create new context event to EAP for 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): 0xB0000DBA:auth_held_restart_action called
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): Posting !EAP_RESTART on Client 0xB0000DBA
*Mar 8 00:03:22.464: dot1x_auth Fa0/1: during state auth_restart, got event 6(no_eapRestart)
*Mar 8 00:03:22.464: @@@ dot1x_auth Fa0/1: auth_restart -> auth_connecting
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): 0xB0000DBA:auth_connecting_enter called
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): 0xB0000DBA:auth_restart_connecting_action called
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): Posting REAUTH_MAX on Client 0xB0000DBA
*Mar 8 00:03:22.464: dot1x_auth Fa0/1: during state auth_connecting, got event 11(reAuthMax)
*Mar 8 00:03:22.464: @@@ dot1x_auth Fa0/1: auth_connecting -> auth_disconnected
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): 0xB0000DBA:auth_disconnected_enter called
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): d43d.7e65.4fc1:auth_disconnected_enter sending canned failure to version 1 supplicant
*Mar 8 00:03:22.464: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:22.464: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:22.464: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 8 00:03:22.464: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:22.464: EAPOL pak dump Tx
*Mar 8 00:03:22.464: EAPOL Version: 0x3 type: 0x0 length: 0x0004
*Mar 8 00:03:22.464: EAP code: 0x4 id: 0x5 length: 0x0004
*Mar 8 00:03:22.464: dot1x-packet(Fa0/1): dot1x_auth_txCannedStatus: EAPOL packet sent to client 0xB0000DBA (d43d.7e65.4fc1)
*Mar 8 00:03:22.464: dot1x-sm(Fa0/1): 0xB0000DBA:auth_connecting_disconnected_reAuthMax_action called
*Mar 8 00:03:22.464: dot1x_auth Fa0/1: idle during state auth_disconnected
*Mar 8 00:03:22.464: @@@ dot1x_auth Fa0/1: auth_disconnected -> auth_restart
*Mar 8 00:03:22.464: dot1x-ev(Fa0/1): Sending event (1) to Auth Mgr for d43d.7e65.4fc1
*Mar 8 00:03:22.464: dot1x-ev:Delete auth client (0xB0000DBA) message
*Mar 8 00:03:22.464: dot1x-ev:Auth client ctx destroyed
*Mar 8 00:03:22.674: AAA/BIND(000001C8): Bind i/f
*Mar 8 00:03:22.674: dot1x_auth Fa0/1: initial state auth_initialize has enter
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_initialize_enter called
*Mar 8 00:03:22.674: dot1x_auth Fa0/1: during state auth_initialize, got event 0(cfg_auto)
*Mar 8 00:03:22.674: @@@ dot1x_auth Fa0/1: auth_initialize -> auth_disconnected
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_disconnected_enter called
*Mar 8 00:03:22.674: dot1x_auth Fa0/1: idle during state auth_disconnected
*Mar 8 00:03:22.674: @@@ dot1x_auth Fa0/1: auth_disconnected -> auth_restart
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_restart_enter called
*Mar 8 00:03:22.674: dot1x-ev(Fa0/1): Sending create new context event to EAP for 0x4A000DBB (0000.0000.0000)
*Mar 8 00:03:22.674: dot1x_auth_bend Fa0/1: initial state auth_bend_initialize has enter
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_initialize_enter called
*Mar 8 00:03:22.674: dot1x_auth_bend Fa0/1: initial state auth_bend_initialize has idle
*Mar 8 00:03:22.674: dot1x_auth_bend Fa0/1: during state auth_bend_initialize, got event 16383(idle)
*Mar 8 00:03:22.674: @@@ dot1x_auth_bend Fa0/1: auth_bend_initialize -> auth_bend_idle
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_idle_enter called
*Mar 8 00:03:22.674: dot1x-ev(Fa0/1): Created a client entry (0x4A000DBB)
*Mar 8 00:03:22.674: dot1x-ev(Fa0/1): Dot1x authentication started for 0x4A000DBB (0000.0000.0000)
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): Posting !EAP_RESTART on Client 0x4A000DBB
*Mar 8 00:03:22.674: dot1x_auth Fa0/1: during state auth_restart, got event 6(no_eapRestart)
*Mar 8 00:03:22.674: @@@ dot1x_auth Fa0/1: auth_restart -> auth_connecting
