802.1x fail authentication - packets keep discarded
Hi all,
I'm implementing 802.1x using Catalyst 3560 and MS IAS as radius server. The plan is, every PC needs to authenticate using PEAP with radius and assigned to a VLAN. Fail authentication will be assigned to guest VLAN.
The problem is when I'm testing a PC, set the PC withouth 802.1x enabled, plug it to the 3560 port, the port keeps that PC packets discarded forever. I remove dot1x configuration on the interface, but it keep discard all packets (can't ping anywhere). When I plugged the PC to other port with the same configuration (no dot1x), it works. I have tried shut and no shut the interface, disable - enable devices, remove config and etc but the PC can't ping anywhere.
I'm happy to paste the config. Could anyone please explain me why it happens and what is the solution? Many thanks.
Here's an example config that should work:
interface GigabitEthernet1/0/5
switchport access vlan 31
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x guest-vlan 35
dot1x auth-fail vlan 35
end
This should NOT keep a non-1x machine from accessing the network forever. With the above, and default timers, it's a 90-sec timeout of 802.1X. You can tweak the tx-period and the maz-reauth-req variable to get this down to 2-sec if you wish. If you remove 802.1X, then this should also not discard packets. If the 2 items above are truly occurring, then you have hit a software bug, and a TAC case should be opened immediately. Are you sure something like DHCP just hasn't timed out on you though?
NOTE: The config above has vlan 35 for the guest-vlan being equal to the auth-fail-vlan based on you stating the need for this above. It could be different than the guest-vlan if you wanted it to be. Either/both could be the same vlan as what's statically configured on the port as well [31].
Hope this helps,
Similar Messages
-
802.1x Failed Authentication with WS-C3750G-24T
Hi,
I have already set up a lab comprising of 1x2950-24 switch, 2x3750-24T in stack mode and 2x MS Domain Controller with AD 2008 Servers and NPS enabled (Domain level 2008). I use NPS as a Radius Server. I am trying to test the 802.1x framework in two scenarios.
1. I use as client a domain laptop with Windows XP SP3 with the embedded 802.1x MS supplicant. As authenticator use the 2950 switch and as authentication servers I use the two NPS integrated in MS DCs. Everything is working fine as I expected with basic configuration guidelines from Cisco & Microsoft.
2. I use as client a domain laptop with Windows XP SP3 with the embedded 802.1x MS supplicant (the same as before). As authenticator I use the 3750 Stack switch and as authentication servers I use the two NPS integrated in MS DCs (the same as before). I have configured the supplicant for both machine or user authentication in both scenarios. However the client never pass the authentication in the second one. I disconnect and connect the same supplicant in the 2950 switch and the authentication is completed successfully. Getting back to the 3750 stack the authentication failed and the laptop gains network access in the configured Auth-Failed Vlan. I have tried several configuration changes without success. I cannot understand why does this happen. I have made some debugs and I am sending them a long with a partial basic configuration of 3750 stack switch.
If anyone could check it and suggest anything it could be appreciated!!!
Thank you in advance!Hi,
basically what happens is that the maximum EAP packet size for communication between client and RADIUS server is negotiated. Therefore, in your case the switch notifies NPS that the client is capable of handling packets up to 9000 bytes in size.
EAP messages, especially those containing the server certificate, are usually bigger than 1500 bytes and arrive at the switch in multiple fragments:
Mar 6 15:50:11.881: RADIUS(0000002C): Received from id 1645/41
Mar 6 15:50:11.881: RADIUS/DECODE: EAP-Message fragments, 253+253+253+253+253+253+253+253+20, total 2044 bytes
Having learned that 2044 bytes is acceptable for the client, the switch forwards the full message in one chunk, but since your client is likely to have set the interface MTU to 1500, the packet is oversized and never reaches its destination.
And yes, I think changing the System Jumbo MTU to 1500 bytes would lead to the same result. If my memory serves me right, a new setting takes effect only after a reboot, so I'd suggest giving it a go in your lab first.
Best regards,
Josef -
802.1x port authentication failing after getting a access-accept packet
Hi all,
Im not 100% sure what the hell is going on here.
Any idea's or help will be appreciated.
Heres the topology.
1 x windows 2012 NPS
1x 3750X
1x Windows 7 x64
data flow
<laptop> - - [gi 1/0/13]<3750X>[gi 1/0/48]- -[gi 5/39]<6513>[po 1] - - [po 4]<6509><5/1> - - <VMWARE>[NPS Server]
The switch that is doing the authentication is the 3750X. Here is the IOS version.
Switch Ports Model SW Version SW Image
* 1 54 WS-C3750X-48 15.2(1)E C3750E-UNIVERSALK9-M
A wireshark trace on the NPS server shows that the packets are arriving and being sent back
Wireshark on a mirror of the trunk port connecting the 6513. It also shows packets being sent and arriving. access-accept packets are being recieved.
As you can see in the debug output, the switch is getting a access-accept, then it is stating a AAA failure.
here is a debug output as you plug in the laptop.
Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
Oct 24 10:53:45.643: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:46.641: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:47.538: dot1x-ev:[Gi1/0/13] Interface state changed to UP
Oct 24 10:53:47.564: dot1x-packet:[6431.500e.9b00, Gi1/0/13] queuing an EAPOL pkt on Auth Q
Oct 24 10:53:47.572: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/13
Oct 24 10:53:47.572: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x1
Oct 24 10:53:47.572: dot1x-packet: length: 0x0000
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 0,TYPE= 0,LEN= 0
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Couldn't find the supplicant in the list
Oct 24 10:53:47.572: dot1x-ev:[6431.500e.9b00, Gi1/0/13] New client detected, sending session start event for 6431.500e.9b00
Oct 24 10:53:47.572: AAA/BIND(00000047): Bind i/f
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Sending create new context event to EAP for 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.580: EAP-EVENT: Received context create from LL (Dot1x-Authenticator) (0x15000045)
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received AAA ID 0x00000047 from LL
Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: Assigning AAA ID 0x00000047
Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: CTS not enabled on interface Gi1/0/13
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received Session ID "C0A846660000004700DF6030" from LL
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Setting authentication mode: Passthrough
Oct 24 10:53:47.580: eap_authen : initial state eap_auth_initialize has enter
Oct 24 10:53:47.580: EAP-EVENT: Allocated new EAP context (handle = 0xE8000047)
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Created a client entry (0x15000045)
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Dot1x authentication started for 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.580: %AUTHMGR-5-START: Starting 'dot1x' for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.580: EAP-EVENT: Received EAP event 'EAP_AUTHENTICATOR_START' on handle 0xE8000047
Oct 24 10:53:47.580: eap_authen : during state eap_auth_initialize, got event 25(eapStartTmo)
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_initialize -> eap_auth_select_action
Oct 24 10:53:47.580: eap_authen : during state eap_auth_select_action, got event 20(eapDecisionPropose)
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_select_action -> eap_auth_propose_method
Oct 24 10:53:47.580: eap_authen : idle during state eap_auth_propose_method
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_propose_method -> eap_auth_method_request
Oct 24 10:53:47.580: eap_authen : idle during state eap_auth_method_request
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_method_request -> eap_auth_tx_packet
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Current method = Identity
Oct 24 10:53:47.580: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_ID_REQUEST' on handle 0xE8000047
Oct 24 10:53:47.580: eap_authen : idle during state eap_auth_tx_packet
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_tx_packet -> eap_auth_idle
Oct 24 10:53:47.589: EAP-AUTH-TX-PAK: Code:REQUEST ID:0x1 Length:0x0005 Type:IDENTITY
Oct 24 10:53:47.589: EAP-EVENT: Started 'Authenticator ReqId Retransmit' timer (30s) for EAP sesion handle 0xE8000047
Oct 24 10:53:47.589: EAP-EVENT: Started EAP tick timer
Oct 24 10:53:47.589: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_TX_PACKET' on handle 0xE8000047
Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
Oct 24 10:53:47.597: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Oct 24 10:53:47.597: dot1x-packet: length: 0x0005
Oct 24 10:53:47.597: dot1x-packet:EAP code: 0x1 id: 0x1 length: 0x0005
Oct 24 10:53:47.597: dot1x-packet: type: 0x1
Oct 24 10:53:47.597: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL packet sent to client 0x15000045
Oct 24 10:53:47.606: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Queuing an EAPOL pkt on Authenticator Q
Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 2,TYPE= 1,LEN= 31
Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.001f
Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
Oct 24 10:53:47.606: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Response sent to the server from 0x15000045
Oct 24 10:53:47.606: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_RX_PACKET' on handle 0xE8000047
Oct 24 10:53:47.606: EAP-AUTH-RX-PAK: Code:RESPONSE ID:0x1 Length:0x001F Type:IDENTITY
Oct 24 10:53:47.606: Payload: 47454E4552414C5C72616E64792E636F ...
Oct 24 10:53:47.606: eap_authen : during state eap_auth_idle, got event 1(eapRxPacket)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_idle -> eap_auth_received
Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response received by context 0xE8000047
Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response type = Identity
Oct 24 10:53:47.606: EAP-EVENT: Stopping 'Authenticator ReqId Retransmit' timer for EAP sesion handle 0xE8000047
Oct 24 10:53:47.606: eap_authen : during state eap_auth_received, got event 10(eapMethodData)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_received -> eap_auth_method_response
Oct 24 10:53:47.606: EAP-AUTH-EVENT: Received peer identity: GENERAL\randy.coburn.admin
Oct 24 10:53:47.606: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_IDENTITY' on handle 0xE8000047
Oct 24 10:53:47.606: eap_authen : during state eap_auth_method_response, got event 13(eapMethodEnd)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_method_response -> eap_auth_select_action
Oct 24 10:53:47.606: eap_authen : during state eap_auth_select_action, got event 19(eapDecisionPass)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_select_action -> eap_auth_passthru_init
Oct 24 10:53:47.606: eap_authen : during state eap_auth_passthru_init, got event 22(eapPthruIdentity)
Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_passthru_init -> eap_auth_aaa_req
Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_GET_PEER_MAC_ADDRESS' on handle 0xE8000047
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding Audit-Session-ID "C0A846660000004700DF6030" to RADIUS Req
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added Audit-Session-ID
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding IDB "0x070B90F8" to RADIUS Req
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added IDB
Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_AAA_REQUEST' on handle 0xE8000047
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: eap_auth_aaa_authen_request_shim aaa_service 19, eap aaa_list handle 0, mlist handle 0
Oct 24 10:53:47.614: AAA/AUTHEN/8021X (00000000): Pick method list 'default'
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Request sent successfully
Oct 24 10:53:47.614: eap_authen : during state eap_auth_aaa_req, got event 24(eapAAAReqOk)
Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_aaa_req -> eap_auth_aaa_idle
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute hwidb
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-type
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-service
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute clid-mac-addr
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute target-scope
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-unique-id
Oct 24 10:53:47.614: RADIUS(00000000): Config NAS IP: 0.0.0.0
Oct 24 10:53:47.614: RADIUS(00000000): sending
Oct 24 10:53:47.614: RADIUS/ENCODE: Best Local IP-Address 192.168.70.102 for Radius-Server 192.168.19.121
Oct 24 10:53:47.614: RADIUS(00000000): Send Access-Request to 192.168.19.121:1645 id 1645/21, len 288
Oct 24 10:53:47.614: RADIUS: authenticator F1 BA E5 31 71 54 BF 1A - A2 B1 5E 1A 63 72 1E 72
Oct 24 10:53:47.614: RADIUS: User-Name [1] 28 "GENERAL\randy.coburn.admin"
Oct 24 10:53:47.614: RADIUS: Service-Type [6] 6 Framed [2]
Oct 24 10:53:47.614: RADIUS: Vendor, Cisco [26] 27
Oct 24 10:53:47.614: RADIUS: Cisco AVpair [1] 21 "service-type=Framed"
Oct 24 10:53:47.614: RADIUS: Framed-MTU [12] 6 1500
Oct 24 10:53:47.614: RADIUS: Called-Station-Id [30] 19 "AC-F2-C5-75-7D-0D"
Oct 24 10:53:47.614: RADIUS: Calling-Station-Id [31] 19 "64-31-50-0E-9B-00"
Oct 24 10:53:47.614: RADIUS: EAP-Message [79] 33
Oct 24 10:53:47.614: RADIUS: 02 01 00 1F 01 47 45 4E 45 52 41 4C 5C 72 61 6E 64 79 2E 63 6F [GENERAL\randy.co]
Oct 24 10:53:47.622: RADIUS: 62 75 72 6E 2E 61 64 6D 69 6E [ burn.admin]
Oct 24 10:53:47.622: RADIUS: Message-Authenticato[80] 18
Oct 24 10:53:47.622: RADIUS: EE 52 4D ED B9 06 F3 CE 63 AC 9D 73 24 1B A7 ED [ RMcs$]
Oct 24 10:53:47.622: RADIUS: EAP-Key-Name [102] 2 *
Oct 24 10:53:47.622: RADIUS: Vendor, Cisco [26] 49
Oct 24 10:53:47.622: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A846660000004700DF6030"
Oct 24 10:53:47.622: RADIUS: Vendor, Cisco [26] 20
Oct 24 10:53:47.622: RADIUS: Cisco AVpair [1] 14 "method=dot1x"
Oct 24 10:53:47.622: RADIUS: NAS-IP-Address [4] 6 192.168.70.102
Oct 24 10:53:47.622: RADIUS: NAS-Port [5] 6 60000
Oct 24 10:53:47.622: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet1/0/13"
Oct 24 10:53:47.622: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Oct 24 10:53:47.622: RADIUS(00000000): Sending a IPv4 Radius Packet
Oct 24 10:53:47.622: RADIUS(00000000): Started 10 sec timeout
Oct 24 10:53:47.622: RADIUS: Received from id 1645/21 192.168.19.121:1645, Access-Accept, len 66
Oct 24 10:53:47.622: RADIUS: authenticator 92 F6 07 AF C1 AB 0B 4C - 1D 9E A0 D1 01 36 27 26
Oct 24 10:53:47.622: RADIUS: Class [25] 46
Oct 24 10:53:47.622: RADIUS: 76 E3 06 66 00 00 01 37 00 01 02 00 C0 A8 13 79 00 00 00 00 00 00 00 00 00 00 00 00 01 CE CF F8 1F 7B 75 41 00 00 00 00 00 00 00 50 [ vf7y{uAP]
Oct 24 10:53:47.622: RADIUS(00000000): Received from id 1645/21
Oct 24 10:53:47.622: EAP-EVENT: eap_aaa_reply
Oct 24 10:53:47.622: EAP-AUTH-AAA-EVENT: Reply received session_label 72000033
Oct 24 10:53:47.622: EAP-EVENT: Received AAA event 'EAP_AAA_FAIL' on handle 0xE8000047
Oct 24 10:53:47.622: eap_authen : during state eap_auth_aaa_idle, got event 8(eapAAAFail)
Oct 24 10:53:47.622: @@@ eap_authen : eap_auth_aaa_idle -> eap_auth_failure
Oct 24 10:53:47.631: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
Oct 24 10:53:47.631: EAP-AUTH-TX-PAK: Code:FAILURE ID:0x1 Length:0x0004
Oct 24 10:53:47.631: EAP-AUTH-EVENT: FAIL for EAP method ID: 1, name: , on handle 0xE8000047
Oct 24 10:53:47.631: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_FAIL' on handle 0xE8000047
Oct 24 10:53:47.631: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Received an EAP Fail
Oct 24 10:53:47.639: %DOT1X-5-FAIL: Authentication failed for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Added username in dot1x
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Dot1x did not receive any key data
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Processing client delete for hdl 0x15000045 sent by Auth Mgr
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] 6431.500e.9b00: sending canned failure due to method termination
Oct 24 10:53:47.639: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
Oct 24 10:53:47.639: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Oct 24 10:53:47.639: dot1x-packet: length: 0x0004
Oct 24 10:53:47.639: dot1x-packet:EAP code: 0x4 id: 0x1 length: 0x0004
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL canned status packet sent to client 0x15000045
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Deleting client 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.639: %AUTHMGR-7-STOPPING: Stopping 'dot1x' for client 6431.500e.9b00 on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.639: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.648: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Delete auth client (0x15000045) message
Oct 24 10:53:47.648: EAP-EVENT: Received free context (0xE8000047) from LL (Dot1x-Authenticator)
Oct 24 10:53:47.648: dot1x-ev:Auth client ctx destroyed
Oct 24 10:53:47.648: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_DELETE' on handle 0xE8000047
Oct 24 10:53:47.648: EAP-AUTH-EVENT: Freed EAP auth context
Oct 24 10:53:47.648: EAP-EVENT: Freed EAP context
Oct 24 10:53:48.621: EAP-EVENT: Stopped EAP tick timer
Oct 24 10:53:49.485: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to up
Oct 24 10:53:50.491: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to up
Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
Oct 24 10:53:54.518: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:55.524: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to downHi Jatin,
See below the data that you have requested.
show run bits.
aaa new-model
aaa authentication dot1x default group radius
aaa session-id common
clock timezone BST 0 0
clock summer-time UTC recurring last Sun Mar 1:00 last Sun Oct 2:00
dot1x system-auth-control
interface GigabitEthernet1/0/13
switchport access vlan 80
switchport mode access
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface GigabitEthernet1/0/48
switchport trunk encapsulation dot1q
switchport trunk native vlan 70
switchport mode trunk
radius server NPS1
address ipv4 192.168.19.121 auth-port 1645 acct-port 1646
timeout 10
key thesecret
ip default-gateway 192.168.70.1
SW1-randy#show auth sessions interface gig 1/0/13
Interface MAC Address Method Domain Status Fg Session ID
Gi1/0/13 803f.5d09.189e N/A UNKNOWN Unauth C0A846660000002F00251DBC
SW1-randy#Show mac address-table Interface GigabitEthernet1/0/13
Mac Address Table
Vlan Mac Address Type Ports
80 803f.5d09.189e DYNAMIC Drop
SW1-randy#ping 192.168.19.121
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.19.121, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
Here is a wireshark of the accept packet.
Message was edited by: randy coburn
Added wireshark trace -
VWLC 802.1x NPS authentication Fails
Hi Guys,
Hopefully someone can help me with the following problem i'm facing...
I've a vWLC running 7.3 deployed in our HQ site.
At the HQ we have a W2k8 R2 NPS deployed at works fine for VPN, Router and Switch Authentication
In a few remote branch offices which are connected to the HQ over DMVPN we have a couple of 3500's running in flexconnect mode with local switching.
These AP's register just fine through the VPN link back to the vWLC.
We deployed a few SSID's that are bound to AP groups.
