topic Re: DOT1X-5-FAIL: Authentication failed for client in Network Security

DOT1X-5-FAIL: Authentication failed for client

akgupt89 — Sat, 15 May 2021 18:20:46 GMT

I have configured my access switch interfaces with DOT1X authentication from Radius server. And my end host connected with these interfaces are getting their IP from DHCP server. But since my end host clients are not able to authenticate successfully, hence DHCP is not assigning them IP. I am able to ping the ISE servers from switch. Kindly suggest possible solution or do I need to check with ISE server owner.

Below is the logs captured from switch.

switch#sh logging | i 1/23
May 14 2021 21:02:46.033 UTC: %DOT1X-5-FAIL: Authentication failed for client (xxxx.xxxx.xxxx) on Interface Gi1/23
May 15 2021 03:01:44.304 UTC: %DOT1X-5-FAIL: Authentication failed for client (xxxx.xxxx.xxxx) on Interface Gi1/23
switch#sh run int gig1/23
Building configuration...

Current configuration : 1040 bytes
!
interface GigabitEthernet1/23
switchport access vlan XXXX
switchport mode access
switchport voice vlan YYYY
ip access-group ACL-NAME in
no logging event link-status
speed auto 10 100 1000
authentication event fail action next-method
authentication event server dead action authorize vlan XXXX
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
snmp trap mac-notification change added
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
ip dhcp snooping limit rate 15
end

switch# sh run | i dot1x

aaa authentication dot1x default group ISE_SERVERS

aaa accounting dot1x default start-stop group ISE_SERVERS

Re: DOT1X-5-FAIL: Authentication failed for client

MHM Cisco World — Sat, 15 May 2021 20:06:17 GMT

Hi Friend,
this Mode is called Low-Mode,
Low-Mode is the mode that config VLAN DATA for the interface and config the pre-Auth ACL,

the Flow is as Following :-

1- the client connect to interface it get vlan as you config
2- the client is limit access depend on the Pre-Auth you config
3- if the client success 802.1x then the Radius will send dACL to make the client full access
4- if the client not success then it will try MAB "as your config"
5- the client also failed the MAB then what happened ?
A- Next-method only if you config the WebAuth
B- Failed VLAN

you config the next-method without WebAuth and this meaning return to first step, and this make port closed and this loop is continuos.

change the failed from next-method to VLAN X "full access"

Re: DOT1X-5-FAIL: Authentication failed for client

shixeliyevanazrin — Sat, 28 Oct 2023 08:07:23 GMT

Could anybody find what caused this problem? any solution?

Re: DOT1X-5-FAIL: Authentication failed for client

jorenilson.santos — Fri, 03 Jan 2025 12:29:40 GMT

Someone found the solution to this issue?