Dot1x re-authenticate & dot1x initialize

Hi,
I'm trying dot1x with critical authentication plus MAC authentication bypass
on a Cat2960 with SEE2.
Its configuration is the following:
aaa new-model
aaa authentication login cisco local
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
dot1x critical eapol
interface GigabitEthernet0/11
switchport access vlan 101
switchport mode access
dot1x mac-auth-bypass
dot1x critical
dot1x critical recovery action reinitialize
dot1x pae authenticator
dot1x port-control auto
dot1x timeout tx-period 1
dot1x max-reauth-req 1
spanning-tree portfast
radius-server dead-criteria time 5
radius-server attribute 32 include-in-access-req format %h
no radius-server attribute nas-port
radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 test username TEST idle-time 1
radius-server source-ports 1645-1646
radius-server key Cisco(%$%
radius-server vsa send accounting
When the RADIUS server is down after a client is authenticated and the two commands,
dot1x re-authenticate int and dot1x initialize int, are issued,
it does not change to the critical-auth state with the dot1x re-authenticate command;
the port remains authorized by the server.
Is this result correct?
CCO says,
Using IEEE 802.1x Authentication with Inaccessible Authentication Bypass
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2960/12225see/scg/sw8021x.htm#wp1194433
If the port is already authorized and re-authentication occurs, the switch puts
the critical port in the critical-authentication state in the current VLAN,
which might be the one previously assigned by the RADIUS server.
Please give me any help.
Thanks,

Debug on dot1x initialize:
C2960#dot1x initialize int g0/11
Aug 8 00:50:00: dot1x-ev:dot1x_exec_init_interface: Initializing Authenticator instances on GigabitEthernet0/11
Aug 8 00:50:00: dot1x-ev:dot1x_switch_port_unauthorized: Unauthorizing interface GigabitEthernet0/11
Aug 8 00:50:00: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Gi0/11
Aug 8 00:50:00: dot1x-ev:vlan 101 vp is removed on the interface GigabitEthernet0/11
Aug 8 00:50:00: dot1x-ev:dot1x_switch_addr_remove: Removed MAC 0000.3926.0384 from vlan 101 on interface GigabitEthernet0/11
Aug 8 00:50:00: dot1x-ev:dot1x_vlan_assign_client_deleted on interface GigabitEthernet0/11
Aug 8 00:50:00: dot1x-ev:Sending create new context event to EAP for 0000.0000.0000
Aug 8 00:50:00: dot1x-ev:Created a client entry for the supplicant 0000.0000.0000
Aug 8 00:50:00: dot1x-ev:Created a default authenticator instance on GigabitEthernet0/11
Aug 8 00:50:01: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11, changed state to down
Aug 8 00:50:01: dot1x-ev:Received an EAP Fail on GigabitEthernet0/11 for mac 0000.0000.0000
Aug 8 00:50:01: dot1x-ev:No reply attributes received from AAA for 0000.0000.0000
Aug 8 00:50:01: dot1x-ev:dot1x_critical_authc_fail: Critical Auth enabled, authenticating port GigabitEthernet0/11
Aug 8 00:50:01: dot1x-ev:dot1x_switch_critical_vlan_policy: No Critical Auth VLAN defined for
port GigabitEthernet0/11
Aug 8 00:50:01: dot1x-ev:Updating feature config
Aug 8 00:50:01: dot1x-ev:dot1x_critical_modify_host_mode: Critical Auth feature overriding host_mode on port GigabitEthernet0/11, forcing to DOT1X_MULTI_HOST
Aug 8 00:50:01: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Gi0/11
Aug 8 00:50:01: dot1x-ev:vlan 101 vp is added on the interface GigabitEthernet0/11
Aug 8 00:50:01: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Gi0/11
Aug 8 00:50:01: dot1x-ev:dot1x_critical_modify_host_mode: Critical Auth feature overriding host_mode on port GigabitEthernet0/11, forcing to DOT1X_MULTI_HOST
Aug 8 00:50:01: dot1x-ev:dot1x_critical_modify_host_mode: Critical Auth feature overriding host_mode on port GigabitEthernet0/11, forcing to DOT1X_MULTI_HOST
Aug 8 00:50:01: dot1x-ev:dot1x_switch_port_authorized: set dot1x ask handler on interface GigabitEthernet0/11
Aug 8 00:50:01: dot1x-ev:Received successful Authz complete for 0000.0000.0000
Aug 8 00:50:01: dot1x-ev:GigabitEthernet0/11:Sending EAPOL packet to group PAE address
Aug 8 00:50:01: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on GigabitEthernet0/11.
Aug 8 00:50:01: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on GigabitEthernet0/11
Aug 8 00:50:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11, changed state to up
C2960#
C2960#
C2960#sh dot1x int g0/11 d
Dot1x Info for GigabitEthernet0/11
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 1
MaxReq = 2
TxPeriod = 1
RateLimitPeriod = 0
Mac-Auth-Bypass = Enabled
Critical-Auth = Enabled
Critical Recovery Action = Reinitialize
Dot1x Authenticator Client List Empty
Port Status = AUTHORIZED
Authorized By = Critical-Auth
Operational HostMode = MULTI_HOST
Vlan Policy = N/A
C2960#
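As an added example (not code from the original post), a small Python audit that parses the `show dot1x interface ... detail` output and the dot1x-ev debug trail shown above, and flags a port that is forwarding under critical auth: no RADIUS decision behind it, host mode forced to multi-host, and the current access VLAN retained. The sample text is abridged from the post; the field names and message patterns come from that output, and nothing else is assumed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# `show dot1x interface g0/11 detail`, abridged from the post above.
SHOW_DOT1X = """\
Dot1x Info for GigabitEthernet0/11
PAE = AUTHENTICATOR
PortControl = AUTO
HostMode = SINGLE_HOST
ReAuthentication = Disabled
Mac-Auth-Bypass = Enabled
Critical-Auth = Enabled
Critical Recovery Action = Reinitialize
Dot1x Authenticator Client List Empty
Port Status = AUTHORIZED
Authorized By = Critical-Auth
Operational HostMode = MULTI_HOST
Vlan Policy = N/A
"""

# Selected dot1x-ev lines from the post's `dot1x initialize` debug run.
DEBUG_TRAIL = """\
Aug 8 00:50:00: dot1x-ev:dot1x_switch_port_unauthorized: Unauthorizing interface GigabitEthernet0/11
Aug 8 00:50:01: dot1x-ev:Received an EAP Fail on GigabitEthernet0/11 for mac 0000.0000.0000
Aug 8 00:50:01: dot1x-ev:No reply attributes received from AAA for 0000.0000.0000
Aug 8 00:50:01: dot1x-ev:dot1x_critical_authc_fail: Critical Auth enabled, authenticating port GigabitEthernet0/11
Aug 8 00:50:01: dot1x-ev:vlan 101 vp is added on the interface GigabitEthernet0/11
Aug 8 00:50:01: dot1x-ev:dot1x_critical_modify_host_mode: Critical Auth feature overriding host_mode on port GigabitEthernet0/11, forcing to DOT1X_MULTI_HOST
Aug 8 00:50:01: dot1x-ev:Received successful Authz complete for 0000.0000.0000
"""


@dataclass
class PortState:
    interface: str
    fields: Dict[str, str] = field(default_factory=dict)

    def get(self, key: str, default: str = "") -> str:
        return self.fields.get(key, default)


def parse_show_dot1x(text: str) -> PortState:
    """Parse the `Key = Value` lines of `show dot1x interface ... detail`."""
    header = re.search(r"Dot1x Info for (\S+)", text)
    state = PortState(interface=header.group(1) if header else "?")
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            state.fields[key.strip()] = value.strip()
    return state


def audit_port(state: PortState) -> List[str]:
    """Findings for a port that forwards without a server-validated credential."""
    findings: List[str] = []
    if state.get("Port Status") == "AUTHORIZED" and state.get("Authorized By") == "Critical-Auth":
        findings.append("authorized by Critical-Auth: no RADIUS decision backs this port")
        if state.get("Vlan Policy") == "N/A":
            findings.append("no critical VLAN policy: port stays in its current access VLAN")
    admin, oper = state.get("HostMode"), state.get("Operational HostMode")
    if admin and oper and admin != oper:
        findings.append(f"host mode forced from {admin} to {oper}")
    # Without periodic re-auth, only the recovery action brings the port back to the server.
    if state.get("ReAuthentication") == "Disabled" and state.get("Critical Recovery Action") != "Reinitialize":
        findings.append("no periodic re-auth and no recovery action: port never returns to the server")
    return findings


DEBUG_LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d): dot1x-ev:(?P<msg>.*)$")

# Ordered event patterns; the first match per line wins.
EVENTS: List[Tuple[str, re.Pattern]] = [
    ("unauthorized", re.compile(r"Unauthorizing interface (\S+)")),
    ("eap_fail", re.compile(r"Received an EAP Fail on (\S+)")),  # generated locally: AAA gave no reply
    ("critical_auth", re.compile(r"dot1x_critical_authc_fail: .*port (\S+)")),
    ("vlan_added", re.compile(r"vlan (\d+) vp is added")),
    ("host_mode_override", re.compile(r"forcing to (\S+)")),
    ("authorized", re.compile(r"Received successful Authz complete for ([0-9a-f.]+)")),
]


def parse_debug(text: str) -> List[Tuple[str, str, str]]:
    """Reduce a dot1x-ev debug trail to (timestamp, event, detail) tuples."""
    timeline = []
    for line in text.splitlines():
        m = DEBUG_LINE.match(line)
        if not m:
            continue
        for name, pattern in EVENTS:
            hit = pattern.search(m.group("msg"))
            if hit:
                timeline.append((m.group("ts"), name, hit.group(1)))
                break
    return timeline


def critical_auth_summary(timeline: List[Tuple[str, str, str]]) -> Dict[str, Optional[object]]:
    """Did the port reach critical auth after reinitialisation, and in which VLAN/host mode?"""
    names = [event for _, event, _ in timeline]
    pick = lambda wanted: next((d for _, n, d in timeline if n == wanted), None)
    return {
        "reinitialized": "unauthorized" in names,
        "server_failed": "eap_fail" in names,
        "critical_auth": "critical_auth" in names,
        "authorized": "authorized" in names,
        "vlan": pick("vlan_added"),
        "host_mode": pick("host_mode_override"),
    }


if __name__ == "__main__":
    for finding in audit_port(parse_show_dot1x(SHOW_DOT1X)):
        print("FINDING:", finding)
    print(critical_auth_summary(parse_debug(DEBUG_TRAIL)))
```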

Similar Messages

  • Help with 4506 802.1x Port Based Authentication (Wired)

    Hi all,
    I'm trying to configure wired 802.1x security on a Catalyst 4506 IOS 12.1.19(EW), using Microsoft IAS (Microsoft's RADIUS), and Windows 2000 SP4 clients.
    I've followed the procedures in the 4506 Software configuration guide and they seem to be straight forward.
    I then turn 802.1x Debugging on the switch to monitor the 802.1x traffic, but there is none. If I bring the configured interface down and then back up, I do get some status change, but it seems like the switch is not sending or receiving EAPOL frames.
    I then execute the dot1x "initialize" and also tried the "re-authenticate" commands, but I get an error saying that FastEthernet 2/2 is not a valid dot1x interface. The line card model number is WS-X4148-RJ21. Is the card not 802.1x compatible?
    The switch does not throw any errors when I configure FastEthernet 2/2 as a 802.1x port by executing
    dot1x port-control auto
    I've also configured the interface to be a plain L2 access port by executing
    switchport mode access
    any help will be appreciated!

    I am currently trying to get 802.1x port authentication working on a Cat3550 against Win2003 IAS, but the IAS log shows an invalid message-authenticator error. The 3550 just shows failed. When I authenticate against Cisco ACS (by simply changing the radius-server) it works perfectly.
    However, I am successfully using IAS to authenticate WPA users on AP1210s, so RADIUS appears to be working OK.
    Are there special attributes that need to be configured on the switch or IAS?

  • Configuring wired 802.1x with Cisco 2950 and NPS 2012 problem

    Hi,
    I am trying to setup wired authentication on my corporate network. For testing purposes, I have setup a Cisco 2950 switch for RADIUS authentication.
    On the first day of the test, access messages were appearing in the event log of the 2012 Server and we were trying to address the issues with EAP and policy (Network Policy and Access Services).
    Then, suddenly, no events are written to the event log for the wired authentication. Accounting data is written to the log file at c:\windows\system32\logfiles, but nothing happens in the event log, as if the NPS is not answering. We are using the same server for wireless 802.1x and all is working fine.
    Checking the wired autoconfig log on the client, "Restart Reason: Onex Auth Timeout" appears.
    Logging seems to be configured properly, but there are no entries in the event log. Below is the debug information from the 2950 switch:
    KAT2-BATISW1#
    00:18:28: dot1x-registry:dot1x_port_linkchange invoked on interface FastEthernet
    0/17
    00:18:28: dot1x-registry:dot1x_port_linkcomingup invoked on interface FastEthern
    et0/17
    00:18:28: dot1x-ev:dot1x_port_enable: set dot1x ask handler on interface FastEth
    ernet0/17
    00:18:28: dot1x-ev:dot1x_update_port_direction: Updating oper direction for Fa0/
    17 (admin=Both, current oper=Both)
    00:18:28: dot1x-ev:dot1x_update_port_direction: New oper direction for Fa0/17 is
     Both
    00:18:28:     dot1x_auth Fa0/17: initial state auth_initialize has enter
    00:18:28: dot1x-sm:Fa0/17:0000.0000.0000:auth_initialize_enter called
    00:18:28: dot1x-ev:auth_initialize_enter:0000.0000.0000: Current ID=0
    00:18:28:     dot1x_auth Fa0/17: during state auth_initialize, got event 0(cfg_a
    uto)
    00:18:28: @@@ dot1x_auth Fa0/17: auth_initialize -> auth_disconnected
    00:18:28: dot1x-sm:Fa0/17:0000.0000.0000:auth_disconnected_enter_action called
    00:18:28: dot1x-sm:
    dot1x_update_port_status called with port_status = DOT1X_PORT_STATUS_UNAUTHORIZE
    D
    00:18:28: dot1x-ev:dot1x_update_port_direction: Updating oper direction for Fa0/
    17 (admin=Both, current oper=Both)
    00:18:28: dot1x-ev:dot1x_update_port_direction: New oper direction for Fa0/17 is
     Both
    00:18:28: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEt
    hernet0/17
    00:18:28: dot1x-ev:dot1x_update_port_status: Called with host_mode=0 state UNAUT
    HORIZED
    00:18:28: dot1x-ev:dot1x_update_port_status: using mac 0000.0000.0000 to send po
    rt to unauthorized on vlan 0
    00:18:28: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
    00:18:28: dot1x-ev:dot1x_port_unauthorized: Host-mode=0 radius/guest vlan=0 on F
    astEthernet0/17
    00:18:28: dot1x-ev:    GuestVlan configured=0
    00:18:28: dot1x-ev:supplicant 0000.0000.0000 is default
    00:18:28: dot1x-ev:supplicant 0000.0000.0000 is last
    00:18:28: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
    00:18:28: dot1x-ev:0000.0000.0000 is now unauthorized on port FastEthernet0/17
    00:18:28: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEt
    hernet0/17
    00:18:28: dot1x-ev:Enter function dot1x_aaa_acct_end
    00:18:28: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
    00:18:28: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
    00:18:28:     dot1x_auth Fa0/17: idle during state auth_disconnected
    00:18:28: @@@ dot1x_auth Fa0/17: auth_disconnected -> auth_connecting
    00:18:28: dot1x-sm:Fa0/17:0000.0000.0000:auth_connecting_enter called
    00:18:28:     dot1x_bend Fa0/17: initial state dot1x_bend_initialize has enter
    00:18:28: dot1x-sm:Dot1x Initialize State Entered
    00:18:28:     dot1x_bend Fa0/17: initial state dot1x_bend_initialize has idle
    00:18:28:     dot1x_bend Fa0/17: during state dot1x_bend_initialize, got event 1
    6383(idle)
    00:18:28: @@@ dot1x_bend Fa0/17: dot1x_bend_initialize -> dot1x_bend_idle
    00:18:28: dot1x-sm:Dot1x Idle State Entered
    00:18:28: dot1x-ev:Created port supplicant block 0000.0000.0000 expected_id=0 cu
    rrent_id=0
    00:18:28: dot1x-ev:dot1x_init_sb_oper_info:Default port supplicant at memloc 80D
    71C74
    00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface
    FastEthernet0/17
    00:18:28: dot1x-ev:
    dot1x_post_message_to_auth_sm:0000.0000.0000: Sending TX_FAIL
    00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm:0000.0000.0000: Current ID=1
    00:18:28: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/17
    00:18:28: dot1x-packet:Tx EAP-Failure, id 0, ver 1, len 4 (Fa0/17)
    00:18:28: dot1x-registry:registry:dot1x_ether_macaddr called
    00:18:28: dot1x-packet:Tx sa=000f.24e9.72d1, da=0180.c200.0003, et 888E (Fa0/17)
    00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface
    FastEthernet0/17
    00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0
    000.0000.0000
    00:18:28: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/17
    00:18:28: dot1x-packet:Tx EAP-Request(Id), id 1, ver 1, len 5 (Fa0/17)
    00:18:28: dot1x-registry:registry:dot1x_ether_macaddr called
    00:18:28: dot1x-packet:Tx sa=000f.24e9.72d1, da=0180.c200.0003, et 888E (Fa0/17)
    00:18:28: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
    00:18:28: dot1x-packet:Rx EAP-Response(Id), id 1, ver 1, len 21 (Fa0/17)
    00:18:28: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
    00:18:28: dot1x-ev:Couldn't find a supplicant block for mac 0024.1d10.d7c5
    00:18:28: dot1x-ev:Couldn't find a supplicant block for mac 0024.1d10.d7c5
    00:18:28: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
    00:18:28:     dot1x_auth Fa0/17: initial state auth_initialize has enter
    00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_initialize_enter called
    00:18:28: dot1x-ev:auth_initialize_enter:0024.1d10.d7c5: Current ID=0
    00:18:28:     dot1x_auth Fa0/17: during state auth_initialize, got event 0(cfg_a
    uto)
    00:18:28: @@@ dot1x_auth Fa0/17: auth_initialize -> auth_disconnected
    00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_disconnected_enter_action called
    00:18:28: dot1x-sm:
    dot1x_update_port_status called with port_status = DOT1X_PORT_STATUS_UNAUTHORIZE
    D
    00:18:28: dot1x-ev:dot1x_update_port_direction: Updating oper direction for Fa0/
    17 (admin=Both, current oper=Both)
    00:18:28: dot1x-ev:dot1x_update_port_direction: New oper direction for Fa0/17 is
     Both
    00:18:28: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEt
    hernet0/17
    00:18:28: dot1x-ev:dot1x_update_port_status: Called with host_mode=0 state UNAUT
    HORIZED
    00:18:28: dot1x-ev:dot1x_update_port_status: using mac 0024.1d10.d7c5 to send po
    rt to unauthorized on vlan 0
    00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:28: dot1x-ev:dot1x_port_unauthorized: Host-mode=0 radius/guest vlan=0 on F
    astEthernet0/17
    00:18:28: dot1x-ev:    GuestVlan configured=0
    00:18:28: dot1x-ev:supplicant 0024.1d10.d7c5 is last
    00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:28: dot1x-ev:0024.1d10.d7c5 is now unauthorized on port FastEthernet0/17
    00:18:28: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEt
    hernet0/17
    00:18:28: dot1x-ev:Enter function dot1x_aaa_acct_end
    00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:28:     dot1x_auth Fa0/17: idle during state auth_disconnected
    00:18:28: @@@ dot1x_auth Fa0/17: auth_disconnected -> auth_connecting
    00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_enter called
    00:18:28:     dot1x_bend Fa0/17: initial state dot1x_bend_initialize has enter
    00:18:28: dot1x-sm:Dot1x Initialize State Entered
    00:18:28:     dot1x_bend Fa0/17: initial state dot1x_bend_initialize has idle
    00:18:28:     dot1x_bend Fa0/17: during state dot1x_bend_initialize, got event 1
    6383(idle)
    00:18:28: @@@ dot1x_bend Fa0/17: dot1x_bend_initialize -> dot1x_bend_idle
    00:18:28: dot1x-sm:Dot1x Idle State Entered
    00:18:28: dot1x-ev:Created port supplicant block 0024.1d10.d7c5 expected_id=1 cu
    rrent_id=1
    00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface
    FastEthernet0/17
    00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface
    FastEthernet0/17
    00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0
    024.1d10.d7c5
    00:18:28: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/17
    00:18:28: dot1x-packet:Tx EAP-Request(Id), id 0, ver 1, len 5 (Fa0/17)
    00:18:28: dot1x-registry:registry:dot1x_ether_macaddr called
    00:18:28: dot1x-packet:Tx sa=000f.24e9.72d1, da=0180.c200.0003, et 888E (Fa0/17)
    00:18:28: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
    00:18:28: dot1x-packet:Rx EAP-Response(Id), id 0, ver 1, len 21 (Fa0/17)
    00:18:28: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
    00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:28:     dot1x_auth Fa0/17: during state auth_connecting, got event 7(rxRes
    pId)
    00:18:28: @@@ dot1x_auth Fa0/17: auth_connecting -> auth_authenticating
    00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_exit alled
    00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_authenticating_enter called
    00:18:28: dot1x-ev:sending AUTH_START to BEND for supp_info=80D7E584
    00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_authenticating_action c
    alled
    00:18:28: dot1x-ev:Received AuthStart from Authenticator for supp_info=80D7E584
    00:18:28:     dot1x_bend Fa0/17: during state dot1x_bend_idle, got event 1(auth_
    start)
    00:18:28: @@@ dot1x_bend Fa0/17: dot1x_bend_idle -> dot1x_bend_response
    00:18:28: dot1x-sm:Dot1x Response State Entered for supp_info=80D7E584 hwidb=807
    D353C, swidb=807D4898 on intf=Fa0/17
    00:18:28: dot1x-ev:Managed Timer in sub-block attached as leaf to master
    00:18:28: dot1x-sm:Started the ServerTimeout Timer
    00:18:28: dot1x-ev:Going to Send Request to AAA Client on RP for id = 0 and leng
    th = 21
    00:18:28: dot1x-ev:Got a Request from SP to send it to Radius with id 4294967283
    00:18:28: dot1x-ev:Couldn't Find a process thats already handling the request fo
    r this id 0
    00:18:28: dot1x-ev:Inserted AAA request for interface FastEthernet0/17, MAC 0024
    .1d10.d7c5, VLAN 0 on pending request queue
    00:18:28: dot1x-ev:Found a free slot at slot 0
    00:18:28: dot1x-ev:Found a free slot at slot 0
    00:18:28: dot1x-ev:Processing AAA request for interface FastEthernet0/17, MAC 00
    24.1d10.d7c5, VLAN 0 from pending request queue
    00:18:28: dot1x-ev:Request id = -13 and length = 21
    00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:28: dot1x-ev:The Interface on which we got this AAA Request is FastEtherne
    t0/17
    00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:28: dot1x-ev:Username is DUZEY\SAYTAMANER
    00:18:28: dot1x-ev:MAC Address is 0024.1d10.d7c5
    00:18:28: dot1x-ev:RemAddr is 00-24-1D-10-D7-C5/00-0F-24-E9-72-D1
    00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:30: %LINK-3-UPDOWN: Interface FastEthernet0/17, changed state to up
    00:18:46: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
    00:18:46: dot1x-packet:Rx EAPOL-Start, ver 1, len 0 (Fa0/17)
    00:18:46: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
    00:18:46: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:46: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:46: dot1x-ev:RECEIVED mac =0024.1d10.d7c5 and Stored MAC =0024.1d10.d7c5
    00:18:46:     dot1x_auth Fa0/17: during state auth_authenticating, got event 4(e
    apStart)
    00:18:46: @@@ dot1x_auth Fa0/17: auth_authenticating -> auth_aborting
    00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_aborting_enter called
    00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_authenticating_aborting_action cal
    led
    00:18:46: dot1x-ev:Received DOT1X_MSG_AUTH_ABORT: setting msg_id = 0
    00:18:46:     dot1x_bend Fa0/17: during state dot1x_bend_response, got event 5(i
    nitialize)
    00:18:46: @@@ dot1x_bend Fa0/17: dot1x_bend_response -> dot1x_bend_initialize
    00:18:46: dot1x-sm:Dot1x Initialize State Entered
    00:18:46:     dot1x_bend Fa0/17: idle during state dot1x_bend_initialize
    00:18:46: @@@ dot1x_bend Fa0/17: dot1x_bend_initialize -> dot1x_bend_idle
    00:18:46: dot1x-sm:Dot1x Idle State Entered
    00:18:46:     dot1x_auth Fa0/17: during state auth_aborting, got event 16(noauth
    Abort_noeapLogoff)
    00:18:46: @@@ dot1x_auth Fa0/17: auth_aborting -> auth_connecting
    00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_enter called
    00:18:46: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0
    024.1d10.d7c5
    00:18:46: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/17
    00:18:46: dot1x-packet:Tx EAP-Request(Id), id 1, ver 1, len 5 (Fa0/17)
    00:18:46: dot1x-registry:registry:dot1x_ether_macaddr called
    00:18:46: dot1x-packet:Tx sa=000f.24e9.72d1, da=0180.c200.0003, et 888E (Fa0/17)
    00:18:46: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
    00:18:46: dot1x-packet:Rx EAP-Response(Id), id 1, ver 1, len 21 (Fa0/17)
    00:18:46: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
    00:18:46: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:46: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:46: dot1x-ev:RECEIVED mac =0024.1d10.d7c5 and Stored MAC =0024.1d10.d7c5
    00:18:46:     dot1x_auth Fa0/17: during state auth_connecting, got event 7(rxRes
    pId)
    00:18:46: @@@ dot1x_auth Fa0/17: auth_connecting -> auth_authenticating
    00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_exit alled
    00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_authenticating_enter called
    00:18:46: dot1x-ev:sending AUTH_START to BEND for supp_info=80D7E584
    00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_authenticating_action c
    alled
    00:18:46: dot1x-ev:Received AuthStart from Authenticator for supp_info=80D7E584
    00:18:46:     dot1x_bend Fa0/17: during state dot1x_bend_idle, got event 1(auth_
    start)
    00:18:46: @@@ dot1x_bend Fa0/17: dot1x_bend_idle -> dot1x_bend_response
    00:18:46: dot1x-sm:Dot1x Response State Entered for supp_info=80D7E584 hwidb=807
    D353C, swidb=807D4898 on intf=Fa0/17
    00:18:46: dot1x-ev:Managed Timer in sub-block attached as leaf to master
    00:18:46: dot1x-sm:Started the ServerTimeout Timer
    00:18:46: dot1x-ev:Going to Send Request to AAA Client on RP for id = 1 and leng
    th = 21
    00:18:46: dot1x-ev:Got a Request from SP to send it to Radius with id 4294967284
    00:18:46: dot1x-ev:Found a process thats already handling therequest for this id
     1
    00:18:48: dot1x-err:Dot1x Authentication failed (AAA_AUTHEN_STATUS_ERROR)
    00:18:48: dot1x-ev:Received VLAN is No Vlan
    00:18:48: dot1x-ev:Enqueued the response to BackEnd
    00:18:48: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:48: dot1x-ev:Enter function dot1x_aaa_acct_end
    00:18:48: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:48: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:48: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:18:48: dot1x-ev:Received QUEUE EVENT in response to AAA Request
    00:18:58: dot1x-sm:Fa0/17:0000.0000.0000:dot1x_process_txWhen_expire called
    00:18:58:     dot1x_auth Fa0/17: during state auth_connecting, got event 19(txWh
    en_expire)
    00:18:58: @@@ dot1x_auth Fa0/17: auth_connecting -> auth_connecting
    00:18:58: dot1x-sm:Fa0/17:0000.0000.0000:auth_connecting_connecting_action calle
    d
    00:18:58: dot1x-ev:dot1x_post_message_to_auth_sm: Skipping tx for req_id for def
    ault supplicant
    00:19:07: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
    00:19:07: dot1x-packet:Rx EAPOL-Start, ver 1, len 0 (Fa0/17)
    00:19:07: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
    00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:19:07: dot1x-ev:RECEIVED mac =0024.1d10.d7c5 and Stored MAC =0024.1d10.d7c5
    00:19:07:     dot1x_auth Fa0/17: during state auth_authenticating, got event 4(e
    apStart)
    00:19:07: @@@ dot1x_auth Fa0/17: auth_authenticating -> auth_aborting
    00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_aborting_enter called
    00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_authenticating_aborting_action cal
    led
    00:19:07: dot1x-ev:Received DOT1X_MSG_AUTH_ABORT: setting msg_id = 0
    00:19:07:     dot1x_bend Fa0/17: during state dot1x_bend_response, got event 5(i
    nitialize)
    00:19:07: @@@ dot1x_bend Fa0/17: dot1x_bend_response -> dot1x_bend_initialize
    00:19:07: dot1x-sm:Dot1x Initialize State Entered
    00:19:07:     dot1x_bend Fa0/17: idle during state dot1x_bend_initialize
    00:19:07: @@@ dot1x_bend Fa0/17: dot1x_bend_initialize -> dot1x_bend_idle
    00:19:07: dot1x-sm:Dot1x Idle State Entered
    00:19:07:     dot1x_auth Fa0/17: during state auth_aborting, got event 16(noauth
    Abort_noeapLogoff)
    00:19:07: @@@ dot1x_auth Fa0/17: auth_aborting -> auth_connecting
    00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_enter called
    00:19:07: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0
    024.1d10.d7c5
    00:19:07: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/17
    00:19:07: dot1x-packet:Tx EAP-Request(Id), id 2, ver 1, len 5 (Fa0/17)
    00:19:07: dot1x-registry:registry:dot1x_ether_macaddr called
    00:19:07: dot1x-packet:Tx sa=000f.24e9.72d1, da=0180.c200.0003, et 888E (Fa0/17)
    00:19:07: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
    00:19:07: dot1x-packet:Rx EAP-Response(Id), id 2, ver 1, len 21 (Fa0/17)
    00:19:07: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
    00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:19:07: dot1x-ev:RECEIVED mac =0024.1d10.d7c5 and Stored MAC =0024.1d10.d7c5
    00:19:07:     dot1x_auth Fa0/17: during state auth_connecting, got event 7(rxRes
    pId)
    00:19:07: @@@ dot1x_auth Fa0/17: auth_connecting -> auth_authenticating
    00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_exit alled
    00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_authenticating_enter called
    00:19:07: dot1x-ev:sending AUTH_START to BEND for supp_info=80D7E584
    00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_authenticating_action c
    alled
    00:19:07: dot1x-ev:Received AuthStart from Authenticator for supp_info=80D7E584
    00:19:07:     dot1x_bend Fa0/17: during state dot1x_bend_idle, got event 1(auth_
    start)
    00:19:07: @@@ dot1x_bend Fa0/17: dot1x_bend_idle -> dot1x_bend_response
    00:19:07: dot1x-sm:Dot1x Response State Entered for supp_info=80D7E584 hwidb=807
    D353C, swidb=807D4898 on intf=Fa0/17
    00:19:07: dot1x-ev:Managed Timer in sub-block attached as leaf to master
    00:19:07: dot1x-sm:Started the ServerTimeout Timer
    00:19:07: dot1x-ev:Going to Send Request to AAA Client on RP for id = 2 and leng
    th = 21
    00:19:07: dot1x-ev:Got a Request from SP to send it to Radius with id 4294967285
    00:19:07: dot1x-ev:Couldn't Find a process thats already handling the request fo
    r this id 2
    00:19:07: dot1x-ev:Inserted AAA request for interface FastEthernet0/17, MAC 0024
    .1d10.d7c5, VLAN 0 on pending request queue
    00:19:07: dot1x-ev:Found a free slot at slot 0
    00:19:07: dot1x-ev:Found a free slot at slot 0
    00:19:07: dot1x-ev:Processing AAA request for interface FastEthernet0/17, MAC 00
    24.1d10.d7c5, VLAN 0 from pending request queue
    00:19:07: dot1x-ev:Request id = -11 and length = 21
    00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:19:07: dot1x-ev:The Interface on which we got this AAA Request is FastEtherne
    t0/17
    00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:19:07: dot1x-ev:Username is DUZEY\SAYTAMANER
    00:19:07: dot1x-ev:MAC Address is 0024.1d10.d7c5
    00:19:07: dot1x-ev:RemAddr is 00-24-1D-10-D7-C5/00-0F-24-E9-72-D1
    00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
    00:19:19: dot1x-registry:dot1x_port_linkchange invoked on interface FastEthernet
    0/17
    00:19:19: dot1x-ev:supp_info=80D7E584 txWhen_timer=80D7E5D4 quietWhile_timer=80D
    7E594reAuthWhen_timer=80D7E5B4 awhile_timer=80D7E5F4
    00:19:19: dot1x-ev:destroy supplicant block for 0024.1d10.d7c5
    00:19:19: dot1x-ev:supp_info=80D71C74 txWhen_timer=80D71CC4 quietWhile_timer=80D
    71C84reAuthWhen_timer=80D71CA4 awhile_timer=80D71CE4
    00:19:19: dot1x-ev:destroy supplicant block for 0000.0000.0000
    00:19:19: dot1x-ev:Enter function dot1x_aaa_acct_end
    00:19:19: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
    00:19:19: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
    00:19:19: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEt
    hernet0/17
    00:19:19: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface
    This is driving me crazy; I've been working on it for a whole week with no results.
    Thank you.

    Hi again,
    I have put the config on the 2960. Now, as soon as the authentication starts, this is the message in the debug:
    dot1x authentication unable to start - authenticator not enabled..
    Any ideas?
    regards,
    onur

  • Wired 802.1x re-authentication passes but no connectivity after 1 hour

    I am testing wired 802.1x with the desired behavior of machine auth with user auth. I have a 6509 CAT OS 8.3(5) using the dot1x global defaults, 2 laptops one is XP SP1 and XP SP2 both with AuthMode=1 and SupplicantMode=3 with windows update as of 02mar2005. Active Directory. ACS SE 3.2 using vlan assignment. Have tested PC and user in different vlans and it works fine.
    1st observation:
    The initial EAP authentication is good. Every hour there is an EAP request with a final result of success in the packet trace. The switch shows connected dot1x-123. The ACS log shows the passed re-authentication. Everything looks good, but both laptops lose connectivity 1 hour after the first authorization. If I issue "set port dot1x initialize" or enable/disable the port, the process starts over.
    2nd observation:
    I can connect with Remote Desktop. There are 2 EAP start frames then the port becomes unauthorized about a minute later.
    Any ideas?

    No. I am still waiting on Cisco to address the 1st observation. Does it occur on your 6506 8.4(2)? I see it also in my 6509 with 8.4(2). I find it interesting that it works in my end-of-life 2948g switch 8.2(1)GLX.
    The MS supplicant defaults for WIRED are authmode=1 and supplicantmode=2. Remote Desktop works in their default WIRED mode.
    At this point I am content controlling machine access until dot1x matures. Cisco ACS has a machine access restriction feature that authorizes the port after a successful User Auth. I have found that if it is enabled, a successful Machine Auth will be unauthorized when logged in with a local account. If it is disabled, the local account is authorized b/c only MA has occurred.

  • Dot1x with port security and redundant radius servers

    I have a strange issue with my dot1x port authentication. I have two radius servers configured in my switch for redundancy, and on my switchport I have a Cisco IP phone and a PC. Testing redundancy with the radius servers, when I have both servers active and running, the port authentication works fine for both phone and PC. When I fail the radius servers in the configuration by disconnecting the NIC on it, the switch goes to the surviving radius server and authenticates (I can see it in the running log); both the phone and PC get an access-accept, but only the phone works on the network and the port light stays amber, showing it's blocking for the PC. Strange, since it showed an accept on the radius server.
    This only seems to happen when the first one on the list is failed. When the second one is failed, it obviously won't need to try it, so there's not an issue. Any ideas?
    Here's the setup and configs:
    freeradius 2.1.12-4
    cisco 3560
    Switch Ports Model              SW Version            SW Image                
    *    1 52    WS-C3560G-48PS     12.2(53)SE2           C3560-IPBASEK9-M 
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    interface GigabitEthernet0/1
    switchport access vlan 100
    switchport mode access
    switchport voice vlan 110
    authentication event no-response action authorize vlan 901
    authentication host-mode multi-domain
    authentication port-control auto
    authentication periodic
    authentication violation protect
    mab
    dot1x pae authenticator
    dot1x timeout quiet-period 10
    dot1x timeout tx-period 1
    no mdix auto
    spanning-tree portfast
    radius-server host 10.90.1.88 auth-port 1645 acct-port 1646 key 7 xxx
    radius-server host 10.90.1.85 auth-port 1645 acct-port 1646 key 7 xxx
    Here's an authentication string from the radius server:
    (there are two MAC addresses.  The first one, 00.13, is the PC and the second, 30.37, is the phone)
    rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=204, length=160
    User-Name = "001372b639a6"
    User-Password = "001372b639a6"
    Service-Type = Call-Check
    Framed-MTU = 1500
    Called-Station-Id = "9C-AF-CA-23-D9-01"
    Calling-Station-Id = "00-13-72-B6-39-A6"
    Message-Authenticator = 0xfeef777a8033c24934306b3cce78c8f1
    NAS-Port-Type = Ethernet
    NAS-Port = 50001
    NAS-Port-Id = "GigabitEthernet0/1"
    NAS-IP-Address = 10.90.100.7
    Wed Sep 18 10:48:06 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
    Wed Sep 18 10:48:06 2013 : Info: +- entering group authorize {...}
    Wed Sep 18 10:48:06 2013 : Info: ++[preprocess] returns ok
    Wed Sep 18 10:48:06 2013 : Info: ++[chap] returns noop
    Wed Sep 18 10:48:06 2013 : Info: ++[mschap] returns noop
    Wed Sep 18 10:48:06 2013 : Info: ++[digest] returns noop
    Wed Sep 18 10:48:06 2013 : Info: [suffix] No '@' in User-Name = "001372b639a6", looking up realm NULL
    Wed Sep 18 10:48:06 2013 : Info: [suffix] No such realm "NULL"
    Wed Sep 18 10:48:06 2013 : Info: ++[suffix] returns noop
    Wed Sep 18 10:48:06 2013 : Info: [eap] No EAP-Message, not doing EAP
    Wed Sep 18 10:48:06 2013 : Info: ++[eap] returns noop
    Wed Sep 18 10:48:06 2013 : Info: [sql]           expand: %{User-Name} -> 001372b639a6
    Wed Sep 18 10:48:06 2013 : Info: [sql] sql_set_user escaped user --> '001372b639a6'
    Wed Sep 18 10:48:06 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 3
    Wed Sep 18 10:48:06 2013 : Info: [sql]           expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '001372b639a6'           ORDER BY id
    Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '001372b639a6'           ORDER BY id
    Wed Sep 18 10:48:06 2013 : Info: [sql] User found in radcheck table
    Wed Sep 18 10:48:06 2013 : Info: [sql]           expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '001372b639a6'           ORDER BY id
    Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '001372b639a6'           ORDER BY id
    Wed Sep 18 10:48:06 2013 : Info: [sql]           expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = '001372b639a6'           ORDER BY priority
    Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup           WHERE username = '001372b639a6'           ORDER BY priority
    Wed Sep 18 10:48:06 2013 : Debug: rlm_sql (sql): Released sql socket id: 3
    Wed Sep 18 10:48:06 2013 : Info: ++[sql] returns ok
    Wed Sep 18 10:48:06 2013 : Info: ++[expiration] returns noop
    Wed Sep 18 10:48:06 2013 : Info: ++[logintime] returns noop
    Wed Sep 18 10:48:06 2013 : Info: ++[pap] returns updated
    Wed Sep 18 10:48:06 2013 : Info: Found Auth-Type = PAP
    Wed Sep 18 10:48:06 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default
    Wed Sep 18 10:48:06 2013 : Info: +- entering group PAP {...}
    Wed Sep 18 10:48:06 2013 : Info: [pap] login attempt with password "001372b639a6"
    Wed Sep 18 10:48:06 2013 : Info: [pap] Using clear text password "001372b639a6"
    Wed Sep 18 10:48:06 2013 : Info: [pap] User authenticated successfully
    Wed Sep 18 10:48:06 2013 : Info: ++[pap] returns ok
    Wed Sep 18 10:48:06 2013 : Info: # Executing section post-auth from file /etc/raddb/sites-enabled/default
    Wed Sep 18 10:48:06 2013 : Info: +- entering group post-auth {...}
    Wed Sep 18 10:48:06 2013 : Info: ++[exec] returns noop
    Sending Access-Accept of id 204 to 10.90.100.7 port 1645
    Wed Sep 18 10:48:06 2013 : Info: Finished request 0.
    Wed Sep 18 10:48:06 2013 : Debug: Going to the next request
    Wed Sep 18 10:48:06 2013 : Debug: Waking up in 4.9 seconds.
    Wed Sep 18 10:48:11 2013 : Info: Cleaning up request 0 ID 204 with timestamp +77
    Wed Sep 18 10:48:11 2013 : Info: Ready to process requests.
    rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=205, length=160
    User-Name = "3037a616cd49"
    User-Password = "3037a616cd49"
    Service-Type = Call-Check
    Framed-MTU = 1500
    Called-Station-Id = "9C-AF-CA-23-D9-01"
    Calling-Station-Id = "30-37-A6-16-CD-49"
    Message-Authenticator = 0xc9173e759dd759b9d414d192783e8a8e
    NAS-Port-Type = Ethernet
    NAS-Port = 50001
    NAS-Port-Id = "GigabitEthernet0/1"
    NAS-IP-Address = 10.90.100.7
    Wed Sep 18 10:48:13 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
    Wed Sep 18 10:48:13 2013 : Info: +- entering group authorize {...}
    Wed Sep 18 10:48:13 2013 : Info: ++[preprocess] returns ok
    Wed Sep 18 10:48:13 2013 : Info: ++[chap] returns noop
    Wed Sep 18 10:48:13 2013 : Info: ++[mschap] returns noop
    Wed Sep 18 10:48:13 2013 : Info: ++[digest] returns noop
    Wed Sep 18 10:48:13 2013 : Info: [suffix] No '@' in User-Name = "3037a616cd49", looking up realm NULL
    Wed Sep 18 10:48:13 2013 : Info: [suffix] No such realm "NULL"
    Wed Sep 18 10:48:13 2013 : Info: ++[suffix] returns noop
    Wed Sep 18 10:48:13 2013 : Info: [eap] No EAP-Message, not doing EAP
    Wed Sep 18 10:48:13 2013 : Info: ++[eap] returns noop
    Wed Sep 18 10:48:13 2013 : Info: [sql]           expand: %{User-Name} -> 3037a616cd49
    Wed Sep 18 10:48:13 2013 : Info: [sql] sql_set_user escaped user --> '3037a616cd49'
    Wed Sep 18 10:48:13 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 2
    Wed Sep 18 10:48:13 2013 : Info: [sql]           expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '3037a616cd49'           ORDER BY id
    Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '3037a616cd49'           ORDER BY id
    Wed Sep 18 10:48:13 2013 : Info: [sql] User found in radcheck table
    Wed Sep 18 10:48:13 2013 : Info: [sql]           expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '3037a616cd49'           ORDER BY id
    Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '3037a616cd49'           ORDER BY id
    Wed Sep 18 10:48:13 2013 : Info: [sql]           expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = '3037a616cd49'           ORDER BY priority
    Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup           WHERE username = '3037a616cd49'           ORDER BY priority
    Wed Sep 18 10:48:13 2013 : Debug: rlm_sql (sql): Released sql socket id: 2
    Wed Sep 18 10:48:13 2013 : Info: ++[sql] returns ok
    Wed Sep 18 10:48:13 2013 : Info: ++[expiration] returns noop
    Wed Sep 18 10:48:13 2013 : Info: ++[logintime] returns noop
    Wed Sep 18 10:48:13 2013 : Info: ++[pap] returns updated
    Wed Sep 18 10:48:13 2013 : Info: Found Auth-Type = PAP
    Wed Sep 18 10:48:13 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default
    Wed Sep 18 10:48:13 2013 : Info: +- entering group PAP {...}
    Wed Sep 18 10:48:13 2013 : Info: [pap] login attempt with password "3037a616cd49"
    Wed Sep 18 10:48:13 2013 : Info: [pap] Using clear text password "3037a616cd49"
    Wed Sep 18 10:48:13 2013 : Info: [pap] User authenticated successfully
    Wed Sep 18 10:48:13 2013 : Info: ++[pap] returns ok
    Wed Sep 18 10:48:13 2013 : Info: # Executing section post-auth from file /etc/raddb/sites-enabled/default
    Wed Sep 18 10:48:13 2013 : Info: +- entering group post-auth {...}
    Wed Sep 18 10:48:13 2013 : Info: ++[exec] returns noop
    Sending Access-Accept of id 205 to 10.90.100.7 port 1645
    Cisco-AVPair = "device-traffic-class=voice"
    Wed Sep 18 10:48:13 2013 : Info: Finished request 1.
    Wed Sep 18 10:48:13 2013 : Debug: Going to the next request
    Wed Sep 18 10:48:13 2013 : Debug: Waking up in 4.9 seconds.
    Wed Sep 18 10:48:18 2013 : Info: Cleaning up request 1 ID 205 with timestamp +84
    Wed Sep 18 10:48:18 2013 : Info: Ready to process requests.
    Thanks!
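    The two exchanges above are MAB (MAC Authentication Bypass): the switch sends Service-Type Call-Check with the client MAC as both User-Name and User-Password, and FreeRADIUS in `-X` mode prints that password in clear text. The following is an added example, not code from the post or from the FreeRADIUS project: a small parser for that debug format which pairs each `rad_recv:` request with its `Sending Access-*` reply and reports, per exchange, whether it was MAB, whether the credential was nothing more than the MAC, and whether the reply carried the `device-traffic-class=voice` AVPair that the phone received and the PC did not. The sample log is constructed from the values shown in the post, trimmed to the lines the parser needs.

```python
"""Summarise MAB exchanges in a FreeRADIUS debug (radiusd -X) log.

Added example; assumes the `rad_recv:` / `Sending Access-*` / attribute-dump
layout shown in the post. Attribute lines follow those two headers until the
next timestamped log line.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RAD_RECV = re.compile(r"^rad_recv: (Access-\w+) packet from host (\S+) port \d+, id=(\d+)")
SENDING = re.compile(r"^Sending (Access-\w+) of id (\d+) to (\S+)")
ATTR = re.compile(r'^([A-Za-z0-9-]+) = "?(.*?)"?$')
# e.g. "Wed Sep 18 10:48:06 2013 : Info: ..." ends an attribute dump.
TIMESTAMP = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} : ")


@dataclass
class RadiusExchange:
    req_id: int
    nas: str
    request: Dict[str, str] = field(default_factory=dict)
    reply_code: Optional[str] = None
    reply: Dict[str, str] = field(default_factory=dict)

    def calling_mac(self) -> str:
        """Calling-Station-Id normalised to 12 lower-case hex digits."""
        return re.sub(r"[^0-9a-f]", "", self.request.get("Calling-Station-Id", "").lower())

    def is_mab(self) -> bool:
        """IOS MAB: Service-Type Call-Check and User-Name equal to the client MAC."""
        return (self.request.get("Service-Type") == "Call-Check"
                and self.request.get("User-Name", "").lower() == self.calling_mac())

    def mac_only_credential(self) -> bool:
        """True when the password is the MAC again, i.e. a credential any host
        that can see the MAC can present; scope MAB accepts with a dACL/VLAN."""
        return self.is_mab() and self.request.get("User-Password", "").lower() == self.calling_mac()


def parse_freeradius_log(text: str) -> List[RadiusExchange]:
    by_id: Dict[int, RadiusExchange] = {}
    order: List[RadiusExchange] = []
    ctx = None  # (exchange, "request" | "reply") while attribute lines are expected
    for raw in text.splitlines():
        line = raw.strip()
        m = RAD_RECV.match(line)
        if m:
            ex = RadiusExchange(req_id=int(m.group(3)), nas=m.group(2))
            by_id[ex.req_id] = ex
            order.append(ex)
            ctx = (ex, "request")
            continue
        m = SENDING.match(line)
        if m:
            ex = by_id.get(int(m.group(2)))
            if ex is not None:
                ex.reply_code = m.group(1)
            ctx = (ex, "reply") if ex is not None else None
            continue
        if not line or TIMESTAMP.match(line):
            ctx = None
            continue
        m = ATTR.match(line)
        if m and ctx is not None:
            ex, side = ctx
            (ex.request if side == "request" else ex.reply)[m.group(1)] = m.group(2)
    return order


def summarize(exchanges: List[RadiusExchange]) -> List[dict]:
    rows = []
    for ex in exchanges:
        rows.append({
            "id": ex.req_id,
            "mac": ex.calling_mac(),
            "port": ex.request.get("NAS-Port-Id"),
            "method": "MAB" if ex.is_mab() else ("EAP" if "EAP-Message" in ex.request else "other"),
            "result": ex.reply_code,
            "mac_only_credential": ex.mac_only_credential(),
            "voice": ex.reply.get("Cisco-AVPair") == "device-traffic-class=voice",
        })
    return rows


# Constructed sample, trimmed from the post's log (PC first, phone second).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=204, length=160
	User-Name = "001372b639a6"
	User-Password = "001372b639a6"
	Service-Type = Call-Check
	Called-Station-Id = "9C-AF-CA-23-D9-01"
	Calling-Station-Id = "00-13-72-B6-39-A6"
	NAS-Port-Id = "GigabitEthernet0/1"
	NAS-IP-Address = 10.90.100.7
Wed Sep 18 10:48:06 2013 : Info: [pap] User authenticated successfully
Sending Access-Accept of id 204 to 10.90.100.7 port 1645
Wed Sep 18 10:48:06 2013 : Info: Finished request 0.
rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=205, length=160
	User-Name = "3037a616cd49"
	User-Password = "3037a616cd49"
	Service-Type = Call-Check
	Calling-Station-Id = "30-37-A6-16-CD-49"
	NAS-Port-Id = "GigabitEthernet0/1"
Wed Sep 18 10:48:13 2013 : Info: [pap] User authenticated successfully
Sending Access-Accept of id 205 to 10.90.100.7 port 1645
	Cisco-AVPair = "device-traffic-class=voice"
Wed Sep 18 10:48:13 2013 : Info: Finished request 1.
"""

if __name__ == "__main__":
    for row in summarize(parse_freeradius_log(SAMPLE_LOG)):
        print(row)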

    802.1X support requires an authentication server that is configured for Remote Authentication Dial-In User Service (RADIUS). 802.1X authentication does not work unless the network access switch can route packets to the configured RADIUS server.
    Please check the below links which can be helpful in configurations:
    Link-1
    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/dot1x.html

  • ACS 5.3 Dot1x for Wired/Wireless

    Hi Community,
    I have a query regarding ACS 5.3 installation. I have wired and wireless clients in my setup, with Nexus 5k and 45k Switches and WLC-5508. Also we are using MicroSoft AD to authenticate clients for Network access.
    My questions are
    1. Can we configure dot1x in this scenario to use Password only (no certificates needed at all)? OR we must need certificates in order to config it perfectly (like AD and ACS synch issues etc)?
    2. If Yes can someone point out to any good docs that can help?
    Regards,
    Hammad

    Hi Jatin,
    Thanks for the tips earlier. However I installed ACS 5.4 and then configured the server from scratch.
    I am getting MAB as well as Dot1X authentication. But for two different users I am getting two different results for DOT1X. Wondering why is this happening? Is it an ACS/Switch config issue or is it related to AD?
    I am finding one user is getting perfectly authenticated while the Other is showing "Authorization failed" yet still able to access the NW.
    #$cation sessions interface tenGigabitEthernet 1/1/12
               Interface: TenGigabitEthernet1/1/12
             MAC Address: 28d2.4421.109c
               IP Address: 10.160.193.100
               User-Name: ABC\shuser
                   Status: Authz Success
                   Domain: DATA
         Security Policy: Should Secure
         Security Status: Unsecure
           Oper host mode: multi-auth
         Oper control dir: both
           Authorized By: Authentication Server
            Vlan Policy: N/A
                 ACS ACL: xACSACLx-IP-SSH-PERMIT-ALL-5270ce52
         Session timeout: N/A
             Idle timeout: N/A
       Common Session ID: 0AA000010000010548A006AC
         Acct Session ID: 0x000007A4
                   Handle: 0xA1000106
    Runnable methods list:
           Method   State
           dot1x   Authc Success
    CS01#
    CS01#
    CS01#$cation sessions interface tenGigabitEthernet 1/1/12
               Interface: TenGigabitEthernet1/1/12
             MAC Address: 28d2.4421.109c
               IP Address: 10.160.193.100
               User-Name: host/TESTPC01.sportshub.com.sg
                   Status: Authz Failed
                   Domain: DATA
         Security Policy: Should Secure
         Security Status: Unsecure
           Oper host mode: multi-auth
         Oper control dir: both
           Authorized By: Authentication Server
             Vlan Policy: N/A
         Session timeout: N/A
             Idle timeout: N/A
       Common Session ID: 0AA000010000010648A11C04
         Acct Session ID: 0x000007AD
                   Handle: 0x61000107
    Runnable methods list:
           Method   State
           dot1x   Authc Success
    ================================
    SWITCH PORT CONFIG:
    int ten1/1/9
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    authentication host-mode multi-auth
    authentication violation restrict
    dot1x timeout tx-period 10
    dot1x timeout quiet-period 20
    authentication timer reauthenticate server
    dot1x max-reauth-req 3
    Regards,
    Hammad
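    The two session dumps above differ only in the user identity and the final state: both show `dot1x  Authc Success`, yet one is `Authz Success` with a dACL and the other is `Authz Failed` with no policy. The following is an added example, not code from the post or from Cisco: a parser for `show authentication sessions interface ...` output that collects each session's key/value block and its "Runnable methods list", then flags the combinations a defender would want to reconcile against what the host can actually reach (authentication passed but authorization failed; MACsec "Should Secure" but "Unsecure"; an authorized session with neither a dACL nor a VLAN policy). The sample output is constructed from the two dumps in the post, prompt lines included.

```python
"""Parse `show authentication sessions interface ...` output and flag sessions.

Added example; assumes the key/value layout and the "Runnable methods list"
table shown in the post. The finding codes encode only what the dump itself
states; they do not query the switch.
"""
import re
from typing import Dict, List, Tuple

PROMPT = re.compile(r"^\S*#")  # "CS01#" and the scrolled "#$cation ..." command line
KV = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s+(.*?)\s*$")
METHOD = re.compile(r"^\s*(dot1x|mab|webauth)\s+(.+?)\s*$")


def parse_auth_sessions(text: str) -> List[dict]:
    sessions: List[dict] = []
    cur = None
    in_methods = False
    for line in text.splitlines():
        s = line.strip()
        if not s or PROMPT.match(s) or s.startswith("===="):
            continue
        if s.startswith("Runnable methods list"):
            in_methods = True
            continue
        if in_methods:
            m = METHOD.match(s)
            if m and cur is not None:
                cur["methods"][m.group(1)] = m.group(2)
                continue
            if s.startswith("Method"):  # column header
                continue
            in_methods = False          # back to key/value lines
        m = KV.match(s)
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        if key == "Interface":          # each dump starts with the Interface line
            cur = {"methods": {}}
            sessions.append(cur)
        if cur is not None:
            cur[key] = val
    return sessions


def audit_sessions(sessions: List[dict]) -> List[Tuple[str, str]]:
    """Return (MAC, finding-code) pairs for sessions worth a second look."""
    findings: List[Tuple[str, str]] = []
    for s in sessions:
        mac = str(s.get("MAC Address", "?"))
        methods: Dict[str, str] = s["methods"]
        passed = [m for m, st in methods.items() if st == "Authc Success"]
        if s.get("Status") == "Authz Failed" and passed:
            # Credentials were accepted but the authorization step failed:
            # check what this host can reach and why the policy did not apply.
            findings.append((mac, "authc-ok-authz-failed"))
        if s.get("Security Policy") == "Should Secure" and s.get("Security Status") == "Unsecure":
            findings.append((mac, "macsec-unsecure"))
        if (s.get("Status") == "Authz Success" and not s.get("ACS ACL")
                and s.get("Vlan Policy", "N/A") == "N/A"):
            findings.append((mac, "no-authz-policy"))
    return findings


# Constructed sample, trimmed from the two dumps in the post.
SAMPLE_OUTPUT = r"""
CS01#$cation sessions interface tenGigabitEthernet 1/1/12
            Interface: TenGigabitEthernet1/1/12
          MAC Address: 28d2.4421.109c
           IP Address: 10.160.193.100
            User-Name: ABC\shuser
               Status: Authz Success
      Security Policy: Should Secure
      Security Status: Unsecure
       Oper host mode: multi-auth
        Authorized By: Authentication Server
          Vlan Policy: N/A
              ACS ACL: xACSACLx-IP-SSH-PERMIT-ALL-5270ce52
    Common Session ID: 0AA000010000010548A006AC
Runnable methods list:
       Method   State
       dot1x   Authc Success
CS01#$cation sessions interface tenGigabitEthernet 1/1/12
            Interface: TenGigabitEthernet1/1/12
          MAC Address: 28d2.4421.109c
            User-Name: host/TESTPC01.sportshub.com.sg
               Status: Authz Failed
      Security Policy: Should Secure
      Security Status: Unsecure
        Authorized By: Authentication Server
          Vlan Policy: N/A
    Common Session ID: 0AA000010000010648A11C04
Runnable methods list:
       Method   State
       dot1x   Authc Success
================================
"""

if __name__ == "__main__":
    for mac, code in audit_sessions(parse_auth_sessions(SAMPLE_OUTPUT)):
        print(mac, code)
```

Feed it the output of the same command for every access port (or `show authentication sessions` in full) and the "authc-ok-authz-failed" code points at exactly the case in the post: the ACS accepted the machine identity, the switch recorded no dACL or VLAN for it, and the reason belongs in the ACS authorization policy rather than in the dot1x exchange itself.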

  • 3750-X Dot1x for wired switch ports with ISE 1.2 doing eap-tls

    Hi,
    I currently have an authentication and authorization policy in ISE to allow machines that authenticate successfully with machine certificates to have full access.  If they fail, then they are denied.  And this works correctly.  However, the customer does not want to deny them access if they fail, but instead he would like the machines that fail authentication to have access only to the Internet.  I'm looking for some suggestions on what would be the best way to do this from a policy standpoint.  Also, this would be for devices that are IT devices, or part of the organization, as well as for devices that aren't, for example for contractors or guests who may or may not have wired dot1x services enabled on the laptop that they will be plugging in.  Any help is appreciated.
    Thanks....

    Hello. I can think of two solutions to your requirement:
    #1 (Preferred): Configure CWA (Central Web Authentication) to be your last method of authentication/authorization. That way any devices that fail both dot1x and mab would be sent to the guest/web portal hosted by ISE. There users can log in with either their AD credentials and/or their guest credentials. That way you can actually provide better/more access to AD type users vs true guests
    #2 (Less preferred): You can use the following command to authorize users/devices that fail dot1x to a "Guest/Internet" VLAN. Keep in mind though that if you use that then there is no "next method" so you cannot utilize mab:
      (config-if)#authentication event fail action authorize vlan guest_vlan_id
    Thank you for rating helpful posts! 

  • Dot1x not working in conjunction with PortSecurity on Cisco 4500

    It's observed that phones are not coming up on the network when 802.1x is enabled on the port. After troubleshooting it's noted that port-security restricts phones from operating in either the Data or Voice VLANs. The problem gets resolved by disabling port-security on the port. Please confirm if it is a known limitation.
    Here are the details about the device model & IOS version of the switch.
    Model: Cisco 4506-E (Sup 6-E 10GE (X2), 1000BaseX (SFP) )
    Line Card:  WS-X4648-RJ45V-E
    IOS: cat4500e-entservicesk9-mz.122-54.SG1

    Using 802.1X with Port Security
    You can enable port security on an 802.1X port in either single- or multiple-host mode. (To do so, you must configure port security with the switchport port-security interface configuration command.) When you enable port security and 802.1X on a port, 802.1X authenticates the port, and port security manages the number of MAC addresses allowed on that port, including that of the client. Hence, you can use an 802.1X port with port security enabled to limit the number or group of clients that can access the network.
    For information on selecting multi-host mode, see the "Resetting the 802.1X Configuration to the Default Values" section.
    These examples describe the interaction between 802.1X and port security on a switch:
    • When a client is authenticated, and the port security table is not full, the client's MAC address is added to the port security list of secure hosts. The port then proceeds to come up normally.
    When a client is authenticated and manually configured for port security, it is guaranteed an entry in the secure host table (unless port security static aging has been enabled).
    A security violation occurs if an additional host is learned on the port. The action taken depends on which feature (802.1X or port security) detects the security violation:
    – If 802.1X detects the violation, the action is to err-disable the port.
    – If port security detects the violation, the action is to shutdown or restrict the port (the action is configurable).
    The following describes when port security and 802.1X security violations occur:
    – In single host mode, after the port is authorized, any MAC address received other than the client's causes a 802.1X security violation.
    – In single host mode, if installation of an 802.1X client's MAC address fails because port security has already reached its limit (due to a configured secure MAC addresses), a port security violation is triggered.
    – In multi host mode, once the port is authorized, any additional MAC addresses that cannot be installed because the port security has reached its limit triggers a port security violation.
    • When an 802.1X client logs off, the port transitions back to an unauthenticated state, and all dynamic entries in the secure host table are cleared, including the entry for the client. Normal authentication then ensues.
    • If you administratively shut down the port, the port becomes unauthenticated, and all dynamic entries are removed from the secure host table.
    • Only 802.1X can remove the client's MAC address from the port security table. Note that in multi host mode, with the exception of the client's MAC address, all MAC addresses that are learned by port security can be deleted using port security CLIs.
    • Whenever port security ages out a 802.1X client's MAC address, 802.1X attempts to reauthenticate the client. Only if the reauthentication succeeds is the client's MAC address retained in the port security table.
    • All of the 802.1X client's MAC addresses are tagged with (dot1x) when you display the port security table by using CLI.
    Refer::
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/50sg/configuration/guide/Wrapper-46SG/dot1x.html#wp1151392

  • Two computers connected in the same port dot1x in 3750 in different time.

    I have the following consultation.
    I have a "computer A" connected to a port of switch 3750, configured with: dot1x port-control auto
    dot1x timeout quiet-period 5
    The "computer A" is authorized.
    When I disconnect "computer A" and connect "computer B", it is not connected, but when I connect "computer A" again it is connected.
    How long should I expect to wait before being able to connect "computer B" to the same port of the 3750?

    When the switch cannot authenticate the client, the switch remains idle for a set period of time and then tries again. The dot1x timeout quiet-period interface configuration command controls the idle period. A failed authentication of the client might occur because the client provided an invalid password. You can provide a faster response time to the user by entering a number smaller than the default.
    The value after the quiet-period is in seconds, so in your case, the switch will wait five seconds before it re-tries for another authentication for the new device connected.
    Please rate helpful posts.

  • LMS 4.2.2 DOT1X Report

    Hi, I need an LMS report to know if the dot1x service is enabled on the switches in my LAN.
    Thanks a lot.
    Emiliano

    Thank you for your answer, but I don't need a report of the PC users who authenticate with dot1x, only whether the service is enabled. Example:
    a report that shows dot1x: enabled or disabled
    Thanks
    Emiliano

  • VSS Catalyst 4500X-16 SFP+ / crashing on cat4500e-universalk9.SPA.03.05.03.E.152-1.E3.bin / radius / dot1x

    Hi guys,
    I am not sure if I am hitting IOS bug CSCtx61557
    according to the bug tool this is the info:
    crash after authc result 'success' from 'dot1x' for client (Unknown MAC)
    CSCtx61557
    Description
    Symptoms: The switch crashes after logging "success" from "dot1x" for client
    (Unknown MAC).
    Conditions: The symptom is observed with the following conditions:
    1. A switchport is configured with both of the following:
    authentication event server dead action authorize...
    authentication event server alive action reinitialize
    2. The radius server was down previously, and a port without traffic (for
    example: a hub with no devices attached) was authorized into the inaccessible
    authentication bypass (IAB) VLAN without an associated MAC address.
    3. The radius server becomes available again, and a dot1x client
    attempts to authenticate.
    Workaround: There is no workaround.
    I am running the following IOS on my 4500X-16 SFP+:
    cat4500e-universalk9.SPA.03.05.03.E.152-1.E3.bin
    This is what I configured, and what happened:
    HOSTNAME(config)#aaa group server radius rad_eap
    HOSTNAME(config-sg-radius)# server name ACS1
    HOSTNAME(config-sg-radius)# server name ACS2
    HOSTNAME(config-sg-radius)# server name ACS3
    HOSTNAME(config-sg-radius)#$ication login default group radius local
    HOSTNAME(config)#aaa authentication login CONSOLE local
    HOSTNAME(config)#aaa authentication enable default group radius enable
    HOSTNAME(config)#aaa authentication ppp default local group radius
    HOSTNAME(config)#aaa authentication dot1x default group radius
    HOSTNAME(config)#aaa authorization exec default if-authenticated
    HOSTNAME(config)#aaa authorization network default group radius
    HOSTNAME(config)#aaa accounting update newinfo
    HOSTNAME(config)#aaa accounting dot1x default start-stop group radius
    HOSTNAME(config)#aaa accounting network default start-stop group
    eption to IOS Thread:
    Frame pointer 897BAE38, PC = 1C03EECC
    IOSD-EXT-SIGNAL: Aborted(6), Process = Exec
    -Traceback= 1#49176b00b95a50f3145e3825de17d470  c:1C008000+36ECC c:1C008000+3BE50 c:1C008000+3BF48 :1F679000+201A18C :1F679000+31CEE2C :1F679000+2C22958 :1F679000+2C293E4 :1F679000+1166260 :1F679000+2C3C20C
    Fastpath Thread backtrace:
    -Traceback= 1#49176b00b95a50f3145e3825de17d470  uld:1F224000+2DE8 uld:1F224000+2DE4 iosd_unix:1C3ED000+186A0 pthread:1AA69000+6450
    Auxiliary Thread backtrace:
    -Traceback= 1#49176b00b95a50f3145e3825de17d470  pthread:1AA69000+BB8C pthread:1AA69000+BB6C c:1C008000+F61E4 iosd_unix:1C3ED000+21270 pthread:1AA69000+6450
    Buffered messages: (last 8192 bytes only)
    6 left the port-channel Port radius
    HOSTNAME(config)#aaa accounting system default start-stop group radius
    HOSTNAME(config)#
    HOSTNAME(config)#
    HOSTNAME(config)#no authentication logging verbose
    HOSTNAME(config)#
    HOSTNAME(config)#
    HOSTNAME(config)#login block-for 300 attempts 5 within 60
    -channel1
    *Aug 28 01:08:47.873 UTC: %C4K_IOSINTF-5-LMPHWSESSIONSTATE: Lmp HW session DOWN on slot 11 port 12.
    *Aug 28 01:08:48.056 UTC: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 172.16.5.98 port 514 started - CLI initiated
    *Aug 28 01:08:48.571 UTC: %FASTHELLO-2-FH_DOWN:  Fast-Hello interface Te2/1/12 lost dual-active detection capability
    *Aug 28 01:08:49.099 UTC: %PIM-5-DRCHG: DR change from neighbor 0.0.0.0 to 172.16.250.61 on interface Vlan250
    *Aug 28 01:15:08.753 UTC: %C4K_IOSINTF-5-LMPHWSESSIONSTATE: Lmp HW session UP on slot 11 port 1.
    *Aug 28 01:15:24.759 UTC: %VSLP-5-VSL_UP:  Ready for control traffic
    *Aug 28 01:15:27.760 UTC: %VSLP-5-RRP_ROLE_RESOLVED: Role resolved as ACTIVE  by VSLP
    *Aug 28 01:15:27.760 UTC: %EC-5-BUNDLE: Interface TenGigabitEthernet2/1/1 joined port-channel Port-channel2
    *Aug 28 01:15:28.049 UTC: %C4K_REDUNDANCY-6-DUPLEX_M
    <Thu Aug 28 01:18:32 2014> Message from sysmgr: Reason Code:[2] Reset Reason:Service [iosd] pid:[6813] terminated abnormally [6].
    Details:
    Service: IOSd service
    Description: IOS daemon
    Executable: /tmp/sw/mount/cat4500e-universalk9.SPA.152-1.E.pkg//usr/binos/bin/iosd
    Started at Wed Aug 27 22:27:48 2014 (647795 us)
    Stopped at Thu Aug 28 01:18:32 2014 (115506 us)
    Uptime: 2 hours 50 minutes 44 seconds
    Start type: SRV_OPTION_RESTART_STATELESS (23)
    Death reason: SYSMGR_DEATH_REASON_FAILURE_SIGNAL (2)
    Last heartbeat 0.00 secs ago
    PID: 6813
    Exit code: signal 6 (no core)
    CWD: /var/sysmgr/work
    PID: 6813
    UUID: 512
    FAILURE: syslogd shutdown
    I had an ICMP ping going, and it was not affected, as the Standby VSS chassis kicked in and took over, while the previous active chassis reloaded.
    2nd time it happened:
    Now this time, I had waited until the previous active chassis was back up and running and came back up as Standby hot.
    Once again I pasted the same config, and bang, it happened a second time on the second chassis which was now acting as Active supervisor.
    And once again, the continuous ICMP ping was not interrupted, as the other chassis remained up, while the "new" active crashed after configuring the same configs in a slightly different order.
    HOSTNAME(config)#radius server ACS2
    HOSTNAME(config-radius-server)#$5.22 auth-port 1812 acct-port 1813
    HOSTNAME(config-radius-server)# timeout 1
    HOSTNAME(config-radius-server)# key 0 XXXX
    HOSTNAME(config-radius-server)#!
    HOSTNAME(config-radius-server)#radius server ACS3
    HOSTNAME(config-radius-server)#$xxxx auth-port 1812 acct-port 1813
    HOSTNAME(config-radius-server)# timeout 1
    HOSTNAME(config-radius-server)# key 0 xxxxxxx
    HOSTNAME(config-radius-server)#
    HOSTNAME(config-radius-server)#aaa group server radius rad_eap
    HOSTNAME(config-sg-radius)# server name XXXX
    HOSTNAME(config-sg-radius)# server name XXXX
    HOSTNAME(config-sg-radius)# server name XXXX
    HOSTNAME(config-sg-radius)#
    HOSTNAME(config-sg-radius)#
    PER-3-S
    Exception to IOS Thread:
    Frame pointer 89455E38, PC = 1CC27ECC
    IOSD-EXT-SIGNAL: Aborted(6), Process = Exec
    -Traceback= 1#e495ba4f9346cc1496eecd01ebf1814a  c:1CBF1000+36ECC c:1CBF1000+3BE50 c:1CBF1000+3BF48 :20276000+201B18C :20276000+31D0DA8 :20276000+2C24800 :20276000+2C2B28C :20276000+11671B0 :20276000+2C3E0B4
    Fastpath Thread backtrace:
    -Traceback= 1#e495ba4f9346cc1496eecd01ebf1814a  iosd_unix:1CFD6000+1C230 iosd_unix:1CFD6000+1C284 iosd_unix:1CFD6000+18854 pthread:1B653000+6450
    Auxiliary Thread backtrace:
    -Traceback= 1#e495ba4f9346cc1496eecd01ebf1814a  pthread:1B653000+BB8C pthread:1B653000+BB6C c:1CBF1000+F61E4 iosd_unix:1CFD6000+21270 pthread:1B653000+6450
    Buffered messages: (last 8192 bytes only)
    INTF-5-TRANSCEIVERINSERTED: Slot=11 Port=3: Transceiver hasW-9(config-sg-radius)#
    HOSTNAME(config-sg-radius)#no authentication logging verbose
    HOSTNAME(config)#
    HOSTNAME(config)#
    HOSTNAME(config)#login block-for 300 attempts 5 within 60
     been inserted
    *Aug 28 01:26:03.864 UTC: %C4K_IOSINTF-5-TRANSCEIVERINSERTED: Slot=11 Port=4: Transceiver has been inserted
    *Aug 28 01:26:03.864 UTC: %C4K_IOSINTF-5-TRANSCEIVERINSERTED: Slot=11 Port=5: Transceiver has been inserted
    *Aug 28 01:26:03.864 UTC: %C4K_IO
    <Thu Aug 28 01:28:10 2014> Message from sysmgr: Reason Code:[2] Reset Reason:Service [iosd] pid:[6770] terminated abnormally [6].
    Details:
    Service: IOSd service
    Description: IOS daemon
    Executable: /tmp/sw/mount/cat4500e-universalk9.SPA.152-1.E3.pkg//usr/binos/bin/iosd
    Started at Thu Aug 28 01:13:52 2014 (60006 us)
    Stopped at Thu Aug 28 01:28:10 2014 (993041 us)
    Uptime: 14 minutes 18 seconds
    Start type: SRV_OPTION_RESTART_STATELESS (23)
    Death reason: SYSMGR_DEATH_REASON_FAILURE_SIGNAL (2)
    Last heartbeat 0.00 secs ago
    PID: 6770
    Exit code: signal 6 (no core)
    CWD: /var/sysmgr/work
    are these the symptoms related to  CSCtx61557 ?
    I have tested this in a test environment, where no ACS was reachable!
    Thanks
    Colin

    Another update,
    It seems not only the 4500X platform is affected, it's also the 4510R+E's:
    WS-C4510R+E
    WS-X45-SUP8-E
    IOS-XE (cat4500es8-UNIVERSALK9-M), Version 03.03.01.XO
    4510R+E#sh redundancy /| i    | i state
            Current Software state = ACTIVE
           Uptime in current state = 2 hours, 39 minutes
            Current Software state = STANDBY HOT
           Uptime in current state = 6 minutes
    4510R+E(config)#login block-for 300 attempts 3 within 60
    Exception to IOS Thread:
    Frame pointer 8D104E28, PC = C9C0FF4
    IOSD-EXT-SIGNAL: Aborted(6), Process = Exec
    -Traceback= 1#9492282023e5ef761bd83af205155966  c:C98A000+36FF4 c:C98A000+3C2B0 c:C98A000+3C3A8 :10000000+201B994 :10000000+31CA4E4 :10000000+2C1DC54 :10000000+2C246E0 :10000000+116A3F0 :10000000+2C37508
    Fastpath Thread backtrace:
    -Traceback= 1#9492282023e5ef761bd83af205155966  c:C98A000+E29C0 c:C98A000+E29A0 iosd_unix:CD74000+1877C pthread:B3FE000+647C
    Auxiliary Thread backtrace:
    -Traceback= 1#9492282023e5ef761bd83af205155966  pthread:B3FE000+BBB4 pthread:B3FE000+BB94 c:C98A000+FA4E8 iosd_unix:CD74000+21270 pthread:B3FE000+647C
    Buffered messages: (last 8192 bytes only)
    At least one can now directly "redundancy failover" from config mode.....      :)

  • Dot1x, .1X and Cisco IP Phones

    Hi,
    We are busy performing dot1x tests on IP Phones. We chose the LSC approach and have generated CAPF CSRs which we have signed by our PKI infrastructure.
    Once all certificates and trust have been uploaded and when we update the CUCM CTL with the Cisco CTL client tool, we received the following error message
    “Could not get CAPF certificate(s).CAPF seems to be running on the CUCM Publisher but the certificate file(s) do not exist in the Certifiicate trust path on Server”
    We searched NetPro for an explanation on this and found that article:
    https://supportforums.cisco.com/thread/2067102
    In our setup, one issuing CA in the certification path has a key of 4096 bits. This is imposed by our Security Policy and can't be worked around from a security policy point of view.
    We then had the CAPF CSR regenerated and signed by a test CA with a key of only 2048 bits, and tested Dot1x authentication. This worked just fine and the test IP Phones can now authenticate.
    My question is, is that a known limitation of Cisco CallManager, which is unable to handle certificates signed by a PKI in which one of the CAs has a key of more than 2048 bits? Or is this a bug related to our 8.6.2.23900-10 CUCM version?
    Is there a way to bypass that limitation, or a precise version of CallManager correcting it?
    Thanks,
    Antoine

    You can configure the MSFT supplicant to send an EAPOL-Logoff:
    Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode -- REG_DWORD
    0: Machine authentication mode in Windows XP Client RTM. When a user logs in, if the connection has already been authenticated with Machine credentials, the user’s credentials are not used for authentication.
    1: Machine authentication with re-authentication functionality. Whenever a user logs in, 802.1X authentication is performed using the user's credentials.
    2: Machine authentication only – Whenever a user logs in, it has no effect on the connection. 802.1X authentication is performed using machine credentials only.
    In the wired-Ethernet case you should set (SupplicantMode = 3) AND (AuthMode = 0) AND (disable Machine-Authentication OR ensure that there are no machine credentials on the client). This will ensure that when a user logs off, an EAPOL-Logoff will be sent out. So, AFAIK, this is the bad news: you lose machine auth.
    Actually, stay tuned for the ability for our IP Phones to be able to do this on behalf of a PC very soon. What will happen is that when an IP Phone senses EAPOL through it, it will know who the supplicant is and what port they're on (the phone's PC port). Assuming the 2 conditions above, if the link to the phone's PC port goes down, the IP Phone will transmit an EAPOL-Logoff to the switch immediately (on the PC's behalf).
    Hope this helps.

  • ISE - dot1x EAP TLS for Cisco IP Phones

    Hi Gents,
    I have a question about the CA configs for ISE or ACS.
    As I understand it, the LSC certificate is issued by the CUCM through its Certificate Authority Proxy Function. If an IP Phone needs to be authenticated by its LSC (Locally Significant Certificate), which of the following CAs do we need to trust:
    1. Cisco CA Certificate
    2. CUCM Locally signed Certificate or CUCM Identity Certificate
    And if these certificates are imported into ISE/ACS, will the ISE/ACS be able to authenticate the IP Phone if dot1x EAP-TLS authentication is enabled for IP Phones?
    Is there any other configs needed?
    I would highly appreciate it if someone could clarify this process for me.
    Regards,

    I got the answer for the first part of the EAP-TLS authentication: phone authentication.
    In an IEEE 802.1X authentication, the AAA server is responsible for validating the certificate provided by the phone. To do this, the AAA server must have a copy of the root CA certificate that signed the phone's certificate. The root certificates for both LSCs and MICs can be exported from the CUCM Operating System Administration interface and imported into your AAA server.
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html#wp9000412
    As this is EAP-TLS, the server (ISE/ACS) is also required to authenticate itself to the phone.
    What is needed for this?

  • ISE; machine based dot1x authentication not working

    Hi there,
    I'm currently trying out dot1x authentication with MDA. The phone is currently authenticated via MAB. I succeeded to do the same with a Win7 workstation, but now I have a problem with true dot1x auth. Whenever the client tries to authenticate to the ISE it is using the notorious "host/" prefix. I read in the ACS 5.2 user guide that there is an option to crop it. I tried to find the same feature in the ISE, but it seems there is none.
    I have the authentication policy configured to use a certificate authentication profile as identity source when the method is dot1x without any additional conditions.
    In this profile I tried several options, including the common name, subject, subject alternative name. Nothing helped.
    Does anybody have a tip on how to solve this?
    Thanks in advance

    If I understood correctly I don't need to create an external identity source when using the Certificate Authentication Profile feature.
    This is what I got from the documentation:
    "Certificate authentication profiles are used in authentication policies for certificate-based authentications in place of identity sources to verify the authenticity of the user."
    I intend to use machine based authentication without contacting an external identity source.
    I also ensured the root CA certificate is selected to be used for EAP-TLS authentication.
    This brings me to another question.
    If the CA issuing machine or user certificates is itself an intermediate CA, do I have to install a chained certificate (intermediate CA + root CA) in the ISE, or both CA certificates separately?
    Thanks in advance
    Regards,
    Patrick
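    Two questions in the posts above come down to the same chain-building rule: which CA the AAA server must hold to validate a phone's LSC (the CUCM thread), and whether an intermediate CA has to be present next to the root (Patrick's question). The script below is an added example, not code from these posts or from Cisco; it only needs the openssl CLI. It builds a throwaway root -> issuing CA -> leaf PKI and runs the checks both sides of an EAP-TLS exchange perform: the validator rejects the phone certificate when it holds only the root, accepts it once the issuing CA is supplied (either as an untrusted intermediate or bundled with the root), rejects a phone issued by an unrelated CA, and, from the phone's side, accepts the server certificate only when its extended key usage says serverAuth. The CA names, the phone subject SEP001122334455 and the server name ise.corp.example are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the threads above. Assumes the openssl CLI.
# Builds a toy three-tier PKI (root -> issuing CA -> leaf), then shows which
# certificates a validator (the AAA server for the phone's LSC, the phone for
# the server's certificate) must hold for EAP-TLS chain validation to succeed.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles: CA certs carry CA:TRUE + keyCertSign; leaves do not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > phone.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > server.ext

# issue <name> <cn> <extfile> <issuer>   (issuer "self" = self-signed root)
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  if [ "$4" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 \
      -extfile "$3" -out "$1.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -days 30 -extfile "$3" -out "$1.pem" >/dev/null 2>&1
  fi
}

issue root     "Corp Root CA"     ca.ext     self
issue issuing  "Corp Issuing CA"  ca.ext     root
issue phone    "SEP001122334455"  phone.ext  issuing   # stands in for a phone LSC (made-up subject)
issue ise      "ise.corp.example" server.ext issuing   # EAP server identity cert (made-up name)
issue rogue    "Rogue Root CA"    ca.ext     self
issue badphone "SEP000000000000"  phone.ext  rogue     # LSC from a CA the validator does not trust

cat issuing.pem root.pem > chain.pem   # "chained" trust bundle: intermediate + root

# verify_leaf <trust-bundle> <leaf> [untrusted-intermediate]
# Prints OK or FAIL instead of exiting so callers can compare under set -e.
verify_leaf() {
  ca=$1; leaf=$2; inter=${3:-}
  if [ -n "$inter" ]; then set -- -untrusted "$inter"; else set --; fi
  if openssl verify -CAfile "$ca" "$@" "$leaf" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# verify_purpose <sslclient|sslserver> <leaf>   (EKU check with the full chain trusted)
verify_purpose() {
  if openssl verify -CAfile chain.pem -purpose "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

echo "AAA holds root only, no intermediate:     $(verify_leaf root.pem phone.pem)"             # FAIL
echo "AAA holds root, intermediate supplied:    $(verify_leaf root.pem phone.pem issuing.pem)" # OK
echo "AAA holds intermediate + root bundle:     $(verify_leaf chain.pem phone.pem)"            # OK
echo "phone LSC from an untrusted CA:           $(verify_leaf chain.pem badphone.pem)"         # FAIL
echo "phone checks ISE cert as EAP server:      $(verify_purpose sslserver ise.pem)"           # OK
echo "phone cert presented as the server:       $(verify_purpose sslserver phone.pem)"         # FAIL
```

    Run it with sh; it prints one OK/FAIL line per check. The first line is Patrick's case: with only the root in the trust store and no intermediate anywhere, path building stops at the phone certificate's issuer. Whether ISE wants the issuing CA imported as its own entry or accepts a bundled file is a product detail these posts do not settle; either way the validator has to end up with every CA between the leaf and the root, and the phone needs the same for the chain behind the server certificate.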

  • Dot1x authentication - Switch 3650 / Polycom phone 430

    Hi,
    I have a 3650 switch with the IP Base image, IOS 12.2(25)SEE3, a Polycom SoundPoint IP 430 SIP phone, a RADIUS server (IAS on Windows 2003) and a Windows XP PC.
    I enabled the Windows XP PC for wired authentication (started the Wired AutoConfig service, added the AuthMode and SupplicantMode registry entries, chose "Enable IEEE 802.1x authentication" with PEAP, then Secured password EAP-MSCHAP-v2).
    I configured the RADIUS server for Ethernet authentication and domain users. In the profile I chose EAP, MSCHAP v2.
    The port configuration of the switch is as following:
    Switch#sh run int fa0/1
    Building configuration...
    Current configuration : 590 bytes
    interface FastEthernet0/1
    switchport access vlan 121
    switchport mode access
    switchport voice vlan 155
    switchport priority extend trust
    service-policy input QoS-Policy-LAN
    speed 100
    duplex full
    spanning-tree portfast
    end
    I configured the switch as the following:
    switch(config)#dot1x system-auth-control
    Under the interface configuration mode:
    switch(config-if)#dot1x port-control auto
    switch(config-if)#dot1x pae authenticator
    switch(config-if)#dot1x host-mode multi-host
    I plugged the PC directly into the switch port and got the prompt that additional credentials are required for the PC to connect to the network, so I entered my Windows username and password and was successfully authenticated.
    Then I plugged the PC into the phone (Polycom 430) and the phone into the switch port. The network card appears as attempting to authenticate, but it doesn't prompt, and I am not able to access the network, nor am I able to use the phone. The problem is that the authentication packets sent from the PC do not reach the switch: in debug dot1x on the switch, comparing the case where the PC is connected alone with the case where PC and phone are connected, the client ID trying to authenticate is different in each case. I will put the debug for both below, when it connects and when it was unable to connect.
    I tried dot1x host-mode single-host
    I did many changes , one time with single-host and then with multi-host: ( each time , I tried to disable/enable Network card of the PC, and make a phone call in order generate traffic)
    First added dot1x mac-auth-bypass  - disconnected and reconnected -- didn't work(neither phone , nor PC)
    Second in addition to First , i added dot1x control-direction in   --- didn't work (neither phone , nor PC).
    Then I removed both these settings and I set:
    dot1x guest-vlan 155 where 155 is the voice vlan
    dot1x auth-fail vlan 155
    Nothing was working
    Then I added these 2 records, in addition to the dot1x mac-auth-bypass, nothing was working.
    In the attachment, I marked in blue where I saw the ClientID. After the state-machine record that shows the client ID, I saw that the debug output changed.
    CDP is enabled on both the phone and the switch, and when I use show cdp , i see the phone connected to the port.
    Thanks
    Sayed

    One test I ran was setting the duplex to half on all switches/phone/PC.
    I brought a small switch, connected it to the Cisco 3650 port with the configuration above,
    and I did two more tests:
    test1,     
         dot1x port-control auto
         dot1x pae authenticator
         dot1x host-mode multi-host
    The PC authenticated successfully and I was able to access the network as well as make phone calls.
    Test2.
         dot1x port-control auto
         dot1x pae authenticator
         dot1x host-mode single-host
    The PC was able to authenticate and access the network, but the phone was not.
    The problem, I think, is that the phone also wants to try to authenticate and doesn't let the PC's authentication pass.
    I hope somebody can help me, regarding this problem
    Thanks
