Dot1x "authentication event fail action authorize" missing vlan info in show running-config 3750 12.2.55-SE7

Has anyone seen this on their dot1x configurations, where the VLAN info is missing in the show running-config output? See port Fast 2/0/3 below. The 3750 PoE switch is running 12.2.55-SE7.
interface FastEthernet2/0/1
 switchport access vlan 18
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 101
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 priority-queue out
 authentication event fail action authorize vlan 34
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 34
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 mls qos trust dscp
 auto qos voip trust
 dot1x pae authenticator
 dot1x timeout quiet-period 3
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 3
 storm-control broadcast level 1.00
 spanning-tree portfast
 spanning-tree bpduguard enable
interface FastEthernet2/0/2
 switchport access vlan 18
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 101
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 priority-queue out
 authentication event fail action authorize vlan 34
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 34
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 mls qos trust dscp
 auto qos voip trust
 dot1x pae authenticator
 dot1x timeout quiet-period 3
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 3
 storm-control broadcast level 1.00
 spanning-tree portfast
 spanning-tree bpduguard enable
interface FastEthernet2/0/3
 switchport access vlan 18
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 101
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 priority-queue out
 authentication event fail action authorize
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 34
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 mls qos trust dscp
 auto qos voip trust
 dot1x pae authenticator
 dot1x timeout quiet-period 3
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 3
 storm-control broadcast level 1.00
 spanning-tree portfast
 spanning-tree bpduguard enable
interface FastEthernet2/0/4
 switchport access vlan 18
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 101
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 priority-queue out
 authentication event fail action authorize
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 34
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 mls qos trust dscp
 auto qos voip trust
 dot1x pae authenticator
 dot1x timeout quiet-period 3
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 3
 storm-control broadcast level 1.00
 spanning-tree portfast
 spanning-tree bpduguard enable
interface FastEthernet2/0/5
 switchport access vlan 18
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 101
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 priority-queue out
 authentication event fail action authorize
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 34
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 mls qos trust dscp
 auto qos voip trust
 dot1x pae authenticator
 dot1x timeout quiet-period 3
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 3
 storm-control broadcast level 1.00
 spanning-tree portfast
 spanning-tree bpduguard enable
interface FastEthernet2/0/6
 switchport access vlan 18
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 101
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 priority-queue out
 authentication event fail action authorize vlan 34
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 34
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 mls qos trust dscp
 auto qos voip trust
 dot1x pae authenticator
 dot1x timeout quiet-period 3
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 3
 storm-control broadcast level 1.00
 spanning-tree portfast
 spanning-tree bpduguard enable

The VLAN info isn't missing; you have the option of either specifying which VLAN you want it dropped into, or you can just say authorize the VLAN that is configured with the 'switchport access vlan' command.
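Added example, not from the original posters: a Python audit that groups ports by the text of their `authentication event ...` fallback lines, so that differences such as the one on Fa2/0/3 stand out in a long running-config. The sample is trimmed from the config in the question; the function names are this example's own, and the script reports only what the config text says, not how the switch treats a line without a VLAN.

```python
"""Group switch ports by their 802.1X fallback actions to expose config drift."""
import re
from collections import defaultdict

# Sample: four of the ports from the question, trimmed to the relevant lines.
SAMPLE_CONFIG = """\
interface FastEthernet2/0/1
 switchport access vlan 18
 authentication event fail action authorize vlan 34
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 34
interface FastEthernet2/0/3
 switchport access vlan 18
 authentication event fail action authorize
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 34
interface FastEthernet2/0/4
 switchport access vlan 18
 authentication event fail action authorize
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 34
interface FastEthernet2/0/6
 switchport access vlan 18
 authentication event fail action authorize vlan 34
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 34
"""

EVENT_RE = re.compile(
    r"^authentication event (fail|no-response|server dead|server alive)"
    r"(?: retry \d+)? action (.+)$"
)
ACCESS_RE = re.compile(r"^switchport access vlan (\d+)$")


def parse_ports(config):
    """Return {interface: {"access_vlan": int or None, "events": {event: action}}}."""
    ports = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = {"access_vlan": None, "events": {}}
            ports[line.split(None, 1)[1]] = current
            continue
        if current is None or not line or line == "!":
            continue
        if not raw[0].isspace():
            current = None  # a non-indented line ends the interface block
            continue
        m = ACCESS_RE.match(line)
        if m:
            current["access_vlan"] = int(m.group(1))
            continue
        m = EVENT_RE.match(line)
        if m:
            event, action = m.groups()
            if action == "authorize voice":
                # Track the voice-domain variant as its own event.
                event, action = event + " (voice)", "authorize"
            current["events"][event] = action
    return ports


def drift(ports):
    """Return {event: {action_text: [interfaces]}} for events that differ across ports."""
    seen = sorted({e for p in ports.values() for e in p["events"]})
    report = {}
    for event in seen:
        groups = defaultdict(list)
        for name, port in ports.items():
            groups[port["events"].get(event, "(not configured)")].append(name)
        if len(groups) > 1:
            report[event] = dict(groups)
    return report


def no_explicit_vlan(ports, event="fail"):
    """Interfaces whose <event> action is 'authorize' with no VLAN in the config text."""
    return [n for n, p in ports.items() if p["events"].get(event) == "authorize"]


if __name__ == "__main__":
    parsed = parse_ports(SAMPLE_CONFIG)
    for event, groups in drift(parsed).items():
        print(f"event '{event}' is configured differently across ports:")
        for action, names in groups.items():
            print(f"  {action!r}: {', '.join(names)}")
    for name in no_explicit_vlan(parsed):
        print(f"{name}: fail action has no VLAN (access vlan {parsed[name]['access_vlan']})")
```
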

Similar Messages

  • Authentication Failed and No Response VLAN

    I'm running 12.2(33)SXI. The documentation states:
    With Cisco IOS Release 12.2(33)SXH and later releases, when you configure a guest VLAN, clients that are not 802.1X-capable are put into the guest VLAN when the server does not receive a response to its EAP request/identity frame. Clients that are 802.1X-capable but that fail authentication are not granted network access. When operating as a guest VLAN, a port functions in multiple-hosts mode regardless of the configured host mode of the port.
    http://www.cisco.com/en/US/customer/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html#wp1135086
    I've configured the following (in addition to the normal 802.1x commands) on the port to which the client is connected:
    authentication event no-response action authorize vlan 100
    authentication event fail action authorize vlan 100
    Where vlan 100 is the guest VLAN--i.e. I want any client that has either 1) no 802.1x supplicant configured on the workstation or 2) does not have a valid login/password, to be placed on this VLAN. The problem I run into is that neither of these two things are happening. I can authenticate users with valid login credentials against AD and internal database but when a user without valid credentials attempts to log on or one without a supplicant attempts to connect, I see the debugs in the switch just sending EAP polls to the client. I would expect that it should put the client on the guest VLAN after the attempts time out or if the user provides invalid credentials. This doesn't happen. Please advise. Thanks.

    It seems that the following command seemed to do the trick for us:
    dot1x guest-vlan supplicant
    Basically, even though I had the guest VLAN specified at the interface level, until I entered the above command at the global level, the client (that has no 802.1x supplicant or one that entered wrong credentials) was not being placed in the guest VLAN. Once I entered the above command, it seems to be getting placed in the guest VLAN.

  • 802.1x / dot1x Authentication, including Voice-Vlan and Guest-Vlan

    Hello,
    I have tried to configure dot1x-based authentication.
    With a single host including guest VLAN, everything works fine.
    But I want to use an IP phone (which is authenticated every time) and a client behind the phone.
    Is there a possible solution? Unfortunately, the IP phones are Avaya phones.
    I have just tried this...
    interface GigabitEthernet0/4
    switchport access vlan 121
    switchport mode access
    switchport voice vlan 200
    authentication event fail action authorize vlan 99
    authentication event server dead action authorize vlan 121
    authentication event server alive action reinitialize
    authentication host-mode multi-host
    authentication order dot1x
    authentication port-control auto
    authentication periodic
    authentication violation restrict
    dot1x pae authenticator
    dot1x timeout quiet-period 10
    dot1x timeout tx-period 1
    spanning-tree portfast
    Thanks, for any possible solution!

    Unfortunately, because they are Avaya phones, the easy answer, CDP bypass, fails in this instance. When you plug in the phone, the switch will assume it's the 'single host' for this port, and restrict the port due to the authentication for the phone failing. Maybe you can just hard-code the voice VLANs on each phone, but that could get tedious depending on the number of phones.
    I believe there is a DHCP option you can pass back that indicates the phone should be running on VLAN 200, but for this to work you'd also need to set up a pre-auth ACL that would allow DHCP to work in the unauthorized state. I think it's 147 off the top of my head.
    Another solution (which isn't what you originally wanted, but it would work) is to just use multi-domain instead of single-host, and authenticate both the phone and the PC. The RADIUS server should be able to distinguish between what is configured as a phone and what is a host, and will send back the appropriate VLAN if configured correctly.
    What are you using for a RADIUS server?

  • Authentication order and ISE authorization policies

    Hello
    I'm looking at configuring ISE to authenticate AD joined PC's (using Anyconnect NAM for user and machine authentication with EAP chaining) and to profile Cisco IP phones. The Pc's and phones connect on the same switchport. The switchport configuration for this was:
    switchport
    switchport access vlan 102
    switchport mode access
    switchport voice vlan 101
    authentication event fail action next-method
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    mab
    snmp trap mac-notification change added
    snmp trap mac-notification change removed
    dot1x pae authenticator
    The above config worked fine with the "show authentication sessions" on the switch showing dot1x as the method for the DATA domain and mab for VOICE. I decided to reverse the authentication order/priority on the switch interface so that the phone would be authenticated first with mab. This resulted in the "show authentication sessions" on the switch showing mab as the method for both DATA and VOICE domains.
    To prevent this I created an authorization policy on ISE to respond with an "Access-Reject" when the "UseCase = Host Lookup" and the Endpoint Identity Group was Unknown (the group containing the AD PC's). This worked fine - the switch would attempt to authenticate both PC and phone using mab. When an "Access-Reject" was received for the PC, the switch would move onto the next method and the PC would be successfully authenticated using dot1x.
    The only problem with this is that the ISE logs soon become full with the denies caused by the authorisation policy - is there any way to achieve the above scenario without impacting the logs?
    Thanks
    Andy

    Hi Andy-
    Have you tried to have the config in the following manner:
    authentication order mab dot1x
    authentication priority dot1x mab
    This "order" will tell the switchport to always start with mab but the "priority" keyword will allow the switchport to accept dot1x authentications for dot1x capable devices. 
    For more info check out this link:
    http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html
    Thank you for rating helpful posts!

  • 4.0.1 to 4.1.1 -- LDAP Directory Authentication Scheme fails

    Using the out of the box LDAP directory authentication scheme that worked fine in v. 4.0.1 is failing in v. 4.1.1. User authentication is failing with 'Invalid Login Credentials'. Debug shows that the User is 'nobody'. Looking at v. 4.0.1, User shows 'Admin'. Also, the 'LDAP test link' is no longer available in 4.1.1 - that's a bummer.
    Example debug 4.1.1:
    4161     426774014496602     nobody     103     101     50     6 minutes ago     0.8562
    Example debug 4.0.1:
    661     3340172823117775     ADMIN     130     101     57     36 seconds ago     0.3298
    Does anyone know if something was changed with the standard LDAP directory scheme? Or am I missing some configuration?

    Hi Julie,
    sorry, there is too little context for me to answer this question. I have no idea where and how you got that debug output, for example.
    As for testing, the LDAP authentication scheme calls wwv_flow_custom_auth_ldap.authenticate. It's not an official API and we may revoke the grant in future versions, but in 4.1, you can test LDAP auth in SQL Workshop with
    declare
        l_status boolean;
    begin
        l_status := wwv_flow_custom_auth_ldap.authenticate (
                                     p_ldap_host     => ...host...,
                                     p_ldap_port     => ...port...,
                                     p_dn            => ...dn_string...,
                                     p_search_filter => ...search_filter...,
                                     p_password      => ...password...,
                                     p_use_ssl       => ...ssl_mode... (Y for SSL, A for SSL with authentication, N for no SSL),
                                     p_use_exact_dn  => ...use_exact_dn... (Y or N) );
        dbms_output.put_line(case when l_status then 'authenticated' else 'auth error' end);
    end;
    Regards,
    Christian

  • AAA authorization show run in priv 7

    Hi, can anyone help...
    I have set up AAA on my network.
    aaa authentication login default group tacacs+ group security local
    aaa authorization exec default group tacacs+ group security local
    aaa accounting exec default start-stop group tacacs+ group security
    tacacs-server host x.x.x.x
    tacacs-server directed-request
    tacacs-server key 7 xyz
    I want to set privilege on a group basis.
    I have created a group called test in the ACS server and set command authorization on a per-group basis
    and added the show command with permit running-config as arguments.
    My objective is to give the users of the test group priv level 7, but they can use show running-config.
    Any help?
    thanks in advance

    Hi,
    Thanks for your reply. It's nearly exactly what I wanted. However, show running-config only shows this:
    7206a#sh run
    Building configuration...
    Current configuration : 53 bytes
    boot-start-marker
    boot-end-marker
    end
    However #Show config
    shows the proper running-config
    Thanks

  • VLAN IDs not showing up in 2960 switch configuration

    We have Layer 2 2960 switches that all connect back to our 4500 core. The core has the interface VLAN definitions. But on the access switches I can do a SHO VLAN and see all the VLANs in my network, yet they do not show up in my running config. The guides all say to use the VLAN global command to define VLANs, but will just entering the switchport access vlan x put them in the VLAN database as well? We also do not have VTP defined. Any ideas?

    Hello Kmattison,
    >> but will just entering the switchport access vlan x put them in the VLAN database as well? 
    Yes, this is correct. And it may explain why you see VLAN entries in the VLAN database without a corresponding vlan command in the running config.
    Hope to help
    Giuseppe

  • Workbook: Document store operation failed due to missing authorization

    Hello authorizer gurus,
    I have got 3.5.
    I have transported.
    I try to open a workbook.
    I am getting an error message:
               Document store operation failed due to missing authorization
    Newly saved queries as workbooks can be opened.
    What's wrong ?
    Thank You
    Martin Sautter

    Martin,
    To get a detailed message about the error (including which authorization objects the user needs to have to be able to perform the action that caused the error) use ST22. It sounds like they are missing the Open authorization for workbooks.
    Cheers,
    Rusty

  • 'Document store operation failed due to missing authorization'

    Hi all,
      I am getting the error message 'Document store operation failed due to missing authorization' when trying to save the workbook as the existing Workbook after changing the structure for it. We are using the Authorization Hierarchies.
    What is the problem and how can I fix it, PLEASE ???
    Thanks.
    Message was edited by: Venkat Kodi

    check out the related thread:
    What is this error

  • Dot1x authentication some problem

    Hi,
    Hello,
    We have a dot1x authentication problem.
    When I enter the dot1x configuration on the interface, user authentication puts the interface into err-disable state.
    Below is the interface configuration:
    interface FastEthernet0/45
    switchport access vlan 21
    switchport mode access
    authentication host-mode multi-auth
    authentication port-control auto
    mab eap
    dot1x pae both
    dot1x timeout quiet-period 3
    dot1x timeout tx-period 5
    spanning-tree portfast
    Switch authentication failed log
    Jun  4 16:52:16.381: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun  4 16:52:16.381: %AUTHMGR-5-START: Starting 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun  4 16:52:16.423: %MAB-5-FAIL: Authentication failed for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun  4 16:52:16.423: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun  4 16:52:16.423: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun  4 16:52:16.423: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun  4 16:52:16.423: %AUTHMGR-5-FAIL: Authorization failed for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun  4 16:53:17.165: %AUTHMGR-5-START: Starting 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun  4 16:53:21.376: %DOT1X-5-SUCCESS: Authentication successful for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID
    Jun  4 16:53:21.376: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun  4 16:53:21.376: %DOT1X_SWITCH-5-ERR_ADDING_ADDRESS: Unable to add address 2c41.380f.f187 on Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun  4 16:53:21.376: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/45, new MAC address (2c41.380f.f187) is seen.AuditSessionID  0A51F11D000000266273D33D
    Jun  4 16:53:21.376: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/45, putting Fa0/45 in err-disable state
    Jun  4 16:53:22.400: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/45, changed state to down

    AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/45, new MAC address (2c41.380f.f187) is seen.AuditSessionID 0A51F11D000000266273D33D
    Interface host mode limits the number of hosts that can be attached to an interface. The limit was exceeded and caused a security violation. The interface is error disabled.
    Therefore what NAJAF has said could be one reason, or your CAM table is full, so try the clear mac address-table command and the clear port-security command if the address is secured on a port.
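Added example, not from the thread's posters: Python that rebuilds, for each err-disable event in a log like the one above, the authentication history of the MAC named in the security violation. The sample lines are copied from the posted log; the function and field names are this example's own.

```python
"""Correlate AUTHMGR/DOT1X syslog lines that precede a port err-disable."""
import re

# Sample: a subset of the lines from the log posted in this thread.
SAMPLE_LOG = """\
Jun  4 16:52:16.381: %AUTHMGR-5-START: Starting 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:52:16.423: %MAB-5-FAIL: Authentication failed for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:52:16.423: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:52:16.423: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:53:17.165: %AUTHMGR-5-START: Starting 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:53:21.376: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:53:21.376: %DOT1X_SWITCH-5-ERR_ADDING_ADDRESS: Unable to add address 2c41.380f.f187 on Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:53:21.376: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/45, new MAC address (2c41.380f.f187) is seen.AuditSessionID  0A51F11D000000266273D33D
Jun  4 16:53:21.376: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/45, putting Fa0/45 in err-disable state
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:.]+): %(?P<tag>[A-Z0-9_]+-\d-[A-Z_]+): (?P<msg>.*)$"
)
MAC_RE = re.compile(r"\b([0-9a-f]{4}(?:\.[0-9a-f]{4}){2})\b")
IF_RE = re.compile(r"\b(FastEthernet|GigabitEthernet|Fa|Gi)(\d+(?:/\d+)+)")
RESULT_RE = re.compile(r"Authentication result '([^']+)' from '([^']+)'")


def parse_line(line):
    """Split one syslog line into timestamp, tag, MAC, short interface name, result."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    mac = MAC_RE.search(msg)
    intf = IF_RE.search(msg)
    res = RESULT_RE.search(msg)
    return {
        "ts": m.group("ts"),
        "tag": m.group("tag"),
        "mac": mac.group(1) if mac else None,
        # Normalise FastEthernet0/45 and Fa0/45 to the same key.
        "intf": intf.group(1)[:2] + intf.group(2) if intf else None,
        "result": (res.group(2), res.group(1)) if res else None,  # (method, result)
    }


def explain_err_disable(log):
    """Return one finding per PM-4-ERR_DISABLE line, built from the events before it."""
    results = {}     # (interface, mac) -> [(method, result), ...]
    violation = {}   # interface -> MAC named in the latest SECURITY_VIOLATION
    add_failed = {}  # interface -> MAC from the latest ERR_ADDING_ADDRESS
    findings = []
    for ev in filter(None, map(parse_line, log.splitlines())):
        intf, mac = ev["intf"], ev["mac"]
        if ev["result"]:
            results.setdefault((intf, mac), []).append(ev["result"])
        elif ev["tag"].endswith("ERR_ADDING_ADDRESS"):
            add_failed[intf] = mac
        elif ev["tag"].endswith("SECURITY_VIOLATION"):
            violation[intf] = mac
        elif ev["tag"] == "PM-4-ERR_DISABLE":
            vmac = violation.get(intf)
            history = results.get((intf, vmac), [])
            findings.append({
                "interface": intf,
                "time": ev["ts"],
                "violating_mac": vmac,
                "history": history,
                "same_client_had_succeeded": any(r == "success" for _, r in history),
                "address_add_failed": vmac is not None and add_failed.get(intf) == vmac,
            })
    return findings


if __name__ == "__main__":
    for f in explain_err_disable(SAMPLE_LOG):
        print(f"{f['time']} {f['interface']} err-disabled; violation names {f['violating_mac']}")
        for method, result in f["history"]:
            print(f"  earlier on this port: {method} -> {result}")
        print(f"  same client had already authenticated: {f['same_client_had_succeeded']}")
        print(f"  switch failed to add that address first: {f['address_add_failed']}")
```

On the posted log, the MAC named in the violation is the client that had just passed dot1x on the same port, and the switch logged ERR_ADDING_ADDRESS for that address immediately before.
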

  • Dot1x authentication - Switch 3650 / Polycom phone 430

    Hi,
    I have a switch 3650 with the IP base image IOS 12.2(25) SEE3, a polycom phone SoundPoint IP 430 SIP, A radius server IAS 2003 and a Windows XP PC.
    I enabled the Windows XP PC for wired authentication (started the Wired AutoConfig service, added the registry entries AuthMode and SupplicantMode, chose Enable IEEE 802.1x authentication with PEAP, then secured password EAP-MSCHAP-v2).
    I configured the RADIUS server for ethernet authentication and domain users. In the profile I choose Eap, mschap v2
    The port configuration of the switch is as following:
    Switch#sh run int fa0/1
    Building configuration...
    Current configuration : 590 bytes
    interface FastEthernet0/1
    switchport access vlan 121
    switchport mode access
    switchport voice vlan 155
    switchport priority extend trust
    service-policy input QoS-Policy-LAN
    speed 100
    duplex full
    spanning-tree portfast
    end
    I configured the switch as the following:
    switch(config)#dot1x system-auth-control
    Under the interface configuration mode:
    switch(config-if)#dot1x port-control auto
    switch(config-if)#dot1x pae authenticator
    switch(config-if)#dot1x host-mode multi-host
    I plugged the PC directly into the switch port, I got that additional credentials are required for the PC to connect to the network, So I put my username and password for windows and was successfully authenticated.
    Then I plugged the PC into the phone (Polycom 430) and the phone into the switch port. The network card appears as attempting to authenticate but it doesn't prompt, and I am not able to access the network, nor am I able to use the phone. (The problem is that the authentication packets sent from the PC do not reach the switch, as I see in the debug dot1x (on the switch) comparison between when I was connecting the PC alone and when I connected the PC and phone: the client ID trying to authenticate is different in each case. I will put the debug for both below, when it connects and when it was unable to connect.)
    I tried dot1x host-mode single-host
    I made many changes, one time with single-host and then with multi-host (each time, I tried to disable/enable the network card of the PC and make a phone call in order to generate traffic):
    First, I added dot1x mac-auth-bypass, disconnected and reconnected -- didn't work (neither phone nor PC).
    Second, in addition to the first, I added dot1x control-direction in -- didn't work (neither phone nor PC).
    Then I removed both these settings and I set:
    dot1x guest-vlan 155 where 155 is the voice vlan
    dot1x auth-fail vlan 155
    Nothing was working
    Then I added these 2 records, in addition to the dot1x mac-auth-bypass, nothing was working.
    In the attachment, I marked with blue font, where I saw the ClientID, After that state-machine record that shows the client ID, I saw that the debug output of the debug changed
    CDP is enabled on both the phone and the switch, and when I use show cdp, I see the phone connected to the port.
    Thanks
    Sayed

    One test that I ran was setting the duplex to half on all switches/phone/PC.
    I brought a small switch, connected to the Cisco 3650 with the port configuration,
    and I did two more tests:
    test1,     
         dot1x port-control auto
         dot1x authenticator pae
         dot1x host-mode multi-host
    the PC authenticated successfully and I was able to to access the network as well as to make phone calls.
    Test2.
         dot1x port-control auto
         dot1x authenticator pae
         dot1x host-mode single-host
    The PC was able to authenticate  and access the network but the phone was not able.
    The problem that I am thinking is that the phone wants to try to authenticate, and doesn't let the authentication of the PC to pass.
    I hope somebody can help me, regarding this problem
    Thanks

  • Delay the first dot1x authentication message after a port comes up

    Cisco ISE: 1.2
    Switch IOS: 15.0.2.EX4
    Hello,
    I have configured the APs to authenticate with 802.1X via the switch.
    When I shut the port on which the AP is connected and then no shut it, the port comes up a few seconds later and the switch sends a dot1x authentication.
    I feel that the AP has not finished booting and that's why it fails, because the AP doesn't answer that authentication request.
    I was wondering if it's possible to delay the first authentication message the switch sends just after a port comes up?
    When I use debug commands I see
    %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
    %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
    %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
    %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
    %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
    NB: you'll see exhausted all authentication methods because I only configured dot1x on the port (no mab or anything else)
    Thank you for all answers

    Hello,
    Thank you for your reply. That document is very interesting.
    I've just read the chapter regarding the profiling with APs so far and got them working properly the way they showed it.
    However, I'm not a big fan of MAB and profiling, because ISE retrieves CDP information collected through SNMP.
    - You need CDP (or LLDP) enabled and you might not want that for different reasons (Security, Interoperability...)
    - A machine could lie about its identity and pretend through CDP that it's a controller, an AP, a printer and so on.
    That's why the best option, in my opinion, would be that the AP sends its credentials and ISE accepts it or rejects it.
    It's possible to do this with the Cisco APs
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/99791-eapfast-wlc-rad-config.html
    I'm wondering why Cisco chooses a different EAP method for each of their devices (EAP-MD5 -> Cisco Phones, EAP-FAST -> AP)
    So in my humble opinion, the mab/profiling solution is good but not optimal.

  • Document Store Operation Failed due to missing authorisations.

    Hi
    I am using BW 3.5. One of the users is getting the following error message while accessing one of the reports:
    Document Store Operation Failed due to missing authorisations.
    The user has previously accessed this report many times. But when I tried to access the report, there was no problem.
    Could any one of you advise me how to rectify this error?
    Many thanks in advance
    Regards
    Ishi

    Hi Suresh
    Thanks for the response; I have checked authorizations and user is authorised to access all the existing reports in BW. Checks were successful.
    What might be the reason then?
    Thanks

  • The SAP SSO authentication will fail because the current user doesn't...

    Hi Experts!
    I am facing an issue and I have tried to do all the tips on answers of topics under same subject.
    Once I open my report and refresh, it prompts me with a message that I don't have access to one or more data providers, asking me if I want to proceed (ID: WIS_30286). Then I click yes and run the refresh, and it prompts me with another message: The SAP SSO authentication will fail because the current user doesn't have an alias that matches system BIDCLNT100.
    I checked the connection and tested, but the server does not answer (SBO0001); in the details I see the same message as above.
    This on PRD, because on DEV it works fine.
    Thanks in advance!

    Hi,
    for the first part where you don't access I would suggest you do an authorization trace to ensure that the user has all the necessary authorizations.
    and on the second part - yes the user needs to have credentials for the system that you trying to access
    Ingo

  • [SOLVED] Linux 3.0: Udev events failed to load

    Hey Guys,
    Nothing too alarming here. Just got this boot msg after upgrading to Kernel 3.0.
    Loading udev events    [FAIL]
    I'm checking my modules right now to see if something's missing. Any idea on how I can find out what failed?
    Thanks.
    Last edited by Dumbledore (2011-08-08 17:42:16)

    Perhaps you should take a better look at what's actually failing rather than guessing (see /var/log/boot). You've combined two messages:
    "Triggering UDev uevents" (from line 319 of /etc/rc.d/functions)
    "Loading Modules" (from line 328 of /etc/rc.d/functions)
    Either way, you probably have modules that don't exist in /etc/rc.conf listed in the MODULES array. Would be useful to see the contents of that array.
