802.1x port authentication failing after getting a access-accept packet

Hi all,
Im not 100% sure what the hell is going on here.
Any idea's or help will be appreciated.
Heres the topology.
1 x windows 2012 NPS
1x 3750X
1x Windows 7 x64
data flow
<laptop> - - [gi 1/0/13]<3750X>[gi 1/0/48]- -[gi 5/39]<6513>[po 1] - - [po 4]<6509><5/1> - - <VMWARE>[NPS Server]
The switch that is doing the authentication is the 3750X. Here is the IOS version.
Switch Ports Model              SW Version            SW Image
*    1 54    WS-C3750X-48       15.2(1)E              C3750E-UNIVERSALK9-M
A wireshark trace on the NPS server shows that the packets are arriving and being sent back
Wireshark on a mirror of the trunk port connecting the 6513. It also shows packets being sent and arriving. access-accept packets are being recieved.
As you can see in the debug output, the switch is getting a access-accept, then it is stating a AAA failure.
here is a debug output as you plug in the laptop.
Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
Oct 24 10:53:45.643: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:46.641: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:47.538: dot1x-ev:[Gi1/0/13] Interface state changed to UP
Oct 24 10:53:47.564: dot1x-packet:[6431.500e.9b00, Gi1/0/13] queuing an EAPOL pkt on Auth Q
Oct 24 10:53:47.572: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/13
Oct 24 10:53:47.572: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x1
Oct 24 10:53:47.572: dot1x-packet: length: 0x0000
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 0,TYPE= 0,LEN= 0
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Couldn't find the supplicant in the list
Oct 24 10:53:47.572: dot1x-ev:[6431.500e.9b00, Gi1/0/13] New client detected, sending session start event for 6431.500e.9b00
Oct 24 10:53:47.572: AAA/BIND(00000047): Bind i/f
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Sending create new context event to EAP for 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.580: EAP-EVENT: Received context create from LL (Dot1x-Authenticator) (0x15000045)
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received AAA ID 0x00000047 from LL
Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: Assigning AAA ID 0x00000047
Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: CTS not enabled on interface Gi1/0/13
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received Session ID "C0A846660000004700DF6030" from LL
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Setting authentication mode: Passthrough
Oct 24 10:53:47.580:     eap_authen : initial state eap_auth_initialize has enter
Oct 24 10:53:47.580: EAP-EVENT: Allocated new EAP context (handle = 0xE8000047)
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Created a client entry (0x15000045)
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Dot1x authentication started for 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.580: %AUTHMGR-5-START: Starting 'dot1x' for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.580: EAP-EVENT: Received EAP event 'EAP_AUTHENTICATOR_START' on handle 0xE8000047
Oct 24 10:53:47.580:     eap_authen : during state eap_auth_initialize, got event 25(eapStartTmo)
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_initialize -> eap_auth_select_action
Oct 24 10:53:47.580:     eap_authen : during state eap_auth_select_action, got event 20(eapDecisionPropose)
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_select_action -> eap_auth_propose_method
Oct 24 10:53:47.580:     eap_authen : idle during state eap_auth_propose_method
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_propose_method -> eap_auth_method_request
Oct 24 10:53:47.580:     eap_authen : idle during state eap_auth_method_request
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_method_request -> eap_auth_tx_packet
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Current method = Identity
Oct 24 10:53:47.580: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_ID_REQUEST' on handle 0xE8000047
Oct 24 10:53:47.580:     eap_authen : idle during state eap_auth_tx_packet
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_tx_packet -> eap_auth_idle
Oct 24 10:53:47.589: EAP-AUTH-TX-PAK: Code:REQUEST ID:0x1   Length:0x0005 Type:IDENTITY
Oct 24 10:53:47.589: EAP-EVENT: Started 'Authenticator ReqId Retransmit' timer (30s) for EAP sesion handle 0xE8000047
Oct 24 10:53:47.589: EAP-EVENT: Started EAP tick timer
Oct 24 10:53:47.589: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_TX_PACKET' on handle 0xE8000047
Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
Oct 24 10:53:47.597: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Oct 24 10:53:47.597: dot1x-packet: length: 0x0005
Oct 24 10:53:47.597: dot1x-packet:EAP code: 0x1 id: 0x1 length: 0x0005
Oct 24 10:53:47.597: dot1x-packet: type: 0x1
Oct 24 10:53:47.597: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL packet sent to client 0x15000045
Oct 24 10:53:47.606: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Queuing an EAPOL pkt on Authenticator Q
Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 2,TYPE= 1,LEN= 31
Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.001f
Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
Oct 24 10:53:47.606: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Response sent to the server from 0x15000045
Oct 24 10:53:47.606: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_RX_PACKET' on handle 0xE8000047
Oct 24 10:53:47.606: EAP-AUTH-RX-PAK: Code:RESPONSE ID:0x1   Length:0x001F Type:IDENTITY
Oct 24 10:53:47.606:     Payload: 47454E4552414C5C72616E64792E636F ...
Oct 24 10:53:47.606:     eap_authen : during state eap_auth_idle, got event 1(eapRxPacket)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_idle -> eap_auth_received
Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response received by context 0xE8000047
Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response type = Identity
Oct 24 10:53:47.606: EAP-EVENT: Stopping 'Authenticator ReqId Retransmit' timer for EAP sesion handle 0xE8000047
Oct 24 10:53:47.606:     eap_authen : during state eap_auth_received, got event 10(eapMethodData)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_received -> eap_auth_method_response
Oct 24 10:53:47.606: EAP-AUTH-EVENT: Received peer identity: GENERAL\randy.coburn.admin
Oct 24 10:53:47.606: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_IDENTITY' on handle 0xE8000047
Oct 24 10:53:47.606:     eap_authen : during state eap_auth_method_response, got event 13(eapMethodEnd)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_method_response -> eap_auth_select_action
Oct 24 10:53:47.606:     eap_authen : during state eap_auth_select_action, got event 19(eapDecisionPass)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_select_action -> eap_auth_passthru_init
Oct 24 10:53:47.606:     eap_authen : during state eap_auth_passthru_init, got event 22(eapPthruIdentity)
Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_passthru_init -> eap_auth_aaa_req
Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_GET_PEER_MAC_ADDRESS' on handle 0xE8000047
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding Audit-Session-ID "C0A846660000004700DF6030" to RADIUS Req
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added Audit-Session-ID
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding IDB "0x070B90F8" to RADIUS Req
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added IDB
Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_AAA_REQUEST' on handle 0xE8000047
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: eap_auth_aaa_authen_request_shim aaa_service 19, eap aaa_list handle 0, mlist handle 0
Oct 24 10:53:47.614: AAA/AUTHEN/8021X (00000000): Pick method list 'default'
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Request sent successfully
Oct 24 10:53:47.614:     eap_authen : during state eap_auth_aaa_req, got event 24(eapAAAReqOk)
Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_aaa_req -> eap_auth_aaa_idle
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute hwidb
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-type
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-service
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute clid-mac-addr
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute target-scope
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-unique-id
Oct 24 10:53:47.614: RADIUS(00000000): Config NAS IP: 0.0.0.0
Oct 24 10:53:47.614: RADIUS(00000000): sending
Oct 24 10:53:47.614: RADIUS/ENCODE: Best Local IP-Address 192.168.70.102 for Radius-Server 192.168.19.121
Oct 24 10:53:47.614: RADIUS(00000000): Send Access-Request to 192.168.19.121:1645 id 1645/21, len 288
Oct 24 10:53:47.614: RADIUS: authenticator F1 BA E5 31 71 54 BF 1A - A2 B1 5E 1A 63 72 1E 72
Oct 24 10:53:47.614: RADIUS: User-Name           [1]   28 "GENERAL\randy.coburn.admin"
Oct 24 10:53:47.614: RADIUS: Service-Type        [6]   6   Framed                    [2]
Oct 24 10:53:47.614: RADIUS: Vendor, Cisco       [26] 27
Oct 24 10:53:47.614: RADIUS:   Cisco AVpair       [1]   21 "service-type=Framed"
Oct 24 10:53:47.614: RADIUS: Framed-MTU          [12] 6   1500
Oct 24 10:53:47.614: RADIUS: Called-Station-Id   [30] 19 "AC-F2-C5-75-7D-0D"
Oct 24 10:53:47.614: RADIUS: Calling-Station-Id [31] 19 "64-31-50-0E-9B-00"
Oct 24 10:53:47.614: RADIUS: EAP-Message         [79] 33
Oct 24 10:53:47.614: RADIUS:   02 01 00 1F 01 47 45 4E 45 52 41 4C 5C 72 61 6E 64 79 2E 63 6F [GENERAL\randy.co]
Oct 24 10:53:47.622: RADIUS:   62 75 72 6E 2E 61 64 6D 69 6E        [ burn.admin]
Oct 24 10:53:47.622: RADIUS: Message-Authenticato[80] 18
Oct 24 10:53:47.622: RADIUS:   EE 52 4D ED B9 06 F3 CE 63 AC 9D 73 24 1B A7 ED             [ RMcs$]
Oct 24 10:53:47.622: RADIUS: EAP-Key-Name        [102] 2   *
Oct 24 10:53:47.622: RADIUS: Vendor, Cisco       [26] 49
Oct 24 10:53:47.622: RADIUS:   Cisco AVpair       [1]   43 "audit-session-id=C0A846660000004700DF6030"
Oct 24 10:53:47.622: RADIUS: Vendor, Cisco       [26] 20
Oct 24 10:53:47.622: RADIUS:   Cisco AVpair       [1]   14 "method=dot1x"
Oct 24 10:53:47.622: RADIUS: NAS-IP-Address      [4]   6   192.168.70.102
Oct 24 10:53:47.622: RADIUS: NAS-Port            [5]   6   60000
Oct 24 10:53:47.622: RADIUS: NAS-Port-Id         [87] 23 "GigabitEthernet1/0/13"
Oct 24 10:53:47.622: RADIUS: NAS-Port-Type       [61] 6   Ethernet                  [15]
Oct 24 10:53:47.622: RADIUS(00000000): Sending a IPv4 Radius Packet
Oct 24 10:53:47.622: RADIUS(00000000): Started 10 sec timeout
Oct 24 10:53:47.622: RADIUS: Received from id 1645/21 192.168.19.121:1645, Access-Accept, len 66
Oct 24 10:53:47.622: RADIUS: authenticator 92 F6 07 AF C1 AB 0B 4C - 1D 9E A0 D1 01 36 27 26
Oct 24 10:53:47.622: RADIUS: Class               [25] 46
Oct 24 10:53:47.622: RADIUS:   76 E3 06 66 00 00 01 37 00 01 02 00 C0 A8 13 79 00 00 00 00 00 00 00 00 00 00 00 00 01 CE CF F8 1F 7B 75 41 00 00 00 00 00 00 00 50          [ vf7y{uAP]
Oct 24 10:53:47.622: RADIUS(00000000): Received from id 1645/21
Oct 24 10:53:47.622: EAP-EVENT: eap_aaa_reply
Oct 24 10:53:47.622: EAP-AUTH-AAA-EVENT: Reply received session_label 72000033
Oct 24 10:53:47.622: EAP-EVENT: Received AAA event 'EAP_AAA_FAIL' on handle 0xE8000047
Oct 24 10:53:47.622:     eap_authen : during state eap_auth_aaa_idle, got event 8(eapAAAFail)
Oct 24 10:53:47.622: @@@ eap_authen : eap_auth_aaa_idle -> eap_auth_failure
Oct 24 10:53:47.631: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
Oct 24 10:53:47.631: EAP-AUTH-TX-PAK: Code:FAILURE ID:0x1   Length:0x0004
Oct 24 10:53:47.631: EAP-AUTH-EVENT: FAIL for EAP method ID: 1, name: , on handle 0xE8000047
Oct 24 10:53:47.631: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_FAIL' on handle 0xE8000047
Oct 24 10:53:47.631: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Received an EAP Fail
Oct 24 10:53:47.639: %DOT1X-5-FAIL: Authentication failed for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Added username in dot1x
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Dot1x did not receive any key data
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Processing client delete for hdl 0x15000045 sent by Auth Mgr
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] 6431.500e.9b00: sending canned failure due to method termination
Oct 24 10:53:47.639: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
Oct 24 10:53:47.639: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Oct 24 10:53:47.639: dot1x-packet: length: 0x0004
Oct 24 10:53:47.639: dot1x-packet:EAP code: 0x4 id: 0x1 length: 0x0004
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL canned status packet sent to client 0x15000045
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Deleting client 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.639: %AUTHMGR-7-STOPPING: Stopping 'dot1x' for client 6431.500e.9b00 on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.639: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.648: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Delete auth client (0x15000045) message
Oct 24 10:53:47.648: EAP-EVENT: Received free context (0xE8000047) from LL (Dot1x-Authenticator)
Oct 24 10:53:47.648: dot1x-ev:Auth client ctx destroyed
Oct 24 10:53:47.648: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_DELETE' on handle 0xE8000047
Oct 24 10:53:47.648: EAP-AUTH-EVENT: Freed EAP auth context
Oct 24 10:53:47.648: EAP-EVENT: Freed EAP context
Oct 24 10:53:48.621: EAP-EVENT: Stopped EAP tick timer
Oct 24 10:53:49.485: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to up
Oct 24 10:53:50.491: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to up
Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
Oct 24 10:53:54.518: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:55.524: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down

