Wired 802.1X with ISE | Some computers cannot be authenticated

Similar Messages

• ISE Wired 802.1x with Foundry access switch ,not show "Device Port"

  Our customer wanna enable wired 802.1x for user and machine authentication on Foundry Switch.
  They want to use ISE as radius server.We try it ,but the ISE report can't show which port the client is connectd on the switch.
  We get the tcp dump packets from ISE.It shows that the "nas-port-id" radius attribute is not sent out by  foundry switch,but it sends "nas-port".
  Is it possible to let foundry switch send "nas-port-id" attribute in the radius request packet ?
  Or is it possible to let ISE show "nas-port" attribute value on the authentication report ?
  Thanks.

  Our customer wanna enable wired 802.1x for user and machine authentication on Foundry Switch.
  They want to use ISE as radius server.We try it ,but the ISE report can't show which port the client is connectd on the switch.
  We get the tcp dump packets from ISE.It shows that the "nas-port-id" radius attribute is not sent out by  foundry switch,but it sends "nas-port".
  Is it possible to let foundry switch send "nas-port-id" attribute in the radius request packet ?
  Or is it possible to let ISE show "nas-port" attribute value on the authentication report ?
  Thanks.

• Limit the number of session per user in the Wired dot1x environment with ISE 1.2

  Hello,
  I need to check if there is any configuration/workaround to limit the number of sessions/access per user in the Wired dot1x configuration.
  I need to check if this feature is available or not to solve the following scenario:
  I have 2 SW ports configured to use dot1x authentication with ISE 1.2 server.
  If user A connects to the 1st port and authenticated then he will placed on a VLAN based on the authorization profile.
  The case, that I need to deny the same user to connect on a different machine with the same credentials.
  The ISE itself does not have this feature currently,  the only feature available is to limit the number of sessions for the guest user.
  Is there any workaround on the Cisco switches to solve this? Cisco WLC has this feature and for the VPN we can limit the number of sessions also from the ASA itself.
  Thanks.

  limit number of session per user using wired dot1x is not available in 1.3

• Wired 802.1x with PEAP

  I have manage to get wired 802.1x working using Windows Active Directory as the database. With machine authentication, single-signon can be achieved.
  Setup:
  C3750 switch - Cisco ACS 3.2 - Windows AD
  Sequence of events:
  1. 802.1x machine authentication
  2. User logs in to domain
  3. 802.1x with user credentials
  But, I have the following issues:
  i. If user logs in using local account, it takes 3 minutes (default dot1x switch timers) for the port to turn unauthorized. Is it possible to place the port in unauthorized state immediately?
  ii. If the user 802.1x login has dynamic VLAN assignment, the AD scripts do not run. It seems that the AD scripts can't run if there is a change of IP address upon login (difference in VLAN for 'machine authentication' and 'user login').
  Any solution for this?
  Tks

  2 issues here:
  *Cached credentials for Microsoft supplicannts. Microsoft's authentication strategy in general reflects, and WLAN roaming would be difficult without the use of cached credentials. If cached credentials are not desired, would recommend another supplicant.
  * Falied Authentication for a local account. It should try to dot1x authenticate this user. For PEAP as an example, you would see the username as \. Now, a port will only be placed into a HELD state if a RADIUS-Reject is sent to the switch. A RADIUS-Reject will only be sent to the switch if the attempt is actually "failed" as opposed to silently discarded, packet lost in transit, etc. Taking 3 minutes to actually fail an attempt is indeed way too long, but the switch is probably doing what RADIUS is telling it to do. (this can be verified by a sniffer trace or debugs). Correspinding logs on RADIUS would help as well.

• Wired 802.1x With Static IP on endopoints

  Hi all
  Someone know if a 802.1x implementation with Cisco ISE, works with static IP in the endpoints or there are any issue in this deployment?
  I have a lab deployment but does not work fine with a static IP in the client (laptop) but when i work with DHCP works fine.
  The authentication and authorization process in ISE is successfull, and the port status in switch is AUTHORIZED, the VLAN assignment is right.
  Thanks

  I have deployed ISE in the past with static IPs and did not have any issues as long as the VLAN that was being assigned to the port matches the VLAN that the subnet of the static IP resides in. 
  What is the behavior of the endpoint and what issues are you seeing?
  Thank you for rating helpful posts!

• 3750-X Dot1x for wired switch ports with ISE 1.2 doing eap-tls

  Hi,
  I currently have an authentication and authorization policy in ISE to allow machines that authenticate successfully with machine certificates to have full access.  If they fail, then they are denied.  And this works correctly.  However, the customer does not want to deny them access if they fail, but instead he would like the machines that fail authentication to have access only to the Internet.  I'm looking for some suggestions on what would be the best way to do this from a policy standpoint?  Also, this would be for devices that are IT devices, or part of the organization, as well as for devices that aren't, for example for contractors or guest and may or may not have wired dot1x services enabled on their laptop that they will be plugging in.  Any help is appreciated.
  Thanks....

