Cisco 2960X not sending Radius machine authentication

Ruelb2214 — Thu, 06 Apr 2023 04:06:30 GMT

Hi All,

We have machine that is joined in AD and supposed to be doing machine auth, we notice for 2960x not sending radius machine authentication, instead it only does mac address. IPPhone/Printer authentication are working fine no issue at all.

We are using Anyconnect network module, and the same XML file we use all throughout deployment, with other switch model we do not encounter the issue.

Does anyone encounter the same issue? Please share your idea

Apr 5 12:59:22.118: RADIUS(00000000): Send Access-Request to 10.62.32.19:1812 onvrf(0) id 1645/123, len 274
Apr 5 12:59:22.118: RADIUS: authenticator 96 97 20 A7 63 28 A9 71 - EA FE 25 86 29 D7 CB 5C
Apr 5 12:59:22.118: RADIUS: User-Name [1] 14 "10E7C67821E8"
Apr 5 12:59:22.118: RADIUS: User-Password [2] 18 *
Apr 5 12:59:22.118: RADIUS: Service-Type [6] 6 Call Check [10]
Apr 5 12:59:22.118: RADIUS: Vendor, Cisco [26] 31
Apr 5 12:59:22.118: RADIUS: Cisco AVpair [1] 25 "service-type=Call Check"
Apr 5 12:59:22.118: RADIUS: Framed-MTU [12] 6 1500
Apr 5 12:59:22.118: RADIUS: Called-Station-Id [30] 19 "6C-41-0E-BD-98-8A"
Apr 5 12:59:22.122: RADIUS: Calling-Station-Id [31] 19 "10-E7-C6-78-21-E8"
Apr 5 12:59:22.122: RADIUS: Message-Authenticato[80] 18
Apr 5 12:59:22.122: RADIUS: 17 88 CA ED AF 58 4F 00 4A A3 F8 A8 93 EE 33 DA [ XOJ3]
Apr 5 12:59:22.122: RADIUS: EAP-Key-Name [102] 2 *
Apr 5 12:59:22.122: RADIUS: Vendor, Cisco [26] 49
Apr 5 12:59:22.122: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A7106FE00000BA2643F8AEF"
Apr 5 12:59:22.122: RADIUS: Vendor, Cisco [26] 18
Apr 5 12:59:22.122: RADIUS: Cisco AVpair [1] 12 "method=mab"
Apr 5 12:59:22.122: RADIUS: NAS-IP-Address [4] 6 10.113.6.254
Apr 5 12:59:22.122: RADIUS: Nas-Identifier [32] 13 "SEL-SWC-06S"
Apr 5 12:59:22.122: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet1/0/10"
Apr 5 12:59:22.122: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Apr 5 12:59:22.122: RADIUS: NAS-Port [5] 6 50110
Apr 5 12:59:22.122: RADIUS(00000000): Sending a IPv4 Radius Packet
Apr 5 12:59:22.122: RADIUS(00000000): Started 5 sec timeout
Apr 5 12:59:22.387: RADIUS: Received from id 1645/123 10.62.32.19:1812, Access-Reject, len 92
Apr 5 12:59:22.387: RADIUS: authenticator C2 25 DA DB 9F 79 15 6F - E4 24 A3 CB AA EE 6C 9F
Apr 5 12:59:22.387: RADIUS: Message-Authenticato[80] 18
Apr 5 12:59:22.387: RADIUS: 11 80 C2 6C 8E C6 58 99 CD 95 FE 99 4A D3 C1 42 [ lXJB]
Apr 5 12:59:22.387: RADIUS: Vendor, Cisco [26] 54
Apr 5 12:59:22.387: RADIUS: Cisco AVpair [1] 48 "AuthenticationIdentityStore=Internal Endpoints"
Apr 5 12:59:22.391: RADIUS(00000000): Received from id 1645/123

Switch port configuration:

interface GigabitEthernet1/0/10
switchport mode access
switchport voice vlan 2
authentication event fail action next-method
authentication event server dead action authorize vlan 11
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge

Radius/AAA configuration:

aaa group server radius SP-ISE-GROUP
server name VMISE02
server name VMISE01
aaa authentication login CONSOLE local
aaa authentication login THALOGIN group ISE-TACACS local
aaa authentication dot1x default group SP-ISE-GROUP
aaa authorization exec default group ISE-TACACS local if-authenticated
aaa authorization network default group SP-ISE-GROUP
aaa authorization auth-proxy default group SP-ISE-GROUP
aaa accounting send stop-record authentication failure
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group SP-ISE-GROUP
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting network default start-stop group SP-ISE-GROUP
aaa accounting system default start-stop group SP-ISE-GROUP
aaa server radius dynamic-author
client 10.62.x.xserver-key 7 (omitted)
client 10.62.x.x server-key 7 (omitted)
aaa session-id common

ip radius source-interface Vlan11
radius server VMISE01
address ipv4 10.62.x.x auth-port 1812 acct-port 1813
automate-tester username dummy idle-time 5
key 7 (omitted)
radius server VMISE02
address ipv4 10.62.x.x auth-port 1812 acct-port 1813
automate-tester username dummy idle-time 5
key 7(omitted)

Re: Cisco 2960X not sending Radius machine authentication

Nancy Saini — Thu, 06 Apr 2023 18:13:07 GMT

The authentication order and priority in the switchport configuration is "mab dot1x". With this configuration, dot1x will only happen if MAB fails.

Change the authentication priority to "dot1x mab" and you should see switch initiating EAPoL.

Reference : https://www.cisco.com/c/dam/en/us/support/docs/ios-nx-os-software/identity-based-networking-service/flexible_authentication.pdf

Re: Cisco 2960X not sending Radius machine authentication

Sri Harsha Dasari — Fri, 07 Apr 2023 15:03:50 GMT

I agree with Nancy. Also, i dont see below command for data vlan on this port.

switchport access vlan xx

Re: Cisco 2960X not sending Radius machine authentication

thomas — Sat, 08 Apr 2023 21:53:47 GMT

@Nancy Saini had a great suggestion and you may compare your configuration with our which has example configurations following best practices.

Also, we always recommend authentication host-mode multi-auth over multi-domain. if you have problems with phones+workstations on the same port, switch to multi-auth.

topic Re: Cisco 2960X not sending Radius machine authentication in Network Access Control

Cisco 2960X not sending Radius machine authentication

Re: Cisco 2960X not sending Radius machine authentication

Re: Cisco 2960X not sending Radius machine authentication

Re: Cisco 2960X not sending Radius machine authentication