Hi Jatin,
See below the data that you have requested.
show run bits.
aaa new-model
aaa authentication dot1x default group radius
aaa session-id common
clock timezone BST 0 0
clock summer-time UTC recurring last Sun Mar 1:00 last Sun Oct 2:00
dot1x system-auth-control
interface GigabitEthernet1/0/13
switchport access vlan 80
switchport mode access
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface GigabitEthernet1/0/48
switchport trunk encapsulation dot1q
switchport trunk native vlan 70
switchport mode trunk
radius server NPS1
address ipv4 192.168.19.121 auth-port 1645 acct-port 1646
timeout 10
key thesecret
ip default-gateway 192.168.70.1
SW1-randy#show auth sessions interface gig 1/0/13
Interface    MAC Address    Method       Domain          Status    Fg Session ID
Gi1/0/13     803f.5d09.189e N/A          UNKNOWN      Unauth         C0A846660000002F00251DBC
SW1-randy#Show mac address-table Interface GigabitEthernet1/0/13
          Mac Address Table
Vlan    Mac Address       Type        Ports
80    803f.5d09.189e    DYNAMIC     Drop
SW1-randy#ping 192.168.19.121
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.19.121, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
Here is a wireshark of the accept packet.
Message was edited by: randy coburn
Added wireshark trace

Similar Messages

802.1x Port Authentication via RADIUS

I am investigating implementing 802.1x port authentication on our network.
I have a test LAN with a Catalyst 2950 switch and 2 Win XP workstations, (I know its pretty basic, but should be enough for testing purposes). One of these XP PCs is running a Win32 RADIUS server and the other has been configured for 802.1x authentication with MD5-Challenge. Both switch ports are configured for the default vlan and can ping each other.
I have configured the switch with the following commands
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host x.x.x.x key test
and the port to be authorised has been configured with
dot1x port-control auto
As far as I can tell this is all I need to configure on the switch, please correct me if I am wrong.
When I plug the PC into the port I get the request to enter login details, which I do, the RADIUS server sees the request but rejects it, because 'the password wasnt available'. Here is the output from the request, but there isnt any password field and I know there should be as the RADIUS server comes with a test utility and the output from that is similar to below, but the password field is included. I have removed IP/MAC addresses.
Client address [x.x.x.x]
NAS address [x.x.x.x]
UniqueID=3
Realm = def
User = Administrator
Code = Access request
ID = 26
Length = 169
Authenticator = 0xCCD65F510764D2B2635563104D0C2601
NAS-IP-Address = x.x.x.x
NAS-Port = 50024
NAS-Port-Type = Ethernet
User-Name = Administrator
Called-Station-Id = 00-11-00-11-00-11
Calling-Station-Id = 11-00-11-00-11-00
Service-Type = Framed
Framed-MTU = 1500
State = 0x3170020000FCB47C00
EAP-Message = 0x0201002304106424F60D765905F614983F30504A87BA41646D696E6973747261746F72
Message-Authenticator = 0xA119F2FD6E7384F093A5EE1BF4F761EC
Client address [x.x.x.x]
NAS address [x.x.x.x]
UniqueID=4
Realm = def
User = Administrator
Code = Access reject
ID = 26
Length = 0
Authenticator = 0xCCD65F510764D2B2635563104D0C2601
EAP-Message = 0x04010004
Message-Authenticator = 0x00000000000000000000000000000000
On the 2950 I have turned on debugging with 'debug dot1x all' and part of the output is below:
*Mar 2 01:58:38: dot1x-ev:Username is Administrator
*Mar 2 01:58:38: dot1x-ev:MAC Address is 0011.0011.0011
*Mar 2 01:58:38: dot1x-ev:RemAddr is 00-11-00-11-00-11/00-11-00-11-00-11
*Mar 2 01:58:38: dot1x-ev:going to send to backend on SP, length = 26
*Mar 2 01:58:38: dot1x-ev:Received VLAN is No Vlan
*Mar 2 01:58:38: dot1x-ev:Enqueued the response to BackEnd
*Mar 2 01:58:38: dot1x-ev:Sent to Bend
*Mar 2 01:58:38: dot1x-ev:Received QUEUE EVENT in response to AAA Request
*Mar 2 01:58:38: dot1x-ev:Dot1x matching request-response found
*Mar 2 01:58:38: dot1x-ev:Length of recv eap packet from radius = 26
*Mar 2 01:58:38: dot1x-ev:Received VLAN Id -1
Again there doesnt appear to be a password, shouldn't I see one?
Ultimately we will be using a Unix RADIUS server but for testing purposes I have just configured an eval version of Clearbox's RADIUS server. I've tried others as I thought the problem maybe the software, but I get similar problems regardless. If anyone can recommend better Win32 software, please do so.
I'm struggling to figure out where the problem is, the XP machine, the switch or the RADIUS server. Any advice would be appreciated as it's getting quite frustrating.

