802.1x Windows XP Supplicant
Hello,
I have recently been trying to get the built-in Windows XP supplicant to function in the following way: using EAPOL-MSCHAPv2 with Username/Password/Domain credentials at the Windows login screen. No certificates, just a pre-shared key between the RADIUS server and the applicant switch. It does not seem to work though... does anyone have experience configuring 802.1x in a similar fashion?
Your input would be immensely appreciated, thank you!
Steve
A few questions regarding your setup:
1. Need AAA configuration for the switch
2. Have you established that requests from the XP client are getting to the ACS?
3. What is the failure reason in ACS logs?
With this information, further guidance can be provided.
Similar Messages
-
Hi,
We have a dashboard Windows 7 supplicant which is being used to monitor the network activities. There is no one working with this supplicant so it goes inactive.
What we see in our ISE log is the supplicant trying to reauthenticate itself every 4 to 10 minutes. It goes on like this the whole day. We don't want this continuous behaviour after all.
Switch port configuration looks like this:
interface FastEthernet0/31
description 802.1x Poort
switchport access vlan xxx
switchport mode access
switchport nonegotiate
switchport voice vlan xxx
no logging event link-status
priority-queue out
authentication control-direction in
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication timer inactivity 120
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 300
dot1x timeout tx-period 10
dot1x timeout supp-timeout 300
dot1x max-reauth-req 3
dot1x timeout held-period 300
dot1x timeout auth-period 3
no mdix auto
storm-control broadcast level 10.00
storm-control multicast level 10.00
no cdp enable
spanning-tree portfast
service-policy input xxxx
end
Has anyone got this same issue? Is this a normal behaviour of an idled supplicant, or another issue around ISE/switch? Is there any switch configuration we are missing to get rid of this behaviour?
ISE Version: 1.2.0.899
Patch Information: 5,6,8
Help would be much appreciated
Hi Jan,
Thank you for your reply. Indeed those timer values were not covered in the ISE design guide. We have implemented this timer to tweak the standard design. However we have finally discovered the solution for this issue.
"authentication timer inactivity 120" was the root cause of the issue. So when a workstation goes idle, ISE tries to re-authenticate after 2 minutes because of this switch port configuration.
We have tried to expand the timer to 3600 and it worked, issue fixed. But you will then have the same result every hour (not a big issue).
And yes, we have deleted all those timer values to keep the configuration as simple as possible. Now we don't have the issue anymore.
-
Windows 7 Supplicant Configuration - ISE PEAP w Machine Auth
Can anyone tell me the settings for the Windows 7 supplicant that works with ISE and PEAP using machine authentication? I have an authorization profile that permits the user login only after machine 'WasAuthenticated'. I have only found this to work by setting the Windows 7 supplicant up to use Single-Sign-On before Windows logon and to specify 'User or Machine' authentication. Then I'm only successful if I have both wired and wireless connected/on and I perform a logoff/reboot. Surely this isn't right. What if a user logs on without any connection with cached credentials and then wants to use wireless? Can't they just perform both machine and user auth over the wireless connection regardless of prior machine/auth states? I used the videos from LABMINUTES to configure the policies, but I don't need the ACLs for the WLAN controller because these are autonomous APs.
Regards,
Scott
Microsoft will send both and only cares if one passes. This is the same with RADIUS. ACS and ISE allow you to check to see if the user was authenticated which happens initially on boot. After the initial machine auth, the Windows machine will only send user creds. The was machine auth is a workaround to be able to do both. The issue is that when the timeout of the machine creds happens, the device has to be rebooted. In Cisco Live 2012, they even suggested you don't do this due to not knowing when the cached credentials ACS or ISE will keep this info.
Sent from Cisco Technical Support iPhone App
-
802.1x Windows 2012 IAS
Hello, I'm trying to set up 802.1x on an old 3560 switch.
The Switch is a:
Switch Ports Model SW Version SW Image
* 1 52 WS-C3560-48TS 12.2(25)SEE3 C3560-ADVIPSERVICESK
I'm using Windows 2012 IAS as RADIUS with the following policies:
I have the following config on the switch:
aaa group server radius RadiusAuth
server 172.29.8.12 auth-port 1645 acct-port 1646
aaa authentication login default local
aaa authentication login local enable
aaa authentication dot1x default group RadiusAuth
aaa authorization network default group RadiusAuth
dot1x system-auth-control
interface FastEthernet0/31
description 802.1x tests
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x timeout quiet-period 3
dot1x timeout tx-period 5
dot1x guest-vlan 106
spanning-tree portfast
radius-server host 172.29.8.12 auth-port 1645 acct-port 1646
radius-server retry method reorder
radius-server transaction max-tries 10
radius-server timeout 4
radius-server deadtime 2
radius-server key KEYSECRET
radius-server vsa send authentication
And I can't authenticate; I think it is a RADIUS problem.
I have this additional debug info related to RADIUS and Dot1x:
004898: Aug 5 12:32:28: %LINK-3-UPDOWN: Interface FastEthernet0/31, changed state to down
004899: 7w6d: RADIUS(00000019): Storing nasport 50031 in rad_db
004900: 7w6d: RADIUS(00000019): Config NAS IP: 0.0.0.0
004901: 7w6d: RADIUS/ENCODE(00000019): acct_session_id: 27787264
004902: 7w6d: RADIUS(00000019): sending
004903: 7w6d: RADIUS/ENCODE: Best Local IP-Address 172.29.11.1 for Radius-Server 172.29.8.12
004904: 7w6d: RADIUS(00000019): Send Access-Request to 172.29.8.12:1645 id 21645/77, len 173
004905: 7w6d: RADIUS: authenticator A7 3A 07 F8 8D 5B C1 76 - 67 8E 66 54 05 04 0C DB
004906: 7w6d: RADIUS: User-Name [1] 19 "DOMAIN\User"
004907: 7w6d: RADIUS: Service-Type [6] 6 Framed [2]
004908: 7w6d: RADIUS: Framed-MTU [12] 6 1500
004909: 7w6d: RADIUS: Called-Station-Id [30] 19 "00-17-94-97-D9-23"
004910: 7w6d: RADIUS: Calling-Station-Id [31] 19 "00-24-BE-C7-09-6F"
004911: 7w6d: RADIUS: EAP-Message [79] 24
004912: 7w6d: RADIUS: 02 02 00 16 01 44 49 47 49 54 41 49 4E 45 52 5C [?????DOMAIN\]
004913: 7w6d: RADIUS: 6F 6C 6F 70 65 7A [USER]
004914: 7w6d: RADIUS: Message-Authenticato[80] 18
004915: 7w6d: RADIUS: 31 C9 68 BA B8 E9 DC 78 6E 87 7E A4 89 D5 0C 81 [1?h????xn?~?????]
004916: 7w6d: RADIUS: Vendor, Cisco [26] 24
004917: 7w6d: RADIUS: cisco-nas-port [2] 18 "FastEthernet0/31"
004918: 7w6d: RADIUS: NAS-Port [5] 6 50031
004919: 7w6d: RADIUS: NAS-Port-Type [61] 6 Eth [15]
004920: 7w6d: RADIUS: NAS-IP-Address [4] 6 172.29.11.1
004921: Aug 5 12:32:32: %LINK-3-UPDOWN: Interface FastEthernet0/31, changed state to up
004922: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/77
004923: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/77
004924: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/77
004925: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/77
004926: 7w6d: RADIUS(00000019): Storing nasport 50031 in rad_db
004927: 7w6d: RADIUS(00000019): Config NAS IP: 0.0.0.0
004928: 7w6d: RADIUS/ENCODE(00000019): acct_session_id: 27787264
004929: 7w6d: RADIUS(00000019): sending
004930: 7w6d: RADIUS/ENCODE: Best Local IP-Address 172.29.11.1 for Radius-Server 172.29.8.12
004931: 7w6d: RADIUS(00000019): Send Access-Request to 172.29.8.12:1645 id 21645/78, len 173
004932: 7w6d: RADIUS: authenticator 84 B1 75 9D 4C 21 0F 9D - 19 01 A6 23 DE 1B 74 1A
004933: 7w6d: RADIUS: User-Name [1] 19 "DOMAIN\User"
004934: 7w6d: RADIUS: Service-Type [6] 6 Framed [2]
004935: 7w6d: RADIUS: Framed-MTU [12] 6 1500
004936: 7w6d: RADIUS: Called-Station-Id [30] 19 "00-17-94-97-D9-23"
004937: 7w6d: RADIUS: Calling-Station-Id [31] 19 "00-24-BE-C7-09-6F"
004938: 7w6d: RADIUS: EAP-Message [79] 24
004939: 7w6d: RADIUS: 02 03 00 16 01 44 49 47 49 54 41 49 4E 45 52 5C [?????DDOMAIN\]
004940: 7w6d: RADIUS: 6F 6C 6F 70 65 7A [User]
004941: 7w6d: RADIUS: Message-Authenticato[80] 18
004942: 7w6d: RADIUS: D3 1E DC 03 5E 13 CF 93 6B 7F F4 B8 DB 20 65 A6 [????^???k???? e?]
004943: 7w6d: RADIUS: Vendor, Cisco [26] 24
004944: 7w6d: RADIUS: cisco-nas-port [2] 18 "FastEthernet0/31"
004945: 7w6d: RADIUS: NAS-Port [5] 6 50031
004946: 7w6d: RADIUS: NAS-Port-Type [61] 6 Eth [15]
004947: 7w6d: RADIUS: NAS-IP-Address [4] 6 172.29.11.1
004948: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/77
004949: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/78
004950: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/77
004951: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/78
004952: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/77
004953: Aug 5 12:33:04: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.29.8.12:1645,1646 is not responding.
004954: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/78
004955: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/77
004956: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/78
004957: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/77
004958: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/78
004959: 7w6d: RADIUS: No response from (172.29.8.12:1645,1646) for id 21645/77
004960: 7w6d: RADIUS/DECODE: parse response no app start; FAIL
004961: 7w6d: RADIUS/DECODE: parse response; FAIL
004962: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/78
004963: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/78
004964: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/78
004965: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/78
004966: 7w6d: RADIUS: No response from (172.29.8.12:1645,1646) for id 21645/78
004967: 7w6d: RADIUS/DECODE: parse response no app start; FAIL
004968: 7w6d: RADIUS/DECODE: parse response; FAIL
004969: Aug 5 12:35:04: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.29.8.12:1645,1646 has returned.
DOT1X
005294: 7w6d: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/31
005295: 7w6d: dot1x-registry:dot1x_switch_port_linkcomingup invoked on interface Fa0/31
005296: 7w6d: dot1x-ev:dot1x_mgr_if_state_change: FastEthernet0/31 has changed to UP
005297: 7w6d: dot1x_auth Fa0: initial state auth_initialize has enter
005298: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_initialize_enter called
005299: 7w6d: dot1x_auth Fa0: during state auth_initialize, got event 0(cfg_auto)
005300: 7w6d: @@@ dot1x_auth Fa0: auth_initialize -> auth_disconnected
005301: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_disconnected_enter called
005302: 7w6d: dot1x_auth Fa0: idle during state auth_disconnected
005303: 7w6d: @@@ dot1x_auth Fa0: auth_disconnected -> auth_restart
005304: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_restart_enter called
005305: 7w6d: dot1x-ev:Sending create new context event to EAP for 0000.0000.0000
005306: 7w6d: dot1x_auth_bend Fa0: initial state auth_bend_initialize has enter
005307: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_initialize_enter called
005308: 7w6d: dot1x_auth_bend Fa0: initial state auth_bend_initialize has idle
005309: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_initialize, got event 16383(idle)
005310: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_initialize -> auth_bend_idle
005311: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_idle_enter called
005312: 7w6d: dot1x-ev:Created a client entry for the supplicant 0000.0000.0000
005313: 7w6d: dot1x-ev:Created a default authenticator instance on FastEthernet0/31
005314: 7w6d: dot1x-ev:dot1x_switch_enable_on_port: Enabling dot1x on interface FastEthernet0/31
005315: 7w6d: dot1x-ev:dot1x_switch_enable_on_port: set dot1x ask handler on interface FastEthernet0/31
005316: 7w6d: dot1x-sm:Posting !EAP_RESTART on Client=39E7F78
005317: 7w6d: dot1x_auth Fa0: during state auth_restart, got event 6(no_eapRestart)
005318: 7w6d: @@@ dot1x_auth Fa0: auth_restart -> auth_connecting
005319: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_connecting_enter called
005320: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_restart_connecting_action called
005321: 7w6d: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
005322: 7w6d: dot1x-sm:Posting RX_REQ on Client=39E7F78
005323: 7w6d: dot1x_auth Fa0: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
005324: 7w6d: @@@ dot1x_auth Fa0: auth_connecting -> auth_authenticating
005325: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_authenticating_enter called
005326: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_connecting_authenticating_action called
005327: 7w6d: dot1x-sm:Posting AUTH_START on Client=39E7F78
005328: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_idle, got event 4(eapReq_authStart)
005329: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_idle -> auth_bend_request
005330: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_request_enter called
005331: 7w6d: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1 data:
005332: 7w6d: dot1x-ev:FastEthernet0/31:Sending EAPOL packet to group PAE address
005333: 7w6d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/31.
005334: 7w6d: dot1x-registry:registry:dot1x_ether_macaddr called
005335: 7w6d: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/31
005336: 7w6d: EAPOL pak dump Tx
005337: 7w6d: EAPOL Version: 0x2 type: 0x0 length: 0x0005
005338: 7w6d: EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1
005339: 7w6d: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
005340: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_idle_request_action called
005341: 7w6d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/31.
005342: 7w6d: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Authenticator Q
005343: 7w6d: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
005344: 7w6d: dot1x-packet:Received an EAPOL frame on interface FastEthernet0/31
005345: 7w6d: dot1x-ev:Received pkt saddr =0024.bec7.096f , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.0016
005346: 7w6d: dot1x-ev:Created a client entry for the supplicant 0024.bec7.096f
005347: 7w6d: dot1x-ev:Found the default authenticator instance on FastEthernet0/31
005348: 7w6d: dot1x-registry:EAPOL traffic seen on FastEthernet0/31
005349: 7w6d: dot1x-packet:Received an EAP packet on interface FastEthernet0/31
005350: 7w6d: EAPOL pak dump rx
005351: 7w6d: EAPOL Version: 0x1 type: 0x0 length: 0x0016
005352: 7w6d: dot1x-packet:Received an EAP packet on the FastEthernet0/31 from mac 0024.bec7.096f
005353: 7w6d: dot1x-sm:Posting EAPOL_EAP on Client=39E7F78
005354: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_request, got event 6(eapolEap)
005355: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_request -> auth_bend_response
005356: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_bend_response_enter called
005357: 7w6d: dot1x-ev:dot1x_sendRespToServer: Response sent to the server from 0024.bec7.096f
005358: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_bend_request_response_action called
005359: Aug 5 12:39:28: %LINK-3-UPDOWN: Interface FastEthernet0/31, changed state to up
005360: 7w6d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/31.
005361: 7w6d: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Authenticator Q
005362: 7w6d: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
005363: 7w6d: dot1x-packet:Received an EAPOL frame on interface FastEthernet0/31
005364: 7w6d: dot1x-ev:Received pkt saddr =0024.bec7.096f , daddr = 0180.c200.0003,
pae-ether-type = 888e.0101.0000
005365: 7w6d: dot1x-packet:Received an EAPOL-Start packet on interface FastEthernet0/31
005366: 7w6d: EAPOL pak dump rx
005367: 7w6d: EAPOL Version: 0x1 type: 0x1 length: 0x0000
005368: 7w6d: dot1x-sm:Posting EAPOL_START on Client=39E7F78
005369: 7w6d: dot1x_auth Fa0: during state auth_authenticating, got event 4(eapolStart)
005370: 7w6d: @@@ dot1x_auth Fa0: auth_authenticating -> auth_aborting
005371: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_authenticating_exit called
005372: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_aborting_enter called
005373: 7w6d: dot1x-sm:Posting AUTH_ABORT on Client=39E7F78
005374: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_response, got event 1(authAbort)
005375: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_response -> auth_bend_initialize
005376: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_bend_response_exit called
005377: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_bend_initialize_enter called
005378: 7w6d: dot1x_auth_bend Fa0: idle during state auth_bend_initialize
005379: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_initialize -> auth_bend_idle
005380: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_bend_idle_enter called
005381: 7w6d: dot1x-sm:Posting !AUTH_ABORT on Client=39E7F78
005382: 7w6d: dot1x_auth Fa0: during state auth_aborting, got event 20(no_eapolLogoff_no_authAbort)
005383: 7w6d: @@@ dot1x_auth Fa0: auth_aborting -> auth_restart
005384: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_aborting_exit called
005385: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_restart_enter called
005386: 7w6d: dot1x-ev:Resetting the client 0024.bec7.096f
005387: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_aborting_restart_action called
005388: 7w6d: dot1x-sm:Posting !EAP_RESTART on Client=39E7F78
005389: 7w6d: dot1x_auth Fa0: during state auth_restart, got event 6(no_eapRestart)
005390: 7w6d: @@@ dot1x_auth Fa0: auth_restart -> auth_connecting
005391: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_connecting_enter called
005392: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_restart_connecting_action called
005393: 7w6d: dot1x-packet:Received an EAP request packet from EAP for mac 0024.bec7.096f
005394: 7w6d: dot1x-sm:Posting RX_REQ on Client=39E7F78
005395: 7w6d: dot1x_auth Fa0: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
005396: 7w6d: @@@ dot1x_auth Fa0: auth_connecting -> auth_authenticating
005397: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_authenticating_enter called
005398: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_connecting_authenticating_action called
005399: 7w6d: dot1x-sm:Posting AUTH_START on Client=39E7F78
005400: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_idle, got event 4(eapReq_authStart)
005401: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_idle -> auth_bend_request
005402: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_bend_request_enter called
005403: 7w6d: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x3 length: 0x0005 type: 0x1 data:
005404: 7w6d: dot1x-ev:FastEthernet0/31:Sending EAPOL packet to group PAE address
005405: 7w6d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/31.
005406: 7w6d: dot1x-registry:registry:dot1x_ether_macaddr called
005407: 7w6d: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/31
005408: 7w6d: EAPOL pak dump Tx
005409: 7w6d: EAPOL Version: 0x2 type: 0x0 length: 0x0005
005410: 7w6d: EAP code: 0x1 id: 0x3 length: 0x0005 type: 0x1
005411: 7w6d: dot1x-packet:dot1x_txReq: EAPOL packet sent to client (0024.bec7.096f)
005412: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_bend_idle_request_action called
005413: 7w6d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/31.
005414: 7w6d: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Authenticator Q
005415: 7w6d: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
005416: 7w6d: dot1x-packet:Received an EAPOL frame on interface FastEthernet0/31
005417: 7w6d: dot1x-ev:Received pkt saddr =0024.bec7.096f , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.0016
005418: 7w6d: dot1x-packet:Received an EAP packet on interface FastEthernet0/31
005419: 7w6d: EAPOL pak dump rx
005420: 7w6d: EAPOL Version: 0x1 type: 0x0 length: 0x0016
005421: 7w6d: dot1x-packet:Received an EAP packet on the FastEthernet0/31 from mac 0024.bec7.096f
005422: 7w6d: dot1x-sm:Posting EAPOL_EAP on Client=39E7F78
005423: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_request, got event 6(eapolEap)
005424: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_request -> auth_bend_response
005425: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_bend_response_enter called
005426: 7w6d: dot1x-ev:dot1x_sendRespToServer: Response sent to the server from 0024.bec7.096f
005427: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_bend_request_response_action called
005428: 7w6d: dot1x-sm:Posting A_WHILE_EXPIRE on Client=39E7F78
005429: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_response, got event 9(aWhile_expire)
005430: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_response -> auth_bend_timeout
005431: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_bend_response_exit called
005432: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_bend_timeout_enter called
005433: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_bend_response_timeout_action called
005434: 7w6d: dot1x_auth_bend Fa0: idle during state auth_bend_timeout
005435: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_timeout -> auth_bend_idle
005436: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_bend_idle_enter called
005437: 7w6d: dot1x-sm:Posting AUTH_TIMEOUT on Client=39E7F78
005438: 7w6d: dot1x_auth Fa0: during state auth_authenticating, got event 14(authTimeout)
005439: 7w6d: @@@ dot1x_auth Fa0: auth_authenticating -> auth_fallback
005440: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_authenticating_exit called
005441: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_fallback_enter called
005442: 7w6d: dot1x-sm:Posting AUTH_FAIL on Client=39E7F78
005443: 7w6d: dot1x_auth Fa0: during state auth_fallback, got event 15(authFail)
005444: 7w6d: @@@ dot1x_auth Fa0: auth_fallback -> auth_authc_result
005445: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_authc_result_enter called
005446: 7w6d: dot1x-ev:dot1x_guest_vlan_applicable: Guest VLAN not applicable. Supplicant disabled and EAPOL seen on port FastEthernet0/31.
005447: 7w6d: dot1x-sm:Posting AUTHC_FAIL on Client=39E7F78
005448: 7w6d: dot1x_auth Fa0: during state auth_authc_result, got event 23(authcFail)
005449: 7w6d: @@@ dot1x_auth Fa0: auth_authc_result -> auth_held
005450: 7w6d: dot1x-ev:dot1x_guest_vlan_applicable: Guest VLAN not applicable. Supplicant disabled and EAPOL seen on port FastEthernet0/31.
005451: 7w6d: dot1x-sm:Posting RESTART on Client=39E7F78
005452: 7w6d: dot1x_auth Fa0: during state auth_held, got event 13(restart)
005453: 7w6d: @@@ dot1x_auth Fa0: auth_held -> auth_restart
005454: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_held_exit called
005455: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_restart_enter called
005456: 7w6d: dot1x-ev:Resetting the client 0024.bec7.096f
005457: 7w6d: dot1x-sm:Posting !EAP_RESTART on Client=39E7F78
005458: 7w6d: dot1x_auth Fa0: during state auth_restart, got event 6(no_eapRestart)
005459: 7w6d: @@@ dot1x_auth Fa0: auth_restart -> auth_connecting
005460: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_connecting_enter called
005461: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_restart_connecting_action called
005462: 7w6d: dot1x-packet:Received an EAP request packet from EAP for mac 0024.bec7.096f
005463: 7w6d: dot1x-sm:Posting REAUTH_MAX on Client=39E7F78
005464: 7w6d: dot1x_auth Fa0: during state auth_connecting, got event 11(reAuthMax)
005465: 7w6d: @@@ dot1x_auth Fa0: auth_connecting -> auth_disconnected
005466: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_disconnected_enter called
005467: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_disconnected_enter sending canned failure to version 1 supplicant
005468: 7w6d: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x4 id: 0x4 length: 0x0004 type: 0x0 data:
005469: 7w6d: dot1x-ev:FastEthernet0/31:Sending EAPOL packet to group PAE address
005470: 7w6d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/31.
005471: 7w6d: dot1x-registry:registry:dot1x_ether_macaddr called
005472: 7w6d: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/31
005473: 7w6d: EAPOL pak dump Tx
005474: 7w6d: EAPOL Version: 0x2 type: 0x0 length: 0x0004
005475: 7w6d: EAP code: 0x4 id: 0x4 length: 0x0004
005476: 7w6d: dot1x-packet:dot1x_auth_txCannedFail: EAPOL packet sent to client (0024.bec7.096f)
005477: 7w6d: dot1x_auth Fa0: idle during state auth_disconnected
005478: 7w6d: @@@ dot1x_auth Fa0: auth_disconnected -> auth_restart
005479: 7w6d: dot1x-ev:dot1x_switch_port_unauthorized: Unauthorizing interface FastEthernet0/31
005480: 7w6d: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/31
005481: 7w6d: dot1x-ev:dot1x_vlan_assign_client_deleted on interface FastEthernet0/31
005482: 7w6d: dot1x_auth Fa0: initial state auth_initialize has enter
005483: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_initialize_enter called
005484: 7w6d: dot1x_auth Fa0: during state auth_initialize, got event 0(cfg_auto)
005485: 7w6d: @@@ dot1x_auth Fa0: auth_initialize -> auth_disconnected
005486: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_disconnected_enter called
005487: 7w6d: dot1x_auth Fa0: idle during state auth_disconnected
005488: 7w6d: @@@ dot1x_auth Fa0: auth_disconnected -> auth_restart
005489: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_restart_enter called
005490: 7w6d: dot1x-ev:Sending create new context event to EAP for 0000.0000.0000
005491: 7w6d: dot1x_auth_bend Fa0: initial state auth_bend_initialize has enter
005492: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_initialize_enter called
005493: 7w6d: dot1x_auth_bend Fa0: initial state auth_bend_initialize has idle
005494: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_initialize, got event 16383(idle)
005495: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_initialize -> auth_bend_idle
005496: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_idle_enter called
005497: 7w6d: dot1x-ev:Created a client entry for the supplicant 0000.0000.0000
005498: 7w6d: dot1x-ev:Created a default authenticator instance on FastEthernet0/31
005499: 7w6d: dot1x-sm:Posting !EAP_RESTART on Client=39E7F78
005500: 7w6d: dot1x_auth Fa0: during state auth_restart, got event 6(no_eapRestart)
005501: 7w6d: @@@ dot1x_auth Fa0: auth_restart -> auth_connecting
005502: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_connecting_enter called
005503: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_restart_connecting_action called
005504: Aug 5 12:40:17: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.29.8.12:1645,1646 has returned.
005505: 7w6d: dot1x-ev:dot1x_critical_active_state_change: Critical Auth Active state changed to FALSE
005506: 7w6d: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
005507: 7w6d: dot1x-sm:Posting RX_REQ on Client=39E7F78
005508: 7w6d: dot1x_auth Fa0: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
005509: 7w6d: @@@ dot1x_auth Fa0: auth_connecting -> auth_authenticating
005510: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_authenticating_enter called
005511: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_connecting_authenticating_action called
005512: 7w6d: dot1x-sm:Posting AUTH_START on Client=39E7F78
005513: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_idle, got event 4(eapReq_authStart)
005514: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_idle -> auth_bend_request
005515: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_request_enter called
005516: 7w6d: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1 data:
005517: 7w6d: dot1x-ev:FastEthernet0/31:Sending EAPOL packet to group PAE address
005518: 7w6d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/31.
005519: 7w6d: dot1x-registry:registry:dot1x_ether_macaddr called
005520: 7w6d: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/31
005521: 7w6d: EAPOL pak dump Tx
005522: 7w6d: EAPOL Version: 0x2 type: 0x0 length: 0x0005
005523: 7w6d: EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1
005524: 7w6d: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
005525: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_idle_request_action called
005526: 7w6d: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
005527: 7w6d: dot1x-sm:Posting EAP_REQ on Client=39E7F78
005528: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_request, got event 7(eapReq)
005529: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_request -> auth_bend_request
005530: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_request_request_action called
005531: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_request_enter called
005532: 7w6d: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1 data:
005533: 7w6d: dot1x-ev:FastEthernet0/31:Sending EAPOL packet to group PAE address
005534: 7w6d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/31.
005535: 7w6d: dot1x-registry:registry:dot1x_ether_macaddr called
005536: 7w6d: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/31
005537: 7w6d: EAPOL pak dump Tx
005538: 7w6d: EAPOL Version: 0x2 type: 0x0 length: 0x0005
005539: 7w6d: EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1
005540: 7w6d: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
005541: 7w6d: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
005542: 7w6d: dot1x-sm:Posting EAP_REQ on Client=39E7F78
005543: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_request, got event 7(eapReq)
005544: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_request -> auth_bend_request
005545: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_request_request_action called
005546: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_request_enter called
005547: 7w6d: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1 data:
005548: 7w6d: dot1x-ev:FastEthernet0/31:Sending EAPOL packet to group PAE address
005549: 7w6d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/31.
005550: 7w6d: dot1x-registry:registry:dot1x_ether_macaddr called
005551: 7w6d: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/31
005552: 7w6d: EAPOL pak dump Tx
005553: 7w6d: EAPOL Version: 0x2 type: 0x0 length: 0x0005
005554: 7w6d: EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1
005555: 7w6d: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
005556: 7w6d: dot1x-ev:Received an EAP Timeout on FastEthernet0/31 for mac 0000.0000.0000
005557: 7w6d: dot1x-sm:Posting EAP_TIMEOUT on Client=39E7F78
005558: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_request, got event 12(eapTimeout)
005559: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_request -> auth_bend_timeout
005560: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_timeout_enter called
005561: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_request_timeout_action called
005562: 7w6d: dot1x_auth_bend Fa0: idle during state auth_bend_timeout
005563: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_timeout -> auth_bend_idle
005564: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_idle_enter called
005565: 7w6d: dot1x-sm:Posting AUTH_TIMEOUT on Client=39E7F78
005566: 7w6d: dot1x_auth Fa0: during state auth_authenticating, got event 14(authTimeout)
005567: 7w6d: @@@ dot1x_auth Fa0: auth_authenticating -> auth_fallback
005568: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_authenticating_exit called
005569: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_fallback_enter called
005570: 7w6d: dot1x-sm:Posting AUTH_FAIL on Client=39E7F78
005571: 7w6d: dot1x_auth Fa0: during state auth_fallback, got event 15(authFail)
005572: 7w6d: @@@ dot1x_auth Fa0: auth_fallback -> auth_authc_result
005573: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_authc_result_enter called
005574: 7w6d: dot1x-ev:dot1x_guest_vlan_applicable: Guest VLAN not applicable. Supplicant disabled and EAPOL seen on port FastEthernet0/31.
005575: 7w6d: dot1x-sm:Posting AUTHC_FAIL on Client=39E7F78
005576: 7w6d: dot1x_auth Fa0: during state auth_authc_result, got event 23(authcFail)
005577: 7w6d: @@@ dot1x_auth Fa0: auth_authc_result -> auth_held
005578: 7w6d: dot1x-ev:dot1x_guest_vlan_applicable: Guest VLAN not applicable. Supplicant disabled and EAPOL seen on port FastEthernet0/31.
005579: 7w6d: dot1x-sm:Posting RESTART on Client=39E7F78
005580: 7w6d: dot1x_auth Fa0: during state auth_held, got event 13(restart)
005581: 7w6d: @@@ dot1x_auth Fa0: auth_held -> auth_restart
005582: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_held_exit called
005583: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_restart_enter called
005584: 7w6d: dot1x-ev:Resetting the client 0000.0000.0000
005585: 7w6d: dot1x-sm:Posting !EAP_RESTART on Client=39E7F78
005586: 7w6d: dot1x_auth Fa0: during state auth_restart, got event 6(no_eapRestart)
005587: 7w6d: @@@ dot1x_auth Fa0: auth_restart -> auth_connecting
005588: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_connecting_enter called
005589: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_restart_connecting_action called
005590: 7w6d: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
005591: 7w6d: dot1x-sm:Posting RX_REQ on Client=39E7F78
005592: 7w6d: dot1x_auth Fa0: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
005593: 7w6d: @@@ dot1x_auth Fa0: auth_connecting -> auth_authenticating
005594: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_authenticating_enter called
005595: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_connecting_authenticating_action called
005596: 7w6d: dot1x-sm:Posting AUTH_START on Client=39E7F78
005597: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_idle, got event 4(eapReq_authStart)
005598: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_idle -> auth_bend_request
005599: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_request_enter called
005600: 7w6d: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x3 length: 0x0005 type: 0x1 data:
005601: 7w6d: dot1x-ev:FastEthernet0/31:Sending EAPOL packet to group PAE address
005602: 7w6d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/31.
005603: 7w6d: dot1x-registry:registry:dot1x_ether_macaddr called
005604: 7w6d: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/31
005605: 7w6d: EAPOL pak dump Tx
005606: 7w6d: EAPOL Version: 0x2 type: 0x0 length: 0x0005
005607: 7w6d: EAP code: 0x1 id: 0x3 length: 0x0005 type: 0x1
005608: 7w6d: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
005609: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_idle_request_action called
005610: 7w6d: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
005611: 7w6d: dot1x-sm:Posting EAP_REQ on Client=39E7F78
005612: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_request, got event 7(eapReq)
005613: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_request -> auth_bend_request
005614: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_request_request_action called
005615: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_request_enter called
005616: 7w6d: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x3 length: 0x0005 type: 0x1 data:
005617: 7w6d: dot1x-ev:FastEthernet0/31:Sending EAPOL packet to group PAE address
005618: 7w6d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/31.
005619: 7w6d: dot1x-registry:registry:dot1x_ether_macaddr called
005620: 7w6d: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/31
005621: 7w6d: EAPOL pak dump Tx
005622: 7w6d: EAPOL Version: 0x2 type: 0x0 length: 0x0005
005623: 7w6d: EAP code: 0x1 id: 0x3 length: 0x0005 type: 0x1
005624: 7w6d: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
005625: 7w6d: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
005626: 7w6d: dot1x-sm:Posting EAP_REQ on Client=39E7F78
005627: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_request, got event 7(eapReq)
005628: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_request -> auth_bend_request
005629: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_request_request_action called
005630: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_request_enter called
005631: 7w6d: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x3 length: 0x0005 type: 0x1 data:
005632: 7w6d: dot1x-ev:FastEthernet0/31:Sending EAPOL packet to group PAE address
005633: 7w6d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/31.
005634: 7w6d: dot1x-registry:registry:dot1x_ether_macaddr called
005635: 7w6d: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/31
005636: 7w6d: EAPOL pak dump Tx
005637: 7w6d: EAPOL Version: 0x2 type: 0x0 length: 0x0005
005638: 7w6d: EAP code: 0x1 id: 0x3 length: 0x0005 type: 0x1
005639: 7w6d: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
005640: 7w6d: dot1x-ev:Received an EAP Timeout on FastEthernet0/31 for mac 0000.0000.0000
005641: 7w6d: dot1x-sm:Posting EAP_TIMEOUT on Client=39E7F78
005642: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_request, got event 12(eapTimeout)
005643: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_request -> auth_bend_timeout
005644: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_timeout_enter called
005645: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_request_timeout_action called
005646: 7w6d: dot1x_auth_bend Fa0: idle during state auth_bend_timeout
005647: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_timeout -> auth_bend_idle
005648: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_idle_enter called
005649: 7w6d: dot1x-sm:Posting AUTH_TIMEOUT on Client=39E7F78
005650: 7w6d: dot1x_auth Fa0: during state auth_authenticating, got event 14(authTimeout)
005651: 7w6d: @@@ dot1x_auth Fa0: auth_authenticating -> auth_fallback
005652: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_authenticating_exit called
005653: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_fallback_enter called
005654: 7w6d: dot1x-sm:Posting AUTH_FAIL on Client=39E7F78
005655: 7w6d: dot1x_auth Fa0: during state auth_fallback, got event 15(authFail)
005656: 7w6d: @@@ dot1x_auth Fa0: auth_fallback -> auth_authc_result
005657: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_authc_result_enter called
005658: 7w6d: dot1x-ev:dot1x_guest_vlan_applicable: Guest VLAN not applicable. Supplicant disabled and EAPOL seen on port FastEthernet0/31.
005659: 7w6d: dot1x-sm:Posting AUTHC_FAIL on Client=39E7F78
005660: 7w6d: dot1x_auth Fa0: during state auth_authc_result, got event 23(authcFail)
005661: 7w6d: @@@ dot1x_auth Fa0: auth_authc_result -> auth_held
005662: 7w6d: dot1x-ev:dot1x_guest_vlan_applicable: Guest VLAN not applicable. Supplicant disabled and EAPOL seen on port FastEthernet0/31.
005663: 7w6d: dot1x-sm:Posting RESTART on Client=39E7F78
005664: 7w6d: dot1x_auth Fa0: during state auth_held, got event 13(restart)
005665: 7w6d: @@@ dot1x_auth Fa0: auth_held -> auth_restart
005666: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_held_exit called
005667: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_restart_enter called
005668: 7w6d: dot1x-ev:Resetting the client 0000.0000.0000
005669: 7w6d: dot1x-sm:Posting !EAP_RESTART on Client=39E7F78
005670: 7w6d: dot1x_auth Fa0: during state auth_restart, got event 6(no_eapRestart)
005671: 7w6d: @@@ dot1x_auth Fa0: auth_restart -> auth_connecting
005672: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_connecting_enter called
005673: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_restart_connecting_action called
005674: 7w6d: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
005675: 7w6d: dot1x-sm:Posting REAUTH_MAX on Client=39E7F78
005676: 7w6d: dot1x_auth Fa0: during state auth_connecting, got event 11(reAuthMax)
005677: 7w6d: @@@ dot1x_auth Fa0: auth_connecting -> auth_disconnected
005678: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_disconnected_enter called
005679: 7w6d: dot1x_auth Fa0: idle during state auth_disconnected
005680: 7w6d: @@@ dot1x_auth Fa0: auth_disconnected -> auth_restart
005681: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_restart_enter called
005682: 7w6d: dot1x-ev:Resetting the client 0000.0000.0000
005683: 7w6d: dot1x-sm:Posting !EAP_RESTART on Client=39E7F78
005684: 7w6d: dot1x_auth Fa0: during state auth_restart, got event 6(no_eapRestart)
005685: 7w6d: @@@ dot1x_auth Fa0: auth_restart -> auth_connecting
005686: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_connecting_enter called
005687: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_restart_connecting_action called
005688: 7w6d: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
005689: 7w6d: dot1x-sm:Posting RX_REQ on Client=39E7F78
005690: 7w6d: dot1x_auth Fa0: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
005691: 7w6d: @@@ dot1x_auth Fa0: auth_connecting -> auth_authenticating
005692: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_authenticating_enter called
005693: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_connecting_authenticating_action called
005694: 7w6d: dot1x-sm:Posting AUTH_START on Client=39E7F78
005695: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_idle, got event 4(eapReq_authStart)
005696: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_idle -> auth_bend_request
005697: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_request_enter called
005698: 7w6d: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x5 length: 0x0005 type: 0x1 data:
005699: 7w6d: dot1x-ev:FastEthernet0/31:Sending EAPOL packet to group PAE address
005700: 7w6d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/31.
005701: 7w6d: dot1x-registry:registry:dot1x_ether_macaddr called
005702: 7w6d: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/31
005703: 7w6d: EAPOL pak dump Tx
005704: 7w6d: EAPOL Version: 0x2 type: 0x0 length: 0x0005
005705: 7w6d: EAP code: 0x1 id: 0x5 length: 0x0005 type: 0x1
005706: 7w6d: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
005707: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_idle_request_action called
005708: 7w6d: dot1x-registry:dot1x_switch_port_physical_linkchange invoked on interface Fa0/31
005709: 7w6d: dot1x-ev:dot1x_mgr_if_state_change: FastEthernet0/31 has changed to DOWN
005710: 7w6d: dot1x-ev:Cleared all authenticator instances on FastEthernet0/31
Dot1x Info for FastEthernet0/31
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Disabled
QuietPeriod = 3
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 5
RateLimitPeriod = 0
Guest-Vlan = 106
Any idea? Thanks in advance.
Did you try "Unencrypted authentication (PAP, SPAP)" tick in Network Policies?
It's probably going to solve your problem -
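The debug output quoted above is long mainly because the same failure repeats. As an added example (not code from the thread or from Cisco), this Python parser reduces such a capture to the EAP-Request/Identity retransmissions per EAP id, the timeouts, and the authenticator state path. It assumes a supplicant reply would be dumped in the same `EAP code:` line format with code 0x2; `SAMPLE` is an abridged excerpt of the lines quoted in the post.

```python
import re
from collections import Counter

# Abridged excerpt of the `debug dot1x` lines quoted in the post above.
SAMPLE = """\
005554: 7w6d: EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1
005556: 7w6d: dot1x-ev:Received an EAP Timeout on FastEthernet0/31 for mac 0000.0000.0000
005558: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_request, got event 12(eapTimeout)
005567: 7w6d: @@@ dot1x_auth Fa0: auth_authenticating -> auth_fallback
005577: 7w6d: @@@ dot1x_auth Fa0: auth_authc_result -> auth_held
005581: 7w6d: @@@ dot1x_auth Fa0: auth_held -> auth_restart
005587: 7w6d: @@@ dot1x_auth Fa0: auth_restart -> auth_connecting
005593: 7w6d: @@@ dot1x_auth Fa0: auth_connecting -> auth_authenticating
005600: 7w6d: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x3 length: 0x0005 type: 0x1 data:
005607: 7w6d: EAP code: 0x1 id: 0x3 length: 0x0005 type: 0x1
005623: 7w6d: EAP code: 0x1 id: 0x3 length: 0x0005 type: 0x1
005638: 7w6d: EAP code: 0x1 id: 0x3 length: 0x0005 type: 0x1
005640: 7w6d: dot1x-ev:Received an EAP Timeout on FastEthernet0/31 for mac 0000.0000.0000
005651: 7w6d: @@@ dot1x_auth Fa0: auth_authenticating -> auth_fallback
005661: 7w6d: @@@ dot1x_auth Fa0: auth_authc_result -> auth_held
005665: 7w6d: @@@ dot1x_auth Fa0: auth_held -> auth_restart
005671: 7w6d: @@@ dot1x_auth Fa0: auth_restart -> auth_connecting
005676: 7w6d: dot1x_auth Fa0: during state auth_connecting, got event 11(reAuthMax)
005677: 7w6d: @@@ dot1x_auth Fa0: auth_connecting -> auth_disconnected
005709: 7w6d: dot1x-ev:dot1x_mgr_if_state_change: FastEthernet0/31 has changed to DOWN
"""

TRANSITION = re.compile(r"@@@ (dot1x_auth(?:_bend)?) \S+: (\w+) -> (\w+)")
EVENT = re.compile(r"got event \d+\((\w+)\)")
TIMEOUT = re.compile(r"Received an EAP Timeout on \S+ for mac \S+")
# Match only the bare packet-dump line. The "dot1x-packet:...:EAP code:" line
# describes the same frame and would double the count if it were included.
EAP_DUMP = re.compile(
    r"^\d+: \S+: EAP code: 0x([0-9a-fA-F]+) id: 0x([0-9a-fA-F]+) "
    r"length: 0x[0-9a-fA-F]+ type: 0x([0-9a-fA-F]+)")


def summarize(log_text):
    """Reduce a `debug dot1x` capture to the facts needed for triage."""
    s = {"requests": Counter(), "responses": 0, "timeouts": 0,
         "events": Counter(), "auth_path": [], "link_down": False}
    for line in log_text.splitlines():
        m = EAP_DUMP.match(line)
        if m:
            code, eap_id, eap_type = (int(v, 16) for v in m.groups())
            if code == 1 and eap_type == 1:    # EAP Request / Identity
                s["requests"][eap_id] += 1
            elif code == 2:                    # EAP Response (assumed format)
                s["responses"] += 1
            continue
        m = TRANSITION.search(line)
        if m:
            if m.group(1) == "dot1x_auth":     # skip the back-end machine
                s["auth_path"].append(m.group(3))
            continue
        m = EVENT.search(line)
        if m:
            s["events"][m.group(1)] += 1
        if TIMEOUT.search(line):
            s["timeouts"] += 1
        if "has changed to DOWN" in line:
            s["link_down"] = True
    return s


def verdict(s):
    """Classify the capture: did anything on the port ever answer?"""
    if s["responses"] == 0 and s["timeouts"]:
        tail = " until reAuthMax" if s["events"]["reAuthMax"] else ""
        return "no EAP response from the port" + tail
    return "supplicant answered"


if __name__ == "__main__":
    summary = summarize(SAMPLE)
    print(verdict(summary), dict(summary["requests"]), summary["auth_path"])
```

For the embedded excerpt the summary shows two failed cycles through `auth_held`, ending in `auth_disconnected`, with no Response frame at all, so no identity was ever available to forward to the RADIUS server.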
Broadcom 802.11ac Windows 8.1 won't connect to wifi router
I'm using an ASRock Z87E-ITX with a Broadcom 802.11ac wireless adapter and Windows 8.1.
My wireless adapter won't connect to my ZTE F660 wireless router, but it connects to any mobile phone tethered device. The problem is that when I try to connect, the wireless adapter is automatically disabled and then enables itself again.
I've tried using an external wireless adapter (TP-Link) and it connected normally.
Hello padidisawah,
What is your current situation?
Have you tried the solution as MVP S.Sengupta mentioned?
Please take the following steps for troubleshooting:
1. Go to Control Panel\All Control Panel Items\Troubleshooting\All Categories and run the Network Adapter Troubleshooter
2. If the wireless adapter can normally connect to other Wireless router, please check the configuration in zte f660 wireless router.
Best regards,
Fangzhou CHEN
TechNet Community Support -
Duplicate IP 0.0.0.0 Conflict on 802.1X Windows 7 Clients
Hi,
Ever since we implemented ISE 1.x with 802.1X authentication about two years ago, a number of our Windows 7 user stations occasionally report the well known error message: "duplicate ip 0.0.0.0". Only wired stations are affected and it happens randomly but not frequently. On further investigation I found that the conflicting device MAC address in every case is in fact the BIA of the switch port that the Windows 7 PC client is connected to. The characteristics of each case are consistent with the Cisco device tracking process as detailed in TAC Document ID: 116529, Updated: Oct 09, 2013
http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/8021x/116529-problemsolution-product-00.html
We have Cisco C6500 access switches with IOS Ver: 12.2(33)SXJ1. The output of the "show ip device track all" command on the switches:
access-switch#sh ip device track all
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
I found that Cisco recommends three Solution options as follows:
1. ip device tracking probe delay 10
2. ip device tracking probe use-svi
3. ip device tracking probe interval <seconds>
However, the IOS only shows the tracking probe "count" and "interval" as changeable. There is no option to change the probe delay or use-svi in this IOS.
What is your advice?
Many thanks.
Sankung
You may have a look at this document if you have not seen it yet. It goes over device tracking a little more in detail and possible workarounds.
http://tekdigest.blogspot.com/2013/11/windows-7-with-address-conflict-for-ip.html
HTH
luke -
802.1x & windows Authentication
Hi there, has anybody implemented 802.1x port authentication with ACS & Windows AD? Which authentication is supported in this kind of setup: MS-CHAP, MD5 or PEAP (on the clients)?
And what are the challenges if Windows user account passwords are changed frequently?
Can anybody explain the advantages & disadvantages of 802.1x before I deploy it in the network?
There's a decent guide in the ACS 4.2 documentation on enabling machine access (chapter 12). Basically, you just enable it on the client and the ACS server, and POOF! On the client side, you should have an "Authenticate as computer..." option on your wireless networks tab. Wired is the same, unless you are running XP SP3, Vista, or Windows 7 where machine auth is enabled when you enable user auth.
MAB with Guest VLAN *should* work, but I have not configured/tested it. Just be aware that MAF on the ACS side is just another form of auth where the user id and password is the MAC address of the client. For this reason, I recommend you put the MAC "users" in your ACS database, not in AD. Otherwise, you'll probably need to create an AD password group policy object for the user group holding your "mac address user accounts" so that they can have a password that matches their user name.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/ACSug.pdf -
802.1x - Windows credentials
Hello all,
I am working on an 802.1x lab and proof of concept and have 2 problems. Solving either of them will have me good-to go. Just for reference I have:
1) enabled and tested workstation authentication
2) can successfully authenticate users and workstations against AD
First: If I use the default Windows 2000 802.1x service and have the box "Always use my Windows username and password" box checked when using PEAP, I cannot for the life of me figure out how to authenticate when I have logged in as a local user account. Windows insists on putting the local computer name in front of the username when I log in to a local account, so I cannot simply enter the default company-wide local administrator into ACS's local database.
Second: If I use the Cisco CTA client, I always get prompted for my password by CTA after I login to Windows, when I thought it should use the credentials I logged in with. I do not care if I have to enter local credentials twice, but a normal user logging into an AD account should not have to. If as I suspect this is a certificate issue my corporation does have a very good PKI infrastructure I can work off of.
My preference is not to have to install any additional software for 802.1x so if I can figure out how to authenticate when logged in as the local administrator without having to change settings, that would be best, but if I need to I can use the CTA client.
Any help would be greatly appreciated,
Nathan Spitzer
Lockheed Martin TSS
Not sure if this is for wireless or not, but Windows generally does not allow for this by default, due to roaming issues. See here for more details:
<http://www.microsoft.com/technet/itsolutions/network/wifi/wififaq.mspx#EAAAA>
You could set this up with MD5 to ask for your credentials every time though, if this is for a POC test.
CTA should be able to achieve SSO as well, but this is a non-default condition for a stand-alone install. You can set up a profile which enables SSO by default though, to achieve an SSO experience for other users. See here for more details:
<http://www.cisco.com/en/US/products/ps5923/products_maintenance_guide_book09186a008068ece8.html>
Hope this helps, -
Anyconnect NAM, does not disable windows wireless supplicant
I am having some issues with anyconnect nam for wireless. When i install nam with a profile, my wireless works fine, and authenticates as it should, no problem there. I can however not figure out how to get nam to remove the built-in windows supplicant in the tray, which shows me a tray icon, where a user can browse the list of SSID's currently broadcasted, i only want the nam supplicant's own list of ssid's to be shown. Any suggestion on how to accomplish this ?
Jan,
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac04namconfig.html
Windows Network Status Task Tray Icon
Network Access Manager overrides Windows network management. After installing Network Access Manager, the Windows networking icon in the task bar may confuse users, because the user can no longer use the network status icon to connect to networks.
You can remove the Windows network icon from the task bar by setting 'Remove the networking icon' in a Windows group policy. This setting only affects the tray icon, the user can still create native wireless networks using the Control Panel.
**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**
Please Rate if helpful.
Regards
Ed -
Cisco ISE. Windows Native Supplicant on VMware
How do I configure a VMware host with a Windows 7 guest workstation to do a lab test of 802.1x authentication?
I have created the workstation and linked it to the port on UCS; the port connects to a 3850 switch in access mode. How do I test it? I'm having problems with 802.1x authentication.
Thank you guys... I got it up and running. Not sure what the problem was.
Another problem: do you know if there is a way to run AnyConnect authentication on a Windows 7 VM that is connected to a trunk port on the switch? Meaning this VM host will have, for example, 10 servers and 5 Windows 7 workstations, with multiple VLANs connected to a trunk port. Can I run 802.1x auth on 2 out of my 5 workstations?
Should I install Nexus 1000v?
Thanks
WLC 2106 and Microsoft IAS and Windows XP Supplicant
For one of my SSID's I am using 802.1x with WPA2/AES. I have configured IAS on windows server 2003 and from the server message logs I am able to authenticate a user. I never complete the authentication through the eyes of the WLC though. In using debug commands on the WLC I can see an error that I can not solve.
Wed Apr 7 03:09:40 2010: 00:23:4e:70:a9:97 Received EAPOL-Key from mobile 00:23:4e:70:a9:97
Wed Apr 7 03:09:40 2010: 00:23:4e:70:a9:97 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:23:4e:70:a9:97
Wed Apr 7 03:09:40 2010: 00:23:4e:70:a9:97 Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 00:23:4e:70:a9:97
Wed Apr 7 03:09:40 2010: 00:23:4e:70:a9:97 Stopping retransmission timer for mobile 00:23:4e:70:a9:97
I suspect my issue revolves around the message: Ignoring invalid EAPOL version (1) in EAPOL-key message
Anyone have any idea or insight on additional debug steps that can be taken?
Regards,
Justin
ERD Commander (ERD 5.0) is the version that supports Windows XP. The next version is DaRT, which supports Vista and later.
-
802.11n windows pc card
has anyone successfully connected a windows pc card to airport extreme via 802.11n? Anyone know a compatible card?
Although there is no guarantee between vendor products, most devices developed for the same Wi-Fi standards should work together.
One example of a Windows PC Card is the Linksys WPC300N. -
Setup WLAN using 802.1X Windows PKI
Is it possible to setup the WLC 2504 to use Windows 2008 PKI to authenticate domain machines automatically to WLAN?
Here is how to setup NPS
http://www.fatofthelan.com/technical/using-windows-2008-for-radius-authentication/
http://araihan.wordpress.com/2010/04/30/complete-guide-to-build-a-cisco-wireless-infrastructure-using-cisco-wlc-5500-cisco-1142-ap-and-microsoft-radius-server/
Sent from my iPhone -
NAC L2 802.1X: Windows Logon Problem
Using CTA 4.0.2, ACS SE 4.x, and Windows AD the following occurs:
1. When login to WindowsXP using Local Account, then CTA prompts its login. I can then put the AD account. This process works!
2. When login to WindowsXP using AD Account, the error msg "domain xyz is not available", so the CTA prompt never come-up
3. When login to WindowsXP using "CACHED" AD Account, then CTA prompts its login. I can then put the AD account. This process works also!
4. Using Single Sign-on with "Never Validate Server", #2 and #3 occured.
Any input is very appreciated. Cisco TAC has been notified.
thanks,
Audie
703-292-5316
Hi all,
I have the exact same problem.
I have just upgraded my ACS to 4.1 but that didn't help with the problem.
You write "CTA 4.0.2"....I suppose you mean 2.0.x ?
Did you guys do anything extra on the ACS to get this to work ?
Kind regards
KDam -
802.1x windows group policy
We have a strange issue: some users are disconnected and connected again within a few seconds,
which results in the Cisco NAC agent starting again to check posture status, but there are no logs on the switch showing that the ports went down; also, IP phones are connected between the switch and the PC.
We noticed that there is a group policy pushed from the domain at the same time.
Has anyone faced this issue (when applying group policy, the network card resets)?
1- CP-7945
2- Windows 8.1.
3- WS-C3750X-24P.
4-
switchport mode access
switchport voice vlan x
ip arp inspection limit rate x
authentication event fail action next-method
authentication event server dead action reinitialize vlan x
authentication event server dead action authorize voice
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 12
spanning-tree portfast
ip verify source