Problem with radius authentication on catalyst 2960

Johan Boeckx — Tue, 05 Mar 2019 03:08:25 GMT

Hi all,

I have a problem with radius authentication on catalyst 2960 with freeradius as radius-server. The Catalyst is behind a HP5412zl layer3-switch. The rest of the network are hp-layer2 switches, which do radius authentication to the same radius server. The ios on the catalyst is c2960-lanbasek9-mz.150-1.SE3.

Appaerntly there are no requests made to the radius-server, since I dont see any requests coming in. Port 0/7 is voice port with laptop behind , /port 0/8 access-port with laptop directly connected.

config :

aaa new-model

aaa authentication dot1x default group radius

dot1x system-auth-control

interface FastEthernet0/1

interface FastEthernet0/2

interface FastEthernet0/3

interface FastEthernet0/4

interface FastEthernet0/5

interface FastEthernet0/6

interface FastEthernet0/7

switchport access vlan 3

switchport mode access

switchport voice vlan 16

authentication port-control auto

mls qos trust device cisco-phone

interface FastEthernet0/8

switchport access vlan 3

switchport mode access

authentication port-control auto

spanning-tree portfast

interface GigabitEthernet0/1

switchport trunk allowed vlan 1-3

switchport mode trunk

switchport nonegotiate

interface Vlan2

ip address 10.104.253.5 255.255.255.0

ip default-gateway 10.104.253.1

radius server radius

address ipv4 10.104.254.175 auth-port 1812 acct-port 1813

key 7 045802150C2E

From the logs : (debug authentication, debug dotx11 after enabling authentication port-control auto on fa 0/8

*Mar 1 03:19:09.588: AUTH-EVENT (Fa0/8) Removed the default method from the interface

*Mar 1 03:19:09.588: AUTH-EVENT (Fa0/8) Disabling dot1x in switch shim

*Mar 1 03:19:09.588: AUTH-EVENT (Fa0/8) host access set to 0 on FastEthernet0/8

*Mar 1 03:19:09.588: AUTH-EVENT (Fa0/8) Client delete *ALL* from platform (2)

*Mar 1 03:19:09.588: AUTH-EVENT (Fa0/8) Ignoring delete *ALL* - previous pending

*Mar 1 03:19:09.588: AUTH-EVENT (Fa0/8) Queued subblock to be destroyed

*Mar 1 03:19:09.588: AUTH-EVENT (Fa0/8) Created Auth Manager SWSB (0x01EB4058)

*Mar 1 03:19:09.588: AUTH-EVENT (Fa0/8) Set port control (3->2)

*Mar 1 03:19:09.588: AUTH-EVENT (Fa0/8) Enabling dot1x in switch shim

*Mar 1 03:19:09.588: AUTH-EVENT (Fa0/8) host access set to 1 on FastEthernet0/8

*Mar 1 03:19:09.596: AUTH-EVENT (Fa0/8) Queued START

*Mar 1 03:19:09.596: AUTH-EVENT (Fa0/8) Received internal event DELETE ALL

*Mar 1 03:19:09.596: AUTH-EVENT (Fa0/8) Stopped 'inactivity' timer for client 0026.b99a.8f2f

*Mar 1 03:19:09.596: AUTH-EVENT (Fa0/8) Signalling "pre" delete for client 0026.b99a.8f2f

*Mar 1 03:19:09.596: AUTH-EVENT: Enter auth_mgr_idc_client_deleted

*Mar 1 03:19:09.596: AUTH-EVENT: Enter auth_mgr_idc_remove_record

*Mar 1 03:19:09.596: AUTH-SYNC (Fa0/8) Syncing delete for context (0026.b99a.8f2f)

*Mar 1 03:19:09.596: AUTH-EVENT (Fa0/8) Sending DELETE to (handle 0x7E00000B)

*Mar 1 03:19:09.596: AUTH-EVENT (Fa0/8) Freeing AAA-ID 0x0000001F for 0026.b99a.8f2f

*Mar 1 03:19:09.596: AUTH-EVENT (Fa0/8) Signalling "post" delete for client 0026.b99a.8f2f in domain DATA

*Mar 1 03:19:09.605: AUTH-EVENT (Fa0/8) Authorized client count: 0

*Mar 1 03:19:09.605: AUTH-EVENT (Fa0/8) Setting vlan to 0 on DATA Vlan

*Mar 1 03:19:09.605: AUTH-EVENT (Fa0/8) Unauthorizing interface in shim

*Mar 1 03:19:09.605: AUTH-EVENT (Fa0/8) set host access to ask on FastEthernet0/8

*Mar 1 03:19:09.605: AUTH-EVENT (Fa0/8) host access set to 1 on FastEthernet0/8

*Mar 1 03:19:09.605: AUTH-EVENT (Fa0/8) set host access to ask on FastEthernet0/8

*Mar 1 03:19:09.605: AUTH-EVENT (Fa0/8) host access set to 1 on FastEthernet0/8

*Mar 1 03:19:09.605: AUTH-EVENT (Fa0/8) Get domain: Unknown MAC: 0026.b99a.8f2f