topic Dot1x issues inside cisco switch with Cisco ACS 5.7 in Network Access Control

Dot1x issues inside cisco switch with Cisco ACS 5.7

Waisudin Farzam — Mon, 11 Mar 2019 05:58:18 GMT

dear all,

i have configured my switch to support dot1x on each port but some of the ports after restarting the pc or laptop its not working the dot1x in each port is below.

interface GigabitEthernet1/0/19
description Client Access EndPoint
switchport access vlan 3
switchport mode access
switchport nonegotiate
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0021.9b6d.ea8b
authentication host-mode multi-host
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout server-timeout 5
dot1x timeout tx-period 10
dot1x timeout supp-timeout 10
dot1x max-req 10
dot1x max-reauth-req 10
spanning-tree portfast

all the users are loged in via the domain username and password

the below error message i get inside the ACS 5.7

its urgent can somebody please send check my config if its ok or having issues please.

From the error, its clear

poongarg — Tue, 11 Aug 2015 09:54:36 GMT

From the error, its clear that ACS is not able to find the user identity in the configured identity store under your access policy. Check your access policy.

Check the details of the log, whether ACS is trying to contact AD to retrieve username from the AD or not. Whether AD is reachable and shows joined and connected.

If you have multiple domain controllers in the domain then check to which domain controller ACS is joined to. If it is joined to remote domain controller then join it manually with your local domain controller using the below command in acs-config mode.

ad-agent-configuration dns.dc.<domain.name>: [hostname1],[hostname2] ...
ad-agent-configuration dns.gc.<domain.name>: [hostname1],[hostname2] ...

Sometimes due to delay in response from AD also causes this issue.

dear brother. i have checked

Waisudin Farzam — Wed, 12 Aug 2015 07:35:43 GMT

dear brother.

i have checked both the domain and acs configs there is no issues or errors.

the only things is that clients should authenticate after they logeding to their pc or laptop with their domain username and password, but after they login there is no network connectivity and dotx errors should inside ACS that they have been authenticated via the mac address so the mac address comes to their username and password section.

but when i shutdown and unshutdown the interface they login and dot1x works fine for them so can you tell me what could be the problem brother.

see attached files for more info also my lan card properties for Dot1x authetication is that when client login it should take its autheticatioin from logeding useranema nd password which is their current domain account and password.

This is a really confusing

Andreas di Zazzo — Wed, 12 Aug 2015 13:11:37 GMT

This is a really confusing config. My suggestions:

Change order to 802.1x first, second MAB.

In the client config, change from User auth to "Computer AND User", then create an authz policy that matches computer authentications and possibly give them limited network access (so they can be allowed to perform a proper Active Directory login).

This is how you normally do wired 802.1x for domain PCs.

Any perticular reasons why you want MAB as primary method?