802.1x Domain = unknown - status = Unauth - Method = N/A

BigK
Level 1

I enabled Dot1x and plugged the PC into the IP phone. My phone is registered with CM and my PC got an IP address. The issue that I am having is Domain = unknown - status = Unauth - Method = N/A

 

Any help is appreciated. 

 

SW-lab#sho authentication sessions interface g1/0/2
Interface MAC Address Method Domain Status Fg Session ID
--------------------------------------------------------------------------------------------
Gi1/0/2 0016.46a8.a523 N/A UNKNOWN Unauth 0A16640A00000032A0A896C4
Gi1/0/2 d4be.d95c.a825 N/A UNKNOWN Unauth 0A16640A00000033A0A8B9C7

 

 

SW-lab#sho run int g1/0/2

interface GigabitEthernet1/0/2
switchport access vlan 120
switchport mode access
switchport voice vlan 150
device-tracking
authentication timer reauthenticate server
access-session host-mode multi-domain
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end

 

Thanks

 

23 Replies

Arne Bier
VIP

What does ISE Live Log and the detail of the failed Authentication/Authorization look like?

@Arne Bier 

 

There is nothing in ISE live logs. 

@Mike.Cifelli 

I already have that configured. I have a radius server already configured and belongs to the radius group.

 

aaa authentication login default enable local
aaa authentication dot1x default group LAB-RADIUS
aaa authorization network default group LAB-RADIUS
aaa accounting identity default start-stop group LAB-RADIUS

Are you pushing your vlan from ISE or relying on fallback of the switch access vlan on your interface command? Is vlan 120 in your vlan db?

 

There is nothing in ISE live logs. 

 

Are you reaching ISE?  Are ports 1812/1813 (radius default for authentication/accounting) blocked anywhere along the path?  Are you sourcing radius traffic from the correct management interface?  Any of these could present a problem.

Mike.Cifelli
VIP Alumni

Please ensure that you have your AAA statements properly set up.  Depending on your configuration it should look something along these lines:

 

aaa authentication dot1x default group radius
aaa authorization network default group radius

 

Also, add the command authentication port-control auto.  Then force a re-auth.  Hope this helps.

Also, to add, make sure you have these commands:

radius-server vsa send authentication

radius-server vsa send accounting

Please do not forget to rate.

@Sheraz.Salim

 

I entered these commands, but they don't show under running config. I am running IOS Version 16.6.5 - SW 3850


SW-lab(config)#radius-server vsa send authentication
SW-lab(config)#radius-server vsa send accounting

 

 

SW-lab# sho run
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3

They don't show up unless you do show run all.

!

Could you also make sure you have epm logging and dot1x logging ver configured.

!

Then shut the interface down and no shut.

!

And also share the logs you see.

Please do not forget to rate.

@Sheraz.Salim

 

 

I configured epm logging and dot1x logging ver and shut no shut, no changes. Also I am not seeing any logs.

 

Thanks!

Can you display the ISE logs you see there?

Please do not forget to rate.

@Sheraz.Salim


SW-lab#sho mab interface g1/0/2 details
MAB details for GigabitEthernet1/0/2
-------------------------------------
Mac-Auth-Bypass = Enabled

MAB Client List Is Empty

 

SW-lab#sho mab interface g1/0/3 details
MAB details for GigabitEthernet1/0/3
-------------------------------------
Mac-Auth-Bypass = Enabled

MAB Client List Is Empty

 

The logs are from yesterday. Nothing for today.

This makes sense, as you are hitting the default authorization rule, which is deny. Have you configured any authorization rule for this?

Please do not forget to rate.

@Sheraz.Salim

The default Authorization shows permit. Please see attachment.

 

Thanks!

The hit counters on those rules are 0. This could just be a display issue, but it is worth asking if you have more than one policy set configured?

The default authorization rule in the screenshot you attached is Deny, as Sheraz pulled from the live logs earlier. What are the configured conditions in the "Network_access_authentication_passed" library?

@Damien Miller 

 

I hope I am answering your question. Please find attachment
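
An added example, not code from any participant in this thread: a small Python check that parses `show authentication sessions` output for the symptom in the title (Method N/A, Domain UNKNOWN, Status Unauth) and tests a config excerpt for the statements the replies ask about. The sample text is constructed from the shape of the outputs posted above; the function names are hypothetical.

```python
import re

# Constructed sample input, shaped like the outputs posted in the thread.
SESSIONS = """\
Interface MAC Address Method Domain Status Fg Session ID
--------------------------------------------------------
Gi1/0/2 0016.46a8.a523 N/A UNKNOWN Unauth 0A16640A00000032A0A896C4
Gi1/0/2 d4be.d95c.a825 N/A UNKNOWN Unauth 0A16640A00000033A0A8B9C7
"""
CONFIG = """\
aaa authentication dot1x default group LAB-RADIUS
aaa authorization network default group LAB-RADIUS
interface GigabitEthernet1/0/2
 access-session host-mode multi-domain
 access-session port-control auto
 mab
 dot1x pae authenticator
"""

MAC = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)

# Statements the replies ask the poster to confirm (either port-control syntax).
CHECKS = {
    "aaa authentication dot1x": r"^aaa authentication dot1x \S+ group \S+",
    "aaa authorization network": r"^aaa authorization network \S+ group \S+",
    "port-control auto": r"^\s*(access-session|authentication) port-control auto",
    "mab": r"^\s*mab\s*$",
    "dot1x pae authenticator": r"^\s*dot1x pae authenticator",
}

def parse_sessions(text):
    """Return one dict per session row; header and separator lines are skipped."""
    keys = ("interface", "mac", "method", "domain", "status")
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and MAC.match(f[1]):  # the Fg column may be empty
            rows.append({**dict(zip(keys, f)), "session_id": f[-1]})
    return rows

def stalled(rows):
    """MACs whose session shows Method N/A, Domain UNKNOWN, Status Unauth."""
    return [r["mac"] for r in rows
            if (r["method"], r["domain"].upper(), r["status"]) == ("N/A", "UNKNOWN", "Unauth")]

def missing(config):
    """Names of checklist statements not found in the config text."""
    return [name for name, pat in CHECKS.items() if not re.search(pat, config, re.M)]

if __name__ == "__main__":
    print("stalled sessions:", stalled(parse_sessions(SESSIONS)))
    print("missing statements:", missing(CONFIG) or "none")
```

On the thread's own data this reports both MAC addresses as stalled while every checklist statement is present.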

 
