topic Radius configuration(dot1x) problem with ios version 15 in Network Access Control

Radius configuration(dot1x) problem with ios version 15

Aret Avedis SET — Mon, 11 Mar 2019 05:41:35 GMT

Hello all,

I upgrade one 3750x from version 12.2 55 to 15.0(2)SE7 and i see that some configuration must be changed

Warning: The CLI will be deprecated soon
'radius-server host xxxxxxxx auth-port 1645 acct-port 1646 test username name key 7 sharedsecret
Please move to 'radius server <name>' CLI.

I try to adapt the configuration but the 802.1x fails :

radius server RADIUS-SRV
address ipv4 xxxxxxxxxx auth-port 1645 acct-port 1646
timeout 15
retransmit 3
automate-tester username name (username created in global configuration mode)
key 7 sharedsecret

aaa group server radius RADIUS-SRV
server-private xxxxxxxxxx key 7 sharedsecret
ip radius source-interface VlanX

aaa authentication dot1x default group RADIUS-SRV
aaa authorization network default group RADIUS-SRV

Here's the configuration for the interface with an IP phone connected :

authentication event fail action authorize vlan 1
authentication event server dead action authorize vlan 1
authentication event no-response action authorize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation protect
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 5

On the logs, i have the server-dead result (not the message that the switch can't reach the radius server):

Apr 28 12:33:45.075: %AUTHMGR-5-START: Starting 'dot1x' for client (MAC) on Interface Gi1/0/1 AuditSessionID 0A175140000004640014346D
Apr 28 12:34:05.191: %DOT1X-5-FAIL: Authentication failed for client (MAC) on Interface Gi1/0/1 AuditSessionID 0A175140000004640014346D
Apr 28 12:34:05.191: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'dot1x' for client (MAC) on Interface Gi1/0/1 AuditSessionID 0A175140000004640014346D

When i put the old fashion config, the IP phone is authenticated without problems, see capture from the ACS server (attached file 802.1x-OK)

With the new configuration, see attached file 802.1x-NOK ; i don't have the same field in the ACS (username field) and i have the message 11036 The Message-Authenticator RADIUS attribute is invalid

Why the authentication doesn't "come" to the ACS like before with this new configuration? What i'm missing?

Thank you

Hi avedis, Can you please

Bikash Shaw — Wed, 29 Apr 2015 12:11:45 GMT

Hi avedis,

Can you please check the connectivity between switch vlan to ACS server and Shared secret key. Please let me know.

Regards

Bikash

Hello,Thank you for your

Aret Avedis SET — Wed, 29 Apr 2015 12:42:57 GMT

Hello,

Thank you for your reply. The password is correct in both sides

Also when i put the old fashion config, the dot1x is working correctly = password is correct

Regards

Hello all,I modify the

Aret Avedis SET — Tue, 05 May 2015 10:44:48 GMT

Hello all,

I modify the configuration and now it's working :

aaa group server radius RADIUS-SRV
server-private xxxxxxxxxxxx timeout 15 retransmit 3 test username xxxxxxxxx key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ip radius source-interface xxxxx
!
!
radius server RADIUS-SRV
address ipv4 xxxxxx auth-port 1645 acct-port 1646
key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
aaa authentication dot1x default group RADIUS-SRV
aaa authorization network default group RADIUS-SRV

Regards

Hi,I see you are

marco.merlo — Wed, 10 Jun 2015 14:52:54 GMT

Hi,

I see you are using

automate-tester

command.

I did some test sand registered this behaviour.

If a radius server has been marked alive the switch wait for the configured deadtime interval and then for the

idle-time

to expire before sending the probe.

So if confgured dead time is 10 minutes and idle-time is 2 minutes the dead server is marked alive after 12 minutes even if it has been re-activated in 5 minutes.

Is this the expected behaviour?

Regards

Hello,The time out is in

Aret Avedis SET — Wed, 10 Jun 2015 18:35:47 GMT

Hello,

The time out is in seconds not in minutes. When i put "timeout 15 retransmit 3" it says that if the radius service is unavailable it will timeout after 15seconds * 3 times= 45sec

sh aaa dead-criteria radius xxxxxxxxxxxxxxxxx
RADIUS: No server group specified. Using radius
RADIUS Server Dead Critieria:
=============================
Server Details:
Address : xxxxxxxxxxxxxxxx
Auth Port : 1645
Acct Port : 1646
Server Group : radius
Dead Criteria Details:
Configured Retransmits : 3
Configured Timeout : 5
Estimated Outstanding Transactions: 0
Dead Detect Time : 15s
Computed Retransmit Tries: 3

Regards