topic Problem with DOT1X in Network Security

Problem with DOT1X

mlada16548 — Thu, 10 Sep 2020 16:42:52 GMT

Hello,

i have two cisco C3650, in one of them i was configure sucessful 802.1x but in second i want use IBNS 2.0, im create tempalte for dot1x but when i configure port and restart then i have always this same information about cred fail. I'm using windows NPS, AD and CA, if i connect one host to first switch his authenticate sucesfull but in second when i use "show access-session" i see: Method Dot1x, Domain Unknown, Status UnAuth.

Thanks for help.

Re: Problem with DOT1X

Francesco Molino — Fri, 11 Sep 2020 03:34:20 GMT

Can you please share the configuration you did on the second switch?

Re: Problem with DOT1X

mlada16548 — Fri, 11 Sep 2020 06:04:28 GMT

interface GigabitEthernet1/0/11
description ######
switchport mode access
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky ####.####.####
switchport port-security
access-session port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
service-policy type control subscriber TEST

policy-map type control subscriber TEST

event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x priority 10
event agent-found match-all
10 class always do-until-failure
30 authenticate using dot1x priority 10
event authentication-failure match-first
10 class always do-until-failure
event authentication-success match-all
10 class always do-until-failure
10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE

radius server radius
address ipv4 192.168.40.45 auth-port 1645 acct-port 1646 key ######

dot1x system-auth-control
dot1x auth-fail eapol

aaa authentication login default group radius local
aaa authentication enable default group radius
aaa authentication dot1x default group radius
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius if-authenticated
aaa accounting identity default start-stop group radius
aaa accounting system default start-stop group radius

Re: Problem with DOT1X

mlada16548 — Fri, 11 Sep 2020 06:19:32 GMT

in logg i have only one messange:

%DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (xxxx.xxxx.xxxx) with reason (Cred Fail) on Interface Gi1/0/11 AuditSessionID C0A8230E00013533E1B44AC2

Re: Problem with DOT1X

mlada16548 — Fri, 11 Sep 2020 08:21:07 GMT

Ok i now what i have a problem, in secon switch im using wrong radius server name in configuration. Sorry for waisting your time.