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_connecting_enter called
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_restart_connecting_action called
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): Posting RX_REQ on Client 0x4A000DBB
*Mar 8 00:03:22.674: dot1x_auth Fa0/1: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
*Mar 8 00:03:22.674: @@@ dot1x_auth Fa0/1: auth_connecting -> auth_authenticating
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_authenticating_enter called
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_connecting_authenticating_action called
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): Posting AUTH_START for 0x4A000DBB
*Mar 8 00:03:22.674: dot1x_auth_bend Fa0/1: during state auth_bend_idle, got event 4(eapReq_authStart)
*Mar 8 00:03:22.674: @@@ dot1x_auth_bend Fa0/1: auth_bend_idle -> auth_bend_request
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_request_enter called
*Mar 8 00:03:22.674: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:22.674: dot1x-ev(Fa0/1): Role determination not required
Malleswaram_2960#
*Mar 8 00:03:22.674: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 8 00:03:22.674: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:22.674: EAPOL pak dump Tx
*Mar 8 00:03:22.674: EAPOL Version: 0x3 type: 0x0 length: 0x0005
*Mar 8 00:03:22.674: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
*Mar 8 00:03:22.674: dot1x-packet(Fa0/1): EAPOL packet sent to client 0x4A000DBB (0000.0000.0000)
*Mar 8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_idle_request_action called
*Mar 8 00:03:22.791: dot1x-ev(Fa0/1): New client notification from AuthMgr for 0x4A000DBB - d43d.7e65.4fc1
*Mar 8 00:03:22.791: %AUTHMGR-5-START: Starting 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
Malleswaram_2960#
*Mar 8 00:03:25.761: dot1x-sm(Fa0/1): Posting EAP_REQ for 0x4A000DBB
*Mar 8 00:03:25.761: dot1x_auth_bend Fa0/1: during state auth_bend_request, got event 7(eapReq)
*Mar 8 00:03:25.761: @@@ dot1x_auth_bend Fa0/1: auth_bend_request -> auth_bend_request
*Mar 8 00:03:25.761: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_request_request_action called
*Mar 8 00:03:25.761: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_request_enter called
*Mar 8 00:03:25.761: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:25.761: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:25.761: dot1x-registry:registry:dot1x_ether_macaddr called
Malleswaram_2960#n
*Mar 8 00:03:25.761: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:25.761: EAPOL pak dump Tx
*Mar 8 00:03:25.761: EAPOL Version: 0x3 type: 0x0 length: 0x0005
*Mar 8 00:03:25.761: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
*Mar 8 00:03:25.761: dot1x-packet(Fa0/1): EAPOL packet sent to client 0x4A000DBB (d43d.7e65.4fc1)
Malleswaram_2960#no debu
Malleswaram_2960#no debug
*Mar 8 00:03:28.848: dot1x-sm(Fa0/1): Posting EAP_REQ for 0x4A000DBB
*Mar 8 00:03:28.848: dot1x_auth_bend Fa0/1: during state auth_bend_request, got event 7(eapReq)
*Mar 8 00:03:28.848: @@@ dot1x_auth_bend Fa0/1: auth_bend_request -> auth_bend_request
*Mar 8 00:03:28.848: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_request_request_action called
*Mar 8 00:03:28.848: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_request_enter called
*Mar 8 00:03:28.848: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
*Mar 8 00:03:28.848: dot1x-ev(Fa0/1): Role determination not required
*Mar 8 00:03:28.848: dot1x-registry:registry:dot1x_ether_macaddr called
Malleswaram_2960#no debug all
*Mar 8 00:03:28.848: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 8 00:03:28.848: EAPOL pak dump Tx
*Mar 8 00:03:28.848: EAPOL Version: 0x3 type: 0x0 length: 0x0005
*Mar 8 00:03:28.848: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
*Mar 8 00:03:28.848: dot1x-packet(Fa0/1): EAPOL packet sent to client 0x4A000DBB (d43d.7e65.4fc1)