These are dot1x event debugs, so you wouldn't see this with that debug. The closest thing to seeing it would be to debug radius on the switch, and the password would be contained in RADIUS Attribute[79]. The switch uses this attribute to replay the EAP message (unmodified) to a RADIUS server. You might see it, but it's encrytped, so it might not buy you much. I'm sure you can imagine from a security point of view why the switch won't/shouldn't have this much visibility into this ;-).
I would recommend either:
a) Double-checking your RADIUS setup and logs to find out why the user failed. (double-check the RADIUS key configured on the switch too .. it must match).
b) Downloading a third-party supplicant from Meetinghouse or Funk to use as a control.
Eval copies are available on their websites.
Hope this helps,

Radius server for 802.1x port authentication

Does anybody know if CiscoSecure for Unix version 2.3.6.2 can be used as a Radius server for 802.1x port authentication? I know the Windows version will do this and can be configured to assign a user to a specific VLAN, but can the UNIX software do the same?
Thanks

Check connectivity between the PIX and the server.
If the server is outside the PIX, verify that it is specified in the (if_name) parameter of the aaa-server command. In the example below, the (if_name) parameter represents outside.
aaa-server group_tag (if_name) host server_ip key timeout 5
If you are using TACACS+, verify that the PIX and server are communicating on the same port (Transmission Control Protocol (TCP)/49).
If you are using RADIUS, verify that the PIX and server are communicating on User Datagram Protocol (UDP) port 1645. Or, if the RADIUS server is using port 1812, verify that the PIX is using software version 6.0 or later, and then issue the aaa-server radius-authport 1812 command to specify port 1812.
Ensure that the secret key is correct.
Check the server logs for failed attempts. All servers have some kind of logging function.

About 802.1x port authentication using TACACS+

Hi
I have some question. Please help me. Thanks.
Question1. May I use that 802.1x port authentication using TACACS+
Question2. Is it true? TACACS+ will not work with 802.1x because EAP is not supported in TACACS+, and there are no plans to get EAP over TACACS+.
Any help would be greatly appreciated.
Thanks.

Thanks to you.
Where to find the documents about Tacacs+ doesn't support EAP?
I cast more time and I cannot find the documents.
Please help me....
Thanks.

BO XI 3.1 : Active Directory Authentication failed to get the Active Directory groups

Dear all
        In our environment, there are 2 domain (domain A and B); it works well all the time. Today, all the user belong to domain A are not logi n; for user in domain B, all of them can log in but BO server response is very slowly. and there is error message popup when opening Webi report for domain B user. Below are the error message:
       " Active Directory Authentication failed to get the Active Directory groups for the account with ID:XXXX; pls make sure this account is valid and belongs to an accessible domain"
      Anyone has encountered similar issue?
   BO version: BO XI 3.1 SP5
   Authenticate: Windows AD
Thanks and Regards

Please get in touch with your AD team and verify if there are any changes applied to the domain controller and there are no network issues.
Also since this is a multi domain, make sure you have 2 way transitive forest trust as mentioned in SAP Note : 1323391 and FQDN for Directory servers are maintained in registry as per 1199995
http://service.sap.com/sap/support/notes/1323391
http://service.sap.com/sap/support/notes/1199995
-Ambarish-

802.1x port authentication and Windows Radius, possible?

Hello,
I'm just testing at the moment before implementing on our netowrk, but has anyone implemented 802.1x port authentication on there Cisco switch and used a Windows IAS server? See out users are all all on a Windows domain and I want to authenticate using their active directory credentials. I think I am fine with the switch config, but it is the Windows IAS/Raduis server. I have added the switch IP's and secret, but I need to create a policy to accept the domain users and need help.
Thanks

Andy:
Yes of course you can use whatever radius server as a AAA server for 802.1x authentication on the switches. NPS, IAS, ACS, Open RADIUS ....etc.
If you have problem with configuring the IAS then I would suggest that you post your quesiton in a microsoft forum and not here. They would be able to better assist you with your issue. But you can still look somewhere in this forum or in google to help yourself.
See this link, it could be useful for you: https://supportforums.cisco.com/thread/2090403
Regards,
Amjad
Rating useful replies is more useful than saying "Thank you"

