CSCvg07470 - Dot1x and MAB not working

hpsteam2009
Level 1

Hi,

 

I also have this message on WS-C3650-48PS with Fuji 16.8.1a but the phone and the laptop authenticate correctly.

SW#sh authentication sessions
Interface                MAC Address    Method  Domain  Status Fg  Session ID
--------------------------------------------------------------------------------------------
Gi1/0/7                  ec8e.b555.7dc3 dot1x   DATA    Auth        0A0E640D000000BBB4B06ED7
Gi1/0/7                  f8a5.c5a0.373d mab     VOICE   Auth        0A0E640D000000BAB4B06B77

 

Log from Switch:

 

%DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (f8a5.c5a0.373d) with reason (No Response from Client) on Interface Gi1/0/7 AuditSessionID 0A0E640D000000BAB4B06B77

 

Regards,

3 Replies

shelzmike
Level 1

I know this thread is old, but no one ever seemed to respond to you. Did you ever get this issue sorted out? I am having the same issue on some new 9200L switches. Same config we have always used for our 3750s and 3650s and never had this issue until we installed the 9200L.

Hi,

Add this to your switch:

# dot1x logging verbose

Then you should see only this syslog (using version 16.6.5), so no start dot1x, no VLAN assignment and no authorization successful syslogs:

%DOT1X-5-SUCCESS: Switch 1 R0/0: smd: Authentication successful for client (AAAA.BBBB.CCCC) on Interface Gi1/0/29 AuditSessionID 0000AAAA333313145511

Here is an explanation of why you'll never see the same logs as on old switches:

Old switch logs (version 15.2(4)E7):

%AUTHMGR-5-START: Starting 'dot1x' for client (AAAA.BBBB.CCCC) on Interface Gi1/0/11 AuditSessionID 0A0E640B0038DA6804F798D0

%DOT1X-5-SUCCESS: Authentication successful for client (AAAA.BBBB.CCCC) on Interface Gi1/0/11 AuditSessionID 0A0E640B0038DA6804F798D0

%AUTHMGR-5-VLANASSIGN: VLAN 141 assigned to Interface Gi1/0/11 AuditSessionID 0A0E640B0038DA6804F798D0

%AUTHMGR-5-SUCCESS: Authorization succeeded for client (AAAA.BBBB.CCCC) on Interface Gi1/0/11 AuditSessionID 0A0E640B0038DA6804F798D0

Explanation:

The outputs (Dot1x authentication started for X (AAAA.BBBB.CCCC)) that you want to have on the syslog server are only viewed when you change the trace levels to debug and do the respective show commands. Hence these outputs are not seen in the show logging output, which confirms why they are not sent to the syslog server. It is an expected behavior. The logging mechanism for AAA has been modified in the Denali codes. Due to changes in software architecture starting from IOS-XE version 16.3.2, all AAA components have been moved to a separate Linux daemon, the Session Manager Daemon (SMD), and hence there are separate commands for enabling as well as viewing the logs. On these newer codes you will not be able to view such session details in the logging buffer and, as a consequence, they cannot be sent to the syslog servers.

 

set platform software trace smd switch active R0 dot1x-all debug

set platform software trace smd switch active R0 radius debug

set platform software trace smd switch active R0 auth-mgr-all debug

 

Then to view the debug messages use the following command.

 

sh platform software trace message smd switch active R0

 

Hope this will help.

Thanks for this information. One thing that I realized yesterday that I was totally overlooking is that the devices having issues are actually a daisy-chained phone and laptop.

What seems to happen is that initially both will auth just fine (PC uses dot1x and phone uses mab auth) but then after a few hours, the connected PC will lose its auth and the user will no longer have connectivity.

The error that I see here sort of makes sense. That MAC is for the phone, not the PC. Therefore, it should be failing dot1x auth, on purpose. So perhaps I have another issue and was getting distracted by all these messages in the log that I hadn't seen before on our other switches. I hadn't seen them before because of the reasons you mentioned, but that doesn't mean they are related. 

This one has been a tricky one to try to diagnose.
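
The triage the last reply arrives at, as an added example that is not part of the original thread: a `%DOT1X-5-FAIL` line is treated as expected noise only when the same MAC and AuditSessionID appear as an authorized MAB session and the reason is "No Response from Client"; everything else is flagged. The function names and the second syslog line are constructed for illustration.

```python
import re

MAC = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)
FAIL = re.compile(
    r"%DOT1X-5-FAIL:.*?client \((?P<mac>[0-9a-f.]+)\) with reason \((?P<reason>[^)]*)\)"
    r" on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)", re.I)

# 'show authentication sessions' output as quoted in the thread.
SESSIONS = """\
Interface                MAC Address    Method  Domain  Status Fg  Session ID
--------------------------------------------------------------------------------------------
Gi1/0/7                  ec8e.b555.7dc3 dot1x   DATA    Auth        0A0E640D000000BBB4B06ED7
Gi1/0/7                  f8a5.c5a0.373d mab     VOICE   Auth        0A0E640D000000BAB4B06B77
"""
# First line is the one quoted in the thread; the second is constructed sample data.
SYSLOG = """\
%DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (f8a5.c5a0.373d) with reason (No Response from Client) on Interface Gi1/0/7 AuditSessionID 0A0E640D000000BAB4B06B77
%DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (0011.2233.4455) with reason (No Response from Client) on Interface Gi1/0/9 AuditSessionID 0A0E640D000000BCB4B07000
"""

def parse_sessions(text):
    """Map (mac, session_id) -> row; header and separator lines are skipped."""
    rows = {}
    for line in text.splitlines():
        t = line.split()
        # The Fg column may be empty, so take the session ID as the last token.
        if len(t) >= 6 and MAC.match(t[1]):
            rows[(t[1].lower(), t[-1].upper())] = {
                "intf": t[0], "method": t[2].lower(), "status": t[4]}
    return rows

def triage(sessions_text, syslog_text):
    """Return (mac, interface, reason, verdict) for every DOT1X-5-FAIL line."""
    sessions = parse_sessions(sessions_text)
    results = []
    for m in FAIL.finditer(syslog_text):
        mac, sid = m["mac"].lower(), m["sid"].upper()
        row = sessions.get((mac, sid))
        # Expected: the client never answered EAPOL and MAB then authorized it
        # in the same session (the phone in the thread).
        expected = (row is not None and row["method"] == "mab"
                    and row["status"] == "Auth"
                    and m["reason"] == "No Response from Client")
        results.append((mac, m["intf"], m["reason"],
                        "expected" if expected else "investigate"))
    return results

if __name__ == "__main__":
    for r in triage(SESSIONS, SYSLOG):
        print(*r, sep="  ")
```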