All SSID's that use WPA2 with PSK work fine
All SSID's that use WPA2 with 802.1x Fail
The Security Settings for the failing SSID's are:
WPA2 Policy
WPA2 Encryption AES
Key Man 802.1x
AAA Server is pointing to the right NPS for Auth and Accounting
Radius overwrite IF is disabled
The settings of the NPS are:
Conditions:
Win Group: DOMAIN\Groupxx
NAS Port Type: Wireless - IEEE 802.11
Settings:
EAP Conf: Configured
Access Perm: Granted
EAP Method: MS PEAP
Auth Method: EAP
NAP Enforcement: Allow full access
Update non complient: True
Service Type: Login
When a laptop (Mac os 10.8) tries to connect to a 802.1x SSID It Prompts for a username and passwd.
Using DOMAIN\user + passwd the client tries to authenticate for a couple of times and fails
On the vWLC i can see trap:
AAA Authentication Failure for UserName:user User Type: WLAN USER
At the NPS i can see:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: DOMAIN\user
Account Name: user
Account Domain: DOMAIN
Fully Qualified Account Name: dom.com/OU/OU/OU/USER full name
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 34-a8-4e-70-0b-90:test.sec
Calling Station Identifier: 10-40-f3-8f-ac-62
NAS:
NAS IPv4 Address: IP vWLC
NAS IPv6 Address: -
NAS Identifier: VWLC001
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 1
RADIUS Client:
Client Friendly Name: vWLC001
Client IP Address: IP vWLC
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Cisco WiFi
Authentication Provider: Windows
Authentication Server: FQDN NPS server
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 23
Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
Hopefully someone can point me in the right direction.
Cheers,
JPFind below the output of the debug:
(Cisco Controller) >
(Cisco Controller) >*Dot1x_NW_MsgTask_4: May 27 10:08:51.567: 00:21:6a:72:3c:ec apfMsRunStateInc
*apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 Processing RSN IE type 48, length 20 for mobile 10:40:f3:8f:ac:62
*apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 Received RSN IE with 0 PMKIDs from mobile 10:40:f3:8f:ac:62
*apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 Setting active key cache index 8 ---> 8
*apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 unsetting PmkIdValidatedByAp
*apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 apfMsAssoStateInc
*dot1xMsgTask: May 27 10:09:41.428: 10:40:f3:8f:ac:62 Station 10:40:f3:8f:ac:62 setting dot1x reauth timeout = 1800
*dot1xMsgTask: May 27 10:09:41.428: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 1)
*dot1xMsgTask: May 27 10:09:41.428: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
*dot1xMsgTask: May 27 10:09:41.429: 00000000: 02 00 00 32 01 01 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
*dot1xMsgTask: May 27 10:09:41.429: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
*dot1xMsgTask: May 27 10:09:41.429: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
*dot1xMsgTask: May 27 10:09:41.429: 00000030: 72 74 69 64 3d 31 rtid=1
*Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 00000000: 01 00 00 0e 02 01 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
*Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 00000010: 6c 73 ls
*Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Received Identity Response (count=1) from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Adding AAA_ATT_USER_NAME(1) index=0
*Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
*Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
*Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT(5) index=3
*Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
*Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
*Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
*Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_VAP_ID(1) index=7
*Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_SERVICE_TYPE(6) index=8
*Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_FRAMED_MTU(12) index=9
*Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
*Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_EAP_MESSAGE(79) index=11
*Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_MESS_AUTH(80) index=12
*Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 AAA EAP Packet created request = 0x13a375e4.. !!!!
*Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Sending EAP Attribute (code=2, length=14, id=1) for mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 00000000: 02 01 00 0e 01 6a 65 61 6e 70 61 75 6c 73 .....jeanpauls
*Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
*Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
*Dot1x_NW_MsgTask_2: May 27 10:09:46.473: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 4) from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:46.473: 00000000: 01 01 00 00 ....
*Dot1x_NW_MsgTask_2: May 27 10:09:46.473: 10:40:f3:8f:ac:62 Received EAPOL START from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 3)
*Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
*Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 00000000: 02 00 00 32 01 03 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
*Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
*Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
*Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 00000030: 72 74 69 64 3d 31 rtid=1
*Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 00000000: 01 00 00 0e 02 03 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
*Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 00000010: 6c 73 ls
*Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Received Identity Response (count=2) from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_USER_NAME(1) index=0
*Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
*Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
*Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT(5) index=3
*Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
*Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
*Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
*Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_VAP_ID(1) index=7
*Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_SERVICE_TYPE(6) index=8
*Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_FRAMED_MTU(12) index=9
*Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
*Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_EAP_MESSAGE(79) index=11
*Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_MESS_AUTH(80) index=12
*Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 AAA EAP Packet created request = 0x13a375e4.. !!!!
*Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Sending EAP Attribute (code=2, length=14, id=3) for mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 00000000: 02 03 00 0e 01 6a 65 61 6e 70 61 75 6c 73 .....jeanpauls
*Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
*Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
*Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Unable to send AAA message for mobile 10:40:F3:8F:AC:62
*Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 4) from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000000: 01 01 00 00 ....
*Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Received EAPOL START from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 5)
*Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
*Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000000: 02 00 00 32 01 05 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
*Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
*Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
*Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000030: 72 74 69 64 3d 31 rtid=1
*Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Reached Max EAP-Identity Request retries (3) for STA 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Not sending EAP-Failure for STA 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 10:40:f3:8f:ac:62 Station 10:40:f3:8f:ac:62 setting dot1x reauth timeout = 1800
*Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 00000000: 01 00 00 0e 02 05 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
*Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 00000010: 6c 73 ls
*Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 10:40:f3:8f:ac:62 Received EAP Response packet with mismatching id (currentid=0, eapid=5) from mobile 10:40:f3:8f:ac:62
*apfMsConnTask_1: May 27 10:09:54.637: 10:40:f3:8f:ac:62 Processing RSN IE type 48, length 20 for mobile 10:40:f3:8f:ac:62
*apfMsConnTask_1: May 27 10:09:54.637: 10:40:f3:8f:ac:62 Received RSN IE with 0 PMKIDs from mobile 10:40:f3:8f:ac:62
*apfMsConnTask_1: May 27 10:09:54.637: 10:40:f3:8f:ac:62 Setting active key cache index 8 ---> 8
*apfMsConnTask_1: May 27 10:09:54.637: 10:40:f3:8f:ac:62 unsetting PmkIdValidatedByAp
*dot1xMsgTask: May 27 10:09:54.676: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 1)
*dot1xMsgTask: May 27 10:09:54.676: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
*dot1xMsgTask: May 27 10:09:54.676: 00000000: 02 00 00 32 01 01 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
*dot1xMsgTask: May 27 10:09:54.676: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
*dot1xMsgTask: May 27 10:09:54.676: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
*dot1xMsgTask: May 27 10:09:54.676: 00000030: 72 74 69 64 3d 31 rtid=1
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 00000000: 01 00 00 0e 02 01 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 00000010: 6c 73 ls
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Received Identity Response (count=1) from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_USER_NAME(1) index=0
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT(5) index=3
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_VAP_ID(1) index=7
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_SERVICE_TYPE(6) index=8
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_FRAMED_MTU(12) index=9
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_EAP_MESSAGE(79) index=11
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_MESS_AUTH(80) index=12
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 AAA EAP Packet created request = 0x13a375e4.. !!!!
