07-13-2022 08:12 AM
Hello everybody
I am trying to implement dot1x on eve-ng, and every time I try I receive weird results!
My current problem is that my switch doesn't seem to send the username to the ISE server and I am only able to use MAB. Here is my configuration:
SW1#sh run
Building configuration...
Current configuration : 3231 bytes
!
! Last configuration change at 11:53:46 EET Sat Jul 2 2022
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa group server radius DOT1X_AUTHENTICATION
server name ISE-A
server name ISE-B
!
aaa authentication dot1x default group DOT1X_AUTHENTICATION
aaa authorization network default group DOT1X_AUTHENTICATION
aaa accounting update newinfo
aaa accounting dot1x default start-stop group DOT1X_AUTHENTICATION
!
!
!
!
!
aaa server radius dynamic-author
client 10.10.100.101 server-key Cisco123
client 10.10.100.102 server-key Cisco123
!
aaa session-id common
clock timezone EET 2 0
!
!
!
!
!
!
ip dhcp-relay source-interface Ethernet0/0
!
!
ip device tracking probe delay 15
ip cef
ipv6 multicast rpf use-bgp
no ipv6 cef
authentication mac-move permit
mab request format attribute 32 vlan access-vlan
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
!
!
interface Ethernet0/1
description Connected to Win10
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 1
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 3
!
vlan 10
!
interface Vlan1
ip address 10.10.100.251 255.255.255.0
no shut
!
interface Vlan10
ip address 10.10.10.254 255.255.255.0
no shut
!
ip default-gateway 10.10.100.2
ip forward-protocol nd
!
no ip http server
ip http secure-server
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list extended PRE_AUTHENTICATED_DEVICES
permit udp any eq bootpc any eq bootpc
permit udp any any eq domain
permit icmp any any
permit udp any any eq tftp
deny ip any any
!
!
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria tries 3
radius-server key Cisco123
!
radius server ISE-A
address ipv4 10.10.100.101 auth-port 1812 acct-port 1813
key Cisco123
!
radius server ISE-B
address ipv4 10.10.100.102 auth-port 1812 acct-port 1813
key Cisco123
!
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
!
!
!
end
Now, when I configure the Windows supplicant with user authentication, I do not receive a pop-up for credentials, and when I save credentials, I am not sure whether the switch doesn't receive them or doesn't send them to ISE.
I appreciate your help.
07-15-2022 07:48 AM
Verify 802.1x authentication has been enabled globally on the network device similar to the following example:
SW1(config)#dot1x system-auth-control
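The check suggested in this answer can be automated over a saved running-config. The following is an added example, not part of the original thread or any Cisco tool: the function name `audit_dot1x` and the sample text are constructed, the input is assumed to be indented the way IOS prints `show running-config`, and only commands that appear in this thread are checked.

```python
import re

# Constructed sample, shaped like the running-config in the question (indented as IOS prints it).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group DOT1X_AUTHENTICATION
!
interface Ethernet0/0
 switchport mode trunk
!
interface Ethernet0/1
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
!
end
"""

GLOBAL_REQUIRED = {
    "aaa new-model": r"^aaa new-model$",
    "aaa authentication dot1x": r"^aaa authentication dot1x \S+ ",
    "dot1x system-auth-control": r"^dot1x system-auth-control$",
}
PORT_REQUIRED = ("authentication port-control auto", "dot1x pae authenticator")


def audit_dot1x(config):
    """Return findings; an empty list means every checked prerequisite is present."""
    lines = [l.rstrip() for l in config.splitlines()]
    findings = []
    for name, pattern in GLOBAL_REQUIRED.items():
        # Global commands start in column 0; interface sub-commands are indented.
        if not any(re.match(pattern, l) for l in lines):
            findings.append(f"global: missing '{name}'")
    iface, body = None, []
    for l in lines + ["!"]:  # trailing "!" flushes the last interface block
        m = re.match(r"interface (\S+)", l)
        if m or not l.startswith(" "):
            # Only ports that already carry dot1x/authentication commands are checked.
            if iface and any(c.startswith(("dot1x ", "authentication ")) for c in body):
                findings += [f"{iface}: missing '{r}'" for r in PORT_REQUIRED if r not in body]
            iface, body = (m.group(1) if m else None), []
        elif iface:
            body.append(l.strip())
    return findings


if __name__ == "__main__":
    print("\n".join(audit_dot1x(SAMPLE_CONFIG)))
```

On the constructed sample it reports the missing global `dot1x system-auth-control` while the per-port commands pass, which is the situation described in this thread.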
07-16-2022 12:28 AM - edited 07-16-2022 01:23 AM
How could I have missed that!!!
I lost 3 days just for this simple command!
Many Thanks Ashish!
07-16-2022 07:01 PM
Thanks for your acknowledgement.