802.1X Problem C2960X - 15.2(2)E7

julien.hache
Level 1

Hello,

I need to set up 802.1X on a wired LAN, on a C2960X.

I keep having the same issue:

When I set everything up, the PC won't be authorized, but the phone is. The PC comes with this error message:

Nov 17 13:30:54.910: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5081.40b8.103e) on Interface Gi1/0/3 AuditSessionID 0A0A1F3A0000002E00B33FAD

But when I disable "aaa authorization network ...", the PC goes into the right VLAN and is authenticated, but not the phone.

For the moment, they are both on two different interfaces, but I can't seem to find the problem.

The NPS is a Win Server with nothing else but NPS.

Here is the log output:

Nov 17 13:30:54.896: dot1x-packet:[5081.40b8.103e, Gi1/0/3] Received an EAP Success
Nov 17 13:30:54.899: dot1x-sm:[5081.40b8.103e, Gi1/0/3] Posting EAP_SUCCESS for 0xCC000034
Nov 17 13:30:54.899: dot1x_auth_bend Gi1/0/3: during state auth_bend_response, got event 11(eapSuccess)
Nov 17 13:30:54.899: @@@ dot1x_auth_bend Gi1/0/3: auth_bend_response -> auth_bend_success
Nov 17 13:30:54.899: dot1x-sm:[5081.40b8.103e, Gi1/0/3] 0xCC000034:exiting response state
Nov 17 13:30:54.899: dot1x-sm:[5081.40b8.103e, Gi1/0/3] 0xCC000034:entering success state
Nov 17 13:30:54.899: dot1x-sm:[5081.40b8.103e, Gi1/0/3] 0xCC000034:response success action
Nov 17 13:30:54.899: dot1x_auth_bend Gi1/0/3: idle during state auth_bend_success
Nov 17 13:30:54.903: @@@ dot1x_auth_bend Gi1/0/3: auth_bend_success -> auth_bend_idle
Nov 17 13:30:54.903: dot1x-sm:[5081.40b8.103e, Gi1/0/3] 0xCC000034:entering idle state
Nov 17 13:30:54.903: dot1x-sm:[5081.40b8.103e, Gi1/0/3] Posting AUTH_SUCCESS on Client 0xCC000034
Nov 17 13:30:54.903: dot1x_auth Gi1/0/3: during state auth_authenticating, got event 12(authSuccess_portValid)
Nov 17 13:30:54.903: @@@ dot1x_auth Gi1/0/3: auth_authenticating -> auth_authc_result
Nov 17 13:30:54.903: dot1x-sm:[5081.40b8.103e, Gi1/0/3] 0xCC000034:exiting authenticating state
Nov 17 13:30:54.903: dot1x-sm:[5081.40b8.103e, Gi1/0/3] 0xCC000034:entering authc result state
Nov 17 13:30:54.903: %DOT1X-5-SUCCESS: Authentication successful for client (5081.40b8.103e) on Interface Gi1/0/3 AuditSessionID 0A0A1F3A0000002E00B33FAD
Nov 17 13:30:54.903: dot1x-packet:[5081.40b8.103e, Gi1/0/3] EAP Key data detected adding to attribute list
Nov 17 13:30:54.910: dot1x-ev:[5081.40b8.103e, Gi1/0/3] Received Authz fail (result: 3) for the client 0xCC000034 (5081.40b8.103e)
Nov 17 13:30:54.910: dot1x-sm:[5081.40b8.103e, Gi1/0/3] Posting_AUTHZ_FAIL on Client 0xCC000034
Nov 17 13:30:54.910: dot1x_auth Gi1/0/3: during state auth_authc_result, got event 22(authzFail)
Nov 17 13:30:54.910: @@@ dot1x_auth Gi1/0/3: auth_authc_result -> auth_held
Nov 17 13:30:54.910: dot1x-sm:[5081.40b8.103e, Gi1/0/3] 0xCC000034: held
Nov 17 13:30:54.910: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5081.40b8.103e) on Interface Gi1/0/3 AuditSessionID 0A0A1F3A0000002E00B33FAD
Nov 17 13:30:54.910: dot1x-ev:[Gi1/0/3] Sending EAPOL packet to group PAE address
Nov 17 13:30:54.910: dot1x-registry:registry:dot1x_ether_macaddr called
Nov 17 13:30:54.910: dot1x-ev:[Gi1/0/3] Sending out EAPOL packet
Nov 17 13:30:54.910: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Nov 17 13:30:54.910: dot1x-packet: length: 0x0004
Nov 17 13:30:54.910: dot1x-packet:EAP code: 0x4 id: 0xB length: 0x0004
Nov 17 13:30:54.910: dot1x-packet:[5081.40b8.103e, Gi1/0/3] EAPOL canned status packet sent to client 0xCC000034
Nov 17 13:30:56.151: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to up

Here is my switch config:

#do sh run
Building configuration...
!
Current configuration : 11605 bytes
aaa new-model
!
aaa group server radius FranklinGroup
server name FranklinNPS
!
aaa authentication login default local enable
aaa authentication enable default enable
aaa authentication dot1x default group FranklinGroup
aaa authentication dot1x network group FranklinGroup
aaa authorization console
aaa authorization exec default local
aaa authorization network default group FranklinGroup
aaa accounting dot1x default start-stop group FranklinGroup
!
aaa session-id common
authentication mac-move permit
dot1x system-auth-control
!
vlan internal allocation policy ascending
!
!
class-map match-all AUTOQOS_VOIP_DATA_CLASS
match ip dscp ef
class-map match-all AUTOQOS_DEFAULT_CLASS
match access-group name AUTOQOS-ACL-DEFAULT
class-map match-all AUTOQOS_VOIP_SIGNAL_CLASS
match ip dscp cs3
!
policy-map AUTOQOS-SRND4-CISCOPHONE-POLICY
class AUTOQOS_VOIP_DATA_CLASS
set dscp ef
police 128000 8000 exceed-action policed-dscp-transmit
class AUTOQOS_DEFAULT_CLASS
set dscp default
police 10000000 8000 exceed-action policed-dscp-transmit
class AUTOQOS_VOIP_SIGNAL_CLASS
set dscp cs3
police 32000 8000 exceed-action policed-dscp-transmit
!
interface GigabitEthernet1/0/1
description This should work ... PC INTERFACE
switchport mode access
switchport voice vlan 20
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication host-mode multi-domain
authentication order dot1x mab
authentication port-control auto
authentication periodic
authentication violation replace
mab
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 3
auto qos voip cisco-phone
storm-control broadcast level 5.00
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY

interface GigabitEthernet1/0/2
description This should work ... PHONE INTERFACE
switchport mode access
switchport voice vlan 20
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication host-mode multi-domain
authentication order dot1x mab
authentication port-control auto
authentication periodic
authentication violation replace
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 3
auto qos voip cisco-phone
storm-control broadcast level 5.00
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY

interface GigabitEthernet1/0/49
description * trunk *
switchport trunk allowed vlan 1,5,11,20,31,33,34,50,55,60,666,667
switchport mode trunk
!
interface GigabitEthernet1/0/52
description * trunk *
switchport trunk allowed vlan 1,5,11,20,31,33,34,50,55,60,666,667
switchport mode trunk
!
interface Vlan1
description * VLAN1 DATA *
no ip address
!
interface Vlan20
description * VLAN20 TELEPHONIE *
no ip address
!
interface Vlan31
description * VLAN31 MANAGEMENT *
ip address XXXXXXX XXXXXXX
!
ip default-gateway XXXXXXXX
!
ip access-list extended AUTOQOS-ACL-DEFAULT
permit ip any any
!
radius server FranklinNPS
address ipv4 10.10.31.37 auth-port 1812 acct-port 1813
key 7 XXXXXXXXXXXXXXXXXXXXX

I'm totally lost on this one; if anyone can help me with that, it would be great!
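As an added example for the situation this post describes (not code from the original thread or from the poster), the following Python script triages `debug dot1x` output and port configuration. It parses the debug lines quoted above (plus one constructed `%DOT1X-5-FAIL` line for a different MAC, for contrast) and separates the outcome shown in the post, `%DOT1X-5-SUCCESS` followed a few milliseconds later by `Received Authz fail (result: 3)` and `%DOT1X-5-RESULT_OVERRIDE`, which means the RADIUS server returned an Access-Accept but the switch could not apply the authorization data in it, from a plain EAP failure. It also lints the two access-port stanzas: `authentication order dot1x mab` only ranks the methods, so a port that lists `mab` in the order but has no `mab` command (Gi1/0/2 above) never falls back to MAB, and in multi-domain mode the voice domain is assigned from the RADIUS reply, which the switch only honours when `aaa authorization network` is configured. The function names, the finding texts and the extra log line are this example's own.

```python
import re
from collections import defaultdict

# Sample debug output: three lines excerpted from the post above plus one
# constructed %DOT1X-5-FAIL line (0011.2233.4455 on Gi1/0/4) for contrast.
DEBUG_LOG = """\
Nov 17 13:30:54.903: %DOT1X-5-SUCCESS: Authentication successful for client (5081.40b8.103e) on Interface Gi1/0/3 AuditSessionID 0A0A1F3A0000002E00B33FAD
Nov 17 13:30:54.910: dot1x-ev:[5081.40b8.103e, Gi1/0/3] Received Authz fail (result: 3) for the client 0xCC000034 (5081.40b8.103e)
Nov 17 13:30:54.910: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5081.40b8.103e) on Interface Gi1/0/3 AuditSessionID 0A0A1F3A0000002E00B33FAD
Nov 17 13:31:10.000: %DOT1X-5-FAIL: Authentication failed for client (0011.2233.4455) on Interface Gi1/0/4 AuditSessionID 0A0A1F3A0000002F00B34000
"""

# Sample config: the AAA line the post says was toggled and the authentication
# lines of the two access ports (Gi1/0/1 has `mab`, Gi1/0/2 does not).
CONFIG = """\
aaa authorization network default group FranklinGroup
!
interface GigabitEthernet1/0/1
 authentication host-mode multi-domain
 authentication order dot1x mab
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 authentication host-mode multi-domain
 authentication order dot1x mab
 dot1x pae authenticator
!
"""

MAC = r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
PORT = r"(?P<port>\S+)"
# One regex per event kind; each captures the (mac, port) session it belongs to.
EVENTS = [
    ("auth_success", re.compile(rf"%DOT1X-5-SUCCESS: .*\({MAC}\) on Interface {PORT}")),
    ("authz_fail", re.compile(rf"dot1x-ev:\[{MAC}, {PORT}\] Received Authz fail \(result: (?P<code>\d+)\)")),
    ("result_override", re.compile(rf"%DOT1X-5-RESULT_OVERRIDE: .*\({MAC}\) on Interface {PORT}")),
    ("auth_fail", re.compile(rf"%DOT1X-5-FAIL: .*\({MAC}\) on Interface {PORT}")),
]


def parse_events(log):
    """Return the recognised events, in order, as dicts with kind/mac/port(/code)."""
    events = []
    for line in log.splitlines():
        for kind, pattern in EVENTS:
            m = pattern.search(line)
            if m:
                events.append({"kind": kind, **m.groupdict()})
                break
    return events


def classify_sessions(events):
    """One verdict per (mac, port); authz_fail after DOT1X-5-SUCCESS is not an EAP failure."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[(ev["mac"], ev["port"])].append(ev)
    verdicts = {}
    for key, evs in by_session.items():
        kinds = {ev["kind"] for ev in evs}
        if kinds & {"authz_fail", "result_override"}:
            # Access-Accept was received; the switch could not apply its authorization data.
            code = next((ev["code"] for ev in evs if ev["kind"] == "authz_fail"), "?")
            verdicts[key] = f"authenticated-but-not-authorized (authz result {code})"
        elif "auth_fail" in kinds:
            verdicts[key] = "authentication-failed"
        elif "auth_success" in kinds:
            verdicts[key] = "authenticated-and-authorized"
        else:
            verdicts[key] = "incomplete"
    return verdicts


def lint_ports(config):
    """Return {port: [findings]} for port settings that cannot work as written."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line in ("", "!"):
            current = None
        elif current is not None:
            stanzas[current].append(line)
    has_authz = any(l.strip().startswith("aaa authorization network") for l in config.splitlines())
    findings = {}
    for port, lines in stanzas.items():
        problems = []
        order = next((l for l in lines if l.startswith("authentication order")), "")
        if "mab" in order.split() and "mab" not in lines:  # order only ranks methods
            problems.append("mab is in 'authentication order' but not enabled on the port")
        if "authentication host-mode multi-domain" in lines and not has_authz:
            problems.append("multi-domain host mode without 'aaa authorization network'")
        if problems:
            findings[port] = problems
    return findings


if __name__ == "__main__":
    for (mac, port), verdict in classify_sessions(parse_events(DEBUG_LOG)).items():
        print(f"{port} {mac}: {verdict}")
    for port, problems in lint_ports(CONFIG).items():
        print(f"{port}: " + "; ".join(problems))
```

Run against the excerpt above, the PC session on Gi1/0/3 is reported as authenticated-but-not-authorized with authorization result 3, and only Gi1/0/2 is flagged for the missing `mab` command; removing the `aaa authorization network` line from the sample config makes both multi-domain ports get a second finding, which is the configuration the post says lets the PC in but keeps the phone out.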