Malleswaram_2960#no debug all
All possible debugging has been turned off
Malleswaram_2960#
*Mar 8 00:03:31.180: AAA: parse name=tty1 idb type=-1 tty=-1
*Mar 8 00:03:31.180: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
*Mar 8 00:03:31.180: AAA/MEMORY: create_user (0x21D1684) user='jameela' ruser='Malleswaram_2960' ds0=0 port='tty1' rem_addr='10.26.20.5' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0) key=C9A1F1D1
*Mar 8 00:03:31.389: TAC+: (-1901802859): received author response status = PASS_ADD
*Mar 8 00:03:31.389: AAA/MEMORY: free_user (0x21D1684) user='jameela' ruser='Malleswaram_2960' port='tty1' rem_addr='10.26.20.5' authen_type=ASCII service=NONE priv=15
*Mar 8 00:03:31.935: %DOT1X-5-FAIL: Authentication failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID
*Mar 8 00:03:31.935: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
*Mar 8 00:03:31.935: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
*Mar 8 00:03:31.935: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
Malleswaram_2960#
*Mar 8 00:03:31.935: %AUTHMGR-5-FAIL: Authorization failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
Malleswaram_2960#no deb
Malleswaram_2960#no debug al
Malleswaram_2960#no debug all
All possible debugging has been turned off
Malleswaram_2960#
*Mar 8 00:04:32.677: %AUTHMGR-5-START: Starting 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
Malleswaram_2960#
*Mar 8 00:04:41.938: %DOT1X-5-FAIL: Authentication failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID
*Mar 8 00:04:41.938: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
*Mar 8 00:04:41.938: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
*Mar 8 00:04:41.938: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
Malleswaram_2960#
*Mar 8 00:04:41.938: %AUTHMGR-5-FAIL: Authorization failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
Malleswaram_2960#
*Mar 8 00:05:42.654: %AUTHMGR-5-START: Starting 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
Malleswaram_2960#
*Mar 8 00:05:51.915: %DOT1X-5-FAIL: Authentication failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID
*Mar 8 00:05:51.915: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
*Mar 8 00:05:51.915: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
*Mar 8 00:05:51.915: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
Malleswaram_2960#
*Mar 8 00:05:51.915: %AUTHMGR-5-FAIL: Authorization failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
Pls dont worry about day and time. -
with acs 4.2 installed in my network, PEAP, EAP-TLS, md5... authentications work normally. But Mac-Based-Authentication doesnt work at all. i tested every thing but no luck .
This is what i have setup on Swith for MAB:
aaa new-model
aaa authentication login default none
aaa authentication dot1x default group radius
radius-server host 192.168.2.16 auth-port 1645 acct-port 1646 key cisco
dot1x system-auth-control
interface FastEthernet0/1
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x mac-auth-bypass
On ACS server, i created Netword-Profile for MAB, i added those Agentless hosts mac-adds, Even i created User-Name&password by those Agentless hosts mac-adds on acs, ..... still nothing seems to be working. i have selected ACS_Internal-Database for mac authentication.
On ACS while i check the Failed-attempt log, nothing is logged there. i dont know where is the issue.
Please tell me where im wrong on my config?Hello Inayat,
Yes you were right. i changed the auth-timeouts, and it is authenticating MAB-clients very fast.
Thank you for your support
I need a user-guide on how to Setup Authentication for Wireless users, we have agentfull and agentless wireless-hosts (having Iphones...). so the authentication methods will be md5, eap-tls and mab.
I will use (LinkSys-Wireless Router) as the authenticator for wireless-hosts ?
