Authentication result 'no-response'

Hi, I have a simple MDA config:
interface FastEthernet0/4
 switchport access vlan 84
 switchport mode access
 switchport voice vlan 70
 ip access-group default_acl in
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 3
 dot1x max-reauth-req 3
 storm-control broadcast level 5.00
 storm-control action shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
When I connect ONLY the PHONE to this port, it authenticates successfully via MAB. When I connect only the PC, it authenticates successfully via dot1x. But when I connect the PC through the PHONE, the phone authenticates successfully but the PC does not; in my ISE server log I see only MAB attempts for the PC, no dot1x attempts.
ARHIV-ROOM36(config-if)#
Jan 29 12:08:04.380: %LINK-5-CHANGED: Interface FastEthernet0/4, changed state to administratively down
Jan 29 12:08:05.387: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to down
ARHIV-ROOM36(config-if)#exi
ARHIV-ROOM36(config)#exi
Jan 29 12:08:06.536: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up
Jan 29 12:08:07.543: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to up
ARHIV-ROOM36(config)#exi
ARHIV-ROOM36#
Jan 29 12:08:08.021: %SYS-5-CONFIG_I: Configured from console by ask on vty0 (10.110.11.253)
ARHIV-ROOM36#
Jan 29 12:08:09.170: %AUTHMGR-5-START: Starting 'dot1x' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
Jan 29 12:08:10.076: %AUTHMGR-5-START: Starting 'dot1x' for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID 0A6E0A0400000078A11BF97A
ARHIV-ROOM36#
Jan 29 12:08:18.591: %DOT1X-5-FAIL: Authentication failed for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID
Jan 29 12:08:18.591: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
Jan 29 12:08:18.591: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
Jan 29 12:08:18.591: %AUTHMGR-5-START: Starting 'mab' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
Jan 29 12:08:18.608: %MAB-5-FAIL: Authentication failed for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
Jan 29 12:08:18.608: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
Jan 29 12:08:18.608: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
Jan 29 12:08:18.608: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
ARHIV-ROOM36#
Jan 29 12:08:18.608: %AUTHMGR-5-FAIL: Authorization failed for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
ARHIV-ROOM36#
Jan 29 12:08:21.678: %DOT1X-5-FAIL: Authentication failed for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID
Jan 29 12:08:21.678: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID 0A6E0A0400000078A11BF97A
Jan 29 12:08:21.678: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID 0A6E0A0400000078A11BF97A
Jan 29 12:08:21.678: %AUTHMGR-5-START: Starting 'mab' for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID 0A6E0A0400000078A11BF97A
Jan 29 12:08:21.728: %MAB-5-SUCCESS: Authentication successful for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID 0A6E0A0400000078A11BF97A
ARHIV-ROOM36#
Jan 29 12:08:21.728: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID 0A6E0A0400000078A11BF97A
ARHIV-ROOM36#
Jan 29 12:08:22.718: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID 0A6E0A0400000078A11BF97A
ARHIV-ROOM36#
Jan 29 12:09:19.334: %AUTHMGR-5-START: Starting 'dot1x' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
ARHIV-ROOM36#
Jan 29 12:09:31.850: %DOT1X-5-FAIL: Authentication failed for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID
Jan 29 12:09:31.850: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
Jan 29 12:09:31.850: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
Jan 29 12:09:31.850: %AUTHMGR-5-START: Starting 'mab' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
Jan 29 12:09:31.866: %MAB-5-FAIL: Authentication failed for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
Jan 29 12:09:31.866: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
Jan 29 12:09:31.866: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
Jan 29 12:09:31.866: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
ARHIV-ROOM36#
Jan 29 12:09:31.866: %AUTHMGR-5-FAIL: Authorization failed for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
ARHIV-ROOM36#sh run | i aaa
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa session-id common
ARHIV-ROOM36#sh run | i radius
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 10.5.45.128 auth-port 1812 acct-port 1813 key 7 xxxx
radius-server vsa send accounting
radius-server vsa send authentication

Hi,
1) Yesterday I changed the IOS on this switch from
c2960c405-universalk9-mz.122-55.EX3
to
c2960c405-universalk9-mz.150-2.SE1.bin
2) Same thing: on my ISE server I see only an attempt to authenticate my PC via MAB.
This is what I see at the end of the log when the phone boots up and authenticates:
Jan 30 14:22:24.087: %MAB-5-SUCCESS: Authentication successful for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID 0A6E0A0400000030000EB3C3
Jan 30 14:22:24.087: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID 0A6E0A0400000030000EB3C3
ARHIV-ROOM36#
Jan 30 14:22:24.473: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID 0A6E0A0400000030000EB3C3
This is what I see when I plug my PC into the phone:
2222.txt
3) Cisco/Linksys SPA502G
Yesterday I changed the firmware from 7.4.6 to 7.5.4 (on another phone of the same series, SPA502G), and now this is what I see when the phone boots up and authenticates:
Jan 30 14:41:28.750: %MAB-5-SUCCESS: Authentication successful for client (649e.f377.39f8) on Interface Fa0/4 AuditSessionID 0A6E0A040000003E0020225F
ARHIV-ROOM36#
Jan 30 14:41:28.750: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (649e.f377.39f8) on Interface Fa0/4 AuditSessionID 0A6E0A040000003E0020225F
ARHIV-ROOM36#
Jan 30 14:41:29.505: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (649e.f377.39f8) on Interface Fa0/4 AuditSessionID 0A6E0A040000003E0020225F
This is what I see when I plug my PC into the phone with the new firmware:
3333.txt
So my PC authenticates successfully.
So I think it's a bug in the phone firmware, but I checked all the release notes for this phone firmware and there is nothing about this bug, so I'm confused.
4) No, I don't have any Norton, McAfee and so on.
Is it possible that the phone blocks the EAPOL messages of dot1x?
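
The per-client sequence in the console output above (dot1x 'no-response', failover to MAB, then either success or NOMOREMETHODS) can be extracted from a log automatically. The Python below is an added example, not part of the original posts; the sample lines, MAC addresses and session IDs are constructed, and the function names and category labels are this example's own.

```python
import re
from collections import OrderedDict

# Constructed sample in the same syslog format as the console output above.
# MAC addresses, session IDs and the prompt are made up for this example.
_SID1 = "AuditSessionID 0A0000010000000100000001"
_SID2 = "AuditSessionID 0A0000010000000200000002"
_PC = "for client (0000.5e00.5301) on Interface Fa0/4 "
_PHONE = "for client (0000.5e00.5302) on Interface Fa0/4 "
SAMPLE_LOG = "\n".join([
    "Jan 29 12:08:09.170: %AUTHMGR-5-START: Starting 'dot1x' " + _PC + _SID1,
    "Jan 29 12:08:10.076: %AUTHMGR-5-START: Starting 'dot1x' " + _PHONE + _SID2,
    "SWITCH#",
    "Jan 29 12:08:18.591: %DOT1X-5-FAIL: Authentication failed " + _PC + "AuditSessionID",
    "Jan 29 12:08:18.591: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' " + _PC + _SID1,
    "Jan 29 12:08:18.591: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' " + _PC + _SID1,
    "Jan 29 12:08:18.591: %AUTHMGR-5-START: Starting 'mab' " + _PC + _SID1,
    "Jan 29 12:08:18.608: %MAB-5-FAIL: Authentication failed " + _PC + _SID1,
    "Jan 29 12:08:18.608: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' " + _PC + _SID1,
    "Jan 29 12:08:18.608: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods " + _PC + _SID1,
    "Jan 29 12:08:18.608: %AUTHMGR-5-FAIL: Authorization failed " + _PC + _SID1,
    "Jan 29 12:08:21.678: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' " + _PHONE + _SID2,
    "Jan 29 12:08:21.678: %AUTHMGR-5-START: Starting 'mab' " + _PHONE + _SID2,
    "Jan 29 12:08:21.728: %MAB-5-SUCCESS: Authentication successful " + _PHONE + _SID2,
    "Jan 29 12:08:21.728: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' " + _PHONE + _SID2,
    "Jan 29 12:08:22.718: %AUTHMGR-5-SUCCESS: Authorization succeeded " + _PHONE + _SID2,
]) + "\n"

LINE_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)")
CLIENT_RE = re.compile(r"client \((?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4})\) on Interface (?P<ifc>\S+)")
RESULT_RE = re.compile(r"result '(?P<result>[\w-]+)' from '(?P<method>\w+)'")
START_RE = re.compile(r"Starting '(?P<method>\w+)'")


def parse_events(text):
    """Return one dict per AUTHMGR/DOT1X/MAB message that names a client MAC."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["facility"] not in ("AUTHMGR", "DOT1X", "MAB"):
            continue                      # prompts, LINK/LINEPROTO messages, etc.
        c = CLIENT_RE.search(m["text"])
        if not c:
            continue                      # e.g. "(Unknown MAC)" or VLANASSIGN lines
        r = RESULT_RE.search(m["text"]) or START_RE.search(m["text"])
        groups = r.groupdict() if r else {}
        events.append({
            "ts": line[:m.start()].strip(" :*"),
            "facility": m["facility"],
            "mnemonic": m["mnemonic"],
            "mac": c["mac"].lower(),
            "interface": c["ifc"],
            "method": groups.get("method"),
            "result": groups.get("result"),
        })
    return events


def summarise(events):
    """Fold events into the state of the latest attempt per (interface, MAC)."""
    clients = OrderedDict()
    for ev in events:
        st = clients.setdefault((ev["interface"], ev["mac"]),
                                {"results": {}, "authorized": None, "exhausted": 0})
        tag = (ev["facility"], ev["mnemonic"])
        if tag == ("AUTHMGR", "START"):
            # A method starting again after it already reported a result
            # means a new authentication round: forget the previous one.
            if ev["method"] in st["results"]:
                st["results"].clear()
                st["authorized"] = None
        elif tag == ("AUTHMGR", "RESULT"):
            st["results"][ev["method"]] = ev["result"]
        elif tag == ("AUTHMGR", "NOMOREMETHODS"):
            st["exhausted"] += 1
        elif tag == ("AUTHMGR", "SUCCESS"):
            st["authorized"] = True
        elif tag == ("AUTHMGR", "FAIL"):
            st["authorized"] = False
    return clients


def classify(state):
    """Label a client by how (or whether) it ended up authorized."""
    res = state["results"]
    if state["authorized"] and res.get("dot1x") == "success":
        return "dot1x"
    if state["authorized"] and res.get("mab") == "success":
        # Authorized on MAC address alone; note whether dot1x was tried first.
        return "mab-fallback" if "dot1x" in res else "mab"
    if state["authorized"] is False and res and set(res.values()) == {"no-response"}:
        return "unauthorized-no-response"   # every method ended in 'no-response'
    if state["authorized"] is False:
        return "unauthorized"
    return "in-progress"


def report(text):
    """Return [(interface, mac, label, per-method results)] for a log excerpt."""
    return [(ifc, mac, classify(st), dict(st["results"]))
            for (ifc, mac), st in summarise(parse_events(text)).items()]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(*row)
```

Run over a real capture, the `mab-fallback` rows list the endpoints that are on the network by MAC address only, and the `unauthorized-no-response` rows list the ones for which neither method got an answer.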

Similar Messages

  • 802.1x EAP-TLS with NPS/W2008 - Authentication result 'timeout'

    Hello
    [Env on my lab investigation]
    supplicant - W7 with cert
    authenticator - Catalyst 2960 with IOS 15.0(1)SE2 /newest/
    authentication server 2x - W2008/NPS like a RADIUS server
    [Config some part of authenticator]
    interface FastEthernet0/1
    switchport access vlan 34
    switchport mode access
    authentication event fail retry 1 action authorize vlan 47
    authentication event server dead action authorize vlan 35
    authentication event no-response action authorize vlan 47
    authentication event server alive action reinitialize
    authentication port-control auto
    dot1x pae authenticator
    dot1x timeout quiet-period 15
    dot1x timeout tx-period 15
    spanning-tree portfast
    [Symptoms]
    After a reboot of the authenticator, the supplicant connected to FE0/1 is finally put into the Guest VLAN 47, and before that I saw Authentication result 'timeout' on the authenticator's console. But when the switch is up and running and I connect the same supplicant (W7 with cert) to the same authenticator port FE0/1, the supplicant is finally put into static VLAN 34.
    [Summary]
    The problem is the end stations that are still connected to the supplicant port /using EAP-TLS/ after the supplicant reboot! All of them will be put into the Guest VLAN instead of static VLAN 34!
    [The question]
    What is wrong, and how and what should be configured/tuned on the authenticator or authentication server to prevent authentication timeouts after the reboot?
    Of course, after 20 minutes /the next EAPOL start frame/ the supplicant is put into VLAN 34.
    [Logs]
    During this I observed Wireshark on the supplicant, the authenticator console and Wireshark on the NPS, below:
    1. supplicant and authenticator order of flow in Wireshark:
    - supplicant EAPOL Start
    - authenticator EAP Request Identity
    - supplicant Response Identity, 3 times
    - supplicant EAPOL Start
    - authenticator EAP Failure
    - authenticator EAP Request Identity x2
    - supplicant Response Identity x2
    and again; more detail about the flow is in the Wireshark chart at the end
    2. the authenticator console looked like this:
    *Mar  1 00:02:51.563: %DOT1X-5-FAIL: Authentication failed for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    *Mar  1 00:02:51.563: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    *Mar  1 00:02:51.563: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    krasw8021x>
    *Mar  1 00:03:52.876: %DOT1X-5-FAIL: Authentication failed for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    *Mar  1 00:03:52.876: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    *Mar  1 00:03:52.876: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    and finally
    *Mar  1 00:05:00.286: %AUTHMGR-5-VLANASSIGN: VLAN 47 assigned to Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
    *Mar  1 00:05:01.167: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
    *Mar  1 00:05:01.302: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
    3. Authentication server:
    - NPS doesn't receive any RADIUS Access-Request/Response.
    [supplicant EAPOL flow chart, source Wireshark]
    |Time     |Source          |Destination |Message                                  |
    |0,041    |Cisco_f9:98:81  |Nearest     |EAP: Request, Identity [RFC3748]         |
    |0,045    |Cisco_f9:98:81  |Nearest     |EAP: Request, Identity [RFC3748]         |
    |0,051    |Dell_12:cf:80   |Nearest     |EAPOL: Start                             |
    |0,065    |Cisco_f9:98:81  |Nearest     |EAP: Request, Identity [RFC3748]         |
    |0,075    |Dell_12:cf:80   |Nearest     |EAP: Response, Identity [RFC3748]        |
    |0,075    |Dell_12:cf:80   |Nearest     |EAP: Response, Identity [RFC3748]        |
    |18,063   |Dell_12:cf:80   |Nearest     |EAPOL: Start                             |
    |18,065   |Cisco_f9:98:81  |Nearest     |EAP: Failure                             |
    |18,268   |Cisco_f9:98:81  |Nearest     |EAP: Request, Identity [RFC3748]         |
    |18,303   |Dell_12:cf:80   |Nearest     |EAP: Response, Identity [RFC3748]        |
    |18,307   |Cisco_f9:98:81  |Nearest     |EAP: Request, Identity [RFC3748]         |
    |18,307   |Dell_12:cf:80   |Nearest     |EAP: Response, Identity [RFC3748]        |
    |37,073   |Cisco_f9:98:81  |Nearest     |EAP: Request, EAP-TLS [RFC5216] [Aboba]  |
    |67,941   |Cisco_f9:98:81  |Nearest     |EAP: Request, EAP-TLS [RFC5216] [Aboba]  |
    |98,805   |Cisco_f9:98:81  |Nearest     |EAP: Request, EAP-TLS [RFC5216] [Aboba]  |
    |129,684  |Cisco_f9:98:81  |Nearest     |EAP: Failure                             |
    |144,697  |Cisco_f9:98:81  |Nearest     |EAP: Request, Identity [RFC3748]         |
    |160,125  |Cisco_f9:98:81  |Nearest     |EAP: Request, Identity [RFC3748]         |
    |175,561  |Cisco_f9:98:81  |Nearest     |EAP: Request, Identity [RFC3748]         |
    |190,996  |Cisco_f9:98:81  |Nearest     |EAP: Failure                             |
    |206,002  |Cisco_f9:98:81  |Nearest     |EAP: Failure                             |
    |206,204  |Cisco_f9:98:81  |Nearest     |EAP: Request, Identity [RFC3748]         |
    |212,103  |Cisco_f9:98:81  |Nearest     |EAP: Request, Identity [RFC3748]         |
    |227,535  |Cisco_f9:98:81  |Nearest     |EAP: Request, Identity [RFC3748]         |
    |242,970  |Cisco_f9:98:81  |Nearest     |EAP: Request, Identity [RFC3748]         |
    /regards Piter 

    Hi,
    Did you ever try to configure re-authentication?
    Is the client up and running if you connect it to the switch?
    Sent from Cisco Technical Support iPad App

  • ISE 1.2 Authentication Failures at First time Connection

    Hi,
    I have trouble with ISE 1.2 when trying to authenticate an end device for the first time. This device might be a workstation, IP phone, printer, etc. It fails or stays in running mode. The result is the same: it cannot access the network. Hopefully I'm still in open mode :)
    As I described in the beginning, everything has status Running or Authz Failed, and after a period of time, usually one day, it finally succeeds.
    This happens mostly for workstations and printers, but phones do not show the same behavior. I unplug and plug the phones or I shut/no shut the ports in order to trigger it to succeed. For some phones this worked, but others obstinately declined.
    The phones, which are not Cisco phones, authenticate with MD5 (a simple username and pass); I think the problem should not be related to the auth protocol.
    Below are some logs from one phone. To come to a short conclusion, for me this must be related either to the switches, which are 3750e (15.02 SE 4 IOS),
    or to the ISE itself, because I have almost the same behavior for all end devices.
    I kindly await your comments...
    2169669: Apr 16 18:02:20.573 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to up
    2169670: Apr 16 18:02:20.783 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5E8855C01DE
    2169671: Apr 16 18:02:20.791 EEST: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5E8855C01DE
    S301#
    2169672: Apr 16 18:02:20.992 EEST: %AUTHMGR-5-START: Starting 'dot1x' for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5F0855DE0EF
    2169673: Apr 16 18:02:21.580 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to up
    S301#
    2169674: Apr 16 18:02:24.289 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to down
    S301#
    2169675: Apr 16 18:02:25.288 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to down
    2169676: Apr 16 18:02:26.269 EEST: %AUTHMGR-5-START: Starting 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169677: Apr 16 18:02:26.294 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169678: Apr 16 18:02:26.294 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169679: Apr 16 18:02:26.303 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169680: Apr 16 18:02:26.303 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169681: Apr 16 18:02:26.319 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169682: Apr 16 18:02:26.319 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169683: Apr 16 18:02:26.319 EEST: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169684: Apr 16 18:02:26.319 EEST: %AUTHMGR-5-START: Starting 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169685: Apr 16 18:02:26.328 EEST: %MAB-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169686: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169687: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    2169688: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    S301#
    2169689: Apr 16 18:02:26.336 EEST: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
    S301#
    2169690: Apr 16 18:02:27.737 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to up
    2169691: Apr 16 18:02:28.744 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to up
    Regards
    T.C

    I'm not using an authentication method with certificates for any end devices.
    Workstations use the Windows default authentication protocol, EAP/MSCHAPv2.
    In front of them there are non-Cisco IP phones with auth method EAP/MD5.
    Finally, I also have some printers, again with the option EAP/MD5.
    For all of these devices I got the same behavior: after many hours they finally authenticated with ISE. But is this the expected behavior?
    What I understand is that if the devices finally authenticated, then it means that there isn't anything wrong with the method.
    The points I don't understand are 3:
    Why is there so much delay for all devices to authenticate?
    Why do some devices, mostly IP phones (not all), keep failing the authentication method? All my devices are identical, with the same software / patch, same model etc.
    I have noticed that some devices randomly succeed one moment and fail the next.
    So to my understanding there is abnormal behavior, and I cannot find the way / pattern to correct it or to understand the reason :)
    Port config
    switchport access vlan xxx
     switchport mode access
     switchport voice vlan yyy
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan xxx
     authentication event server dead action authorize voice
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     no cdp enable
     spanning-tree portfast
    result template
    Switch#sh auth sess int g1/0/46
                Interface:  GigabitEthernet1/0/46
              MAC Address:  xxxx.xxxx.xxxx
               IP Address:  xx.xxx.xx.xxx
                User-Name:  xxxxxxxxxxxx
                   Status:  Authz Failed
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-domain
         Oper control dir:  both
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A114D0A00001972016208E1
          Acct Session ID:  0x00001BB7
                   Handle:  0x6D0009B6
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Failed over

  • Authentication Host-Mode Multi-Auth not working

    hi
    In my lab environment I configured 802.1x with "Multi-Auth" mode for multiple clients on a single protected port to be authenticated against a Microsoft NPS AAA server.
    Switch ports configured with the Single-Host or Multi-Host options are working fine, but "Multi-Auth" mode is not working. My hardware details and configurations are as follows
    Catalyst Model = WS-C2960S-24TSL running IOS 12.2(55)SE2
    Current configuration : 10423 bytes
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    aaa new-model
    aaa group server radius NPS
    server-private x.x.x.x auth-port 1645 acct-port 1646 key <removed>
    aaa authentication dot1x default group NPS
    aaa authorization network default group NPS
    aaa session-id common
    switch 1 provision ws-c2960s-24ts-l
    authentication mac-move permit
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    interface GigabitEthernet1/0/1
    switchport access vlan 5
    switchport mode access
    authentication order dot1x webauth
    authentication priority dot1x webauth
    authentication port-control auto
    authentication timer reauthenticate 7200
    authentication violation protect
    dot1x pae authenticator
    spanning-tree portfast
    interface GigabitEthernet1/0/5
    switchport access vlan 5
    switchport mode access
    switchport voice vlan 98
    authentication host-mode multi-auth
    authentication order dot1x mab webauth
    authentication priority dot1x
    authentication port-control auto
    dot1x pae authenticator
    interface GigabitEthernet1/0/7
    switchport access vlan 5
    switchport mode access
    authentication host-mode multi-host
    authentication order dot1x webauth
    authentication priority dot1x webauth
    authentication port-control auto
    authentication timer reauthenticate 7200
    authentication violation protect
    dot1x pae authenticator
    spanning-tree portfast
    interface Vlan5
    ip address x.x.x.x x.x.x.x
    interface Vlan98
    no ip address
    radius-server vsa send accounting
    radius-server vsa send authentication
    end
    My debug log for Authentication, dot1x and AAA is as follows.
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) dot1x_pm_mda_port_link_linkcomingup: voice VLAN 98, data VLAN 5
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Setting domain ALL to UNATHED
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Host access set to ask on unauthorized port since feature
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5)  host access set to 1 on GigabitEthernet1/0/5
    *Mar  1 01:58:51.354: dot1x-ev(Gi1/0/5): Interface state changed to UP
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Enabling dot1x in switch shim
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Host access set to ask on unauthorized port since feature
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5)  host access set to 1 on GigabitEthernet1/0/5
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Host access set to ask on unauthorized port since feature
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5)  host access set to 1 on GigabitEthernet1/0/5
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Received clear security violation
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Received clear security violation
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Link UP
    *Mar  1 01:58:51.360: AAA/BIND(00000004): Bind i/f
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Assigned AAA ID 0x00000004
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Retrieved Accounting Session ID 0x00000004
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Allocated new Auth Manager context (handle 0x83000002)
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Initialising Method dot1x state to 'Not run'
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Adding method dot1x to runnable list for Auth Mgr context 0x
    *Mar  1 01:58:51.360: AUTH-EVENT: auth_mgr_idc_add_record: Recv audit_sid=0000000000000002006CD0E0
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Sending START to dot1x (handle 0x83000002)
    *Mar  1 01:58:51.360:     dot1x_auth Gi1/0/5: initial state auth_initialize has enter
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_initialize_enter called
    *Mar  1 01:58:51.360:     dot1x_auth Gi1/0/5: during state auth_initialize, got event 0(cfg_auto)
    *Mar  1 01:58:51.360: @@@ dot1x_auth Gi1/0/5: auth_initialize -> auth_disconnected
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_disconnected_enter called
    *Mar  1 01:58:51.360:     dot1x_auth Gi1/0/5: idle during state auth_disconnected
    *Mar  1 01:58:51.360: @@@ dot1x_auth Gi1/0/5: auth_disconnected -> auth_restart
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_restart_enter called
    *Mar  1 01:58:51.360: dot1x-ev(Gi1/0/5): Sending create new context event to EAP for 0x4100002D (0000.0000.0000)
    *Mar  1 01:58:51.360:     dot1x_auth_bend Gi1/0/5: initial state auth_bend_initialize has enter
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_initialize_enter called
    *Mar  1 01:58:51.360:     dot1x_auth_bend Gi1/0/5: initial state auth_bend_initialize has idle
    *Mar  1 01:58:51.360:     dot1x_auth_bend Gi1/0/5: during state auth_bend_initialize, got event 16383(idle)
    *Mar  1 01:58:51.360: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_initialize -> auth_bend_idle
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_idle_enter called
    *Mar  1 01:58:51.360: dot1x-ev(Gi1/0/5): Created a client entry (0x4100002D)
    *Mar  1 01:58:51.360: dot1x-ev(Gi1/0/5): Dot1x authentication started for 0x4100002D (0000.0000.0000)
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Received handle 0x4100002D from method
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Context changing state from 'Idle' to 'Running'
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Method dot1x changing state from 'Not run' to 'Running'
    *Mar  1 01:58:51.360: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/5
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): Posting !EAP_RESTART on Client 0x4100002D
    *Mar  1 01:58:51.360:     dot1x_auth Gi1/0/5: during state auth_restart, got event 6(no_eapRestart)
    *Mar  1 01:58:51.360: @@@ dot1x_auth Gi1/0/5: auth_restart -> auth_connecting
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_connecting_enter called
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_restart_connecting_action called
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): Posting RX_REQ on Client 0x4100002D
    *Mar  1 01:58:51.365:     dot1x_auth Gi1/0/5: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
    *Mar  1 01:58:51.365: @@@ dot1x_auth Gi1/0/5: auth_connecting -> auth_authenticating
    *Mar  1 01:58:51.365: dot1x-sm(Gi1/0/5): 0x4100002D:auth_authenticating_enter called
    *Mar  1 01:58:51.365: dot1x-sm(Gi1/0/5): 0x4100002D:auth_connecting_authenticating_action called
    *Mar  1 01:58:51.365: dot1x-sm(Gi1/0/5): Posting AUTH_START for 0x4100002D
    *Mar  1 01:58:51.365:     dot1x_auth_bend Gi1/0/5: during state auth_bend_idle, got event 4(eapReq_authStart)
    *Mar  1 01:58:51.365: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_idle -> auth_bend_request
    *Mar  1 01:58:51.365: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_enter called
    *Mar  1 01:58:51.365: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE address
    *Mar  1 01:58:51.365: dot1x-ev(Gi1/0/5): Role determination not required
    *Mar  1 01:58:51.365: dot1x-registry:registry:dot1x_ether_macaddr called
    *Mar  1 01:58:51.365: dot1x-ev(Gi1/0/5): Sending out EAPOL packet
    *Mar  1 01:58:51.365: EAPOL pak dump Tx
    *Mar  1 01:58:51.365: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    *Mar  1 01:58:51.365: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    *Mar  1 01:58:51.365: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0x4100002D (0000.0000.0000)
    *Mar  1 01:58:51.365: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_idle_request_action called
    *Mar  1 01:58:53.352: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to up
    *Mar  1 01:58:54.353: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/5, changed state to up
    *Mar  1 01:59:22.188: dot1x-sm(Gi1/0/5): Posting EAP_REQ for 0x4100002D
    *Mar  1 01:59:22.188:     dot1x_auth_bend Gi1/0/5: during state auth_bend_request, got event 7(eapReq)
    *Mar  1 01:59:22.188: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_bend_request
    *Mar  1 01:59:22.188: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_request_action called
    *Mar  1 01:59:22.188: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_enter called
    *Mar  1 01:59:22.188: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE address
    *Mar  1 01:59:22.188: dot1x-ev(Gi1/0/5): Role determination not required
    *Mar  1 01:59:22.188: dot1x-registry:registry:dot1x_ether_macaddr called
    *Mar  1 01:59:22.188: dot1x-ev(Gi1/0/5): Sending out EAPOL packet
    *Mar  1 01:59:22.188: EAPOL pak dump Tx
    *Mar  1 01:59:22.188: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    *Mar  1 01:59:22.188: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    *Mar  1 01:59:22.188: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0x4100002D (0000.0000.0000)
    *Mar  1 01:59:53.016: dot1x-sm(Gi1/0/5): Posting EAP_REQ for 0x4100002D
    *Mar  1 01:59:53.016:     dot1x_auth_bend Gi1/0/5: during state auth_bend_request, got event 7(eapReq)
    *Mar  1 01:59:53.016: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_bend_request
    *Mar  1 01:59:53.016: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_request_action called
    *Mar  1 01:59:53.016: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_enter called
    *Mar  1 01:59:53.016: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE address
    *Mar  1 01:59:53.016: dot1x-ev(Gi1/0/5): Role determination not required
    *Mar  1 01:59:53.016: dot1x-registry:registry:dot1x_ether_macaddr called
    *Mar  1 01:59:53.016: dot1x-ev(Gi1/0/5): Sending out EAPOL packet
    *Mar  1 01:59:53.016: EAPOL pak dump Tx
    *Mar  1 01:59:53.016: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    *Mar  1 01:59:53.016: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    *Mar  1 01:59:53.016: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0x4100002D (0000.0000.0000)
    *Mar  1 02:00:23.844: dot1x-ev(Gi1/0/5): Received an EAP Timeout
    *Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): Posting EAP_TIMEOUT for 0x4100002D
    *Mar  1 02:00:23.844:     dot1x_auth_bend Gi1/0/5: during state auth_bend_request, got event 12(eapTimeout)
    *Mar  1 02:00:23.844: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_bend_timeout
    *Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_timeout_enter called
    *Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_timeout_action called
    *Mar  1 02:00:23.844:     dot1x_auth_bend Gi1/0/5: idle during state auth_bend_timeout
    *Mar  1 02:00:23.844: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_timeout -> auth_bend_idle
    *Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_idle_enter called
    *Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): Posting AUTH_TIMEOUT on Client 0x4100002D
    *Mar  1 02:00:23.844:     dot1x_auth Gi1/0/5: during state auth_authenticating, got event 14(authTimeout)
    *Mar  1 02:00:23.844: @@@ dot1x_auth Gi1/0/5: auth_authenticating -> auth_authc_result
    *Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_authenticating_exit called
    *Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_authc_result_enter called
    *Mar  1 02:00:23.844: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID
    *Mar  1 02:00:23.844: dot1x-ev(Gi1/0/5): Sending event (2) to Auth Mgr for 0000.0000.0000
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Received AUTHC_RESULT from dot1x (handle 0x83000002)
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Authc Result: no-response
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Method dot1x changing state from 'Running' to 'Authc Failed'
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Context changing state from 'Running' to 'Authc Failed'
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Existing AAA ID: 0x00000004
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Received AAA ID 0x00000004 from method
    *Mar  1 02:00:23.844: AUTH-EVENT: Enter auth_mgr_idc_modify_keys
    *Mar  1 02:00:23.844: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Sending AUTHZ_FAIL to dot1x (handle 0x83000002)
    *Mar  1 02:00:23.844: dot1x-ev(Gi1/0/5): Received Authz fail for the client  0x4100002D (0000.0000.0000)
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Method dot1x changing state from 'Authc Failed' to 'Failed over'
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Sending DELETE to dot1x (handle 0x83000002)
    *Mar  1 02:00:23.844: dot1x-ev(Gi1/0/5): Deleting client 0x4100002D (0000.0000.0000)
    *Mar  1 02:00:23.844: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0
    *Mar  1 02:00:23.844: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) No more runnable methods
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Context changing state from 'Authc Failed' to 'No Methods'
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Building default attribute list for unresponsive client
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Signalling Authc fail for client 0000.0000.0000
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
    *Mar  1 02:00:23.844: %AUTHMGR-5-FAIL: Authorization failed for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Context changing state from 'No Methods' to 'Authz Failed'
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Signalling Authz fail for client 0000.0000.0000
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) dot1x_switch_authz_fail: Called for GigabitEthernet1/0/5 and 0000.0000.0000
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Host access set to ask on unauthorized port since feature
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5)  host access set to 1 on GigabitEthernet1/0/5
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Setting domain DATA to UNATHED
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
    *Mar  1 02:00:23.849: AUTH-SYNC (Gi1/0/5) Syncing update for context (0000.0000.0000)
    *Mar  1 02:00:23.849: AUTH-EVENT: Started Auth Manager tick timer
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Started 'restart' timer (60s) for client 0000.0000.0000
    *Mar  1 02:00:23.849: dot1x-sm(Gi1/0/5): Posting_AUTHZ_FAIL on Client 0x4100002D
    *Mar  1 02:00:23.849:     dot1x_auth Gi1/0/5: during state auth_authc_result, got event 22(authzFail)
    *Mar  1 02:00:23.849: @@@ dot1x_auth Gi1/0/5: auth_authc_result -> auth_held
    *Mar  1 02:00:23.849: dot1x-ev:Delete auth client (0x4100002D) message
    *Mar  1 02:00:23.849: dot1x-ev:Auth client ctx destroyed
    *Mar  1 02:00:23.849: dot1x-ev:Aborted posting message to authenticator state machine: Invalid client

    Multiauthentication Mode
    Available in Cisco IOS Release 12.2(33)SXI and later releases, multiauthentication (multiauth) mode allows one 802.1X/MAB client on the voice VLAN and multiple authenticated 802.1X/MAB/webauth clients on the data VLAN. When a hub or access point is connected to an 802.1X port (as shown in Figure 60-5), multiauth mode provides enhanced security over the multiple-hosts mode by requiring authentication of each connected client. For non-802.1X devices, MAB or web-based authentication can be used as the fallback method for individual host authentications, which allows different hosts to be authenticated through different methods on a single port.
    Multiauth also supports MDA functionality on the voice VLAN by assigning authenticated devices to either a data or voice VLAN depending on the data that the VSAs received from the authentication server.
    Release 12.2(33)SXJ and later releases support the assignment of a RADIUS server-supplied VLAN in multiauth mode, by using the existing commands and when these conditions occur:
    • The host is the first host authorized on the port, and the RADIUS server supplies VLAN information.
    • Subsequent hosts are authorized with a VLAN that matches the operational VLAN.
    • A host is authorized on the port with no VLAN assignment, and subsequent hosts either have no VLAN assignment, or their VLAN information matches the operational VLAN.
    • The first host authorized on the port has a group VLAN assignment, and subsequent hosts either have no VLAN assignment, or their group VLAN matches the group VLAN on the port. Subsequent hosts must use the same VLAN from the VLAN group as the first host. If a VLAN list is used, all hosts are subject to the conditions specified in the VLAN list.
    • After a VLAN is assigned to a host on the port, subsequent hosts must have matching VLAN information or be denied access to the port.
    • The behavior of the critical-auth VLAN is not changed for multiauth mode. When a host tries to authenticate and the server is not reachable, all authorized hosts are reinitialized in the configured VLAN.
    NOTE:
    • Only one voice VLAN is supported on a multiauth port.
    • You cannot configure a guest VLAN or an auth-fail VLAN in multiauth mode.
    For more information:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html

  • 802.1x authentication problem on C2960S-48TS-L with Linux clients

    Hi,
    Due to implementing wired 802.1x in my company I faced the problem of authentication of some Linux computers (Ubuntu 13.10+) via mab at one of my Access switches (C2960S-48TS-L). The problem exists on IOS 12.55 and 15.0(2)SE6.
    It seems that the Authenticator can't detect the MAC address of the supplicant. In debug the MAC address is (Unknown MAC) or (0000.0000.0000).
    Before authentication I could see the registered MAC address on the switchport interface (without 802.1x settings on the port):
    sh mac address-table interface g1/0/2          "before 802.1x authentication"
    Vlan    Mac Address       Type        Ports
       2    0015.990f.60d9    STATIC      Gi1/0/2
    The host should get to Vlan 2 after failed authentication (according to port settings). But actually, after trying to authenticate, the host on this port loses connection with the network and doesn't get into Vlan 2.
    sh mac address-table interface g1/0/2              "after 802.1x authentication"
    Vlan    Mac Address       Type        Ports
    sh authentication sessions
    Interface  MAC Address     Method   Domain   Status         Session ID
    Gi1/0/24   (unknown)       dot1x    DATA     Authz Success  6A7D1FAF0000000000023E32
    Gi1/0/25   (unknown)       dot1x    DATA     Authz Success  6A7D1FAF0000000200024193
    Gi1/0/2    (unknown)       mab      UNKNOWN  Running        6A7D1FAF000000280011BA1A
    sh dot1x interface g1/0/2 details
    Dot1x Info for GigabitEthernet1/0/2
    PAE                       = AUTHENTICATOR
    QuietPeriod               = 5
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthMax                 = 2
    MaxReq                    = 2
    TxPeriod                  = 3
    sh run int g1/0/2
    interface GigabitEthernet1/0/2
     description ## User Port ##
     switchport access vlan 2
     switchport mode access
     switchport voice vlan 5
     switchport port-security maximum 5
     switchport port-security
     switchport port-security aging time 2
     switchport port-security aging type inactivity
     ip arp inspection limit rate 120
     authentication event fail retry 0 action authorize vlan 2
     authentication event server dead action authorize vlan 2
     authentication event no-response action authorize vlan 2
     authentication host-mode multi-host
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate 3900
     authentication timer inactivity 300
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout quiet-period 5
     dot1x timeout tx-period 3
     storm-control broadcast level 1.00
     storm-control multicast level 1.00
     storm-control action trap
     no cdp enable
     spanning-tree portfast
     spanning-tree bpduguard enable
     spanning-tree guard root
    end
    I have tried to change authentication host-mode to multi-domain but the problem remains.
    "debug dot1x all" is in the attached file.
    Please help me to resolve this issue.

    I have removed port security but still have failed authentication on the port
    002262: Mar 26 16:23:26.516: dot1x-ev(Gi1/0/2): Deleting client 0x9A000053 (0000.0000.0000)
    002263: Mar 26 16:23:26.516: dot1x-ev:Delete auth client (0x9A000053) message
    002264: Mar 26 16:23:26.516: dot1x-ev:Auth client ctx destroyed
    002265: Mar 26 16:23:26.715:     dot1x_auth Gi1/0/2: initial state auth_initialize has enter
    002266: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_initialize_enter called
    002267: Mar 26 16:23:26.715:     dot1x_auth Gi1/0/2: during state auth_initialize, got event 0(cfg_auto)
    002268: Mar 26 16:23:26.715: @@@ dot1x_auth Gi1/0/2: auth_initialize -> auth_disconnected
    002269: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_disconnected_enter called
    002270: Mar 26 16:23:26.715:     dot1x_auth Gi1/0/2: idle during state auth_disconnected
    002271: Mar 26 16:23:26.715: @@@ dot1x_auth Gi1/0/2: auth_disconnected -> auth_restart
    002272: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_restart_enter called
    002273: Mar 26 16:23:26.715: dot1x-ev(Gi1/0/2): Sending create new context event to EAP for 0x6D000054 (0000.0000.0000)
    002274: Mar 26 16:23:26.715:     dot1x_auth_bend Gi1/0/2: initial state auth_bend_initialize has enter
    002275: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_initialize_enter called
    002276: Mar 26 16:23:26.715:     dot1x_auth_bend Gi1/0/2: initial state auth_bend_initialize has idle
    002277: Mar 26 16:23:26.715:     dot1x_auth_bend Gi1/0/2: during state auth_bend_initialize, got event 16383(idle)
    002278: Mar 26 16:23:26.715: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_initialize -> auth_bend_idle
    002279: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_idle_enter called
    002280: Mar 26 16:23:26.715: dot1x-ev(Gi1/0/2): Created a client entry (0x6D000054)
    002281: Mar 26 16:23:26.715: dot1x-ev(Gi1/0/2): Dot1x authentication started for 0x6D000054 (0000.0000.0000)
    002282: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): Posting !EAP_RESTART on Client 0x6D000054
    002283: Mar 26 16:23:26.715:     dot1x_auth Gi1/0/2: during state auth_restart, got event 6(no_eapRestart)
    002284: Mar 26 16:23:26.715: @@@ dot1x_auth Gi1/0/2: auth_restart -> auth_connecting
    002285: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_connecting_enter called
    002286: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_restart_connecting_action called
    002287: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): Posting RX_REQ on Client 0x6D000054
    002288: Mar 26 16:23:26.721:     dot1x_auth Gi1/0/2: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
    002289: Mar 26 16:23:26.721: @@@ dot1x_auth Gi1/0/2: auth_connecting -> auth_authenticating
    002290: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_authenticating_enter called
    002291: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_connecting_authenticating_action called
    002292: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): Posting AUTH_START for 0x6D000054
    002293: Mar 26 16:23:26.721:     dot1x_auth_bend Gi1/0/2: during state auth_bend_idle, got event 4(eapReq_authStart)
    002294: Mar 26 16:23:26.721: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_idle -> auth_bend_request
    002295: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_enter called
    002296: Mar 26 16:23:26.721: dot1x-ev(Gi1/0/2): Sending EAPOL packet to group PAE address
    002297: Mar 26 16:23:26.721: dot1x-ev(Gi1/0/2): Role determination not required
    002298: Mar 26 16:23:26.721: dot1x-registry:registry:dot1x_ether_macaddr called
    002299: Mar 26 16:23:26.721: dot1x-ev(Gi1/0/2): Sending out EAPOL packet
    002300: Mar 26 16:23:26.721: EAPOL pak dump Tx
    002301: Mar 26 16:23:26.721: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    002302: Mar 26 16:23:26.721: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    002303: Mar 26 16:23:26.721: dot1x-packet(Gi1/0/2): EAPOL packet sent to client 0x6D000054 (0000.0000.0000)
    002304: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_idle_request_action called
    002305: Mar 26 16:23:29.814: dot1x-sm(Gi1/0/2): Posting EAP_REQ for 0x6D000054
    002306: Mar 26 16:23:29.814:     dot1x_auth_bend Gi1/0/2: during state auth_bend_request, got event 7(eapReq)
    002307: Mar 26 16:23:29.814: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_request -> auth_bend_request
    002308: Mar 26 16:23:29.814: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_request_action called
    002309: Mar 26 16:23:29.814: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_enter called
    002310: Mar 26 16:23:29.814: dot1x-ev(Gi1/0/2): Sending EAPOL packet to group PAE address
    002311: Mar 26 16:23:29.814: dot1x-ev(Gi1/0/2): Role determination not required
    002312: Mar 26 16:23:29.814: dot1x-registry:registry:dot1x_ether_macaddr called
    002313: Mar 26 16:23:29.814: dot1x-ev(Gi1/0/2): Sending out EAPOL packet
    002314: Mar 26 16:23:29.814: EAPOL pak dump Tx
    002315: Mar 26 16:23:29.814: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    002316: Mar 26 16:23:29.814: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    002317: Mar 26 16:23:29.814: dot1x-packet(Gi1/0/2): EAPOL packet sent to client 0x6D000054 (0000.0000.0000)
    002318: Mar 26 16:23:32.907: dot1x-sm(Gi1/0/2): Posting EAP_REQ for 0x6D000054
    002319: Mar 26 16:23:32.907:     dot1x_auth_bend Gi1/0/2: during state auth_bend_request, got event 7(eapReq)
    002320: Mar 26 16:23:32.907: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_request -> auth_bend_request
    002321: Mar 26 16:23:32.907: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_request_action called
    002322: Mar 26 16:23:32.907: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_enter called
    002323: Mar 26 16:23:32.913: dot1x-ev(Gi1/0/2): Sending EAPOL packet to group PAE address
    002324: Mar 26 16:23:32.913: dot1x-ev(Gi1/0/2): Role determination not required
    002325: Mar 26 16:23:32.913: dot1x-registry:registry:dot1x_ether_macaddr called
    002326: Mar 26 16:23:32.913: dot1x-ev(Gi1/0/2): Sending out EAPOL packet
    002327: Mar 26 16:23:32.913: EAPOL pak dump Tx
    002328: Mar 26 16:23:32.913: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    002329: Mar 26 16:23:32.913: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    002330: Mar 26 16:23:32.913: dot1x-packet(Gi1/0/2): EAPOL packet sent to client 0x6D000054 (0000.0000.0000)
    002331: Mar 26 16:23:36.001: dot1x-ev(Gi1/0/2): Received an EAP Timeout
    002332: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): Posting EAP_TIMEOUT for 0x6D000054
    002333: Mar 26 16:23:36.001:     dot1x_auth_bend Gi1/0/2: during state auth_bend_request, got event 12(eapTimeout)
    002334: Mar 26 16:23:36.001: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_request -> auth_bend_timeout
    002335: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_timeout_enter called
    002336: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_timeout_action called
    002337: Mar 26 16:23:36.001:     dot1x_auth_bend Gi1/0/2: idle during state auth_bend_timeout
    002338: Mar 26 16:23:36.001: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_timeout -> auth_bend_idle
    002339: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_idle_enter called
    002340: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): Posting AUTH_TIMEOUT on Client 0x6D000054
    002341: Mar 26 16:23:36.001:     dot1x_auth Gi1/0/2: during state auth_authenticating, got event 14(authTimeout)
    002342: Mar 26 16:23:36.001: @@@ dot1x_auth Gi1/0/2: auth_authenticating -> auth_authc_result
    002343: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_authenticating_exit called
    002344: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_authc_result_enter called
    002345: Mar 26 16:23:36.001: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi1/0/2 AuditSessionID 6A7D1FAF0000006001916AC3
    002346: Mar 26 16:23:36.001: dot1x-ev(Gi1/0/2): Sending event (2) to Auth Mgr for 0000.0000.0000
    002347: Mar 26 16:23:36.001: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/2 AuditSessionID 6A7D1FAF0000006001916AC3
    002348: Mar 26 16:23:36.001: dot1x-ev(Gi1/0/2): Received Authz fail for the client  0x6D000054 (0000.0000.0000)
    002349: Mar 26 16:23:36.001: dot1x-ev(Gi1/0/2): Deleting client 0x6D000054 (0000.0000.0000)
    002350: Mar 26 16:23:36.001: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/2 AuditSessionID 6A7D1FAF0000006001916AC3
    002351: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): Posting_AUTHZ_FAIL on Client 0x6D000054
    002352: Mar 26 16:23:36.001:     dot1x_auth Gi1/0/2: during state auth_authc_result, got event 22(authzFail)
    002353: Mar 26 16:23:36.006: @@@ dot1x_auth Gi1/0/2: auth_authc_result -> auth_held
    002354: Mar 26 16:23:36.006: dot1x-ev:Delete auth client (0x6D000054) message
    002355: Mar 26 16:23:36.006: dot1x-ev:Auth client ctx destroyed
    002356: Mar 26 16:23:36.006: dot1x-ev:Aborted posting message to authenticator state machine: Invalid client
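The debug output above shows three EAP-Request/Identity frames (EAP code 0x1, type 0x1) sent about 3 seconds apart before the 'no-response' result. The following is an added example, not part of the original posts, that measures this from a debug log; the function names are hypothetical, and `expected_wait` assumes the commonly documented relationship that dot1x waits tx-period × (max-reauth-req + 1) seconds for a silent client.

```python
import re
from datetime import datetime
from statistics import mean

# Lines excerpted from the debug output posted above (port Gi1/0/2).
DEBUG_EXCERPT = """\
002303: Mar 26 16:23:26.721: dot1x-packet(Gi1/0/2): EAPOL packet sent to client 0x6D000054 (0000.0000.0000)
002317: Mar 26 16:23:29.814: dot1x-packet(Gi1/0/2): EAPOL packet sent to client 0x6D000054 (0000.0000.0000)
002330: Mar 26 16:23:32.913: dot1x-packet(Gi1/0/2): EAPOL packet sent to client 0x6D000054 (0000.0000.0000)
002331: Mar 26 16:23:36.001: dot1x-ev(Gi1/0/2): Received an EAP Timeout
002347: Mar 26 16:23:36.001: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/2 AuditSessionID 6A7D1FAF0000006001916AC3
"""

# Optional sequence number, optional '*' or '.' clock marker, then
# "Mon DD HH:MM:SS[.mmm]:" followed by the message text.
STAMP = re.compile(
    r"^\s*(?:\d+:\s*)?[*.]?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?):\s*(?P<rest>.*)$"
)
SENT = re.compile(r"dot1x-packet\((?P<intf>[^)]+)\): EAPOL packet sent to client")
TIMEOUT = re.compile(r"dot1x-ev\((?P<intf>[^)]+)\): Received an EAP Timeout")
RESULT = re.compile(
    r"Authentication result '(?P<result>[\w-]+)' from 'dot1x' .* on Interface (?P<intf>\S+)"
)


def parse_stamp(line):
    """Return (datetime, message) for an IOS log line, or None if it has no timestamp."""
    m = STAMP.match(line)
    if m is None:
        return None
    ts = " ".join(m["ts"].split())  # "Mar  1" -> "Mar 1"
    fmt = "%Y %b %d %H:%M:%S.%f" if "." in ts else "%Y %b %d %H:%M:%S"
    # The log carries no year; a fixed leap year is assumed so any date parses.
    return datetime.strptime("2000 " + ts, fmt), m["rest"]


def eap_request_timing(text):
    """Group EAPOL transmissions into rounds per port; a round ends at an EAP timeout."""
    rounds = {}
    for line in text.splitlines():
        parsed = parse_stamp(line)
        if parsed is None:
            continue
        when, rest = parsed
        if (m := SENT.search(rest)):
            port = rounds.setdefault(m["intf"], [])
            if not port or port[-1]["timeout"] is not None:
                port.append({"sent": [], "timeout": None, "result": None})
            port[-1]["sent"].append(when)
        elif (m := TIMEOUT.search(rest)):
            port = rounds.get(m["intf"])
            if port and port[-1]["timeout"] is None:
                port[-1]["timeout"] = when
        elif (m := RESULT.search(rest)):
            port = rounds.get(m["intf"])
            if port and port[-1]["result"] is None:
                port[-1]["result"] = m["result"]
    return {intf: [_measure(r) for r in port] for intf, port in rounds.items()}


def _measure(rnd):
    """Reduce one round to request count, estimated tx-period and total wait."""
    sent = rnd["sent"]
    gaps = [(b - a).total_seconds() for a, b in zip(sent, sent[1:])]
    waited = (rnd["timeout"] - sent[0]).total_seconds() if rnd["timeout"] else None
    return {
        "requests": len(sent),
        "tx_period_estimate": round(mean(gaps)) if gaps else None,
        "waited": waited,
        "result": rnd["result"],
    }


def expected_wait(tx_period, max_reauth_req):
    """Assumed relationship: one initial request plus max-reauth-req retries."""
    return tx_period * (max_reauth_req + 1)


if __name__ == "__main__":
    for intf, measured in eap_request_timing(DEBUG_EXCERPT).items():
        for n, r in enumerate(measured, 1):
            print(intf, "round", n, r)
```

For the excerpt this gives three requests, an estimated tx-period of 3 seconds and a wait of about 9.3 seconds, in line with the `TxPeriod = 3` and `ReAuthMax = 2` values in the `sh dot1x interface` output of the same post.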

  • Cisco 2960 802.1x authentication fail

    Physical switch version:
    C2960 Boot Loader (C2960-HBOOT-M) Version 15.0(2r)EZ1, RELEASE SOFTWARE (fc1)
    System image file is "flash:/c2960-lanbasek9-mz.150-2.SE5/c2960-lanbasek9-mz.150-2.SE5.bin"
    The goal of this lab is to authenticate only by the MAC address of the laptop.
    Currently, I have trouble as follows and don't know what the root cause is.
    Please give me some guidance.
    Thanks so much
    *Mar  2 20:45:03.908: %AUTHMGR-5-START: Starting 'mab' for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
    *Mar  2 20:45:04.218: %MAB-5-FAIL: Authentication failed for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
    *Mar  2 20:45:04.218: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
    *Mar  2 20:45:04.218: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
    *Mar  2 20:45:04.218: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
    *Mar  2 20:45:04.218: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
    *Mar  2 20:45:05.720: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
    *Mar  2 20:45:06.726: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

    I have a few questions:
    1. What type of Radius server do you have?
    2. Can you post a screenshot of your Radius AAA policies?
    3. Do you have the mac address entered in your Radius server?
    4. Provide the output from the following commands:
    - show aaa servers
    - show authentication session interface interface_name_number
    Thank you for rating helpful posts!

  • 802.1x on Cisco 3750 switch: How to stop retrying the authentication for the un-authorized guests

    Hi experts,
    I'm trying to stop the authentication retry for the guests. They won't have the credentials to be authorized and will be put in the guest VLAN. However the switch seems by default to always retry the authentication every 15 seconds or so. It's fine if the guests are few but I'm implementing it at a hotel where most users are guests (like 1000 of them at the same time...).
    I really need to turn it off or at least find some timer to decrease the frequency... It's urgent because the hotel is about to open... The following is the config I put on an interface:
    switchport access vlan 1055
    switchport mode access
    switchport nonegotiate
    switchport voice vlan 657
    ip access-group ACL_PortIso_IDF21 in
    authentication event fail action authorize vlan 1055
    authentication event no-response action authorize vlan 1055
    authentication host-mode multi-domain
    authentication port-control auto
    authentication violation protect
    mab
    no snmp trap link-status
    dot1x pae authenticator
    dot1x timeout quiet-period 300
    dot1x timeout tx-period 2
    dot1x timeout supp-timeout 2
    dot1x max-reauth-req 10
    dot1x timeout held-period 300
    no cdp enable
    spanning-tree portfast
    spanning-tree bpduguard enable
    no ip igmp snooping tcn flood
    Thanks!

    Elly,
    Soon I will have a Windows laptop plugged in. Then I will be able to run Wireshark. Now I have to run the "debug dot1x packets" since the attached device is a phone.
    So first I "clear dot1x session int f3/0/13". After a couple of "failure" eventually it will show this:
    "%AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa3/0/13"
    (Weird... why is it showing "success"? Anyway when the authentication restarts again after several minutes there won't be any "success" any more, as shown in my previous text file. They are)
    Then I have the debug turned on:
    .Jan 25 12:47:21: %AUTHMGR-5-START: Starting 'dot1x' for client (0019.f302.a378) on Interface Fa3/0/13 AuditSessionID 0A8F7325000010629B960A41
    INDJWSW01-2104#
    .Jan 25 12:47:21: EAPOL pak dump Tx
    .Jan 25 12:47:21: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    .Jan 25 12:47:21: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    .Jan 25 12:47:21: dot1x-packet(Fa3/0/13): EAPOL packet sent to client 0x5600009F (0019.f302.a378)
    INDJWSW01-2104#
    .Jan 25 12:47:23: EAPOL pak dump Tx
    .Jan 25 12:47:23: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    .Jan 25 12:47:23: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    .Jan 25 12:47:23: dot1x-packet(Fa3/0/13): EAPOL packet sent to client 0x5600009F (0019.f302.a378)
    INDJWSW01-2104#
    .Jan 25 12:47:25: EAPOL pak dump Tx
    .Jan 25 12:47:25: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    .Jan 25 12:47:25: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    .Jan 25 12:47:25: dot1x-packet(Fa3/0/13): EAPOL packet sent to client 0x5600009F (0019.f302.a378)
    INDJWSW01-2104#
    .Jan 25 12:47:27: %DOT1X-5-FAIL: Authentication failed for client (0019.f302.a378) on Interface Fa3/0/13 AuditSessionID 0A8F7325000010629B960A41
    .Jan 25 12:47:27: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0019.f302.a378) on Interface Fa3/0/13 AuditSessionID 0A8F7325000010629B960A41
    .Jan 25 12:47:27: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0019.f302.a378) on Interface Fa3/0/13 AuditSessionID 0A8F7325000010629B960A41
    INDJWSW01-2104#
    .Jan 25 12:47:27: %AUTHMGR-5-START: Starting 'mab' for client (0019.f302.a378) on Interface Fa3/0/13 AuditSessionID 0A8F7325000010629B960A41
    .Jan 25 12:47:28: %MAB-5-FAIL: Authentication failed for client (0019.f302.a378) on Interface Fa3/0/13 AuditSessionID 0A8F7325000010629B960A41
    .Jan 25 12:47:28: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'mab' for client (0019.f302.a378) on Interface Fa3/0/13 AuditSessionID 0A8F7325000010629B960A41
    .Jan 25 12:47:28: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0019.f302.a378) on Interface Fa3/0/13 AuditSessionID 0A8F7325000010629B960A41
    .Jan 25 12:47:28: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0019.f302.a378) on Interface Fa3/0/13 AuditSessionID 0A8F7325000010629B960A41
    Then the message will repeat and repeat forever... It seems that the switch Tx the packets first... Any ideas???
    Thanks!
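The repeating dot1x → mab → NOMOREMETHODS sequence described above can be summarized per client from the %AUTHMGR syslog lines. The following is an added example, not part of the original posts; the function names are hypothetical, the first cycle is excerpted from the post, and the second cycle is constructed by shifting it 60 seconds to stand in for a repeat.

```python
import re
from datetime import datetime

# First cycle: lines excerpted from the post above.
CYCLE_ONE = """\
.Jan 25 12:47:21: %AUTHMGR-5-START: Starting 'dot1x' for client (0019.f302.a378) on Interface Fa3/0/13 AuditSessionID 0A8F7325000010629B960A41
.Jan 25 12:47:27: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0019.f302.a378) on Interface Fa3/0/13 AuditSessionID 0A8F7325000010629B960A41
.Jan 25 12:47:27: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0019.f302.a378) on Interface Fa3/0/13 AuditSessionID 0A8F7325000010629B960A41
.Jan 25 12:47:27: %AUTHMGR-5-START: Starting 'mab' for client (0019.f302.a378) on Interface Fa3/0/13 AuditSessionID 0A8F7325000010629B960A41
.Jan 25 12:47:28: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'mab' for client (0019.f302.a378) on Interface Fa3/0/13 AuditSessionID 0A8F7325000010629B960A41
.Jan 25 12:47:28: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0019.f302.a378) on Interface Fa3/0/13 AuditSessionID 0A8F7325000010629B960A41
"""
# Second cycle: constructed for this example (timestamps are not from the page).
SYSLOG_SAMPLE = CYCLE_ONE + CYCLE_ONE.replace(" 12:47:", " 12:48:")

EVENT = re.compile(
    r"^\s*(?:\d+:\s*)?[*.]?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?):\s*"
    r"%AUTHMGR-\d-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$"
)
WHO = r"for client \((?P<client>[^)]+)\) on Interface (?P<intf>\S+)"
START = re.compile(r"Starting '(?P<method>[\w-]+)' " + WHO)
RESULT = re.compile(r"Authentication result '(?P<result>[\w-]+)' from '(?P<method>[\w-]+)' " + WHO)
EXHAUSTED = re.compile(r"Exhausted all authentication methods " + WHO)


def _when(ts):
    """Parse an IOS timestamp; the log has no year, so a fixed leap year is assumed."""
    ts = " ".join(ts.split())
    fmt = "%Y %b %d %H:%M:%S.%f" if "." in ts else "%Y %b %d %H:%M:%S"
    return datetime.strptime("2000 " + ts, fmt)


def summarize(text):
    """Return {(interface, client): [cycle, ...]}; a cycle runs from the first
    START until 'success' or NOMOREMETHODS."""
    sessions = {}
    for line in text.splitlines():
        ev = EVENT.match(line)
        if ev is None:
            continue
        mnemonic, msg = ev["mnemonic"], ev["msg"]
        if mnemonic == "START" and (m := START.search(msg)):
            cycles = sessions.setdefault((m["intf"], m["client"]), [])
            if not cycles or cycles[-1]["closed"]:
                cycles.append({"started": _when(ev["ts"]), "attempts": [],
                               "exhausted": False, "closed": False})
        elif mnemonic == "RESULT" and (m := RESULT.search(msg)):
            cycles = sessions.get((m["intf"], m["client"]))
            if cycles and not cycles[-1]["closed"]:
                cycles[-1]["attempts"].append((m["method"], m["result"]))
                cycles[-1]["closed"] = m["result"] == "success"
        elif mnemonic == "NOMOREMETHODS" and (m := EXHAUSTED.search(msg)):
            cycles = sessions.get((m["intf"], m["client"]))
            if cycles and not cycles[-1]["closed"]:
                cycles[-1]["exhausted"] = cycles[-1]["closed"] = True
    return sessions


def retry_intervals(cycles):
    """Seconds between the starts of consecutive authentication cycles."""
    starts = [c["started"] for c in cycles]
    return [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]


def is_retry_loop(cycles, min_repeats=2):
    """True when the last `min_repeats` cycles exhausted the same methods with the same results."""
    tail = cycles[-min_repeats:]
    return (len(tail) == min_repeats
            and all(c["exhausted"] for c in tail)
            and all(c["attempts"] == tail[0]["attempts"] for c in tail))


if __name__ == "__main__":
    for (intf, client), cycles in summarize(SYSLOG_SAMPLE).items():
        print(intf, client, [c["attempts"] for c in cycles],
              retry_intervals(cycles), is_retry_loop(cycles))
```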

  • Dot1x authentication problem

    Hi
       Hello,
       we have a dot1x authentication problem.
       When I enter the dot1x configuration on the interface, the user authentication interface goes into err-disable state.
       Below is the interface configuration:
    interface FastEthernet0/45
    switchport access vlan 21
    switchport mode access
    authentication host-mode multi-auth
    authentication port-control auto
    mab eap
    dot1x pae both
    dot1x timeout quiet-period 3
    dot1x timeout tx-period 5
    spanning-tree portfast
    Switch authentication failure log:
    Jun  4 16:52:16.381: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun  4 16:52:16.381: %AUTHMGR-5-START: Starting 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun  4 16:52:16.423: %MAB-5-FAIL: Authentication failed for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun  4 16:52:16.423: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun  4 16:52:16.423: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun  4 16:52:16.423: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun  4 16:52:16.423: %AUTHMGR-5-FAIL: Authorization failed for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun  4 16:53:17.165: %AUTHMGR-5-START: Starting 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun  4 16:53:21.376: %DOT1X-5-SUCCESS: Authentication successful for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID
    Jun  4 16:53:21.376: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun  4 16:53:21.376: %DOT1X_SWITCH-5-ERR_ADDING_ADDRESS: Unable to add address 2c41.380f.f187 on Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun  4 16:53:21.376: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/45, new MAC address (2c41.380f.f187) is seen.AuditSessionID  0A51F11D000000266273D33D
    Jun  4 16:53:21.376: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/45, putting Fa0/45 in err-disable state
    Jun  4 16:53:22.400: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/45, changed state to down

    AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/45, new MAC address (2c41.380f.f187) is seen.AuditSessionID 0A51F11D000000266273D33D
    Interface host mode limits the number of hosts that can be attached to an interface. The limit was exceeded and caused a security violation. The interface is error disabled.
    Therefore, what NAJAF has said could be one reason, or your CAM table is full, so try the clear mac address-table command, and the clear port-security command if the address is secured on a port.
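
    Added example, not part of the thread or of any Cisco tooling: a Python triage script that rebuilds each client's method timeline from AUTHMGR and PM messages and flags the sequence described in the answer above (a successful authentication followed by a security violation and err-disable). The log lines, MAC addresses, session IDs and verdict names are constructed for illustration.

```python
import re
from collections import OrderedDict

# Constructed sample (documentation-style MACs, made-up session IDs) in the
# message formats quoted in the thread above. Fa0/45 repeats the err-disable
# sequence; Fa0/46 and Fa0/47 show two other failure shapes seen on this page.
SAMPLE_LOG = """\
Jun  4 16:52:16.381: %AUTHMGR-5-START: Starting 'mab' for client (0000.5e00.5301) on Interface Fa0/45 AuditSessionID 0A00000100000001
Jun  4 16:52:16.423: %MAB-5-FAIL: Authentication failed for client (0000.5e00.5301) on Interface Fa0/45 AuditSessionID 0A00000100000001
Jun  4 16:52:16.423: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0000.5e00.5301) on Interface Fa0/45 AuditSessionID 0A00000100000001
Jun  4 16:52:16.423: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0000.5e00.5301) on Interface Fa0/45 AuditSessionID 0A00000100000001
Jun  4 16:52:16.423: %AUTHMGR-5-FAIL: Authorization failed for client (0000.5e00.5301) on Interface Fa0/45 AuditSessionID 0A00000100000001
Jun  4 16:53:17.165: %AUTHMGR-5-START: Starting 'dot1x' for client (0000.5e00.5301) on Interface Fa0/45 AuditSessionID 0A00000100000001
Jun  4 16:53:21.376: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0000.5e00.5301) on Interface Fa0/45 AuditSessionID 0A00000100000001
Jun  4 16:53:21.376: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/45, new MAC address (0000.5e00.5301) is seen.AuditSessionID  0A00000100000001
Jun  4 16:53:21.376: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/45, putting Fa0/45 in err-disable state
Jun  4 16:54:32.115: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0000.5e00.5302) on Interface Fa0/46 AuditSessionID 0A00000100000002
Jun  4 16:54:32.115: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0000.5e00.5302) on Interface Fa0/46 AuditSessionID 0A00000100000002
Jun  4 16:54:32.115: %AUTHMGR-5-FAIL: Authorization failed for client (0000.5e00.5302) on Interface Fa0/46 AuditSessionID 0A00000100000002
Jun  4 16:55:10.088: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0000.5e00.5303) on Interface Fa0/47 AuditSessionID 0A00000100000003
Jun  4 16:55:10.255: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0000.5e00.5303) on Interface Fa0/47 AuditSessionID 0A00000100000003
Jun  4 16:55:11.036: %AUTHMGR-5-FAIL: Authorization failed for client (0000.5e00.5303) on Interface Fa0/47 AuditSessionID 0A00000100000003
"""

MSG_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-\d-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)")
MAC_RE = re.compile(r"\(((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\)", re.I)
IFACE_RE = re.compile(r"(?:[Ii]nterface|detected on) ([A-Za-z]+)(\d+(?:/\d+)*)")
RESULT_RE = re.compile(r"result '([^']+)' from '([^']+)'")
SHORT = {"FastEthernet": "Fa", "GigabitEthernet": "Gi", "TenGigabitEthernet": "Te"}


def build_sessions(log_text):
    """Return (sessions, err_disabled): a timeline per (interface, MAC) and
    the set of ports that PM reported as err-disabled."""
    sessions, err_disabled = OrderedDict(), set()
    for line in log_text.splitlines():
        m, iface_m = MSG_RE.search(line), IFACE_RE.search(line)
        if not (m and iface_m):
            continue
        # 'FastEthernet0/45' and 'Fa0/45' must land on the same key.
        iface = SHORT.get(iface_m.group(1), iface_m.group(1)) + iface_m.group(2)
        key = m.group("fac") + "-" + m.group("mnem")
        if key == "PM-ERR_DISABLE":
            err_disabled.add(iface)
            continue
        mac_m = MAC_RE.search(m.group("text"))
        if not mac_m:
            continue  # link state lines, or "(Unknown MAC)"
        s = sessions.setdefault((iface, mac_m.group(1).lower()),
                                {"attempts": [], "authz": None, "flags": []})
        if key == "AUTHMGR-RESULT":
            result, method = RESULT_RE.search(m.group("text")).groups()
            s["attempts"].append((method, result))
        elif key == "AUTHMGR-SUCCESS":
            s["authz"] = "succeeded"
        elif key == "AUTHMGR-FAIL":
            if s["authz"] == "succeeded":
                s["flags"].append("authz-revoked")
            s["authz"] = "failed"
        elif key == "AUTHMGR-SECURITY_VIOLATION":
            last = s["attempts"][-1] if s["attempts"] else None
            s["flags"].append("violation-after-success"
                              if last and last[1] == "success" else "violation")
    return sessions, err_disabled


def diagnose(sessions, err_disabled):
    """Map each (interface, MAC) to (verdict, methods tried, port err-disabled?)."""
    report = {}
    for (iface, mac), s in sessions.items():
        results = [r for _, r in s["attempts"]]
        if "violation-after-success" in s["flags"]:
            verdict = "violation-after-success"   # host-mode limit / stale MAC entry
        elif "authz-revoked" in s["flags"]:
            verdict = "authz-revoked"             # success, then authorization failed
        elif results and all(r == "no-response" for r in results):
            verdict = "all-no-response"           # no method got a usable answer
        elif s["authz"] == "failed":
            verdict = "failed"
        else:
            verdict = "ok"
        report[(iface, mac)] = (verdict, s["attempts"], iface in err_disabled)
    return report


if __name__ == "__main__":
    for (iface, mac), (verdict, tried, errd) in diagnose(*build_sessions(SAMPLE_LOG)).items():
        print(iface, mac, verdict, tried, "err-disabled" if errd else "")
```

    A `violation-after-success` verdict on an err-disabled port is the case the answer above addresses: the credentials were accepted, so the host-mode limit and leftover MAC or port-security entries are the things to check, not the RADIUS policy.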

  • Delay the first dot1x authentication message after a port comes up

    Cisco ISE: 1.2
    Switch IOS: 15.0.2.EX4
    Hello,
    I have configured the APs to authenticate with 802.1X via the switch.
    When I shut the port on which the AP is connected and then no shut it, the port comes up a few seconds later and the switch sends a dot1x authentication.
    I feel that the AP has not finished booting and that's why it fails, because the AP doesn't answer that authentication request.
    I was wondering if it's possible to delay the first authentication message the switch sends just after a port comes up?
    When I use debug commands I see
    %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
    %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
    %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
    %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
    %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
    NB: you'll see exhausted all authentication methods because I only configured dot1x on the port (no mab or anything else)
    Thank you for all answers

    Hello,
    Thank you for your reply. That document is very interesting.
    I've just read the chapter regarding the profiling with APs so far and got them working properly the way they showed it.
    However I'm not a big fan of MAB and profiling, because ISE retrieves CDP information collected through SNMP.
    - You need CDP (or LLDP) enabled and you might not want that for different reasons (Security, Interoperability...)
    - A machine could lie about its identity and pretend through CDP that it's a controller, an AP, a printer and so on.
    That's why the best option, in my opinion, would be that the AP sends its credentials and ISE accepts it or rejects it.
    It's possible to do this with the Cisco APs
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/99791-eapfast-wlc-rad-config.html
    I'm wondering why Cisco chooses a different EAP method for each of their devices (EAP-MD5 -> Cisco Phones, EAP-FAST -> AP)
    So in my humble opinion, the mab/profiling solution is good but not optimal.

  • Windows XP SP3 can't authenticate in 802.1x

    Hi all,
    I'm trying to get working a fresh install with 802.1x in it. I have a serious issue with Windows XP SP3 not authenticating at all... I can see (with a Wireshark) EAPoL Start messages going out from the host, but nothing happens after. The switch is pretending that it has a timeout on dot1x exchanges. We don't have any issue with Windows 7 at all !!!!
    I'm giving you details about the setup :
    Switches : Cisco switching architecture (IOS IP Services K9 12.2(55)SE)
    Authentication Server : Cisco Secure ACS 4.2
    Directories : Microsoft Active Directory and OpenLDAP for the directories
    PKI : External (opensource)
    Clients : Windows XP SP3 and a very few Windows 7
    EAP Method for the moment : PEAP MSCHAPv2
    Concerning switches, typical config is the following (only necessary things appear) :
    swi-test-802.1x#sh run
    Building configuration...
    Current configuration : 6481 bytes
    aaa new-model
    aaa group server radius ACS
    server X.X.X.X auth-port 1645 acct-port 1646
    deadtime 60
    aaa authentication login ACS_RADIUS group ACS local
    aaa authentication dot1x default group ACS local
    aaa authorization exec ACS_RADIUS group ACS local
    aaa authorization network default group ACS
    aaa accounting dot1x default start-stop group ACS
    aaa accounting exec ACS_RADIUS start-stop group ACS
    aaa accounting network ACS_RADIUS start-stop group ACS
    aaa session-id common
    ip device tracking
    dot1x system-auth-control
    interface FastEthernet0/X
    description Typical FlexAuth port 802.1x
    switchport mode access
    switchport voice vlan 160
    ip access-group Acl_Default_Acl in
    authentication event fail action next-method
    authentication event server dead action authorize vlan 99
    authentication event no-response action authorize vlan 99
    authentication host-mode multi-domain
    authentication order mab dot1x
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication timer inactivity server
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast
    ip access-list extended Acl_Default_Acl
    permit ip any any
    radius-server host X.X.X.X auth-port 1645 acct-port 1646 key XXX
    radius-server vsa send accounting
    radius-server vsa send authentication
    end
    If I'm using Windows 7, no problem...
    I've tried to modify different registry keys concerning authMode, SupplicantMode (twice applicable but only right until XP SP2), BlockTime for reauth, following every time Microsoft recommendations and the different published kb...
    I've tried with GPO for a global change or modifying XML template of the interface, but nothing changes...
    I'm giving you the debugs (radius authentication and dot1x events) :
    swi-test-802.1x#
    swi-test-802.1x#
    *Mar  1 01:19:25.727: dot1x-ev(Fa0/1): Interface state changed to UP
    *Mar  1 01:19:25.735: dot1x-ev:DOT1X Supplicant not enabled on FastEthernet0/1
    *Mar  1 01:19:26.230: dot1x-ev(Fa0/1): Interface state changed to DOWN
    *Mar  1 01:19:26.230: dot1x-ev:dot1x_supp_port_down: No DOT1X subblock found on FastEthernet0/1
    *Mar  1 01:19:28.327: dot1x-ev(Fa0/1): Interface state changed to UP
    *Mar  1 01:19:28.336: dot1x-ev:DOT1X Supplicant not enabled on FastEthernet0/1
    *Mar  1 01:19:28.697: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
    *Mar  1 01:19:29.510: %AUTHMGR-5-START: Starting 'mab' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
    *Mar  1 01:19:29.510: RADIUS/ENCODE(0000000B):Orig. component type = DOT1X
    *Mar  1 01:19:29.510: RADIUS(0000000B): Config NAS IP: 0.0.0.0
    *Mar  1 01:19:29.510: RADIUS/ENCODE(0000000B): acct_session_id: 11
    *Mar  1 01:19:29.510: RADIUS(0000000B): sending
    *Mar  1 01:19:29.510: RADIUS/ENCODE: Best Local IP-Address 10.248.2.21 for Radius-Server 10.248.64.20
    *Mar  1 01:19:29.510: RADIUS(0000000B): Send Access-Request to 10.248.64.20:1645 id 1645/19, len 206
    *Mar  1 01:19:29.510: RADIUS:  authenticator 3C AE B6 01 13 26 4E 77 - 94 33 B1 40 B7 A6 06 F8
    *Mar  1 01:19:29.510: RADIUS:  User-Name           [1]   14  "60eb699a0e0f"
    *Mar  1 01:19:29.510: RADIUS:  User-Password       [2]   18  *
    *Mar  1 01:19:29.510: RADIUS:  Service-Type        [6]   6   Call Check                [10]
    *Mar  1 01:19:29.510: RADIUS:  Framed-MTU          [12]  6   1500                     
    *Mar  1 01:19:29.510: RADIUS:  Called-Station-Id   [30]  19  "00-1A-6D-FE-AA-83"
    *Mar  1 01:19:29.510: RADIUS:  Calling-Station-Id  [31]  19  "60-EB-69-9A-0E-0F"
    *Mar  1 01:19:29.510: RADIUS:  Message-Authenticato[80]  18 
    *Mar  1 01:19:29.510: RADIUS:   2F C3 4E 65 14 AF D3 8E B9 E5 29 C3 28 13 C6 B8             [ /Ne)(]
    *Mar  1 01:19:29.510: RADIUS:  EAP-Key-Name        [102] 2   *
    *Mar  1 01:19:29.510: RADIUS:  Vendor, Cisco       [26]  49 
    *Mar  1 01:19:29.510: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0AF80215000000030048C250"
    *Mar  1 01:19:29.510: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    *Mar  1 01:19:29.510: RADIUS:  NAS-Port            [5]   6   50001                    
    *Mar  1 01:19:29.510: RADIUS:  NAS-Port-Id         [87]  17  "FastEthernet0/1"
    *Mar  1 01:19:29.510: RADIUS:  NAS-IP-Address      [4]   6   10.248.2.21              
    *Mar  1 01:19:29.519: RADIUS(0000000B): Started 5 sec timeout
    *Mar  1 01:19:29.527: RADIUS: Received from id 1645/19 10.248.64.20:1645, Access-Reject, len 50
    *Mar  1 01:19:29.527: RADIUS:  authenticator B0 3B E5 8F 22 D1 C1 66 - F6 8F 1A 7E 88 49 AA BB
    *Mar  1 01:19:29.527: RADIUS:  Reply-Message       [18]  12 
    *Mar  1 01:19:29.527: RADIUS:   52 65 6A 65 63 74 65 64 0A 0D          [ Rejected]
    *Mar  1 01:19:29.527: RADIUS:  Message-Authenticato[80]  18 
    *Mar  1 01:19:29.527: RADIUS:   91 5F 64 12 73 8E 76 0C 31 DD 2B B7 2E EC 6E BA          [ _dsv1+.n]
    *Mar  1 01:19:29.527: RADIUS(0000000B): Received from id 1645/19
    *Mar  1 01:19:29.527: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes
    *Mar  1 01:19:29.527: %MAB-5-FAIL: Authentication failed for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
    *Mar  1 01:19:29.527: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
    *Mar  1 01:19:29.527: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
    *Mar  1 01:19:29.527: dot1x-ev(Fa0/1): Couldn't find the supplicant in the list
    *Mar  1 01:19:29.527: dot1x-ev(Fa0/1): Sending create new context event to EAP for 0x9E000002 (60eb.699a.0e0f)
    *Mar  1 01:19:29.535: dot1x-ev(Fa0/1): Created a client entry (0x9E000002)
    *Mar  1 01:19:29.535: dot1x-ev(Fa0/1): Dot1x authentication started for 0x9E000002 (60eb.699a.0e0f)
    *Mar  1 01:19:29.535: %AUTHMGR-5-START: Starting 'dot1x' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
    *Mar  1 01:19:29.535: dot1x-ev(Fa0/1): Sending EAPOL packet to 60eb.699a.0e0f
    *Mar  1 01:19:29.535: dot1x-ev(Fa0/1): Role determination not required
    *Mar  1 01:19:29.535: dot1x-ev(Fa0/1): Sending out EAPOL packet
    *Mar  1 01:19:30.290: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
    *Mar  1 01:19:39.828: dot1x-ev(Fa0/1): Sending EAPOL packet to 60eb.699a.0e0f
    *Mar  1 01:19:39.828: dot1x-ev(Fa0/1): Role determination not required
    *Mar  1 01:19:39.828: dot1x-ev(Fa0/1): Sending out EAPOL packet
    *Mar  1 01:19:50.113: dot1x-ev(Fa0/1): Sending EAPOL packet to 60eb.699a.0e0f
    *Mar  1 01:19:50.113: dot1x-ev(Fa0/1): Role determination not required
    *Mar  1 01:19:50.113: dot1x-ev(Fa0/1): Sending out EAPOL packet
    *Mar  1 01:20:00.414: dot1x-ev(Fa0/1): Received an EAP Timeout
    *Mar  1 01:20:00.414: %DOT1X-5-FAIL: Authentication failed for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID
    *Mar  1 01:20:00.414: dot1x-ev(Fa0/1): Sending event (2) to Auth Mgr for 60eb.699a.0e0f
    *Mar  1 01:20:00.414: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
    *Mar  1 01:20:00.414: dot1x-ev(Fa0/1): Received Authz fail for the client  0x9E000002 (60eb.699a.0e0f)
    *Mar  1 01:20:00.414: dot1x-ev(Fa0/1): Deleting client 0x9E000002 (60eb.699a.0e0f)
    *Mar  1 01:20:00.414: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
    *Mar  1 01:20:00.414: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
    *Mar  1 01:20:00.414: %AUTHMGR-5-VLANASSIGN: VLAN 99 assigned to Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
    *Mar  1 01:20:00.422: dot1x-ev:Delete auth client (0x9E000002) message
    *Mar  1 01:20:00.422: dot1x-ev:Auth client ctx destroyed
    *Mar  1 01:20:00.422: dot1x-ev:Aborted posting message to authenticator state machine: Invalid client
    *Mar  1 01:20:00.733: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
    *Mar  1 01:20:00.733: RADIUS/ENCODE(0000000B):Orig. component type = DOT1X
    *Mar  1 01:20:00.733: RADIUS(0000000B): Config NAS IP: 0.0.0.0
    *Mar  1 01:20:00.733: RADIUS/ENCODE: Best Local IP-Address 10.248.2.21 for Radius-Server 10.248.64.20
    *Mar  1 01:20:00.733: RADIUS(0000000B): Started 5 sec timeout
    *Mar  1 01:20:00.741: RADIUS: Received from id 1646/9 10.248.64.20:1646, Accounting-response, len 20
    swi-test-802.1x#
    swi-test-802.1x#
    If anyone has an idea. Another thing to mention: hosts have a Trend OfficeScan solution for host protection, but it is the same on Windows 7 and everything is OK.
    Thanks for your precious help.
    Pierre-Louis

    Hi Pierre-Louis,
    A couple of questions here:
    - We have a voice vlan defined for the port and multi-domain config. During your tests, do you have the PC connected behind an IP Phone?
    - Which authentication method do you want to go for PC/IP phone?
    - What's the IP Phone model/vendor?
    In the logs, we have an Access-Reject for the client MAB auth attempt and then failover to dot1x auth. However, I don't see a Phone MAC in the logs.
    On the switch debug, we see several EAPOL packets to client 60eb.699a.0e0f, which seems to be a Quanta computer based on the MAC vendor.
    However, no EAPOL packets are seen from the client side. You did indicate seeing an EAPOL Start from the host PC on a sniffer trace.
    - Are you sniffing on the client adapter itself or the switchport to which the client is connected?
    - If we have an IP phone in between, do you also see the EAPOL start packet from the client when sniffing on the switchport?
    Windows XP SP3 has some changes as compared to earlier SP versions:
    http://support.microsoft.com/kb/949984
    The following output would help to further isolate the problem. You will need to ensure that we have timesync between sniffer traces and debug logs for correlation.
    On switch, save logging output of:
    debug radius
    debug dot1x all
    debug authentication all
    debug authentication feature mab_pm all
    debug authentication feature mda all
    debug authentication feature voice all
    Simultaneously you can capture a sniffer trace by spanning the switch port interface to which the Phone/PC is connected. Please don't use any filters during the sniffer capture.
    After the above steps, please do a shut/no shut for the tested port interface and replicate the problem with Win XP SP3.
    Following the test, you can also obtain the output of "show auth sessions int
    HTH,
    Alex

  • About ISE 802.1X question!

    Today my colleagues and I deployed ISE and found the following question.
    Sometimes user authentication and authorization succeed under the same interface, and sometimes user authentication and authorization are not successful. If we restart ISE, it will be normal.
    Why is that?
    Two ISE, distributed deployment.
    I tested redundancy. I shut down the main equipment, and got the following error:
    LOG:==============================================
    The normal time:
    6509-vss#show authentication sessions interface g1/9/36
                Interface:  GigabitEthernet1/9/36
              MAC Address:  0021.cc68.a63e
               IP Address:  172.30.60.11
                User-Name:  daiyue
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-51ef7db1
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1E3C02000000410155DA40
          Acct Session ID:  0x0000006C
                   Handle:  0x73000041
    Runnable methods list:
           Method   State
           mab      Failed over
           dot1x    Authc Success
                Interface:  GigabitEthernet1/9/36
              MAC Address:  0026.2df8.a25f
               IP Address:  172.30.60.10
                User-Name:  daiyue
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-51ef7db1
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1E3C02000000400154E52C
          Acct Session ID:  0x0000006D
                   Handle:  0x91000040
    Runnable methods list:
           Method   State
           mab      Failed over
           dot1x    Authc Success
    When there is a problem:
    6509-vss#
    Feb 27 2014 17:43:11: %DOT1X-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:43:11: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:43:11: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:43:11: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:43:11: %AUTHMGR-5-FAIL: Authorization failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:47:52: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:47:52: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %DOT1X-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-5-FAIL: Authorization failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:48:25: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:25: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:48:29: %DOT1X-5-SUCCESS: Authentication successful for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:48:29: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:48:29: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.2df8.a25f| AuditSessionID AC1E3C020000004D01CCB640| AUTHTYPE DOT1X| EVENT APPLY
    Feb 27 2014 17:48:29: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.2df8.a25f| AuditSessionID AC1E3C020000004D01CCB640| AUTHTYPE DOT1X| EVENT IP-WAIT
    Feb 27 2014 17:48:30: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:48:34: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:34: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    6509-vss(config-if)#
    6509-vss(config-if)#
    Feb 27 2014 17:48:49: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:49: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:49:02: %AUTHMGR-5-START: Starting 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:13: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:49:13: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:49:18: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:49:18: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:49:21: %MAB-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:21: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:21: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:21: %AUTHMGR-5-START: Starting 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:23: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:49:23: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    6509-vss(config-if)#end
    6509-vss#show
    Feb 27 2014 17:49:27: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:49:27: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.authen
    6509-vss#show authentication
    Feb 27 2014 17:49:28: %SYS-5-CONFIG_I: Configured from console by consolese
    6509-vss#show authentication sessions int
    6509-vss#show authentication sessions interface g1/9/36
                Interface:  GigabitEthernet1/9/36
              MAC Address:  0021.cc68.a63e
               IP Address:  Unknown
                User-Name:  0021cc68a63e
                   Status:  Running
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1E3C020000004E01CCCA18
          Acct Session ID:  0x00000086
                   Handle:  0x7300004E
    Runnable methods list:
           Method   State
           mab      Failed over
           dot1x    Running
                Interface:  GigabitEthernet1/9/36
              MAC Address:  0026.2df8.a25f
               IP Address:  Unknown
                User-Name:  shenshu
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1E3C020000004D01CCB640
          Acct Session ID:  0x00000089
                   Handle:  0xB400004D
    Runnable methods list:
           Method   State
           mab      Not run
           dot1x    Authc Success
    LOG:============================================

    Please consider the order of authentication method failure, from here:
    http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html#wp9000028
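
    Added example, not from the thread: a Python script that groups the RADIUS_DEAD marks in a log like the one above into flap episodes and separates the authentication failures that fall inside an episode from those that do not. The sample lines, the 192.0.2.54 address, the 60-second thresholds and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (RFC 5737 address, documentation-style MACs) in the
# timestamp and message format of the 6509 log quoted above.
SAMPLE_LOG = """\
Feb 27 2014 17:40:05: %DOT1X-5-FAIL: Authentication failed for client (0000.5e00.5311) on Interface Gi1/9/36
Feb 27 2014 17:48:02: %DOT1X-5-FAIL: Authentication failed for client (0000.5e00.5310) on Interface Gi1/9/36
Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.0.2.54:1812,1813 is not responding.
Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.0.2.54:1812,1813 has returned.
Feb 27 2014 17:48:25: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.0.2.54:1812,1813 is not responding.
Feb 27 2014 17:48:25: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.0.2.54:1812,1813 has returned.
Feb 27 2014 17:48:34: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.0.2.54:1812,1813 is not responding.
Feb 27 2014 17:48:34: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.0.2.54:1812,1813 has returned.
Feb 27 2014 17:49:21: %MAB-5-FAIL: Authentication failed for client (0000.5e00.5310) on Interface Gi1/9/36
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d{4} \d\d:\d\d:\d\d): "
    r"%(?P<tag>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<text>.*)$")
SERVER_RE = re.compile(r"RADIUS server (\S+?):")
CLIENT_RE = re.compile(r"client \(([^)]+)\) on Interface (\S+)")


def parse(log_text):
    """Return [(datetime, tag, text)] for every line that carries a %TAG."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            stamp = " ".join(m.group("ts").split())  # collapse 'Feb  7' padding
            events.append((datetime.strptime(stamp, "%b %d %Y %H:%M:%S"),
                           m.group("tag"), m.group("text")))
    return events


def flap_episodes(events, max_gap=timedelta(seconds=60), min_flaps=3):
    """Group RADIUS_DEAD marks per server into runs whose consecutive marks are
    at most max_gap apart; keep runs with at least min_flaps marks."""
    marks = {}
    for ts, tag, text in events:
        if tag == "RADIUS-4-RADIUS_DEAD":
            marks.setdefault(SERVER_RE.search(text).group(1), []).append(ts)
    episodes = []
    for server, stamps in marks.items():
        start = prev = stamps[0]
        count = 1
        for ts in stamps[1:] + [None]:          # None closes the last run
            if ts is not None and ts - prev <= max_gap:
                prev, count = ts, count + 1
                continue
            if count >= min_flaps:
                episodes.append({"server": server, "start": start,
                                 "end": prev, "dead_marks": count})
            if ts is not None:
                start = prev = ts
                count = 1
    return episodes


def failures_near(events, episodes, slack=timedelta(seconds=60)):
    """Split DOT1X/MAB failures into those within an episode (+/- slack) and the rest."""
    near, other = [], []
    for ts, tag, text in events:
        if tag not in ("DOT1X-5-FAIL", "MAB-5-FAIL"):
            continue
        m = CLIENT_RE.search(text)
        if not m:
            continue
        hit = any(e["start"] - slack <= ts <= e["end"] + slack for e in episodes)
        (near if hit else other).append((ts.strftime("%H:%M:%S"), m.group(1), m.group(2), tag))
    return near, other


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    eps = flap_episodes(evts)
    near, other = failures_near(evts, eps)
    for e in eps:
        print("flapping:", e["server"], e["start"], "to", e["end"], e["dead_marks"], "dead marks")
    print("failures during flapping:", near)
    print("failures outside flapping:", other)
```

    As a triage heuristic, failures in the first list are worth checking against RADIUS server reachability before the supplicant or the method order is blamed.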

  • ISE 1.1.3 posture status OK but network connection failed

    hello,
    I am on my way to making this ISE work.
    Now I am able to do posture assessment and reauthenticate with success.
    The logs say that's OK, I have two lines.
    NACAgent on the host does the job correctly but the NIC says: "Network failure" despite NACAgent granting the access.
    Any Ideas folks ???
    Regards.
    Vincent.
    The switch says :
    03:04:28: %AUTHMGR-5-START: Starting 'dot1x' for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8
    03:04:59: %DOT1X-5-FAIL: Authentication failed for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID
    03:04:59: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8
    03:04:59: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8
    03:04:59: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8
    03:04:59: %AUTHMGR-5-FAIL: Authorization failed for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8
    Here is the SW's config :
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
    client 192.168.6.10 server-key 123456789
    aaa session-id common
    no ip domain-lookup
    ip domain-name security.com
    ip dhcp excluded-address 192.168.6.29 192.168.6.100
    ip dhcp pool test
       network 192.168.6.0 255.255.255.0
    ip dhcp snooping vlan 1
    ip device tracking
    dot1x system-auth-control
    dot1x critical eapol
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    interface FastEthernet1/0/1
    switchport mode access
    authentication open
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast
    interface Vlan1
    ip address 192.168.6.100 255.255.255.0
    ip classless
    ip http server
    ip http secure-server
    ip sla enable reaction-alerts
    snmp-server community snmp RO
    snmp-server enable traps mac-notification change move threshold
    snmp-server host 192.168.6.10 version 2c snmp  mac-notification
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 192.168.6.10 auth-port 1645 acct-port 1646 key 123456789
    radius-server vsa send accounting
    radius-server vsa send authentication
    line con 0
    line vty 5 15
    ntp clock-period 36029254
    ntp server 192.168.6.29
    end

    Hello Tarik, thanks for trying to help !
    I guess that we all have configured the Sw and ISE as described in the documentation.
    It would be kind to give us a standard Sw config that works. In my opinion, dACL is the point to be clarified urgently.
    No IP Phone at all.
    How to configure dACL on ISE ? ( pre-posture, redirect ) ????
    What are the ports ? ( 8443, 8905n any ?)
    Do we need a ACL to be set in the Sw before the dACL is applied ???
    Please answer those questions first, and we will provide you some logs.
    I'm not able to have a stable behaviour any more.
    Latest tested IOS : c3750-ipbasek9-mz.122-52.SE.bin (compatibility matrix on Cisco Website)
    We waste a lot of time trying not to debug the software, but trying to find which parts work together.
    Thanks again Tarik.

  • ISE first authorization sucess and then fail (MAB)

    Hi,
    Using ISE 1.1.1 and Switch 3650 12.2(55)SE6.
    I have a client (computer) that should be authenticated with MAB and then the switch port should be assigned a DACL and VLAN 90. I do get
    "Authorization succeeded" but directly after it fails and I can't figure out why. ISE only shows the successful authentication under "Live Authentications".
    As you can see from the log below, 802.1x fails, as it should, and then MAB succeeds, assigns the VLAN and then fails:
    0002SWC002(config)#int fa0/13
    0002SWC002(config-if)#shut
    0002SWC002(config-if)#
    Jan  7 13:26:59.640: %LINK-5-CHANGED: Interface FastEthernet0/13, changed state to administratively down
    Jan  7 13:27:00.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to down
    0002SWC002(config-if)#no shut
    0002SWC002(config-if)#
    Jan  7 13:27:19.689: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to down
    Jan  7 13:27:22.063: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
    Jan  7 13:27:22.776: %AUTHMGR-5-START: Starting 'dot1x' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
    Jan  7 13:27:23.070: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to up
    Jan  7 13:27:51.054: %DOT1X-5-FAIL: Authentication failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID
    Jan  7 13:27:51.054: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
    Jan  7 13:27:51.054: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
    Jan  7 13:27:51.054: %AUTHMGR-5-START: Starting 'mab' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
    Jan  7 13:27:51.088: %MAB-5-SUCCESS: Authentication successful for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
    Jan  7 13:27:51.088: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
    Jan  7 13:27:51.088: %AUTHMGR-5-VLANASSIGN: VLAN 90 assigned to Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
    Jan  7 13:27:51.096: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT APPLY
    Jan  7 13:27:51.096: %EPM-6-IPEVENT: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT IP-WAIT
    Jan  7 13:27:51.255: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
    Jan  7 13:27:52.027: %EPM-6-IPEVENT: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
    Replacing duplicate ACE entry for host 10.90.5.1
    Jan  7 13:27:52.036: %AUTHMGR-5-FAIL: Authorization failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
    Jan  7 13:27:52.036: %EPM-6-POLICY_REQ: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT REMOVE
    After this the process starts over again.
    This is the switch port config:
    interface FastEthernet0/13
    description VoIP/Data
    switchport mode access
    switchport voice vlan 20
    switchport port-security
    switchport port-security violation restrict
    ip access-group ACL-ALLOW in
    srr-queue bandwidth share 1 70 25 5
    srr-queue bandwidth shape 3 0 0 0
    priority-queue out
    authentication event fail action next-method
    authentication event server dead action authorize voice
    authentication host-mode multi-auth
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    mab
    snmp trap mac-notification change added
    no snmp trap link-status
    dot1x pae authenticator
    dot1x timeout tx-period 10
    storm-control broadcast level 2.00 1.00
    storm-control multicast level 2.00 1.00
    storm-control action shutdown
    storm-control action trap
    spanning-tree portfast
    service-policy input ax-qos_butnet
    ip dhcp snooping limit rate 5
    end
    Is there a problem with the client (computer) or in ISE/Switch?

    Hi Tarik,
    First off; thank you for helping me troubleshoot this problem.
    I think the "IP-" part of "IP-ACL-IWMAC" is being added automatically (in the switch maybe?). I see this behaviour on other dACLs too. I did not change the name of the ACL.
    You seem to have a valid theory about the icmp statement. I changed it to "permit icmp any any" and it seems to work. But I can't explain why this is happening.
    When I look at the debugs I see this difference
    With the original ACL I get this:
    %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000053E70733F4| AUTHTYPE DOT1X| EVENT APPLYReplacing duplicate ACE entry for host 10.90.5.1
    %EPM-6-IPEVENT: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000053E70733F4| AUTHTYPE DOT1X| EVENT IP-RELEASE
    %EPM-6-IPEVENT: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000053E70733F4| AUTHTYPE DOT1X| EVENT IP-WAIT
    %AUTHMGR-5-FAIL: Authorization failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000053E70733F4
    When using "permit icmp any any" I get this:
    %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000055E70B8E7D| AUTHTYPE DOT1X| EVENT APPLY
    %EPM-6-AAA: POLICY xACSACLx-IP-ACL-IWMAC-50eea905| EVENT DOWNLOAD-REQUEST
    I tried googling but can't find what "Replacing duplicate ACE entry for host xxx" means.
    I have added debugs in attachment.
    device1_orig_acl - the non-working device with original ACL
    device1_any_any - the non-working device with permit icmp any any
    working_device_orig_acl - the device that works with the original ACL
    Do you have an answer to why this is happening?
    Regards,
    Philip
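
The following is an added example, not code from the thread or from the vendor: it rejoins the terminal-wrapped syslog lines quoted above, builds a per-client event list from the AUTHMGR, DOT1X and EPM messages, and flags the pattern described in the first post, where "Authorization succeeded" is followed by "Authorization failed" for the same client. The function names and the 5-second window are assumptions.

```python
import re
from datetime import datetime

# Console output copied from the post above (abridged). The terminal wrapped
# long lines, splitting interface names and AuditSessionIDs mid-token.
SAMPLE_LOG = """\
0002SWC002(config-if)#no shut
Jan  7 13:27:22.776: %AUTHMGR-5-START: Starting 'dot1x' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000
020D7C192D1
Jan  7 13:27:51.054: %DOT1X-5-FAIL: Authentication failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID
Jan  7 13:27:51.054: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (f04d.a223.8f43) on Interface Fa
0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan  7 13:27:51.054: %AUTHMGR-5-START: Starting 'mab' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC0000002
0D7C192D1
Jan  7 13:27:51.088: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan  7 13:27:51.255: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A00
05FC00000020D7C192D1
Jan  7 13:27:52.027: %EPM-6-IPEVENT: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENTReplacing duplicate ACE entry for host 10.90.5.1
Jan  7 13:27:52.036: %AUTHMGR-5-FAIL: Authorization failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00
000020D7C192D1
Jan  7 13:27:52.036: %EPM-6-POLICY_REQ: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT REMOVE
"""

TS = re.compile(r"^\*?([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d+): (.*)$")
PROMPT = re.compile(r"^[\w.\-]+(\([^)]*\))?[#>]")          # e.g. host(config-if)#
MNEMONIC = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):")
MAC = re.compile(r"(?:\(|MAC )((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})")
SESSION = re.compile(r"AuditSessionID\s*([0-9A-F]{24})")
RESULT = re.compile(r"Authentication result '([\w-]+)' from '(\w+)'")


def rejoin(text):
    """Undo terminal wrapping: glue continuation lines onto the timestamped
    line before them and drop CLI prompt lines."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or PROMPT.match(line):
            continue
        if TS.match(line):
            records.append(line)
        elif records:
            records[-1] += line  # the wrap is usually mid-token, so no separator
    return records


def parse(text):
    """Turn rejoined records into event dicts; records without a client MAC are skipped."""
    events = []
    for rec in rejoin(text):
        ts, msg = TS.match(rec).groups()
        tag, mac = MNEMONIC.search(msg), MAC.search(msg)
        if not (tag and mac):
            continue
        sess, res = SESSION.search(msg), RESULT.search(msg)
        events.append({
            # IOS omits the year; 2000 is a placeholder used only for time deltas.
            "time": datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S.%f"),
            "tag": f"{tag.group(1)}-{tag.group(3)}",
            "mac": mac.group(1),
            "session": sess.group(1) if sess else None,  # some lines lose the ID
            "result": res.groups() if res else None,     # (result, method)
        })
    return events


def method_results(events, mac):
    """Ordered (method, result) pairs for one client, e.g. dot1x then mab."""
    return [(e["result"][1], e["result"][0]) for e in events
            if e["mac"] == mac and e["result"]]


def find_authz_flaps(events, window_s=5.0):
    """Return (mac, session, seconds) for each 'Authorization succeeded' that is
    followed by 'Authorization failed' for the same client within window_s."""
    flaps, last_ok = [], {}
    for ev in events:
        if ev["tag"] == "AUTHMGR-SUCCESS":
            last_ok[ev["mac"]] = ev
        elif ev["tag"] == "AUTHMGR-FAIL" and ev["mac"] in last_ok:
            ok = last_ok.pop(ev["mac"])
            delta = (ev["time"] - ok["time"]).total_seconds()
            if 0 <= delta <= window_s:
                flaps.append((ev["mac"], ev["session"] or ok["session"], round(delta, 3)))
    return flaps


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print(method_results(evs, "f04d.a223.8f43"))
    print(find_authz_flaps(evs))
```
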

  • Impossible to use MAB with Alcatel phone

    Hello
    I am trying to configure MAB authentication with the Alcatel phone "ipTouch".
    The radius is an ISE version 1.2.1
    It is impossible to authenticate with MAB.
    On the ISE the error is:
        "Event  5434 Endpoint conducted several failed authentications of the same scenario"
        " Failure Reason  11514 Unexpectedly received empty TLS message; treating as a rejection by the client"
    On the switch the error message is:
    2960-09#
    Dec 15 11:13:50.090: %AUTHMGR-5-START: Starting 'mab' for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID
    0A0A510A0000010A2E95860F
    Dec 15 11:13:50.125: %MAB-5-FAIL: Authentication failed for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID
    0A0A510A0000010A2E95860F
    Dec 15 11:13:50.125: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0080.9fc8.a9eb) on
    Interface Gi1/0/11 AuditSessionID 0A0A510A0000010A2E95860F
    Dec 15 11:13:50.125: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0080.9fc8.a9eb) on Interface Gi1/0/11
    AuditSessionID 0A0A510A0000010A2E95860F
    2960-09#
    Dec 15 11:13:50.125: %AUTHMGR-5-START: Starting 'dot1x' for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID
    0A0A510A0000010A2E95860F
    Here is the switch config
    +++++++++++++++++
    interface GigabitEthernet1/0/11
     description HOST PORT WITH AUTHENTICATION
     switchport access vlan 68
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 78
     authentication event server dead action reinitialize vlan 68
     authentication event server dead action authorize voice
     authentication host-mode multi-auth
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer restart 300
     authentication timer reauthenticate server
     authentication timer inactivity server
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 5
     spanning-tree portfast
    end
    global switch config
    +++++++++++++++
    aaa new-model
    aaa authentication login default local group radius
    aaa authentication dot1x default group radius
    aaa authorization exec default local group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
     client 10.1.30.11 server-key 7 023201575A080B34080F
     client 10.1.30.12 server-key 7 122D001B430508116E6A
    dot1x system-auth-control
    dot1x critical eapol
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 1 tries 3
    radius-server host 10.1.30.11 auth-port 1812 acct-port 1813 key 7 0030160A55550F134B60
    radius-server host 10.1.30.12 auth-port 1812 acct-port 1813 key 7 0030160A55550F134B60
    radius-server deadtime 1
    radius-server vsa send accounting
    radius-server vsa send authentication
    Could you please help me.
    Michel Misonne

    Hi
    Yes, the MAC is in the Identity endpoint.
    During the night, the phone rebooted and now it is OK!
    I do not know why.
    I changed nothing!
    But here is the debug.
    Also the ISE is configured with authentication protocol Pap-Ascii = Enable
    and "Calling stat id" and "Check pass" checked.
    The config of the phone is
    -Mac to login
    -MD5 profile = OFF
    -Tls Profile OFF
    Here is the debug (when it works well).
    conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    2960-09(config)#endshutdown int gigabitEthernet 1/0/11
    2960-09(config-if)#no shu
    2960-09(config-if)#no shutdown
    2960-09(config-if)#
    2960-09(config-if)#
    2960-09(config-if)#
    2960-09(config-if)#
    2960-09(config-if)#end
    2960-09#
    Dec 16 08:33:54.962: %ILPOWER-7-DETECT: Interface Gi1/0/11: Power Device detected: IEEE PD
    Dec 16 08:33:56.157: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/11: Power granted
    2960-09#
    2960-09#
    2960-09#
    2960-09#
    2960-09#
    2960-09#
    2960-09#
    Dec 16 08:33:56.241: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/11, changed state to down
    Dec 16 08:33:56.322: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.68.4)
    2960-09#
    Dec 16 08:34:02.924: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/11, changed state to up
    Dec 16 08:34:03.924: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/11, changed state to up
    2960-09#
    Dec 16 08:34:05.088: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/11, changed state to down
    2960-09#
    Dec 16 08:34:06.095: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/11, changed state to down
    2960-09#
    Dec 16 08:34:09.800: %AUTHMGR-5-START: Starting 'mab' for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID 0A0A510A0000011E3329AE1E
    Dec 16 08:34:09.800: RADIUS/ENCODE(0000025F):Orig. component type = Dot1X
    Dec 16 08:34:09.804: RADIUS(0000025F): Config NAS IP: 0.0.0.0
    Dec 16 08:34:09.804: RADIUS(0000025F): Config NAS IPv6: ::
    Dec 16 08:34:09.804: RADIUS/ENCODE(0000025F): acct_session_id: 597
    Dec 16 08:34:09.804: RADIUS(0000025F): sending
    Dec 16 08:34:09.804: RADIUS/ENCODE: Best Local IP-Address 10.10.81.10 for Radius-Server 10.1.30.11
    Dec 16 08:34:09.804: RADIUS(0000025F): Sending a IPv4 Radius Packet
    Dec 16 08:34:09.804: RADIUS(0000025F): Send Access-Request to 10.1.30.11:1812 id 1645/198,len 249
    Dec 16 08:34:09.804: RADIUS:  authenticator D3 5F 99 C6 EE 9F 9F 96 - 7C 1B A1 B9 32 1C 78 61
    Dec 16 08:34:09.804: RADIUS:  User-Name           [1]   14  "00809fc8a9eb"
    Dec 16 08:34:09.804: RADIUS:  User-Password       [2]   18  *
    Dec 16 08:34:09.804: RADIUS:  Service-Type        [6]   6   Call Check                [10]
    Dec 16 08:34:09.804: RADIUS:  Vendor, Cisco       [26]  31 
    Dec 16 08:34:09.804: RADIUS:   Cisco AVpair       [1]   25  "service-type=Call Check"
    Dec 16 08:34:09.804: RADIUS:  Framed-IP-Address   [8]   6   10.10.78.250             
    Dec 16 08:34:09.804: RADIUS:  Framed-MTU          [12]  6   1500                     
    Dec 16 08:34:09.804: RADIUS:  Called-Station-Id   [30]  19  "F0-9E-63-E7-E1-8B"
    Dec 16 08:34:09.804: RADIUS:  Calling-Station-Id  [31]  19  "00-80-9F-C8-A9-EB"
    Dec 16 08:34:09.804: RADIUS:  Message-Authenticato[80]  18 
    Dec 16 08:34:09.804: RADIUS:   5F 60 06 35 54 F6 CB 60 3A D6 A9 87 92 F0 0D 70           [ _`5T`:p]
    Dec 16 08:34:09.804: RADIUS:  EAP-Key-Name        [102] 2   *
    Dec 16 08:34:09.804: RADIUS:  Vendor, Cisco       [26]  49 
    Dec 16 08:34:09.807: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0A0A510A0000011E3329AE1E"
    Dec 16 08:34:09.807: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Dec 16 08:34:09.807: RADIUS:  NAS-Port            [5]   6   50111                    
    Dec 16 08:34:09.807: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/11"
    Dec 16 08:34:09.807: RADIUS:  NAS-IP-Address      [4]   6   10.10.81.10              
    Dec 16 08:34:09.807: RADIUS(0000025F): Started 5 sec timeout
    Dec 16 08:34:09.856: RADIUS: Received from id 1645/198 10.1.30.11:1812, Access-Accept, len 283
    Dec 16 08:34:09.856: RADIUS:  authenticator BC 72 21 F4 37 7D BE B1 - 03 A7 CE F3 3A DB EE DA
    Dec 16 08:34:09.856: RADIUS:  User-Name           [1]   14  "00809fc8a9eb"
    Dec 16 08:34:09.856: RADIUS:  State               [24]  40 
    Dec 16 08:34:09.856: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 41  [ReauthSession:0A]
    Dec 16 08:34:09.856: RADIUS:   30 41 35 31 30 41 30 30 30 30 30 31 31 45 33 33  [0A510A0000011E33]
    Dec 16 08:34:09.856: RADIUS:   32 39 41 45 31 45            [ 29AE1E]
    Dec 16 08:34:09.856: RADIUS:  Class               [25]  54 
    Dec 16 08:34:09.856: RADIUS:   43 41 43 53 3A 30 41 30 41 35 31 30 41 30 30 30  [CACS:0A0A510A000]
    Dec 16 08:34:09.859: RADIUS:   30 30 31 31 45 33 33 32 39 41 45 31 45 3A 6D 65  [0011E3329AE1E:me]
    Dec 16 08:34:09.859: RADIUS:   67 61 74 72 6F 6E 2F 32 30 37 35 39 38 39 38 34  [gatron/207598984]
    Dec 16 08:34:09.859: RADIUS:   2F 34 31 30              [ /410]
    Dec 16 08:34:09.859: RADIUS:  Message-Authenticato[80]  18 
    Dec 16 08:34:09.859: RADIUS:   51 E9 8C 07 61 A4 F0 02 0C DC DF 1F 25 BE 39 A3              [ Qa?9]
    Dec 16 08:34:09.859: RADIUS:  Vendor, Cisco       [26]  34 
    Dec 16 08:34:09.859: RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
    Dec 16 08:34:09.859: RADIUS:  Vendor, Cisco       [26]  75 
    Dec 16 08:34:09.859: RADIUS:   Cisco AVpair       [1]   69  "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-537cb1d6"
    Dec 16 08:34:09.859: RADIUS:  Vendor, Cisco       [26]  28 
    Dec 16 08:34:09.859: RADIUS:   Cisco AVpair       [1]   22  "profile-name=Unknown"
    Dec 16 08:34:09.859: RADIUS(0000025F): Received from id 1645/198
    Dec 16 08:34:09.859: RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE
    Dec 16 08:34:09.859: %MAB-5-SUCCESS: Authentication successful for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID 0A0A510A0000011E3329AE1E
    Dec 16 08:34:09.863: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID 0A0A510A0000011E3329AE1E
    Dec 16 08:34:09.894: RADIUS/ENCODE(00000000):Orig. component type = Invalid
    Dec 16 08:34:09.894: RADIUS(00000000): Config NAS IP: 0.0.0.0
    Dec 16 08:34:09.898: RADIUS(00000000): sending
    Dec 16 08:34:09.957: RADIUS/ENCODE: Best Local IP-Address 10.10.81.10 for Radius-Server 10.1.30.11
    Dec 16 08:34:09.957: RADIUS(00000000): Sending a IPv4 Radius Packet
    Dec 16 08:34:09.957: RADIUS(00000000): Send Access-Request to 10.1.30.11:1812 id 1645/199,len 147
    Dec 16 08:34:09.957: RADIUS:  authenticator 1B D7 D2 13 EF 69 36 E2 - 87 4D A9 69 2A F7 29 4D
    Dec 16 08:34:09.957: RADIUS:  NAS-IP-Address      [4]   6   10.10.81.10              
    Dec 16 08:34:09.957: RADIUS:  User-Name           [1]   41  "#ACSACL#-IP-PERMIT_ALL_TRAFFIC-537cb1d6"
    Dec 16 08:34:09.957: RADIUS:  Vendor, Cisco       [26]  32 
    Dec 16 08:34:09.957: RADIUS:   Cisco AVpair       [1]   26  "aaa:service=ip_admission"
    Dec 16 08:34:09.961: RADIUS:  Vendor, Cisco       [26]  30 
    Dec 16 08:34:09.961: RADIUS:   Cisco AVpair       [1]   24  "aaa:event=acl-download"
    Dec 16 08:34:09.961: RADIUS:  Message-Authenticato[80]  18 
    Dec 16 08:34:09.961: RADIUS:   E7 15 BB FB 7B 5B 1A C4 50 FC E7 0E 10 AC 22 36             [ {[P"6]
    Dec 16 08:34:09.961: RADIUS(00000000): Started 5 sec timeout
    Dec 16 08:34:09.968: RADIUS: Received from id 1645/199 10.1.30.11:1812, Access-Accept, len 209
    Dec 16 08:34:09.968: RADIUS:  authenticator FA 03 DD C1 D2 87 6B 58 - 99 65 EE 96 FF D5 76 FD
    Dec 16 08:34:09.968: RADIUS:  User-Name           [1]   41  "#ACSACL#-IP-PERMIT_ALL_TRAFFIC-537cb1d6"
    Dec 16 08:34:09.968: RADIUS:  State               [24]  40 
    Dec 16 08:34:09.968: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61  [ReauthSession:0a]
    Dec 16 08:34:09.971: RADIUS:   30 31 31 65 30 62 30 30 30 30 30 30 37 38 35 34  [011e0b0000007854]
    Dec 16 08:34:09.971: RADIUS:   38 46 45 45 38 31            [ 8FEE81]
    Dec 16 08:34:09.971: RADIUS:  Class               [25]  54 
    Dec 16 08:34:09.971: RADIUS:   43 41 43 53 3A 30 61 30 31 31 65 30 62 30 30 30  [CACS:0a011e0b000]
    Dec 16 08:34:09.971: RADIUS:   30 30 30 37 38 35 34 38 46 45 45 38 31 3A 6D 65  [00078548FEE81:me]
    Dec 16 08:34:09.971: RADIUS:   67 61 74 72 6F 6E 2F 32 30 37 35 39 38 39 38 34  [gatron/207598984]
    Dec 16 08:34:09.971: RADIUS:   2F 34 31 31              [ /411]
    Dec 16 08:34:09.971: RADIUS:  Message-Authenticato[80]  18 
    Dec 16 08:34:09.971: RADIUS:   A4 02 84 1E 1A 97 E9 E9 DE 46 93 D6 30 C4 52 99               [ F0R]
    Dec 16 08:34:09.971: RADIUS:  Vendor, Cisco       [26]  36 
    Dec 16 08:34:09.971: RADIUS:   Cisco AVpair       [1]   30  "ip:inacl#1=permit ip any any"
    Dec 16 08:34:09.971: RADIUS(00000000): Received from id 1645/199
    Dec 16 08:34:10.069: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID 0A0A510A0000011E3329AE1E
    Dec 16 08:34:10.069: RADIUS/ENCODE(0000025F):Orig. component type = Dot1X
    Dec 16 08:34:10.069: RADIUS(0000025F): Config NAS IP: 0.0.0.0
    Dec 16 08:34:10.069: RADIUS(0000025F): Config NAS IPv6: ::
    Dec 16 08:34:10.073: RADIUS(0000025F): sending
    Dec 16 08:34:10.073: RADIUS/ENCODE: Best Local IP-Address 10.10.81.10 for Radius-Server 10.1.30.11
    Dec 16 08:34:10.073: RADIUS(0000025F): Sending a IPv4 Radius Packet
    Dec 16 08:34:10.073: RADIUS(0000025F): Send Accounting-Request to 10.1.30.11:1813 id 1646/240,len 423
    Dec 16 08:34:10.073: RADIUS:  authenticator 6C 75 45 C7 B7 66 2F 4D - 04 01 C6 CE A5 16 68 9B
    Dec 16 08:34:10.073: RADIUS:  Acct-Session-Id     [44]  10  "00000255"
    Dec 16 08:34:10.073: RADIUS:  Calling-Station-Id  [31]  19  "00-80-9F-C8-A9-EB"
    Dec 16 08:34:10.073: RADIUS:  Vendor, Cisco       [26]  49 
    Dec 16 08:34:10.073: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0A0A510A0000011E3329AE1E"
    Dec 16 08:34:10.073: RADIUS:  Framed-IP-Address   [8]   6   10.10.78.250             
    Dec 16 08:34:10.073: RADIUS:  User-Name           [1]   14  "00809fc8a9eb"
    Dec 16 08:34:10.073: RADIUS:  Vendor, Cisco       [26]  32 
    Dec 16 08:34:10.073: RADIUS:   Cisco AVpair       [1]   26  "connect-progress=Call Up"
    Dec 16 08:34:10.073: RADIUS:  Vendor, Cisco       [26]  21 
    Dec 16 08:34:10.073: RADIUS:   Cisco AVpair       [1]   15  "lldp-tlv=    "
    Dec 16 08:34:10.073: RADIUS:  Vendor, Cisco       [26]  25 
    Dec 16 08:34:10.073: RADIUS:   Cisco AVpair       [1]   19  "lldp-tlv=        "
    Dec 16 08:34:10.073: RADIUS:  Vendor, Cisco       [26]  23 
    Dec 16 08:34:10.073: RADIUS:   Cisco AVpair       [1]   17  "lldp-tlv=      "
    Dec 16 08:34:10.073: RADIUS:  Vendor, Cisco       [26]  28 
    Dec 16 08:34:10.073: RADIUS:  Vendor, Cisco       [26]  28 
    Dec 16 08:34:10.073: RADIUS:  Tunnel-Packets-Lost [86]  101 1852075890               
    Dec 16 08:34:10.076: RADIUS:  Nas-Identifier      [32]  32  "             
    Dec 16 08:34:10"
    Dec 16 08:34:10.076: data_left 15
    2960-09#
    Dec 16 08:34:10.076: RADIUS(0000025F): Started 5 sec timeout
    Dec 16 08:34:10.090: RADIUS: Received from id 1646/240 10.1.30.11:1813, Accounting-response, len 20
    Dec 16 08:34:10.090: RADIUS:  authenticator 91 9F CE 71 1C 4B 45 93 - 49 86 52 C8 C3 44 40 B8
    2960-09#
    Dec 16 08:34:11.485: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/11, changed state to up
    Dec 16 08:34:12.485: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/11, changed state to up
    2960-09#
    2960-09#
    2960-09#
    2960-09#
    2960-09#
    2960-09#
    2960-09#sh auth
    2960-09#sh authentication ses
    2960-09#sh authentication sessions int gi
    2960-09#sh authentication sessions int gigabitEthernet 1/ /0/11
                Interface:  GigabitEthernet1/0/11
              MAC Address:  0080.9fc8.a9eb
               IP Address:  10.10.78.250
                User-Name:  00809fc8a9eb
                   Status:  Authz Success
                   Domain:  VOICE
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A0A510A0000011E3329AE1E
          Acct Session ID:  0x00000255
                   Handle:  0x3600011F
    Runnable methods list:
           Method   State
           mab      Authc Success
           dot1x    Not run
    2960-09#
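
Added example, not from the original post or the vendor: it decodes the `debug radius` lines quoted above into request/reply pairs, to confirm that the first Access-Request is a MAB request (Service-Type Call Check, User-Name equal to the Calling-Station-Id MAC) and to follow the downloadable ACL named in the Access-Accept to its own exchange. Function names are assumptions, and RADIUS identifiers are assumed not to repeat within the capture.

```python
import re

# Lines copied from the `debug radius` output in the post above, trimmed to
# the attributes that matter for MAB and the dACL download.
SAMPLE_DEBUG = """\
Dec 16 08:34:09.804: RADIUS(0000025F): Send Access-Request to 10.1.30.11:1812 id 1645/198,len 249
Dec 16 08:34:09.804: RADIUS:  User-Name           [1]   14  "00809fc8a9eb"
Dec 16 08:34:09.804: RADIUS:  Service-Type        [6]   6   Call Check                [10]
Dec 16 08:34:09.804: RADIUS:  Calling-Station-Id  [31]  19  "00-80-9F-C8-A9-EB"
Dec 16 08:34:09.856: RADIUS: Received from id 1645/198 10.1.30.11:1812, Access-Accept, len 283
Dec 16 08:34:09.859: RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
Dec 16 08:34:09.859: RADIUS:   Cisco AVpair       [1]   69  "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-537cb1d6"
Dec 16 08:34:09.957: RADIUS(00000000): Send Access-Request to 10.1.30.11:1812 id 1645/199,len 147
Dec 16 08:34:09.957: RADIUS:  User-Name           [1]   41  "#ACSACL#-IP-PERMIT_ALL_TRAFFIC-537cb1d6"
Dec 16 08:34:09.961: RADIUS:   Cisco AVpair       [1]   24  "aaa:event=acl-download"
Dec 16 08:34:09.968: RADIUS: Received from id 1645/199 10.1.30.11:1812, Access-Accept, len 209
Dec 16 08:34:09.971: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61  [ReauthSession:0a]
Dec 16 08:34:09.971: RADIUS:   Cisco AVpair       [1]   30  "ip:inacl#1=permit ip any any"
"""

SENT = re.compile(r"RADIUS\(\w+\): Send ([\w-]+) to \S+ id (\d+/\d+)")
RCVD = re.compile(r"RADIUS: Received from id (\d+/\d+) \S+ ([\w-]+),")
# "<name> [<type>] <len> <value>"; hex-dump continuation lines do not match.
ATTR = re.compile(r"RADIUS:\s+(.+?)\s*\[(\d+)\]\s+(\d+)\s*(.*)$")
INACL = re.compile(r"ip:inacl#(\d+)")


def parse_packets(text):
    """Group debug lines into packets: a header line followed by its attributes."""
    packets, cur = [], None
    for line in text.splitlines():
        line = line.rstrip()
        sent, rcvd = SENT.search(line), RCVD.search(line)
        if sent or rcvd:
            code, pid = sent.groups() if sent else rcvd.groups()[::-1]
            cur = {"id": pid, "code": code, "attrs": {}, "avpairs": []}
            packets.append(cur)
            continue
        m = ATTR.search(line)
        if not m or cur is None:
            continue
        # Drop the trailing enum number ("Call Check [10]") and the quotes.
        value = re.sub(r"\s*\[\d+\]$", "", m.group(4)).strip().strip('"')
        if m.group(1) == "Cisco AVpair":
            cur["avpairs"].append(value)
        else:
            cur["attrs"][m.group(1)] = value
    return packets


def norm_mac(s):
    """Lower-case hex digits only, so 00-80-9F-... and 00809f... compare equal."""
    return re.sub(r"[^0-9a-f]", "", s.lower())


def summarise(packets):
    """Pair requests with replies by RADIUS id and describe each exchange."""
    out = {}
    for p in packets:
        av = dict(v.split("=", 1) for v in p["avpairs"] if "=" in v)
        attrs = p["attrs"]
        if p["code"] == "Access-Request":
            user = attrs.get("User-Name", "")
            entry = out.setdefault(p["id"], {"user": user})
            if av.get("aaa:event") == "acl-download":
                entry["kind"] = "dacl-download"  # switch fetching ACEs by ACL name
            elif attrs.get("Service-Type") == "Call Check":
                entry["kind"] = "mab"
                mac = norm_mac(attrs.get("Calling-Station-Id", ""))
                entry["user_is_mac"] = bool(mac) and norm_mac(user) == mac
            else:
                entry["kind"] = "other"
        elif p["code"] in ("Access-Accept", "Access-Reject") and p["id"] in out:
            entry = out[p["id"]]
            entry["reply"] = p["code"]
            if "device-traffic-class" in av:
                entry["domain"] = av["device-traffic-class"]
            if "ACS:CiscoSecure-Defined-ACL" in av:
                entry["dacl"] = av["ACS:CiscoSecure-Defined-ACL"]
            aces = sorted((int(m.group(1)), v) for k, v in av.items()
                          if (m := INACL.fullmatch(k)))
            if aces:
                entry["aces"] = [v for _, v in aces]
    return out


if __name__ == "__main__":
    for rid, info in summarise(parse_packets(SAMPLE_DEBUG)).items():
        print(rid, info)
```
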

  • IEEE 802.1x with EAP-TLS issue in cisco 2960

    My Cisco 2960 switch is not working with the EAP-TLS mechanism of 802.1x, but it works well with other protocols like EAP-PEAP or MAC address authentication.
    Below is the configuration
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authentication dot1x default group radius
    aaa authorization commands 15 default group tacacs+ local
    aaa authorization network default group radius
    aaa authorization configuration default group radius
    aaa accounting update periodic 30
    aaa accounting dot1x default start-stop group radius
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    interface FastEthernet0/1
    switchport access vlan 11
    switchport mode access
    speed 100
    duplex full
    authentication order dot1x mab webauth
    authentication port-control auto
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 3
    dot1x timeout supp-timeout 3
    spanning-tree portfast
    spanning-tree bpduguard enable
    Can anyone make a suggestion?

    Thanks for the reply, Jatin.
    I have a client on the interface fa0/1 with a valid client certificate, and I have debug logs as below:
    *Mar  8 00:03:06.266: dot1x-ev(Fa0/1): Interface state changed to UP
    *Mar  8 00:03:06.266: AAA/BIND(000001C7): Bind i/f 
    *Mar  8 00:03:06.266:     dot1x_auth Fa0/1: initial state auth_initialize has enter
    *Mar  8 00:03:06.266: dot1x-sm(Fa0/1): 0xB0000DBA:auth_initialize_enter called
    *Mar  8 00:03:06.266:     dot1x_auth Fa0/1: during state auth_initialize, got event 0(cfg_auto)
    *Mar  8 00:03:06.266: @@@ dot1x_auth Fa0/1: auth_initialize -> auth_disconnected
    *Mar  8 00:03:06.266: dot1x-sm(Fa0/1): 0xB0000DBA:auth_disconnected_enter called
    *Mar  8 00:03:06.266:     dot1x_auth Fa0/1: idle during state auth_disconnected
    *Mar  8 00:03:06.266: @@@ dot1x_auth Fa0/1: auth_disconnected -> auth_restart
    *Mar  8 00:03:06.266: dot1x-sm(Fa0/1): 0xB0000DBA:auth_restart_enter called
    *Mar  8 00:03:06.266: dot1x-ev(Fa0/1): Sending create new context event to EAP for 0xB0000DBA (0000.0000.0000)
    *Mar  8 00:03:06.266:     dot1x_auth_bend Fa0/1: initial state auth_bend_initialize has enter
    *Mar  8 00:03:06.266: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_initialize_enter called
    *Mar  8 00:03:06.266:     dot1x_auth_bend Fa0/1: initial state auth_bend_initialize has idle
    *Mar  8 00:03:06.266:     dot1x_auth_bend Fa0/1: during state auth_bend_initialize, got event 16383(idle)
    *Mar  8 00:03:06.266: @@@ dot1x_auth_bend Fa0/1: auth_bend_initialize -> auth_bend_idle
    *Mar  8 00:03:06.266: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_idle_enter called
    *Mar  8 00:03:06.266: dot1x-ev(Fa0/1): Created a client entry (0xB0000DBA)
    *Mar  8 00:03:06.266: dot1x-ev(Fa0/1): Dot1x authentication started for 0xB0000DBA (0000.0000.0000)
    *Mar  8 00:03:06.266: dot1x-ev:DOT1X Supplicant not enabled on FastEthernet0/1
    *Mar  8 00:03:06.266: dot1x-sm(Fa0/1): Posting !EAP_RESTART on Client 0xB0000DBA
    *Mar  8 00:03:06.266:     dot1x_auth Fa0/1: during state auth_restart, got event 6(no_eapRestart)
    *Mar  8 00:03:06.266: @@@ dot1x_auth Fa0/1: auth_restart -> auth_connecting
    *Mar  8 00:03:06.266: dot1x-sm(Fa0/1): 0xB0000DBA:auth_connecting_enter called
    *Mar  8 00:03:06.274: dot1x-sm(Fa0/1): 0xB0000DBA:auth_restart_connecting_action called
    *Mar  8 00:03:06.274: dot1x-sm(Fa0/1): Posting RX_REQ on Client 0xB0000DBA
    *Mar  8 00:03:06.274:     dot1x_auth Fa0/1: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
    *Mar  8 00:03:06.274: @@@ dot1x_auth Fa0/1: auth_connecting -> auth_authenticating
    *Mar  8 00:03:06.274: dot1x-sm(Fa0/1): 0xB0000DBA:auth_authenticating_enter called
    *Mar  8 00:03:06.274: dot1x-sm(Fa0/1): 0xB0000DBA:auth_connecting_authenticating_action called
    *Mar  8 00:03:06.274: dot1x-sm(Fa0/1): Posting AUTH_START for 0xB0000DBA
    *Mar  8 00:03:06.274:     dot1x_auth_bend Fa0/1: during state auth_bend_idle, got event 4(eapReq_authStart)
    *Mar  8 00:03:06.274: @@@ dot1x_auth_bend Fa0/1: auth_bend_idle -> auth_bend_request
    *Mar  8 00:03:06.274: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_enter called
    *Mar  8 00:03:06.274: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
    *Mar  8 00:03:06.274: dot1x-ev(Fa0/1): Role determination not required
    *Mar  8 00:03:06.274: dot1x-registry:registry:dot1x_ether_macaddr called
    *Mar  8 00:03:06.274: dot1x-ev(Fa0/1): Sending out EAPOL packet
    *Mar  8 00:03:06.274: EAPOL pak dump Tx
    *Mar  8 00:03:06.274: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    *Mar  8 00:03:06.274: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    *Mar  8 00:03:06.274: dot1x-packet(Fa0/1): EAPOL packet sent to client 0xB0000DBA (0000.0000.0000)
    *Mar  8 00:03:06.274: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_idle_request_action called
    *Mar  8 00:03:06.794: dot1x-ev(Fa0/1): Role determination not required
    *Mar  8 00:03:06.794: dot1x-packet(Fa0/1): queuing an EAPOL pkt on Auth Q
    *Mar  8 00:03:06.794: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
    *Mar  8 00:03:06.794: EAPOL pak dump rx
    *Mar  8 00:03:06.794: EAPOL Version: 0x1  type: 0x1  length: 0x0000
    *Mar  8 00:03:06.794: dot1x-ev:
    dot1x_auth_queue_event: Int Fa0/1 CODE= 0,TYPE= 0,LEN= 0
    *Mar  8 00:03:06.794: dot1x-packet(Fa0/1): Received an EAPOL frame
    *Mar  8 00:03:06.794: dot1x-ev(Fa0/1): Received pkt saddr =d43d.7e65.4fc1 , daddr = 0180.c200.0003,
        pae-ether-type = 888e.0101.0000
    *Mar  8 00:03:06.794: dot1x-ev(Fa0/1): Couldn't find the supplicant in the list
    *Mar  8 00:03:06.794: dot1x-ev(Fa0/1): New client detected, notifying AuthMgr
    *Mar  8 00:03:06.794: dot1x-ev(Fa0/1): Sending event (0) to Auth Mgr for d43d.7e65.4fc1
    *Mar  8 00:03:06.794: dot1x-packet(Fa0/1): Received an EAPOL-Start packet
    *Mar  8 00:03:06.794: EAPOL pak dump rx
    *Mar  8 00:03:06.794: EAPOL Version: 0x1  type: 0x1  length: 0x0000
    *Mar  8 00:03:06.794: dot1x-sm(Fa0/1): Posting EAPOL_START on Client 0xB0000DBA
    *Mar  8 00:03:06.794:     dot1x_auth Fa0/1: during state auth_authenticating, got event 4(eapolStart)
    *Mar  8 00:03:06.794: @@@ dot1x_auth Fa0/1: auth_authenticating -> auth_aborting
    *Mar  8 00:03:06.794: dot1x-sm(Fa0/1): 0xB0000DBA:auth_authenticating_exit called
    *Mar  8 00:03:06.794: dot1x-sm(Fa0/1): 0xB0000DBA:auth_aborting_enter called
    *Mar  8 00:03:06.794: dot1x-ev(Fa0/1): 802.1x method gets the go ahead from Auth Mgr for 0xB0000DBA (d43d.7e65.4fc1)
    *Mar  8 00:03:06.794: %AUTHMGR-5-START: Starting 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EE240F5BAB
    *Mar  8 00:03:06.794: dot1x-sm(Fa0/1): Posting AUTH_ABORT for 0xB0000DBA
    *Mar  8 00:03:06.794:     dot1x_auth_bend Fa0/1: during state auth_bend_request, got event 1(authAbort)
    *Mar  8 00:03:06.794: @@@ dot1x_auth_bend Fa0/1: auth_bend_request -> auth_bend_initialize
    *Mar  8 00:03:06.794: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_initialize_enter called
    *Mar  8 00:03:06.794:     dot1x_auth_bend Fa0/1: idle during state auth_bend_initialize
    *Mar  8 00:03:06.794: @@@ dot1x_auth_bend Fa0/1: auth_bend_initialize -> auth_bend_idle
    *Mar  8 00:03:06.794: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_idle_enter called
    *Mar  8 00:03:06.794: dot1x-sm(Fa0/1): Posting !AUTH_ABORT on Client 0xB0000DBA
    *Mar  8 00:03:06.794:     dot1x_auth Fa0/1: during state auth_aborting, got event 20(no_eapolLogoff_no_authAbort)
    *Mar  8 00:03:06.794: @@@ dot1x_auth Fa0/1: auth_aborting -> auth_restart
    *Mar  8 00:03:06.794: dot1x-sm(Fa0/1): 0xB0000DBA:auth_aborting_exit called
    *Mar  8 00:03:06.794: dot1x-sm(Fa0/1): 0xB0000DBA:auth_restart_enter called
    *Mar  8 00:03:06.794: dot1x-ev(Fa0/1): Resetting the client 0xB0000DBA (d43d.7e65.4fc1)
    *Mar  8 00:03:06.794: dot1x-ev(Fa0/1): Sending create new context event to EAP for 0xB0000DBA (d43d.7e65.4fc1)
    *Mar  8 00:03:06.802: dot1x-sm(Fa0/1): 0xB0000DBA:auth_aborting_restart_action called
    *Mar  8 00:03:06.802: dot1x-sm(Fa0/1): Posting !EAP_RESTART on Client 0xB0000DBA
    *Mar  8 00:03:06.802:     dot1x_auth Fa0/1: during state auth_restart, got event 6(no_eapRestart)
    *Mar  8 00:03:06.802: @@@ dot1x_auth Fa0/1: auth_restart -> auth_connecting
    *Mar  8 00:03:06.802: dot1x-sm(Fa0/1): 0xB0000DBA:auth_connecting_enter called
    *Mar  8 00:03:06.802: dot1x-sm(Fa0/1): 0xB0000DBA:auth_restart_connecting_action called
    *Mar  8 00:03:06.811: dot1x-sm(Fa0/1): Posting RX_REQ on Client 0xB0000DBA
    *Mar  8 00:03:06.811:     dot1x_auth Fa0/1: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
    *Mar  8 00:03:06.811: @@@ dot1x_auth Fa0/1: auth_connecting -> auth_authenticating
    *Mar  8 00:03:06.811: dot1x-sm(Fa0/1): 0xB0000DBA:auth_authenticating_enter called
    *Mar  8 00:03:06.811: dot1x-sm(Fa0/1): 0xB0000DBA:auth_connecting_authenticating_action called
    *Mar  8 00:03:06.811: dot1x-sm(Fa0/1): Posting AUTH_START for 0xB0000DBA
    *Mar  8 00:03:06.811:     dot1x_auth_bend Fa0/1: during state auth_bend_idle, got event 4(eapReq_authStart)
    *Mar  8 00:03:06.811: @@@ dot1x_auth_bend Fa0/1: auth_bend_idle -> auth_bend_request
    *Mar  8 00:03:06.811: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_enter called
    *Mar  8 00:03:06.811: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
    *Mar  8 00:03:06.811: dot1x-ev(Fa0/1): Role determination not required
    *Mar  8 00:03:06.811: dot1x-registry:registry:dot1x_ether_macaddr called
    *Mar  8 00:03:06.811: dot1x-ev(Fa0/1): Sending out EAPOL packet
    *Mar  8 00:03:06.811: EAPOL pak dump Tx
    *Mar  8 00:03:06.811: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    *Mar  8 00:03:06.811: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    *Mar  8 00:03:06.811: dot1x-packet(Fa0/1): EAPOL packet sent to client 0xB0000DBA (d43d.7e65.4fc1)
    *Mar  8 00:03:06.811: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_idle_request_action called
    *Mar  8 00:03:06.811: dot1x-ev(Fa0/1): Role determination not required
    *Mar  8 00:03:06.811: dot1x-packet(Fa0/1): Queuing an EAPOL pkt on Authenticator Q
    *Mar  8 00:03:06.811: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
    *Mar  8 00:03:06.811: EAPOL pak dump rx
    *Mar  8 00:03:06.811: EAPOL Version: 0x1  type: 0x0  length: 0x0022
    *Mar  8 00:03:06.811: dot1x-ev:
    dot1x_auth_queue_event: Int Fa0/1 CODE= 2,TYPE= 1,LEN= 34
    *Mar  8 00:03:06.811: dot1x-packet(Fa0/1): Received an EAPOL frame
    *Mar  8 00:03:06.811: dot1x-ev(Fa0/1): Received pkt saddr =d43d.7e65.4fc1 , daddr = 0180.c200.0003,
        pae-ether-type = 888e.0100.0022
    *Mar  8 00:03:06.811: dot1x-packet(Fa0/1): Received an EAP packet
    *Mar  8 00:03:06.811: EAPOL pak dump rx
    *Mar  8 00:03:06.811: EAPOL Version: 0x1  type: 0x0  length: 0x0022
    *Mar  8 00:03:06.811: dot1x-packet(Fa0/1): Received an EAP packet from d43d.7e65.4fc1
    *Mar  8 00:03:06.811: dot1x-sm(Fa0/1): Posting EAPOL_EAP for 0xB0000DBA
    *Mar  8 00:03:06.811:     dot1x_auth_bend Fa0/1: during state auth_bend_request, got event 6(eapolEap)
    *Mar  8 00:03:06.811: @@@ dot1x_auth_bend Fa0/1: auth_bend_request -> auth_bend_response
    *Mar  8 00:03:06.811: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_enter called
    *Mar  8 00:03:06.811: dot1x-ev(Fa0/1): dot1x_sendRespToServer: Response sent to the server from 0xB0000DBA (d43d.7e65.4fc1)
    *Mar  8 00:03:06.811: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_response_action called
    *Mar  8 00:03:06.811: AAA/AUTHEN/8021X (000001C7): Pick method list 'default'
    *Mar  8 00:03:06.819: RADIUS/ENCODE(000001C7):Orig. component type = DOT1X
    *Mar  8 00:03:06.819: RADIUS(000001C7): Config NAS IP: 0.0.0.0
    *Mar  8 00:03:06.819: RADIUS/ENCODE(000001C7): acct_session_id: 724
    *Mar  8 00:03:06.819: RADIUS(000001C7): sending
    *Mar  8 00:03:06.819: RADIUS/ENCODE: Best Local IP-Address 10.26.237.11 for Radius-Server 10.26.13.59
    *Mar  8 00:03:06.819: RADIUS(000001C7): Send Access-Request to 10.26.13.59:1812 id 1645/83, len 251
    *Mar  8 00:03:06.819: RADIUS:  authenticator A1 79 FA E5 F4 B7 7F 4F - 2B 73 3A 0D 1F D8 89 20
    *Mar  8 00:03:06.819: RADIUS:  User-Name           [1]   31  "host/D0902MALL005.IN.intranet"
    *Mar  8 00:03:06.819: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    *Mar  8 00:03:06.819: RADIUS:  Framed-MTU          [12]  6   1500                     
    *Mar  8 00:03:06.819: RADIUS:  Called-Station-Id   [30]  19  "D4-A0-2A-EE-14-81"
    *Mar  8 00:03:06.819: RADIUS:  Calling-Station-Id  [31]  19  "D4-3D-7E-65-4F-C1"
    *Mar  8 00:03:06.819: RADIUS:  EAP-Message         [79]  36 
    *Mar  8 00:03:06.819: RADIUS:   02 01 00 22 01 68 6F 73 74 2F 44 30 39 30 32 4D 41 4C 4C 30  ["host/D0902MALL0]
    *Mar  8 00:03:06.819: RADIUS:   30 35 2E 49 4E 2E 69 6E 74 72 61 6E 65 74    [ 05.IN.intranet]
    *Mar  8 00:03:06.819: RADIUS:  Message-Authenticato[80]  18 
    *Mar  8 00:03:06.819: RADIUS:   D6 6F 7B CD 36 46 5E F6 90 6F 85 A8 BD BD AE D8            [ o{6F^o]
    *Mar  8 00:03:06.819: RADIUS:  EAP-Key-Name        [102] 2   *
    *Mar  8 00:03:06.819: RADIUS:  Vendor, Cisco       [26]  49 
    *Mar  8 00:03:06.819: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0A1AED0B000000EE240F5BAB"
    *Mar  8 00:03:06.819: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    *Mar  8 00:03:06.819: RADIUS:  NAS-Port            [5]   6   50001                    
    *Mar  8 00:03:06.819: RADIUS:  NAS-Port-Id         [87]  17  "FastEthernet0/1"
    *Mar  8 00:03:06.819: RADIUS:  NAS-IP-Address      [4]   6   10.26.237.11             
    *Mar  8 00:03:06.819: RADIUS:  Acct-Session-Id     [44]  10  "000002D4"
    *Mar  8 00:03:06.819: RADIUS(000001C7): Started 3 sec timeout
    *Mar  8 00:03:06.861: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
    *Mar  8 00:03:06.903: RADIUS: Received from id 1645/83 10.26.13.59:1812, Access-Challenge, len 76
    *Mar  8 00:03:06.903: RADIUS:  authenticator 7B 1C DC CA A8 92 E9 34 - 17 86 25 2F 9D 7E 63 96
    *Mar  8 00:03:06.903: RADIUS:  EAP-Message         [79]  8  
    *Mar  8 00:03:06.903: RADIUS:   01 02 00 06 0D 20                 [  ]
    *Mar  8 00:03:06.903: RADIUS:  Message-Authenticato[80]  18 
    *Mar  8 00:03:06.903: RADIUS:   DD F3 7B 33 37 6D 40 BD F3 D2 78 DF F1 14 4D E4           [ {37m@xM]
    *Mar  8 00:03:06.903: RADIUS:  State               [24]  30 
    *Mar  8 00:03:06.903: RADIUS:   00 7D 00 9B 00 C1 00 40 ED B8 45 00 FC DD 50 2E DC 0E E6 03 FC 7B AD 4C B7 E7 B1 70          [ }@EP.{Lp]
    *Mar  8 00:03:06.911: RADIUS(000001C7): Received from id 1645/83
    *Mar  8 00:03:06.911: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
    *Mar  8 00:03:06.911: dot1x-sm(Fa0/1): Posting EAP_REQ for 0xB0000DBA
    *Mar  8 00:03:06.911:     dot1x_auth_bend Fa0/1: during state auth_bend_response, got event 7(eapReq)
    *Mar  8 00:03:06.911: @@@ dot1x_auth_bend Fa0/1: auth_bend_response -> auth_bend_request
    *Mar  8 00:03:06.911: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_exit called
    *Mar  8 00:03:06.911: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_enter called
    *Mar  8 00:03:06.911: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
    *Mar  8 00:03:06.911: dot1x-ev(Fa0/1): Role determination not required
    *Mar  8 00:03:06.911: dot1x-registry:registry:dot1x_ether_macaddr called
    *Mar  8 00:03:06.911: dot1x-ev(Fa0/1): Sending out EAPOL packet
    *Mar  8 00:03:06.911: EAPOL pak dump Tx
    *Mar  8 00:03:06.911: EAPOL Version: 0x3  type: 0x0  length: 0x0006
    *Mar  8 00:03:06.911: EAP code: 0x1  id: 0x2  length: 0x0006 type: 0xD
    *Mar  8 00:03:06.911: dot1x-packet(Fa0/1): EAPOL packet sent to client 0xB0000DBA (d43d.7e65.4fc1)
    *Mar  8 00:03:06.911: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_request_action called
    *Mar  8 00:03:06.920: dot1x-ev(Fa0/1): Role determination not required
    *Mar  8 00:03:06.920: dot1x-packet(Fa0/1): Queuing an EAPOL pkt on Authenticator Q
    *Mar  8 00:03:06.920: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
    *Mar  8 00:03:06.920: EAPOL pak dump rx
    *Mar  8 00:03:06.920: EAPOL Version: 0x1  type: 0x0  length: 0x0069
    *Mar  8 00:03:06.920: dot1x-ev:
    dot1x_auth_queue_event: Int Fa0/1 CODE= 2,TYPE= 13,LEN= 105
    *Mar  8 00:03:06.920: dot1x-packet(Fa0/1): Received an EAPOL frame
    *Mar  8 00:03:06.920: dot1x-ev(Fa0/1): Received pkt saddr =d43d.7e65.4fc1 , daddr = 0180.c200.0003,
        pae-ether-type = 888e.0100.0069
    *Mar  8 00:03:06.920: dot1x-packet(Fa0/1): Received an EAP packet
    *Mar  8 00:03:06.920: EAPOL pak dump rx
    *Mar  8 00:03:06.920: EAPOL Version: 0x1  type: 0x0  length: 0x0069
    *Mar  8 00:03:06.920: dot1x-packet(Fa0/1): Received an EAP packet from d43d.7e65.4fc1
    *Mar  8 00:03:06.920: dot1x-sm(Fa0/1): Posting EAPOL_EAP for 0xB0000DBA
    *Mar  8 00:03:06.920:     dot1x_auth_bend Fa0/1: during state auth_bend_request, got event 6(eapolEap)
    *Mar  8 00:03:06.920: @@@ dot1x_auth_bend Fa0/1: auth_bend_request -> auth_bend_response
    *Mar  8 00:03:06.920: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_enter called
    *Mar  8 00:03:06.920: dot1x-ev(Fa0/1): dot1x_sendRespToServer: Response sent to the server from 0xB0000DBA (d43d.7e65.4fc1)
    *Mar  8 00:03:06.920: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_response_action called
    *Mar  8 00:03:06.920: AAA/AUTHEN/8021X (000001C7): Pick method list 'default'
    *Mar  8 00:03:06.920: RADIUS/ENCODE(000001C7):Orig. component type = DOT1X
    *Mar  8 00:03:06.920: RADIUS(000001C7): Config NAS IP: 0.0.0.0
    *Mar  8 00:03:06.920: RADIUS/ENCODE(000001C7): acct_session_id: 724
    *Mar  8 00:03:06.920: RADIUS(000001C7): sending
    *Mar  8 00:03:06.920: RADIUS/ENCODE: Best Local IP-Address 10.26.237.11 for Radius-Server 10.26.13.59
    *Mar  8 00:03:06.920: RADIUS(000001C7): Send Access-Request to 10.26.13.59:1812 id 1645/84, len 352
    *Mar  8 00:03:06.920: RADIUS:  authenticator 41 72 8D 6A B4 72 19 84 - 1B C8 33 F7 95 DD 07 BC
    *Mar  8 00:03:06.928: RADIUS:  User-Name           [1]   31  "host/D0902MALL005.IN.intranet"
    *Mar  8 00:03:06.928: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    *Mar  8 00:03:06.928: RADIUS:  Framed-MTU          [12]  6   1500                     
    *Mar  8 00:03:06.928: RADIUS:  Called-Station-Id   [30]  19  "D4-A0-2A-EE-14-81"
    *Mar  8 00:03:06.928: RADIUS:  Calling-Station-Id  [31]  19  "D4-3D-7E-65-4F-C1"
    *Mar  8 00:03:06.928: RADIUS:  EAP-Message         [79]  107
    *Mar  8 00:03:06.928: RADIUS:   02 02 00 69 0D 80 00 00 00 5F 16 03 01 00 5A 01 00 00 56 03 01 52 C5 45 4F 07 CA B3 29 50 A7 CE 40 76 B6 BD F0 50 D4 CE 9A 8A 02 C4 3D 40 35 B5 F0 E1 E2 75  [i_ZVREO)P@vP=@5u]
    *Mar  8 00:03:06.928: RADIUS:   50 00 00 18 00 2F 00 35 00 05 00 0A C0 13 C0 14 C0 09 C0 0A 00 32 00 38 00 13 00 04 01 00 00 15 FF 01 00 01 00 00 0A 00 06 00 04 00 17 00 18 00 0B 00 02 01 00             [ P/528]
    *Mar  8 00:03:06.928: RADIUS:  Message-Authenticato[80]  18 
    *Mar  8 00:03:06.928: RADIUS:   A3 28 CE 27 20 C0 D6 2C 11 01 D6 61 1F C3 6F 03            [ (' ,ao]
    *Mar  8 00:03:06.928: RADIUS:  EAP-Key-Name        [102] 2   *
    *Mar  8 00:03:06.928: RADIUS:  Vendor, Cisco       [26]  49 
    *Mar  8 00:03:06.928: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0A1AED0B000000EE240F5BAB"
    *Mar  8 00:03:06.928: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    *Mar  8 00:03:06.928: RADIUS:  NAS-Port            [5]   6   50001                    
    *Mar  8 00:03:06.928: RADIUS:  NAS-Port-Id         [87]  17  "FastEthernet0/1"
    *Mar  8 00:03:06.928: RADIUS:  State               [24]  30 
    *Mar  8 00:03:06.928: RADIUS:   00 7D 00 9B 00 C1 00 40 ED B8 45 00 FC DD 50 2E DC 0E E6 03 FC 7B AD 4C B7 E7 B1 70          [ }@EP.{Lp]
    *Mar  8 00:03:06.928: RADIUS:  NAS-IP-Address      [4]   6   10.26.237.11             
    *Mar  8 00:03:06.928: RADIUS:  Acct-Session-Id     [44]  10  "000002D4"
    *Mar  8 00:03:06.928: RADIUS(000001C7): Started 3 sec timeout
    *Mar  8 00:03:07.004: RADIUS: Received from id 1645/84 10.26.13.59:1812, Access-Challenge, len 1188
    *Mar  8 00:03:07.004: RADIUS:  authenticator 7B 52 29 05 7E C3 EF 8E - 13 38 30 03 4B 65 64 0F
    *Mar  8 00:03:07.004: RADIUS:  EAP-Message         [79]  255
    *Mar  8 00:03:07.004: RADIUS:   01 03 04 56 0D C0 00 00 05 78 16 03 01 00 51 02 00 00 4D 03 01 52 C5 45 4F 0F 04 37 77 A0 C2 68 66 4E 45 92 AB 3D 7F 94 70 AF 36  [VxQMREO7whfNE=p6]
    *Mar  8 00:03:07.004: RADIUS:   1D C5 17 23 5C F1 FA CA 60 B0 20 A5 48 16 D5 3F F9 B0 FF 38 1D D5 13 B3 88 13 06 EF DC 87 5C AE 17 E7 7E 80 84 21 58 64 F7 A6 36 00 35 00 00 05 FF 01 00 01 00 16 03 01 02 1C 0B 00 02 18 00 02 15 00 02 12 30 82 02 0E 30  [#\` H?8\~!Xd6500]
    *Mar  8 00:03:07.004: RADIUS:   82 01 77 A0 03 02 01 02 02 09 00 88 7A CB 35 3F 1E 3E 62 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 30 2F 31 15 30 13 06 03 55 04 03 13 0C 53 50  [wz5?>b0*H0/10USP]
    *Mar  8 00:03:07.004: RADIUS:   49 4E 41 56 44 30 30 30 30 34 31 16 30 14 06 03 55 04 0A 13 0D 50 6F 6C  [INAVD0000410UPol]
    *Mar  8 00:03:07.004: RADIUS:   69 63 79 4D 61 6E 61 67 65 72 30 1E 17 0D 31 33 30 38 32  [icyManager013082]
    *Mar  8 00:03:07.004: RADIUS:   37 30 37 32 34 33 30 5A 17 0D 31 34 30 38 32 37 30 37  [7072430Z14082707]
    *Mar  8 00:03:07.004: RADIUS:   32 34 33 30 5A 30 2F 31 15 30 13 06 03 55 04 03 13 0C 53 50 49 4E 41 56  [2430Z0/10USPINAV]
    *Mar  8 00:03:07.004: RADIUS:   44 30 30               [ D00]
    *Mar  8 00:03:07.004: RADIUS:  EAP-Message         [79]  255
    *Mar  8 00:03:07.004: RADIUS:   30 30 34 31 16 30 14 06 03 55 04 0A 13 0D 50 6F 6C 69 63 79 4D 61 6E 61  [00410UPolicyMana]
    *Mar  8 00:03:07.004: RADIUS:   67 65 72 30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 81 8D 00 30 81 89 02 81 81 00 C9 B9 03 65 83 EB 39 86 14 BC 95 7B DB 07 7E C5 8A D7 DA C7 8A CA 5A 88 6E 0B 93 06 35 57  [ger00*H0e9{~Zn5W]
    *Mar  8 00:03:07.012: RADIUS:   6E DE 93 CD C9 FE 8E 9F E1 5F A9 04 5C BD A9 AD 5A 04 6E 35 47 76 A1 58 E5 C4 32 D7 49 9E 17 75 20 C6 6F 45 40  [n_\Zn5GvX2Iu oE@]
    *Mar  8 00:03:07.012: RADIUS:   AC EF 40 6D 15 38 F9 C2 28 7E C9 68 37 52 3B BF F4 C1 5E B8 BA 46 68 43 79 B1 65 66  [@m8(~h7R;^FhCyef]
    *Mar  8 00:03:07.012: RADIUS:   9E 58 ED EC 8C 95 A2 D8 BF AA 77 AC 85 90 E3 AB C6 27 3A A2 22 AC 1C 48 B3 BF BE F7 85 CF 5C BB 2D 02 03 01 00 01 A3 32 30 30 30 0F 06 03 55 1D 11 04 08 30 06 87 04 0A 1A 0D 3B 30  [Xw':"H\-2000U0;0]
    *Mar  8 00:03:07.012: RADIUS:   1D 06 03 55 1D 25 04 16 30 14 06 08 2B 06 01 05 05 07 03 01 06 08 2B 06 01 05 05 07 03 03 30 0D 06 09 2A 86 48 86 F7 0D 01 01          [ U?0++0*H]
    *Mar  8 00:03:07.012: RADIUS:  EAP-Message         [79]  255
    *Mar  8 00:03:07.012: RADIUS:   05 05 00 03 81 81 00 C4 46 3E 38 3D 53 0F 28 34 C1 A6 ED DC 70 76 9B 70 6B A8 95 7C 44 8E 7D 6E D6 8B 6D  [F>8=S(4pvpk|D}nm]
    *Mar  8 00:03:07.012: RADIUS:   90 49 83 06 E4 BF 68 2F 9D 77 78 A3 76 76 19 84 AD 26 3F F3 ED AA 88 52 35 0E 35 DD 00 E5 96 88 44 30 79 A0 71  [Ih/wxvv&?R55D0yq]
    *Mar  8 00:03:07.012: RADIUS:   8D 25 3E 77 A0 E0 43 92 33 55 40 E1 C8 EE 88 11 25 E2 70 28 11 6C 5A 4E 3D F1 93 57 0A 6F  [?>wC3U@?p(lZN=Wo]
    *Mar  8 00:03:07.012: RADIUS:   36 51 72 04 08 C0 C0 DF F0 94 A9 F7 A1 05 C8 37 D6 F8 D4 9C 20 1A 7B CD 2C 17 83 7B 8E 20 F7 2D B6 16 03 01 02 FC 0D 00 02 F4 03 01 02 40 02 EE 00 63 30 61 31 0B 30  [6Qr7 {,{ -@c0a10]
    *Mar  8 00:03:07.012: RADIUS:   09 06 03 55 04 06 13 02 55 53 31 15 30 13 06 03 55 04 0A 13 0C 44 69 67 69 43 65 72 74 20 49  [UUS10UDigiCert I]
    *Mar  8 00:03:07.012: RADIUS:   6E 63 31 19 30 17 06 03 55 04 0B 13 10 77 77 77 2E 64 69 67 69 63 65 72  [nc10Uwww.digicer]
    *Mar  8 00:03:07.012: RADIUS:   74 2E 63 6F 6D 31 20 30 1E 06 03 55 04 03 13 17 44 69 67 69 43 65 72  [t.com1 0UDigiCer]
    *Mar  8 00:03:07.012: RADIUS:   74 20 47 6C 6F 62 61 6C 20 52 6F 6F 74 20 43 41  [t Global Root CA]
    *Mar  8 00:03:07.012: RADIUS:   00 48                 [ H]
    *Mar  8 00:03:07.012: RADIUS:  EAP-Message         [79]  255
    *Mar  8 00:03:07.012: RADIUS:   30 46 31 18 30 16 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 08 69 6E 74 72 61 6E 65 74 31  [0F10&,dintranet1]
    *Mar  8 00:03:07.020: RADIUS:   12 30 10 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 02 49 4E 31 16 30 14 06 03 55 04 03 13 0D 49 6E 64 69 61 20 52  [0&,dIN10UIndia R]
    *Mar  8 00:03:07.020: RADIUS:   6F 6F 74 20 43 41 00 4A 30 48 31 18 30 16 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 08 69 6E  [oot CAJ0H10&,din]
    *Mar  8 00:03:07.020: RADIUS:   74 72 61 6E 65 74 31 12 30 10 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 02 49 4E 31 18 30 16 06 03 55  [tranet10&,dIN10U]
    *Mar  8 00:03:07.020: RADIUS:   04 03 13 0F 45 6E 74 65 72 70 72 69 73 65 20 43 41 2D 31 00 4D  [Enterprise CA-1M]
    *Mar  8 00:03:07.020: RADIUS:   30 4B 31 18 30 16 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 08 69 6E 74 72 61 6E 65 74 31  [0K10&,dintranet1]
    *Mar  8 00:03:07.020: RADIUS:   12 30 10 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 02 49 4E 31 1B 30 19 06 03 55 04 03 13 12 49 4E 2D 53 50 49 4E  [0&,dIN10UIN-SPIN]
    *Mar  8 00:03:07.020: RADIUS:   43 52 54 30 30 30 30 33 2D 43 41 00 D5 30 81 D2 31 0B 30 09 06 03 55 04 06 13 02 55  [CRT00003-CA010UU]
    *Mar  8 00:03:07.020: RADIUS:   53 31 13 30 11 06 03 55 04              [ S10U]
    *Mar  8 00:03:07.020: RADIUS:  EAP-Message         [79]  100
    *Mar  8 00:03:07.020: RADIUS:   08 0C 0A 43 61 6C 69 66 6F 72 6E 69 61 31 12 30 10 06 03 55 04 07 0C 09 53 75 6E  [California10USun]
    *Mar  8 00:03:07.020: RADIUS:   6E 79 76 61 6C 65 31 17 30 15 06 03 55 04 0A 0C 0E 41 72 75 62 61 20 4E  [nyvale10UAruba N]
    *Mar  8 00:03:07.020: RADIUS:   65 74 77 6F 72 6B 73 31 40 30 3E 06 03 55 04 03 0C 37 43 6C 65  [etworks1@0>U7Cle]
    *Mar  8 00:03:07.020: RADIUS:   61 72 50 61 73 73 20 4F 6E 62 6F 61 72 64 20 4C  [arPass Onboard L]
    *Mar  8 00:03:07.020: RADIUS:   6F 63 61 6C 20 43 65 72 74 69        [ ocal Certi]
    *Mar  8 00:03:07.020: RADIUS:  Message-Authenticato[80]  18 
    *Mar  8 00:03:07.020: RADIUS:   12 75 40 41 6F 40 6B 6F A5 FE AB 85 F3 B3 CF A4           [ u@Ao@ko]
    *Mar  8 00:03:07.020: RADIUS:  State               [24]  30 
    *Mar  8 00:03:07.020: RADIUS:   00 6F 00 51 00 4B 00 6E EE B8 45 00 4B AA 6B A9 B6 D6 C8 CC 48 1A 91 99 7F 77 D3 C1         [ oQKnEKkHw]
    *Mar  8 00:03:07.029: RADIUS(000001C7): Received from id 1645/84
    *Mar  8 00:03:07.029: RADIUS/DECODE: EAP-Message fragments, 253+253+253+253+98, total 1110 bytes
    *Mar  8 00:03:07.037: dot1x-sm(Fa0/1): Posting EAP_REQ for 0xB0000DBA
    *Mar  8 00:03:07.037:     dot1x_auth_bend Fa0/1: during state auth_bend_response, got event 7(eapReq)
    *Mar  8 00:03:07.037: @@@ dot1x_auth_bend Fa0/1: auth_bend_response -> auth_bend_request
    *Mar  8 00:03:07.037: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_exit called
    *Mar  8 00:03:07.037: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_enter called
    *Mar  8 00:03:07.037: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
    *Mar  8 00:03:07.037: dot1x-ev(Fa0/1): Role determination not required
    *Mar  8 00:03:07.037: dot1x-registry:registry:dot1x_ether_macaddr called
    *Mar  8 00:03:07.037: dot1x-ev(Fa0/1): Sending out EAPOL packet
    *Mar  8 00:03:07.037: EAPOL pak dump Tx
    *Mar  8 00:03:07.037: EAPOL Version: 0x3  type: 0x0  length: 0x0456
    *Mar  8 00:03:07.037: EAP code: 0x1  id: 0x3  length: 0x0456 type: 0xD
    *Mar  8 00:03:07.037: dot1x-packet(Fa0/1): EAPOL packet sent to client 0xB0000DBA (d43d.7e65.4fc1)
    *Mar  8 00:03:07.037: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_request_action called
    *Mar  8 00:03:07.037: dot1x-ev(Fa0/1): Role determination not required
    *Mar  8 00:03:07.037: dot1x-packet(Fa0/1): Queuing an EAPOL pkt on Authenticator Q
    *Mar  8 00:03:07.037: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
    *Mar  8 00:03:07.037: EAPOL pak dump rx
    *Mar  8 00:03:07.037: EAPOL Version: 0x1  type: 0x0  length: 0x0006
    *Mar  8 00:03:07.037: dot1x-ev:
    dot1x_auth_queue_event: Int Fa0/1 CODE= 2,TYPE= 13,LEN= 6
    *Mar  8 00:03:07.037: dot1x-packet(Fa0/1): Received an EAPOL frame
    *Mar  8 00:03:07.037: dot1x-ev(Fa0/1): Received pkt saddr =d43d.7e65.4fc1 , daddr = 0180.c200.0003,
        pae-ether-type = 888e.0100.0006
    *Mar  8 00:03:07.037: dot1x-packet(Fa0/1): Received an EAP packet
    *Mar  8 00:03:07.037: EAPOL pak dump rx
    *Mar  8 00:03:07.037: EAPOL Version: 0x1  type: 0x0  length: 0x0006
    *Mar  8 00:03:07.037: dot1x-packet(Fa0/1): Received an EAP packet from d43d.7e65.4fc1
    *Mar  8 00:03:07.037: dot1x-sm(Fa0/1): Posting EAPOL_EAP for 0xB0000DBA
    *Mar  8 00:03:07.037:     dot1x_auth_bend Fa0/1: during state auth_bend_request, got event 6(eapolEap)
    *Mar  8 00:03:07.037: @@@ dot1x_auth_bend Fa0/1: auth_bend_request -> auth_bend_response
    *Mar  8 00:03:07.037: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_enter called
    *Mar  8 00:03:07.037: dot1x-ev(Fa0/1): dot1x_sendRespToServer: Response sent to the server from 0xB0000DBA (d43d.7e65.4fc1)
    *Mar  8 00:03:07.037: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_response_action called
    *Mar  8 00:03:07.037: AAA/AUTHEN/8021X (000001C7): Pick method list 'default'
    *Mar  8 00:03:07.046: RADIUS/ENCODE(000001C7):Orig. component type = DOT1X
    *Mar  8 00:03:07.046: RADIUS(000001C7): Config NAS IP: 0.0.0.0
    *Mar  8 00:03:07.046: RADIUS/ENCODE(000001C7): acct_session_id: 724
    *Mar  8 00:03:07.046: RADIUS(000001C7): sending
    *Mar  8 00:03:07.046: RADIUS/ENCODE: Best Local IP-Address 10.26.237.11 for Radius-Server 10.26.13.59
    *Mar  8 00:03:07.046: RADIUS(000001C7): Send Access-Request to 10.26.13.59:1812 id 1645/85, len 253
    *Mar  8 00:03:07.046: RADIUS:  authenticator 1C D7 6D 40 A3 D6 BA B1 - A7 E6 70 DA 32 83 2E 19
    *Mar  8 00:03:07.046: RADIUS:  User-Name           [1]   31  "host/D0902MALL005.IN.intranet"
    *Mar  8 00:03:07.046: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    *Mar  8 00:03:07.046: RADIUS:  Framed-MTU          [12]  6   1500                     
    *Mar  8 00:03:07.046: RADIUS:  Called-Station-Id   [30]  19  "D4-A0-2A-EE-14-81"
    *Mar  8 00:03:07.046: RADIUS:  Calling-Station-Id  [31]  19  "D4-3D-7E-65-4F-C1"
    *Mar  8 00:03:07.046: RADIUS:  EAP-Message         [79]  8  
    *Mar  8 00:03:07.046: RADIUS:   02 03 00 06 0D 00
    *Mar  8 00:03:07.046: RADIUS:  Message-Authenticato[80]  18 
    *Mar  8 00:03:07.046: RADIUS:   73 1D 89 5C 66 19 32 B6 63 C2 64 C1 04 42 A9 F9           [ s\f2cdB]
    *Mar  8 00:03:07.046: RADIUS:  EAP-Key-Name        [102] 2   *
    *Mar  8 00:03:07.046: RADIUS:  Vendor, Cisco       [26]  49 
    *Mar  8 00:03:07.046: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0A1AED0B000000EE240F5BAB"
    *Mar  8 00:03:07.046: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    *Mar  8 00:03:07.046: RADIUS:  NAS-Port            [5]   6   50001                    
    *Mar  8 00:03:07.046: RADIUS:  NAS-Port-Id         [87]  17  "FastEthernet0/1"
    *Mar  8 00:03:07.046: RADIUS:  State               [24]  30 
    *Mar  8 00:03:07.046: RADIUS:   00 6F 00 51 00 4B 00 6E EE B8 45 00 4B AA 6B A9 B6 D6 C8 CC 48 1A 91 99 7F 77 D3 C1         [ oQKnEKkHw]
    *Mar  8 00:03:07.046: RADIUS:  NAS-IP-Address      [4]   6   10.26.237.11             
    *Mar  8 00:03:07.046: RADIUS:  Acct-Session-Id     [44]  10  "000002D4"
    *Mar  8 00:03:07.046: RADIUS(000001C7): Started 3 sec timeout
    *Mar  8 00:03:07.113: RADIUS: Received from id 1645/85 10.26.13.59:1812, Access-Challenge, len 378
    *Mar  8 00:03:07.113: RADIUS:  authenticator 1A 85 26 09 58 84 BC D4 - E0 A9 E3 C0 25 31 2D 31
    *Mar  8 00:03:07.113: RADIUS:  EAP-Message         [79]  255
    *Mar  8 00:03:07.121: RADIUS:   01 04 01 32 0D 00 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74  [2ficate Authorit]
    *Mar  8 00:03:07.121: RADIUS:   79 20 28 53 69 67 6E 69 6E 67 29 31 3F 30 3D 06 09 2A  [y (Signing)1?0=*]
    *Mar  8 00:03:07.121: RADIUS:   86 48 86 F7 0D 01 09 01 16 30 64 36 62 62 34 66 37 30 2D 66 34 31 32 2D  [H0d6bb4f70-f412-]
    *Mar  8 00:03:07.121: RADIUS:   34 35 35 32 2D 61 65 65 32 2D 63 37 61 30 32 36  [4552-aee2-c7a026]
    *Mar  8 00:03:07.121: RADIUS:   66 62 61 32 31 38 40 65 78 61 6D 70 6C 65 2E 63  [fba218@example.c]
    *Mar  8 00:03:07.121: RADIUS:   6F 6D 00 CB 30 81 C8 31 0B 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 0C 0A 43 61 6C 69 66  [om010UUS10UCalif]
    *Mar  8 00:03:07.121: RADIUS:   6F 72 6E 69 61 31 12 30 10 06 03 55 04 07 0C 09 53 75 6E 6E 79 76 61 6C  [ornia10USunnyval]
    *Mar  8 00:03:07.121: RADIUS:   65 31 17 30 15 06 03 55 04 0A 0C 0E 41 72 75 62 61 20 4E 65 74 77 6F 72  [e10UAruba Networ]
    *Mar  8 00:03:07.121: RADIUS:   6B 73 31 36 30 34 06 03 55 04 03 0C 2D 43 6C 65 61 72 50 61 73  [ks1604U-ClearPas]
    *Mar  8 00:03:07.121: RADIUS:   73 20 4F 6E 62 6F 61 72 64 20 4C 6F 63 61 6C 20  [s Onboard Local ]
    *Mar  8 00:03:07.121: RADIUS:   43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68  [Certificate Auth]
    *Mar  8 00:03:07.121: RADIUS:   6F 72 69 74 79 31 3F 30 3D 06 09 2A 86 48 86 F7 0D 01 09 01 16       [ ority1?0=*H]
    *Mar  8 00:03:07.121: RADIUS:  EAP-Message         [79]  55 
    *Mar  8 00:03:07.121: RADIUS:   30 64 36 62 62 34 66 37 30 2D 66 34 31 32 2D 34  [0d6bb4f70-f412-4]
    *Mar  8 00:03:07.121: RADIUS:   35 35 32 2D 61 65 65 32 2D 63 37 61 30 32 36 66  [552-aee2-c7a026f]
    *Mar  8 00:03:07.121: RADIUS:   62 61 32 31 38 40 65 78 61 6D 70 6C 65 2E 63 6F  [ba218@example.co]
    *Mar  8 00:03:07.121: RADIUS:   6D 0E 00 00 00                 [ m]
    *Mar  8 00:03:07.121: RADIUS:  Message-Authenticato[80]  18 
    *Mar  8 00:03:07.121: RADIUS:   4C 46 AA B9 A5 D5 DF EA DB E7 2B 7B 51 7E 58 3F          [ LF+{Q~X?]
    *Mar  8 00:03:07.121: RADIUS:  State               [24]  30 
    *Mar  8 00:03:07.121: RADIUS:   00 EF 00 B9 00 0A 00 00 EF B8 45 00 EF D2 C4 3C 81 6C 72 0E 23 FE 11 EA 12 17 50 A1            [ E
    *Mar  8 00:03:07.121: RADIUS(000001C7): Received from id 1645/85
    *Mar  8 00:03:07.121: RADIUS/DECODE: EAP-Message fragments, 253+53, total 306 bytes
    *Mar  8 00:03:07.130: dot1x-sm(Fa0/1): Posting EAP_REQ for 0xB0000DBA
    *Mar  8 00:03:07.130:     dot1x_auth_bend Fa0/1: during state auth_bend_response, got event 7(eapReq)
    *Mar  8 00:03:07.130: @@@ dot1x_auth_bend Fa0/1: auth_bend_response -> auth_bend_request
    *Mar  8 00:03:07.130: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_exit called
    *Mar  8 00:03:07.130: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_request_enter called
    *Mar  8 00:03:07.130: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
    *Mar  8 00:03:07.130: dot1x-ev(Fa0/1): Role determination not required
    *Mar  8 00:03:07.130: dot1x-registry:registry:dot1x_ether_macaddr called
    *Mar  8 00:03:07.130: dot1x-ev(Fa0/1): Sending out EAPOL packet
    *Mar  8 00:03:07.130: EAPOL pak dump Tx
    *Mar  8 00:03:07.130: EAPOL Version: 0x3  type: 0x0  length: 0x0132
    *Mar  8 00:03:07.130: EAP code: 0x1  id: 0x4  length: 0x0132 type: 0xD
    *Mar  8 00:03:07.130: dot1x-packet(Fa0/1): EAPOL packet sent to client 0xB0000DBA (d43d.7e65.4fc1)
    *Mar  8 00:03:07.130: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_request_action called
    *Mar  8 00:03:07.138: dot1x-ev(Fa0/1): Role determination not required
    *Mar  8 00:03:07.138: dot1x-packet(Fa0/1): Queuing an EAPOL pkt on Authenticator Q
    *Mar  8 00:03:07.138: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
    *Mar  8 00:03:07.138: EAPOL pak dump rx
    *Mar  8 00:03:07.138: EAPOL Version: 0x1  type: 0x0  length: 0x05D4
    *Mar  8 00:03:07.138: dot1x-ev:
    dot1x_auth_queue_event: Int Fa0/1 CODE= 2,TYPE= 13,LEN= 1492
    *Mar  8 00:03:07.138: dot1x-packet(Fa0/1): Received an EAPOL frame
    *Mar  8 00:03:07.138: dot1x-ev(Fa0/1):
    ^Z
    Malleswaram_2960#
    *Mar  8 00:03:07.180: RADIUS:  State               [24]  30 
    *Mar  8 00:03:07.180: RADIUS:   00 EF 00 B9 00 0A 00 00 EF B8 45 00 EF D2 C4 3C 81 6C 72 0E 23 FE 11 EA 12 17 50 A1            [ E
    *Mar  8 00:03:07.180: RADIUS:  NAS-IP-Address      [4]   6   10.26.237.11             
    *Mar  8 00:03:07.180: RADIUS:  Acct-Session-Id     [44]  10  "000002D4"
    *Mar  8 00:03:07.180: RADIUS(000001C7): Started 3 sec timeout
    Malleswaram_2960#
    *Mar  8 00:03:07.893: %SYS-5-CONFIG_I: Configured from console by jameela on vty0 (10.26.20.5)
    Malleswaram_2960#
    *Mar  8 00:03:10.225: RADIUS(000001C7): Request timed out
    *Mar  8 00:03:10.225: RADIUS: Retransmit to (10.26.13.59:1812,1813) for id 1645/86
    *Mar  8 00:03:10.225: RADIUS(000001C7): Started 3 sec timeout
    Malleswaram_2960#
    *Mar  8 00:03:13.354: RADIUS(000001C7): Request timed out
    *Mar  8 00:03:13.354: RADIUS: Retransmit to (10.26.13.59:1812,1813) for id 1645/86
    *Mar  8 00:03:13.354: RADIUS(000001C7): Started 3 sec timeout
    Malleswaram_2960#
    *Mar  8 00:03:16.307: RADIUS(000001C7): Request timed out
    *Mar  8 00:03:16.307: RADIUS: Retransmit to (10.26.13.59:1812,1813) for id 1645/86
    *Mar  8 00:03:16.307: RADIUS(000001C7): Started 3 sec timeout
    Malleswaram_2960#
    *Mar  8 00:03:19.369: RADIUS(000001C7): Request timed out
    *Mar  8 00:03:19.369: RADIUS: Retransmit to (10.26.13.59:1812,1813) for id 1645/86
    *Mar  8 00:03:19.369: RADIUS(000001C7): Started 3 sec timeout
    Malleswaram_2960#
    *Mar  8 00:03:22.456: RADIUS(000001C7): Request timed out
    *Mar  8 00:03:22.456: RADIUS: Fail-over denied to  (10.26.13.59:1812,1813) for id 1645/86
    *Mar  8 00:03:22.456: RADIUS: No response from (10.26.13.59:1812,1813) for id 1645/86
    *Mar  8 00:03:22.456: RADIUS/DECODE: parse response no app start; FAIL
    *Mar  8 00:03:22.456: RADIUS/DECODE: parse response; FAIL
    *Mar  8 00:03:22.456: dot1x-ev(Fa0/1): Received an EAP Fail
    *Mar  8 00:03:22.456: dot1x-sm(Fa0/1): Posting EAP_FAIL for 0xB0000DBA
    *Mar  8 00:03:22.456:     dot1x_auth_bend Fa0/1: during state auth_bend_response, got event 10(eapFail)
    *Mar  8 00:03:22.456: @@@ dot1x_auth_bend Fa0/1: auth_bend_response -> auth_bend_fail
    *Mar  8 00:03:22.456: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_exit called
    *Mar  8 00:03:22.456: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_fail_enter called
    *Mar  8 00:03:22.456: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_response_fail_action called
    *Mar  8 00:03:22.456:     dot1x_auth_bend Fa0/1: idle during state auth_bend_fail
    *Mar  8 00:03:22.456: @@@ dot1x_auth_bend Fa0/1: auth_bend_fail -> auth_bend_idle
    *Mar  8 00:03:22.456: dot1x-sm(Fa0/1): 0xB0000DBA:auth_bend_idle_enter called
    *Mar  8 00:03:22.456: dot1x-sm(Fa0/1): Posting AUTH_FAIL on Client 0xB0000DBA
    *Mar  8 00:03:22.456:     dot1x_auth Fa0/1: during state auth_authenticating, got event 15(authFail)
    *Mar  8 00:03:22.456: @@@ dot1x_auth Fa0/1: auth_authenticating -> auth_authc_result
    *Mar  8 00:03:22.456: dot1x-sm(Fa0/1): 0xB0000DBA:auth_authenticating_exit called
    *Mar  8 00:03:22.456: dot1x-sm(Fa0/1): 0xB0000DBA:auth_authc_result_enter called
    *Mar  8 00:03:22.456: %DOT1X-5-FAIL: Authentication failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID
    *Mar  8 00:03:22.456: dot1x-ev(Fa0/1): Sending event (2) to Auth Mgr for d43d.7e65.4fc1
    *Mar  8 00:03:22.456: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EE240F5BAB
    *Mar  8 00:03:22.456: %AUTHMGR-5-FAIL: Authorization failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EE240F5BAB
    *Mar  8 00:03:22.456: dot1x-redundancy: State for client  d43d.7e65.4fc1 successfully retrieved
    *Mar  8 00:03:22.456: dot1x-ev(Fa0/1): Received Authz fail for the client  0xB0000DBA (d43d.7e65.4fc1)
    *Mar  8 00:03:22.456: dot1x-sm(Fa0/1): Posting_AUTHZ_FAIL on Client 0xB0000DBA
    *Mar  8 00:03:22.456:     dot1x_auth Fa0/1: during state auth_authc_result, got event 22(authzFail)
    *Mar  8 00:03:22.456: @@@ dot1x_auth Fa0/1: auth_authc_result -> auth_held
    *Mar  8 00:03:22.456: dot1x-sm(Fa0/1): 0xB0000DBA:auth_held_enter called
    *Mar  8 00:03:22.464: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
    *Mar  8 00:03:22.464: dot1x-ev(Fa0/1): Role determination not required
    *Mar  8 00:03:22.464: dot1x-registry:registry:dot1x_ether_macaddr called
    *Mar  8 00:03:22.464: dot1x-ev(Fa0/1): Sending out EAPOL packet
    *Mar  8 00:03:22.464: EAPOL pak dump Tx
    *Mar  8 00:03:22.464: EAPOL Version: 0x3  type: 0x0  length: 0x0004
    *Mar  8 00:03:22.464: EAP code: 0x4  id: 0x4  length: 0x0004
    *Mar  8 00:03:22.464: dot1x-packet(Fa0/1): EAPOL packet sent to client 0xB0000DBA (d43d.7e65.4fc1)
    *Mar  8 00:03:22.464: dot1x-sm(Fa0/1): Posting FAILOVER_RETRY on Client 0xB0000DBA
    *Mar  8 00:03:22.464:     dot1x_auth Fa0/1: during state auth_held, got event 21(failover_retry)
    *Mar  8 00:03:22.464: @@@ dot1x_auth Fa0/1: auth_held -> auth_restart
    *Mar  8 00:03:22.464: dot1x-sm(Fa0/1): 0xB0000DBA:auth_held_exit called
    *Mar  8 00:03:22.464: dot1x-sm(Fa0/1): 0xB0000DBA:auth_restart_enter called
    *Mar  8 00:03:22.464: dot1x-ev(Fa0/1): Sending create new context event to EAP for 0xB0000DBA (d43d.7e65.4fc1)
    *Mar  8 00:03:22.464: dot1x-sm(Fa0/1): 0xB0000DBA:auth_held_restart_action called
    *Mar  8 00:03:22.464: dot1x-sm(Fa0/1): Posting !EAP_RESTART on Client 0xB0000DBA
    *Mar  8 00:03:22.464:     dot1x_auth Fa0/1: during state auth_restart, got event 6(no_eapRestart)
    *Mar  8 00:03:22.464: @@@ dot1x_auth Fa0/1: auth_restart -> auth_connecting
    *Mar  8 00:03:22.464: dot1x-sm(Fa0/1): 0xB0000DBA:auth_connecting_enter called
    *Mar  8 00:03:22.464: dot1x-sm(Fa0/1): 0xB0000DBA:auth_restart_connecting_action called
    *Mar  8 00:03:22.464: dot1x-sm(Fa0/1): Posting REAUTH_MAX on Client 0xB0000DBA
    *Mar  8 00:03:22.464:     dot1x_auth Fa0/1: during state auth_connecting, got event 11(reAuthMax)
    *Mar  8 00:03:22.464: @@@ dot1x_auth Fa0/1: auth_connecting -> auth_disconnected
    *Mar  8 00:03:22.464: dot1x-sm(Fa0/1): 0xB0000DBA:auth_disconnected_enter called
    *Mar  8 00:03:22.464: dot1x-sm(Fa0/1): d43d.7e65.4fc1:auth_disconnected_enter sending canned failure to version 1 supplicant
    *Mar  8 00:03:22.464: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
    *Mar  8 00:03:22.464: dot1x-ev(Fa0/1): Role determination not required
    *Mar  8 00:03:22.464: dot1x-registry:registry:dot1x_ether_macaddr called
    *Mar  8 00:03:22.464: dot1x-ev(Fa0/1): Sending out EAPOL packet
    *Mar  8 00:03:22.464: EAPOL pak dump Tx
    *Mar  8 00:03:22.464: EAPOL Version: 0x3  type: 0x0  length: 0x0004
    *Mar  8 00:03:22.464: EAP code: 0x4  id: 0x5  length: 0x0004
    *Mar  8 00:03:22.464: dot1x-packet(Fa0/1): dot1x_auth_txCannedStatus: EAPOL packet sent to client 0xB0000DBA (d43d.7e65.4fc1)
    *Mar  8 00:03:22.464: dot1x-sm(Fa0/1): 0xB0000DBA:auth_connecting_disconnected_reAuthMax_action called
    *Mar  8 00:03:22.464:     dot1x_auth Fa0/1: idle during state auth_disconnected
    *Mar  8 00:03:22.464: @@@ dot1x_auth Fa0/1: auth_disconnected -> auth_restart
    *Mar  8 00:03:22.464: dot1x-ev(Fa0/1): Sending event (1) to Auth Mgr for d43d.7e65.4fc1
    *Mar  8 00:03:22.464: dot1x-ev:Delete auth client (0xB0000DBA) message
    *Mar  8 00:03:22.464: dot1x-ev:Auth client ctx destroyed
    *Mar  8 00:03:22.674: AAA/BIND(000001C8): Bind i/f 
    *Mar  8 00:03:22.674:     dot1x_auth Fa0/1: initial state auth_initialize has enter
    *Mar  8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_initialize_enter called
    *Mar  8 00:03:22.674:     dot1x_auth Fa0/1: during state auth_initialize, got event 0(cfg_auto)
    *Mar  8 00:03:22.674: @@@ dot1x_auth Fa0/1: auth_initialize -> auth_disconnected
    *Mar  8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_disconnected_enter called
    *Mar  8 00:03:22.674:     dot1x_auth Fa0/1: idle during state auth_disconnected
    *Mar  8 00:03:22.674: @@@ dot1x_auth Fa0/1: auth_disconnected -> auth_restart
    *Mar  8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_restart_enter called
    *Mar  8 00:03:22.674: dot1x-ev(Fa0/1): Sending create new context event to EAP for 0x4A000DBB (0000.0000.0000)
    *Mar  8 00:03:22.674:     dot1x_auth_bend Fa0/1: initial state auth_bend_initialize has enter
    *Mar  8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_initialize_enter called
    *Mar  8 00:03:22.674:     dot1x_auth_bend Fa0/1: initial state auth_bend_initialize has idle
    *Mar  8 00:03:22.674:     dot1x_auth_bend Fa0/1: during state auth_bend_initialize, got event 16383(idle)
    *Mar  8 00:03:22.674: @@@ dot1x_auth_bend Fa0/1: auth_bend_initialize -> auth_bend_idle
    *Mar  8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_idle_enter called
    *Mar  8 00:03:22.674: dot1x-ev(Fa0/1): Created a client entry (0x4A000DBB)
    *Mar  8 00:03:22.674: dot1x-ev(Fa0/1): Dot1x authentication started for 0x4A000DBB (0000.0000.0000)
    *Mar  8 00:03:22.674: dot1x-sm(Fa0/1): Posting !EAP_RESTART on Client 0x4A000DBB
    *Mar  8 00:03:22.674:     dot1x_auth Fa0/1: during state auth_restart, got event 6(no_eapRestart)
    *Mar  8 00:03:22.674: @@@ dot1x_auth Fa0/1: auth_restart -> auth_connecting
    *Mar  8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_connecting_enter called
    *Mar  8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_restart_connecting_action called
    *Mar  8 00:03:22.674: dot1x-sm(Fa0/1): Posting RX_REQ on Client 0x4A000DBB
    *Mar  8 00:03:22.674:     dot1x_auth Fa0/1: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
    *Mar  8 00:03:22.674: @@@ dot1x_auth Fa0/1: auth_connecting -> auth_authenticating
    *Mar  8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_authenticating_enter called
    *Mar  8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_connecting_authenticating_action called
    *Mar  8 00:03:22.674: dot1x-sm(Fa0/1): Posting AUTH_START for 0x4A000DBB
    *Mar  8 00:03:22.674:     dot1x_auth_bend Fa0/1: during state auth_bend_idle, got event 4(eapReq_authStart)
    *Mar  8 00:03:22.674: @@@ dot1x_auth_bend Fa0/1: auth_bend_idle -> auth_bend_request
    *Mar  8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_request_enter called
    *Mar  8 00:03:22.674: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
    *Mar  8 00:03:22.674: dot1x-ev(Fa0/1): Role determination not required
    Malleswaram_2960#
    *Mar  8 00:03:22.674: dot1x-registry:registry:dot1x_ether_macaddr called
    *Mar  8 00:03:22.674: dot1x-ev(Fa0/1): Sending out EAPOL packet
    *Mar  8 00:03:22.674: EAPOL pak dump Tx
    *Mar  8 00:03:22.674: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    *Mar  8 00:03:22.674: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    *Mar  8 00:03:22.674: dot1x-packet(Fa0/1): EAPOL packet sent to client 0x4A000DBB (0000.0000.0000)
    *Mar  8 00:03:22.674: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_idle_request_action called
    *Mar  8 00:03:22.791: dot1x-ev(Fa0/1): New client notification from AuthMgr for 0x4A000DBB - d43d.7e65.4fc1
    *Mar  8 00:03:22.791: %AUTHMGR-5-START: Starting 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
    Malleswaram_2960#
    *Mar  8 00:03:25.761: dot1x-sm(Fa0/1): Posting EAP_REQ for 0x4A000DBB
    *Mar  8 00:03:25.761:     dot1x_auth_bend Fa0/1: during state auth_bend_request, got event 7(eapReq)
    *Mar  8 00:03:25.761: @@@ dot1x_auth_bend Fa0/1: auth_bend_request -> auth_bend_request
    *Mar  8 00:03:25.761: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_request_request_action called
    *Mar  8 00:03:25.761: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_request_enter called
    *Mar  8 00:03:25.761: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
    *Mar  8 00:03:25.761: dot1x-ev(Fa0/1): Role determination not required
    *Mar  8 00:03:25.761: dot1x-registry:registry:dot1x_ether_macaddr called
    Malleswaram_2960#n
    *Mar  8 00:03:25.761: dot1x-ev(Fa0/1): Sending out EAPOL packet
    *Mar  8 00:03:25.761: EAPOL pak dump Tx
    *Mar  8 00:03:25.761: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    *Mar  8 00:03:25.761: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    *Mar  8 00:03:25.761: dot1x-packet(Fa0/1): EAPOL packet sent to client 0x4A000DBB (d43d.7e65.4fc1)
    Malleswaram_2960#no debu
    Malleswaram_2960#no debug
    *Mar  8 00:03:28.848: dot1x-sm(Fa0/1): Posting EAP_REQ for 0x4A000DBB
    *Mar  8 00:03:28.848:     dot1x_auth_bend Fa0/1: during state auth_bend_request, got event 7(eapReq)
    *Mar  8 00:03:28.848: @@@ dot1x_auth_bend Fa0/1: auth_bend_request -> auth_bend_request
    *Mar  8 00:03:28.848: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_request_request_action called
    *Mar  8 00:03:28.848: dot1x-sm(Fa0/1): 0x4A000DBB:auth_bend_request_enter called
    *Mar  8 00:03:28.848: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
    *Mar  8 00:03:28.848: dot1x-ev(Fa0/1): Role determination not required
    *Mar  8 00:03:28.848: dot1x-registry:registry:dot1x_ether_macaddr called
    Malleswaram_2960#no debug all
    *Mar  8 00:03:28.848: dot1x-ev(Fa0/1): Sending out EAPOL packet
    *Mar  8 00:03:28.848: EAPOL pak dump Tx
    *Mar  8 00:03:28.848: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    *Mar  8 00:03:28.848: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    *Mar  8 00:03:28.848: dot1x-packet(Fa0/1): EAPOL packet sent to client 0x4A000DBB (d43d.7e65.4fc1)
    Malleswaram_2960#no debug all
    All possible debugging has been turned off
    Malleswaram_2960#
    *Mar  8 00:03:31.180: AAA: parse name=tty1 idb type=-1 tty=-1
    *Mar  8 00:03:31.180: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
    *Mar  8 00:03:31.180: AAA/MEMORY: create_user (0x21D1684) user='jameela' ruser='Malleswaram_2960' ds0=0 port='tty1' rem_addr='10.26.20.5' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0) key=C9A1F1D1
    *Mar  8 00:03:31.389: TAC+: (-1901802859): received author response status = PASS_ADD
    *Mar  8 00:03:31.389: AAA/MEMORY: free_user (0x21D1684) user='jameela' ruser='Malleswaram_2960' port='tty1' rem_addr='10.26.20.5' authen_type=ASCII service=NONE priv=15
    *Mar  8 00:03:31.935: %DOT1X-5-FAIL: Authentication failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID
    *Mar  8 00:03:31.935: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
    *Mar  8 00:03:31.935: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
    *Mar  8 00:03:31.935: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
    Malleswaram_2960#
    *Mar  8 00:03:31.935: %AUTHMGR-5-FAIL: Authorization failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
    Malleswaram_2960#no deb
    Malleswaram_2960#no debug al
    Malleswaram_2960#no debug all
    All possible debugging has been turned off
    Malleswaram_2960#
    *Mar  8 00:04:32.677: %AUTHMGR-5-START: Starting 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
    Malleswaram_2960#
    *Mar  8 00:04:41.938: %DOT1X-5-FAIL: Authentication failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID
    *Mar  8 00:04:41.938: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
    *Mar  8 00:04:41.938: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
    *Mar  8 00:04:41.938: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
    Malleswaram_2960#
    *Mar  8 00:04:41.938: %AUTHMGR-5-FAIL: Authorization failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
    Malleswaram_2960#
    *Mar  8 00:05:42.654: %AUTHMGR-5-START: Starting 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
    Malleswaram_2960#
    *Mar  8 00:05:51.915: %DOT1X-5-FAIL: Authentication failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID
    *Mar  8 00:05:51.915: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
    *Mar  8 00:05:51.915: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
    *Mar  8 00:05:51.915: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
    Malleswaram_2960#
    *Mar  8 00:05:51.915: %AUTHMGR-5-FAIL: Authorization failed for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3

Please don't worry about the day and time.
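
Added here as an illustration, not part of the original post: Python that reads the `%AUTHMGR` syslog lines and the EAP Tx dumps from the debug output above and reports, per port and MAC, how many EAP-Request/Identity frames were sent before the 'no-response' result and whether any method was left to try. The function names and the diagnosis string are assumptions of this example, and only dumps marked `Tx` are counted.

```python
import re
from collections import defaultdict

# Excerpt of the debug output quoted above (one authentication attempt).
SAMPLE = """\
*Mar  8 00:03:22.674: EAPOL pak dump Tx
*Mar  8 00:03:22.674: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
*Mar  8 00:03:22.791: %AUTHMGR-5-START: Starting 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
*Mar  8 00:03:25.761: EAPOL pak dump Tx
*Mar  8 00:03:25.761: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
*Mar  8 00:03:28.848: EAPOL pak dump Tx
*Mar  8 00:03:28.848: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
*Mar  8 00:03:31.935: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
*Mar  8 00:03:31.935: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (d43d.7e65.4fc1) on Interface Fa0/1 AuditSessionID 0A1AED0B000000EF240F9BC3
"""

AUTHMGR = re.compile(r"%AUTHMGR-\d-(?P<event>[A-Z]+): (?P<text>.*?) for client "
                     r"\((?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\) on Interface (?P<port>\S+)")
# EAP code 0x1 = Request, type 0x1 = Identity (RFC 3748).
IDENTITY_REQ = re.compile(r"EAP code: 0x1\s+id: \S+\s+length: \S+ type: 0x1\b")

def summarize(log):
    """Per (port, MAC): dot1x attempts, results, exhaustion; plus Identity requests sent."""
    clients = defaultdict(lambda: {"attempts": 0, "results": [], "exhausted": 0})
    sent_identity, tx = 0, False
    for line in log.splitlines():
        if "EAPOL pak dump" in line:          # direction of the dump that follows
            tx = line.split()[-1].lower() == "tx"
        elif IDENTITY_REQ.search(line):
            sent_identity += tx               # count only frames the switch sent
        elif (m := AUTHMGR.search(line)):
            c = clients[(m["port"], m["mac"])]
            quoted = re.findall(r"'([^']+)'", m["text"])
            if m["event"] == "START":
                c["attempts"] += 1
            elif m["event"] == "RESULT":      # quoted == [result, method]
                c["results"].append((quoted[1], quoted[0]))
            elif m["event"] == "NOMOREMETHODS":
                c["exhausted"] += 1
    return dict(clients), sent_identity

def diagnose(c):
    """Flag the pattern in the post: dot1x times out and no other method runs."""
    silent = bool(c["results"]) and all(r == ("dot1x", "no-response") for r in c["results"])
    return "supplicant silent, no method left after dot1x" if silent and c["exhausted"] else "other"

if __name__ == "__main__":
    clients, sent = summarize(SAMPLE)
    print(sent, {key: diagnose(c) for key, c in clients.items()})
```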