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Sending EAP Attribute (code=2, length=14, id=1) for mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 00000000: 02 01 00 0e 01 6a 65 61 6e 70 61 75 6c 73 .....jeanpauls
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
*Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
*Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 4) from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000000: 01 01 00 00 ....
*Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 10:40:f3:8f:ac:62 Received EAPOL START from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 3)
*Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
*Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000000: 02 00 00 32 01 03 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
*Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
*Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
*Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000030: 72 74 69 64 3d 31 rtid=1
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 00000000: 01 00 00 0e 02 03 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 00000010: 6c 73 ls
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Received Identity Response (count=2) from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_USER_NAME(1) index=0
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT(5) index=3
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_VAP_ID(1) index=7
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_SERVICE_TYPE(6) index=8
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_FRAMED_MTU(12) index=9
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_EAP_MESSAGE(79) index=11
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_MESS_AUTH(80) index=12
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 AAA EAP Packet created request = 0x13a375e4.. !!!!
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Sending EAP Attribute (code=2, length=14, id=3) for mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 00000000: 02 03 00 0e 01 6a 65 61 6e 70 61 75 6c 73 .....jeanpauls
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Unable to send AAA message for mobile 10:40:F3:8F:AC:62
*radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
*radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
*radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
*radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-resp] AAA request requeued OK
*radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
*radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
*radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
*radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-resp] Requeue failed. Returning AAA response
*radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 AAA Message 'Timeout' received for mobile 10:40:f3:8f:ac:62
*radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 Filtering AAA Response with invalid Session ID - proxy state 10:40:f3:8f:ac:62-02:00
*radiusTransportThread: May 27 10:10:41.513: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
*radiusTransportThread: May 27 10:10:41.513: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
*radiusTransportThread: May 27 10:10:41.513: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
*radiusTransportThread: May 27 10:10:41.513: 10:40:f3:8f:ac:62 [BE-resp] AAA request requeued OK
*radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
*radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
*radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
*radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 [BE-resp] Requeue failed. Returning AAA response
*radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 AAA Message 'Timeout' received for mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:11:11.529: 10:40:f3:8f:ac:62 Processing AAA Error 'Timeout' (-5) for mobile 10:40:f3:8f:ac:62 -
802.1x Port Authentication via RADIUS
I am investigating implementing 802.1x port authentication on our network.
I have a test LAN with a Catalyst 2950 switch and 2 Win XP workstations, (I know its pretty basic, but should be enough for testing purposes). One of these XP PCs is running a Win32 RADIUS server and the other has been configured for 802.1x authentication with MD5-Challenge. Both switch ports are configured for the default vlan and can ping each other.
I have configured the switch with the following commands
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host x.x.x.x key test
and the port to be authorised has been configured with
dot1x port-control auto
As far as I can tell this is all I need to configure on the switch, please correct me if I am wrong.
When I plug the PC into the port I get the request to enter login details, which I do, the RADIUS server sees the request but rejects it, because 'the password wasnt available'. Here is the output from the request, but there isnt any password field and I know there should be as the RADIUS server comes with a test utility and the output from that is similar to below, but the password field is included. I have removed IP/MAC addresses.
Client address [x.x.x.x]
NAS address [x.x.x.x]
UniqueID=3
Realm = def
User = Administrator
Code = Access request
ID = 26
Length = 169
Authenticator = 0xCCD65F510764D2B2635563104D0C2601
NAS-IP-Address = x.x.x.x
NAS-Port = 50024
NAS-Port-Type = Ethernet
User-Name = Administrator
Called-Station-Id = 00-11-00-11-00-11
Calling-Station-Id = 11-00-11-00-11-00
Service-Type = Framed
Framed-MTU = 1500
State = 0x3170020000FCB47C00
EAP-Message = 0x0201002304106424F60D765905F614983F30504A87BA41646D696E6973747261746F72
Message-Authenticator = 0xA119F2FD6E7384F093A5EE1BF4F761EC
Client address [x.x.x.x]
NAS address [x.x.x.x]
UniqueID=4
Realm = def
User = Administrator
Code = Access reject
ID = 26
Length = 0
Authenticator = 0xCCD65F510764D2B2635563104D0C2601
EAP-Message = 0x04010004
Message-Authenticator = 0x00000000000000000000000000000000
On the 2950 I have turned on debugging with 'debug dot1x all' and part of the output is below:
*Mar 2 01:58:38: dot1x-ev:Username is Administrator
*Mar 2 01:58:38: dot1x-ev:MAC Address is 0011.0011.0011
*Mar 2 01:58:38: dot1x-ev:RemAddr is 00-11-00-11-00-11/00-11-00-11-00-11
*Mar 2 01:58:38: dot1x-ev:going to send to backend on SP, length = 26
*Mar 2 01:58:38: dot1x-ev:Received VLAN is No Vlan
*Mar 2 01:58:38: dot1x-ev:Enqueued the response to BackEnd
*Mar 2 01:58:38: dot1x-ev:Sent to Bend
*Mar 2 01:58:38: dot1x-ev:Received QUEUE EVENT in response to AAA Request
*Mar 2 01:58:38: dot1x-ev:Dot1x matching request-response found
*Mar 2 01:58:38: dot1x-ev:Length of recv eap packet from radius = 26
*Mar 2 01:58:38: dot1x-ev:Received VLAN Id -1
Again there doesnt appear to be a password, shouldn't I see one?
Ultimately we will be using a Unix RADIUS server but for testing purposes I have just configured an eval version of Clearbox's RADIUS server. I've tried others as I thought the problem maybe the software, but I get similar problems regardless. If anyone can recommend better Win32 software, please do so.