I need a user-guide for how to setup the wireless-hosts( supplicants) and how to setup Link-Sys and the Cisco-Switch in the middle. if you have any link, plz refer me -
with acs 4.2 installed in my network, PEAP, EAP-TLS, md5... authentications work normally. But Mac-Based-Authentication doesnt work at all. i tested every thing but no luck .
This is what i have setup on Swith for MAB:
aaa new-model
aaa authentication login default none
aaa authentication dot1x default group radius
radius-server host 192.168.2.16 auth-port 1645 acct-port 1646 key cisco
dot1x system-auth-control
interface FastEthernet0/1
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x mac-auth-bypass
On ACS server, i created Netword-Profile for MAB, i added those Agentless hosts mac-adds, Even i created User-Name&password by those Agentless hosts mac-adds on acs, ..... still nothing seems to be working. i have selected ACS_Internal-Database for mac authentication.
On ACS while i check the Failed-attempt log, nothing is logged there. i dont know where is the issue.
Please tell me where im wrong on my config?Under your interface type: mab
Sent from Cisco Technical Support iPad App -
[Q] Identity Sequence issue causes MAB to auth against AD ??
We have a strange issue whereby some users have suddenly failed to correctly authenticate against ACS 5.1 - we cant work out why, as nothing has changed and would greatly appreciate your help.
We have dot1x configured on our network with MAB fallback. We havent yet rolled out dot1x to the clients even though the network is set up for this. In the meantime, we are using Mac Authentication Bypass. We do use 802.1x for wireless though.
I have set up the folowing Identity Sequence:
AD1 (this is set up as our AD servers for 802.1X user and machine auth)
SecurID Server (we dont use this yet either)
Internal Users (this is just used to authenticate ciscoworks)
Internal Hosts (this contains the list of allowed MAC addresses)
Typically what we have seen today is a user initially authenticates successfully by matching the Internal Hosts identity store, but then an hour later, re-authentication fails as the MAC address matches the AD1 id store and subsequently fails due to the MAC address not being present within AD.
Here is the successful connection entry (all MAC addresses substituted form the originals)...
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Network Access
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - Internal Hosts
24432 Looking up user in Active Directory - 00-1B-78-00-33-00
24412 User not found in Active Directory
24559 Searching for user in the RSA identity store.
24556 User record was not found in the cache.
24210 Looking up User in Internal Users IDStore - 00-1B-78-00-33-00
24216 The user is not found in the internal users identity store.
24209 Looking up Host in Internal Hosts IDStore - 00-1B-78-00-33-00
24211 Found Host in Internal Hosts IDStore
22037 Authentication Passed
22023 Proceed to attribute retrieval
24432 Looking up user in Active Directory - 00-1B-78-00-33-00
24412 User not found in Active Directory
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15004 Matched rule
15016 Selected Authorization Profile - MAB-PC
11022 Added the dACL specified in the Authorization Profile
11002 Returned RADIUS Access-Accept
Here is the failed connection entry....
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Network Access
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - AD1
24432 Looking up user in Active Directory - 00-1B-78-00-33-00
24416 User's Groups retrieval from Active Directory succeeded
22037 Authentication Passed
22023 Proceed to attribute retrieval
22038 Skipping the next IDStore for attribute retrieval because it is the one we authenticated against
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - DenyAccess
15039 Selected Authorization Profile is DenyAccess
11003 Returned RADIUS Access-Reject
Any help greatly appreciated!Hello Paul,
If a switch is configured for dot1x with MAB fallback as ours is, does the switch still send the MAC address for a dot1x-enabled client as well as the user and host AD credentials even though the MAC address is not required for auth in this case?
A switchport configured for 802.1x with MAB fallback will first send an EAPOL Start message. An 802.1x enabled client would be able to provide the appropriate User and Host information and get authenticated via 802.1x. No MAC address will be send at this point.
For the same switch and a client with dot1x DISABLED, does the switch forward just the MAC address to ACS?
Yes, the switch will send the EAPOL Start messages to the 802.1x Disabled client. It will not be able to respond to the switchport request. After the retries the switchport will fallback to MAB and expect the client to send the MAC Address to get authenticated.
If the switch invokes MAB and passes just the MAC address to ACS, does ACS still run the MAC address through the full identity store sequence which starts with AD1, even though dot1x is not running (and therefore AD matching is not relevant)?
Yes, the ACS will still run the authentication against all the Database specified on the Identity Store Sequest from top to bottom
Ultimately, I am trying to decide if
a) ACS is passing non-dot1x credentials (namely the MAC address) to AD erroneously ---> Do not think this might be the case as it will always pass the credentials to the every database on the specified order
b) if AD is responding (correctly or incorrectly) with a match ---> We know this one is happening.
c) if AD is rejecting the MAC address but that the rejection message isnt triggering the next iteration in the identity store sequence. ----> Do not think AD is rejecting the MAC Address based on:
24432 Looking up user in Active Directory - 00-1B-78-00-33-00
24416 User's Groups retrieval from Active Directory succeeded
At this point I have no suggestions on how to determine if the MAC Address is being properly authenticated on the AD Side -
Strange issue with new Cisco Catalyst 2960 (IOS)
Hello all,
I am upgrading a older 2950(100M) switch replacing it with a gigabit 2960. Installed it in the same rack, the configuration is practically non-existent just set the passwords and IP. We run a single VLAN flat network for this so I started out by patching it to the existing switch, after a few days we had an opportunity to migrate because there was some downtime so I disconnected the cables on the old and moved them to the new.. Everything seemed fine, there is connectivity and things operate, but a few days later we noticed that some network transfer activities are slow. There are no errors or log entries showing on the new switch or the old one, but the low throughput is persistent.
All ports show 1G Full duplex as they should, but what I see when I test is that traffic tests look almost asynchronous when passing switch boundaries with normal read speeds and slow writes. Reversing the direction of the test hosts I get slow reads and fast writes so it seems to 'stick' to one side of the traffic path. Testing the same equipment against differente targets without the switch boundary crossing does not show the problem. All Intra-switch tests look good (gig switches transfer near a gig and 100 switches near 100), but the moment there is a crossing things behave strangely regardless of the target (new switch is center backbone with most hosts, but does no routing). Network layout is essentially a T with everything radiating from the new switch. I can eliminate the old switch soon, but I still need to resolve the problem with the crossing to the other switch.
Everything seems to point at the inter switch links. One is a patch cable under two feet, and the other is a dedicated fiber site link. We had the vendor confirm that the site link showed no issues, but having the same symptoms on both links makes me suspect the switch has something odd happening..
I checked for duplex issues first, but didn't find any. I flushed the arp caches in all of the switches (3 total) and all of the computers as well, but the problem persists.
Could this be an STP issue ? If so how can I set this switch as the STP root and force a refresh..
Any help would be greatly appreciated.Hi Paul,
That was my concern and why I worried about making a change from remote, things are not as they should be.
Here is the output for each switch..
======================================================================
First the old switch (originally old switch connected to remote directly port 24 fixed speed/duplex and no other config)
C2950Calidad#show spanning-tree vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0013.7f23.0000
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0013.7f23.0000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
Fa0/2 Desg FWD 19 128.2 P2p
Fa0/16 Desg FWD 19 128.16 P2p
Fa0/21 Desg FWD 19 128.21 P2p
Fa0/22 Desg FWD 19 128.22 P2p
C2950Calidad#sh run int Fa0/22
Building configuration...
Current configuration : 34 bytes
interface FastEthernet0/22
end
C2950Calidad#sh int Fa0/22
FastEthernet0/22 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 0013.7f23.0016 (bia 0013.7f23.0016)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 11/255, rxload 3/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 100BaseTX
input flow-control is unsupported output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:20, output 00:00:01, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 1229000 bits/sec, 716 packets/sec
5 minute output rate 4361000 bits/sec, 800 packets/sec
1543435357 packets input, 1281752172 bytes, 0 no buffer
Received 3977688 broadcasts (0 multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 4346 ignored
0 watchdog, 2032103 multicast, 0 pause input
0 input packets with dribble condition detected
2298226914 packets output, 1725074683 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
C2950Calidad#sh int Fa0/22 switchport
Name: Fa0/22
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Appliance trust: none
============================================================================
Now the new switch (at center between other two, patched to above, fiber dedicated provider link to remote)
This includes two port command sets because it's in the middle interconnecting the other switches.
