02-11-2019 03:57 PM
Can someone help point out why the PC DATA authorization failed?
Show session auth, interface config and debug dot1x included.
SWITCH#sho authentication sessions
Interface MACAddress Method Domain Status Session ID
Gi1/0/2 c4b9.cdb5.325e mab VOICE Authz Success 0A16640A0000001A002704FF
Gi1/0/3 d4be.d95c.a825 N/A DATA Authz Failed 0A16640A00000014001E9424
SWITCH#sh run int g1/0/3
Building configuration...
Current configuration : 408 bytes
!
interface GigabitEthernet1/0/3
switchport access vlan 120
switchport mode access
switchport voice vlan 150
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
SWITCH(config-if)#no shut
SWITCH#
dot1x-ev(Gi1/0/3): Interface state changed to UP
dot1x_auth Gi1/0/3: initial state auth_initialize has enter
dot1x-sm(Gi1/0/3): 0x3A000022:auth_initialize_enter called
dot1x_auth Gi1/0/3: during state auth_initialize, got event 0(cfg_auto)
@@@ dot1x_auth Gi1/0/3: auth_initialize -> auth_disconnected
dot1x-sm(Gi1/0/3): 0x3A000022:auth_disconnected_enter called
dot1x_auth Gi1/0/3: idle during state auth_disconnected
@@@ dot1x_auth Gi1/0/3: auth_disconnected -> auth_restart
dot1x-sm(Gi1/0/3): 0x3A000022:auth_restart_enter called
dot1x-ev(Gi1/0/3): Sending create new context event to EAP for 0x3A000022 (0000.0000.0000)
dot1x_auth_bend Gi1/0/3: initial state auth_bend_initialize has enter
dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_initialize_enter called
dot1x_auth_bend Gi1/0/3: initial state auth_bend_initialize has idle
dot1x_auth_bend Gi1/0/3: during state auth_bend_initialize, got event 16383(idle)
@@@ dot1x_auth_bend Gi1/0/3: auth_bend_initialize -> auth_bend_idle
dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_idle_enter called
dot1x-ev(Gi1/0/3): Created a client entry (0x3A000022)
dot1x-ev(Gi1/0/3): Dot1x authentication started for 0x3A000022 (0000.0000.0000)
dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/3
dot1x-sm(Gi1/0/3): Posting !EAP_RESTART on Client 0x3A000022
dot1x_auth Gi1/0/3: during state auth_restart, got event 6(no_eapRestart)
@@@ dot1x_auth Gi1/0/3: auth_restart -> auth_connecting
dot1x-sm(Gi1/0/3): 0x3A000022:auth_connecting_enter called
dot1x-sm(Gi1/0/3): 0x3A000022:auth_restart_connecting_action called
dot1x-sm(Gi1/0/3): Posting RX_REQ on Client 0x3A000022
dot1x_auth Gi1/0/3: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
@@@ dot1x_auth Gi1/0/3: auth_connecting -> auth_authenticating
dot1x-sm(Gi1/0/3): 0x3A000022:auth_authenticating_enter called
dot1x-sm(Gi1/0/3): 0x3A000022:auth_connecting_authenticating_action called
dot1x-sm(Gi1/0/3): Posting AUTH_START for 0x3A000022
dot1x_auth_bend Gi1/0/3: during state auth_bend_idle, got event 4(eapReq_authStart)
@@@ dot1x_auth_bend Gi1/0/3: auth_bend_idle -> auth_bend_request
dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_request_enter called
dot1x-ev(Gi1/0/3): Sending EAPOL packet to group PAE address
dot1x-ev(Gi1/0/3): Role determination not required
dot1x-registry:registry:dot1x_ether_macaddr called
dot1x-ev(Gi1/0/3): Sending out EAPOL packet
EAPOL pak dump Tx
EAPOL Version: 0x3 type: 0x0 length: 0x0005
EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
dot1x-packet(Gi1/0/3): EAPOL packet sent to client 0x3A000022 (0000.0000.0000)
dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_idle_request_action called
dot1x-ev(Gi1/0/3): Role determination not required
dot1x-packet(Gi1/0/3): queuing an EAPOL pkt on Auth Q
dot1x-ev:Enqueued the eapol packet to the global authenticator queue
dot1x-ev(Gi1/0/3): New client notification from AuthMgr for 0x3A000022 - d4be.d95c.a825
%AUTHMGR-5-START: Starting 'dot1x' for client (d4be.d95c.a825) on Interface Gi1/0/3 AuditSessionID 0A16640A0000001B002E60B2
EAPOL pak dump rx
EAPOL Version: 0x1 type: 0x1 length: 0x0000
dot1x-ev:dot1x_auth_queue_event: Int Gi1/0/3 CODE= 0,TYPE= 0,LEN= 0
dot1x-packet(Gi1/0/3): Received an EAPOL frame
dot1x-ev(Gi1/0/3): Received pkt saddr =d4be.d95c.a825 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
dot1x-packet(Gi1/0/3): Received an EAPOL-Start packet
EAPOL pak dump rx
EAPOL Version: 0x1 type: 0x1 length: 0x0000
dot1x-sm(Gi1/0/3): Posting EAPOL_START on Client 0x3A000022
dot1x_auth Gi1/0/3: during state auth_authenticating, got event 4(eapolStart)
@@@ dot1x_auth Gi1/0/3: auth_authenticating -> auth_aborting
dot1x-sm(Gi1/0/3): 0x3A000022:auth_authenticating_exit called
dot1x-sm(Gi1/0/3): 0x3A000022:auth_aborting_enter called
dot1x-sm(Gi1/0/3): Posting RESTART on Client 0x3A000022
dot1x_auth Gi1/0/3: during state auth_aborting, got event 13(restart)
@@@ dot1x_auth Gi1/0/3: auth_aborting -> auth_restart
dot1x-sm(Gi1/0/3): 0x3A000022:auth_aborting_exit called
dot1x-sm(Gi1/0/3): 0x3A000022:auth_restart_enter called
dot1x-ev(Gi1/0/3): Resetting the client 0x3A000022 (d4be.d95c.a825)
dot1x-ev(Gi1/0/3): Sending create new context event to EAP for 0x3A000022 (d4be.d95c.a825)
dot1x-sm(Gi1/0/3): Posting !EAP_RESTART on Client 0x3A000022
dot1x_auth Gi1/0/3: during state auth_restart, got event 6(no_eapRestart)
@@@ dot1x_auth Gi1/0/3: auth_restart -> auth_connecting
dot1x-sm(Gi1/0/3): 0x3A000022:auth_connecting_enter called
dot1x-sm(Gi1/0/3): 0x3A000022:auth_restart_connecting_action called
dot1x-ev(Gi1/0/3): Role determination not required
dot1x-packet(Gi1/0/3): Queuing an EAPOL pkt on Authenticator Q
dot1x-ev:Enqueued the eapol packet to the global authenticator queue
dot1x-sm(Gi1/0/3): Posting AUTH_ABORT for 0x3A000022
dot1x_auth_bend Gi1/0/3: during state auth_bend_request, got event 1(authAbort)
@@@ dot1x_auth_bend Gi1/0/3: auth_bend_request -> auth_bend_initialize
dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_initialize_enter called
dot1x_auth_bend Gi1/0/3: idle during state auth_bend_initialize
@@@ dot1x_auth_bend Gi1/0/3: auth_bend_initialize -> auth_bend_idle
dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_idle_enter called
%SYS-5-CONFIG_I: Configured from console by console
EAPOL pak dump rx
EAPOL Version: 0x1 type: 0x0 length: 0x000C
dot1x-ev:dot1x_auth_queue_event: Int Gi1/0/3 CODE= 2,TYPE= 1,LEN= 12
dot1x-packet(Gi1/0/3): Received an EAPOL frame
dot1x-ev(Gi1/0/3): Received pkt saddr =d4be.d95c.a825 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.000c
dot1x-packet(Gi1/0/3): Received an EAP packet
EAPOL pak dump rx
EAPOL Version: 0x1 type: 0x0 length: 0x000C
dot1x-packet(Gi1/0/3): Received an EAP packet from d4be.d95c.a825
dot1x-packet(Gi1/0/3): Received an unexpected EAP packet from d4be.d95c.a825
dot1x-sm(Gi1/0/3): Posting !AUTH_ABORT on Client 0x3A000022
dot1x_auth Gi1/0/3: during state auth_connecting, got event 20(no_eapolLogoff_no_authAbort) (ignored)
dot1x-sm(Gi1/0/3): Posting RX_REQ on Client 0x3A000022
dot1x_auth Gi1/0/3: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
@@@ dot1x_auth Gi1/0/3: auth_connecting -> auth_authenticating
dot1x-sm(Gi1/0/3): 0x3A000022:auth_authenticating_enter called
dot1x-sm(Gi1/0/3): 0x3A000022:auth_connecting_authenticating_action called
dot1x-sm(Gi1/0/3): Posting AUTH_START for 0x3A000022
dot1x_auth_bend Gi1/0/3: during state auth_bend_idle, got event 4(eapReq_authStart)
@@@ dot1x_auth_bend Gi1/0/3: auth_bend_idle -> auth_bend_request
dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_request_enter called
dot1x-ev(Gi1/0/3): Sending EAPOL packet to d4be.d95c.a825
dot1x-ev(Gi1/0/3): Role determination not required
dot1x-registry:registry:dot1x_ether_macaddr called
dot1x-ev(Gi1/0/3): Sending out EAPOL packet
EAPOL pak dump Tx
EAPOL Version: 0x3 type: 0x0 length: 0x0005
EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
dot1x-packet(Gi1/0/3): EAPOL packet sent to client 0x3A000022 (d4be.d95c.a825)
dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_idle_request_action called
dot1x-ev(Gi1/0/3): Role determination notrequired
dot1x-packet(Gi1/0/3): Queuing an EAPOL pkt on Authenticator Q
dot1x-ev:Enqueued the eapol packet to the global authenticator queue
EAPOL pak dump rx
EAPOL Version: 0x1 type: 0x0 length: 0x000C
dot1x-ev:dot1x_auth_queue_event: Int Gi1/0/3 CODE= 2,TYPE= 1,LEN= 12
dot1x-packet(Gi1/0/3): Received an EAPOL frame
dot1x-ev(Gi1/0/3): Received pkt saddr =d4be.d95c.a825 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.000c
dot1x-packet(Gi1/0/3): Received an EAP packet
EAPOL pak dump rx
EAPOL Version: 0x1 type: 0x0 length: 0x000C
dot1x-packet(Gi1/0/3): Received an EAP packet from d4be.d95c.a825
dot1x-sm(Gi1/0/3): Posting EAPOL_EAP for 0x3A000022
dot1x_auth_bend Gi1/0/3: during state auth_bend_request, got event 6(eapolEap)
@@@ dot1x_auth_bend Gi1/0/3: auth_bend_request -> auth_bend_response
dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_response_enter called
dot1x-ev(Gi1/0/3): dot1x_sendRespToServer: Response sent to the server from 0x3A000022 (d4be.d95c.a825)
dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_request_response_action called
dot1x-ev(Gi1/0/3): Received an EAP Fail
dot1x-sm(Gi1/0/3): Posting EAP_FAIL for 0x3A000022
dot1x_auth_bend Gi1/0/3: during state auth_bend_response, got event 10(eapFail)
@@@ dot1x_auth_bend Gi1/0/3: auth_bend_response -> auth_bend_fail
dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_response_exit called
dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_fail_enter called
dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_response_fail_action called
dot1x_auth_bend Gi1/0/3: idle during state auth_bend_fail
@@@ dot1x_auth_bend Gi1/0/3: auth_bend_fail -> auth_bend_idle
dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_idle_enter called
dot1x-sm(Gi1/0/3): Posting AUTH_FAIL on Client 0x3A000022
dot1x_auth Gi1/0/3: during state auth_authenticating, got event 15(authFail)
@@@ dot1x_auth Gi1/0/3: auth_authenticating -> auth_authc_result
dot1x-sm(Gi1/0/3): 0x3A000022:auth_authenticating_exit called
dot1x-sm(Gi1/0/3): 0x3A000022:auth_authc_result_enter called
%DOT1X-5-FAIL: Authentication failed for client (d4be.d95c.a825) on Interface Gi1/0/3 AuditSessionID 0A16640A0000001B002E60B2
dot1x-ev(Gi1/0/3): Sending event (2) to Auth Mgr for d4be.d95c.a825
%AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (d4be.d95c.a825) on Interface Gi1/0/3 AuditSessionID 0A16640A0000001B002E60B2
%AUTHMGR-5-FAIL: Authorization failed or unapplied for client (d4be.d95c.a825) on Interface Gi1/0/3 AuditSessionID 0A16640A0000001B002E60B2
dot1x-redundancy: State for client d4be.d95c.a825 successfully retrieved
dot1x-ev(Gi1/0/3): Received Authz fail for the client 0x3A000022 (d4be.d95c.a825)
dot1x-sm(Gi1/0/3): Posting_AUTHZ_FAIL on Client0x3A000022
dot1x_auth Gi1/0/3: during state auth_authc_result, got event 22(authzFail)
@@@ dot1x_auth Gi1/0/3: auth_authc_result -> auth_held
dot1x-sm(Gi1/0/3): 0x3A000022:auth_held_enter called
dot1x-ev(Gi1/0/3): Sending EAPOL packet to d4be.d95c.a825
dot1x-ev(Gi1/0/3): Role determination not required
dot1x-registry:registry:dot1x_ether_macaddr called
dot1x-ev(Gi1/0/3): Sending out EAPOL packet
EAPOL pak dump Tx
EAPOL Version: 0x3 type: 0x0 length: 0x0004
EAP code: 0x4 id: 0x1 length: 0x0004
dot1x-packet(Gi1/0/3): EAPOL packet sent to client 0x3A000022 (d4be.d95c.a825)
dot1x-ev(Gi1/0/3): Role determination not required
dot1x-packet(Gi1/0/3): queuing an EAPOL pkt on Auth Q
dot1x-ev:Enqueued the eapol packet to the global authenticator queue
EAPOL pak dump rx
EAPOL Version: 0x1 type: 0x1 length: 0x0000
dot1x-ev:dot1x_auth_queue_event: Int Gi1/0/3 CODE= 0,TYPE= 0,LEN= 0
dot1x-packet(Gi1/0/3): Received an EAPOL frame
dot1x-ev(Gi1/0/3): Received pkt saddr =d4be.d95c.a825 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
dot1x-packet(Gi1/0/3): Received an EAPOL-Start packet
EAPOL pak dump rx
EAPOL Version: 0x1 type: 0x1 length: 0x0000
dot1x-sm(Gi1/0/3): Posting EAPOL_START on Client 0x3A000022
dot1x_auth Gi1/0/3: during state auth_held, got event 4(eapolStart) (ignored)
%LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to up
dot1x-ev(Gi1/0/3): Role determination not required
dot1x-packet(Gi1/0/3): queuing an EAPOL pkt on Auth Q
dot1x-ev:Enqueued the eapol packet to the global authenticator queue
EAPOL pak dump rx
EAPOL Version: 0x1 type: 0x1 length: 0x0000
dot1x-ev:dot1x_auth_queue_event: Int Gi1/0/3 CODE= 0,TYPE= 0,LEN= 0
dot1x-packet(Gi1/0/3): Received an EAPOL frame
dot1x-ev(Gi1/0/3): Received pkt saddr =d4be.d95c.a825 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
dot1x-packet(Gi1/0/3): Received an EAPOL-Start packet
EAPOL pak dump rx
EAPOL Version: 0x1 type: 0x1 length: 0x0000
dot1x-sm(Gi1/0/3): Posting EAPOL_START on Client 0x3A000022
dot1x_auth Gi1/0/3: during state auth_held, got event 4(eapolStart) (ignored)
dot1x-ev(Gi1/0/3): Role determination not required
dot1x-packet(Gi1/0/3): queuing an EAPOL pkt on Auth Q
dot1x-ev:Enqueued the eapol packet to the global authenticator queue
EAPOL pak dump rx
EAPOL Version: 0x1 type: 0x1 length: 0x0000
dot1x-ev:dot1x_auth_queue_event: Int Gi1/0/3 CODE= 0,TYPE= 0,LEN= 0
dot1x-packet(Gi1/0/3): Received an EAPOL frame
dot1x-ev(Gi1/0/3): Received pkt saddr =d4be.d95c.a825 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
dot1x-packet(Gi1/0/3): Received an EAPOL-Start packet
EAPOL pak dump rx
EAPOL Version: 0x1 type: 0x1 length: 0x0000
dot1x-sm(Gi1/0/3): Posting EAPOL_START on Client 0x3A000022
dot1x_auth Gi1/0/3: during state auth_he
SWITCH#ld, got event 4(eapolStart) (ignored)
02-11-2019 04:54 PM
02-11-2019 07:27 PM
Please see attached live log
02-11-2019 07:30 PM
For testing please remove below setting and check again.
02-11-2019 07:36 PM
I changed the interface to be 1/0/2 still same issue
Interface: GigabitEthernet1/0/2
MAC Address: d4be.d95c.a825
IP Address: Unknown
User-Name: NWADMIN
Status: Authz Failed
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A16640A000000A90108A454
Acct Session ID: 0x000000B2
Handle: 0xED0000AA
Runnable methods list:
Method State
dot1x Authc Failed
mab Not run
02-11-2019 07:38 PM
Did you change the setting on ISE?
02-11-2019 07:41 PM
I just did -- and then I cleared the authentication session. Waiting to see what happened.
02-11-2019 07:43 PM
sho authentication sessions
Interface MAC Address Method Domain Status Session ID
Gi1/0/2 c4b9.cdb5.325e mab VOICE Authz Success 0A16640A000000B0010E3758
Gi1/0/2 d4be.d95c.a825 dot1x DATA Running 0A16640A000000AE010DDE9C
02-11-2019 07:43 PM
sho authentication sessions
Interface MAC Address Method Domain Status Session ID
Gi1/0/2 c4b9.cdb5.325e mab VOICE Authz Success 0A16640A000000B0010E3758
Gi1/0/2 d4be.d95c.a825 N/A DATA Authz Failed 0A16640A000000AE010DDE9C
02-11-2019 09:38 PM
ok so now what error do you see?
02-11-2019 06:57 PM
Some failure is received.
dot1x-packet(Gi1/0/3): Received an EAP packet from d4be.d95c.a825
dot1x-sm(Gi1/0/3): Posting EAPOL_EAP for 0x3A000022
dot1x_auth_bend Gi1/0/3: during state auth_bend_request, got event 6(eapolEap)
@@@ dot1x_auth_bend Gi1/0/3: auth_bend_request -> auth_bend_response
dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_response_enter called
dot1x-ev(Gi1/0/3): dot1x_sendRespToServer: Response sent to the server from 0x3A000022 (d4be.d95c.a825)
dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_request_response_action called
dot1x-ev(Gi1/0/3): Received an EAP Fail
Is the MAC address hitting the correct rule? What is the reason for failure shown on the RADIUS server?
Share the output of "show authen sess int <> detail"
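The check made in the reply above (a supplicant response is relayed to the server, then an EAP Fail comes back) can be automated over a saved debug capture. This is an added example, not part of the original post or any Cisco tooling; the function name, regexes and verdict strings are assumptions, and the verdict is a heuristic for where to look next.

```python
import re

# Constructed sample: a few lines copied from the debug output posted in this thread.
SAMPLE = """\
dot1x-packet(Gi1/0/3): Received an EAP packet from d4be.d95c.a825
dot1x-sm(Gi1/0/3): Posting EAPOL_EAP for 0x3A000022
@@@ dot1x_auth_bend Gi1/0/3: auth_bend_request -> auth_bend_response
dot1x-ev(Gi1/0/3): dot1x_sendRespToServer: Response sent to the server from 0x3A000022 (d4be.d95c.a825)
dot1x-ev(Gi1/0/3): Received an EAP Fail
@@@ dot1x_auth_bend Gi1/0/3: auth_bend_response -> auth_bend_fail
@@@ dot1x_auth_bend Gi1/0/3: auth_bend_fail -> auth_bend_idle
@@@ dot1x_auth Gi1/0/3: auth_authenticating -> auth_authc_result
%DOT1X-5-FAIL: Authentication failed for client (d4be.d95c.a825) on Interface Gi1/0/3 AuditSessionID 0A16640A0000001B002E60B2
@@@ dot1x_auth Gi1/0/3: auth_authc_result -> auth_held
"""

TRANSITION = re.compile(r"^@@@ (dot1x_auth(?:_bend)?) (\S+): (\w+) -> (\w+)")
TO_SERVER = re.compile(r"dot1x_sendRespToServer: Response sent to the server")
EAP_FAIL = re.compile(r"dot1x-ev\((\S+)\): Received an EAP Fail")
DOT1X_FAIL = re.compile(
    r"%DOT1X-5-FAIL: .*client \(([0-9a-f.]+)\) on Interface (\S+) AuditSessionID (\w+)")

AFTER_RELAY = "failure after relay to RADIUS: check the server's log"    # assumed label
BEFORE_RELAY = "failure before any relay to RADIUS: check switch/client"  # assumed label

def analyse(text):
    """Collect state-machine transitions and say where each failure points."""
    result = {"transitions": [], "failures": []}
    forwarded = False    # a supplicant response was relayed to the RADIUS server
    server_fail = False  # an EAP Fail was seen after that relay
    for raw in text.splitlines():
        line = raw.strip()
        if m := TRANSITION.match(line):
            result["transitions"].append((m[1], m[3], m[4]))
        elif TO_SERVER.search(line):
            forwarded = True
        elif EAP_FAIL.search(line):
            server_fail = forwarded
        elif m := DOT1X_FAIL.search(line):
            result["failures"].append({
                "mac": m[1], "interface": m[2], "session": m[3],
                "verdict": AFTER_RELAY if server_fail else BEFORE_RELAY})
            forwarded = server_fail = False  # reset for the next attempt
    return result

if __name__ == "__main__":
    for failure in analyse(SAMPLE)["failures"]:
        print(failure)
```

The AuditSessionID in each reported failure is the value to search for in the RADIUS server's live log.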
02-11-2019 07:52 PM
Here is the issue
Event 5400 Authentication failed
Failure Reason 15039 Rejected per authorization profile
Resolution Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
Root cause Selected Authorization Profile contains ACCESS_REJECT attribute
02-11-2019 10:35 PM
OK, now you need to see why the required authorization rule is not hitting.
What rule are you expecting to hit on ISE? Could you share?
02-12-2019 10:00 AM
Sometimes small details in the config can take away from the actual problem. I redid the config on my switch and found out that I was missing one command. Radius-server dead-criteria time 10 tries 3 :-)
Thanks to all who tried to help.
Bigk