I'm struggling to figure out where the problem is, the XP machine, the switch or the RADIUS server. Any advice would be appreciated as it's getting quite frustrating.These are dot1x event debugs, so you wouldn't see this with that debug. The closest thing to seeing it would be to debug radius on the switch, and the password would be contained in RADIUS Attribute[79]. The switch uses this attribute to replay the EAP message (unmodified) to a RADIUS server. You might see it, but it's encrytped, so it might not buy you much. I'm sure you can imagine from a security point of view why the switch won't/shouldn't have this much visibility into this ;-).
I would recommend either:
a) Double-checking your RADIUS setup and logs to find out why the user failed. (double-check the RADIUS key configured on the switch too .. it must match).
b) Downloading a third-party supplicant from Meetinghouse or Funk to use as a control.
Eval copies are available on their websites.
Hope this helps, -
Windows 7 802.1x (Wired) Authentication Failure when logging into Lync 2010
Hi
My company has implemented 802.1x Wired authentication, we use GPO to specify a
Wired Profile that uses a COMPUTER certificate.
We are finding that when a Windows 7 laptop comes out of sleep or hibernation, the laptop fails 802.1x authentication and does not connect to the network.
This issue only occurs intermittently, but have been proven to occur only when Lync 2010 is open. If we close Lync 2010 the issue does not occur. Lync 2010 installs a self signed USER certificate for authentication.
I am aware that there are some issues around Windows 7 not selecting the correct certificate when responding to authentication requests (KB2710995,
KB2769121) but these always specify that the issue occurs when 802.1x authentication uses USER certificates, not a mix of USER and COMPUTER. We have installed these hotfixes and the
issue still occurs.Hi,
From the description, you suspect the DHCP request cause this issue. Would you please send us the packets? Since it seems that you have looked into the traffic and found some clues.
Meanwhile, I found the following hotfix which may related to this issue.
No response to 802.1X authentication requests after authentication fails on a computer that is running Windows 7 or Windows Server 2008 R2 http://support.microsoft.com/kb/980295/en-us
Next Action Plan:
1.Clean Boot
a. Click Start, click Run, type "msconfig" (without the quotation marks) in the Open box, and then click OK.
b. In the Startup tab, click the "Disable All" button.
c. In the Services tab, check the "Hide All Microsoft Services" checkbox, and then click the "Disable All" button.
======================================================
Clean Boot + binary search
In a Clean Boot, all the 3rd party services and startup programs are disabled. If the server can start normally in Clean Boot, we can be sure that the issue was caused by some 3rd party service or application. And then we can do a "binary search".
You can enable half of all the services in Services tab, and then restart the server to check the result. If the issue reoccurs, it means the culprit is in this list; if not, the culprit is in the other half. And then, we can continue the binary search, until
we find out the root cause. Please let me know if this action plan is OK for you.
2.Collect etl trace on the problematic client.
netsh trace start capture=yes overwrite=yes tracefile=c:\net.etl filemode=circular
****Try to reproduce this issue****
netsh trace stop
Please send the net.etl to us for underlying analysis.
For any concerns, please let us know.
Best regards,
Steven Song
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. -
802.1X Machine Authentication ONLY!
Hi. I have a customer who wants to perform 802.1x machine authentication only to prevent users connecting there own devices to the corporate network. The machine credentials will be authenticated via Cisco ACS which will proxy the authentication to ActiveDirectory. If successful, the 802.1x assigns the port to a VLAN. At this point, the port is 'opened up' and the user can recieve an IP address and can then login to the domain as normal (AD username/password) via the network login screen. Is this a workable solution?
I basically want the end user to not notice anything new, but 802.1x operates in the background to authenticate the machine before displaying the network login box. To the user, the PC boots and displays the login box and they login as normal :-) If they bring in their own device, it will fail 802.1x machine authentication and will not get any access.
Has anyone implemented this? Is it a feasible design?
Thanks
DarrenHi Darren,
good news for you.. you can do this using the "Machine Access Restriction" on both ACS 4.x and ACS 5.x:
* ACS 5.x:
http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1254965
* ACS 4.x:
http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/User_Guide/UsrDb.html#wp354105
As soon as the machine performs the 802.1x using the client credentials, the ACS will keep this info on a cache and it will match any further auth attempt (e.g. using the user credentials) for this client using the "Calling-Station-ID", so basically the client's MAC address.
Depending on whether a client performed or not Machine Authentication before, you can decide whether to assign a sort of restricted access/guest VLAN or to deny access.
If the personal client doesn't have a 802.1x supplicant at all, then you can decide to enable the guest vlan feature on the switch itself.
I hope this helps.
Regards,
Federico
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it. -
Help Please :) LInksys WRVS4400N 802.1X port authentication setup
HI all,
I am trying to configure 802.1X port authentication on my Linksys WRVS4400N. I created a test lab in order to do this, currently I am using
1x Linksys WRVS4400N
1x Microsoft Server 2003 with IAS and Active Directory services
1x Dell Laptop (Used for testing Radius Athentication)
I Created 4 VLAN(s) to test with this LAB
VLAN 1 Managament. Addr Range 192.168.1.0 /24. GW 192.168.1.254
VLAN 10 Servers. Addr Range 172.16.1.0 /24. GW 172.16.1.254
VLAN 20 IT. Addr Range 172.16.2.0 /24. GW 172.16.2.254
VLAN 30 Design. Addr Range 172.16.3.0 /24. GW 172.16.3.254
This is how I assigned my VLAN(s) to my ports. This is found on the VLAN & Port Assignment Screen
Port 1 -> Mode: General -> Frame Type: All -> PVID 1 (Port 1 is used for VLAN 1: Management)
Port 2 -> Mode: General -> Frame Type: All -> PVID 10 (Port 2 is used for VLAN 20: Servers)
Port 3 -> Mode: Access -> Frame Type: All (Port 3 is used for RADIUS. DHCP enabled)
Port 4 -> Mode: Access -> Frame Type: All (Port 4 is used for RADIUS. DHCP enabled)
VLAN 1: Default
Port 1: Untagged, Port 2: Tagged, Port(s): 3, 4 & Wireless: Excluded
VLAN 10: Servers
Port(s): 1, 3, 4 & Wireless: Excluded. Port 2: Untagged
VLAN 20: IT
Port(s): 1, 2: Excluded, Port(s): 3,4 & Wireless: Untagged
VLAN 30: Design
Port(s): 1, 2: Excluded, Port(s): 3,4 & Wireless: Untagged
This is how my Radius is setup
Mode: Enabled
RADIUS IP: 172.16.1.1 (IP of the WIN2K3 Server)
UDP Port: 1812
Secret: Password1
Port(s) 1 & 2: Force Authorized
Port(s) 3 & 4: Force UnAuthorized
On the Server this is what I have configured
1. Created a domain: GLAB. Created two groups: IT LAN, Design LAN, then assigned users to those groups. IE: User1 belongs to IT LAN
2. Created a IAS Remote Access Policy and named it IT LAN. The profile settings are listed below
Tunnel-Medium-Type: 802
Tunnel-PVT-Group-ID: 20
Tunnel-Type: Virtual LAN
My goal is to test RADIUS authentication on ports 3 and 4 on the Linksys WRV . I tested everything else I made sure the VLAN's were working ok so what I did was took a Dell Laptop and joined it to my domain. I pluged the Dell Laptop into port 4 to test Radius Authentication. When I tried to log in as User1 it didn't work.
