https://community.cisco.com/t5/network-access-control/dot1x-auth-doesn-t-work-on-3550-60/m-p/2487586#M87134 <P>Hello,</P><P>&nbsp;</P><P>I have unchecked, it does not work. Win8.1 latest updates</P> Wed, 26 Nov 2014 17:36:09 GMT Istvan kelemen 2014-11-26T17:36:09Z https://community.cisco.com/t5/network-access-control/dot1x-auth-doesn-t-work-on-3550-60/m-p/2487580#M87116 <P>Hi,</P><P>I have configured dot1x based on a cisco config guide. I have tried on both 3550 and 3560 neither worked. I was using radius and local database. The port stays amber.</P><P>3560's config:</P><P>Aaa new-model</P><P>Aaa authentication login default group radius local</P><P>Aaa authentication dot1x default group radius local</P><P>Dot1x system-auth-control</P><P>&nbsp;</P><P>Int fa0/15</P><P>Switchport mode access</P><P>Switchport access vlan 10</P><P>Authentication port-control auto</P><P>&nbsp;</P><P>OS's what i tried: win8.1 ubuntu 12.10/13.10 : PEAP</P><P>&nbsp;</P><P>Any suggestion? Thanks!</P> Mon, 11 Mar 2019 04:33:44 GMT https://community.cisco.com/t5/network-access-control/dot1x-auth-doesn-t-work-on-3550-60/m-p/2487580#M87116 Istvan kelemen 2019-03-11T04:33:44Z https://community.cisco.com/t5/network-access-control/dot1x-auth-doesn-t-work-on-3550-60/m-p/2487581#M87122 Hello stvnkelemen, Get us the below outputs: 1] show dot1x int &lt;&gt; detail [2] show authentication session interface &lt;&gt; [3] What kind of authentication are we using for dot1x? [4] show port-security interface &lt;&gt; [5] show tech of the switch. [6] Document that you've followed. [7] show dot1x summary Dot1x communication steps: - First packet from supplicant to Switch is EAPOL-Start(Optional messae depending on software on supplicant). - From Switch to supplicant: EAP-Identity-request (Mandatory) - Supplicant to Sw: EAP-Identity-response (Mandatory) - SW strip off the .1x header and put the original EAP packet inside an ip packet as a radius form of data. (EAP auth exchange). from this point SW will just pass data in between supplicant and AAA server. Note: All Dot1x frames sent to/from supplicant to/from authenticator use the reserved destination MAC 01-80-C2-00-00-03. Regards, Bikramjit Thu, 20 Mar 2014 18:39:57 GMT https://community.cisco.com/t5/network-access-control/dot1x-auth-doesn-t-work-on-3550-60/m-p/2487581#M87122 Bikramjit Majumdar 2014-03-20T18:39:57Z https://community.cisco.com/t5/network-access-control/dot1x-auth-doesn-t-work-on-3550-60/m-p/2487582#M87126 <P>Dear Bimajumd,</P><P>Thanks for helping me!</P><P>Here you go:</P><P>Configuration guide attached as pdf.</P><P>&nbsp;</P><P>&nbsp;Sh ver: &nbsp;WS-C3560-24PS &nbsp; &nbsp; &nbsp;12.2(55)SE8 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; C3560-IPSERVICESK9-M</P><P>&nbsp;</P><P>&nbsp;</P><P>SW1#show dot1x interface f0/15 details</P><P>Dot1x Info for FastEthernet0/15<BR />-----------------------------------<BR />PAE &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; = AUTHENTICATOR<BR />PortControl &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; = AUTO<BR />ControlDirection &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;= Both<BR />HostMode &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;= SINGLE_HOST<BR />QuietPeriod &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; = 60<BR />ServerTimeout &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; = 0<BR />SuppTimeout &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; = 30<BR />ReAuthMax &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; = 2<BR />MaxReq &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;= 2<BR />TxPeriod &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;= 30</P><P>Dot1x Authenticator Client List Empty</P><P>Port Status &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; = UNAUTHORIZED</P><P>&nbsp;</P><P>SW1#show authentication session interface f0/15<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Interface: &nbsp;FastEthernet0/15<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; MAC Address: &nbsp;Unknown<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;IP Address: &nbsp;Unknown<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; User-Name: &nbsp;UNRESPONSIVE<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Status: &nbsp;Running<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Domain: &nbsp;DATA<BR />&nbsp; &nbsp; &nbsp; Security Policy: &nbsp;Should Secure<BR />&nbsp; &nbsp; &nbsp; Security Status: &nbsp;Unsecure<BR />&nbsp; &nbsp; &nbsp; &nbsp;Oper host mode: &nbsp;single-host<BR />&nbsp; &nbsp; &nbsp;Oper control dir: &nbsp;both<BR />&nbsp; &nbsp; &nbsp; Session timeout: &nbsp;N/A<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Idle timeout: &nbsp;N/A<BR />&nbsp; &nbsp; Common Session ID: &nbsp;0A0063010000000500076EDE<BR />&nbsp; &nbsp; &nbsp; Acct Session ID: &nbsp;0x00000007<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Handle: &nbsp;0x0F000005</P><P>Runnable methods list:<BR />&nbsp; &nbsp; &nbsp; &nbsp;Method &nbsp; State<BR />&nbsp; &nbsp; &nbsp; &nbsp;dot1x &nbsp; &nbsp;Running</P><P>&nbsp;</P><P>&nbsp;</P><P>SW1#show port-security interface f0/15<BR />Port Security &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;: Disabled<BR />Port Status &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;: Secure-down<BR />Violation Mode &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; : Shutdown<BR />Aging Time &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; : 0 mins<BR />Aging Type &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; : Absolute<BR />SecureStatic Address Aging : Disabled<BR />Maximum MAC Addresses &nbsp; &nbsp; &nbsp;: 1<BR />Total MAC Addresses &nbsp; &nbsp; &nbsp; &nbsp;: 0<BR />Configured MAC Addresses &nbsp; : 0<BR />Sticky MAC Addresses &nbsp; &nbsp; &nbsp; : 0<BR />Last Source Address:Vlan &nbsp; : 0000.0000.0000:0<BR />Security Violation Count &nbsp; : 0</P><P><BR />Win8.1 Authentication method: Protected EAP (PEAP)</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>The authentication is failed... i think there is some protocol mismatch, i am looking the debug now</P><P>&nbsp;</P><P>debug dot1x all</P><P>&nbsp;</P><P>*Mar &nbsp;1 00:04:25.312: dot1x-ev(Fa0/15): Interface state changed to UP<BR />*Mar &nbsp;1 00:04:25.321: &nbsp; &nbsp; dot1x_auth Fa0/15: initial state auth_initialize has enter<BR />*Mar &nbsp;1 00:04:25.321: dot1x-sm(Fa0/15): 0x88000001:auth_initialize_enter called<BR />*Mar &nbsp;1 00:04:25.321: &nbsp; &nbsp; dot1x_auth Fa0/15: during state auth_initialize, got event 0(cfg_auto)<BR />*Mar &nbsp;1 00:04:25.321: @@@ dot1x_auth Fa0/15: auth_initialize -&gt; auth_disconnected<BR />*Mar &nbsp;1 00:04:25.321: dot1x-sm(Fa0/15): 0x88000001:auth_disconnected_enter called<BR />*Mar &nbsp;1<BR />SW1# 00:04:25.321: &nbsp; &nbsp; dot1x_auth Fa0/15: idle during state auth_disconnected<BR />*Mar &nbsp;1 00:04:25.321: @@@ dot1x_auth Fa0/15: auth_disconnected -&gt; auth_restart<BR />*Mar &nbsp;1 00:04:25.321: dot1x-sm(Fa0/15): 0x88000001:auth_restart_enter called<BR />*Mar &nbsp;1 00:04:25.321: dot1x-ev(Fa0/15): Sending create new context event to EAP for 0x88000001 (0000.0000.0000)<BR />*Mar &nbsp;1 00:04:25.321: &nbsp; &nbsp; dot1x_auth_bend Fa0/15: initial state auth_bend_initialize has enter<BR />*Mar &nbsp;1 00:04:25.321: dot1x-sm(Fa0/15): 0x88000001:auth_bend_initiali<BR />SW1#ze_enter