Help Please :) LInksys WRVS4400N 802.1X port authentication setup

HI all,
I am trying to configure 802.1X port authentication on my Linksys WRVS4400N. I created a test lab in order to do this, currently I am using
1x Linksys WRVS4400N
1x Microsoft Server 2003 with IAS and Active Directory services
1x Dell Laptop (Used for testing Radius Athentication)
I Created 4 VLAN(s) to test with this LAB
VLAN 1 Managament. Addr Range 192.168.1.0 /24. GW 192.168.1.254
VLAN 10 Servers. Addr Range 172.16.1.0 /24. GW 172.16.1.254
VLAN 20 IT. Addr Range 172.16.2.0 /24. GW 172.16.2.254
VLAN 30 Design. Addr Range 172.16.3.0 /24. GW 172.16.3.254
This is how I assigned my VLAN(s) to my ports. This is found on the VLAN & Port Assignment Screen
Port 1 -> Mode: General -> Frame Type: All -> PVID 1 (Port 1 is used for VLAN 1: Management)
Port 2 -> Mode: General -> Frame Type: All -> PVID 10 (Port 2 is used for VLAN 20: Servers)
Port 3 -> Mode: Access -> Frame Type: All (Port 3 is used for RADIUS. DHCP enabled)
Port 4 -> Mode: Access -> Frame Type: All (Port 4 is used for RADIUS. DHCP enabled)
VLAN 1: Default
Port 1: Untagged, Port 2: Tagged, Port(s): 3, 4 & Wireless: Excluded
VLAN 10: Servers
Port(s): 1, 3, 4 & Wireless: Excluded. Port 2: Untagged
VLAN 20: IT
Port(s): 1, 2: Excluded, Port(s): 3,4 & Wireless: Untagged
VLAN 30: Design
Port(s): 1, 2: Excluded, Port(s): 3,4 & Wireless: Untagged
This is how my Radius is setup
Mode: Enabled
RADIUS IP: 172.16.1.1 (IP of the WIN2K3 Server)
UDP Port: 1812
Secret: Password1
Port(s) 1 & 2: Force Authorized
Port(s) 3 & 4: Force UnAuthorized
On the Server this is what I have configured
1. Created a domain: GLAB. Created two groups: IT LAN, Design LAN, then assigned users to those groups. IE: User1 belongs to IT LAN
2. Created a IAS Remote Access Policy and named it IT LAN. The profile settings are listed below
Tunnel-Medium-Type: 802
Tunnel-PVT-Group-ID: 20
Tunnel-Type: Virtual LAN
My goal is to test RADIUS authentication on ports 3 and 4 on the Linksys WRV . I tested everything else I made sure the VLAN's were working ok so what I did was took a Dell Laptop and joined it to my domain. I pluged the Dell Laptop into port 4 to test Radius Authentication. When I tried to log in as User1 it didn't work.
I am new to setting up 802.1X, I wanted to know if I missed a setting or I misconfigured something. I even ran wireshark on my Windows 2003 machine to see if any RADIUS data is coming from my router (172.16.1.254) and I didn't see anything
If anybody can help me out that would be great!
Cheers
Graham

1. I don't think the WRVS4400N supports RADIUS assigned VLANs. I can't find anything in the manual suggesting it would. I would say you can only use the RADIUS server for authentication on a port but the VLAN must be configured before.
2. You don't write what is exactly connected to each port on the WRVS. For instance, it is unclear whether the MS Server is connected directly to port 2 or whether it connects to another switch to which you have connected other servers as well.
3. The VLAN configuration looks very odd to me. If I see it correctly you have:
Port 1: General mode, PVID 1, 1U
Port 2: General mode, PVID 10, 1T, 10U
Port 3: Access mode, PVID ???, 20U, 30U
Port 4: Access mode, PVID ???, 20U, 30U
I wonder why you are even able to set this up...
a. Port 1 should be set to Access mode with PVID 1 and 1U. With access mode the port is member of a single VLAN and all traffic is untagged. That is exactly what you have set up, but with General mode.
b. Port 2 must be connected to a server (or a managed switch). The NIC in the server must be configured for 802.1q tagged frames. On the server NIC you must configure VLAN 1 as tagged VLAN and VLAN 10 as default/native/untagged VLAN. Only then the server is able to communicate on VLAN 1 and VLAN 10.
c. Port 3&4 are in access mode. In access mode the port can only be member of a single VLAN. What you post suggests that they are member of two VLANs. That should not even be possible to configure. If it is possible, that it is definitively incorrect. You must decide to which VLAN these ports belong to.
4. To use RADIUS authentication on a port you must set it to "Auto". "Force UnAuthorized" sets it unauthorized, i.a.W. you disable the port completely. To traffic will go through. See the manual: "Force Unauthorized—Controlled port state is set to Force-Unauthorized (discard traffic). All connections are blocked."
5. Did you verify that your RADIUS server is actually using port 1812? 1645 is also commonly used for radius authentication. Check the configuration on the RADIUS server or check with "netstat -a" to see if 1812 is used.
6. Also check, whether the RADIUS traffic is sent on the management VLAN 1. The WRVS uses VLAN 1 as management VLAN and it might well be that it expects the RADIUS server to be in the management VLAN. Use the server IP address in VLAN 1 as RADIUS server IP address to check that.
7. Did you check with wireshark the traffic on the 802.1x client machine? Does it send something out? Does it receive anything?

About TACACS+ and 802.1x port authentication

Hi
Is it true? TACACS+ will not work with 802.1x port authentication because EAP is not supported in TACACS+,
Where to find the documents about Tacacs+ doesn't support EAP?
Regards,
Thanks.

Correct, TACACS does not support EAP, check the following links:
https://cisco.hosted.jivesoftware.com/message/7901
http://www.rfc-editor.org/rfc/rfc1492.txt

Toshiba EXCITE Pro - WIFI connection. Authentication failed after update

Hello.
Just received this Tablet.
Everything seemed ok while updating to the latest version (did that first to solve the heat problems).
After the last update *i lost my WIfi connection. Authentication failed* (didnt change something - was connecting - updating ok 1 minute before the last update).
After that i started testing ,Wps connection , No security Wifi etc etc.
*Finally at a random time (and with the initial settings) i got connected*. After i shut down the tablet the same problem occured.
After doing the same things again i finally got connected and this time it seems to be ok, even after i shut down the tablet.
However this is frustrating.
Maybe you have to sort this out?
I have seen and other people returning this tablet after having this problem.
It is not a hardware problem since its working ok before the update.
Of course tried factory reset twice.
Hope i dont have this problem again, *but i am informing in hope that you fix this in a future update.*

