topic Re: Cisco Switch authentication issue on window computer in Network Access Control

Cisco Switch authentication issue on window computer

keith-mk-li — Tue, 17 Sep 2024 09:25:53 GMT

Dear All,

I have a question would like to ask the different from the 2 commands ? and the command at Site A has enabled the authentication, whereas in Site B didn't, and in Site A all computer can access to network whereas in Site B its not obtaining any IP addresses at all, as the authentication has not been active in site B switch ports, i do not understand why laptop can not obtain IP addresses, as in both switches has self certificates and AAA configured on it, just wonder anything else need to configure in the computer itself ? the previously colleagues has left to company, and i do not have enough information on what it has been done by him, any help would be appreicated

From Site A

interface GigabitEthernet1/0/9

description User

switchport access vlan 100

switchport mode access

device-tracking attach-policy IPDT_POLICY

authentication periodic

authentication timer reauthenticate server

access-session closed

access-session port-control auto

mab

dot1x pae authenticator

dot1x timeout tx-period 10

spanning-tree portfast

service-policy type control subscriber ISE_POLICY

from site B

interface GigabitEthernet1/0/5

description User data port

switchport mode access

authentication event fail action next-method

authentication event server alive action reinitialize

authentication host-mode multi-auth

authentication order mab dot1x

authentication priority dot1x mab

authentication periodic

authentication timer reauthenticate server

authentication timer inactivity 180

authentication violation restrict

mab

dot1x pae authenticator

dot1x timeout tx-period 10

spanning-tree portfast

end

Piaa

Re: Cisco Switch authentication issue on window computer

balaji.bandi — Tue, 17 Sep 2024 11:33:17 GMT

Depends what model of switches here, how your Layer 3 VLAN SVI have helper address or not ?

Try adding on Site B. Access VLAN XXX (switchport access vlan 100) config and check.

below guide help you for more information :

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

Re: Cisco Switch authentication issue on window computer

MHM Cisco World — Tue, 17 Sep 2024 11:36:39 GMT

authentication order mab dot1x <<- change the order make it dot1x mab

authentication priority dot1x mab

Then check

MHM

Re: Cisco Switch authentication issue on window computer

thomas — Tue, 17 Sep 2024 14:33:39 GMT

Did they successfully authenticate? You have not provided any information about the authentications from the respective switch.

Without any other details, it sounds like a DHCP problem.

Re: Cisco Switch authentication issue on window computer

keith-mk-li — Wed, 18 Sep 2024 08:44:05 GMT

The DHCP is leasing IP from the site itself, please find below running config and aaa loggings, i found there is no authentication sessions in the switch at all, kindly check any if the setting is correct ? in ISE i don't see any logging from this ip segment in this site

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2024.09.18 14:29:01 =~=~=~=~=~=~=~=~=~=~=~=
login as: cisco
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server

Switch>en
Password:
Switch#sh run

Building configuration...

Current configuration : 58518 bytes
!
! Last configuration change at 15:34:19 HKG Tue Sep 17 2024 by adm_kli
! NVRAM config last updated at 12:01:52 HKG Mon Sep 16 2024 by adm_klam
!
version 15.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
enable secret 5
!
aaa new-model
!
!
--More-- aaa group server radius ISE
server name ISE1
server name ISE2
deadtime 300
!
aaa authentication login NO_AUTH none
aaa authentication login SSH-LOGIN local
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting delay-start all
aaa accounting update newinfo
aaa accounting auth-proxy default start-stop group ISE
aaa accounting dot1x default start-stop group ISE
aaa accounting network default start-stop group ISE
!
!
!
!
!
aaa server radius dynamic-author
client 10.12.101.10 server-key 7 01360xxxxxxxxxxxxxxx
client 10.12.101.11 server-key 7 14321xxxxxxxxxxxxxxx
!
--More-- aaa session-id common
clock timezone HKG 8 0
switch 1 provision ws-c2960x-48lps-l
switch 2 provision ws-c2960x-48lps-l
switch 3 provision ws-c2960x-48lps-l
!
!
login on-success log
vtp mode transparent
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2xxxxxxxxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2xxxxxxxxx
revocation-check none
rsakeypair TP-self-signed-2xxxxxxxxxxx
!
!
--More-- crypto pki certificate chain TP-self-signed-2xxxxxxxx
certificate self-signed 01
quit
dot1x system-auth-control
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
vlan 3
name Devices
!
vlan 100
name WiFi
!

