cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
23211
Views
11
Helpful
3
Replies

Authentication result 'no-response' from 'dot1x'

guy.zwerdling
Level 1
Level 1

Hi guys,

I this error messages on my win7 machine:

SW1_c3750#

00:23:47: %LINK-5-CHANGED: Interface FastEthernet2/0/7, changed state to adminis

tratively down

00:23:47: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0/7, cha

nged state to down

00:23:56: %LINK-3-UPDOWN: Interface FastEthernet2/0/7, changed state to up

00:23:56: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0/7, cha

nged state to up

00:23:56: %AUTHMGR-5-START: Starting 'dot1x' for client (000c.2986.1153) on Inte

rface Fa2/0/7

00:23:57: %AUTHMGR-5-START: Starting 'dot1x' for client (c83a.35d2.398f) on Inte

rface Fa2/0/7

00:24:26: %DOT1X-5-FAIL: Authentication failed for client (000c.2986.1153) on In

terface Fa2/0/7

00:24:26: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' fo

r client (000c.2986.1153) on Interface Fa2/0/7

00:24:26: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (000c.2986.1

153) on Interface Fa2/0/7

00:24:26: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for cli

ent (000c.2986.1153) on Interface Fa2/0/7

00:24:26: %AUTHMGR-5-FAIL: Authorization failed for client (000c.2986.1153) on I

nterface Fa2/0/7

00:24:27: %DOT1X-5-FAIL: Authentication failed for client (c83a.35d2.398f) on In

terface Fa2/0/7

00:24:27: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' fo

r client (c83a.35d2.398f) on Interface Fa2/0/7

00:24:27: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (c83a.35d2.3

98f) on Interface Fa2/0/7

00:24:27: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for cli

ent (c83a.35d2.398f) on Interface Fa2/0/7

00:24:27: %AUTHMGR-5-FAIL: Authorization failed for client (c83a.35d2.398f) on I

nterface Fa2/0/7

I have c3750 with ios 12.2(50)SE2

My win7 connect to port 2/0/7 on this switch, and I have the configuration as follows:

interface FastEthernet2/0/7

switchport mode access

authentication host-mode multi-auth

authentication open

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

dot1x pae authenticator

dot1x timeout tx-period 10

spanning-tree portfast

end


On my win7 machine I start the Wired Autoconfig service and setup the authentication to PEAP with method of PEA-MSCHAPv2,

This PC are in lab enviroent so I disable the "Authomatic use my windows login name" and setup credential instead (Local Area Connection Status>Properties>Authentication>Additional Settings...>Replace credential)

at the debug radius auth I get

SW1_c3750#

SW1_c3750#

00:37:48: RADIUS/ENCODE(0000001D):Orig. component type = DOT1X

00:37:48: RADIUS(0000001D): Config NAS IP: 0.0.0.0

00:37:48: RADIUS/ENCODE(0000001D): acct_session_id: 29

00:37:48: RADIUS(0000001D): sending

00:37:48: RADIUS/ENCODE: Best Local IP-Address 192.168.1.121 for Radius-Server 1

92.168.1.117

00:37:48: RADIUS(0000001D): Send Access-Request to 192.168.1.117:1812 id 1645/22

, len 201

00:37:48: RADIUS:  authenticator D8 C5 63 73 E1 31 92 63 - F7 1B 78 4A 87 06 9D

3E

00:37:48: RADIUS:  User-Name           [1]   8   "bob-it"

00:37:48: RADIUS:  Service-Type        [6]   6   Framed                    [2]

00:37:48: RADIUS:  Framed-IP-Address   [8]   6   192.168.1.10

00:37:48: RADIUS:  Framed-MTU          [12]  6   1500

00:37:48: RADIUS:  Called-Station-Id   [30]  19  "00-22-90-A6-BC-09"

00:37:48: RADIUS:  Calling-Station-Id  [31]  19  "00-0C-29-86-11-53"

00:37:48: RADIUS:  EAP-Message         [79]  13

00:37:48: RADIUS:   02 01 00 0B 01 62 6F 62 2D 69 74            [ bob-it]

00:37:48: RADIUS:  Message-Authenticato[80]  18

00:37:48: RADIUS:   4E 52 DB C5 66 E9 8A D8 2A D0 D5 BE DE B1 63 E3

[ NRf*c]

00:37:48: RADIUS:  Vendor, Cisco       [26]  49

00:37:48: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A8017900000

01A00227E41"

00:37:48: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]

00:37:48: RADIUS:  NAS-Port            [5]   6   50207

00:37:48: RADIUS:  NAS-Port-Id         [87]  19  "FastEthernet2/0/7"

00:37:48: RADIUS:  NAS-IP-Address      [4]   6   192.168.1.121

00:37:48: RADIUS: Received from id 1645/22 192.168.1.117:1812, Access-Reject, le

n 38

00:37:48: RADIUS:  authenticator 0B B5 21 76 89 64 A4 57 - B3 AD 56 23 A3 52 55

BE

00:37:48: RADIUS:  Message-Authenticato[80]  18

00:37:48: RADIUS:   93 F7 C1 6F 80 0A 03 DA 18 34 8F 18 66 DE 81 DE

  [ o4f]

00:37:48: RADIUS(0000001D): Received from id 1645/22

00:37:48: %DOT1X-5-FAIL: Authentication failed for client (000c.2986.1153) on In

terface Fa2/0/7

00:37:48: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for clien

t (000c.2986.1153) on Interface Fa2/0/7

00:37:48: %AUTHMGR-5-FAIL: Authorization failed for client (000c.2986.1153) on I

nterface Fa2/0/7

00:38:49: %AUTHMGR-5-START: Starting 'dot1x' for client (000c.2986.1153) on Inte

rface Fa2/0/7

Please help

1 Accepted Solution

Accepted Solutions

Hi Hariprasad,

At the same day or more lately I restart the PC and after that it works for me,

I don't know why... but it work

Thanks for the reply.. really appreciate it

Thanks

View solution in original post

3 Replies 3

hariholla
Cisco Employee
Cisco Employee

I see nothing wrong with the interface configuration on the 3750.

In the first half, since you haven’t enabled 802.1X (Wired AutoConfig service) on the Windows client, the dot1x on the switch port is timing out throwing a ‘no-response’ message:

00:24:26: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (000c.2986.1153) on Interface Fa2/0/7

In the second half, I see that the client is doing 802.1X, the authentication request going to the server, but the response is an ‘Access-Reject’:

00:37:48: RADIUS: Received from id 1645/22 192.168.1.117:1812, Access-Reject, len 38

Could you share your ISE RADIUS live log and details relating to this session to understand why the server is rejecting the authentication request?

Hi Hariprasad,

At the same day or more lately I restart the PC and after that it works for me,

I don't know why... but it work

Thanks for the reply.. really appreciate it

Thanks

You maybe hitting the Rejection period in ISE. By default, ISE will silently reject authentication after some number of failed attempts by a certain MAC address. The default reject period is 60 minutes which would explain why you eventually got on later that day.

You can find this setting under Admin|Settings|Protocols|RADIUS

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: