cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5688
Views
0
Helpful
8
Replies

802.1x authentication using 2012 R2 NPS & cisco 3750

saqiibiqbal
Level 1
Level 1

Hello All,

                i am trying to configure 802.1x on Cisco 3750 switch, my radius server is on windows server 2012 R2. wireless clients are authenticating through that radius server. after configure 3750 and tried to connect a wired client (win 7 machine) on the specified port of the switch i am getting authentication failed error. 

below is my configuration on switch:

aaa new-model

aaa authentication dot1x default group radius
aaa authorization network default group radius

dot1x system-auth-control

ip radius source-interface Vlan1

radius-server host 192.168.x.xx auth-port 1812 acct-port 1813 key secret

port settings

switchport mode access
authentication port-control auto
dot1x pae authenticator

i dont understand what i am doing wrong.

thanks.

8 Replies 8

Ivan Gonzalez
Cisco Employee
Cisco Employee

Hi,

A couple of questions about your setup:

1-Do you see the access request on the radius server logs?

2-Take a "show authentication session interface <interface>" output after recreating the issue

Regards,

thanks for the response ivangonz,

below are the logs and output:

NPS:

A LDAP connection with domain controller <domain> for domain <domain> is established.

output of the command on switch:

Switch#show authentication sessions interface gigabitEthernet 1/0/5
Interface: GigabitEthernet1/0/5
MAC Address: 0005.8251.xxxx
IP Address: Unknown
User-Name: user@<domain>
Status: Authz Failed
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A8036900000020034308B3
Acct Session ID: 0x00000027
Handle: 0x67000020

Runnable methods list:
Method State
dot1x Authc Failed

Thanks.

Hello,

I see authentication an authorization is failing from the output you have provided.

On the NPS server, I mean on the event logs, you should be able to see an access-request reaching the server.

At that point it will be necessary to enable the following debugs to see if the issue is with EAP of radius authentication, and check if you are getting access-accept or reject from the NPS server:

debug dot1x all

debug radius

debug authentication all

Hello,

   i dont see any logs on NPS in event viewer, except for :A LDAP connection with domain controller <domain> for domain <domain> is established"

below are the logs of switch:

*Mar  1 00:40:55.404: @@@ dot1x_auth Gi1/0/5: auth_initialize -> auth_disconnect

ed

*Mar  1 00:40:55.404: dot1x-sm(Gi1/0/5): 0xD2000012:auth_disconnected_enter call

ed

*Mar  1 00:40:55.404:     dot1x_auth Gi1/0/5: idle during state auth_disconnecte

d

*Mar  1 00:40:55.404: @@@ dot1x_auth Gi1/0/5: auth_disconnected -> auth_restart

*Mar  1 00:40:55.404: dot1x-sm(Gi1/0/5): 0xD2000012:auth_restart_enter called

*Mar  1 00:40:55.404: dot1x-ev(Gi1/0/5): Sending create new context event to EAP

 for 0xD2000012 (0000.0000.0000)

*Mar  1 00:40:55.404:     dot1x_auth_bend Gi1/0/5: initial state auth_bend_initi

alize has enter

*Mar  1 00:40:55.404: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_initialize_enter c

alled

*Mar  1 00:40:55.404:     dot1x_auth_bend Gi1/0/5: initial state auth_bend_initi

alize has idle

*Mar  1 00:40:55.404:     dot1x_auth_bend Gi1/0/5: during state auth_bend_initia

lize, got event 16383(idle)

*Mar  1 00:40:55.404: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_initialize -> auth_

bend_idle

*Mar  1 00:40:55.404: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_idle_enter called

*Mar  1 00:40:55.404: dot1x-ev(Gi1/0/5): Created a client entry (0xD2000012)

*Mar  1 00:40:55.404: dot1x-ev(Gi1/0/5): Dot1x authentication started for 0xD200

0012 (0000.0000.0000)

*Mar  1 00:40:55.404: AUTH-EVENT (Gi1/0/5) Received handle 0xD2000012 from metho

d

*Mar  1 00:40:55.404: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Context changi

ng state from 'Idle' to 'Running'

*Mar  1 00:40:55.404: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Method dot1x c

hanging state from 'Not run' to 'Running'

*Mar  1 00:40:55.404: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/

0/5

*Mar  1 00:40:55.404: dot1x-sm(Gi1/0/5): Posting !EAP_RESTART on Client 0xD20000

12

*Mar  1 00:40:55.412:     dot1x_auth Gi1/0/5: during state auth_restart, got eve

nt 6(no_eapRestart)