called<BR />*Mar &nbsp;1 00:04:25.321: &nbsp; &nbsp; dot1x_auth_bend Fa0/15: initial state auth_bend_initialize has idle<BR />*Mar &nbsp;1 00:04:25.321: &nbsp; &nbsp; dot1x_auth_bend Fa0/15: during state auth_bend_initialize, got event 16383(idle)<BR />*Mar &nbsp;1 00:04:25.321: @@@ dot1x_auth_bend Fa0/15: auth_bend_initialize -&gt; auth_bend_idle<BR />*Mar &nbsp;1 00:04:25.321: dot1x-sm(Fa0/15): 0x88000001:auth_bend_idle_enter called<BR />*Mar &nbsp;1 00:04:25.321: dot1x-ev(Fa0/15): Created a client entry (0x88000001)<BR />*Mar &nbsp;1 00:04:25.321: dot1x-ev(Fa0/15): Dot1<BR />SW1#x authentication started for 0x88000001 (0000.0000.0000)<BR />*Mar &nbsp;1 00:04:25.321: dot1x-ev:DOT1X Supplicant not enabled on FastEthernet0/15<BR />*Mar &nbsp;1 00:04:25.321: dot1x-sm(Fa0/15): Posting !EAP_RESTART on Client 0x88000001<BR />*Mar &nbsp;1 00:04:25.321: &nbsp; &nbsp; dot1x_auth Fa0/15: during state auth_restart, got event 6(no_eapRestart)<BR />*Mar &nbsp;1 00:04:25.321: @@@ dot1x_auth Fa0/15: auth_restart -&gt; auth_connecting<BR />*Mar &nbsp;1 00:04:25.321: dot1x-sm(Fa0/15): 0x88000001:auth_connecting_enter called<BR />*Mar &nbsp;1 00:04:25.321: dot1x-sm<BR />SW1#(Fa0/15): 0x88000001:auth_restart_connecting_action called<BR />*Mar &nbsp;1 00:04:25.321: dot1x-sm(Fa0/15): Posting RX_REQ on Client 0x88000001<BR />*Mar &nbsp;1 00:04:25.321: &nbsp; &nbsp; dot1x_auth Fa0/15: during state auth_connecting, got event 10(eapReq_no_reAuthMax)<BR />*Mar &nbsp;1 00:04:25.321: @@@ dot1x_auth Fa0/15: auth_connecting -&gt; auth_authenticating<BR />*Mar &nbsp;1 00:04:25.321: dot1x-sm(Fa0/15): 0x88000001:auth_authenticating_enter called<BR />*Mar &nbsp;1 00:04:25.321: dot1x-sm(Fa0/15): 0x88000001:auth_connecting_authenticating_action calle<BR />SW1#d<BR />*Mar &nbsp;1 00:04:25.321: dot1x-sm(Fa0/15): Posting AUTH_START for 0x88000001<BR />*Mar &nbsp;1 00:04:25.321: &nbsp; &nbsp; dot1x_auth_bend Fa0/15: during state auth_bend_idle, got event 4(eapReq_authStart)<BR />*Mar &nbsp;1 00:04:25.321: @@@ dot1x_auth_bend Fa0/15: auth_bend_idle -&gt; auth_bend_request<BR />*Mar &nbsp;1 00:04:25.321: dot1x-sm(Fa0/15): 0x88000001:auth_bend_request_enter called<BR />*Mar &nbsp;1 00:04:25.321: dot1x-ev(Fa0/15): Sending EAPOL packet to group PAE address<BR />*Mar &nbsp;1 00:04:25.321: dot1x-ev(Fa0/15): Role determination not require<BR />SW1#d<BR />*Mar &nbsp;1 00:04:25.321: dot1x-registry:registry:dot1x_ether_macaddr called<BR />*Mar &nbsp;1 00:04:25.329: dot1x-ev(Fa0/15): Sending out EAPOL packet<BR />*Mar &nbsp;1 00:04:25.329: EAPOL pak dump Tx<BR />*Mar &nbsp;1 00:04:25.329: EAPOL Version: 0x3 &nbsp;type: 0x0 &nbsp;length: 0x0005<BR />*Mar &nbsp;1 00:04:25.329: EAP code: 0x1 &nbsp;id: 0x1 &nbsp;length: 0x0005 type: 0x1<BR />*Mar &nbsp;1 00:04:25.329: dot1x-packet(Fa0/15): EAPOL packet sent to client 0x88000001 (0000.0000.0000)<BR />*Mar &nbsp;1 00:04:25.329: dot1x-sm(Fa0/15): 0x88000001:auth_bend_idle_request_action cal<BR />SW1#led<BR />*Mar &nbsp;1 00:04:25.589: dot1x-ev(Fa0/15): Role determination not required<BR />*Mar &nbsp;1 00:04:25.589: dot1x-packet(Fa0/15): queuing an EAPOL pkt on Auth Q<BR />*Mar &nbsp;1 00:04:25.589: dot1x-ev:Enqueued the eapol packet to the global authenticator queue<BR />*Mar &nbsp;1 00:04:25.589: EAPOL pak dump rx<BR />*Mar &nbsp;1 00:04:25.589: EAPOL Version: 0x1 &nbsp;type: 0x1 &nbsp;length: 0x0000<BR />*Mar &nbsp;1 00:04:25.589: dot1x-ev:<BR />dot1x_auth_queue_event: Int Fa0/15 CODE= 0,TYPE= 0,LEN= 0</P><P>*Mar &nbsp;1 00:04:25.589: dot1x-packet(Fa0/15): Received an EAPOL<BR />SW1# frame<BR />*Mar &nbsp;1 00:04:25.589: dot1x-ev(Fa0/15): Received pkt saddr =0023.18e4.9a7c , daddr = 