12-11-2015 05:19 AM - edited 03-10-2019 11:19 PM
Hello All,
I am trying to configure 802.1x on a Cisco 3750 switch; my RADIUS server is on Windows Server 2012 R2. Wireless clients are authenticating through that RADIUS server. After configuring the 3750 and trying to connect a wired client (Win 7 machine) on the specified port of the switch, I am getting an authentication failed error.
Below is my configuration on the switch:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
ip radius source-interface Vlan1
radius-server host 192.168.x.xx auth-port 1812 acct-port 1813 key secret
Port settings:
switchport mode access
authentication port-control auto
dot1x pae authenticator
I don't understand what I am doing wrong.
Thanks.
12-14-2015 12:25 PM
Hi,
A couple of questions about your setup:
1-Do you see the access request on the radius server logs?
2-Take a "show authentication session interface <interface>" output after recreating the issue
Regards,
12-14-2015 10:24 PM
Thanks for the response, ivangonz.
Below are the logs and output:
NPS:
A LDAP connection with domain controller <domain> for domain <domain> is established.
Output of the command on the switch:
Switch#show authentication sessions interface gigabitEthernet 1/0/5
Interface: GigabitEthernet1/0/5
MAC Address: 0005.8251.xxxx
IP Address: Unknown
User-Name: user@<domain>
Status: Authz Failed
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A8036900000020034308B3
Acct Session ID: 0x00000027
Handle: 0x67000020
Runnable methods list:
Method State
dot1x Authc Failed
Thanks.
12-15-2015 10:01 AM
Hello,
I see authentication and authorization are failing from the output you have provided.
On the NPS server, I mean in the event logs, you should be able to see an access-request reaching the server.
At that point it will be necessary to enable the following debugs to see if the issue is with EAP or RADIUS authentication, and check if you are getting access-accept or reject from the NPS server:
debug dot1x all
debug radius
debug authentication all
12-16-2015 06:39 AM
Hello,
I don't see any logs on NPS in Event Viewer, except for: "A LDAP connection with domain controller <domain> for domain <domain> is established"
Below are the logs of the switch:
*Mar 1 00:40:55.404: @@@ dot1x_auth Gi1/0/5: auth_initialize -> auth_disconnected
*Mar 1 00:40:55.404: dot1x-sm(Gi1/0/5): 0xD2000012:auth_disconnected_enter called
*Mar 1 00:40:55.404: dot1x_auth Gi1/0/5: idle during state auth_disconnected
*Mar 1 00:40:55.404: @@@ dot1x_auth Gi1/0/5: auth_disconnected -> auth_restart
*Mar 1 00:40:55.404: dot1x-sm(Gi1/0/5): 0xD2000012:auth_restart_enter called
*Mar 1 00:40:55.404: dot1x-ev(Gi1/0/5): Sending create new context event to EAP for 0xD2000012 (0000.0000.0000)
*Mar 1 00:40:55.404: dot1x_auth_bend Gi1/0/5: initial state auth_bend_initialize has enter
*Mar 1 00:40:55.404: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_initialize_enter called
*Mar 1 00:40:55.404: dot1x_auth_bend Gi1/0/5: initial state auth_bend_initialize has idle
*Mar 1 00:40:55.404: dot1x_auth_bend Gi1/0/5: during state auth_bend_initialize, got event 16383(idle)
*Mar 1 00:40:55.404: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_initialize -> auth_bend_idle
*Mar 1 00:40:55.404: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_idle_enter called
*Mar 1 00:40:55.404: dot1x-ev(Gi1/0/5): Created a client entry (0xD2000012)
*Mar 1 00:40:55.404: dot1x-ev(Gi1/0/5): Dot1x authentication started for 0xD2000012 (0000.0000.0000)
*Mar 1 00:40:55.404: AUTH-EVENT (Gi1/0/5) Received handle 0xD2000012 from method
*Mar 1 00:40:55.404: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Context changing state from 'Idle' to 'Running'
*Mar 1 00:40:55.404: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Method dot1x changing state from 'Not run' to 'Running'
*Mar 1 00:40:55.404: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/5
*Mar 1 00:40:55.404: dot1x-sm(Gi1/0/5): Posting !EAP_RESTART on Client 0xD2000012
*Mar 1 00:40:55.412: dot1x_auth Gi1/0/5: during state auth_restart, got event 6(no_eapRestart)
*Mar 1 00:40:55.412: @@@ dot1x_auth Gi1/0/5: auth_restart -> auth_connecting
*Mar 1 00:40:55.412: dot1x-sm(Gi1/0/5): 0xD2000012:auth_connecting_enter called
*Mar 1 00:40:55.412: dot1x-sm(Gi1/0/5): 0xD2000012:auth_restart_connecting_action called
*Mar 1 00:40:55.412: dot1x-sm(Gi1/0/5): Posting RX_REQ on Client 0xD2000012
*Mar 1 00:40:55.412: dot1x_auth Gi1/0/5: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
*Mar 1 00:40:55.412: @@@ dot1x_auth Gi1/0/5: auth_connecting -> auth_authenticating
*Mar 1 00:40:55.412: dot1x-sm(Gi1/0/5): 0xD2000012:auth_authenticating_enter called
*Mar 1 00:40:55.412: dot1x-sm(Gi1/0/5): 0xD2000012:auth_connecting_authenticating_action called
*Mar 1 00:40:55.412: dot1x-sm(Gi1/0/5): Posting AUTH_START for 0xD2000012
*Mar 1 00:40:55.412: dot1x_auth_bend Gi1/0/5: during state auth_bend_idle, got event 4(eapReq_authStart)
*Mar 1 00:40:55.412: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_idle -> auth_bend_request
*Mar 1 00:40:55.412: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_request_enter called
*Mar 1 00:40:55.412: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE address
*Mar 1 00:40:55.412: dot1x-ev(Gi1/0/5): Role determination not required
*Mar 1 00:40:55.412: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 1 00:40:55.412: dot1x-ev(Gi1/0/5): Sending out EAPOL packet
*Mar 1 00:40:55.412: EAPOL pak dump Tx
*Mar 1 00:40:55.412: EAPOL Version: 0x3 type: 0x0 length: 0x0005
*Mar 1 00:40:55.412: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
*Mar 1 00:40:55.412: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0xD2000012 (0000.0000.0000)
*Mar 1 00:40:55.412: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_idle_request_action called
*Mar 1 00:40:55.622: dot1x-ev(Gi1/0/5): Role determination not required
*Mar 1 00:40:55.622: dot1x-packet(Gi1/0/5): queuing an EAPOL pkt on Auth Q
*Mar 1 00:40:55.622: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar 1 00:40:55.622: EAPOL pak dump rx
*Mar 1 00:40:55.622: EAPOL Version: 0x1 type: 0x1 length: 0x0000
*Mar 1 00:40:55.622: dot1x-ev:
dot1x_auth_queue_event: Int Gi1/0/5 CODE= 0,TYPE= 0,LEN= 0
*Mar 1 00:40:55.622: dot1x-packet(Gi1/0/5): Received an EAPOL frame
*Mar 1 00:40:55.622: dot1x-ev(Gi1/0/5): Received pkt saddr =f0de.f199.3e92 , daddr = 0180.c200.0003,
pae-ether-type = 888e.0101.0000
*Mar 1 00:40:55.622: dot1x-ev(Gi1/0/5): Couldn't find the supplicant in the list
*Mar 1 00:40:55.622: dot1x-ev(Gi1/0/5): New client detected, notifying AuthMgr
*Mar 1 00:40:55.630: dot1x-ev(Gi1/0/5): Sending event (0) to Auth Mgr for f0de.f199.3e92
*Mar 1 00:40:55.630: dot1x-packet(Gi1/0/5): Received an EAPOL-Start packet
*Mar 1 00:40:55.630: EAPOL pak dump rx
*Mar 1 00:40:55.630: EAPOL Version: 0x1 type: 0x1 length: 0x0000
*Mar 1 00:40:55.630: dot1x-sm(Gi1/0/5): Posting EAPOL_START on Client 0xD2000012
*Mar 1 00:40:55.630: dot1x_auth Gi1/0/5: during state auth_authenticating, got event 4(eapolStart)
*Mar 1 00:40:55.630: @@@ dot1x_auth Gi1/0/5: auth_authenticating -> auth_aborting
*Mar 1 00:40:55.630: dot1x-sm(Gi1/0/5): 0xD2000012:auth_authenticating_exit called
*Mar 1 00:40:55.630: dot1x-sm(Gi1/0/5): 0xD2000012:auth_aborting_enter called
*Mar 1 00:40:55.630: AUTH-EVENT (Gi1/0/5) Received NEW_MAC from dot1x (handle 0xA900000D)
*Mar 1 00:40:55.630: AUTH-EVENT (Gi1/0/5) New Method MAC: f0de.f199.3e92 62BF3C0
*Mar 1 00:40:55.630: AUTH-EVENT: auth_mgr_idc_insert_key_in_record: update mac f0de.f199.3e92
*Mar 1 00:40:55.630: AUTH-EVENT (Gi1/0/5) Sending NEW_MAC to dot1x (handle 0xA900000D)
*Mar 1 00:40:55.630: dot1x-ev(Gi1/0/5): 802.1x method gets the go ahead from Auth Mgr for 0xD2000012 (f0de.f199.3e92)
*Mar 1 00:40:55.630: %AUTHMGR-5-START: Starting 'dot1x' for client (f0de.f199.3e92) on Interface Gi1/0/5 AuditSessionID C0A803690000000D0025776C
*Mar 1 00:40:55.630: dot1x-sm(Gi1/0/5): Posting AUTH_ABORT for 0xD2000012
*Mar 1 00:40:55.630: dot1x_auth_bend Gi1/0/5: during state auth_bend_request, got event 1(authAbort)
*Mar 1 00:40:55.630: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_bend_initialize
*Mar 1 00:40:55.630: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_initialize_enter called
*Mar 1 00:40:55.630: dot1x_auth_bend Gi1/0/5: idle during state auth_bend_initialize
*Mar 1 00:40:55.630: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_initialize -> auth_bend_idle
*Mar 1 00:40:55.630: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_idle_enter called
*Mar 1 00:40:55.630: dot1x-sm(Gi1/0/5): Posting !AUTH_ABORT on Client 0xD2000012
*Mar 1 00:40:55.630: dot1x_auth Gi1/0/5: during state auth_aborting, got event 20(no_eapolLogoff_no_authAbort)
*Mar 1 00:40:55.630: @@@ dot1x_auth Gi1/0/5: auth_aborting -> auth_restart
*Mar 1 00:40:55.630: dot1x-sm(Gi1/0/5): 0xD2000012:auth_aborting_exit called
*Mar 1 00:40:55.630: dot1x-sm(Gi1/0/5): 0xD2000012:auth_restart_enter called
*Mar 1 00:40:55.630: dot1x-ev(Gi1/0/5): Resetting the client 0xD2000012 (f0de.f199.3e92)
*Mar 1 00:40:55.630: dot1x-ev(Gi1/0/5): Sending create new context event to EAP for 0xD2000012 (f0de.f199.3e92)
*Mar 1 00:40:55.630: dot1x-sm(Gi1/0/5): 0xD2000012:auth_aborting_restart_action called
*Mar 1 00:40:55.630: dot1x-sm(Gi1/0/5): Posting !EAP_RESTART on Client 0xD2000012
*Mar 1 00:40:55.630: dot1x_auth Gi1/0/5: during state auth_restart, got event 6(no_eapRestart)
*Mar 1 00:40:55.630: @@@ dot1x_auth Gi1/0/5: auth_restart -> auth_connecting
*Mar 1 00:40:55.630: dot1x-sm(Gi1/0/5): 0xD2000012:auth_connecting_enter called
*Mar 1 00:40:55.630: dot1x-sm(Gi1/0/5): 0xD2000012:auth_restart_connecting_action called
*Mar 1 00:40:55.630: dot1x-sm(Gi1/0/5): Posting RX_REQ on Client 0xD2000012
*Mar 1 00:40:55.630: dot1x_auth Gi1/0/5: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
*Mar 1 00:40:55.630: @@@ dot1x_auth Gi1/0/5: auth_connecting -> auth_authenticating
*Mar 1 00:40:55.630: dot1x-sm(Gi1/0/5): 0xD2000012:auth_authenticating_enter called
*Mar 1 00:40:55.630: dot1x-sm(Gi1/0/5): 0xD2000012:auth_connecting_authenticating_action called
*Mar 1 00:40:55.630: dot1x-sm(Gi1/0/5): Posting AUTH_START for 0xD2000012
*Mar 1 00:40:55.630: dot1x_auth_bend Gi1/0/5: during state auth_bend_idle, got event 4(eapReq_authStart)
*Mar 1 00:40:55.630: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_idle -> auth_bend_request
*Mar 1 00:40:55.630: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_request_enter called
*Mar 1 00:40:55.630: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE address
*Mar 1 00:40:55.630: dot1x-ev(Gi1/0/5): Role determination not required
*Mar 1 00:40:55.639: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 1 00:40:55.639: dot1x-ev(Gi1/0/5): Sending out EAPOL packet
*Mar 1 00:40:55.639: EAPOL pak dump Tx
*Mar 1 00:40:55.639: EAPOL Version: 0x3 type: 0x0 length: 0x0005
*Mar 1 00:40:55.639: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
*Mar 1 00:40:55.639: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0xD2000012 (f0de.f199.3e92)
*Mar 1 00:40:55.639: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_idle_request_action called
*Mar 1 00:40:57.400: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to up
*Mar 1 00:41:22.608: dot1x-ev(Gi1/0/5): Role determination not required
*Mar 1 00:41:22.608: dot1x-packet(Gi1/0/5): Queuing an EAPOL pkt on Authenticator Q
*Mar 1 00:41:22.608: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar 1 00:41:22.608: EAPOL pak dump rx
*Mar 1 00:41:22.608: EAPOL Version: 0x1 type: 0x0 length: 0x0015
*Mar 1 00:41:22.608: dot1x-ev:
dot1x_auth_queue_event: Int Gi1/0/5 CODE= 2,TYPE= 1,LEN= 21
*Mar 1 00:41:22.608: dot1x-packet(Gi1/0/5): Received an EAPOL frame
*Mar 1 00:41:22.608: dot1x-ev(Gi1/0/5): Received pkt saddr =f0de.f199.3e92 , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.0015
*Mar 1 00:41:22.608: dot1x-packet(Gi1/0/5): Received an EAP packet
*Mar 1 00:41:22.608: EAPOL pak dump rx
*Mar 1 00:41:22.608: EAPOL Version: 0x1 type: 0x0 length: 0x0015
*Mar 1 00:41:22.608: dot1x-packet(Gi1/0/5): Received an EAP packet from f0de.f199.3e92
*Mar 1 00:41:22.616: dot1x-sm(Gi1/0/5): Posting EAPOL_EAP for 0xD2000012
*Mar 1 00:41:22.616: dot1x_auth_bend Gi1/0/5: during state auth_bend_request, got event 6(eapolEap)
*Mar 1 00:41:22.616: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_bend_response
*Mar 1 00:41:22.616: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_response_enter called
*Mar 1 00:41:22.616: dot1x-ev(Gi1/0/5): dot1x_sendRespToServer: Response sent to the server from 0xD2000012 (f0de.f199.3e92)
*Mar 1 00:41:22.616: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_request_response_action called
*Mar 1 00:41:22.616: AUTH-EVENT (Gi1/0/5) Clear state attribute for AAA ID: 0x00000010
*Mar 1 00:41:22.616: RADIUS/ENCODE(00000010):Orig. component type = DOT1X
*Mar 1 00:41:22.616: RADIUS: AAA Unsupported Attr: audit-session-id [607] 24
*Mar 1 00:41:22.616: RADIUS: 43 30 41 38 30 33 36 39 30 30 30 30 30 30 30 44 [C0A803690000000D]
*Mar 1 00:41:22.616: RADIUS: 30 30 32 35 37 37 [ 002577]
*Mar 1 00:41:22.616: RADIUS: AAA Unsupported Attr: interface [171] 20
*Mar 1 00:41:22.616: RADIUS: 47 69 67 61 62 69 74 45 74 68 65 72 6E 65 74 31 [GigabitEthernet1]
*Mar 1 00:41:22.616: RADIUS: 2F 30 [ /0]
*Mar 1 00:41:22.616: RADIUS(00000010): Config NAS IP: 0.0.0.0
*Mar 1 00:41:22.616: RADIUS/ENCODE(00000010): acct_session_id: 15
*Mar 1 00:41:22.616: RADIUS(00000010): sending
*Mar 1 00:41:22.616: RADIUS/ENCODE: Best Local IP-Address 192.168.3.105 for Radius-Server 192.168.3.45
*Mar 1 00:41:22.616: RADIUS(00000010): Send Access-Request to 192.168.3.45:1645 id 1645/11, len 171
*Mar 1 00:41:22.616: RADIUS: authenticator 02 73 8C C3 37 B1 FA 4D - DB 91 78 C4 E7 AA 43 8D
*Mar 1 00:41:22.616: RADIUS: User-Name [1] 18 "radi@rddom.local"
*Mar 1 00:41:22.616: RADIUS: Service-Type [6] 6 Framed [2]
*Mar 1 00:41:22.616: RADIUS: Framed-MTU [12] 6 2100
*Mar 1 00:41:22.616: RADIUS: Called-Station-Id [30] 19 "00-13-1A-19-A4-05"
*Mar 1 00:41:22.616: RADIUS: Calling-Station-Id [31] 19 "F0-DE-F1-99-3E-92"
*Mar 1 00:41:22.616: RADIUS: EAP-Message [79] 23
*Mar 1 00:41:22.616: RADIUS: 02 01 00 15 01 72 61 64 69 40 72 64 64 6F 6D 2E 6C 6F 63 61 6C [ radi@rddom.local]
*Mar 1 00:41:22.616: RADIUS: Message-Authenticato[80] 18
*Mar 1 00:41:22.616: RADIUS: 9C C6 F9 32 58 E2 19 DA D7 40 B1 72 E0 64 B4 E0 [ 2X@rd]
*Mar 1 00:41:22.616: RADIUS: EAP-Key-Name [102] 2 *
*Mar 1 00:41:22.616: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Mar 1 00:41:22.616: RADIUS: NAS-Port [5] 6 50105
*Mar 1 00:41:22.616: RADIUS: NAS-Port-Id [87] 22 "GigabitEthernet1/0/5"
*Mar 1 00:41:22.625: RADIUS: NAS-IP-Address [4] 6 192.168.3.105
*Mar 1 00:41:22.625: RADIUS(00000010): Started 5 sec timeout
*Mar 1 00:41:22.625: RADIUS: Received from id 1645/11 192.168.3.45:1645, Access-Challenge, len 90
*Mar 1 00:41:22.625: RADIUS: authenticator E1 97 65 6E 8C B0 EC D7 - AD 3B 8A C0 70 A4 97 59
*Mar 1 00:41:22.625: RADIUS: Session-Timeout [27] 6 30
*Mar 1 00:41:22.625: RADIUS: EAP-Message [79] 8
*Mar 1 00:41:22.625: RADIUS: 01 02 00 06 19 20 [ ]
*Mar 1 00:41:22.625: RADIUS: State [24] 38
*Mar 1 00:41:22.633: RADIUS: 31 04 03 FC 00 00 01 37 00 01 02 00 C0 A8 03 2D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 14 24 E6 81 89 [ 17-$]
*Mar 1 00:41:22.633: RADIUS: Message-Authenticato[80] 18
*Mar 1 00:41:22.633: RADIUS: E7 C8 85 34 1A A3 1B 87 81 F3 45 43 34 44 C9 FC [ 4EC4D]
*Mar 1 00:41:22.633: RADIUS(00000010): Received from id 1645/11
*Mar 1 00:41:22.633: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
*Mar 1 00:41:22.633: dot1x-sm(Gi1/0/5): Posting EAP_REQ for 0xD2000012
*Mar 1 00:41:22.633: dot1x_auth_bend Gi1/0/5: during state auth_bend_response, got event 7(eapReq)
*Mar 1 00:41:22.633: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_response -> auth_bend_request
*Mar 1 00:41:22.633: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_response_exit called
*Mar 1 00:41:22.633: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_request_enter called
*Mar 1 00:41:22.633: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE address
*Mar 1 00:41:22.633: dot1x-ev(Gi1/0/5): Role determination not required
*Mar 1 00:41:22.633: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 1 00:41:22.633: dot1x-ev(Gi1/0/5): Sending out EAPOL packet
*Mar 1 00:41:22.633: EAPOL pak dump Tx
*Mar 1 00:41:22.633: EAPOL Version: 0x3 type: 0x0 length: 0x0006
*Mar 1 00:41:22.633: EAP code: 0x1 id: 0x2 length: 0x0006 type: 0x19
*Mar 1 00:41:22.633: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0xD2000012 (f0de.f199.3e92)
*Mar 1 00:41:22.633: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_response_request_action called
*Mar 1 00:41:22.642: dot1x-ev(Gi1/0/5): Role determination not required
*Mar 1 00:41:22.642: dot1x-packet(Gi1/0/5): Queuing an EAPOL pkt on Authenticator Q
*Mar 1 00:41:22.642: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar 1 00:41:22.642: EAPOL pak dump rx
*Mar 1 00:41:22.642: EAPOL Version: 0x1 type: 0x0 length: 0x0069
*Mar 1 00:41:22.642: dot1x-ev:
dot1x_auth_queue_event: Int Gi1/0/5 CODE= 2,TYPE= 25,LEN= 105
*Mar 1 00:41:22.642: dot1x-packet(Gi1/0/5): Received an EAPOL frame
*Mar 1 00:41:22.642: dot1x-ev(Gi1/0/5): Received pkt saddr =f0de.f199.3e92 , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.0069
*Mar 1 00:41:22.642: dot1x-packet(Gi1/0/5): Received an EAP packet
*Mar 1 00:41:22.642: EAPOL pak dump rx
*Mar 1 00:41:22.642: EAPOL Version: 0x1 type: 0x0 length: 0x0069
*Mar 1 00:41:22.642: dot1x-packet(Gi1/0/5): Received an EAP packet from f0de.f199.3e92
*Mar 1 00:41:22.642: dot1x-sm(Gi1/0/5): Posting EAPOL_EAP for 0xD2000012
*Mar 1 00:41:22.642: dot1x_auth_bend Gi1/0/5: during state auth_bend_request, got event 6(eapolEap)
*Mar 1 00:41:22.642: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_bend_response
*Mar 1 00:41:22.642: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_response_enter called
*Mar 1 00:41:22.642: dot1x-ev(Gi1/0/5): dot1x_sendRespToServer: Response sent to the server from 0xD2000012 (f0de.f199.3e92)
*Mar 1 00:41:22.642: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_request_response_action called
*Mar 1 00:41:22.642: RADIUS/ENCODE(00000010):Orig. component type = DOT1X
*Mar 1 00:41:22.642: RADIUS: AAA Unsupported Attr: audit-session-id [607] 24
*Mar 1 00:41:22.642: RADIUS: 43 30 41 38 30 33 36 39 30 30 30 30 30 30 30 44 [C0A803690000000D]
*Mar 1 00:41:22.642: RADIUS: 30 30 32 35 37 37 [ 002577]
*Mar 1 00:41:22.642: RADIUS: AAA Unsupported Attr: interface [171] 20
*Mar 1 00:41:22.642: RADIUS: 47 69 67 61 62 69 74 45 74 68 65 72 6E 65 74 31 [GigabitEthernet1]
*Mar 1 00:41:22.642: RADIUS: 2F 30 [ /0]
*Mar 1 00:41:22.642: RADIUS(00000010): Config NAS IP: 0.0.0.0
*Mar 1 00:41:22.642: RADIUS/ENCODE(00000010): acct_session_id: 15
*Mar 1 00:41:22.642: RADIUS(00000010): sending
*Mar 1 00:41:22.642: RADIUS/ENCODE: Best Local IP-Address 192.168.3.105 for Radius-Server 192.168.3.45
*Mar 1 00:41:22.642: RADIUS(00000010): Send Access-Request to 192.168.3.45:1645 id 1645/12, len 293
*Mar 1 00:41:22.642: RADIUS: authenticator 33 1B 66 30 3D 78 EA 20 - FF 66 CC 09 64 FC 32 2D
*Mar 1 00:41:22.642: RADIUS: User-Name [1] 18 "radi@rddom.local"
*Mar 1 00:41:22.642: RADIUS: Service-Type [6] 6 Framed [2]
*Mar 1 00:41:22.642: RADIUS: Framed-MTU [12] 6 2100
*Mar 1 00:41:22.642: RADIUS: Called-Station-Id [30] 19 "00-13-1A-19-A4-05"
*Mar 1 00:41:22.642: RADIUS: Calling-Station-Id [31] 19 "F0-DE-F1-99-3E-92"
*Mar 1 00:41:22.642: RADIUS: EAP-Message [79] 107
*Mar 1 00:41:22.650: RADIUS: 02 02 00 69 19 80 00 00 00 5F 16 03 01 00 5A 01 00 00 56 03 01 56 71 73 25 E2 9D 97 EF 15 C6 5F DF 47 ED A4 48 59 EA DC 27 C1 E9 98 2E 56 67 [i_ZVVqs?_GHY'.Vg]
*Mar 1 00:41:22.650: RADIUS: 28 75 46 D9 E5 3F 00 00 18 00 2F 00 35 00 05 00 0A C0 13 C0 14 C0 09 C0 0A 00 32 00 38 00 13 00 04 01 00 00 15 FF 01 00 01 00 00 0A 00 06 00 04 00 17 00 18 00 0B 00 02 01 00 [ (uF?/528]
*Mar 1 00:41:22.650: RADIUS: Message-Authenticato[80] 18
*Mar 1 00:41:22.650: RADIUS: 38 7D 6F 47 77 F7 57 CE B9 56 FA 56 42 95 5A D7 [ 8}oGwWVVBZ]
*Mar 1 00:41:22.650: RADIUS: EAP-Key-Name [102] 2 *
*Mar 1 00:41:22.650: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Mar 1 00:41:22.650: RADIUS: NAS-Port [5] 6 50105
*Mar 1 00:41:22.650: RADIUS: NAS-Port-Id [87] 22 "GigabitEthernet1/0/5"
*Mar 1 00:41:22.650: RADIUS: State [24] 38
*Mar 1 00:41:22.650: RADIUS: 31 04 03 FC 00 00 01 37 00 01 02 00 C0 A8 03 2D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 14 24 E6 81 89 [ 17-$]
*Mar 1 00:41:22.650: RADIUS: NAS-IP-Address [4] 6 192.168.3.105
*Mar 1 00:41:22.650: RADIUS(00000010): Started 5 sec timeout
*Mar 1 00:41:22.650: RADIUS: Received from id 1645/12 192.168.3.45:1645, Access-Challenge, len 2144
*Mar 1 00:41:22.650: RADIUS: authenticator 98 45 1D 3A 58 A2 B5 18 - 89 C7 34 A4 4F 7C A9 58
*Mar 1 00:41:22.650: RADIUS: Session-Timeout [27] 6 30
12-16-2015 07:15 AM
Hi,
It is strange NPS does not show any logs since from the debugs collected, we can see it is responding with "Access-challenge" after "Access-requests" are being sent.
The debug output attached does not contain the full authentication thread; you might need to log the session to a ".txt" file to see how it ends up.
Regards,
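Added example, not part of any post in this thread: a small Python parser that rejoins the terminal-wrapped `debug radius` / `debug dot1x` lines shown above, pairs each Access-Request with its reply, and reports whether the capture reaches a final Access-Accept or Access-Reject. It assumes the line formats seen in this thread's output; the function names and the `configured_auth_port` parameter are illustrative.

```python
import re

# Sample input: records taken from the debug output posted in this thread,
# left wrapped at the terminal width the way they were pasted.
SAMPLE = """\
*Mar 1 00:41:22.616: RADIUS(00000010): Send Access-Request to 192.168.3.45:1645
id 1645/11, len 171
*Mar 1 00:41:22.616: RADIUS: User-Name [1] 18 "radi@rddom.local"
*Mar 1 00:41:22.625: RADIUS: Received from id 1645/11 192.168.3.45:1645, Access
-Challenge, len 90
*Mar 1 00:41:22.633: EAP code: 0x1 id: 0x2 length: 0x0006 type: 0x19
*Mar 1 00:41:22.642: RADIUS(00000010): Send Access-Request to 192.168.3.45:1645
id 1645/12, len 293
*Mar 1 00:41:22.650: RADIUS: Received from id 1645/12 192.168.3.45:1645, Access
-Challenge, len 2144
"""

TS = re.compile(r"^\*\w{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d+:")
# \s* before "id" tolerates a wrap that fell on the space between port and "id".
SEND = re.compile(r"Send Access-Request to ([\d.]+):(\d+)\s*id \d+/(\d+), len (\d+)")
RECV = re.compile(r"Received from id \d+/(\d+) ([\d.]+):(\d+), (Access-\w+), len (\d+)")
EAP = re.compile(r"EAP code: (0x[0-9a-fA-F]+) id: \S+ length: \S+ type: (0x[0-9a-fA-F]+)")
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}


def unwrap(text):
    """Rejoin wrapped lines: a line without a timestamp continues the previous record."""
    records = []
    for line in text.splitlines():
        if TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line
    return records


def parse(text):
    """Return ({radius_id: exchange}, [(eap_code, eap_type), ...])."""
    exchanges, eap = {}, []
    for rec in unwrap(text):
        m = SEND.search(rec)
        if m:
            # RADIUS ids are 8-bit and get reused; fine for one short capture.
            exchanges[int(m[3])] = {"server": m[1], "port": int(m[2]),
                                    "req_len": int(m[4]), "reply": None, "reply_len": None}
            continue
        m = RECV.search(rec)
        if m:
            ex = exchanges.setdefault(int(m[1]), {"server": m[2], "port": int(m[3]),
                                                  "req_len": None})
            ex["reply"], ex["reply_len"] = m[4], int(m[5])
            continue
        m = EAP.search(rec)
        if m:
            code, etype = int(m[1], 16), int(m[2], 16)
            eap.append((EAP_CODES.get(code, hex(code)), EAP_TYPES.get(etype, hex(etype))))
    return exchanges, eap


def diagnose(exchanges, configured_auth_port):
    """Return (code, detail) findings for the parsed exchanges."""
    findings = []
    for port in sorted({e["port"] for e in exchanges.values()} - {configured_auth_port}):
        findings.append(("port-mismatch",
                         f"requests go to UDP/{port}, config says {configured_auth_port}"))
    for rid, e in exchanges.items():
        if e["reply"] is None:
            findings.append(("no-reply", f"id {rid}: no answer from {e['server']}"))
    if exchanges:
        last = list(exchanges.values())[-1]  # dicts keep insertion order
        verdict = {"Access-Accept": "accepted", "Access-Reject": "rejected",
                   "Access-Challenge": "no-final-verdict"}.get(last["reply"])
        if verdict:
            findings.append((verdict, f"last reply seen: {last['reply']}"))
    return findings


if __name__ == "__main__":
    ex, eap = parse(SAMPLE)
    print(eap)
    for code, detail in diagnose(ex, configured_auth_port=1812):
        print(code, "-", detail)
```

On the sample it reports the exchange ending on an Access-Challenge with no verdict, and that the requests were sent to UDP 1645 while the posted configuration sets `auth-port 1812`.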
12-31-2015 11:35 AM
Hello,
Sorry, I was busy with some other tasks, that's why I couldn't test this scenario, but it has suddenly become top priority and I have to configure this as soon as possible.
I am getting the below logs now on the NPS server:
Network Policy Server denied access to a user.
Reason Code: 49
Reason: The RADIUS request did not match any configured connection request policy (CRP).
OR
Reason Code: 48
Reason: The connection request did not match any configured network policy.
I have tried so many different settings/configurations but this thing is not working; I don't understand what's happening.
Thanks.
12-31-2015 12:17 PM
Hi,
It is giving you a good sign that the issue is on the NPS server configuration, looks like on the policies configured on it.
At this point, I think you might need to engage some Microsoft support to see what is wrong with the policies.
01-25-2016 02:47 AM
Hello,
Finally, I am able to authenticate Windows 7 clients with Server 2008 R2 NPS.
Thanks for all the support.
Below is the URL that helped me in the scenario; for people who are stuck, this link is very useful:
http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-config-000.html
If you still face authentication issues, please add the framed-mtu = 1434 value.
Thanks.