topic Re: CLIENT AUTHENTICATION FAILURE in Network Access Control

CLIENT AUTHENTICATION FAILURE

isaaco001 — Thu, 14 Mar 2019 09:15:52 GMT

Hi all,

I have setup ise on vmware and using a real switch for authentication configurations and a test pc. Network device is setup in ise together with mac-address of client however there is authentication failure! i have disabled windows firewall on host and test pc but no success. Kindly advise how i can sort this. Please find the switch configs attached!

Thanks!

Re: CLIENT AUTHENTICATION FAILURE

Damien Miller — Thu, 14 Mar 2019 11:03:54 GMT

Can you provide us with the ISE authentication details log. ISE often gives a pretty direct reason for an authentication failure, or we can at least infer quite a bit from it.

Re: CLIENT AUTHENTICATION FAILURE

balaji.bandi — Thu, 14 Mar 2019 11:17:01 GMT

In addition to other post.

You need to check radius connectivity on ports 1812 and 1813 udp.

If you type show aaa server in the switch you will see the radius status dead.

Can you also Enable debug : ( to see what is wrong) , since if the packet not reached to ISE, ISE would not have any logs in this case.

debug radius
debug authentication all
debug authentication feature all

Re: CLIENT AUTHENTICATION FAILURE

isaaco001 — Thu, 14 Mar 2019 12:27:54 GMT

Hi Balaji,

Firstly,thanks for the prompt response. I have captured logs from switch(please find attached). Kindly, clarify which device i am checking for ports 1812/1813 and if its switch how will i check this. I have check form ISE GUI ,operations>live authentication(is this the correct place?), there is much there just old authentication failure.

Just to clarify f0/1 is connected to my laptop where ise is running, f0/3 is connected to test pc.

i come across this lines in the logs,does it mean dot1x is not enabled on test pc?

Jan 2 04:47:38.428: AUTH-FEAT-CRITICAL-EVENT (Fa0/3) Critcal authc fail, mac a0d3.c19c.5956, auth_event 2
*Jan 2 04:47:38.428: AUTH-FEAT-CRITICAL-EVENT (Fa0/3) Critical auth not applicable. Feature is not enabled

Thanks once more!

Re: CLIENT AUTHENTICATION FAILURE

isaaco001 — Thu, 14 Mar 2019 12:31:06 GMT

Hi Damien,

Thanks for the quick response! from ISE side i didn't see much in the operations>live authentication section just old authentication failures. I hope am checking the right place. Here is snapshot attached.

Re: CLIENT AUTHENTICATION FAILURE

ldanny — Thu, 14 Mar 2019 12:35:46 GMT

In your snapshot you will see the column "details"

Please click on that and provide a screen shot of those lots.

As well please provide your Authentication policy you have setup.

Re: CLIENT AUTHENTICATION FAILURE

isaaco001 — Thu, 14 Mar 2019 12:50:49 GMT

Hi Idanny,

Thanks for your response. I have taken snapshots of the detail column. Its a fresh installation and am just beginning to use ise so i didn't set any authentication policy on ise.

Re: CLIENT AUTHENTICATION FAILURE

isaaco001 — Thu, 14 Mar 2019 13:01:49 GMT

Hi,

An update on authentication policy.See attached!

Thanks.

Re: CLIENT AUTHENTICATION FAILURE

isaaco001 — Fri, 15 Mar 2019 14:57:21 GMT

Hi,

Please find more debugs from todays tshooting. Thanks.

SW1#
*Jan 2 03:03:18.387: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
*Jan 2 03:03:18.387: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
*Jan 2 03:03:18.387: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
*Jan 2 03:03:18.387: %AUTHMGR-7-NOM
SW1#OREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
*Jan 2 03:03:18.387: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
SW1#
*Jan 2 03:04:06.999: %AUTHMGR-5-START: Starting 'dot1x' for client (0022.64b3.0b38) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
SW1#test aaa group radisu us j Joseph @i Winter2019 ke legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated.

