802.1x Authentication

AbelBurgos5029
Level 1

Hello,

I configured an 802.1x deployment using a Cisco 9300 Switch Stack IOS 16.8.1a, Cisco ISE IOS 2.6.156 and Windows 10 workstations using Windows supplicant software. The whole thing works... The supplicant is able to authenticate the user credentials, which are authenticated by the ISE against the Policy sets I created, downloading the dACL to the switch port and granting access to the network. So the things I want to happen are happening...

 

Here is the problem:

In order for all this to happen, I have to bring the switch port down and up (shut, no shut)... If I don't reset the switchport, the supplicant keeps trying to authenticate until it times out. It is not until I manually reset the port that it finally authenticates.

 

Any ideas on what the problem might be?

 

Thanks in advance.

8 Replies

balaji.bandi
Hall of Fame

Can you post the switch port configuration where you are making shut and no shut?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi,

 

I have the following config in the port:

#authentication open

#auth order dot1x

#auth priority dot1x

#dot1x pae authenticator

#Access-list PRE-AUTH in (allowing ICMP, DNS, etc)

#dot1x port-auth control auto

Do you have aaa accounting configured?

Provide your full configuration

Here is my full aaa configuration:

 

aaa group server tacacs+ ISE

    server name ______

aaa group server radius RADIUS-GROUP

    server name ______

aaa authentication login default group tacacs+ local

aaa authentication login VTY group ISE local

aaa authentication login console local

aaa authentication dot1x default group RADIUS-GROUP

aaa authorization exec default group tacacs+ local

aaa authorization network default group RADIUS-GROUP

aaa accounting dot1x default start-stop group RADIUS-GROUP

aaa accounting exec default start-stop group tacacs+

aaa accounting command 1 default start-stop group tacacs+

aaa accounting command 15 default start-stop group tacacs+

aaa login success-track-conf-time-24

aaa session-id common

ip http authentication aaa

 

Please let me know if you see something wrong... Thanks

Add the following:

aaa accounting update newinfo
aaa accounting auth-proxy default start-stop group RADIUS-GROUP
aaa accounting dot1x default start-stop group RADIUS-GROUP

Check the output of the interface AFTER you have logged off the computer and ensure there is no session

show authentication session interface X

 

No luck with that. Any other ideas?

 

Thanks

Post the output of the show command I provided of the interface when a computer has authenticated and after it has logged off.

Provide the full configuration of the interface

Turn on radius debug, log off the computer and provide the output

I would prefer to see the full interface config

 

show run interface gi x/x

BB