  Hello. I can think of two solutions to your requirement:
  #1 (Preferred): Configure CWA (Central Web Authentication) to be your last method of authentication/authorization. That way any devices that fail both dot1x and mab would be send to the guest/web portal hosted by ISE. There users can login with either their AD credentials and/or their guest credentials. That way you can actually provide better/more access to AD type users vs true guests
  #2 (Less preferred): You can use the following command to authorize users/devices that fail dot1x to a "Guest/Internet" VLAN. Keep in mind though that if you use that then there is no "next method" so you cannot utilize mab:
    (config-if)#authentication event fail action authorize vlan  guest_vlan_id
  Thank you for rating helpful posts! 

• Some computers cannot view Captivate 4.0 lesson in LMS

  Hi guys, we have been very successful at viewing Captivate 4.0 lessons in our LMS for 2+ years but now we have very strange things happening.  OF the 50+ lessons, about 3 lessons on the LMS cannot be viewed on certain computers.  We know the problem is with the swf file from Captivate.  On the problem computers, the swf appears to load for 2 sec. then we get a black screen, or we just get a black screen from the beginning. The computers that can view the files, (and from which the lessons were published), have Flash player 8.  The lessons were published as AS2 and for Flash Player 8.
  Two of the problem lessons have animations that were imported as FLA's, we also did some localization (English to Spanish) by importing a caption/close caption file into the Captivate file. We did the same importing of captions for many more lessons but only these 3 are acting strange.
  The lessons are scormed but that is not the issue because we tried to view only the  swf of an unscormed lesson and we cannot see it on the 3 problem computers. The problem happens with Internet Explorer and Firefox. The computers where we cannot see the 3 lessons have Flash viewer 11.
  I "externalized" the animations to see if that would be the issue but that did not fix anything.
  HELP!

  Hi ,
  Frankly Speaking, as you said that the issue is occuring on specific machines only? So, I cannot find its relation with Captivate.
  Can you try removing Flash 11 from those machines and try installing  a prior version like flash 9 or 10.
  Thanks,
  Anjaneai