CISCO-2960-48-GB-ASP#show spanning-tree vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0013.7f23.0000
Cost 19
Port 48 (GigabitEthernet1/0/48)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address f41f.c2dc.9b80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
Gi1/0/2 Desg FWD 19 128.2 P2p
Gi1/0/3 Desg FWD 4 128.3 P2p
Gi1/0/4 Desg FWD 4 128.4 P2p
Gi1/0/5 Desg FWD 4 128.5 P2p
Gi1/0/6 Desg FWD 4 128.6 P2p
Gi1/0/7 Desg FWD 4 128.7 P2p
Gi1/0/10 Desg FWD 4 128.10 P2p
Gi1/0/11 Desg FWD 4 128.11 P2p
Gi1/0/12 Desg FWD 4 128.12 P2p
Gi1/0/13 Desg FWD 4 128.13 P2p
Gi1/0/14 Desg FWD 4 128.14 P2p
Gi1/0/15 Desg FWD 4 128.15 P2p
Gi1/0/16 Desg FWD 19 128.16 P2p
Gi1/0/17 Desg FWD 4 128.17 P2p
Gi1/0/18 Desg FWD 4 128.18 P2p
Gi1/0/20 Desg FWD 4 128.20 P2p
Gi1/0/21 Desg FWD 19 128.21 P2p
Gi1/0/22 Desg FWD 4 128.22 P2p
Gi1/0/24 Desg FWD 4 128.24 P2p
Gi1/0/25 Desg FWD 4 128.25 P2p
Gi1/0/27 Desg FWD 19 128.27 P2p
Gi1/0/29 Desg FWD 19 128.29 P2p
Gi1/0/32 Desg FWD 19 128.32 P2p
Gi1/0/37 Desg FWD 4 128.37 P2p
Gi1/0/38 Desg FWD 19 128.38 P2p
Gi1/0/39 Desg FWD 19 128.39 P2p
Gi1/0/40 Desg FWD 19 128.40 P2p
Gi1/0/41 Desg FWD 19 128.41 P2p
Gi1/0/42 Desg FWD 4 128.42 P2p
Gi1/0/43 Desg FWD 19 128.43 P2p
Gi1/0/44 Desg FWD 19 128.44 P2p
Gi1/0/45 Desg FWD 19 128.45 P2p
Gi1/0/47 Desg FWD 19 128.47 P2p
Gi1/0/48 Root FWD 19 128.48 P2p
CISCO-2960-48-GB-ASP#show run int Gi1/0/48
Building configuration...
Current configuration : 39 bytes
interface GigabitEthernet1/0/48
end
CISCO-2960-48-GB-ASP#show int Gi1/0/48
GigabitEthernet1/0/48 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is f41f.c2dc.9bb0 (bia f41f.c2dc.9bb0)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 2/255, rxload 10/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:01, output 00:00:02, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 12712290
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 4305000 bits/sec, 801 packets/sec
5 minute output rate 1149000 bits/sec, 706 packets/sec
2196985674 packets input, 2514470162077 bytes, 0 no buffer
Received 28075666 broadcasts (15513358 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 15513358 multicast, 0 pause input
0 input packets with dribble condition detected
1534630723 packets output, 395369715690 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
CISCO-2960-48-GB-ASP#show int Gi1/0/48 switchport
Name: Gi1/0/48
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
CISCO-2960-48-GB-ASP#show run int Gi1/0/47
Building configuration...