0180.c200.0003,<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; pae-ether-type = 888e.0101.0000<BR />*Mar &nbsp;1 00:04:25.589: dot1x-ev(Fa0/15): Couldn't find the supplicant in the list<BR />*Mar &nbsp;1 00:04:25.589: dot1x-ev(Fa0/15): New client detected, notifying AuthMgr<BR />*Mar &nbsp;1 00:04:25.589: dot1x-ev(Fa0/15): Sending event (0) to Auth Mgr for 0023.18e4.9a7c<BR />*Mar &nbsp;1 00:04:25.589: dot1x-packet(Fa0/15): Received an EAPOL-Start packet<BR />*Mar &nbsp;1 00:04:25.589: EAPOL pak d<BR />SW1#ump rx<BR />*Mar &nbsp;1 00:04:25.589: EAPOL Version: 0x1 &nbsp;type: 0x1 &nbsp;length: 0x0000<BR />*Mar &nbsp;1 00:04:25.589: dot1x-sm(Fa0/15): Posting EAPOL_START on Client 0x88000001<BR />*Mar &nbsp;1 00:04:25.589: &nbsp; &nbsp; dot1x_auth Fa0/15: during state auth_authenticating, got event 4(eapolStart)<BR />*Mar &nbsp;1 00:04:25.589: @@@ dot1x_auth Fa0/15: auth_authenticating -&gt; auth_aborting<BR />*Mar &nbsp;1 00:04:25.589: dot1x-sm(Fa0/15): 0x88000001:auth_authenticating_exit called<BR />*Mar &nbsp;1 00:04:25.589: dot1x-sm(Fa0/15): 0x88000001:auth_aborting_enter called<BR />*M<BR />SW1#ar &nbsp;1 00:04:25.589: dot1x-ev(Fa0/15): 802.1x method gets the go ahead from Auth Mgr for 0x88000001 (0023.18e4.9a7c)<BR />*Mar &nbsp;1 00:04:25.589: %AUTHMGR-5-START: Starting 'dot1x' for client (0023.18e4.9a7c) on Interface Fa0/15 AuditSessionID 0A0063010000000100040C6B<BR />*Mar &nbsp;1 00:04:25.589: dot1x-sm(Fa0/15): Posting AUTH_ABORT for 0x88000001<BR />*Mar &nbsp;1 00:04:25.589: &nbsp; &nbsp; dot1x_auth_bend Fa0/15: during state auth_bend_request, got event 1(authAbort)<BR />*Mar &nbsp;1 00:04:25.589: @@@ dot1x_auth_bend Fa0/15: auth_bend_request<BR />SW1# -&gt; auth_bend_initialize<BR />*Mar &nbsp;1 00:04:25.589: dot1x-sm(Fa0/15): 0x88000001:auth_bend_initialize_enter called<BR />*Mar &nbsp;1 00:04:25.589: &nbsp; &nbsp; dot1x_auth_bend Fa0/15: idle during state auth_bend_initialize<BR />*Mar &nbsp;1 00:04:25.589: @@@ dot1x_auth_bend Fa0/15: auth_bend_initialize -&gt; auth_bend_idle<BR />*Mar &nbsp;1 00:04:25.589: dot1x-sm(Fa0/15): 0x88000001:auth_bend_idle_enter called<BR />*Mar &nbsp;1 00:04:25.589: dot1x-sm(Fa0/15): Posting !AUTH_ABORT on Client 0x88000001<BR />*Mar &nbsp;1 00:04:25.589: &nbsp; &nbsp; dot1x_auth Fa0/15: during state<BR />SW1# auth_aborting, got event 20(no_eapolLogoff_no_authAbort)<BR />*Mar &nbsp;1 00:04:25.589: @@@ dot1x_auth Fa0/15: auth_aborting -&gt; auth_restart<BR />*Mar &nbsp;1 00:04:25.589: dot1x-sm(Fa0/15): 0x88000001:auth_aborting_exit called<BR />*Mar &nbsp;1 00:04:25.589: dot1x-sm(Fa0/15): 0x88000001:auth_restart_enter called<BR />*Mar &nbsp;1 00:04:25.589: dot1x-ev(Fa0/15): Resetting the client 0x88000001 (0023.18e4.9a7c)<BR />*Mar &nbsp;1 00:04:25.589: dot1x-ev(Fa0/15): Sending create new context event to EAP for 0x88000001 (0023.18e4.9a7c)<BR />*Mar &nbsp;1 00:04:25.<BR />SW1#589: dot1x-sm(Fa0/15): 0x88000001:auth_aborting_restart_action called<BR />*Mar &nbsp;1 00:04:25.589: dot1x-sm(Fa0/15): Posting !EAP_RESTART on Client 0x88000001<BR />*Mar &nbsp;1 00:04:25.589: &nbsp; &nbsp; dot1x_auth Fa0/15: during state auth_restart, got event 6(no_eapRestart)<BR />*Mar &nbsp;1 00:04:25.589: @@@ dot1x_auth Fa0/15: auth_restart -&gt; auth_connecting<BR />*Mar &nbsp;1 00:04:25.589: dot1x-sm(Fa0/15): 0x88000001:auth_connecting_enter called<BR />*Mar &nbsp;1 00:04:25.589: dot1x-sm(Fa0/15): 0x88000001:auth_restart_connecting_action called<BR />*Mar &nbsp;1<BR />SW1#00:04:25.589: dot1x-sm(Fa0/15): Posting RX_REQ on Client 0x88000001<BR />*Mar &nbsp;1 00:04:25.589: &nbsp; &nbsp; dot1x_auth Fa0/15: during state auth_connecting, got event 10(eapReq_no_reAuthMax)<BR />*Mar &nbsp;1 00:04:25.597: @@@ dot1x_auth Fa0/15: auth_connecting -&gt; auth_authenticating<BR />*Mar &nbsp;1 00:04:25.597: dot1x-sm(Fa0/15): 0x88000001:auth_authenticating_enter called<BR />*Mar &nbsp;1 00:04:25.597: dot1x-sm(Fa0/15): 0x88000001:auth_connecting_authenticating_action called<BR />*Mar &nbsp;1 00:04:25.597: dot1x-sm(Fa0/15): Posting AUTH_START for 0x<BR />SW1#88000001<BR />*Mar &nbsp;1 00:04:25.597: &nbsp; &nbsp; dot1x_auth_bend Fa0/15: during state auth_bend_idle, got event 4(eapReq_authStart)<BR />*Mar &nbsp;1 00:04:25.597: @@@ dot1x_auth_bend Fa0/15: auth_bend_idle -&gt; auth_bend_request<BR />*Mar &nbsp;1 00:04:25.597: dot1x-sm(Fa0/15): 0x88000001:auth_bend_request_enter called<BR />*Mar &nbsp;1 00:04:25.597: dot1x-ev(Fa0/15): Sending EAPOL packet to group PAE address<BR />*Mar &nbsp;1 00:04:25.597: dot1x-ev(Fa0/15): Role determination not required<BR />*Mar &nbsp;1 00:04:25.597: dot1x-registry:registry:dot1x_ether_macaddr<BR />SW1# called<BR />*Mar &nbsp;1 00:04:25.597: dot1x-ev(Fa0/15): Sending out EAPOL packet<BR />*Mar &nbsp;1 00:04:25.597: EAPOL pak dump Tx<BR />*Mar &nbsp;1 00:04:25.597: EAPOL Version: 0x3 &nbsp;type: 0x0 &nbsp;length: 0x0005<BR />*Mar &nbsp;1 00:04:25.597: EAP code: 0x1 &nbsp;id: 0x1 &nbsp;length: 0x0005 type: 0x1<BR />*Mar &nbsp;1 00:04:25.597: dot1x-packet(Fa0/15): EAPOL packet sent to client 0x88000001 (0023.18e4.9a7c)<BR />*Mar &nbsp;1 00:04:25.597: dot1x-sm(Fa0/15): 0x88000001:auth_bend_idle_request_action called<BR />*Mar &nbsp;1 00:04:25.597: dot1x-ev(Fa0/15): Role determination not<BR />SW1#required<BR />*Mar &nbsp;1 00:04:25.597: dot1x-packet(Fa0/15): Queuing an EAPOL pkt on Authenticator Q<BR />*Mar &nbsp;1 00:04:25.597: dot1x-ev:Enqueued the eapol packet to the global authenticator queue<BR />*Mar &nbsp;1 00:04:25.597: EAPOL pak dump rx<BR />*Mar &nbsp;1 00:04:25.597: EAPOL Version: 0x1 &nbsp;type: 0x0 &nbsp;length: 0x000B<BR />*Mar &nbsp;1 00:04:25.597: dot1x-ev:<BR />dot1x_auth_queue_event: Int Fa0/15 CODE= 2,TYPE= 1,LEN= 11</P><P>*Mar &nbsp;1 00:04:25.597: dot1x-packet(Fa0/15): Received an EAPOL frame<BR />*Mar &nbsp;1 00:04:25.597: dot1x-ev(Fa0/15): Received p<BR />SW1#kt saddr =0023.18e4.9a7c , daddr = 0180.c200.0003,<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; pae-ether-type = 888e.0100.000b<BR />*Mar &nbsp;1 00:04:25.597: dot1x-packet(Fa0/15): Received an EAP packet<BR />*Mar &nbsp;1 00:04:25.597: EAPOL pak dump rx<BR />*Mar &nbsp;1 00:04:25.597: EAPOL Version: 0x1 &nbsp;type: 0x0 &nbsp;length: 0x000B<BR />*Mar &nbsp;1 00:04:25.597: dot1x-packet(Fa0/15): Received an EAP packet from 0023.18e4.9a7c<BR />*Mar &nbsp;1 00:04:25.606: dot1x-sm(Fa0/15): Posting EAPOL_EAP for 0x88000001<BR />*Mar &nbsp;1 00:04:25.606: &nbsp; &nbsp; dot1x_auth_bend Fa0/15: during state auth_bend_reques<BR />SW1#t, got event 6(eapolEap)<BR />*Mar &nbsp;1 00:04:25.606: @@@ dot1x_auth_bend Fa0/15: auth_bend_request -&gt; auth_bend_response<BR />*Mar &nbsp;1 00:04:25.606: dot1x-sm(Fa0/15): 0x88000001:auth_bend_response_enter called<BR />*Mar &nbsp;1 00:04:25.606: dot1x-ev(Fa0/15): dot1x_sendRespToServer: Response sent to the server from 0x88000001 (0023.18e4.9a7c)<BR />*Mar &nbsp;1 00:04:25.606: dot1x-sm(Fa0/15): 0x88000001:auth_bend_request_response_action called<BR />*Mar &nbsp;1 00:04:25.614: dot1x-ev(Fa0/15): Received an EAP Fail<BR />*Mar &nbsp;1 00:04:25.614: dot1x-s<BR />SW1#m(Fa0/15): Posting EAP_FAIL for 0x88000001<BR />*Mar &nbsp;1 00:04:25.614: &nbsp; &nbsp; dot1x_auth_bend Fa0/15: during state auth_bend_response, got event 10(eapFail)<BR />*Mar &nbsp;1 00:04:25.614: @@@ dot1x_auth_bend Fa0/15: auth_bend_response -&gt; auth_bend_fail<BR />*Mar &nbsp;1 00:04:25.614: dot1x-sm(Fa0/15): 0x88000001:auth_bend_response_exit called<BR />*Mar &nbsp;1 00:04:25.614: dot1x-sm(Fa0/15): 0x88000001:auth_bend_fail_enter called<BR />*Mar &nbsp;1 00:04:25.614: dot1x-sm(Fa0/15): 0x88000001:auth_bend_response_fail_action called<BR />*Mar &nbsp;1 00:04:25.614<BR />SW1#: &nbsp; &nbsp; dot1x_auth_bend Fa0/15: idle during state auth_bend_fail<BR />*Mar &nbsp;1 00:04:25.614: @@@ dot1x_auth_bend Fa0/15: auth_bend_fail -&gt; auth_bend_idle<BR />*Mar &nbsp;1 00:04:25.614: dot1x-sm(Fa0/15): 0x88000001:auth_bend_idle_enter called<BR />*Mar &nbsp;1 00:04:25.614: dot1x-sm(Fa0/15): Posting AUTH_FAIL on Client 0x88000001<BR />*Mar &nbsp;1 00:04:25.614: &nbsp; &nbsp; dot1x_auth Fa0/15: during state auth_authenticating, got event 15(authFail)<BR />*Mar &nbsp;1 00:04:25.614: @@@ dot1x_auth Fa0/15: auth_authenticating -&gt; auth_authc_result<BR />*Mar &nbsp;1 00:04<BR />SW1#:25.614: dot1x-sm(Fa0/15): 0x88000001:auth_authenticating_exit called<BR />*Mar &nbsp;1 00:04:25.614: dot1x-sm(Fa0/15): 0x88000001:auth_authc_result_enter called<BR />*Mar &nbsp;1 00:04:25.614: %DOT1X-5-FAIL: Authentication failed for client (0023.18e4.9a7c) on Interface Fa0/15 AuditSessionID<BR />*Mar &nbsp;1 00:04:25.614: dot1x-ev(Fa0/15): Sending event (2) to Auth Mgr for 0023.18e4.9a7c<BR />*Mar &nbsp;1 00:04:25.614: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0023.18e4.9a7c) on Interface Fa0/15 AuditSession<BR />SW1#ID 0A0063010000000100040C6B<BR />*Mar &nbsp;1 00:04:25.614: %AUTHMGR-5-FAIL: Authorization failed for client (0023.18e4.9a7c) on Interface Fa0/15 AuditSessionID 0A0063010000000100040C6B<BR />*Mar &nbsp;1 00:04:25.614: dot1x-redundancy: State for client &nbsp;0023.18e4.9a7c successfully retrieved<BR />*Mar &nbsp;1 00:04:25.614: dot1x-ev(Fa0/15): Received Authz fail for the client &nbsp;0x88000001 (0023.18e4.9a7c)<BR />*Mar &nbsp;1 00:04:25.623: dot1x-sm(Fa0/15): Posting_AUTHZ_FAIL on Client 0x88000001<BR />*Mar &nbsp;1 00:04:25.623: &nbsp; &nbsp; dot1x_auth Fa0/15: durin<BR />SW1#g state auth_authc_result, got event 22(authzFail)<BR />*Mar &nbsp;1 00:04:25.623: @@@ dot1x_auth Fa0/15: auth_authc_result -&gt; auth_held<BR />*Mar &nbsp;1 00:04:25.623: dot1x-sm(Fa0/15): 0x88000001:auth_held_enter called<BR />*Mar &nbsp;1 00:04:25.623: dot1x-ev(Fa0/15): Sending EAPOL packet to group PAE address<BR />*Mar &nbsp;1 00:04:25.623: dot1x-ev(Fa0/15): Role determination not required<BR />*Mar &nbsp;1 00:04:25.623: dot1x-registry:registry:dot1x_ether_macaddr called<BR />*Mar &nbsp;1 00:04:25.623: dot1x-ev(Fa0/15): Sending out EAPOL packet<BR />*Mar &nbsp;1 00:<BR />SW1#04:25.623: EAPOL pak dump Tx<BR />*Mar &nbsp;1 00:04:25.623: EAPOL Version: 0x3 &nbsp;type: 0x0 &nbsp;length: 0x0004<BR />*Mar &nbsp;1 00:04:25.623: EAP code: 0x4 &nbsp;id: 0x1 &nbsp;length: 0x0004<BR />*Mar &nbsp;1 00:04:25.623: dot1x-packet(Fa0/15): EAPOL packet sent to client 0x88000001 (0023.18e4.9a7c)<BR />*Mar &nbsp;1 00:04:27.317: %LINK-3-UPDOWN: Interface FastEthernet0/15, changed state to up</P> Thu, 20 Mar 2014 20:38:06 GMT https://community.cisco.com/t5/network-access-control/dot1x-auth-doesn-t-work-on-3550-60/m-p/2487582#M87126 Istvan kelemen 2014-03-20T20:38:06Z https://community.cisco.com/t5/network-access-control/dot1x-auth-doesn-t-work-on-3550-60/m-p/2487583#M87128 <P><SPAN style="font-size:12px;"><SPAN style="font-family:verdana,geneva,sans-serif;">Debugs suggest that supplicant did send the request to radius server however radius server rejected it. It would be worth looking at the server to know the reason of failure. You could also run debug radius on the switch to understand radius communication. Do you have validate server certificate option checked on the supplicany under ethernet adapter settings? If yes, do you have the root certificate installed on the machine? If no, please uncheck the 'validate server certificate option and attempt to authenticate again. Most likely you will see an "ssl handshake" error but it would be great if you look for an exact error message.