802.1x catalyst 4948e network policy server windows authentication

Cameron Webster — Mon, 11 Mar 2019 07:33:21 GMT

I have a WS-C4948E (Catalyst 4500 L3 Switch Software (cat4500e-ENTSERVICESK9-M), Version 15.1(1)SG2) that I have been unsuccessfully trying to configure to allow 802.1x authentication through radius provided by network policy server (tried NPS on both server 2008 and 2012R2)

Relevant switch config parts:

aaa new-model
!
aaa group server radius aaa-grp-1x-radius
 server name radius-backupserver
!
aaa authentication login aaa-local local
aaa authentication dot1x default group aaa-grp-1x-radius
aaa authorization network default group radius
# also tried aaa authorization network default group aaa-grp-1x-radius
aaa accounting dot1x default start-stop group aaa-grp-1x-radius
!
aaa session-id common
authentication mac-move permit
!
dot1x system-auth-control
!
interface GigabitEthernet1/31
 switchport mode access
 mtu 9000
 authentication port-control auto
 dot1x pae authenticator
# also tried authentication control-direction in

radius server radius-backupserver
 address ipv4 192.168.1.1 auth-port 1645 acct-port 1646
 key <radius key>

I've tried every type of config on the NPS which is running with a self-signed cert. The client side is windows 7 and I've got it configured to not check for a valid cert and for user authentication.

Some more switch show commands and debug dot1x all output:

show dot1x int gi 1/31 details
Dot1x Info for GigabitEthernet1/31
-----------------------------------
PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30

 #show authentication session interface gigabitEthernet 1/31
 Interface: GigabitEthernet1/31
 MAC Address: ab12.cd34.de56
 IP Address: Unknown
 User-Name: DOMAIN\user
 Status: Running
 Domain: UNKNOWN
 Oper host mode: single-host
 Oper control dir: both
 Session timeout: N/A
 Idle timeout: N/A
 Common Session ID: 0A000079000263C623CE857D
 Acct Session ID: 0x000263E0
 Handle: 0x0800040C
Runnable methods list:
 Method State
 dot1x Running

#show port-security interface gigabitEthernet 1/31
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0

#term mon
#debug dot1x all
Mar 17 15:22:19.623: dot1x-ev(Gi1/31): Interface state changed to UP
Mar 17 15:22:19.623: dot1x_auth Gi1/31: initial state auth_initialize has enter
Mar 17 15:22:19.623: dot1x-sm(Gi1/31): 0xAC0004D7:auth_initialize_enter called
Mar 17 15:22:19.623: dot1x_auth Gi1/31: during state auth_initialize, got event 0(cfg_auto)
Mar 17 15:22:19.623: @@@ dot1x_auth Gi1/31: auth_initialize -> auth_disconnected
Mar 17 15:22:19.623: dot1x-sm(Gi1/31): 0xAC0004D7:auth_disconnected_enter called
Mar 17 15:22:19.623: dot1x_auth Gi1/31: idle during state auth_disconnected
Mar 17 15:22:19.623: @@@ dot1x_auth Gi1/31: auth_disconnected -> auth_restart
Mar 17 15:22:19.623: dot1x-sm(Gi1/31): 0xAC0004D7:auth_restart_enter called
Mar 17 15:22:19.623: dot1x-ev(Gi1/31): Sending create new context event to EAP for 0xAC0004D7 (0000.0000.0000)
Mar 17 15:22:19.623: dot1x_auth_bend Gi1/31: initial state auth_bend_initialize has enter
Mar 17 15:22:19.623: dot1x-sm(Gi1/31): 0xAC0004D7:auth_bend_initialize_enter called
Mar 17 15:22:19.623: dot1x_auth_bend Gi1/31: initial state auth_bend_initialize has idle
Mar 17 15:22:19.627: dot1x_auth_bend Gi1/31: during state auth_bend_initialize, got event 16383(idle)
Mar 17 15:22:19.627: @@@ dot1x_auth_bend Gi1/31: auth_bend_initialize -> auth_bend_idle
Mar 17 15:22:19.627: dot1x-sm(Gi1/31): 0xAC0004D7:auth_bend_idle_enter called
Mar 17 15:22:19.627: dot1x-ev(Gi1/31): Created a client entry (0xAC0004D7)
Mar 17 15:22:19.627: dot1x-ev(Gi1/31): Dot1x authentication started for 0xAC0004D7 (0000.0000.0000)
Mar 17 15:22:19.627: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/31
Mar 17 15:22:19.627: dot1x-sm(Gi1/31): Posting !EAP_RESTART on Client 0xAC0004D7
Mar 17 15:22:19.627: dot1x_auth Gi1/31: during state auth_restart, got event 6(no_eapRestart)
Mar 17 15:22:19.627: @@@ dot1x_auth Gi1/31: auth_restart -> auth_connecting
Mar 17 15:22:19.627: dot1x-sm(Gi1/31): 0xAC0004D7:auth_connecting_enter called
Mar 17 15:22:19.627: dot1x-sm(Gi1/31): 0xAC0004D7:auth_restart_connecting_action called
Mar 17 15:22:19.627: dot1x-sm(Gi1/31): Posting RX_REQ on Client 0xAC0004D7
Mar 17 15:22:19.627: dot1x_auth Gi1/31: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
Mar 17 15:22:19.627: @@@ dot1x_auth Gi1/31: auth_connecting -> auth_authenticating
Mar 17 15:22:19.627: dot1x-sm(Gi1/31): 0xAC0004D7:auth_authenticating_enter called
Mar 17 15:22:19.627: dot1x-sm(Gi1/31): 0xAC0004D7:auth_connecting_authenticating_action called
Mar 17 15:22:19.627: dot1x-sm(Gi1/31): Posting AUTH_START for 0xAC0004D7
Mar 17 15:22:19.627: dot1x_auth_bend Gi1/31: during state auth_bend_idle, got event 4(eapReq_authStart)
Mar 17 15:22:19.627: @@@ dot1x_auth_bend Gi1/31: auth_bend_idle -> auth_bend_request
Mar 17 15:22:19.627: dot1x-sm(Gi1/31): 0xAC0004D7:auth_bend_request_enter called
Mar 17 15:22:19.627: dot1x-ev(Gi1/31): Sending EAPOL packet to group PAE address
Mar 17 15:22:19.627: dot1x-ev(Gi1/31): Role determination not required
Mar 17 15:22:19.627: dot1x-registry:registry:dot1x_ether_macaddr called
Mar 17 15:22:19.627: dot1x-ev(Gi1/31): Sending out EAPOL packet
Mar 17 15:22:19.627: EAPOL pak dump Tx
Mar 17 15:22:19.627: EAPOL Version: 0x3 type: 0x0 length: 0x0005
Mar 17 15:22:19.627: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
Mar 17 15:22:19.627: dot1x-packet(Gi1/31): EAPOL packet sent to client 0xAC0004D7 (0000.0000.0000)
Mar 17 15:22:19.627: dot1x-sm(Gi1/31): 0xAC0004D7:auth_bend_idle_request_action called
Mar 17 15:22:19.647: dot1x-ev(Gi1/31): Role determination not required
Mar 17 15:22:19.647: dot1x-packet(Gi1/31): queuing an EAPOL pkt on Auth Q
Mar 17 15:22:19.647: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Mar 17 15:22:19.647: dot1x-ev(Gi1/31): Role determination not required
Mar 17 15:22:19.647: dot1x-packet(Gi1/31): Queuing an EAPOL pkt on Authenticator Q
Mar 17 15:22:19.647: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Mar 17 15:22:19.647: EAPOL pak dump rx
Mar 17 15:22:19.647: EAPOL Version: 0x1 type: 0x1 length: 0x0000
Mar 17 15:22:19.647: dot1x-ev:
dot1x_auth_queue_event: Int Gi1/31 CODE= 0,TYPE= 0,LEN= 0
Mar 17 15:22:19.647: dot1x-packet(Gi1/31): Received an EAPOL frame
Mar 17 15:22:19.647: dot1x-ev(Gi1/31): Received pkt saddr =ab12.cd34.de56 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Mar 17 15:22:19.647: dot1x-ev(Gi1/31): Couldn't find the supplicant in the list
Mar 17 15:22:19.647: dot1x-ev(Gi1/31): New client detected, issuing Start Request to AuthMgr
Mar 17 15:22:19.647: EAPOL pak dump rx
Mar 17 15:22:19.647: EAPOL Version: 0x1 type: 0x0 length: 0x0017
Mar 17 15:22:19.647: dot1x-ev:
dot1x_auth_queue_event: Int Gi1/31 CODE= 2,TYPE= 1,LEN= 23
Mar 17 15:22:19.647: dot1x-packet(Gi1/31): Received an EAPOL frame
Mar 17 15:22:19.647: dot1x-ev(Gi1/31): Received pkt saddr =ab12.cd34.de56 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.0017
Mar 17 15:22:19.647: dot1x-ev(Gi1/31): Couldn't find the supplicant in the list
Mar 17 15:22:19.647: dot1x-ev(Gi1/31): New client detected, issuing Start Request to AuthMgr
Mar 17 15:22:19.647: dot1x-ev(Gi1/31): New client notification from AuthMgr for 0xAC0004D7 - ab12.cd34.de56
Mar 17 15:22:19.647: %AUTHMGR-5-START: Starting 'dot1x' for client (ab12.cd34.de56) on Interface Gi1/31 AuditSessionID 0A000079000263CD23D520E5
Mar 17 15:22:19.647: dot1x-sm(Gi1/31): Posting RESTART on Client 0xAC0004D7
Mar 17 15:22:19.647: dot1x_auth Gi1/31: during state auth_authenticating, got event 13(restart)
Mar 17 15:22:19.647: @@@ dot1x_auth Gi1/31: auth_authenticating -> auth_aborting
Mar 17 15:22:19.647: dot1x-sm(Gi1/31): 0xAC0004D7:auth_authenticating_exit called
Mar 17 15:22:19.647: dot1x-sm(Gi1/31): 0xAC0004D7:auth_aborting_enter called
Mar 17 15:22:19.647: dot1x-sm(Gi1/31): 0xAC0004D7:auth_authenticating_aborting_action called
Mar 17 15:22:19.647: dot1x-sm(Gi1/31): Posting AUTH_ABORT for 0xAC0004D7
Mar 17 15:22:19.647: dot1x_auth_bend Gi1/31: during state auth_bend_request, got event 1(authAbort)
Mar 17 15:22:19.647: @@@ dot1x_auth_bend Gi1/31: auth_bend_request -> auth_bend_initialize
Mar 17 15:22:19.647: dot1x-sm(Gi1/31): 0xAC0004D7:auth_bend_initialize_enter called
Mar 17 15:22:19.647: dot1x_auth_bend Gi1/31: idle during state auth_bend_initialize
Mar 17 15:22:19.647: @@@ dot1x_auth_bend Gi1/31: auth_bend_initialize -> auth_bend_idle
Mar 17 15:22:19.647: dot1x-sm(Gi1/31): 0xAC0004D7:auth_bend_idle_enter called
Mar 17 15:22:19.647: dot1x-sm(Gi1/31): Posting !AUTH_ABORT on Client 0xAC0004D7
Mar 17 15:22:19.647: dot1x_auth Gi1/31: during state auth_aborting, got event 20(no_eapolLogoff_no_authAbort)
Mar 17 15:22:19.647: @@@ dot1x_auth Gi1/31: auth_aborting -> auth_restart
Mar 17 15:22:19.647: dot1x-sm(Gi1/31): 0xAC0004D7:auth_aborting_exit called
Mar 17 15:22:19.647: dot1x-sm(Gi1/31): 0xAC0004D7:auth_restart_enter called
Mar 17 15:22:19.647: dot1x-ev(Gi1/31): Resetting the client 0xAC0004D7 (ab12.cd34.de56)
Mar 17 15:22:19.647: dot1x-ev(Gi1/31): Sending create new context event to EAP for 0xAC0004D7 (ab12.cd34.de56)
Mar 17 15:22:19.647: dot1x-sm(Gi1/31): 0xAC0004D7:auth_aborting_restart_action called
Mar 17 15:22:19.647: dot1x-sm(Gi1/31): Posting !EAP_RESTART on Client 0xAC0004D7
Mar 17 15:22:19.647: dot1x_auth Gi1/31: during state auth_restart, got event 6(no_eapRestart)
Mar 17 15:22:19.647: @@@ dot1x_auth Gi1/31: auth_restart -> auth_connecting
Mar 17 15:22:19.647: dot1x-sm(Gi1/31): 0xAC0004D7:auth_connecting_enter called
Mar 17 15:22:19.647: dot1x-sm(Gi1/31): 0xAC0004D7:auth_restart_connecting_action called
Mar 17 15:22:19.647: dot1x-sm(Gi1/31): Posting RX_REQ on Client 0xAC0004D7
Mar 17 15:22:19.647: dot1x_auth Gi1/31: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
Mar 17 15:22:19.647: @@@ dot1x_auth Gi1/31: auth_connecting -> auth_authenticating
Mar 17 15:22:19.647: dot1x-sm(Gi1/31): 0xAC0004D7:auth_authenticating_enter called
Mar 17 15:22:19.647: dot1x-sm(Gi1/31): 0xAC0004D7:auth_connecting_authenticating_action called
Mar 17 15:22:19.651: dot1x-sm(Gi1/31): Posting AUTH_START for 0xAC0004D7
Mar 17 15:22:19.651: dot1x_auth_bend Gi1/31: during state auth_bend_idle, got event 4(eapReq_authStart)
Mar 17 15:22:19.651: @@@ dot1x_auth_bend Gi1/31: auth_bend_idle -> auth_bend_request
Mar 17 15:22:19.651: dot1x-sm(Gi1/31): 0xAC0004D7:auth_bend_request_enter called
Mar 17 15:22:19.651: dot1x-ev(Gi1/31): Sending EAPOL packet to group PAE address
Mar 17 15:22:19.651: dot1x-ev(Gi1/31): Role determination not required
Mar 17 15:22:19.651: dot1x-registry:registry:dot1x_ether_macaddr called
Mar 17 15:22:19.651: dot1x-ev(Gi1/31): Sending out EAPOL packet
Mar 17 15:22:19.651: EAPOL pak dump Tx
Mar 17 15:22:19.651: EAPOL Version: 0x3 type: 0x0 length: 0x0005
Mar 17 15:22:19.651: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
Mar 17 15:22:19.651: dot1x-packet(Gi1/31): EAPOL packet sent to client 0xAC0004D7 (ab12.cd34.de56)
Mar 17 15:22:19.651: dot1x-sm(Gi1/31): 0xAC0004D7:auth_bend_idle_request_action called
Mar 17 15:22:19.667: dot1x-ev(Gi1/31): Role determination not required
Mar 17 15:22:19.667: dot1x-packet(Gi1/31): Queuing an EAPOL pkt on Authenticator Q
Mar 17 15:22:19.667: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Mar 17 15:22:19.667: EAPOL pak dump rx
Mar 17 15:22:19.667: EAPOL Version: 0x1 type: 0x0 length: 0x0017
Mar 17 15:22:19.667: dot1x-ev:
dot1x_auth_queue_event: Int Gi1/31 CODE= 2,TYPE= 1,LEN= 23
Mar 17 15:22:19.667: dot1x-packet(Gi1/31): Received an EAPOL frame
Mar 17 15:22:19.667: dot1x-ev(Gi1/31): Received pkt saddr =ab12.cd34.de56 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.0017
Mar 17 15:22:19.667: dot1x-packet(Gi1/31): Received an EAP packet
Mar 17 15:22:19.667: EAPOL pak dump rx
Mar 17 15:22:19.667: EAPOL Version: 0x1 type: 0x0 length: 0x0017
Mar 17 15:22:19.667: dot1x-packet(Gi1/31): Received an EAP packet from ab12.cd34.de56
Mar 17 15:22:19.667: dot1x-sm(Gi1/31): Posting EAPOL_EAP for 0xAC0004D7
Mar 17 15:22:19.667: dot1x_auth_bend Gi1/31: during state auth_bend_request, got event 6(eapolEap)
Mar 17 15:22:19.667: @@@ dot1x_auth_bend Gi1/31: auth_bend_request -> auth_bend_response
Mar 17 15:22:19.667: dot1x-sm(Gi1/31): 0xAC0004D7:auth_bend_response_enter called
Mar 17 15:22:19.667: dot1x-ev(Gi1/31): dot1x_sendRespToServer: Response sent to the server from 0xAC0004D7 (ab12.cd34.de56)
Mar 17 15:22:19.667: dot1x-sm(Gi1/31): 0xAC0004D7:auth_bend_request_response_action called
Mar 17 15:22:19.687: dot1x-sm(Gi1/31): Posting EAP_REQ for 0xAC0004D7
Mar 17 15:22:19.687: dot1x_auth_bend Gi1/31: during state auth_bend_response, got event 7(eapReq)
Mar 17 15:22:19.687: @@@ dot1x_auth_bend Gi1/31: auth_bend_response -> auth_bend_request
