802.1x on ES2020

jupoole — Thu, 28 Sep 2017 17:09:01 GMT

ISE Team,

Not sure if everyone is aware but we offer an embedded switch called an ES2020 for tactical/hardened remote access kits. Customer is trying to do .1x and having issues with the dead timer settings (see logs below) on that platform. I looked at the compatibility matrix and I don’t see the ES2020 on there. I am curious if this “should” work and do we support this? I am assuming no one really knew about the switch as it is not widely used and it wasn’t really tested. Thoughts?

ES2020

https://www.cisco.com/c/en/us/products/switches/embedded-service-2020-series-switches/index.html

Here are the logs:

Cisco 2020 running 15.2-5E2c.

"Open" authentication (PACL applied).

"authentication event server alive action reinitialize"

At the end of "server-dead" timeout, while attempting to regain connectivity to radius, the switch "deauthorizes" the port for a period (restricting the client) while attempting to regain radius.

*Jan 2 00:11:33: %RADIUS-3-ALLDEADSERVER: Group radius: No active radius servers found. Id 1.
*Jan 2 00:11:34: %DOT1X-5-FAIL: Authentication failed for client (1866.da2d.1587) on Interface Fa1/18 AuditSessionID 0A64CEE30000000C0009C465
*Jan 2 00:11:35: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (1866.da2d.1587) on Interface Fa1/18 AuditSessionID 0A64CEE30000000C0009C465
.
.
*Jan 2 00:15:41: %RADIUS-6-SERVERALIVE: Group radius: Radius server XXX.XXX.201.166:1645,1646 is responding again (previously dead).
*Jan 2 00:15:41: %RADIUS-4-RADIUS_ALIVE: RADIUS server XXX.XXX.201.166:1645,1646 is being marked alive.
*Jan 2 00:15:52: %RADIUS-4-RADIUS_ALIVE: RADIUS server XXX.XXX.210.12:1645,1646 is being marked alive.
*Jan 2 00:15:58: %RADIUS-4-RADIUS_DEAD: RADIUS server XXX.XXX.201.166:1645,1646 is not responding.
*Jan 2 00:16:10: %DOT1X-5-FAIL: Authentication failed for client (1866.da2d.1587) on Interface Fa1/18 AuditSessionID 0A64CEE30000000D000EB3CC
*Jan 2 00:16:13: %RADIUS-4-RADIUS_DEAD: RADIUS server XXX.XXX.210.12:1645,1646 is not responding.
*Jan 2 00:16:53: %RADIUS-3-ALLDEADSERVER: Group radius: No active radius servers found. Id 24.
*Jan 2 00:16:55: %MAB-5-FAIL: Authentication failed for client (1866.da2d.1587) on Interface Fa1/18 AuditSessionID 0A64CEE30000000D000EB3CC

Re: 802.1x on ES2020

hslai — Tue, 03 Oct 2017 21:46:06 GMT

I would suggest to engage Cisco TAC so TAC may help in verifying the global and interface configurations, etc. ISE compatiblity matrix says,

Cisco ISE supports interoperability with any Cisco or non-Cisco RADIUS client network access device (NAD) that implements common RADIUS behavior (similar to Cisco IOS 12.x) for standards-based authentication.

...

If I were you, I would perform a wired capture and see any exchanges between the switch and ISE.

Sales Connect has a product page https://salesconnect.cisco.com/#/program/PAGE-5849 which might provide some info.

Re: 802.1x on ES2020

thomas — Fri, 27 Oct 2017 14:04:20 GMT

Re: 802.1x on ES2020

jupoole — Fri, 27 Oct 2017 14:17:31 GMT

FYI. The 2020 doesn't work.

Justin

408 895 2605

topic Re: 802.1x on ES2020 in Network Access Control

802.1x on ES2020

Re: 802.1x on ES2020

Re: 802.1x on ES2020

Re: 802.1x on ES2020