topic Re: Missing Something Obvious for 802.1x? in Network Access Control

Missing Something Obvious for 802.1x?

Marvin Rhoads — Mon, 11 Mar 2019 06:10:55 GMT

Could I get a second pair of eyes on this switch configuration?

I'm setting up a 2960X (WS-C2960XR-48LPD-I) with IOS image c2960x-universalk9-mz.152-3.E2 for ISE-based wired authentication. I have all the global commands and my RADIUS server (ISE 1.4) is reachable and RADIUS shared secret is verified at both ends. A RADIUS server test from the cli returns successful results. EAPOL test of the supplicant returns success as well.

I get no 802.1x action on the port though. Am I missing something obvious or hitting a bug? I thought I'd ask here before opening a TAC case.

#sh authentication sessions int gi1/0/36 det
No sessions match supplied criteria.
#sh int gi1/0/36 status

Port      Name               Status       Vlan       Duplex  Speed Type 
Gi1/0/36  ISE Test - Jack #B connected    1          a-full a-1000 10/100/1000BaseTX
#

#dot1x test eapol-capable int gi1/0/36
#
014057: Oct 23 16:49:49 EDT: %DOT1X-6-INFO_EAPOL_PING_RESPONSE: The interface Gi1/0/36 has an 802.1x capable client with MAC 28d2.4492.bc6f
#

#sh run | i system-auth
dot1x system-auth-control
#

#sh run | sec radius server
radius server <redacted>
 address ipv4 <redacted> auth-port 1812 acct-port 1813
 automate-tester username isetest
 key 7 <redacted>
#sh run | sec aaa          
aaa new-model
aaa group server radius ISE
 server name <redacted>
aaa authentication enable default enable
aaa authentication dot1x default group ISE
aaa authorization network default group ISE 
aaa accounting dot1x default start-stop group ISE
aaa server radius dynamic-author
 client <redacted> server-key 7 <redacted>
aaa session-id common
#
#sh run int gi1/0/36
Current configuration : 636 bytes
!
interface GigabitEthernet1/0/36
 description ISE Test - Jack #B7 in Workroom
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 53
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
end

Seems fine to me, did you try

jan.nielsen — Fri, 23 Oct 2015 23:59:32 GMT

Seems fine to me, did you try a simple debug aaa authentication/authorization? or debug radius if that gives you no output?

Thanks Jan - I think I

Marvin Rhoads — Sat, 24 Oct 2015 00:25:39 GMT

Thanks Jan - I think I figured it out. I was turning it over in my head on the drive home.

This particular customer has a lot of ports in VLAN 1 (yes I know - not a best practice but it's a brownfield and I'm not at liberty to change everything just yet). So those ports (including the one I was testing with) did not have

switchport access vlan 1

...as they default to VLAN 1

Lack of that command causes the RADIUS authentication sequence to never kick off - which is why I saw nothing at all when I had turned on the debugs. (I tried both aaa auth and radius debugs.)

I went in remotely just now and put the same commands I was using on my test port plus I hard set the VLAN 1 on a port that had a printer connected. I checked the authentication session for that port (and the radius debug) and - voila - we have a session.

It's a hard habit to break to set "switchport access vlan 1"; but I guess the couple hours I spent banging my head on this one will reinforce the lesson. 🙂

Weekend - time for a break!

I was going to suggest

phosawyer — Fri, 06 Nov 2015 13:00:02 GMT

I was going to suggest something similar.

Had a customer whose switch was doing something similar. Turned out the 2960 (I dont remember which iOS version, 12.2 possibly) needed the switchport command and then authentications were fine.

I missed the fact there was no switchport access vlan command on your snippet!

Re: Thanks Jan - I think I

dario.didio — Mon, 11 Jun 2018 11:52:28 GMT

Hi Marvin,

Could you elaborate why, when the command 'switchport access vlan 1' is missing from a switchport, RADIUS authentication never starts? Why is it required to have a port explicitly in a VLAN?

Thanks for the info.

Br,

Dario

Re: Missing Something Obvious for 802.1x?

lionwala012 — Tue, 15 Mar 2022 09:56:56 GMT

Thank you for sharing with us, and we sincerely hope you will continue to update or post other articles.

Re: Missing Something Obvious for 802.1x?

saadqazi3452837 — Fri, 18 Mar 2022 13:32:15 GMT

Some of our Windows 10 workstations have been having authentication issues since the 1903 upgrade. Do you know of any more sources of information on this topic? https://support.microsoft.com/en-gb/help/3121002/windows-10-devices-can-t-connect-to-an-802-1x-environment?