Mar 17 15:22:19.687: dot1x-sm(Gi1/31): 0xAC0004D7:auth_bend_response_exit called
Mar 17 15:22:19.687: dot1x-sm(Gi1/31): 0xAC0004D7:auth_bend_request_enter called
Mar 17 15:22:19.687: dot1x-ev(Gi1/31): Sending EAPOL packet to group PAE address
Mar 17 15:22:19.687: dot1x-ev(Gi1/31): Role determination not required
Mar 17 15:22:19.687: dot1x-registry:registry:dot1x_ether_macaddr called
Mar 17 15:22:19.687: dot1x-ev(Gi1/31): Sending out EAPOL packet
Mar 17 15:22:19.687: EAPOL pak dump Tx
Mar 17 15:22:19.687: EAPOL Version: 0x3 type: 0x0 length: 0x0022
Mar 17 15:22:19.687: EAP code: 0x1 id: 0x2 length: 0x0022 type: 0x1A
Mar 17 15:22:19.687: dot1x-packet(Gi1/31): EAPOL packet sent to client 0xAC0004D7 (ab12.cd34.de56)
Mar 17 15:22:19.687: dot1x-sm(Gi1/31): 0xAC0004D7:auth_bend_response_request_action called
Mar 17 15:22:19.687: dot1x-ev(Gi1/31): Role determination not required
Mar 17 15:22:19.687: dot1x-packet(Gi1/31): Queuing an EAPOL pkt on Authenticator Q
Mar 17 15:22:19.687: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Mar 17 15:22:19.687: EAPOL pak dump rx
Mar 17 15:22:19.687: EAPOL Version: 0x1 type: 0x0 length: 0x0006
Mar 17 15:22:19.687: dot1x-ev:
dot1x_auth_queue_event: Int Gi1/31 CODE= 2,TYPE= 3,LEN= 6
Mar 17 15:22:19.687: dot1x-packet(Gi1/31): Received an EAPOL frame
Mar 17 15:22:19.687: dot1x-ev(Gi1/31): Received pkt saddr =ab12.cd34.de56 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.0006
Mar 17 15:22:19.687: dot1x-packet(Gi1/31): Received an EAP packet
Mar 17 15:22:19.687: EAPOL pak dump rx
Mar 17 15:22:19.687: EAPOL Version: 0x1 type: 0x0 length: 0x0006
Mar 17 15:22:19.687: dot1x-packet(Gi1/31): Received an EAP packet from ab12.cd34.de56
Mar 17 15:22:19.687: dot1x-sm(Gi1/31): Posting EAPOL_EAP for 0xAC0004D7
Mar 17 15:22:19.687: dot1x_auth_bend Gi1/31: during state auth_bend_request, got event 6(eapolEap)
Mar 17 15:22:19.687: @@@ dot1x_auth_bend Gi1/31: auth_bend_request -> auth_bend_response
Mar 17 15:22:19.687: dot1x-sm(Gi1/31): 0xAC0004D7:auth_bend_response_enter called
Mar 17 15:22:19.687: dot1x-ev(Gi1/31): dot1x_sendRespToServer: Response sent to the server from 0xAC0004D7 (ab12.cd34.de56)
Mar 17 15:22:19.687: dot1x-sm(Gi1/31): 0xAC0004D7:auth_bend_request_response_action called

The client tries and then eventually finishes with authentication failed. Also tried configuring NPS to just require the NAS IP address but no progress.

I'd appreciate any suggestions as I seem to be making no progress. I've tried switching it off and back on again 😉

Thanks

The NPS should see RADIUS

Rahul Govindan — Fri, 17 Mar 2017 18:00:05 GMT

The NPS should see RADIUS requests and send response accordingly. Can you run a "debug radius all" to see the RADIUS transaction taking place. Also, does the NPS server logs show you what Connection Request Policy and Network Policy is being used?

The radius server was sending

Cameron Webster — Thu, 23 Mar 2017 10:41:10 GMT

The radius server was sending Access-Reject found running debug radius. That seems to be a bit of a red herring as I've just enabled unencrypted authentication (PAP,SPAP) in the radius server network policy and the switch 'test aaa group...' command now works. Is there any way to enable encrypted authentication between the switch and NPS for 802.1x requests?

(Thanks for the reply)

topic The NPS should see RADIUS in Network Access Control

802.1x catalyst 4948e network policy server windows authentication

The NPS should see RADIUS

The radius server was sending