7669 Views | 0 Helpful | 13 Replies

802.1x authentication problem on C2960S-48TS-L with Linux clients

Hi,

Due to implementing wired 802.1x in my company, I am faced with a problem authenticating some Linux computers (Ubuntu 13.10+) via MAB at one of my access switches (C2960S-48TS-L). The problem exists on IOS 12.55 and 15.0(2)SE6.

It seems that the Authenticator can't detect the MAC address of the supplicant. In the debug, the MAC address is (Unknown MAC) or (0000.0000.0000).

Before authentication I could see the registered MAC address on the switchport interface (without 802.1x settings on the port):

sh mac address-table interface g1/0/2          "before 802.1x authentication"
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   2    0015.990f.60d9    STATIC      Gi1/0/2


The host should get into VLAN 2 after failed authentication (according to the port settings). But actually, after trying to authenticate, the host on this port loses connection with the network and doesn't get into VLAN 2.

sh mac address-table interface g1/0/2              "after 802.1x authentication"
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----


sh authentication sessions

Interface  MAC Address     Method   Domain   Status         Session ID
Gi1/0/24   (unknown)       dot1x    DATA     Authz Success  6A7D1FAF0000000000023E32
Gi1/0/25   (unknown)       dot1x    DATA     Authz Success  6A7D1FAF0000000200024193
Gi1/0/2    (unknown)       mab      UNKNOWN  Running        6A7D1FAF000000280011BA1A

sh dot1x interface g1/0/2 details

Dot1x Info for GigabitEthernet1/0/2
-----------------------------------
PAE                       = AUTHENTICATOR
QuietPeriod               = 5
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 3

sh run int g1/0/2

interface GigabitEthernet1/0/2
 description ## User Port ##
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 5
 switchport port-security maximum 5
 switchport port-security
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 ip arp inspection limit rate 120
 authentication event fail retry 0 action authorize vlan 2
 authentication event server dead action authorize vlan 2
 authentication event no-response action authorize vlan 2
 authentication host-mode multi-host
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 3900
 authentication timer inactivity 300
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 5
 dot1x timeout tx-period 3
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action trap
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
end


I have tried to change authentication host-mode to multi-domain, but the problem remains.

"debug dot1x all" in the attached file.

Please help me to resolve this issue.

Accepted Solution

jan.nielsen (Level 7)

You should remove any port-security settings before enabling dot1x on a port; these two functions will not work well together.


Jan.

13 Replies

Also, in this case the switch doesn't send any authentication information to the NPS server (Windows Server 2008 R2).

I have removed port security but still have failed authentication on the port.


002262: Mar 26 16:23:26.516: dot1x-ev(Gi1/0/2): Deleting client 0x9A000053 (0000.0000.0000)
002263: Mar 26 16:23:26.516: dot1x-ev:Delete auth client (0x9A000053) message
002264: Mar 26 16:23:26.516: dot1x-ev:Auth client ctx destroyed
002265: Mar 26 16:23:26.715:     dot1x_auth Gi1/0/2: initial state auth_initialize has enter
002266: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_initialize_enter called
002267: Mar 26 16:23:26.715:     dot1x_auth Gi1/0/2: during state auth_initialize, got event 0(cfg_auto)
002268: Mar 26 16:23:26.715: @@@ dot1x_auth Gi1/0/2: auth_initialize -> auth_disconnected
002269: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_disconnected_enter called
002270: Mar 26 16:23:26.715:     dot1x_auth Gi1/0/2: idle during state auth_disconnected
002271: Mar 26 16:23:26.715: @@@ dot1x_auth Gi1/0/2: auth_disconnected -> auth_restart
002272: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_restart_enter called
002273: Mar 26 16:23:26.715: dot1x-ev(Gi1/0/2): Sending create new context event to EAP for 0x6D000054 (0000.0000.0000)
002274: Mar 26 16:23:26.715:     dot1x_auth_bend Gi1/0/2: initial state auth_bend_initialize has enter
002275: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_initialize_enter called
002276: Mar 26 16:23:26.715:     dot1x_auth_bend Gi1/0/2: initial state auth_bend_initialize has idle
002277: Mar 26 16:23:26.715:     dot1x_auth_bend Gi1/0/2: during state auth_bend_initialize, got event 16383(idle)
002278: Mar 26 16:23:26.715: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_initialize -> auth_bend_idle
002279: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_idle_enter called
002280: Mar 26 16:23:26.715: dot1x-ev(Gi1/0/2): Created a client entry (0x6D000054)
002281: Mar 26 16:23:26.715: dot1x-ev(Gi1/0/2): Dot1x authentication started for 0x6D000054 (0000.0000.0000)
002282: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): Posting !EAP_RESTART on Client 0x6D000054
002283: Mar 26 16:23:26.715:     dot1x_auth Gi1/0/2: during state auth_restart, got event 6(no_eapRestart)
002284: Mar 26 16:23:26.715: @@@ dot1x_auth Gi1/0/2: auth_restart -> auth_connecting
002285: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_connecting_enter called
002286: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_restart_connecting_action called
002287: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): Posting RX_REQ on Client 0x6D000054
002288: Mar 26 16:23:26.721:     dot1x_auth Gi1/0/2: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
002289: Mar 26 16:23:26.721: @@@ dot1x_auth Gi1/0/2: auth_connecting -> auth_authenticating
002290: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_authenticating_enter called
002291: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_connecting_authenticating_action called
002292: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): Posting AUTH_START for 0x6D000054
002293: Mar 26 16:23:26.721:     dot1x_auth_bend Gi1/0/2: during state auth_bend_idle, got event 4(eapReq_authStart)
002294: Mar 26 16:23:26.721: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_idle -> auth_bend_request
002295: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_enter called
002296: Mar 26 16:23:26.721: dot1x-ev(Gi1/0/2): Sending EAPOL packet to group PAE address
002297: Mar 26 16:23:26.721: dot1x-ev(Gi1/0/2): Role determination not required
002298: Mar 26 16:23:26.721: dot1x-registry:registry:dot1x_ether_macaddr called
002299: Mar 26 16:23:26.721: dot1x-ev(Gi1/0/2): Sending out EAPOL packet
002300: Mar 26 16:23:26.721: EAPOL pak dump Tx
002301: Mar 26 16:23:26.721: EAPOL Version: 0x3  type: 0x0  length: 0x0005
002302: Mar 26 16:23:26.721: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
002303: Mar 26 16:23:26.721: dot1x-packet(Gi1/0/2): EAPOL packet sent to client 0x6D000054 (0000.0000.0000)
002304: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_idle_request_action called
002305: Mar 26 16:23:29.814: dot1x-sm(Gi1/0/2): Posting EAP_REQ for 0x6D000054
002306: Mar 26 16:23:29.814:     dot1x_auth_bend Gi1/0/2: during state auth_bend_request, got event 7(eapReq)
002307: Mar 26 16:23:29.814: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_request -> auth_bend_request
002308: Mar 26 16:23:29.814: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_request_action called
002309: Mar 26 16:23:29.814: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_enter called
002310: Mar 26 16:23:29.814: dot1x-ev(Gi1/0/2): Sending EAPOL packet to group PAE address
002311: Mar 26 16:23:29.814: dot1x-ev(Gi1/0/2): Role determination not required
002312: Mar 26 16:23:29.814: dot1x-registry:registry:dot1x_ether_macaddr called
002313: Mar 26 16:23:29.814: dot1x-ev(Gi1/0/2): Sending out EAPOL packet
002314: Mar 26 16:23:29.814: EAPOL pak dump Tx
002315: Mar 26 16:23:29.814: EAPOL Version: 0x3  type: 0x0  length: 0x0005
002316: Mar 26 16:23:29.814: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
002317: Mar 26 16:23:29.814: dot1x-packet(Gi1/0/2): EAPOL packet sent to client 0x6D000054 (0000.0000.0000)
002318: Mar 26 16:23:32.907: dot1x-sm(Gi1/0/2): Posting EAP_REQ for 0x6D000054
002319: Mar 26 16:23:32.907:     dot1x_auth_bend Gi1/0/2: during state auth_bend_request, got event 7(eapReq)
002320: Mar 26 16:23:32.907: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_request -> auth_bend_request
002321: Mar 26 16:23:32.907: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_request_action called
002322: Mar 26 16:23:32.907: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_enter called
002323: Mar 26 16:23:32.913: dot1x-ev(Gi1/0/2): Sending EAPOL packet to group PAE address
002324: Mar 26 16:23:32.913: dot1x-ev(Gi1/0/2): Role determination not required
002325: Mar 26 16:23:32.913: dot1x-registry:registry:dot1x_ether_macaddr called
002326: Mar 26 16:23:32.913: dot1x-ev(Gi1/0/2): Sending out EAPOL packet
002327: Mar 26 16:23:32.913: EAPOL pak dump Tx
002328: Mar 26 16:23:32.913: EAPOL Version: 0x3  type: 0x0  length: 0x0005
002329: Mar 26 16:23:32.913: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
002330: Mar 26 16:23:32.913: dot1x-packet(Gi1/0/2): EAPOL packet sent to client 0x6D000054 (0000.0000.0000)
002331: Mar 26 16:23:36.001: dot1x-ev(Gi1/0/2): Received an EAP Timeout
002332: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): Posting EAP_TIMEOUT for 0x6D000054
002333: Mar 26 16:23:36.001:     dot1x_auth_bend Gi1/0/2: during state auth_bend_request, got event 12(eapTimeout)
002334: Mar 26 16:23:36.001: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_request -> auth_bend_timeout
002335: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_timeout_enter called
002336: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_timeout_action called
002337: Mar 26 16:23:36.001:     dot1x_auth_bend Gi1/0/2: idle during state auth_bend_timeout
002338: Mar 26 16:23:36.001: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_timeout -> auth_bend_idle
002339: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_idle_enter called
002340: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): Posting AUTH_TIMEOUT on Client 0x6D000054
002341: Mar 26 16:23:36.001:     dot1x_auth Gi1/0/2: during state auth_authenticating, got event 14(authTimeout)
002342: Mar 26 16:23:36.001: @@@ dot1x_auth Gi1/0/2: auth_authenticating -> auth_authc_result
002343: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_authenticating_exit called
002344: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_authc_result_enter called
002345: Mar 26 16:23:36.001: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi1/0/2 AuditSessionID 6A7D1FAF0000006001916AC3
002346: Mar 26 16:23:36.001: dot1x-ev(Gi1/0/2): Sending event (2) to Auth Mgr for 0000.0000.0000
002347: Mar 26 16:23:36.001: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/2 AuditSessionID 6A7D1FAF0000006001916AC3
002348: Mar 26 16:23:36.001: dot1x-ev(Gi1/0/2): Received Authz fail for the client  0x6D000054 (0000.0000.0000)
002349: Mar 26 16:23:36.001: dot1x-ev(Gi1/0/2): Deleting client 0x6D000054 (0000.0000.0000)
002350: Mar 26 16:23:36.001: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/2 AuditSessionID 6A7D1FAF0000006001916AC3
002351: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): Posting_AUTHZ_FAIL on Client 0x6D000054
002352: Mar 26 16:23:36.001:     dot1x_auth Gi1/0/2: during state auth_authc_result, got event 22(authzFail)
002353: Mar 26 16:23:36.006: @@@ dot1x_auth Gi1/0/2: auth_authc_result -> auth_held
002354: Mar 26 16:23:36.006: dot1x-ev:Delete auth client (0x6D000054) message
002355: Mar 26 16:23:36.006: dot1x-ev:Auth client ctx destroyed
002356: Mar 26 16:23:36.006: dot1x-ev:Aborted posting message to authenticator state machine: Invalid client
I see that; however, that is very old software, and so is the document. I have had plenty of problems running port-security and dot1x/mab on the same port, some of them very similar to yours. Multiple Cisco people have told me that you should not run port-security and dot1x on the port at the same time. Also try to reboot the switch after you enable dot1x on the ports; I have seen the "unknown" status many times, which only got solved by rebooting the switch after enabling dot1x.

I just noticed you are missing the following commands on your interface:


authentication order dot1x mab

authentication priority dot1x mab
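As an added example (not code from the thread), a small lint over an IOS interface block that encodes the two points raised in this thread: port-security configured alongside dot1x/mab, and no explicit `authentication order` / `authentication priority` when both methods are enabled. The sample config is a trimmed, constructed copy of the interface block from the original post.

```python
import re

# Constructed sample: the interface block from the original post, trimmed.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/2
 switchport access vlan 2
 switchport mode access
 switchport port-security maximum 5
 switchport port-security
 authentication event fail retry 0 action authorize vlan 2
 authentication host-mode multi-host
 authentication port-control auto
 mab
 dot1x pae authenticator
end
"""

def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} per interface block."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current is not None:
            if line.strip() in ("end", "!"):   # block terminator
                current = None
            else:
                blocks[current].append(line.strip())
    return blocks

def lint_dot1x_port(lines):
    """Return findings for one interface, in a fixed order."""
    findings = []
    has_dot1x = "dot1x pae authenticator" in lines
    has_mab = "mab" in lines
    has_port_sec = any(l.startswith("switchport port-security") for l in lines)
    if (has_dot1x or has_mab) and has_port_sec:
        findings.append("port-security configured together with dot1x/mab")
    if has_dot1x and has_mab:   # both methods: order and priority should be explicit
        if not any(l.startswith("authentication order ") for l in lines):
            findings.append("missing 'authentication order' (e.g. dot1x mab)")
        if not any(l.startswith("authentication priority ") for l in lines):
            findings.append("missing 'authentication priority' (e.g. dot1x mab)")
    return findings

def lint_config(config):
    """Return {interface: findings} for interfaces with at least one finding."""
    return {name: f for name, lines in parse_interfaces(config).items()
            if (f := lint_dot1x_port(lines))}
```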


The problem remains with these 2 commands.

It seems that 802.1x on the switch cannot detect the MAC address of the client, and tries 0000.0000.0000. And finally it blocks the port:

 dot1x-ev:Auth client ctx destroyed
 dot1x-ev:Aborted posting message to authenticator state machine: Invalid client


Have you tried rebooting the switch?

Yes, I tried. I have even updated the IOS from 12.55 to 15.0(2)SE6.

sh authentication sessions interface g1/0/2 (there is no option 'det' in this command)
            Interface:  GigabitEthernet1/0/2
          MAC Address:  Unknown
           IP Address:  Unknown
               Status:  Running
               Domain:  UNKNOWN
       Oper host mode:  multi-host
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  6A7D1FAF00000064019FAD1E
      Acct Session ID:  0x0000006C
               Handle:  0xE4000065

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Running

Looks like your switch is not even trying mab. What do you get if you do "show auth sess int g1/0/2 det"?

Port security normally works with 802.1x.

After deep investigation I found that the problem doesn't depend on the switch. It is a problem with the host. I configured SPAN and ran Wireshark. I found that after enabling "authentication port-control auto" on the port, the host, after failed 802.1x authentication, doesn't send any packets; that is why the switch cannot detect the source MAC address for MAB. I found this device. It is a Samsung Printer ML-551x 651x series. Soon I will try to configure 802.1x authentication on this printer via the web interface.

Hello, has your issue been resolved? I have encountered the same problem: PC - IP Phone - SW2960L - Auth server. The MAC can pass, but when it enters the 802.1X process, the auth status goes to stopped. For example:

#show authentication sessions interface g0/1 details
Method status list:
       Method   State
       dot1x    Stopped
       mab      Stopped

Other config info:

interface GigabitEthernet0/1
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 59
 authentication event fail action authorize vlan 266
 authentication event no-response action authorize vlan 266
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation protect
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 5
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 5
 dot1x max-req 1
 dot1x max-reauth-req 1
 spanning-tree portfast edge
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !