Wired 802.1x 3550, MS IAS and AD

Similar Messages

• Configuring wired 802.1x with Cisco 2950 and NPS 2012 problem

  Hi,
  I am trying to setup wired authentication on my corporate network. For testing purposes, I have setup a Cisco 2950 switch for RADIUS authentication.
  On the first day of the test, access messages were appearing on the event log of the 2012 Server and  we were trying to address the issues with EAP and policy.(Network Policy and Access services)
  Then, suddenly no events are written to the event log for the wired authentication. Accounting data is written to the log file at c:\windows\system32\logfiles, but nothing happens on the event log as if the NPS is not answering. We are using the same server for wireless 802.1x and all is working fine.
  Checking the wired autoconfig log on the client, Restart Reason : Onex Auth Timeout appears.
  Logging seems to be configured properly, there are no entries in event log. Below is the debug information from the 2950 switch;
  KAT2-BATISW1#
  00:18:28: dot1x-registry:dot1x_port_linkchange invoked on interface FastEthernet
  0/17
  00:18:28: dot1x-registry:dot1x_port_linkcomingup invoked on interface FastEthern
  et0/17
  00:18:28: dot1x-ev:dot1x_port_enable: set dot1x ask handler on interface FastEth
  ernet0/17
  00:18:28: dot1x-ev:dot1x_update_port_direction: Updating oper direction for Fa0/
  17 (admin=Both, current oper=Both)
  00:18:28: dot1x-ev:dot1x_update_port_direction: New oper direction for Fa0/17 is
   Both
  00:18:28:     dot1x_auth Fa0/17: initial state auth_initialize has enter
  00:18:28: dot1x-sm:Fa0/17:0000.0000.0000:auth_initialize_enter called
  00:18:28: dot1x-ev:auth_initialize_enter:0000.0000.0000: Current ID=0
  00:18:28:     dot1x_auth Fa0/17: during state auth_initialize, got event 0(cfg_a
  uto)
  00:18:28: @@@ dot1x_auth Fa0/17: auth_initialize -> auth_disconnected
  00:18:28: dot1x-sm:Fa0/17:0000.0000.0000:auth_disconnected_enter_action called
  00:18:28: dot1x-sm:
  dot1x_update_port_status called with port_status = DOT1X_PORT_STATUS_UNAUTHORIZE
  D
  00:18:28: dot1x-ev:dot1x_update_port_direction: Updating oper direction for Fa0/
  17 (admin=Both, current oper=Both)
  00:18:28: dot1x-ev:dot1x_update_port_direction: New oper direction for Fa0/17 is
   Both
  00:18:28: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEt
  hernet0/17
  00:18:28: dot1x-ev:dot1x_update_port_status: Called with host_mode=0 state UNAUT
  HORIZED
  00:18:28: dot1x-ev:dot1x_update_port_status: using mac 0000.0000.0000 to send po
  rt to unauthorized on vlan 0
  00:18:28: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
  00:18:28: dot1x-ev:dot1x_port_unauthorized: Host-mode=0 radius/guest vlan=0 on F
  astEthernet0/17
  00:18:28: dot1x-ev:    GuestVlan configured=0
  00:18:28: dot1x-ev:supplicant 0000.0000.0000 is default
  00:18:28: dot1x-ev:supplicant 0000.0000.0000 is last
  00:18:28: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
  00:18:28: dot1x-ev:0000.0000.0000 is now unauthorized on port FastEthernet0/17
  00:18:28: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEt
  hernet0/17
  00:18:28: dot1x-ev:Enter function dot1x_aaa_acct_end
  00:18:28: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
  00:18:28: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
  00:18:28:     dot1x_auth Fa0/17: idle during state auth_disconnected
  00:18:28: @@@ dot1x_auth Fa0/17: auth_disconnected -> auth_connecting
  00:18:28: dot1x-sm:Fa0/17:0000.0000.0000:auth_connecting_enter called
  00:18:28:     dot1x_bend Fa0/17: initial state dot1x_bend_initialize has enter
  00:18:28: dot1x-sm:Dot1x Initialize State Entered
  00:18:28:     dot1x_bend Fa0/17: initial state dot1x_bend_initialize has idle
  00:18:28:     dot1x_bend Fa0/17: during state dot1x_bend_initialize, got event 1
  6383(idle)
  00:18:28: @@@ dot1x_bend Fa0/17: dot1x_bend_initialize -> dot1x_bend_idle
  00:18:28: dot1x-sm:Dot1x Idle State Entered
  00:18:28: dot1x-ev:Created port supplicant block 0000.0000.0000 expected_id=0 cu
  rrent_id=0
  00:18:28: dot1x-ev:dot1x_init_sb_oper_info:Default port supplicant at memloc 80D
  71C74
  00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface
  FastEthernet0/17
  00:18:28: dot1x-ev:
  dot1x_post_message_to_auth_sm:0000.0000.0000: Sending TX_FAIL
  00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm:0000.0000.0000: Current ID=1
  00:18:28: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/17
  00:18:28: dot1x-packet:Tx EAP-Failure, id 0, ver 1, len 4 (Fa0/17)
  00:18:28: dot1x-registry:registry:dot1x_ether_macaddr called
  00:18:28: dot1x-packet:Tx sa=000f.24e9.72d1, da=0180.c200.0003, et 888E (Fa0/17)
  00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface
  FastEthernet0/17
  00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0
  000.0000.0000
  00:18:28: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/17
  00:18:28: dot1x-packet:Tx EAP-Request(Id), id 1, ver 1, len 5 (Fa0/17)
  00:18:28: dot1x-registry:registry:dot1x_ether_macaddr called
  00:18:28: dot1x-packet:Tx sa=000f.24e9.72d1, da=0180.c200.0003, et 888E (Fa0/17)
  00:18:28: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
  00:18:28: dot1x-packet:Rx EAP-Response(Id), id 1, ver 1, len 21 (Fa0/17)
  00:18:28: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
  00:18:28: dot1x-ev:Couldn't find a supplicant block for mac 0024.1d10.d7c5
  00:18:28: dot1x-ev:Couldn't find a supplicant block for mac 0024.1d10.d7c5
  00:18:28: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
  00:18:28:     dot1x_auth Fa0/17: initial state auth_initialize has enter
  00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_initialize_enter called
  00:18:28: dot1x-ev:auth_initialize_enter:0024.1d10.d7c5: Current ID=0
  00:18:28:     dot1x_auth Fa0/17: during state auth_initialize, got event 0(cfg_a
  uto)
  00:18:28: @@@ dot1x_auth Fa0/17: auth_initialize -> auth_disconnected
  00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_disconnected_enter_action called
  00:18:28: dot1x-sm:
  dot1x_update_port_status called with port_status = DOT1X_PORT_STATUS_UNAUTHORIZE
  D
  00:18:28: dot1x-ev:dot1x_update_port_direction: Updating oper direction for Fa0/
  17 (admin=Both, current oper=Both)
  00:18:28: dot1x-ev:dot1x_update_port_direction: New oper direction for Fa0/17 is
   Both
  00:18:28: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEt
  hernet0/17
  00:18:28: dot1x-ev:dot1x_update_port_status: Called with host_mode=0 state UNAUT
  HORIZED
  00:18:28: dot1x-ev:dot1x_update_port_status: using mac 0024.1d10.d7c5 to send po
  rt to unauthorized on vlan 0
  00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:28: dot1x-ev:dot1x_port_unauthorized: Host-mode=0 radius/guest vlan=0 on F
  astEthernet0/17
  00:18:28: dot1x-ev:    GuestVlan configured=0
  00:18:28: dot1x-ev:supplicant 0024.1d10.d7c5 is last
  00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:28: dot1x-ev:0024.1d10.d7c5 is now unauthorized on port FastEthernet0/17
  00:18:28: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEt
  hernet0/17
  00:18:28: dot1x-ev:Enter function dot1x_aaa_acct_end
  00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:28:     dot1x_auth Fa0/17: idle during state auth_disconnected
  00:18:28: @@@ dot1x_auth Fa0/17: auth_disconnected -> auth_connecting
  00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_enter called
  00:18:28:     dot1x_bend Fa0/17: initial state dot1x_bend_initialize has enter
  00:18:28: dot1x-sm:Dot1x Initialize State Entered
  00:18:28:     dot1x_bend Fa0/17: initial state dot1x_bend_initialize has idle
  00:18:28:     dot1x_bend Fa0/17: during state dot1x_bend_initialize, got event 1
  6383(idle)
  00:18:28: @@@ dot1x_bend Fa0/17: dot1x_bend_initialize -> dot1x_bend_idle
  00:18:28: dot1x-sm:Dot1x Idle State Entered
  00:18:28: dot1x-ev:Created port supplicant block 0024.1d10.d7c5 expected_id=1 cu
  rrent_id=1
  00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface
  FastEthernet0/17
  00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface
  FastEthernet0/17
  00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0
  024.1d10.d7c5
  00:18:28: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/17
  00:18:28: dot1x-packet:Tx EAP-Request(Id), id 0, ver 1, len 5 (Fa0/17)
  00:18:28: dot1x-registry:registry:dot1x_ether_macaddr called
  00:18:28: dot1x-packet:Tx sa=000f.24e9.72d1, da=0180.c200.0003, et 888E (Fa0/17)
  00:18:28: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
  00:18:28: dot1x-packet:Rx EAP-Response(Id), id 0, ver 1, len 21 (Fa0/17)
  00:18:28: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
  00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:28:     dot1x_auth Fa0/17: during state auth_connecting, got event 7(rxRes
  pId)
  00:18:28: @@@ dot1x_auth Fa0/17: auth_connecting -> auth_authenticating
  00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_exit alled
  00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_authenticating_enter called
  00:18:28: dot1x-ev:sending AUTH_START to BEND for supp_info=80D7E584
  00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_authenticating_action c
  alled
  00:18:28: dot1x-ev:Received AuthStart from Authenticator for supp_info=80D7E584
  00:18:28:     dot1x_bend Fa0/17: during state dot1x_bend_idle, got event 1(auth_
  start)
  00:18:28: @@@ dot1x_bend Fa0/17: dot1x_bend_idle -> dot1x_bend_response
  00:18:28: dot1x-sm:Dot1x Response State Entered for supp_info=80D7E584 hwidb=807
  D353C, swidb=807D4898 on intf=Fa0/17
  00:18:28: dot1x-ev:Managed Timer in sub-block attached as leaf to master
  00:18:28: dot1x-sm:Started the ServerTimeout Timer
  00:18:28: dot1x-ev:Going to Send Request to AAA Client on RP for id = 0 and leng
  th = 21
  00:18:28: dot1x-ev:Got a Request from SP to send it to Radius with id 4294967283
  00:18:28: dot1x-ev:Couldn't Find a process thats already handling the request fo
  r this id 0
  00:18:28: dot1x-ev:Inserted AAA request for interface FastEthernet0/17, MAC 0024
  .1d10.d7c5, VLAN 0 on pending request queue
  00:18:28: dot1x-ev:Found a free slot at slot 0
  00:18:28: dot1x-ev:Found a free slot at slot 0
  00:18:28: dot1x-ev:Processing AAA request for interface FastEthernet0/17, MAC 00
  24.1d10.d7c5, VLAN 0 from pending request queue
  00:18:28: dot1x-ev:Request id = -13 and length = 21
  00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:28: dot1x-ev:The Interface on which we got this AAA Request is FastEtherne
  t0/17
  00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:28: dot1x-ev:Username is DUZEY\SAYTAMANER
  00:18:28: dot1x-ev:MAC Address is 0024.1d10.d7c5
  00:18:28: dot1x-ev:RemAddr is 00-24-1D-10-D7-C5/00-0F-24-E9-72-D1
  00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:30: %LINK-3-UPDOWN: Interface FastEthernet0/17, changed state to up
  00:18:46: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
  00:18:46: dot1x-packet:Rx EAPOL-Start, ver 1, len 0 (Fa0/17)
  00:18:46: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
  00:18:46: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:46: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:46: dot1x-ev:RECEIVED mac =0024.1d10.d7c5 and Stored MAC =0024.1d10.d7c5
  00:18:46:     dot1x_auth Fa0/17: during state auth_authenticating, got event 4(e
  apStart)
  00:18:46: @@@ dot1x_auth Fa0/17: auth_authenticating -> auth_aborting
  00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_aborting_enter called
  00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_authenticating_aborting_action cal
  led
  00:18:46: dot1x-ev:Received DOT1X_MSG_AUTH_ABORT: setting msg_id = 0
  00:18:46:     dot1x_bend Fa0/17: during state dot1x_bend_response, got event 5(i
  nitialize)
  00:18:46: @@@ dot1x_bend Fa0/17: dot1x_bend_response -> dot1x_bend_initialize
  00:18:46: dot1x-sm:Dot1x Initialize State Entered
  00:18:46:     dot1x_bend Fa0/17: idle during state dot1x_bend_initialize
  00:18:46: @@@ dot1x_bend Fa0/17: dot1x_bend_initialize -> dot1x_bend_idle
  00:18:46: dot1x-sm:Dot1x Idle State Entered
  00:18:46:     dot1x_auth Fa0/17: during state auth_aborting, got event 16(noauth
  Abort_noeapLogoff)
  00:18:46: @@@ dot1x_auth Fa0/17: auth_aborting -> auth_connecting
  00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_enter called
  00:18:46: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0
  024.1d10.d7c5
  00:18:46: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/17
  00:18:46: dot1x-packet:Tx EAP-Request(Id), id 1, ver 1, len 5 (Fa0/17)
  00:18:46: dot1x-registry:registry:dot1x_ether_macaddr called
  00:18:46: dot1x-packet:Tx sa=000f.24e9.72d1, da=0180.c200.0003, et 888E (Fa0/17)
  00:18:46: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
  00:18:46: dot1x-packet:Rx EAP-Response(Id), id 1, ver 1, len 21 (Fa0/17)
  00:18:46: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
  00:18:46: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:46: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:46: dot1x-ev:RECEIVED mac =0024.1d10.d7c5 and Stored MAC =0024.1d10.d7c5
  00:18:46:     dot1x_auth Fa0/17: during state auth_connecting, got event 7(rxRes
  pId)
  00:18:46: @@@ dot1x_auth Fa0/17: auth_connecting -> auth_authenticating
  00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_exit alled
  00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_authenticating_enter called
  00:18:46: dot1x-ev:sending AUTH_START to BEND for supp_info=80D7E584
  00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_authenticating_action c
  alled
  00:18:46: dot1x-ev:Received AuthStart from Authenticator for supp_info=80D7E584
  00:18:46:     dot1x_bend Fa0/17: during state dot1x_bend_idle, got event 1(auth_
  start)
  00:18:46: @@@ dot1x_bend Fa0/17: dot1x_bend_idle -> dot1x_bend_response
  00:18:46: dot1x-sm:Dot1x Response State Entered for supp_info=80D7E584 hwidb=807
  D353C, swidb=807D4898 on intf=Fa0/17
  00:18:46: dot1x-ev:Managed Timer in sub-block attached as leaf to master
  00:18:46: dot1x-sm:Started the ServerTimeout Timer
  00:18:46: dot1x-ev:Going to Send Request to AAA Client on RP for id = 1 and leng
  th = 21
  00:18:46: dot1x-ev:Got a Request from SP to send it to Radius with id 4294967284
  00:18:46: dot1x-ev:Found a process thats already handling therequest for this id
   1
  00:18:48: dot1x-err:Dot1x Authentication failed (AAA_AUTHEN_STATUS_ERROR)
  00:18:48: dot1x-ev:Received VLAN is No Vlan
  00:18:48: dot1x-ev:Enqueued the response to BackEnd
  00:18:48: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:48: dot1x-ev:Enter function dot1x_aaa_acct_end
  00:18:48: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:48: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:48: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:48: dot1x-ev:Received QUEUE EVENT in response to AAA Request
  00:18:58: dot1x-sm:Fa0/17:0000.0000.0000:dot1x_process_txWhen_expire called
  00:18:58:     dot1x_auth Fa0/17: during state auth_connecting, got event 19(txWh
  en_expire)
  00:18:58: @@@ dot1x_auth Fa0/17: auth_connecting -> auth_connecting
  00:18:58: dot1x-sm:Fa0/17:0000.0000.0000:auth_connecting_connecting_action calle
  d
  00:18:58: dot1x-ev:dot1x_post_message_to_auth_sm: Skipping tx for req_id for def
  ault supplicant
  00:19:07: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
  00:19:07: dot1x-packet:Rx EAPOL-Start, ver 1, len 0 (Fa0/17)
  00:19:07: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
  00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:19:07: dot1x-ev:RECEIVED mac =0024.1d10.d7c5 and Stored MAC =0024.1d10.d7c5
  00:19:07:     dot1x_auth Fa0/17: during state auth_authenticating, got event 4(e
  apStart)
  00:19:07: @@@ dot1x_auth Fa0/17: auth_authenticating -> auth_aborting
  00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_aborting_enter called
  00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_authenticating_aborting_action cal
  led
  00:19:07: dot1x-ev:Received DOT1X_MSG_AUTH_ABORT: setting msg_id = 0
  00:19:07:     dot1x_bend Fa0/17: during state dot1x_bend_response, got event 5(i
  nitialize)
  00:19:07: @@@ dot1x_bend Fa0/17: dot1x_bend_response -> dot1x_bend_initialize
  00:19:07: dot1x-sm:Dot1x Initialize State Entered
  00:19:07:     dot1x_bend Fa0/17: idle during state dot1x_bend_initialize
  00:19:07: @@@ dot1x_bend Fa0/17: dot1x_bend_initialize -> dot1x_bend_idle
  00:19:07: dot1x-sm:Dot1x Idle State Entered
  00:19:07:     dot1x_auth Fa0/17: during state auth_aborting, got event 16(noauth
  Abort_noeapLogoff)
  00:19:07: @@@ dot1x_auth Fa0/17: auth_aborting -> auth_connecting
  00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_enter called
  00:19:07: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0
  024.1d10.d7c5
  00:19:07: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/17
  00:19:07: dot1x-packet:Tx EAP-Request(Id), id 2, ver 1, len 5 (Fa0/17)
  00:19:07: dot1x-registry:registry:dot1x_ether_macaddr called
  00:19:07: dot1x-packet:Tx sa=000f.24e9.72d1, da=0180.c200.0003, et 888E (Fa0/17)
  00:19:07: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
  00:19:07: dot1x-packet:Rx EAP-Response(Id), id 2, ver 1, len 21 (Fa0/17)
  00:19:07: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
  00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:19:07: dot1x-ev:RECEIVED mac =0024.1d10.d7c5 and Stored MAC =0024.1d10.d7c5
  00:19:07:     dot1x_auth Fa0/17: during state auth_connecting, got event 7(rxRes
  pId)
  00:19:07: @@@ dot1x_auth Fa0/17: auth_connecting -> auth_authenticating
  00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_exit alled
  00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_authenticating_enter called
  00:19:07: dot1x-ev:sending AUTH_START to BEND for supp_info=80D7E584
  00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_authenticating_action c
  alled
  00:19:07: dot1x-ev:Received AuthStart from Authenticator for supp_info=80D7E584
  00:19:07:     dot1x_bend Fa0/17: during state dot1x_bend_idle, got event 1(auth_
  start)
  00:19:07: @@@ dot1x_bend Fa0/17: dot1x_bend_idle -> dot1x_bend_response
  00:19:07: dot1x-sm:Dot1x Response State Entered for supp_info=80D7E584 hwidb=807
  D353C, swidb=807D4898 on intf=Fa0/17
  00:19:07: dot1x-ev:Managed Timer in sub-block attached as leaf to master
  00:19:07: dot1x-sm:Started the ServerTimeout Timer
  00:19:07: dot1x-ev:Going to Send Request to AAA Client on RP for id = 2 and leng
  th = 21
  00:19:07: dot1x-ev:Got a Request from SP to send it to Radius with id 4294967285
  00:19:07: dot1x-ev:Couldn't Find a process thats already handling the request fo
  r this id 2
  00:19:07: dot1x-ev:Inserted AAA request for interface FastEthernet0/17, MAC 0024
  .1d10.d7c5, VLAN 0 on pending request queue
  00:19:07: dot1x-ev:Found a free slot at slot 0
  00:19:07: dot1x-ev:Found a free slot at slot 0
  00:19:07: dot1x-ev:Processing AAA request for interface FastEthernet0/17, MAC 00
  24.1d10.d7c5, VLAN 0 from pending request queue
  00:19:07: dot1x-ev:Request id = -11 and length = 21
  00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:19:07: dot1x-ev:The Interface on which we got this AAA Request is FastEtherne
  t0/17
  00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:19:07: dot1x-ev:Username is DUZEY\SAYTAMANER
  00:19:07: dot1x-ev:MAC Address is 0024.1d10.d7c5
  00:19:07: dot1x-ev:RemAddr is 00-24-1D-10-D7-C5/00-0F-24-E9-72-D1
  00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:19:19: dot1x-registry:dot1x_port_linkchange invoked on interface FastEthernet
  0/17
  00:19:19: dot1x-ev:supp_info=80D7E584 txWhen_timer=80D7E5D4 quietWhile_timer=80D
  7E594reAuthWhen_timer=80D7E5B4 awhile_timer=80D7E5F4
  00:19:19: dot1x-ev:destroy supplicant block for 0024.1d10.d7c5
  00:19:19: dot1x-ev:supp_info=80D71C74 txWhen_timer=80D71CC4 quietWhile_timer=80D
  71C84reAuthWhen_timer=80D71CA4 awhile_timer=80D71CE4
  00:19:19: dot1x-ev:destroy supplicant block for 0000.0000.0000
  00:19:19: dot1x-ev:Enter function dot1x_aaa_acct_end
  00:19:19: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
  00:19:19: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
  00:19:19: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEt
  hernet0/17
  00:19:19: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface
  This is driving me crazy, working on it for a whole week and no results..
  Thank you..

  Hi again,
  I have put the config on 2960. Now as soon as the authentication starts, this is the message on debug;
  dot1x authentication unable to start - authenticator not enabled..
  Any ideas?
  regards,
  onur

• IAS and CTA 802.1x wired client?

  Hi,
  We have IAS working with 802.1X authentication. All is good except when we enable dynamic VLAN assignment we come across the Winlogon issue as per MS KB article 935638.
  We do however have available the CTA 802.1X wired client. From what I have read though it requires ACS due to use of EAP-FAST. Is this correct or is there some way I can get CTA 802.1X wired client working with MS IAS RADIUS?
  Thank you

  You will have to use ACS for authenticating using EAP-FAST for CTA 802.1x wired clients. It is not possible to get CTA 802.1X wired client working with MS IAS RADIUS.

• Wired 802.1x with PEAP

  I have manage to get wired 802.1x working using Windows Active Directory as the database. With machine authentication, single-signon can be achieved.
  Setup:
  C3750 switch - Cisco ACS 3.2 - Windows AD
  Sequence of events:
  1. 802.1x machine authentication
  2. User logs in to domain
  3. 802.1x with user credentials
  But, I have the following issues:
  i. If user logs in using local account, it takes 3 minutes (default dot1x switch timers) for the port to turn unauthorized. Is it possible to place the port in unauthorized state immediately?
  ii. If the user 802.1x login has dynamic VLAN assignment, the AD scripts do not run. It seems that the AD scripts can't run if there is a change of IP address upon login (difference in VLAN for 'machine authentication' and 'user login').
  Any solution for this?
  Tks

  2 issues here:
  *Cached credentials for Microsoft supplicannts. Microsoft's authentication strategy in general reflects, and WLAN roaming would be difficult without the use of cached credentials. If cached credentials are not desired, would recommend another supplicant.
  * Falied Authentication for a local account. It should try to dot1x authenticate this user. For PEAP as an example, you would see the username as \. Now, a port will only be placed into a HELD state if a RADIUS-Reject is sent to the switch. A RADIUS-Reject will only be sent to the switch if the attempt is actually "failed" as opposed to silently discarded, packet lost in transit, etc. Taking 3 minutes to actually fail an attempt is indeed way too long, but the switch is probably doing what RADIUS is telling it to do. (this can be verified by a sniffer trace or debugs). Correspinding logs on RADIUS would help as well.

• Eap-tls wired 802.1x - certificate issue?

  I have configured ACS 4.0 and an 2003 Enterprise root CA on the same server, successfully applied the GPO to auto-enroll machines with Computer certificates, and then enabled 802.1x security on Catalyst 3750s. Note this is for wired 802.1x.
  If I reboot the machine, the EAP packets go through and you can see a successful authentication in the "Passed Authentications" log. However, if you disconnect the wire and then plug it back in, Windows gets stuck in "Validatiny Identity", and eventually a balloon pops up saying: "Windows was unable to find a certificate to log you on". Doing a 'sh dot1x interface ...' shows it is CONNECTING until the auth timeout is reached then it dumps the workstation into the guest vlan. Nothing is logged to Passed Authentications or Failed Attempts on the ACS server.
  Basically, the only time the EAP-TLS machine authentication works is when you reboot the machine. And if you change the state of the port either by diabling/enabling from the workstation or switch, or unplug the cable and plug it back in, Windows does not seem to pass the certificate information along to the PAE.
  This does not seem to happen when a user/client certificate is issued, only when it is a machine/computer certificate
  Has anybody seen this before and have any solutions why Windows cannot recogonize the machine certificate properly?

  We solved our WIRELESS problem by editing the following entrees. I sure this can be applied to the wired side somehow.
  The information about the correct settings can be found in this Microsoft document:
  http://technet2.microsoft.com/WindowsServer/en/library/8e74974f-c951-48ce-8235-02f4ed8e74921033.mspx?mfr=true
  The areas of interest are the SupplicantMode (EAPOL-Start Message) and AuthMode (what type of authentication to use) registry entries. These can be configured manually in the registry or applied via Group Policy.
  This allows just the machine to authenticate (using a Cert all ready on the Machine) then we use our ACS server to auth the user via AD.
  I am doing this wirelessly and using as long as you are using a WDS the following will be the result.
  Roaming AP to AP I only lost 1 packet.
  Roaming from Vlan to other Vlan I lost 5 packets (Different ip address)
  Shutting the wireless off and back on I only lost 8 packets.
  I thought this was a very good result. We will be launching our lab with 35 plus laptops in a classroom with 2 radios.

• ACS 5.1 Failure: 5411 EAP session timed out -- Wired 802.1X, machine-authentication

  Hi guys,
  I have a strange error here and I`m really disappointed.
  We currently try to do "Wired-802.1X" with our Windows XP SP3 Clients with EAP-TLS and "machine-only" authentication.
  We use ACS5.1 to authenticate the clients. At about 50% of the clients authentication works fine.
  At the other clients we can see a strange error at the ACS.
  At the Reports page --> "Authentications - RADIUS - Today" we see that a client is trying to authenticate, but this fails with the Failure Code: 5411 EAP session timed out.
  Logged At RADIUS
  Status NAS
  Failure Details Username MAC/IP
  Address Access Service Authentication
  Method Network Device NAS IP Address NAS Port ID CTS
  Security Group ACS Instance Failure  Reason
  Sep 2,10 3:37:46.916 PM
  Wired_802.1X_EAP-TLS
  EAP-TLS
  svacs01
  5411 EAP session timed out
  Steps
  11001  Received RADIUS Access-Request
  11017  RADIUS created a new session
  Evaluating Service Selection Policy
  15004  Matched rule
  15012  Selected Access Service - Wired_802.1X_EAP-TLS
  11507  Extracted EAP-Response/Identity
  12500  Prepared EAP-Request proposing EAP-TLS with challenge
  11006  Returned RADIUS Access-Challenge
  5411  EAP session timed out
  At the switch I used "Authentication Open" to get the client working and capture traffic with wireshark.
  Switch --> Request Identity --> Client
  Switch <-- Response Identity <-- Client
  Switch --> Request EAP-TLS --> Client
  Switch --> Request EAP-TLS --> Client
  Switch --> Request EAP-TLS --> Client
  Switch --> Request Identity --> Client
  Switch --> Request Identity --> Client
  Switch --> Request Identity --> Client
  What is missing ist the Switch <-- Response EAP-TLS <-- Client
  Any ideas what is going wrong ? Maybe someone had this error before ?
  Any suggestions how to debug this ?
  Thank you very much for your help!
  Mathias

  Hi @all,
  I have this issue too. It occurs in our wireless environment. The problem for me is that I don't know which client (or clients) causes the error. The error occur many times per day.
  Logged At RADIUS
  Status NAS
  Failure Details Username MAC/IP
  Address Access Service Authentication
  Method Network Device NAS IP Address NAS Port ID CTS
  Security Group ACS Instance Failure  Reason
  Sep 7,10 11:50:36.143 PM
  dot1x wireless
  PEAP
  bfnetacs01
  5411 EAP session timed out
  Kind regards,
  Michael

• Wired 802.1x re-authentication passes but no connectivity after 1 hour

  I am testing wired 802.1x with the desired behavior of machine auth with user auth. I have a 6509 CAT OS 8.3(5) using the dot1x global defaults, 2 laptops one is XP SP1 and XP SP2 both with AuthMode=1 and SupplicantMode=3 with windows update as of 02mar2005. Active Directory. ACS SE 3.2 using vlan assignment. Have tested PC and user in different vlans and it works fine.
  1st observation:
  The initial EAP authentication is good. Every hour there is an EAP request with a final result of success in the packet trace. The switch shows connected dot1x-123. The ACS log shows the passed re-authentication. Everything looks good but both laptops lose connectivity 1 hour after the first authorization. If I issue "set port dot1x initialize" or enable/disable the port the process starts over.
  2nd observation:
  I can connect with Remote Desktop. There are 2 EAP start frames then the port becomes unauthorized about a minute later.
  Any ideas?

  No. I am still waiting on Cisco to address the 1st observation. Does it occur on your 6506 8.4(2). I see it also in my 6509 with 8.4(2). I find it interesting that it works in my end of life 2948g switch 8.2(1)GLX.
  The MS supplicant defaults for WIRED are authmode=1 and supplicantmode=2. Remote Desktop works in their default WIRED mode.
  At this point I am content controlling machine access until dot1x matures. Cisco ACS has a machine access restriction feature that authorizes the port after a successful User Auth. I have found if enabled, a successful Machine Auth will be unauthorized when logged in with a local account. If disable the local account is authorized b/c MA has only occurred.

• Wired 802.1x EAP-TLS Server Certificate Problem

  I have setup wired 802.1x authentication using EAP-TLS with ACS 3.3 and backend link to Active Directory. Root CA certificates are installed on the ACS and Client PC. Machine certificates and user certificates are also installed on Client PC. A Server certificate is installed on the ACS. All has been configured as detailed on the Cisco Web Site (numerous documents).
  If I set the client to authenticate the Servers certificate I get a failure. The clients log (Cisco Secure Services Client) states:
  11:48:53.088 Validating the server.
  11:48:53.088 Server list is empty, trusted server can not be validated.
  11:48:53.088 Server list is empty, trusted server can not be validated.
  11:48:53.088 The server certificate is invalid, the common name ACS-One.rotherham.gov.uk does not match.
  11:48:54.776 Port state transition to AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_ERR_SERVER_TLS_CERTIFICATE_REJECTED)
  11:48:54.776 The authentication process has failed.
  If I look at the Auth log on ACS (set to full logging) it states:
  AUTH 08/27/2008 14:09:04 I 0701 1492 AuthenProcessResponse: process response for 'paul.kyte@domain' against Windows NT/2000
  AUTH 08/27/2008 14:09:04 E 0350 1492 EAP: TLS: ProcessResponse: SSL handshake failed, status = 3 (SSL alert fatal:bad certificate)
  If I configure the client to not check the servers certificate it all works ok.
  Can anyone tell me why my server certificate is getting rejected?
  Thanks,
  Paul

  If Cisco Secure ACS runs on a member server and any user is to be authenticated using EAP-TLS, you must complete additional configuration in Active Directory of the domain containing Cisco Secure ACS. The username that you configured to run all Cisco Secure ACS services must also have permission to read user properties in Active Directory, else EAP-TLS authentication fails.

• ISE Wired 802.1x with Foundry access switch ,not show "Device Port"

  Our customer wanna enable wired 802.1x for user and machine authentication on Foundry Switch.
  They want to use ISE as radius server.We try it ,but the ISE report can't show which port the client is connectd on the switch.
  We get the tcp dump packets from ISE.It shows that the "nas-port-id" radius attribute is not sent out by  foundry switch,but it sends "nas-port".
  Is it possible to let foundry switch send "nas-port-id" attribute in the radius request packet ?
  Or is it possible to let ISE show "nas-port" attribute value on the authentication report ?
  Thanks.

  Our customer wanna enable wired 802.1x for user and machine authentication on Foundry Switch.
  They want to use ISE as radius server.We try it ,but the ISE report can't show which port the client is connectd on the switch.
  We get the tcp dump packets from ISE.It shows that the "nas-port-id" radius attribute is not sent out by  foundry switch,but it sends "nas-port".
  Is it possible to let foundry switch send "nas-port-id" attribute in the radius request packet ?
  Or is it possible to let ISE show "nas-port" attribute value on the authentication report ?
  Thanks.

• RADIUS failover not working in wired 802.1x (CATOS switch)

  I am setting up a pilot group for wired 802.1x testing. I have it working correctly on a C2950 and C3550s. I am having trouble with the RADIUS failover on my CATOS C4006 series switches. When I disable the primary RADIUS Server to test failover, the switch never fails over to the backup RADIUS server and thus wired 802.1x fails. Am I missing something?
  Any help is appreciated. Here is my config:
  #version 8.4(7)GLX
  #radius
  set radius server 10.30.XX.XX auth-port 1812 primary
  set radius server 10.18.XX.XX auth-port 1812
  set radius timeout 30
  set radius key EE08361
  Set dot1x system-auth-control enable
  set port dot1x 5/27 port-control auto
  all radius and dot1x settings are at their default values
  Any takers??!

  I have the same setup as yours. I use Steelbelt
  radius 6.0.1 on Linux and I have Cisco 2960
  catalyst. I use 802.1x over Ethernet with
  PEAP, as seen below:
  C2960#sh run int g0/23
  Building configuration...
  Current configuration : 133 bytes
  interface GigabitEthernet0/23
  switchport mode access
  dot1x pae authenticator
  dot1x port-control auto
  dot1x guest-vlan 668
  end
  C2960#
  C2960#sh run | inc dot
  aaa authentication dot1x default group radius
  dot1x system-auth-control
  dot1x guest-vlan supplicant
  C2960#sh run | inc radius-
  radius-server host 192.168.15.10 auth-port 1812 acct-port 1813 key xxx
  radius-server host 10.250.97.26 auth-port 1812 acct-port 1813 key xxx
  C2960#
  Everything works and when I shutdown the
  radius server process on host 192.168.15.10,
  "sbrd stop", it still works with the secondary
  radius server 10.250.97.26.
  The difference between yours and mine is that
  I am running IOS instead of CatOS.
  System image file is "flash:c2960-lanbasek9-mz.122-25.SEE4.bin"
  David

• Wired 802.1x Continouos Authentication Restart in Win 7

  Hi,
  I'm trying to implement 802.1x authenticaion with HP switches and NPS 2008/R2.
  Seems like the switch is configured properly and a 802.1x policy was created and configured to grant network access to domain users and computers. Clients are Win 7 computers, configured to enable 802.1x authentication in PEAP method with secured password
  (EAP-MSCHAP v2) and not required to validate the server's (certificate (although the server has an issued certificate.
  The problem is that the client seems to be authenticated, and immediately restarts the authentication, which eventually fails - as I see in the logs under Wired-AutoConfig.
  I'd be thrilled to get any assistance with that issue.
  Thanks a lot,
  Lena. 

  Solved it! 
  Apparently there is an option in the port-level on the switch to enable/disable triggering of a 802.1x client to perform authentication - it is called "multicast/unicast-triggering".
  Disabling the multicast-triggering stopped the client from authenticating every 30 seconds!
  From system view of an HP v1910 switch:
  int GigabitEthernet1/0/x
  undo dot1x multicast-trigger
  Hope that it will maybe help someone in the future.
  Lena. 

• FlexConnect Access Point - Wired 802.1X or MAB Authentication

  Hi all,
  We are piloting wired 802.1X but have hit a snag - FlexConnect AP switchport configuration requires the port be configured as trunk, with the native VLAN for management and access VLAN(s) for client data.
  I know 802.1X cannot be configured on trunk port, but how can we configure MAB on trunk ports such as these?
  Otherwise, is there another way we can authenticate these FlexConnect APs on a switch using ISE?
  Thanks in advance.
  Regards,
  Stephen.

  Hi Stephen. You are correct, 802.1x should not be configured on a trunk port. Moreover, you would run into an issue with clients if you are running local switching mode. Here is the flow:
  1. AP, authenticates via MAB and profiling
  2. Client authenticates via PEAP/EAP-TLS, etc
  3. Now the client's traffic is locally switched, thus, the client mac address is showing on the same port where the AP is connected. The NAD (Switch) sees this new mac address and it is expecting it to perform 802.1x or MAB based authentication. The supplicant, however, does not know that and as far it is concerned it was already authenticated.
  So I have ran into this issue in my deployments and you have the following options (listed in preference order):
  1. Eliminate FlexConnect :)
  2. Utilize AutoSmartPorts where:
  - If an AP is connected, then 802.1x configuration is removed, port-security is enabled and locked to a single MAC address and trunk configuration is enabled
  - If the AP is removed, then port is configured as standard access port, port-security is removed and 802.1x is configured
  More info on auto smart ports:
  http://www.cisco.com/c/en/us/td/docs/switches/lan/auto_smartports/15-0_1_se/configuration/guide/asp_cg.html
  3. You can configure the port in a "multi-host" mode where after the first device is authenticated all subsequent devices are allowed on the network.
  Hope this helps!
  Thank you for rating helpful posts!

• Wired 802.1x automation

  I have a Wired 802.1x network.
  When I configure the 802.1x setting for the connection and click 'connect' everything works fine.
  However I need to click that same connect button in network preferences every time I reboot or logout.
  This is a multi user enviro so using a System login profile and there is no directory integration here as this is a UNI. as a result I must use a User profile.
  This problem is present on 10.4 with internet connect as well as 10.5.
  Any help would be greatly appreciated.

  With the XP-Client, this cannot be forced. You need to enable machine authentication. This way, network access is granted with machine credentials by the time the user logs on, and 802.1X authentication occurs during the user logon event.
  Hope this helps,

• Wired 802.1x logon-scripts don't run

  I tested wired 802.1x authentication with a XP-client and a Cat 2960 switch. The authentication are configured with PEAP and MS-ChAP V2. The 802.1x authentication works well.
  The problem is that the 802.1x authentication starts after the windows logon. Due this problem, the logon script don't run.
  How can I force the 8021.x authentication befor the windows login starts?
  Regards
  Pascal

  With the XP-Client, this cannot be forced. You need to enable machine authentication. This way, network access is granted with machine credentials by the time the user logs on, and 802.1X authentication occurs during the user logon event.
  Hope this helps,

• Wired 802.1x hardware compatible checklist

  Hi forumers'
  Would like to check what kind of access switch is support wired 802.1x, do cisco have a hardware compatible checklist for it?
  Backend Radius server would be Cisco ISE. Business requirement is able to support flexauth.
  Current infrastructure access list with
  a. Linksys switch
  b. ESW 540
  c. Cisco 2950 switch
  Thanks
  Noel

  I have a supplemental question regarding the 2003 update (KB968730).  I have a Kace KBOX that we do patching/inventory of our servers with, and it tells me that all of our 2003 servers are patched with KB968730.  However, when looking at one of
  the 2003 servers, I didn't see KB968730 in the updates list, nor in the registry.  After some research, it appears that the crypt32.dll file on the server now is already a newer version than the one in the KB968730 (it contains the version of crypt32.dll
  from MS14-049 in August 2014).  I went ahead and installed KB968730 anyways on the server, and it now shows up in the updates list.  However, the crypt32.dll file was unaffected on the machine since it was already newer.
  Upon reading the install log for KB968730, it seems that all the update did was add registry keys to say that the KB968730 was installed, but did not replace the crypt32.dll file, and no reboot was needed.
  I believe this will be the case for all of my 2003 R2 servers.  With the actual payload of the KB968730 being the crypt32.dll (and wcrypt.dll for x64), and those files already being newer than on my servers than what is in the KB968730, would it just
  be considered to be SHA2 supported...or would the presence of the reg keys that state the hotfix is installed be needed (sounds pointless to me)?
  EDIT: Not to mention that the KB968730 update never specifically mentions 2003 R2, just 2003.  The install log shows failures during file version checks and other lines, so it really looks like it simply added the registry info for the hotfix and
  that's all.