Mac Authentication bypass using ACS 4.1 Appliance and 3560 Switch

b.zont — Sun, 10 Mar 2019 23:48:55 GMT

Hi,

I am trying to use Mac authetication bypass for dynamic vlan assignment but I couldn't even authenticate using ACS until now.

Here is my config :

Interface Config:

switchport access vlan 47
switchport mode access
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
dot1x reauthentication

AAA and Radius config:

aaa new-model
aaa authentication login default line
aaa authentication dot1x default group radius
aaa authorization network default group radius

dot1x system-auth-control

radius-server host 10.1.18.40 auth-port 1645 acct-port 1646 key secretkey
radius-server host 10.1.18.41 auth-port 1645 acct-port 1646 key secretkey
radius-server source-ports 1645-1646
radius-server key secretkey

On the ACS, I have configured AAA client for the switch to use RADIUS IETF. I have added the a user using the mac address of the PC I am testing as in the below format:

username : 002264b776e2

password : 002264b776e2

I have disabled the 802.1x on the Windows XP PC that I am testing. But it is not being authenticated. I have checked the shared key to make sure I have entered them correctly on both ACS and the swith.

Here is the debug output from the switch:

062524: Nov 25 13:23:41: RADIUS: AAA Unsupported     [161] 16
062525: Nov 25 13:23:41: RADIUS:   46 61 73 74 45 74 68 65 72 6E 65 74 30 2F        [FastEthernet0/]
062526: Nov 25 13:23:41: RADIUS(00000652): Storing nasport 50014 in rad_db
062527: Nov 25 13:23:41: RADIUS(00000652): Config NAS IP: 0.0.0.0
062528: Nov 25 13:23:41: RADIUS/ENCODE(00000652): acct_session_id: 1618
062529: Nov 25 13:23:41: RADIUS(00000652): sending
062530: Nov 25 13:23:41: RADIUS/ENCODE: Best Local IP-Address 10.1.16.37 for Radius-Server 10.1.18.40
062531: Nov 25 13:23:41: RADIUS(00000652): Send Access-Request to 10.1.18.40:1645 id 1645/63, len 138
062532: Nov 25 13:23:41: RADIUS: authenticator DD AF 86 D4 77 7D 84 B0 - 0A CE 11 D3 DF 90 AE AD
062533: Nov 25 13:23:41: RADIUS: User-Name           [1]   14 "002264b776e2"
062534: Nov 25 13:23:41: RADIUS: User-Password       [2]   18 *
062535: Nov 25 13:23:41: RADIUS: Service-Type        [6]   6   Call Check                [10]
062536: Nov 25 13:23:41: RADIUS: Framed-MTU          [12] 6   1500
062537: Nov 25 13:23:41: RADIUS: Called-Station-Id   [30] 19 "00-1E-14-C4-7C-90"
062538: Nov 25 13:23:41: RADIUS: Calling-Station-Id [31] 19 "00-22-64-B7-76-E2"
062539: Nov 25 13:23:41: RADIUS: Message-Authenticato[80] 18
062540: Nov 25 13:23:41: RADIUS:   20 DD 3B A9 8E 96 13 5D F4 B2 B6 BF 08 90 33 9F [ ?;????]??????3?]
062541: Nov 25 13:23:41: RADIUS: NAS-Port-Type       [61] 6   Eth                       [15]
062542: Nov 25 13:23:41: RADIUS: NAS-Port            [5]   6   50014
062543: Nov 25 13:23:41: RADIUS: NAS-IP-Address      [4]   6   10.1.16.37
062544: Nov 25 13:23:47: RADIUS: Retransmit to (10.1.18.40:1645,1646) for id 1645/63
062545: Nov 25 13:23:53: RADIUS: Retransmit to (10.1.18.40:1645,1646) for id 1645/63
062546: Nov 25 13:23:58: RADIUS: Retransmit to (10.1.18.40:1645,1646) for id 1645/63
062547: Nov 25 13:24:04: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.1.18.40:1645,1646 is not responding.
062548: Nov 25 13:24:04: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.1.18.40:1645,1646 has returned.
062549: Nov 25 13:24:04: RADIUS: Fail-over to (10.1.18.41:1645,1646) for id 1645/63
062550: Nov 25 13:24:04: RADIUS/ENCODE: Best Local IP-Address 10.1.16.37 for Radius-Server 10.1.18.41
062551: Nov 25 13:24:09: RADIUS: Retransmit to (10.1.18.41:1645,1646) for id 1645/63
062552: Nov 25 13:24:15: RADIUS: Retransmit to (10.1.18.41:1645,1646) for id 1645/63
062553: Nov 25 13:24:21: RADIUS: Retransmit to (10.1.18.41:1645,1646) for id 1645/63
062554: Nov 25 13:24:26: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.1.18.41:1645,1646 is not responding.
062555: Nov 25 13:24:26: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.1.18.41:1645,1646 has returned.
062556: Nov 25 13:24:26: RADIUS: No response from (10.1.18.41:1645,1646) for id 1645/63
062557: Nov 25 13:24:26: RADIUS/DECODE: parse response no app start; FAIL
062558: Nov 25 13:24:26: RADIUS/DECODE: parse response; FAIL

On the ACS logs I have the below messages in the failed attempts logs:

25/11/2009

13:24:09

Bad request from NAS

(Unknown)

Invalid message authenticator in EAP request

10.1.16.37

XXX-NW-DEVICES-2

XXX-Access-Sw

I know I am doing something wrong or something is missing but couldn't find what. Any ideas would be appreciated.

Re: Mac Authentication bypass using ACS 4.1 Appliance and 3560 S

kussriva — Thu, 26 Nov 2009 22:49:37 GMT

Hi,

The error "Bad request from NAS" comes because of a radius shared secret key mismatch.

If you have entered the AAA client entry for the switch in a particular Network Device Group (NDG) on the ACS, please move it in the Not Assigned group.

Also make sure we have not copied and pasted the shared secret key on the device and the ACS but manually typed it in.

Regards,

Re: Mac Authentication bypass using ACS 4.1 Appliance and 3560 S

b.zont — Fri, 27 Nov 2009 15:06:51 GMT

Hi,

I have put the switch in to not assigned group.

Now I am having the below error message on ACS:

27/11/2009

16:04:23

Authen failed

002264b776e2

Test Group 7

00-22-64-B7-76-E2

(Default)

Internal error

50014

10.1.16.37

XXX-NW-DEVICES-2

I am sure that I have enteres the secret key correcly.

Any other ideas ?

Re: Mac Authentication bypass using ACS 4.1 Appliance and 3560 S

kush.sri2001 — Tue, 01 Dec 2009 05:21:25 GMT

Hi,

The Internal Error can come due to many reasons like ACS Appliance agent installed on an unsupported version of the Operating System or not installed properly.

Have you created the entry of the MAC address in the ACS Internal Database or in the Active Directory? If it's in the Active Directory, if possible create a test user in the ACS database and then test with it.

You can use the command "test aaa group radius (username) (password) legacy" while doing the testing. This is a test command used to check the authentication from the radius server from the IOS devices.

For more information about http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.1/installation/guide/remote_agent/rawi.html

Regards

topic Re: Mac Authentication bypass using ACS 4.1 Appliance and 3560 S in Network Access Control

Mac Authentication bypass using ACS 4.1 Appliance and 3560 Switch

Re: Mac Authentication bypass using ACS 4.1 Appliance and 3560 S

Re: Mac Authentication bypass using ACS 4.1 Appliance and 3560 S

Re: Mac Authentication bypass using ACS 4.1 Appliance and 3560 S