• Configuring wired 802.1x with Cisco 2950 and NPS 2012 problem

  Hi,
  I am trying to setup wired authentication on my corporate network. For testing purposes, I have setup a Cisco 2950 switch for RADIUS authentication.
  On the first day of the test, access messages were appearing on the event log of the 2012 Server and  we were trying to address the issues with EAP and policy.(Network Policy and Access services)
  Then, suddenly no events are written to the event log for the wired authentication. Accounting data is written to the log file at c:\windows\system32\logfiles, but nothing happens on the event log as if the NPS is not answering. We are using the same server for wireless 802.1x and all is working fine.
  Checking the wired autoconfig log on the client, Restart Reason : Onex Auth Timeout appears.
  Logging seems to be configured properly, there are no entries in event log. Below is the debug information from the 2950 switch;
  KAT2-BATISW1#
  00:18:28: dot1x-registry:dot1x_port_linkchange invoked on interface FastEthernet
  0/17
  00:18:28: dot1x-registry:dot1x_port_linkcomingup invoked on interface FastEthern
  et0/17
  00:18:28: dot1x-ev:dot1x_port_enable: set dot1x ask handler on interface FastEth
  ernet0/17
  00:18:28: dot1x-ev:dot1x_update_port_direction: Updating oper direction for Fa0/
  17 (admin=Both, current oper=Both)
  00:18:28: dot1x-ev:dot1x_update_port_direction: New oper direction for Fa0/17 is
   Both
  00:18:28:     dot1x_auth Fa0/17: initial state auth_initialize has enter
  00:18:28: dot1x-sm:Fa0/17:0000.0000.0000:auth_initialize_enter called
  00:18:28: dot1x-ev:auth_initialize_enter:0000.0000.0000: Current ID=0
  00:18:28:     dot1x_auth Fa0/17: during state auth_initialize, got event 0(cfg_a
  uto)
  00:18:28: @@@ dot1x_auth Fa0/17: auth_initialize -> auth_disconnected
  00:18:28: dot1x-sm:Fa0/17:0000.0000.0000:auth_disconnected_enter_action called
  00:18:28: dot1x-sm:
  dot1x_update_port_status called with port_status = DOT1X_PORT_STATUS_UNAUTHORIZE
  D
  00:18:28: dot1x-ev:dot1x_update_port_direction: Updating oper direction for Fa0/
  17 (admin=Both, current oper=Both)
  00:18:28: dot1x-ev:dot1x_update_port_direction: New oper direction for Fa0/17 is
   Both
  00:18:28: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEt
  hernet0/17
  00:18:28: dot1x-ev:dot1x_update_port_status: Called with host_mode=0 state UNAUT
  HORIZED
  00:18:28: dot1x-ev:dot1x_update_port_status: using mac 0000.0000.0000 to send po
  rt to unauthorized on vlan 0
  00:18:28: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
  00:18:28: dot1x-ev:dot1x_port_unauthorized: Host-mode=0 radius/guest vlan=0 on F
  astEthernet0/17
  00:18:28: dot1x-ev:    GuestVlan configured=0
  00:18:28: dot1x-ev:supplicant 0000.0000.0000 is default
  00:18:28: dot1x-ev:supplicant 0000.0000.0000 is last
  00:18:28: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
  00:18:28: dot1x-ev:0000.0000.0000 is now unauthorized on port FastEthernet0/17
  00:18:28: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEt
  hernet0/17
  00:18:28: dot1x-ev:Enter function dot1x_aaa_acct_end
  00:18:28: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
  00:18:28: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
  00:18:28:     dot1x_auth Fa0/17: idle during state auth_disconnected
  00:18:28: @@@ dot1x_auth Fa0/17: auth_disconnected -> auth_connecting
  00:18:28: dot1x-sm:Fa0/17:0000.0000.0000:auth_connecting_enter called
  00:18:28:     dot1x_bend Fa0/17: initial state dot1x_bend_initialize has enter
  00:18:28: dot1x-sm:Dot1x Initialize State Entered
  00:18:28:     dot1x_bend Fa0/17: initial state dot1x_bend_initialize has idle
  00:18:28:     dot1x_bend Fa0/17: during state dot1x_bend_initialize, got event 1
  6383(idle)
  00:18:28: @@@ dot1x_bend Fa0/17: dot1x_bend_initialize -> dot1x_bend_idle
  00:18:28: dot1x-sm:Dot1x Idle State Entered
  00:18:28: dot1x-ev:Created port supplicant block 0000.0000.0000 expected_id=0 cu
  rrent_id=0
  00:18:28: dot1x-ev:dot1x_init_sb_oper_info:Default port supplicant at memloc 80D
  71C74
  00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface
  FastEthernet0/17
  00:18:28: dot1x-ev:
  dot1x_post_message_to_auth_sm:0000.0000.0000: Sending TX_FAIL
  00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm:0000.0000.0000: Current ID=1
  00:18:28: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/17
  00:18:28: dot1x-packet:Tx EAP-Failure, id 0, ver 1, len 4 (Fa0/17)
  00:18:28: dot1x-registry:registry:dot1x_ether_macaddr called
  00:18:28: dot1x-packet:Tx sa=000f.24e9.72d1, da=0180.c200.0003, et 888E (Fa0/17)
  00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface
  FastEthernet0/17
  00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0
  000.0000.0000
  00:18:28: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/17
  00:18:28: dot1x-packet:Tx EAP-Request(Id), id 1, ver 1, len 5 (Fa0/17)
  00:18:28: dot1x-registry:registry:dot1x_ether_macaddr called
  00:18:28: dot1x-packet:Tx sa=000f.24e9.72d1, da=0180.c200.0003, et 888E (Fa0/17)
  00:18:28: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
