topic Re: Need some help with dot1x please in Network Access Control

Need some help with dot1x please

Mariusz00001 — Mon, 11 Mar 2019 04:23:48 GMT

Cisco 2950, ACS 5.3

ACS tested, I created a local account on the ACS and enabled authentication on the 2950. All working.

Dot1x - not working

Configuration on the switch:

Switch#sh run | i dot1x

aaa authentication dot1x default group tacacs+

aaa authorization network default group tacacs+

tacacs-server host 172.16.1.175

dot1x system-auth-control

Switch#sh run int f0/2

Building configuration...

Current configuration : 107 b

interface FastEthernet0/2

switchport mode access

dot1x port-control auto

spanning-tree portfast

Switch#sh dot1x int f0/2

Supplicant MAC <Not Applicable>

AuthSM State = CONNECTING

BendSM State = IDLE

Posture = N/A

PortStatus = UNAUTHORIZED

MaxReq = 2

MaxAuthReq = 2

HostMode = Single

Port Control = Auto

ControlDirection = Both

QuietPeriod = 60 Seconds

Re-authentication = Disabled

ReAuthPeriod = 3600 Seconds

ServerTimeout = 30 Seconds

SuppTimeout = 30 Seconds

TxPeriod = 30 Seconds

Guest-Vlan = 0

AuthFail-Vlan = 0

AuthFail-Max-Attempts = 3

And it stays like that

Debug

01:59:21: dot1x-ev:Received QUEUE EVENT in response to AAA Request

01:59:21: dot1x-ev:Dot1x matching request-response id 4294967283 found

01:59:21: dot1x-ev:Length of recv eap packet from radius = 4

01:59:21: dot1x-ev:Received VLAN Id -1

01:59:22: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up

FastEthernet0/2

02:00:38: dot1x-ev:dot1x_post_message_to_auth_sm: removing supplicant 0015.60c3

8613 SM

02:00:38: dot1x-ev:destroy supplicant block for 0015.60c3.8613

02:00:38: dot1x-ev:Enter function dot1x_aaa_acct_end

02:00:38: dot1x-ev:Couldn't find a supplicant block for mac 0015.60c3.8613

I would expect my Windows7 client to ask me for a username/pass (dot1x enabled on my NIC card)

Re: Need some help with dot1x please

Mariusz00001 — Wed, 12 Feb 2014 15:59:54 GMT

On ACS I can see

13011 Invalid TACACS+ request packet - possibly mismatched Shared Secrets

Which is not true as I can telnet to this switch using a Tacacs account

I also added a username/pass to my NIC settings. Windows says: 'authentication failed'

Re: Need some help with dot1x please

hdussa — Thu, 13 Feb 2014 09:36:31 GMT

You need to configure RADIUS for dot1x.

aaa authentication dot1x default group radius

aaa authorization network default group radius

radius-server host x.x.x.x auth-port 1812 acct-port 1813

radius-server timeout 3

radius-server key blabla
!

Re: Need some help with dot1x please

Naveen Kumar — Fri, 14 Feb 2014 07:52:38 GMT

Please have a look on a very good docs for 802.1x authentication, configuration and verification commands:

http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116506-configure-acs-00.html

Re: Need some help with dot1x please

blenka — Thu, 20 Feb 2014 11:14:11 GMT

Please go through the link below may help you to get verified.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_010000.html