I am new to setting up 802.1X, I wanted to know if I missed a setting or I misconfigured something. I even ran wireshark on my Windows 2003 machine to see if any RADIUS data is coming from my router (172.16.1.254) and I didn't see anything
If anybody can help me out that would be great!
Cheers
Graham1. I don't think the WRVS4400N supports RADIUS assigned VLANs. I can't find anything in the manual suggesting it would. I would say you can only use the RADIUS server for authentication on a port but the VLAN must be configured before.
2. You don't write what is exactly connected to each port on the WRVS. For instance, it is unclear whether the MS Server is connected directly to port 2 or whether it connects to another switch to which you have connected other servers as well.
3. The VLAN configuration looks very odd to me. If I see it correctly you have:
Port 1: General mode, PVID 1, 1U
Port 2: General mode, PVID 10, 1T, 10U
Port 3: Access mode, PVID ???, 20U, 30U
Port 4: Access mode, PVID ???, 20U, 30U
I wonder why you are even able to set this up...
a. Port 1 should be set to Access mode with PVID 1 and 1U. With access mode the port is member of a single VLAN and all traffic is untagged. That is exactly what you have set up, but with General mode.
b. Port 2 must be connected to a server (or a managed switch). The NIC in the server must be configured for 802.1q tagged frames. On the server NIC you must configure VLAN 1 as tagged VLAN and VLAN 10 as default/native/untagged VLAN. Only then the server is able to communicate on VLAN 1 and VLAN 10.
c. Port 3&4 are in access mode. In access mode the port can only be member of a single VLAN. What you post suggests that they are member of two VLANs. That should not even be possible to configure. If it is possible, that it is definitively incorrect. You must decide to which VLAN these ports belong to.
4. To use RADIUS authentication on a port you must set it to "Auto". "Force UnAuthorized" sets it unauthorized, i.a.W. you disable the port completely. To traffic will go through. See the manual: "Force Unauthorized—Controlled port state is set to Force-Unauthorized (discard traffic). All connections are blocked."
5. Did you verify that your RADIUS server is actually using port 1812? 1645 is also commonly used for radius authentication. Check the configuration on the RADIUS server or check with "netstat -a" to see if 1812 is used.
6. Also check, whether the RADIUS traffic is sent on the management VLAN 1. The WRVS uses VLAN 1 as management VLAN and it might well be that it expects the RADIUS server to be in the management VLAN. Use the server IP address in VLAN 1 as RADIUS server IP address to check that.
7. Did you check with wireshark the traffic on the 802.1x client machine? Does it send something out? Does it receive anything? -
Radius server for 802.1x port authentication
Does anybody know if CiscoSecure for Unix version 2.3.6.2 can be used as a Radius server for 802.1x port authentication? I know the Windows version will do this and can be configured to assign a user to a specific VLAN, but can the UNIX software do the same?
ThanksCheck connectivity between the PIX and the server.
If the server is outside the PIX, verify that it is specified in the (if_name) parameter of the aaa-server command. In the example below, the (if_name) parameter represents outside.
aaa-server group_tag (if_name) host server_ip key timeout 5
If you are using TACACS+, verify that the PIX and server are communicating on the same port (Transmission Control Protocol (TCP)/49).
If you are using RADIUS, verify that the PIX and server are communicating on User Datagram Protocol (UDP) port 1645. Or, if the RADIUS server is using port 1812, verify that the PIX is using software version 6.0 or later, and then issue the aaa-server radius-authport 1812 command to specify port 1812.
Ensure that the secret key is correct.
Check the server logs for failed attempts. All servers have some kind of logging function. -
Pb 802.1X Computer authentication
Hello
I want to know if some GPO parameters can prevent computer authentication 802.1X ?
Because we use ACS4.1 and 802.1X PEAP authentication with Vlan assignement and MACHINE authentication Only
And certain PC works fine and other not
And if we disconnect the PC to the domain and after we reconnect th PC to the donain, all works fine ==> Authentication is OK
If you have a solution to prevent out/in PC in the domain ?
Thanks for your helpHello
When i do the command csagent -v the result is:
ACSRemoteAgent version 4.1(3.12)
and I have an Appliance ACS:
Cisco Secure ACS 4.1.3.12
Appliance Management Software 4.1.3.12
Appliance Base Image 4.1.1.4
CSA build 4.0.1.543.2 (Patch: 4_0_1_543)
and in the file cswinAgent i have this error
CSWinAgent 08/07/2007 11:32:33 A 0386 6040 0x0 RPC: NT_MSCHAPAuthenticateUser received
CSWinAgent 08/07/2007 11:32:33 A 1711 6040 0x0 NTLIB: Got WorkStation CISCO
CSWinAgent 08/07/2007 11:32:33 A 1712 6040 0x0 NTLIB: Attempting Windows authentication for user GVAL0594$
CSWinAgent 08/07/2007 11:32:33 A 1764 6040 0x0 NTLIB: Windows authentication FAILED (error 1326L)
CSWinAgent 08/07/2007 11:32:33 A 0332 6040 0x0 NTLIB: Reattempting authentication at domain DOMAIN-TEST
CSWinAgent 08/07/2007 11:32:33 A 1711 6040 0x0 NTLIB: Got WorkStation CISCO
CSWinAgent 08/07/2007 11:32:33 A 1712 6040 0x0 NTLIB: Attempting Windows authentication for user GVAL0594$
CSWinAgent 08/07/2007 11:32:33 A 1764 6040 0x0 NTLIB: Windows authentication FAILED (error 1326L)
CSWinAgent 08/07/2007 11:32:33 A 0452 6040 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent
I don't know if this that you want
I have just change the domain name (DOMAIN-TEST) to confidential resaon
Thanks -
ESW 520 802.1x MAB authentication problem
Hello,
I am having problem with 802.1x MAB authentication on ESW 520 switch, the authentication server is ACS 5.3.
