Dot1x host authentication failure

haidar_alm — Mon, 11 Mar 2019 05:57:37 GMT

Hi guys,

I'm working on configuring 802.1x on a 3750 and a free WinRadius server.

WinRadius is up and running, I can even test authentication using the testing tool as per image.

I've also ran the testing command from the switch to make sure that it can communicate with the Radius and it was successful:

Switch#test aaa group radius cisco cisco new-code
User successfully authenticated

However, when I try to authenticate from the host/laptop I get an authentication failure. I do get prompted to enter the username and password. however, for some reason the Radius seems to be returning an failure to authenticate.

Error on the switch shows:

*Mar 1 20:45:14.133: %LINK-3-UPDOWN: Interface FastEthernet1/0/16, changed state to up
*Mar 1 20:45:22.387: %DOT1X-5-FAIL: Authentication failed for client (ecf4.bb08.7e76) on Interface Fa1/0/16 AuditSessionID C0A80A1E0000001F0474044A
*Mar 1 20:45:22.387: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (ecf4.bb08.7e76) on Interface Fa1/0/16 AuditSessionID C0A80A1E0000001F0474044A
*Mar 1 20:45:22.387: %AUTHMGR-5-FAIL: Authorization failed for client (ecf4.bb08.7e76) on Interface Fa1/0/16 AuditSessionID C0A80A1E0000001F0474044A

Switch#sho authentication sessions int f1/0/16
Interface: FastEthernet1/0/16
MAC Address: Unknown
IP Address: Unknown
Status: Running
Domain: UNKNOWN
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A80A1E0000002004751782
Acct Session ID: 0x00000027
Handle: 0x4D000020

Runnable methods list:
Method State
dot1x Running

And on the Radius server it shows that user authentication failed.

I'm not sure where the issue is...

Switch configuration for dot1x is:

aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius

authentication mac-move permit

interface FastEthernet1/0/16
switchport access vlan 10
switchport mode access
authentication port-control auto
dot1x pae authenticator

interface FastEthernet1/0/20
switchport access vlan 10

interface Vlan10
ip address 192.168.10.30 255.255.255.0
!
!
ip sla enable reaction-alerts
radius-server host 192.168.10.10 auth-port 1812 acct-port 1813 key WinRadius
!

I'm not sure what I'm doing wrong...

Can you please have a look and advise??

Haidar,

jasonmadruga84 — Sun, 26 Jun 2016 08:18:20 GMT

Haidar,

I was able to have success if I changed the settings in WinRadius. Those are:

Authorization Port 1645
Accounting Port 1646

Let me know if that helps.

-Jason

topic Haidar, in Network Access Control

Dot1x host authentication failure

Haidar,