!
!
--More-- !
!
!
!
!
!
!
!
!
interface Port-channel1
description uplink to C9200 Switch
switchport mode trunk
!
interface Port-channel2
description uplink to Server
switchport mode access
switchport nonegotiate
!
interface FastEthernet0
no ip address
shutdown
!
interface GigabitEthernet1/0/1
--More-- description User data port
switchport mode access
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
interface GigabitEthernet1/0/2
description User data port
switchport mode access
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
--More-- authentication priority dot1x mab
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
interface GigabitEthernet1/0/3
description User data port
switchport mode access
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
--More-- dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast

==========================================================================================

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2024.09.18 16:33:36 =~=~=~=~=~=~=~=~=~=~=~=
login as: cisco
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server

Switch>en
Password:
Switch#sh aaa server

RADIUS: id 1, priority 1, host 10.12.101.10, auth-port 1812, acct-port 1813
State: current UP, duration 4294967s, previous duration 18000s
Dead: total time 18000s, count 1
Quarantined: No
Authen: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 19, timeouts 19, failover 1, retransmission 14
Request: start 0, interim 0, stop 5
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 5
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 12w4h38m
Estimated Outstanding Access Transactions: 0
--More-- Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 3 hours, 45 minutes ago: 0
low - 3 hours, 45 minutes ago: 0
average: 0

RADIUS: id 2, priority 2, host 10.12.101.11, auth-port 1812, acct-port 1813
State: current UP, duration 4294967s, previous duration 18000s
Dead: total time 18000s, count 1
Quarantined: No
Authen: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
--More-- Account: request 19, timeouts 19, failover 5, retransmission 14
Request: start 0, interim 0, stop 5
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 5
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 12w4h37m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 3 hours, 44 minutes ago: 0
low - 3 hours, 44 minutes ago: 0
average: 0
Switch#sh aaa sessions
Total sessions since last reload: 108
Session Id: 176
Unique Id: 186
User Name: cisco
IP Address: 192.168.1.132
Idle Time: 0
CT Call Handle: 0
Switch# sh radius statistics
Auth. Acct. Both
Maximum inQ length: NA NA 2
Maximum waitQ length: NA NA 4
Maximum doneQ length: NA NA 1
Total responses seen: 68 134 202
Packets with responses: 68 134 202
Packets without responses: 0 4 4
Access Rejects : 0
Average response delay(ms): 1496 218 649
Maximum response delay(ms): 35379 5240 35379
Number of Radius timeouts: 8 40 48
Duplicate ID detects: 0 0 0
Buffer Allocation Failures: 0 0 0
Maximum Buffer Size (bytes): 279 335 335
Malformed Responses : 0 0 0
Bad Authenticators : 0 0 0
Unknown Responses : 0 0 0
Source Port Range: (2 ports only)
1645 - 1646
Last used Source Port/Identifier:
1645/68
1646/178

Elapsed time since counters last cleared: 39w3d12h30m
Radius Latency Distribution:
<= 2ms : 0 0
3-5ms : 0 0
5-10ms : 0 0
10-20ms: 0 0
20-50ms: 0 0
50-100m: 0 0
>100ms : 68 134

Current inQ length : 0
Current doneQ length: 0

Switch#sh aaa l clients

Dynamic Author Client 10.12.101.10
CoA: requests: 0, transactions: 0
retransmissions: 0, active transactions: 0
Ack responses: 0, Nak reponses: 0
invalid requests: 0, errors: 0
PoD: requests: 0, transactions: 0
retransmissions: 0, active transactions: 0
Ack responses: 0, Nak reponses: 0
invalid requests: 0, errors: 0
Average Ack response time: 0 msec
Requests per minute past 24 hours:
high - 3 hours, 45 minutes ago: 0
low - 3 hours, 45 minutes ago: 0
average: 0

Dynamic Author Client 10.12.101.11
CoA: requests: 0, transactions: 0
retransmissions: 0, active transactions: 0
Ack responses: 0, Nak reponses: 0
invalid requests: 0, errors: 0
PoD: requests: 0, transactions: 0
retransmissions: 0, active transactions: 0
--More-- Ack responses: 0, Nak reponses: 0
invalid requests: 0, errors: 0
Average Ack response time: 0 msec
Requests per minute past 24 hours:
high - 3 hours, 45 minutes ago: 0
low - 3 hours, 45 minutes ago: 0
average: 0