Toshiba sent me the fix for this. Figured I would use Facebook and they sorted a solution straight away.
It requires a complete reset. Not the soft reset from within Android.
I'll post it here as they will check through moderation I guess.
Thanks for sending a private message Ben. For us to get this resolved for you we would advise to perform a reset from the Android system recovery menu, to do the reset please follow these steps:
The reset process will delete any data, settings, and applications on your tablet. You must have a backup of any data you wish to keep before proceeding.
1. Make sure the tablet is off and not in standby.
2. Hold down the Volume Up and Power buttons simultaneously until the two Android icons appear.
3. Use the volume buttons to select the white box on the right.
4. Once selected, press the power button.
5. Use the volume buttons to select wipe cache partition and then press the power button.
6. Select Yes and press the power button.
7. Use the volume buttons to select wipe data/factory reset and then press the power button.
8. Select Yes and press the power button.
9. The tablet will now reset.
If you have any issues after the reset please get back to us as soon as possible!
Its been working well ever since. I guess the cache clean part might be the main one. You'll have to select the reboot yourself as I did at the end.
Might be best to use Facebook i'll see if I can find my post as the response was quick and efficient unlike their responses in here. I.e nowt from them so far.
They needed my name and serial numbers probably to log problems etc.
Message was edited by: bensimmo

802.1x port authentication not working

I am having some troubles figuring out what is going on here. I am trying to setup 802.1x port based authentication to assign clients to VLANs. I inherited this mess and its been a long time since I have used this. I ran a wireshark on my Radius server and I see no packets even coming from my switch IP address when I plug into a port (I verified communication because pings come up in my trace)
Switch info:
sw-ConfB>sho ver
Cisco IOS Software, C2960C Software (C2960c405-UNIVERSALK9-M), Version 12.2(55)EX3, RELEASE SOFTWARE (fc2)
Port config:
interface FastEthernet0/11
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
Radius Server Info:
radius-server host 10.0.1.52 auth-port 1645 acct-port 1646 key 802.1x!
Kinda lost why not Radius packet even comes from the switch. Any tips?

sw-ConfB#sho ru
Building configuration...
Current configuration : 6301 bytes
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname sw-ConfB
boot-start-marker
boot-end-marker
enable secret 5 $1$3QAC$puzutRpCI5zR3Xv55xBVH0
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common
system mtu routing 1500
crypto pki trustpoint TP-self-signed-706182400
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-706182400
revocation-check none
rsakeypair TP-self-signed-706182400
crypto pki certificate chain TP-self-signed-706182400
certificate self-signed 01
3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 37303631 38323430 30301E17 0D393330 33303130 30303430
365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3730 36313832
34303030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
C72AE421 F5BF8C62 7C9E14C1 E73686FB 67DD760A 0C6C790D 935143A0 8DD96CC8
D14A11C1 D16F9583 AE3B591E 68581049 1C837110 1B1C0398 BDE81C86 3F80CD45
E55EBE76 73B9F7AB 5F14CBD5 2BD38330 E1B4FA92 32490A66 CE0BE135 9B695D97
BF7C04FB 2999CF98 2336E82C 559A89C1 7F4E2948 1D73EBD4 236E4DD9 4D8675AB
02030100 01A36930 67300F06 03551D13 0101FF04 05300301 01FF3014 0603551D
11040D30 0B820973 772D436F 6E66422E 301F0603 551D2304 18301680 14C35330
A1D32EA5 C2A07CC9 B1B3CCDB EB93CAA7 02301D06 03551D0E 04160414 C35330A1
D32EA5C2 A07CC9B1 B3CCDBEB 93CAA702 300D0609 2A864886 F70D0101 04050003
8181002E FC217BF1 F9E6FBE1 B07270A6 79A57AA5 691A949D C61C00C2 09C1C3CA
CA14EE07 60BA058E CFDCD8E7 19D83B68 5F06B92C 8612B396 B18BA823 C0E83021
2EFD391E 06113246 5609E287 7883422A 0513AF6D 5BF03CDE 92786B1D 3E01284C
1EE23296 12999C71 BE8A5BEA 4B768F7E 6EB63E05 B71AF375 7FB72B98 7665BF45 D14622
quit
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface FastEthernet0/1
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/2
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/3
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/4
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/5
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/6
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/7
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/8
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/9
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/10
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/11
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/12
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface GigabitEthernet0/1
switchport trunk native vlan 200
switchport trunk allowed vlan 100,200,900
switchport mode trunk
interface GigabitEthernet0/2
switchport access vlan 100
switchport mode access
interface Vlan1
no ip address
interface Vlan100
ip address 10.0.1.3 255.255.255.0
interface Vlan200
ip address 10.0.2.4 255.255.255.0
interface Vlan900
ip address 10.0.9.4 255.255.255.0
ip default-gateway 10.0.1.1
ip http server
ip http secure-server
ip sla enable reaction-alerts
radius-server host 10.0.1.52 auth-port 1645 acct-port 1646 key 802.1x!
radius-server retransmit 5
radius-server key secret
radius-server vsa send authentication

802.1X Port Authentication\ACS Question

Hello,
I"m troubleshooting a 3560 port authentication issue. From what I was told from other members of my team when we upgraded to windows 7 at this site authentication no longer works. I compared an old config to a recent one and noticed there was no command dot1x system-auth-control.
I have only been dealing with 802.1x for a short time and my other configs have this command. My question is without this command could there still have been port authentication working? On a inteface for ex. they do have the following which are inligned with my other configs. FYI, I didn't set this site up and it has the rest of the config correct like radius and aaa. When I went onsite to test I shut down the service on my laptop for 802.1x which should of blocked me so I thought. When I checked the ACS server for the log it showed my username and my correct IP address along with the correct switch but it showed I connected using PAP_ASCII, I"m not sure how this protocol got used since we don't use that. Thanks for any suggestions you might have.
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-host
dot1x violation-mode protect
dot1x reauthentication
aaa new-model
aaa authentication password-prompt PASSCODE---->
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa session-id common