</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN style="font-size:12px;"><SPAN style="font-family:verdana,geneva,sans-serif;">*Mar &nbsp;1 00:04:25.606: dot1x-ev(Fa0/15): dot1x_sendRespToServer: Response sent to the server from 0x88000001 (0023.18e4.9a7c)<BR style="font-size: 14.545454025268555px;" />*Mar &nbsp;1 00:04:25.606: dot1x-sm(Fa0/15): 0x88000001:auth_bend_request_response_action called<BR style="font-size: 14.545454025268555px;" />*Mar &nbsp;1 00:04:25.614: dot1x-ev(Fa0/15): Received an EAP Fail<BR style="font-size: 14.545454025268555px;" />*Mar &nbsp;1 00:04:25.614: dot1x-s<BR style="font-size: 14.545454025268555px;" />SW1#m(Fa0/15): Posting EAP_FAIL for 0x88000001<BR style="font-size: 14.545454025268555px;" />*Mar &nbsp;1 00:04:25.614: &nbsp; &nbsp; dot1x_auth_bend Fa0/15: during state auth_bend_response, got event 10(eapFail)<BR style="font-size: 14.545454025268555px;" />*Mar &nbsp;1 00:04:25.614: @@@ dot1x_auth_bend Fa0/15: auth_bend_response -&gt; auth_bend_fail<BR style="font-size: 14.545454025268555px;" />*Mar &nbsp;1 00:04:25.614: dot1x-sm(Fa0/15): 0x88000001:auth_bend_response_exit called<BR style="font-size: 14.545454025268555px;" />*Mar &nbsp;1 00:04:25.614: dot1x-sm(Fa0/15): 0x88000001:auth_bend_fail_enter called<BR style="font-size: 14.545454025268555px;" />*Mar &nbsp;1 00:04:25.614: dot1x-sm(Fa0/15): 0x88000001:auth_bend_response_fail_action called<BR style="font-size: 14.545454025268555px;" />*Mar &nbsp;1 00:04:25.614<BR style="font-size: 14.545454025268555px;" />SW1#: &nbsp; &nbsp; dot1x_auth_bend Fa0/15: idle during state auth_bend_fail<BR style="font-size: 14.545454025268555px;" />*Mar &nbsp;1 00:04:25.614: @@@ dot1x_auth_bend Fa0/15: auth_bend_fail -&gt; auth_bend_idle<BR style="font-size: 14.545454025268555px;" />*Mar &nbsp;1 00:04:25.614: dot1x-sm(Fa0/15): 0x88000001:auth_bend_idle_enter called<BR style="font-size: 14.545454025268555px;" />*Mar &nbsp;1 00:04:25.614: dot1x-sm(Fa0/15): Posting AUTH_FAIL on Client 0x88000001<BR style="font-size: 14.545454025268555px;" />*Mar &nbsp;1 00:04:25.614: &nbsp; &nbsp; dot1x_auth Fa0/15: during state auth_authenticating, got event 15(authFail)<BR style="font-size: 14.545454025268555px;" />*Mar &nbsp;1 00:04:25.614: @@@ dot1x_auth Fa0/15: auth_authenticating -&gt; auth_authc_result<BR style="font-size: 14.545454025268555px;" />*Mar &nbsp;1 00:04<BR style="font-size: 14.545454025268555px;" />SW1#:25.614: dot1x-sm(Fa0/15): 0x88000001:auth_authenticating_exit called<BR style="font-size: 14.545454025268555px;" />*Mar &nbsp;1 00:04:25.614: dot1x-sm(Fa0/15): 0x88000001:auth_authc_result_enter called<BR style="font-size: 14.545454025268555px;" />*Mar &nbsp;1 00:04:25.614: %DOT1X-5-FAIL: Authentication failed for client (0023.18e4.9a7c) on Interface Fa0/15 AuditSessionID<BR style="font-size: 14.545454025268555px;" />*Mar &nbsp;1 00:04:25.614: dot1x-ev(Fa0/15): Sending event (2) to Auth Mgr for 0023.18e4.9a7c<BR style="font-size: 14.545454025268555px;" />*Mar &nbsp;1 00:04:25.614: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0023.18e4.9a7c) on Interface Fa0/15 AuditSession<BR style="font-size: 14.545454025268555px;" />SW1#ID 0A0063010000000100040C6B<BR style="font-size: 14.545454025268555px;" />*Mar &nbsp;1 00:04:25.614: %AUTHMGR-5-FAIL: Authorization failed for client (0023.18e4.9a7c) on Interface Fa0/15 AuditSessionID 0A0063010000000100040C6B<BR style="font-size: 14.545454025268555px;" />*Mar &nbsp;1 