04-11-2018 05:46 AM - edited 03-20-2019 10:03 PM
Hi,
I also have this message on WS-C3650-48PS with Fuji 16.8.1a but the phone and the laptop authenticate correctly.
SW#sh authentication sessions
Interface    MAC Address     Method  Domain  Status  Fg  Session ID
--------------------------------------------------------------------------------------------
Gi1/0/7      ec8e.b555.7dc3  dot1x   DATA    Auth        0A0E640D000000BBB4B06ED7
Gi1/0/7      f8a5.c5a0.373d  mab     VOICE   Auth        0A0E640D000000BAB4B06B77
Log from Switch:
%DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (f8a5.c5a0.373d) with reason (No Response from Client) on Interface Gi1/0/7 AuditSessionID 0A0E640D000000BAB4B06B77
Regards,
12-04-2019 08:33 AM
I know this thread is old, but no one ever seemed to respond to you. Did you ever get this issue sorted out? I am having the same issue on some new 9200L switches. Same config we have always used for our 3750s and 3650s and never had this issue until we installed the 9200L.
12-05-2019 01:35 AM
Hi,
Add this to your switch:
# dot1x logging verbose
Then you should see only this syslog (using version 16.6.5), so no start dot1x, no VLAN assignment and no authorization successful syslogs:
%DOT1X-5-SUCCESS: Switch 1 R0/0: smd: Authentication successful for client (AAAA.BBBB.CCCC) on Interface Gi1/0/29 AuditSessionID 0000AAAA333313145511
Here is an explanation of why you'll never see the same logs as on old switches:
Old switches logs (version 15.2(4)E7):
%AUTHMGR-5-START: Starting 'dot1x' for client (AAAA.BBBB.CCCC) on Interface Gi1/0/11 AuditSessionID 0A0E640B0038DA6804F798D0
%DOT1X-5-SUCCESS: Authentication successful for client (AAAA.BBBB.CCCC) on Interface Gi1/0/11 AuditSessionID 0A0E640B0038DA6804F798D0
%AUTHMGR-5-VLANASSIGN: VLAN 141 assigned to Interface Gi1/0/11 AuditSessionID 0A0E640B0038DA6804F798D0
%AUTHMGR-5-SUCCESS: Authorization succeeded for client (AAAA.BBBB.CCCC) on Interface Gi1/0/11 AuditSessionID 0A0E640B0038DA6804F798D0
Explanation:
The outputs (Dot1x authentication started for X (AAAA.BBBB.CCCC)) that you want to have on the syslog server can only be viewed when you change the trace levels to debug and run the respective show commands. Hence these outputs are not seen in the show logging output, which confirms why they are not sent to the syslog server. This is expected behavior. The logging mechanism for AAA has been modified in the Denali code. Due to changes in software architecture starting from IOS-XE version 16.3.2, all AAA components have been moved to a separate Linux daemon, the Session Manager Daemon (SMD), and hence there are separate commands for enabling as well as viewing the logs. On this newer code you will not be able to see such session details in the logging buffer, and as a consequence they cannot be sent to the syslog servers.
set platform software trace smd switch active R0 dot1x-all debug
set platform software trace smd switch active R0 radius debug
set platform software trace smd switch active R0 auth-mgr-all debug
Then to view the debug messages use the following command.
sh platform software trace message smd switch active R0
Hope this will help.
12-05-2019 08:06 AM
Thanks for this information. One thing that I realized yesterday that I was totally overlooking is that the devices having issues are actually daisy-chained phone and laptop.
What seems to happen is that initially both will auth just fine (PC uses dot1x and phone uses mab auth) but then after a few hours, the connected PC will lose its auth and the user will no longer have connectivity.
The error that I see here sort of makes sense. That MAC is for the phone, not the PC. Therefore, it should be failing dot1x auth, on purpose. So perhaps I have another issue and was getting distracted by all these messages in the log that I hadn't seen before on our other switches. I hadn't seen them before because of the reasons you mentioned, but that doesn't mean they are related.
This one has been a tricky one to try to diagnose.
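The triage discussed in the last two posts, as an added example that is not part of the thread or of Cisco's tooling: it parses the sh authentication sessions table and the DOT1X syslog lines quoted above, joins them on AuditSessionID, and labels a DOT1X-5-FAIL as expected when that session is already authorized by another method such as mab. The function names, the verdict strings and the third log line are assumptions constructed for illustration.

```python
import re

# Matches both formats quoted in the thread: classic IOS ("%DOT1X-5-SUCCESS: Authentication ...")
# and IOS-XE 16.x, which adds "Switch 1 R0/0: sessmgrd: " (or "smd: ") after the mnemonic.
LOG_RE = re.compile(
    r"%(?P<fac>[A-Z0-9]+)-\d-(?P<mnem>[A-Z]+): (?:Switch \d+ \S+: \w+: )?"
    r".*?client \((?P<mac>[0-9A-Fa-f.]+)\)(?: with reason \((?P<reason>[^)]*)\))?"
    r" on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-Fa-f]+)")
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)

def parse_sessions(show_output):
    """Map session ID -> row of 'sh authentication sessions' (header and rule are skipped)."""
    sessions = {}
    for line in show_output.splitlines():
        f = line.split()
        if len(f) >= 6 and MAC_RE.match(f[1]):
            sessions[f[-1].upper()] = {"intf": f[0], "mac": f[1].lower(),
                                       "method": f[2], "domain": f[3], "status": f[4]}
    return sessions

def triage(log_lines, sessions):
    """Label each DOT1X-5-FAIL line by comparing it with the live session table."""
    results = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or (m["fac"], m["mnem"]) != ("DOT1X", "FAIL"):
            continue  # SUCCESS, AUTHMGR and unrelated lines are not triaged here
        s = sessions.get(m["sid"].upper())
        if s and s["mac"] == m["mac"].lower() and s["status"] == "Auth" and s["method"] != "dot1x":
            verdict = "expected: authorized via " + s["method"]
        else:
            verdict = "investigate"
        results.append((m["mac"].lower(), m["intf"], m["reason"], verdict))
    return results

# Session table and the first two log lines are copied from the thread.
SHOW_OUTPUT = """Interface MAC Address Method Domain Status Fg Session ID
Gi1/0/7 ec8e.b555.7dc3 dot1x DATA Auth 0A0E640D000000BBB4B06ED7
Gi1/0/7 f8a5.c5a0.373d mab VOICE Auth 0A0E640D000000BAB4B06B77"""
LOGS = [
    "%DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (f8a5.c5a0.373d) with reason (No Response from Client) on Interface Gi1/0/7 AuditSessionID 0A0E640D000000BAB4B06B77",
    "%DOT1X-5-SUCCESS: Switch 1 R0/0: smd: Authentication successful for client (AAAA.BBBB.CCCC) on Interface Gi1/0/29 AuditSessionID 0000AAAA333313145511",
    # Constructed sample (MAC, port and session ID are made up): a failure with no authorized session.
    "%DOT1X-5-FAIL: Authentication failed for client (0011.2233.4455) with reason (No Response from Client) on Interface Gi1/0/9 AuditSessionID 0A0E640D000000BCB4B07000",
]

if __name__ == "__main__":
    for row in triage(LOGS, parse_sessions(SHOW_OUTPUT)):
        print(row)
```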