IE-3200 and 802.1x not working.

j.leinonen
Level 1

Hi,

I have a problem with IE-3200 and 802.1x, where I try to authenticate a PC with a certificate via Windows NPS on the server side. The IOS XE version is 17.6.2; I originally had version 16.12.4, but I upgraded as it was not working there, but no help.

The same config & setup and certificate authentication work OK with an IE-4000 switch with the LAN Base image, but not with the IE-3200.

 

I have this kind of config in place (I have more aaa config for switch authentication via radius but removed those):
!
aaa authorization network default group test-1x-radius
aaa accounting dot1x default start-stop group test-1x-radius
!
radius server test-radius-1
address ipv4 x.x.x.x auth-port 1812 acct-port 1813
key <key omitted>
!
radius server test-radius-2
address ipv4 y.y.y.y auth-port 1812 acct-port 1813
key <key omitted>
!
radius-server dead-criteria time 10 tries 3
no radius-server vsa send authentication
!
!
aaa group server radius test-1x-radius
server name test-radius-1
server name test-radius-2
ip radius source-interface Vlanxxx
!
aaa new-model
aaa session-id common
!
dot1x system-auth-control
!
!
interface GigabitEthernet1/4
description Client-to_be_authenticated
switchport access vlan xxx
switchport mode access
authentication port-control auto
dot1x pae authenticator
!
ip route 0.0.0.0 0.0.0.0 w.x.y.z name default_via_router_towards_Radius

 

I have all this debugging on:

#sh debugging
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on

Conditional Debug Global State: Stop

Packet Infra debugs:

Ip Address Port
------------------------------------------------------|----------

Radius protocol debugging is on
Radius packet protocol debugging is on
Radius table debugging is on
Auth Manager:
Auth Manager errors debugging is on
Auth Manager events debugging is on
Auth Manager detailed debugs debugging is on
Auth Manager sync debugging is on
dot1x:
Dot1x registry info debugging is on
Dot1x redundancy info debugging is on
Dot1x packet info debugging is on
Dot1x events debugging is on
Dot1x State machine transitions and actions debugging is on
Dot1x Errors debugging is on
Dot1x Supplicant EAP-FAST debugging is on
Dot1x Manager debugging is on
Dot1x Supplicant State Machine debugging is on

 

BUT this is the only thing that comes to the log (with the IE-4000, debugging shows much more):

*Nov 16 13:36:12.345: %DOT1X-5-FAIL: R0/0: sessmgrd: Authentication failed for client (xxxx.xxxx.xxxx) with reason (Timeout) on Interface Gi1/4 AuditSessionID 000000000000000B28E08706
*Nov 16 13:36:12.346: %SESSION_MGR-5-FAIL: R0/0: sessmgrd: Authorization failed or unapplied for client (xxxx.xxxx.xxxx) on Interface GigabitEthernet1/4 AuditSessionID 000000000000000B28E08706. Failure reason: Authc fail. Authc failure reason: Timeout.

 

#sh dot1x all det
Sysauthcontrol Enabled
Dot1x Protocol Version 3

Dot1x Info for GigabitEthernet1/4
--------------------------------------------
PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30

Dot1x Authenticator Client List
-------------------------------

EAP Method = (0)
Supplicant = xxxx.xxxx.xxxx
Session ID = 050114AC0000001028F80CBE
Auth SM State = AUTHENTICATING
Auth BEND SM State = REQUEST

 

Am I missing some additional config at IE-3200?
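
The two syslog lines quoted above carry everything needed to tell a RADIUS/EAP timeout apart from an explicit reject: the message type, the client MAC, the interface, the AuditSessionID and the reason. The following is an added example (not code from the original post or from Cisco) that parses such lines and groups them by AuditSessionID, so the %DOT1X-5-FAIL and %SESSION_MGR-5-FAIL messages for one attempt collapse into one record and the Timeout sessions can be listed; the sample lines are constructed on the pattern of the quoted ones, and the third line with an "AAA Server Reject" reason is an assumed contrast case, not something the post reports.

```python
import re

# Constructed sample log, modelled on the two messages quoted in the post.
# MACs, timestamps and session IDs are placeholders; the third line is an
# assumed contrast case (explicit reject rather than timeout).
SAMPLE_LOG = """\
*Nov 16 13:36:12.345: %DOT1X-5-FAIL: R0/0: sessmgrd: Authentication failed for client (xxxx.xxxx.xxxx) with reason (Timeout) on Interface Gi1/4 AuditSessionID 000000000000000B28E08706
*Nov 16 13:36:12.346: %SESSION_MGR-5-FAIL: R0/0: sessmgrd: Authorization failed or unapplied for client (xxxx.xxxx.xxxx) on Interface GigabitEthernet1/4 AuditSessionID 000000000000000B28E08706. Failure reason: Authc fail. Authc failure reason: Timeout.
*Nov 16 13:37:40.001: %DOT1X-5-FAIL: R0/0: sessmgrd: Authentication failed for client (aaaa.bbbb.cccc) with reason (AAA Server Reject) on Interface Gi1/5 AuditSessionID 000000000000000C28E08707
"""

# %DOT1X-5-FAIL: reason is in parentheses before the interface.
DOT1X_FAIL = re.compile(
    r"^\*(?P<ts>\w{3} +\d+ [\d:.]+): %DOT1X-5-FAIL: .*?client \((?P<mac>[0-9a-fA-Fx.]+)\) "
    r"with reason \((?P<reason>[^)]+)\) on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)"
)
# %SESSION_MGR-5-FAIL: the authc reason comes at the end of the message.
SESSMGR_FAIL = re.compile(
    r"^\*(?P<ts>\w{3} +\d+ [\d:.]+): %SESSION_MGR-5-FAIL: .*?client \((?P<mac>[0-9a-fA-Fx.]+)\) "
    r"on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)\. .*?Authc failure reason: (?P<reason>[^.]+)\."
)


def parse_line(line):
    """Return a dict of fields for a recognised failure line, or None."""
    for kind, rx in (("dot1x", DOT1X_FAIL), ("sessmgr", SESSMGR_FAIL)):
        m = rx.match(line)
        if m:
            rec = m.groupdict()
            rec["kind"] = kind
            return rec
    return None


def summarize(text):
    """Group failure messages by AuditSessionID.

    The authenticator logs one DOT1X line and one SESSION_MGR line per failed
    attempt; keying on the session ID joins them into a single record.
    """
    sessions = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = sessions.setdefault(
            rec["sid"], {"mac": rec["mac"], "intf": rec["intf"], "reasons": set(), "messages": 0}
        )
        s["reasons"].add(rec["reason"].strip())
        s["messages"] += 1
    return sessions


def timeout_sessions(sessions):
    """Session IDs that failed with reason Timeout.

    A Timeout means the EAP exchange stalled (no usable answer from the RADIUS
    server within the retry budget), as opposed to NPS actively rejecting the
    client; the two need different troubleshooting.
    """
    return sorted(sid for sid, s in sessions.items() if "Timeout" in s["reasons"])


if __name__ == "__main__":
    found = summarize(SAMPLE_LOG)
    for sid, s in found.items():
        print(sid, s["mac"], s["intf"], sorted(s["reasons"]), s["messages"])
    print("timeouts:", timeout_sessions(found))
```

Run it against a saved `show logging` capture instead of SAMPLE_LOG to see whether every failure on the port is a Timeout (pointing at the server path or the EAP exchange) or whether some are explicit rejects (pointing at the NPS policy).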


j.leinonen
Level 1

Forgot to mention, IE-3200 does not need any "additional" licenses to get 802.1x working, right?

You do not need a different license on the IE3200 for dot1x. The Network Essentials license will work.

 

I found this article in the C9300 support community which showed a similar issue.

The fix was to add "authentication order mab dot1x" on the interface.

 

link to article:  https://community.cisco.com/t5/cisco-software-discussions/cisco-9300-authorization-failure-failure-reason-authc-fail-authc/td-p/3943204

 

Thanks for the comments.

I read that article earlier too, and I doubt that it is about that mab, as I try to get it working without mab since the client PC supports 802.1x.

And as said, my config works OK on the IE-4000, but not on the IE-3200.

 

But will test that command too...

Hi all,

 

Just to follow up my own topic, as there were no additional comments.

We got this working.

On the NPS side we adjusted the Network Policy Framed-MTU to 1344 and it started to work via IE-3200 too.

Interesting is why it worked via IE-4000 before but not with IE-3200, even if the switches' placement is similar in the network, so the MTU in the path SHOULD be the same.

Maybe the IE-3200 itself sends and handles EAP payload packets with a different MTU size than the IE-4000, maybe too big and somehow they cannot be fragmented.

 

We will do further tests to see why that Fragmented-MTU setting worked.
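
Framed-MTU is the RADIUS attribute a server can use as an upper bound on the EAP packets it sends back to the authenticator (RFC 3579, section 2.4); lowering it on the NPS policy makes NPS cut the EAP-TLS server certificate chain into smaller EAP-layer fragments, which is why the post's fix works when some hop between switch and server cannot pass the larger ones. As an added example, not code from the post, from Cisco or from NPS, the block below implements the RFC 5216 EAP-TLS fragmentation layout (Code, Identifier, Length, Type 13, Flags with the L/M/S bits, optional 4-byte TLS Message Length) for an arbitrary payload and MTU, plus the matching reassembly, so the effect of 1344 versus a larger value on a constructed 4096-byte payload can be seen. The payload size, the Identifier start value and the 1500 comparison value are assumptions for illustration; the post only states that 1344 worked.

```python
import struct

EAP_CODE_REQUEST = 1
EAP_TYPE_TLS = 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # Length-included, More-fragments, Start


def fragment_eap_tls(tls_data, mtu, first_id=1):
    """Split a TLS message into EAP-TLS Request packets of at most mtu bytes.

    Layout per RFC 5216: 4-byte EAP header, Type, Flags, then on the first
    fragment a 4-byte TLS Message Length, then TLS data.  The L flag is set
    on the first fragment and M on every fragment but the last.
    """
    if not tls_data:
        raise ValueError("empty TLS message")
    packets, offset, ident, total = [], 0, first_id, len(tls_data)
    while offset < total:
        first = offset == 0
        header_len = 6 + (4 if first else 0)
        chunk_len = min(mtu - header_len, total - offset)
        if chunk_len <= 0:
            raise ValueError("mtu too small for EAP-TLS header")
        chunk = tls_data[offset:offset + chunk_len]
        offset += chunk_len
        flags = (FLAG_L if first else 0) | (FLAG_M if offset < total else 0)
        body = bytes([EAP_TYPE_TLS, flags])
        if first:
            body += struct.pack("!I", total)
        body += chunk
        packets.append(struct.pack("!BBH", EAP_CODE_REQUEST, ident & 0xFF, 4 + len(body)) + body)
        ident += 1
    return packets


def reassemble(packets):
    """Rebuild the TLS message, checking the EAP Length field and the
    announced TLS Message Length so a truncated or dropped fragment is noticed."""
    out, expected = bytearray(), None
    for pkt in packets:
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        if code != EAP_CODE_REQUEST or length != len(pkt) or pkt[4] != EAP_TYPE_TLS:
            raise ValueError("malformed EAP-TLS packet")
        flags, pos = pkt[5], 6
        if flags & FLAG_L:
            expected = struct.unpack("!I", pkt[6:10])[0]
            pos = 10
        out += pkt[pos:]
        if not flags & FLAG_M:
            break
    if expected is not None and len(out) != expected:
        raise ValueError("incomplete TLS message: got %d of %d bytes" % (len(out), expected))
    return bytes(out)


def fragment_report(tls_data, mtu):
    """(fragment count, largest fragment) for a given Framed-MTU value."""
    pkts = fragment_eap_tls(tls_data, mtu)
    return len(pkts), max(len(p) for p in pkts)


if __name__ == "__main__":
    # Constructed stand-in for a server certificate chain; real chains are
    # commonly a few kilobytes, which is what forces fragmentation.
    payload = bytes(range(256)) * 16
    for mtu in (1500, 1344):
        print("Framed-MTU %d -> %d fragments, largest %d bytes" % ((mtu,) + fragment_report(payload, mtu)))
```

The design choice worth noting is the sanity checking in reassemble(): with a Framed-MTU too large for the path, the symptom is not an error from either side but a silently missing fragment followed by the authenticator's retransmit timer expiring, which the switch then reports exactly as the "Timeout" seen in the post's log. Verifying the announced TLS Message Length is the only place the gap becomes visible.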

Interesting solution. Would not have guessed that was the issue.

Thanks for sharing the solution. Makes it better for everyone.

You can try enabling "authentication logging verbose" and "dot1x logging verbose" in config mode and "debug radius" to get more information during the authentication process. Also, are you trying to push down a lot of ACLs as part of the authorization?