  00:18:28: dot1x-packet:Rx EAP-Response(Id), id 1, ver 1, len 21 (Fa0/17)
  00:18:28: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
  00:18:28: dot1x-ev:Couldn't find a supplicant block for mac 0024.1d10.d7c5
  00:18:28: dot1x-ev:Couldn't find a supplicant block for mac 0024.1d10.d7c5
  00:18:28: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
  00:18:28:     dot1x_auth Fa0/17: initial state auth_initialize has enter
  00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_initialize_enter called
  00:18:28: dot1x-ev:auth_initialize_enter:0024.1d10.d7c5: Current ID=0
  00:18:28:     dot1x_auth Fa0/17: during state auth_initialize, got event 0(cfg_a
  uto)
  00:18:28: @@@ dot1x_auth Fa0/17: auth_initialize -> auth_disconnected
  00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_disconnected_enter_action called
  00:18:28: dot1x-sm:
  dot1x_update_port_status called with port_status = DOT1X_PORT_STATUS_UNAUTHORIZE
  D
  00:18:28: dot1x-ev:dot1x_update_port_direction: Updating oper direction for Fa0/
  17 (admin=Both, current oper=Both)
  00:18:28: dot1x-ev:dot1x_update_port_direction: New oper direction for Fa0/17 is
   Both
  00:18:28: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEt
  hernet0/17
  00:18:28: dot1x-ev:dot1x_update_port_status: Called with host_mode=0 state UNAUT
  HORIZED
  00:18:28: dot1x-ev:dot1x_update_port_status: using mac 0024.1d10.d7c5 to send po
  rt to unauthorized on vlan 0
  00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:28: dot1x-ev:dot1x_port_unauthorized: Host-mode=0 radius/guest vlan=0 on F
  astEthernet0/17
  00:18:28: dot1x-ev:    GuestVlan configured=0
  00:18:28: dot1x-ev:supplicant 0024.1d10.d7c5 is last
  00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:28: dot1x-ev:0024.1d10.d7c5 is now unauthorized on port FastEthernet0/17
  00:18:28: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEt
  hernet0/17
  00:18:28: dot1x-ev:Enter function dot1x_aaa_acct_end
  00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:28:     dot1x_auth Fa0/17: idle during state auth_disconnected
  00:18:28: @@@ dot1x_auth Fa0/17: auth_disconnected -> auth_connecting
  00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_enter called
  00:18:28:     dot1x_bend Fa0/17: initial state dot1x_bend_initialize has enter
  00:18:28: dot1x-sm:Dot1x Initialize State Entered
  00:18:28:     dot1x_bend Fa0/17: initial state dot1x_bend_initialize has idle
  00:18:28:     dot1x_bend Fa0/17: during state dot1x_bend_initialize, got event 1
  6383(idle)
  00:18:28: @@@ dot1x_bend Fa0/17: dot1x_bend_initialize -> dot1x_bend_idle
  00:18:28: dot1x-sm:Dot1x Idle State Entered
  00:18:28: dot1x-ev:Created port supplicant block 0024.1d10.d7c5 expected_id=1 cu
  rrent_id=1
  00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface
  FastEthernet0/17
  00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface
  FastEthernet0/17
  00:18:28: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0
  024.1d10.d7c5
  00:18:28: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/17
  00:18:28: dot1x-packet:Tx EAP-Request(Id), id 0, ver 1, len 5 (Fa0/17)
  00:18:28: dot1x-registry:registry:dot1x_ether_macaddr called
  00:18:28: dot1x-packet:Tx sa=000f.24e9.72d1, da=0180.c200.0003, et 888E (Fa0/17)
  00:18:28: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
  00:18:28: dot1x-packet:Rx EAP-Response(Id), id 0, ver 1, len 21 (Fa0/17)
  00:18:28: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
  00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:28:     dot1x_auth Fa0/17: during state auth_connecting, got event 7(rxRes
  pId)
  00:18:28: @@@ dot1x_auth Fa0/17: auth_connecting -> auth_authenticating
  00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_exit alled
  00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_authenticating_enter called
  00:18:28: dot1x-ev:sending AUTH_START to BEND for supp_info=80D7E584
  00:18:28: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_authenticating_action c
  alled
  00:18:28: dot1x-ev:Received AuthStart from Authenticator for supp_info=80D7E584
  00:18:28:     dot1x_bend Fa0/17: during state dot1x_bend_idle, got event 1(auth_
  start)
  00:18:28: @@@ dot1x_bend Fa0/17: dot1x_bend_idle -> dot1x_bend_response
  00:18:28: dot1x-sm:Dot1x Response State Entered for supp_info=80D7E584 hwidb=807
  D353C, swidb=807D4898 on intf=Fa0/17
  00:18:28: dot1x-ev:Managed Timer in sub-block attached as leaf to master
  00:18:28: dot1x-sm:Started the ServerTimeout Timer
  00:18:28: dot1x-ev:Going to Send Request to AAA Client on RP for id = 0 and leng
  th = 21
  00:18:28: dot1x-ev:Got a Request from SP to send it to Radius with id 4294967283
  00:18:28: dot1x-ev:Couldn't Find a process thats already handling the request fo
  r this id 0
  00:18:28: dot1x-ev:Inserted AAA request for interface FastEthernet0/17, MAC 0024
  .1d10.d7c5, VLAN 0 on pending request queue
  00:18:28: dot1x-ev:Found a free slot at slot 0
  00:18:28: dot1x-ev:Found a free slot at slot 0
  00:18:28: dot1x-ev:Processing AAA request for interface FastEthernet0/17, MAC 00