SW1#
*Jan 2 03:04:50.905: RADIUS: Pick NAS IP for u=0x593D66C tableid=0 cfg_addr=0.0.0.0
*Jan 2 03:04:50.905: RADIUS(00000000): Config NAS IPv6: ::
*Jan 2 03:04:50.905: RADIUS: ustruct sharecount=1
*Jan 2 03:04:50.905: Radius: radius_port_info() success=0 radius_nas_port=1
*Jan 2 03:04:50.905: RADIUS/ENCODE: Best Local IP-Address 192.168.159.2 for Radius-Server 192.168.159.145
*Jan 2 03:04:50.905: RADIUS(00000000): Send Access-Requ
SW1#est to 192.168.159.145:1645 id 1645/6, len 58
*Jan 2 03:04:50.905: RADIUS: authenticator FD 02 72 DE 6F 30 CD 7A - C1 2C 09 6A B0 2D 02 9E
*Jan 2 03:04:50.905: RADIUS: NAS-IP-Address [4] 6 192.168.159.2
*Jan 2 03:04:50.905: RADIUS: NAS-Port-Type [61] 6 Async [0]
*Jan 2 03:04:50.905: RADIUS: User-Name [1] 8 "Joseph"
*Jan 2 03:04:50.905: RADIUS: User-Password [2] 18 *
*Jan 2 03:04:50.905: RADIUS(00000000): Sending a IP
SW1#v4 Radius Packet
*Jan 2 03:04:50.905: RADIUS(00000000): Started 5 sec timeout
*Jan 2 03:04:50.972: RADIUS: Received from id 1645/6 192.168.159.145:1645, Access-Accept, len 122
*Jan 2 03:04:50.972: RADIUS: authenticator F1 D9 34 78 8E DE 1A 14 - 96 23 04 67 EA 4A D3 8A
*Jan 2 03:04:50.972: RADIUS: User-Name [1] 8 "Joseph"
*Jan 2 03:04:50.972: RADIUS: State [24] 40
*Jan 2 03:04:50.972: RADIUS: 52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 63 30 [ReauthSession:c0] SW1#
*Jan 2 03:04:50.972: RADIUS: 61 38 39 66 39 31 30 30 30 30 30 30 30 35 35 43 [a89f91000000055C]
*Jan 2 03:04:50.972: RADIUS: 38 42 42 37 46 32 [ 8BB7F2]
*Jan 2 03:04:50.972: RADIUS: Class [25] 48
*Jan 2 03:04:50.972: RADIUS: 43 41 43 53 3A 63 30 61 38 39 66 39 31 30 30 30 [CACS:c0a89f91000]
*Jan 2 03:04:50.972: RADIUS: 30 30 30 30 35 35 43 38 42 42 37 46 32 3A 49 53 [000055C8BB7F2:IS]
*Jan 2 03:04:50.972: RADIUS: 45 31 2F 33 34 32 30 30 33 38 35 33 2F
SW1#36 [ E1/342003853/6]
*Jan 2 03:04:50.972: RADIUS: Termination-Action [29] 6 1
*Jan 2 03:04:50.980: RADIUS: saved authorization data for user 593D66C at 593AC94
SW1#
*Jan 2 03:05:32.429: %DOT1X-5-FAIL: Authentication failed for client (0022.64b3.0b38) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
*Jan 2 03:05:32.429: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0022.64b3.0b38) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
SW1#
*Jan 2 03:05:32.429: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0022.64b3.0b38) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
SW1#
*Jan 2 03:08:05.068: %DOT1X-5-FAIL: Authentication failed for client (0022.64b3.0b38) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
SW1#
*Jan 2 03:08:05.068: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (0022.64b3.0b38) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
SW1#
*Jan 2 03:09:38.005: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:09:38.005: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:09:38.005: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:09:38.005: %AUTHMGR-7-NOM
SW1#OREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:09:38.005: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
SW1#
*Jan 2 03:12:10.661: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:12:10.661: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:12:10.661: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:12:10.661: %AUTHMGR-7-NOM
SW1#OREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:12:10.661: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
SW1#
*Jan 2 03:14:43.988: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:14:43.988: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:14:43.988: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:14:43.988: %AUTHMGR-7-NOM