topic Re: Unable to enter auth commands within an interface.... NAC related. in Network Access Control

Unable to enter auth commands within an interface.... NAC related.

James L — Wed, 11 Mar 2020 06:58:44 GMT

Hi. Trying to setup a 3560CX in the Lab with NAC configuration to test posturing. It seems none of the Auth* commands are accepted....

Any pointers...

switch#sh lic

Index 1 Feature: ipservices

Period left: 12 weeks 6 days

License Type: Evaluation

License State: Active, Not in Use, EULA not accepted

License Priority: None

License Count: Non-Counted

Index 2 Feature: ipbase

Period left: 0 minute 0 second

switch#

switch#sh inv
NAME: "1", DESCR: "WS-C3560CX-12PC-S"
PID: WS-C3560CX-12PC-S , VID: V03 , SN:xxx

switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)#int g0/1
switch(config-if)#auth
switch(config-if)#auth ?
% Unrecognized command
switch(config-if)#auth?
% Unrecognized command
switch(config-if)#auth
^
% Invalid input detected at '^' marker.

switch(config-if)#

Thanks.

Re: Unable to enter auth commands within an interface.... NAC related.

Colby LeMaire — Wed, 11 Mar 2020 13:42:34 GMT

Depending on your version of software, it could be that it is using the new commands starting with "access-session". See if you have those commands. Or post the software version you are using so we can know for sure.

Re: Unable to enter auth commands within an interface.... NAC related.

Cristian Matei — Wed, 11 Mar 2020 16:42:05 GMT

Hi,

3560x runs the old, now legacy commands for 802.1x, so commands are supported. Before trying again, make sure that:

- you've configured the port as layer 2, access mode

- dot1x is globally enabled

- for some command to show up, mostly global commands, aaa needs to be enabled as well (aaa new-model)

Regards,

Cristian Matei.

Re: Unable to enter auth commands within an interface.... NAC related.

James L — Fri, 20 Nov 2020 22:34:33 GMT

Hi Cristian,

Yes I do have the AAA config in global mode. Extract of config is below…

I am also doing TACACS back to the ISE Servers (hence why there is TACACS config as well)…

switch#sh run

Building configuration...

Current configuration : 5953 bytes

! Last configuration change at 21:09:53 AEDT Wed Mar 11 2020 by blah

! NVRAM config last updated at 21:09:54 AEDT Wed Mar 11 2020 by blah

version 15.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec

service timestamps log datetime msec localtime show-timezone

service password-encryption

service linenumber

service sequence-numbers

hostname switch

boot-start-marker

boot-end-marker

logging count

logging userinfo

logging buffered 32768

enable secret 5 aaa

username cisco privilege 15 secret 5 aaa

aaa new-model

aaa group server tacacs+ default

server name ISE01

server name ISE02

aaa group server radius dot1x_auth

server name ISE1

server name ISE2

aaa authentication login default local group tacacs+

aaa authentication login console local

aaa authentication enable default group tacacs+ enable

aaa authentication dot1x default group dot1x_auth

aaa authorization config-commands

aaa authorization exec default local group tacacs+

aaa authorization commands 15 default local group tacacs+

aaa authorization network default group dot1x_auth

aaa accounting update newinfo

aaa accounting dot1x default start-stop group dot1x_auth

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa server radius dynamic-author

client 192.168.10.71 server-key 7 aaa

client 192.168.10.72 server-key 7 aaa

aaa session-id common

clock timezone AEST 10 0

clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00

system mtu routing 1500

ip domain-name blah.net.au

ip device tracking probe delay 10

vtp domain home

vtp mode transparent

udld aggressive

mab request format attribute 32 vlan access-vlan

dot1x system-auth-control

dot1x critical eapol

identity profile default

spanning-tree mode rapid-pvst

spanning-tree loopguard default

spanning-tree extend system-id

vlan 10

lldp run

interface GigabitEthernet0/1

switchport access vlan 10

spanning-tree portfast edge

<.....>

interface GigabitEthernet0/16

switchport access vlan 10

spanning-tree portfast edge

interface Vlan1

ip address dhcp

shutdown

interface Vlan10

ip address 192.168.10.127 255.255.255.0

ip default-gateway 192.168.10.1

ip forward-protocol nd

ip http server

ip http secure-server

ip ssh time-out 60

ip ssh authentication-retries 2

ip ssh logging events

ip ssh version 2

ip tacacs source-interface Vlan10

ip access-list extended PREAUTH

permit udp any eq bootpc any eq bootps

permit udp any any eq domain

permit icmp any any

permit udp any any eq tftp

deny ip any any log

tacacs server ISE01

address ipv4 192.168.10.71

key 7 aaa

tacacs server ISE02

address ipv4 192.168.10.72

key 7 aaa

radius-server attribute 6 on-for-login-auth

radius-server attribute 6 support-multiple

radius-server attribute 8 include-in-access-req

radius-server attribute 25 access-request include

radius-server attribute 31 mac format ietf upper-case

radius-server attribute 31 send nas-port-detail

radius-server dead-criteria tries 2

radius-server key 7 aaa

radius server ISE1

address ipv4 192.168.10.71 auth-port 1812 acct-port 1813

key 7 aaa

radius server ISE2

address ipv4 192.168.10.72 auth-port 1812 acct-port 1812

key 7 aaa

line con 0

exec-timeout 0 0

privilege level 15

line vty 0 4

privilege level 15

password 7 aaa

logging synchronous

transport input telnet ssh

line vty 5 14

privilege level 15

password 7 aaa

logging synchronous

transport input telnet ssh

line vty 15

privilege level 15

password 7 aaa

logging synchronous

transport input telnet ssh

ntp server 192.168.10.1

end

switch#

Re: Unable to enter auth commands within an interface.... NAC related.

Cristian Matei — Wed, 11 Mar 2020 21:30:45 GMT

Hi,

Your ports area dynamic layer 2 ports (can become access or trunk) and this is your problem. Make them static access ports via command "switchport mode access".

Regards,

Cristian Matei.

Re: Unable to enter auth commands within an interface.... NAC related.

juan.yanez — Fri, 20 Nov 2020 17:33:02 GMT

check if the "switchport mode access" command is within the configuration port.