I have a little more to add. I was looking in the ACS and did find PAP_ASCII checked so at my home office which I know port security to be working at least that's what I thought. I turned off wired auto config and could still get on and when I looked at the ACS logs I saw my name with this protocol again. Not sure how this got turned on but my questionbecomes if 802.1x is setup on the switch but ACS allows this protocol and my laptop isn't running any 802.1x settings I can still get on the network, is this the correct behavior for this setup?
Thanks,

VPN Tunnel w/ 802.1X port authentication against remote RADIUS server

I have a Cisco 892 setup as a VPN client connecting to an ASA 5515-X. The tunnel works fine and comes up if theirs correct traffic. I have two RADIUS servers I want to use certificate based authentication to, that are located behind the ASA 5515-X.
If I connect a computer that has the correct certificates to ports FA0 through 3, authentication won't work. I'll see the following. This happens even if the VPN tunnel is established already by doing something such as connecting a VOIP phone. No entrys are located in the RADIUS logs, and I also cannot ping the RADIUS servers from VLAN10.
*Jan 30 19:46:01.435: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.100:1812,1813 is not responding.
*Jan 30 19:46:01.435: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.1.100:1812,1813 is being marked alive.
*Jan 30 19:46:21.659: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.26.10:1812,1813 is not responding.
*Jan 30 19:46:21.659: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.26.10:1812,1813 is being marked alive.
If I connect a second PC to an interface with 802.1X disabled, such as FA6, the VPN tunnel will establish itself correctly. In this situation, I can ping the RADIUS servers from VLAN10. If I go ahead and connect another PC with correct certificates to a port with 802.1X enabled such as port FA0 through 3, then 802.1X will suceed.
Current configuration : 6199 bytes
! Last configuration change at 15:40:11 EST Mon Feb 3 2014 by
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router1
boot-start-marker
boot-end-marker
aaa new-model
aaa local authentication default authorization default
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
ip cef
ip dhcp pool pool
import all
network 192.168.28.0 255.255.255.248
bootfile PXEboot.com
default-router 192.168.28.1
dns-server 192.168.26.10 192.168.1.100 8.8.8.8 4.2.2.2
domain-name domain.local
option 66 ip 192.168.23.10
option 67 ascii PXEboot.com
option 150 ip 192.168.23.10
lease 0 2
ip dhcp pool phonepool
network 192.168.28.128 255.255.255.248
default-router 192.168.28.129
dns-server 192.168.26.10 192.168.1.100
option 150 ip 192.168.1.132
domain-name domain.local
lease 0 2
ip dhcp pool guestpool
network 10.254.0.0 255.255.255.0
dns-server 8.8.8.8 4.2.2.2
domain-name local
default-router 10.254.0.1
lease 0 2
no ip domain lookup
ip domain name remote.domain.local
no ipv6 cef
multilink bundle-name authenticated
license udi pid CISCO892-K9
dot1x system-auth-control
username somebody privilege 15 password 0 password
redundancy
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key secretpassword address 123.123.123.123
crypto ipsec transform-set pix-set esp-aes 256 esp-sha-hmac
mode tunnel
crypto map pix 10 ipsec-isakmp
set peer 123.123.123.123
set transform-set pix-set
match address 110
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
interface FastEthernet0
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet1
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet2
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet3
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet4
switchport access vlan 10
switchport voice vlan 11
no ip address
spanning-tree portfast
interface FastEthernet5
switchport access vlan 12
switchport voice vlan 11
no ip address
spanning-tree portfast
interface FastEthernet6
switchport access vlan 10
switchport voice vlan 11
no ip address
spanning-tree portfast
interface FastEthernet7
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet8
no ip address
shutdown
duplex auto
speed auto
interface GigabitEthernet0
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map pix
interface Vlan1
no ip address
interface Vlan10
ip address 192.168.28.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
interface Vlan11
ip address 192.168.28.129 255.255.255.248
interface Vlan12
ip address 10.254.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 101 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
ip radius source-interface Vlan10
ip sla auto discovery
access-list 101 deny ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.28.0 0.0.0.255 any
access-list 101 permit ip 10.254.0.0 0.0.0.255 any
access-list 110 permit ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 192.168.29.0 0.0.0.255 192.168.0.0 0.0.255.255
radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key secretkey
radius-server host 192.168.26.10 auth-port 1812 acct-port 1813 key secretkey
control-plane
mgcp profile default
line con 0
line aux 0
line vty 0 4
transport input all
ntp source FastEthernet0
ntp server 192.168.26.10
ntp server 192.168.1.100
end

I have 802.1X certificate authentication enabled on the computers. As described in my post above, authentication will work if theirs another device on the same VLAN that is connected to a port that bypasses authentication. It seems like I have a chicken and egg scenario, a device needs to be sucessfully connected to VLAN10 before the router will use it's VLAN10 interface to communicate with my remote RADIUS server.