  24.1d10.d7c5, VLAN 0 from pending request queue
  00:18:28: dot1x-ev:Request id = -13 and length = 21
  00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:28: dot1x-ev:The Interface on which we got this AAA Request is FastEtherne
  t0/17
  00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:28: dot1x-ev:Username is DUZEY\SAYTAMANER
  00:18:28: dot1x-ev:MAC Address is 0024.1d10.d7c5
  00:18:28: dot1x-ev:RemAddr is 00-24-1D-10-D7-C5/00-0F-24-E9-72-D1
  00:18:28: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:30: %LINK-3-UPDOWN: Interface FastEthernet0/17, changed state to up
  00:18:46: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
  00:18:46: dot1x-packet:Rx EAPOL-Start, ver 1, len 0 (Fa0/17)
  00:18:46: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
  00:18:46: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:46: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:46: dot1x-ev:RECEIVED mac =0024.1d10.d7c5 and Stored MAC =0024.1d10.d7c5
  00:18:46:     dot1x_auth Fa0/17: during state auth_authenticating, got event 4(e
  apStart)
  00:18:46: @@@ dot1x_auth Fa0/17: auth_authenticating -> auth_aborting
  00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_aborting_enter called
  00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_authenticating_aborting_action cal
  led
  00:18:46: dot1x-ev:Received DOT1X_MSG_AUTH_ABORT: setting msg_id = 0
  00:18:46:     dot1x_bend Fa0/17: during state dot1x_bend_response, got event 5(i
  nitialize)
  00:18:46: @@@ dot1x_bend Fa0/17: dot1x_bend_response -> dot1x_bend_initialize
  00:18:46: dot1x-sm:Dot1x Initialize State Entered
  00:18:46:     dot1x_bend Fa0/17: idle during state dot1x_bend_initialize
  00:18:46: @@@ dot1x_bend Fa0/17: dot1x_bend_initialize -> dot1x_bend_idle
  00:18:46: dot1x-sm:Dot1x Idle State Entered
  00:18:46:     dot1x_auth Fa0/17: during state auth_aborting, got event 16(noauth
  Abort_noeapLogoff)
  00:18:46: @@@ dot1x_auth Fa0/17: auth_aborting -> auth_connecting
  00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_enter called
  00:18:46: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0
  024.1d10.d7c5
  00:18:46: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/17
  00:18:46: dot1x-packet:Tx EAP-Request(Id), id 1, ver 1, len 5 (Fa0/17)
  00:18:46: dot1x-registry:registry:dot1x_ether_macaddr called
  00:18:46: dot1x-packet:Tx sa=000f.24e9.72d1, da=0180.c200.0003, et 888E (Fa0/17)
  00:18:46: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
  00:18:46: dot1x-packet:Rx EAP-Response(Id), id 1, ver 1, len 21 (Fa0/17)
  00:18:46: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
  00:18:46: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:46: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:46: dot1x-ev:RECEIVED mac =0024.1d10.d7c5 and Stored MAC =0024.1d10.d7c5
  00:18:46:     dot1x_auth Fa0/17: during state auth_connecting, got event 7(rxRes
  pId)
  00:18:46: @@@ dot1x_auth Fa0/17: auth_connecting -> auth_authenticating
  00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_exit alled
  00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_authenticating_enter called
  00:18:46: dot1x-ev:sending AUTH_START to BEND for supp_info=80D7E584
  00:18:46: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_authenticating_action c
  alled
  00:18:46: dot1x-ev:Received AuthStart from Authenticator for supp_info=80D7E584
  00:18:46:     dot1x_bend Fa0/17: during state dot1x_bend_idle, got event 1(auth_
  start)
  00:18:46: @@@ dot1x_bend Fa0/17: dot1x_bend_idle -> dot1x_bend_response
  00:18:46: dot1x-sm:Dot1x Response State Entered for supp_info=80D7E584 hwidb=807
  D353C, swidb=807D4898 on intf=Fa0/17
  00:18:46: dot1x-ev:Managed Timer in sub-block attached as leaf to master
  00:18:46: dot1x-sm:Started the ServerTimeout Timer
  00:18:46: dot1x-ev:Going to Send Request to AAA Client on RP for id = 1 and leng
  th = 21
  00:18:46: dot1x-ev:Got a Request from SP to send it to Radius with id 4294967284
  00:18:46: dot1x-ev:Found a process thats already handling therequest for this id
   1
  00:18:48: dot1x-err:Dot1x Authentication failed (AAA_AUTHEN_STATUS_ERROR)
  00:18:48: dot1x-ev:Received VLAN is No Vlan
  00:18:48: dot1x-ev:Enqueued the response to BackEnd
  00:18:48: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:48: dot1x-ev:Enter function dot1x_aaa_acct_end
  00:18:48: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:48: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:48: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:18:48: dot1x-ev:Received QUEUE EVENT in response to AAA Request
  00:18:58: dot1x-sm:Fa0/17:0000.0000.0000:dot1x_process_txWhen_expire called
  00:18:58:     dot1x_auth Fa0/17: during state auth_connecting, got event 19(txWh
  en_expire)
  00:18:58: @@@ dot1x_auth Fa0/17: auth_connecting -> auth_connecting
  00:18:58: dot1x-sm:Fa0/17:0000.0000.0000:auth_connecting_connecting_action calle
  d
  00:18:58: dot1x-ev:dot1x_post_message_to_auth_sm: Skipping tx for req_id for def
  ault supplicant
  00:19:07: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
  00:19:07: dot1x-packet:Rx EAPOL-Start, ver 1, len 0 (Fa0/17)
  00:19:07: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
  00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:19:07: dot1x-ev:RECEIVED mac =0024.1d10.d7c5 and Stored MAC =0024.1d10.d7c5
  00:19:07:     dot1x_auth Fa0/17: during state auth_authenticating, got event 4(e
  apStart)
  00:19:07: @@@ dot1x_auth Fa0/17: auth_authenticating -> auth_aborting
  00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_aborting_enter called
  00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_authenticating_aborting_action cal
  led
  00:19:07: dot1x-ev:Received DOT1X_MSG_AUTH_ABORT: setting msg_id = 0
  00:19:07:     dot1x_bend Fa0/17: during state dot1x_bend_response, got event 5(i
  nitialize)
  00:19:07: @@@ dot1x_bend Fa0/17: dot1x_bend_response -> dot1x_bend_initialize
  00:19:07: dot1x-sm:Dot1x Initialize State Entered
  00:19:07:     dot1x_bend Fa0/17: idle during state dot1x_bend_initialize
  00:19:07: @@@ dot1x_bend Fa0/17: dot1x_bend_initialize -> dot1x_bend_idle
  00:19:07: dot1x-sm:Dot1x Idle State Entered
  00:19:07:     dot1x_auth Fa0/17: during state auth_aborting, got event 16(noauth
  Abort_noeapLogoff)
  00:19:07: @@@ dot1x_auth Fa0/17: auth_aborting -> auth_connecting
  00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_enter called
  00:19:07: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0
  024.1d10.d7c5
  00:19:07: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/17
  00:19:07: dot1x-packet:Tx EAP-Request(Id), id 2, ver 1, len 5 (Fa0/17)
  00:19:07: dot1x-registry:registry:dot1x_ether_macaddr called
  00:19:07: dot1x-packet:Tx sa=000f.24e9.72d1, da=0180.c200.0003, et 888E (Fa0/17)
  00:19:07: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/17
  00:19:07: dot1x-packet:Rx EAP-Response(Id), id 2, ver 1, len 21 (Fa0/17)
  00:19:07: dot1x-packet:Rx sa=0024.1d10.d7c5, da=0180.c200.0003, et 888E (Fa0/17)
  00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:19:07: dot1x-ev:RECEIVED mac =0024.1d10.d7c5 and Stored MAC =0024.1d10.d7c5
  00:19:07:     dot1x_auth Fa0/17: during state auth_connecting, got event 7(rxRes
  pId)
  00:19:07: @@@ dot1x_auth Fa0/17: auth_connecting -> auth_authenticating
  00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_exit alled
  00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_authenticating_enter called
  00:19:07: dot1x-ev:sending AUTH_START to BEND for supp_info=80D7E584
  00:19:07: dot1x-sm:Fa0/17:0024.1d10.d7c5:auth_connecting_authenticating_action c
  alled
  00:19:07: dot1x-ev:Received AuthStart from Authenticator for supp_info=80D7E584
  00:19:07:     dot1x_bend Fa0/17: during state dot1x_bend_idle, got event 1(auth_
  start)
  00:19:07: @@@ dot1x_bend Fa0/17: dot1x_bend_idle -> dot1x_bend_response
  00:19:07: dot1x-sm:Dot1x Response State Entered for supp_info=80D7E584 hwidb=807
  D353C, swidb=807D4898 on intf=Fa0/17
  00:19:07: dot1x-ev:Managed Timer in sub-block attached as leaf to master
  00:19:07: dot1x-sm:Started the ServerTimeout Timer
  00:19:07: dot1x-ev:Going to Send Request to AAA Client on RP for id = 2 and leng
  th = 21
  00:19:07: dot1x-ev:Got a Request from SP to send it to Radius with id 4294967285
  00:19:07: dot1x-ev:Couldn't Find a process thats already handling the request fo
  r this id 2
  00:19:07: dot1x-ev:Inserted AAA request for interface FastEthernet0/17, MAC 0024
  .1d10.d7c5, VLAN 0 on pending request queue
  00:19:07: dot1x-ev:Found a free slot at slot 0
  00:19:07: dot1x-ev:Found a free slot at slot 0
  00:19:07: dot1x-ev:Processing AAA request for interface FastEthernet0/17, MAC 00
  24.1d10.d7c5, VLAN 0 from pending request queue
  00:19:07: dot1x-ev:Request id = -11 and length = 21
  00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:19:07: dot1x-ev:The Interface on which we got this AAA Request is FastEtherne
  t0/17
  00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:19:07: dot1x-ev:Username is DUZEY\SAYTAMANER
  00:19:07: dot1x-ev:MAC Address is 0024.1d10.d7c5
  00:19:07: dot1x-ev:RemAddr is 00-24-1D-10-D7-C5/00-0F-24-E9-72-D1
  00:19:07: dot1x-ev:Found a supplicant block for mac 0024.1d10.d7c5 80D7E584
  00:19:19: dot1x-registry:dot1x_port_linkchange invoked on interface FastEthernet
  0/17
  00:19:19: dot1x-ev:supp_info=80D7E584 txWhen_timer=80D7E5D4 quietWhile_timer=80D
  7E594reAuthWhen_timer=80D7E5B4 awhile_timer=80D7E5F4
  00:19:19: dot1x-ev:destroy supplicant block for 0024.1d10.d7c5
  00:19:19: dot1x-ev:supp_info=80D71C74 txWhen_timer=80D71CC4 quietWhile_timer=80D
  71C84reAuthWhen_timer=80D71CA4 awhile_timer=80D71CE4
  00:19:19: dot1x-ev:destroy supplicant block for 0000.0000.0000
  00:19:19: dot1x-ev:Enter function dot1x_aaa_acct_end
  00:19:19: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
  00:19:19: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80D71C74
  00:19:19: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEt
  hernet0/17
  00:19:19: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface
  This is driving me crazy, working on it for a whole week and no results..
  Thank you..

  Hi again,
  I have put the config on 2960. Now as soon as the authentication starts, this is the message on debug;
  dot1x authentication unable to start - authenticator not enabled..
  Any ideas?
  regards,
  onur

• Wired guest vlan with ISE

  Hi all,
  For those that have travelled down the path of ISE, is it reliable to put the all switch ports into a guest vlan and rely on the NAM to change that of corporate users? We will be using the NAM any connect supplicant for corporate users, so they should automatically be changed into the corporate vlan on successful authentication. Is this correct and is this reliable?
  Testing now with all ports on the corporate vlan has guests still accessing the corporate vlan initially before they are changed by the java applet upon registering as a guest user.
  Thanks
  Sent from Cisco Technical Support iPad App

  I will try to answer all of your quesitons:
  1.     "With the standard port configuration, is it better to have the switch ports on vlan 40 (guest vlan) by default, and have the corporate users NAM supplicant change the vlan to 20 if successful, or the other way around and have the ports in default state on vlan 20 (corporate) and when a guest hits the web portal have their vlan changed to vlan 40"
            - I suppose the standard is to have the port in the regular/standard VLAN and only put failed           authentications in the guest VLAN. However, with that being said, it really depends on what you are           trying to accomplish, thus I suppose you could try doing it the other way around. I have never tested it nor           deployed it that way so I highly recommend you try that in the lab
  2.     "I wanted to know if the change of vlan for corporate users with NAM is reliable?"
            - Yes it is. Well at least for the most part Some "dumb" devices such as printers, badge readers, etc,           might not know that a VLAN was changed, thus never request a new IP address. As a result, they get           stuck in the guest VLAN. That is why I usually like to NOT use guest VLAN but send all failed           authentications through the guest portal. There you can control who is guest and who is not via dACLs.
  3.     " We also plan on implementing low impact mode, ie open authentication with a default ACL as there are things           like PXE booting that needs to happen"
            - So my guess is that the guest VLAN terminates on some interface such as FW DMZ. That interface           usually has some ACL that blocks all RFC 1918 and permits everything else. If that is the case and you           want to use Low-Impact mode, then you will need to grant the same access on the DMZ interface as the           one granted in the Low-Impact mode ACL otherwise things will break

• Wired Guest CWA with ISE

  Having a heck of a time getting this to work.
  First option is for the device to try and authenticate using Dot1X/EAP-TLS - for domain-connected devices only.
  If that fails, they want the option to pop a CWA portal where they can enter either AD creds, or internal Guest user creds.
  My challenge is the Policies and where to insert.
  I'm using Policy Sets in ISE 1.2
  Currently, I have these statements in the Default Policy Set:
  Rule Name
  Conditions
  Permissions
  Wired Guest Portal Auth
  if Net Access:UseCase EQUALS Guest Flow
  Permit Access
  Wired Guest Redirect
  if Wired_MAB
  Wired CWA
  What i figured is if they fail the .1X, they'll drop down here to Wired MAB, and that will initiate a redirect and Guest Flow.
  Couple problems:
  First, it does seem to try; a show auth sess shows the proper redirect URL getting sent to the switchport.
  Unfortunately, my browser pop gives me a certificate not recognized error, and if i try to continue anyways, it doesn't do anything. Wireless Guest, which I copied works fine.
  Second challenge is that it forces the redirect whether i have the switch (NAD) in Monitor Mode or Low Impact Mode.  This is a problem because there are multiple sites, and we're cutting each over to Low Impact progressively.
  Does anyone have any insight, or a document laying out in step by step terms implementing this?
  thanks in advance.

  Hi Andrew! Yes, good job on fixing the portal issue!
  And yes, the authorization rules are considered even in an open mode! And you are also correct that you will need to create different rules to account for NADs that are in production and for NADs that are in monitor mode. I have always liked using a separate Policy Set for Monitor Mode and a separate Policy Set for Production Mode. Then I used device location to match against these conditions. For each location I have two sub-groups: One for Monitor and one for Production. That way I can move a NAD from monitor mode to full production by simply changing its group.
  Lastly, yes, your CWA rules should be at the bottom of your production authorization rules. 
  Thank you for rating helpful posts!

• I am running an AD Forest and when I don't have Internet connection on the entire network, some computers cannot log in on the domain

  Hello!
  I run an AD Forest and when my Internet connection is not working, some of my PCs cannot sign in on the domain, while the majority can do this without any problems.
  Could you please help,
  Thanks,
  Radu

  Hi,
  Usually, we have an edge device for internet connection and LAN connection, like a router. So I suppose gateway is not working properly.
  For further troubleshooting, please provide your network topology. DNS, gateway settings. Test if you can ping DC when the issue occur.