Current configuration : 63 bytes
interface GigabitEthernet1/0/47
speed 100
duplex full
end
CISCO-2960-48-GB-ASP#show int Gi1/0/47
GigabitEthernet1/0/47 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is f41f.c2dc.9baf (bia f41f.c2dc.9baf)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 2/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:28, output 00:00:01, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 576929
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 922000 bits/sec, 233 packets/sec
5 minute output rate 453000 bits/sec, 220 packets/sec
57257892 packets input, 17029314836 bytes, 0 no buffer
Received 81580 broadcasts (29497 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 29497 multicast, 0 pause input
0 input packets with dribble condition detected
101568868 packets output, 77491607955 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
CISCO-2960-48-GB-ASP#show int Gi1/0/47 switchport
Name: Gi1/0/47
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
===========================================================================
Finally the third switch (at separate site via provider dedicated fiber link from port 47 above)
SWC2960#show spanning-tree vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 1833.9db5.cd80
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 1833.9db5.cd80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/2 Desg FWD 19 128.2 P2p
Fa0/3 Desg FWD 19 128.3 P2p
Fa0/4 Desg FWD 19 128.4 P2p
Fa0/5 Desg FWD 19 128.5 P2p
Fa0/6 Desg FWD 19 128.6 P2p
Fa0/7 Desg FWD 19 128.7 P2p
Fa0/8 Desg FWD 19 128.8 P2p
Fa0/9 Desg FWD 19 128.9 P2p
Fa0/12 Desg FWD 19 128.12 P2p
Fa0/13 Desg FWD 19 128.13 P2p
Fa0/14 Desg FWD 19 128.14 P2p
Fa0/16 Desg FWD 19 128.16 P2p
Fa0/17 Desg FWD 19 128.17 P2p
Fa0/18 Desg FWD 19 128.18 P2p
Gi0/2 Desg FWD 4 128.26 P2p
SWC2960#sh run int Gi0/2
Building configuration...
Current configuration : 36 bytes
interface GigabitEthernet0/2
end
SWC2960#sh int Gi0/2
GigabitEthernet0/2 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 1833.9db5.cd9a (bia 1833.9db5.cd9a)
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not set
Full-duplex, 1000Mb/s, link type is auto, media type is 10/100/1000BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:01, output 00:00:01, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 450000 bits/sec, 205 packets/sec
5 minute output rate 792000 bits/sec, 211 packets/sec
76476638 packets input, 76487607492 bytes, 0 no buffer
Received 528325 broadcasts (253243 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 253243 multicast, 0 pause input
0 input packets with dribble condition detected
59807938 packets output, 18071502348 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
SWC2960#sh int Gi0/2 switchport
Name: Gi0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
There really isn't anything odd configured, but since CDP doesn't cross the fiber link I think it must be a q-q tunnel..
Dave
Maybe you are looking for
-
AJAX Report Refresh a_report- Condition for display not being validated
Hi , I have a report which has the following condition for dispaly: Exists(SQL query returs atleast one row) - SELECT * from temp1The query for the report is : select * from temp1 Now I have a button on the page and on click of the button I call the
-
I am wanting to setup my E1000 as an access point to an internet connected wired network so I can access the computers on the wired network and the internet. I attempted to use the Linksys "Guide Me" support, but it directed me to how to on another t
-
1130AG Lightweight IOS V12.(7)JX - static ip on it can't removed
Hi there - I'm stuck on this problem... my 1130AG lightweight access point has and static ip address on fa0 AP0007.0e5f.f430#show ip int brie Interface IP-Address OK? Method Status Protocol FastEthernet0 10.40.0.1 YES other up down I want to clear th
-
Moment type in delivery based on PO
Hi Gurus, Please guide me that in the replenishment delivery based on PO, how the moment type is coming in to delivery document. Thanks & Regards, Savi
-
Mac Pro and G4 won't talk via ethernet
Hi, I know this is child's play for many of you, but I'm at a dead end. I'm trying to network my new Mac Pro with my G4 MDD /dual 1.25/ V.10.2.8. I made sure that file sharing is on in both Macs, that the ethernet ports are active, and that I have a