AFP authentication fails after software updates

Hi,
I'm running a 10.4.7 server configured as an Open Directory Master. It is the only server and is mainly used for AFP and SMB file sharing. (No client shell logins).
For some time now (since 10.4.3) I'm finding that after I apply a Software Update* our AFP users can no longer log in to AppleShare. They can mount the same volumes via SMB, but cannot authenticate via AFP until I have them manually reset their password (even to the old value) in Workgroup Manager.
The ApplePasswordServer.Server.log file shows:
DIGEST-MD5 authentication failed, SASL error -13 (password incorrect)
(It's definitely not a case of mis-typed passwords, as these errors are generated by saved keychain logins...and the same keychain logins work again after the old password has been re-entered again in Workgroup Manager).
Has anybody seen any problems like this before and have any ideas how to fix it?
* I haven't been able to narrow down specifically which types of Software Updates yet.
Mac OS X (10.4.7)
Mac OS X (10.4.3)

It is one user per sharepoint for personal directories on the server. Many of the users do have access to various other sharepoints however for common projects, etc.
(None of the share points are in the sub-directories of any other sharepoints either. ie. No sharepoint has an ancestor directory that is also a sharepoint.)
When the problem occurs, all AFP users lose access to all AFP sharepoints however.
The permissions on the sharepoints themselves are ok as:
- users can access the same sharepoint with SMB
- when the user re-enters their password, AFP access is restored, without needing to change the permissions whatsoever.
I hope that is a bit clearer! Appreciate your time in responding.

"Kerberos" authentication failed while trying to access EMC or EMS

Salam,
I have successfully installed Exchange 2010 SP1 on a transitional environment, the installation went smooth without any problem and I've done most of the trasitioning configuration from Exchange Server 2003 to Exchange Server 2010.
Currently we're in the process of moving the mailboxes, but I've come across a problem recently which stopped all my work and I can no longer commence with this transition unless its solved.
Sometimes when I try to access EMC or EMS I get the hereunder error:
The following error occurred while attempting to connect to the specified Exchange server 'afhmail.arabfinancehouse.com.lb':
The attempt to connect to http://afhmail.arabfinancehouse.com.lb/PowerShell using "Kerberos" authentication failed: Connecting to remote server failed
with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
I've read most of the articles found on the internet including
http://msexchangeteam.com/archive/2010/02/04/453946.aspx to try to troubleshoot this problem but nothing has worked so far, I tried removing Win RM IIS extensions as well then adding them again with a restart and nothing. I tried the Kerbauth dll removal
also nothing and the problem keeps to occur and the situation is not stable.
Also I read in a KB article somewhere that if we have multiple domain controllers a single domain controller should be assigned on the Exchange Server (Organization Configuration, Server Configuration, Recipient Configuration) so I assigned the PDC to be selected
by those configurations at startup, yet I am still facing the same problem.
Again I emphasis that the problem comes and goes, at a time I can access EMS and at another is just gives me the Kerberos error.
Thank you very much in advance,
Kindest Regards.
Abdullah Abdullah

Hi Abdullah,
Can you open the EMS?
If yes, please run the WinRM QC and post the results here.
If possible, please use another admin's account to log on to Exchange to try to open EMC.
Frank Wang
TechNet Subscriber Support
in forum
If you have any feedback on our support, please contact
[email protected]
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Windows 7 – 802.1x Authentication fails after wakeup from Sleep/Hibernation

In our environment we randomly have issues with 802.1x authentications after Sleep or Hibernation of our client-systems.
Clients have Windows 7 as OS and are up-to-date regarding regular updates/patches. Drivers (at least
network and chipset) on affected machines have also been updated.
802.1x authentication method is PEAP (EAP-MSCHAPv2) and systems are validated
against Active Directory by RADIUS.
Analyzing the logs of our RADIUS-Server you can see that the client trys to authenticate
via MAC instead of its DNS-Name/FQDN (desired method). So the request fails and the client is assigned to a different VLAN without access to the company’s resources. Following steps like DHCP work correctly.
We have enabled the tracing of RAS-components on some of our clients by executing the following command-line: netsh ras set tracing
* enabled
Analyzing the client’s log-file “C:\Windows\tracing\svchost_RASCHAP.LOG” it looks like that the
component is simply not up at that point in time, because there are absolutely no entries making it impossible to search for a specific error/error-code. Side-fact: unplugging the network-cable and plugging it in again forces the client to
authenticate again – successfully and with entries in the given log.
There has been an article KB980295 describing my issue but that does not apply to Windows 7. Hotfix KB2736878 cannot be applied (0x80240017
- install is not needed because no updates are applicable).
Does anyone have an idea how you could force the component to initialize earlier (if it is possible at all)?
Any other advice is highly appreciated as well!
Thanks a lot

Hi Deason,
sorry for my very very late reply on this.
Even if I could not solve the problem yet, I can tell about some progress.
As both KB-Files (980295 and 2481614) sadly did not help with this at all and even setting the blockperiod to 1 (I saw that 0 doesn't seem to be supported here: https://technet.microsoft.com/en-us/library/hh831813.aspx) didn't make any difference I
have been working on how to reproduce the issue. So I wrote a tiny script disabling and enabling the client's network-port on and on (I have removed outputs and logging to keep it short):
$doAllTheTime = $true
$i = 0
$DomainName = (Get-WmiObject -Class Win32_ComputerSystem).domain
$NWAdapter = Get-WmiObject -Class Win32_NetworkAdapter | ? {$_.name -like "*gigabit*"}
while ($doAllTheTime -eq $true)
$i++
$NWAdapter.disable() | out-null; Start-Sleep -Seconds 10
$NWAdapter.enable() | out-null; Start-Sleep -Seconds 10
$ping = $null
$ping = test-connection $DomainName -count 1
if ($ping -eq $null)
"Error with connection"; return
So I kept it running and after a dozens of loops the issue reoccurred. I could see that it is the dot3svc-Service that does not response anymore by the RASCHAP-log given above. Restarting the service manually triggered a re-authentication that was then successful.
So I added the restart-service-cmdlet to my script in case that the error was detected and configured a Scheduled Task triggered by the event that a network-cable has been plugged in (has to be provided by the driver). Script and Scheduled Task
have then been deployed to our clients.
Even if this is no solution it definitely helps with a high rate of incidents -
but not entirely... so I am still looking for further steps to
solve this. Any ideas are highly appreciated.
Thank you very much for your support!!! Uhle

802.1x port authentication failing after getting a access-accept packet

Similar Messages

Maybe you are looking for