
Problem with implementing dot1x in eve-ng

TheAnalyst
Level 1

Hello everybody

I am trying to implement dot1x on eve-ng and every time I try I receive weird results!

My current problem is that my switch doesn't seem to send the username to the ISE server and I am only able to use MAB. Here is my configuration:

 

 

 

SW1#sh run
Building configuration...

Current configuration : 3231 bytes
!
! Last configuration change at 11:53:46 EET Sat Jul 2 2022
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa group server radius DOT1X_AUTHENTICATION
 server name ISE-A
 server name ISE-B
!
aaa authentication dot1x default group DOT1X_AUTHENTICATION
aaa authorization network default group DOT1X_AUTHENTICATION 
aaa accounting update newinfo
aaa accounting dot1x default start-stop group DOT1X_AUTHENTICATION
!
!
!
!
!
aaa server radius dynamic-author
 client 10.10.100.101 server-key Cisco123
 client 10.10.100.102 server-key Cisco123
!
aaa session-id common
clock timezone EET 2 0
!
!
!
!
!
!
ip dhcp-relay source-interface Ethernet0/0
!
!
ip device tracking probe delay 15
ip cef
ipv6 multicast rpf use-bgp
no ipv6 cef
authentication mac-move permit
mab request format attribute 32 vlan access-vlan
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
! 
!
!
!
!
!
!
!         
!
!
!
!
!
interface Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
!

!
interface Ethernet0/1
 description Connected to Win10
 switchport mode access
 authentication event fail action next-method
 authentication event server dead action authorize vlan 1
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize 
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 3
!
 vlan 10
!
interface Vlan1
 ip address 10.10.100.251 255.255.255.0
 no shut 
!
interface Vlan10
 ip address 10.10.10.254 255.255.255.0
 no shut 
!
ip default-gateway 10.10.100.2
ip forward-protocol nd
!
no ip http server
ip http secure-server
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list extended PRE_AUTHENTICATED_DEVICES
 permit udp any eq bootpc any eq bootpc
 permit udp any any eq domain
 permit icmp any any
 permit udp any any eq tftp
 deny   ip any any
!
!
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria tries 3
radius-server key Cisco123
!
radius server ISE-A
 address ipv4 10.10.100.101 auth-port 1812 acct-port 1813
 key Cisco123
!
radius server ISE-B
 address ipv4 10.10.100.102 auth-port 1812 acct-port 1813
 key Cisco123
!
!         
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
!
!
!
end

 

 

 

Now, when I configure the Windows supplicant with user authentication, I do not receive a pop-up for credentials, and when I save credentials, I am not sure whether the switch doesn't receive them or doesn't send them to ISE.

I appreciate your help. 

Accepted Solutions

ashish.kushwaha
Level 1

Verify that 802.1X authentication has been enabled globally on the network device, similar to the following example:

SW1(config)#dot1x system-auth-control

Ashish K
***Please Rate Helpful Responses***


3 Replies

How could I have missed that!!!

I lost 3 days just for this simple command!

Many Thanks Ashish!

Thanks for your acknowledgement.

Ashish K
***Please Rate Helpful Responses***
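
The check from the accepted answer can be run automatically against a saved `show run` before a port is assumed to be enforcing 802.1X. This is an added example, not code from the thread or from Cisco; the function names and the trimmed sample config are constructed for illustration.

```python
# Constructed sample: trimmed running-config shaped like the one posted above,
# with per-port 802.1X commands but no global enable.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group DOT1X_AUTHENTICATION
!
interface Ethernet0/1
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
!
"""

def parse_config(text):
    """Split an IOS running-config into global lines and per-interface lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line[0] == " " and current is not None:
            interfaces[current].append(line.strip())
        else:  # unindented line (including "!") closes the interface block
            current = None
            if line != "!":
                global_lines.append(line.strip())
    return global_lines, interfaces

def audit_dot1x(text):
    """Return findings for ports configured for 802.1X that cannot use it."""
    global_lines, interfaces = parse_config(text)
    ports = [n for n, cmds in interfaces.items() if "dot1x pae authenticator" in cmds]
    findings = []
    if not ports:
        return findings
    # Exact match, so the negated form "no dot1x system-auth-control" still fails.
    if "dot1x system-auth-control" not in global_lines:
        findings.append("802.1X not enabled globally (dot1x system-auth-control) "
                        "but configured on: " + ", ".join(ports))
    if not any(l.startswith("aaa authentication dot1x ") for l in global_lines):
        findings.append("no 'aaa authentication dot1x' method list")
    for name in ports:
        if "authentication port-control auto" not in interfaces[name]:
            findings.append(name + ": 'authentication port-control auto' missing")
    return findings
```

Calling `audit_dot1x()` on the text of a saved running-config returns an empty list when the global enable, the method list and the per-port commands are all present.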