The Authentication method on ESW is 802.1x & MAC, and Host Authentication mode is Multi Session. When i plug ip phone it never authenticate the phone, and on ACS I get following error message:
Radius authentication failed for USER: aa1effbb8fd4 MAC: aa-1E-FF-bb-8F-D4 AUTHTYPE: Radius authentication failed
RADIUS Status:Authentication failed : 11509 Access Service does not allow any EAP protocols
15004 Matched rule
15012 Selected Access Service - MAB
11507 Extracted EAP-Response/Identity
11509 Access Service does not allow any EAP protocols
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
For that Access Service I have configured only Host Lookup.
The same ACS configuration is working perfectly on Catalyst 3560G switche.
It seems that ESW switch is not telling ACS that authentication is going to be by MAC address.
Do you have any idea what can be the problem.Are you hitting the same selection rule? Also is "mab eap" configured globally on the switch, or on the port itself?
Also can you post the port configuration and the show ver of the ESW?
Thanks,
Tarik Admani
*Please rate helpful posts* -
ESW 520 802.1x re authentication problem
Hello
I have problem with ESW 520, on 802.1x authentication. The problem is when host authenticates successfully it works about couple of minutes, after it truest too authenticate again but it lags. On network interface it shows notification that if Failed authentication. On ACS I see only one authentication attempt which is successful. This problem is happening on Win7 and Win XP. If I unplug and plug cable it authenticates successfully, but then about couple of minutes it again lags. Switch sees port as authenticated. On Win7 event viewer I have following error:
Reason: 0x70004
Reason Text: The network stopped answering authentication requests
Error Code: 0x0
If I connect same hosts on Catalyst 2960 switch, they work successfully.Hi ngtransge
There are tree possible explanations about why the authentications fails.
A)the network interface is shut down after failed computer authentication. You can see this on the switch as line protocol down for that port.
To verify the client has a domain certificate:
1. Click Start and click Run.
2. Type mmc, and then press ENTER.
3. On the File menu, click Add/Remove Snap-in.
4. Click Certificates, click Add, select Computer account, and then click Next.
5. Verify that Local computer: (the computer this console is running on) is selected, click Finish, and then click OK.
6. In the console tree, double-click Certificates (Local Computer), double-click Personal, and then click Certificates.
On a domain joined client, you should see a certificate here with Intended Purposes of Client Authentication. Make sure this certificate is not expired. If it is expired, you will need to regain connection to your CA to request a new one.
B) You should check your switch's configuration, perhaps a port or some ports could be blocked by an access-list and interrupt the re authentication.
C) If this two solutions don't work, you have to try to change the authentication method (PEAP-MSCHAPv2 or PEAP-EAP-TLS)
Greetings, Johnnatn Rodriguez Miranda -
NAP / 802.1x wired authentication issues
NAP/NPS Server = 2012R2 NPS Role installedClient Swiches: HP Proliant 5400 seriesSupplicant: Windows 7 Pro domain joined, built in Windows 802.1x suplicant.We are using user and machine based authentication (to accomodate RDP sessions) with health checks (AV installed and Firewall enabled on all network profiles). User authentication policies are above Machine authentication policies in NPS so that when a user logs in, it superceedes the machine's authentication and switches VLANs based on the user's AD group membership. If a user or machine fails authentication, or fails the health check, they are quarantined on our 666 VLAN (We call it the Leper Colony!).Everything pretty much works...except one small thing...PROBLEMWhen a computer first boots up (maybe other times, I dont know), before presenting a user with a login screen, it gets...
This topic first appeared in the Spiceworks CommunityHi, you need machine authentication as well. Otherwise Windows will not be able to verify the user's identity and cannot log the user in. Windows authentication of the user takes place before the switchport authenticates for the user. Machine authentication allows the computer to authenticate and get access to the network before the user logs in. Thus the user authentication CAN take place because the DC's are only available after machine authentication succeeded.
-
I have just bought my iphone 4S 32GB from three weeks ago and 'am facing a problem that in the middle of my calls it suddenly says call failed and it keeps on doing it every call i make .. I Don't know what to DO Please anyone help me i've got OS 5.0.1 and it's factory unlocked i've boughted from USA and it was sent to me where 'am living now in Egypt ...ANy Helpppppppppp Pleasee
try general>settings>reset>reset all settings and start up as an new phone.
-
ISE 1.2 not logging failed authentications on guest portal (CWA)
Hi there
I think this is a bug but wanted to check, if someone knows a good reason why failed authentication attemps with non-existing user account are not logged on ISE 1.2 (CWA).
The different cases:
Case 1: existing user / wrong password -> logged
Case 2: no user / any password -> logged
Case 3: no user / no password -> logged
Case 4: non-existing user / any password -> not logged
In my opinion this is a critical case to be logged because this could be an indicator of a DoS attack or a password penetration test.
Thanks in advance and best regards
DominicHi vatullu
thanks man, you helped me a lot.
Regards
Dominic
Maybe you are looking for
-
On Windows Vista and tried several times to start up my iTunes, but keep getting 'application failed MSVCR80.dll error-7 (windows 126) is this an easy fix ...?
-
Purchase order unable to print even after PO release
I am trying to release a PO thru ME9F but unable to print . PO is released. Could you tel me is this the std behavior...Wat is restricting the PO print out... Waiting for your reply.. Thanks, Murad Shaikh...
-
Adding a doubleclick event on Inline Graphic Image
Hello all, I'm trying to add a doubleClickEvent to an InlineGraphicElement, so that a popup window appears, and I can enter a new width and height. I'm having trouble adding a listener for the doubleClick event to an image that I'm about to add as an
-
WD ABAP - When would I choose ?
Hi All , Can you all please share the decision making criterias for WD ABAP rather than WD Java ? Other than the resources/skills availability , are there any other technical reasons to choose WD ABAP development rather than Java. With the latest NW
-
Unable to use Acrobat 8 as printer in windows 7 x64
I recently upgrade from windows vista to 7. Then I download all the Adobe patches up to 8.1.7. Now, I cannot use PDF as printer when I am on a website or in other programs such as QB.