Dropped request packets: 0
Switch#sh aaa ss essions
Total sessions since last reload: 108
Session Id: 176
Unique Id: 186

Switch# sh aaa user all
--------------------------------------------------
Unique id 186 is currently in use.
No data for type 0
No data for type EXEC
No data for type CONN
NET: Username=(n/a)
Session Id=000000B0 Unique Id=000000BA
Start Sent=0 Stop Only=N
stop_has_been_sent=N
Method List=0
Attribute list:
090CA57C 0 00000001 session-id(408) 4 176(B0)
090CA5B0 0 00000001 start_time(418) 4 Sep 18 2024 16:33:38
--------
No data for type CMD
No data for type SYSTEM
No data for type VRRS
No data for type RM CALL
No data for type RM VPDN
No data for type AUTH PROXY
No data for type DOT1X
No data for type CALL
No data for type VPDN-TUNNEL
--More-- No data for type VPDN-TUNNEL-LINK
No data for type IPSEC-TUNNEL
No data for type MCAST
No data for type RESOURCE
No data for type SSG
No data for type IDENTITY
No data for type ConnectedApps
Accounting:
log=0x18001
Events recorded :
CALL START
INTERIM START
INTERIM STOP
update method(s) :
NEWINFO
update interval = 0
Outstanding Stop Records : 0
Dynamic attribute list:
090CA57C 0 00000001 connect-progress(75) 4 No Progress
090CA5B0 0 00000001 pre-session-time(334) 4 65(41)
090CA5E4 0 00000001 elapsed_time(414) 4 0(0)
090CA618 0 00000001 pre-bytes-in(330) 4 0(0)
090CA64C 0 00000001 pre-bytes-out(331) 4 0(0)
--More-- 090CA680 0 00000001 pre-paks-in(332) 4 0(0)
090CA6B4 0 00000001 pre-paks-out(333) 4 0(0)
Debg: No data available
Radi: No data available
Interface:
TTY Num = 1
Stop Received = 0
Byte/Packet Counts till Call Start:
Start Bytes In = 0 Start Bytes Out = 0
Start Paks In = 0 Start Paks Out = 0
Byte/Packet Counts till Service Up:
Pre Bytes In = 0 Pre Bytes Out = 0
Pre Paks In = 0 Pre Paks Out = 0
Cumulative Byte/Packet Counts :
Bytes In = 0 Bytes Out = 0
Paks In = 0 Paks Out = 0
StartTime = 16:33:38 HKG Sep 18 2024
Component = Exec
Authen: service=LOGIN type=ASCII method=LOCAL
Kerb: No data available
Meth: No data available
Preauth: No Preauth data.
General:
--More-- Unique Id = 000000BA
Session Id = 000000B0
Attribute List:
090CA57C 0 00000081 interface(221) 4 tty1
090CA5B0 0 00000001 port-type(225) 4 Virtual Terminal
090CA5E4 0 00000081 clid(36) 14 192.168.81.161
PerU: No data available
Service Profile: No Service Profile data.
Unkn: No data available
Unkn: No data available

Switch#sh auth
Switch#sh authentication his

Switch#sh authentication his sessions
No sessions currently exist

Piaa

Re: Cisco Switch authentication issue on window computer

keith-mk-li — Wed, 18 Sep 2024 09:37:03 GMT

i found there is a GPO to changing the user computer network adapter EAP (PEAP) 802.1x, and i see in the switch "aaa authentication login NO_AUTH none", does it mean the authentication has been been active in the switch and the NIC adapter has forced to use EAP (PEAP) 802.1x, and its can not successfully authenticate that why can not reaching the LAN ? but its weird that for below, this devices need to be auth via the ISE by whitelisting the device mac address, as in the switch authenticate has not been active, how can this device to be able to reaching the LAN, any help would be appreicated

interface GigabitEthernet2/0/5
description Devices
switchport access vlan 3
switchport mode access
authentication host-mode multi-host
authentication order mab
mab
dot1x pae authenticator
spanning-tree portfast
end

Switch#sh authentication sessions int gi2/0/5
No sessions match supplied criteria.

Runnable methods list:
Handle Priority Name
9 5 dot1x
16 10 mab
14 15 webauth

Piaa

Re: Cisco Switch authentication issue on window computer

MHM Cisco World — Mon, 23 Sep 2024 10:16:27 GMT

This issue solved?

MHM

Re: Cisco Switch authentication issue on window computer

keith-mk-li — Thu, 03 Oct 2024 15:57:42 GMT

not resolve