00:04:25.614: dot1x-redundancy: State for client &nbsp;0023.18e4.9a7c successfully retrieved<BR style="font-size: 14.545454025268555px;" />*Mar &nbsp;1 00:04:25.614: dot1x-ev(Fa0/15): Received Authz fail for the client &nbsp;0x88000001 (0023.18e4.9a7c)<BR style="font-size: 14.545454025268555px;" />*Mar &nbsp;1 00:04:25.623: dot1x-sm(Fa0/15): Posting_AUTHZ_FAIL on Client 0x88000001<BR style="font-size: 14.545454025268555px;" />*Mar &nbsp;1 00:04:25.623: &nbsp; &nbsp; dot1x_auth Fa0/15: durin<BR style="font-size: 14.545454025268555px;" />SW1#g state auth_authc_result, got event 22(authzFail)</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN style="font-size:12px;"><SPAN style="font-family:verdana,geneva,sans-serif;">Regards,</SPAN></SPAN></P><P><SPAN style="font-size:12px;"><SPAN style="font-family:verdana,geneva,sans-serif;">Jatin Katyal</SPAN></SPAN></P><P><SPAN style="font-size:12px;"><SPAN style="font-family:verdana,geneva,sans-serif;">*Do rate helpful posts*</SPAN></SPAN></P><DIV class="stwrapper" id="stwrapper" style="position: absolute; width: 500px; z-index: 89999999; margin: 0px; padding: 0px; top: -999px; left: -999px; visibility: hidden; height: auto;"><DIV class="stCloseNew2" style="z-index: 2000000; position: absolute; right: 25px; margin: 0px; padding: 0px; cursor: pointer; height: 25px; width: 30px;">&nbsp;</DIV><IFRAME allowtransparency="true" class="stLframe" frameborder="0" height="430px" id="stLframe" name="stLframe" scrolling="no" src="https://ws.sharethis.com/secure5x/index.html" style="top: 0px; left: 0px;" width="500px"></IFRAME></DIV> Fri, 21 Mar 2014 06:12:49 GMT https://community.cisco.com/t5/network-access-control/dot1x-auth-doesn-t-work-on-3550-60/m-p/2487583#M87128 Jatin Katyal 2014-03-21T06:12:49Z https://community.cisco.com/t5/network-access-control/dot1x-auth-doesn-t-work-on-3550-60/m-p/2487584#M87131 <P>Hi,</P><P>&nbsp;</P><P>Thanks!</P><P>&nbsp;</P><P>I tried with Cisco ACS 4.2</P><P>It works with MD5 authentication, i guess to get it working with win7/8 i need to install certificates on server side.</P> Mon, 24 Mar 2014 23:35:25 GMT https://community.cisco.com/t5/network-access-control/dot1x-auth-doesn-t-work-on-3550-60/m-p/2487584#M87131 Istvan kelemen 2014-03-24T23:35:25Z https://community.cisco.com/t5/network-access-control/dot1x-auth-doesn-t-work-on-3550-60/m-p/2487585#M87132 <P><SPAN style="font-size:12px;"><SPAN style="font-family:verdana,geneva,sans-serif;">you're right. Certificate is required on the server side to process EAP packet however it's optional with PEAP on the client side. All you need to do uncheck "validate server certificate" on the supplicant win7/8 settings. For now, you can install self signed certificate on the server side.</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN style="font-size:12px;"><SPAN style="font-family:verdana,geneva,sans-serif;">Regards,</SPAN></SPAN></P><P><SPAN style="font-size:12px;"><SPAN style="font-family:verdana,geneva,sans-serif;">Jatin Katyal</SPAN></SPAN></P><P><SPAN style="font-size:12px;"><SPAN style="font-family:verdana,geneva,sans-serif;">*Do rate helpful posts*</SPAN></SPAN></P> Mon, 24 Mar 2014 23:52:34 GMT https://community.cisco.com/t5/network-access-control/dot1x-auth-doesn-t-work-on-3550-60/m-p/2487585#M87132 Jatin Katyal 2014-03-24T23:52:34Z https://community.cisco.com/t5/network-access-control/dot1x-auth-doesn-t-work-on-3550-60/m-p/2487586#M87134 <P>Hello,</P><P>&nbsp;</P><P>I have unchecked, it does not work. Win8.1 latest updates</P> Wed, 26 Nov 2014 17:36:09 GMT https://community.cisco.com/t5/network-access-control/dot1x-auth-doesn-t-work-on-3550-60/m-p/2487586#M87134 Istvan kelemen 2014-11-26T17:36:09Z