• ACS 5.1 Failure: 5411 EAP session timed out -- Wired 802.1X, machine-authentication

  Hi guys,
  I have a strange error here and I`m really disappointed.
  We currently try to do "Wired-802.1X" with our Windows XP SP3 Clients with EAP-TLS and "machine-only" authentication.
  We use ACS5.1 to authenticate the clients. At about 50% of the clients authentication works fine.
  At the other clients we can see a strange error at the ACS.
  At the Reports page --> "Authentications - RADIUS - Today" we see that a client is trying to authenticate, but this fails with the Failure Code: 5411 EAP session timed out.
  Logged At RADIUS
  Status NAS
  Failure Details Username MAC/IP
  Address Access Service Authentication
  Method Network Device NAS IP Address NAS Port ID CTS
  Security Group ACS Instance Failure  Reason
  Sep 2,10 3:37:46.916 PM
  Wired_802.1X_EAP-TLS
  EAP-TLS
  svacs01
  5411 EAP session timed out
  Steps
  11001  Received RADIUS Access-Request
  11017  RADIUS created a new session
  Evaluating Service Selection Policy
  15004  Matched rule
  15012  Selected Access Service - Wired_802.1X_EAP-TLS
  11507  Extracted EAP-Response/Identity
  12500  Prepared EAP-Request proposing EAP-TLS with challenge
  11006  Returned RADIUS Access-Challenge
  5411  EAP session timed out
  At the switch I used "Authentication Open" to get the client working and capture traffic with wireshark.
  Switch --> Request Identity --> Client
  Switch <-- Response Identity <-- Client
  Switch --> Request EAP-TLS --> Client
  Switch --> Request EAP-TLS --> Client
  Switch --> Request EAP-TLS --> Client
  Switch --> Request Identity --> Client
  Switch --> Request Identity --> Client
  Switch --> Request Identity --> Client
  What is missing ist the Switch <-- Response EAP-TLS <-- Client
  Any ideas what is going wrong ? Maybe someone had this error before ?
  Any suggestions how to debug this ?
  Thank you very much for your help!
  Mathias

  Hi @all,
  I have this issue too. It occurs in our wireless environment. The problem for me is that I don't know which client (or clients) causes the error. The error occur many times per day.
  Logged At RADIUS
  Status NAS
  Failure Details Username MAC/IP
  Address Access Service Authentication
  Method Network Device NAS IP Address NAS Port ID CTS
  Security Group ACS Instance Failure  Reason
  Sep 7,10 11:50:36.143 PM
  dot1x wireless
  PEAP
  bfnetacs01
  5411 EAP session timed out
  Kind regards,
  Michael

• Wired 802.1x re-authentication passes but no connectivity after 1 hour

  I am testing wired 802.1x with the desired behavior of machine auth with user auth. I have a 6509 CAT OS 8.3(5) using the dot1x global defaults, 2 laptops one is XP SP1 and XP SP2 both with AuthMode=1 and SupplicantMode=3 with windows update as of 02mar2005. Active Directory. ACS SE 3.2 using vlan assignment. Have tested PC and user in different vlans and it works fine.
  1st observation:
  The initial EAP authentication is good. Every hour there is an EAP request with a final result of success in the packet trace. The switch shows connected dot1x-123. The ACS log shows the passed re-authentication. Everything looks good but both laptops lose connectivity 1 hour after the first authorization. If I issue "set port dot1x initialize" or enable/disable the port the process starts over.
  2nd observation:
  I can connect with Remote Desktop. There are 2 EAP start frames then the port becomes unauthorized about a minute later.
  Any ideas?

  No. I am still waiting on Cisco to address the 1st observation. Does it occur on your 6506 8.4(2). I see it also in my 6509 with 8.4(2). I find it interesting that it works in my end of life 2948g switch 8.2(1)GLX.
  The MS supplicant defaults for WIRED are authmode=1 and supplicantmode=2. Remote Desktop works in their default WIRED mode.
  At this point I am content controlling machine access until dot1x matures. Cisco ACS has a machine access restriction feature that authorizes the port after a successful User Auth. I have found if enabled, a successful Machine Auth will be unauthorized when logged in with a local account. If disable the local account is authorized b/c MA has only occurred.

• In some computers I cannot find "Switch Page Direction" on the shortcut Menu or "View" Menu. Is there any setting related to this subject?

  Hi
  I have a problem with my firefox browser. please Help me!
  In some computers I cannot find "Switch Page Direction" on the shortcut Menu or "View" Menu. Is there any setting related to this subject?
  thanks

  In order to change your Firefox Configuration please do the following steps :
  # In the [[Location bar autocomplete|Location bar]], type '''about:config''' and press '''Enter'''. The about:config "''This might void your warranty!''" warning page may appear.
  # Click '''I'll be careful, I promise!''' to continue to the about:config page.
  # Look for '''bidi.browser.ui''', change its value to '''true''', restart Firefox, then right click to see the '''Switch Page Direction'''

• Cisco ip phones authenticate 802.1x with cisco ise 1.3

  Dear all,
  I want to configure cisco ise 1.3 with 802.1x , to authenticate cisco ip phones ( CUCM 10.5.2 ) with LSC certificate. 
  How I have to configure cisco ise authentication rules for 802.1x with cisco ip phones? Are there any configuration examples ? 
  Thanks

  following are ISE 802.1x  sample authentication rules..you can change the protocol (Policy -> policy elements - > results -> authentication and you can select the proctocal)