*Mar  1 00:40:55.412: @@@ dot1x_auth Gi1/0/5: auth_restart -> auth_connecting

*Mar  1 00:40:55.412: dot1x-sm(Gi1/0/5): 0xD2000012:auth_connecting_enter called

 

*Mar  1 00:40:55.412: dot1x-sm(Gi1/0/5): 0xD2000012:auth_restart_connecting_acti

on called

*Mar  1 00:40:55.412: dot1x-sm(Gi1/0/5): Posting RX_REQ on Client 0xD2000012

*Mar  1 00:40:55.412:     dot1x_auth Gi1/0/5: during state auth_connecting, got

event 10(eapReq_no_reAuthMax)

*Mar  1 00:40:55.412: @@@ dot1x_auth Gi1/0/5: auth_connecting -> auth_authentica

ting

*Mar  1 00:40:55.412: dot1x-sm(Gi1/0/5): 0xD2000012:auth_authenticating_enter ca

lled

*Mar  1 00:40:55.412: dot1x-sm(Gi1/0/5): 0xD2000012:auth_connecting_authenticati

ng_action called

*Mar  1 00:40:55.412: dot1x-sm(Gi1/0/5): Posting AUTH_START for 0xD2000012

*Mar  1 00:40:55.412:     dot1x_auth_bend Gi1/0/5: during state auth_bend_idle,

got event 4(eapReq_authStart)

*Mar  1 00:40:55.412: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_idle -> auth_bend_r

equest

*Mar  1 00:40:55.412: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_request_enter call

ed

*Mar  1 00:40:55.412: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE addre

ss

*Mar  1 00:40:55.412: dot1x-ev(Gi1/0/5): Role determination not required

*Mar  1 00:40:55.412: dot1x-registry:registry:dot1x_ether_macaddr called

*Mar  1 00:40:55.412: dot1x-ev(Gi1/0/5): Sending out EAPOL packet

*Mar  1 00:40:55.412: EAPOL pak dump Tx

*Mar  1 00:40:55.412: EAPOL Version: 0x3  type: 0x0  length: 0x0005

*Mar  1 00:40:55.412: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1

*Mar  1 00:40:55.412: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0xD2000

012 (0000.0000.0000)

*Mar  1 00:40:55.412: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_idle_request_actio

n called

*Mar  1 00:40:55.622: dot1x-ev(Gi1/0/5): Role determination not required

*Mar  1 00:40:55.622: dot1x-packet(Gi1/0/5): queuing an EAPOL pkt on Auth Q

*Mar  1 00:40:55.622: dot1x-ev:Enqueued the eapol packet to the global authentic

ator queue

*Mar  1 00:40:55.622: EAPOL pak dump rx

*Mar  1 00:40:55.622: EAPOL Version: 0x1  type: 0x1  length: 0x0000

*Mar  1 00:40:55.622: dot1x-ev:

dot1x_auth_queue_event: Int Gi1/0/5 CODE= 0,TYPE= 0,LEN= 0

 

*Mar  1 00:40:55.622: dot1x-packet(Gi1/0/5): Received an EAPOL frame

*Mar  1 00:40:55.622: dot1x-ev(Gi1/0/5): Received pkt saddr =f0de.f199.3e92 , da

ddr = 0180.c200.0003,

                    pae-ether-type = 888e.0101.0000

*Mar  1 00:40:55.622: dot1x-ev(Gi1/0/5): Couldn't find the supplicant in the lis

t

*Mar  1 00:40:55.622: dot1x-ev(Gi1/0/5): New client detected, notifying AuthMgr

*Mar  1 00:40:55.630: dot1x-ev(Gi1/0/5): Sending event (0) to Auth Mgr for f0de.

f199.3e92

*Mar  1 00:40:55.630: dot1x-packet(Gi1/0/5): Received an EAPOL-Start packet

*Mar  1 00:40:55.630: EAPOL pak dump rx

*Mar  1 00:40:55.630: EAPOL Version: 0x1  type: 0x1  length: 0x0000

*Mar  1 00:40:55.630: dot1x-sm(Gi1/0/5): Posting EAPOL_START on Client 0xD200001

2

*Mar  1 00:40:55.630:     dot1x_auth Gi1/0/5: during state auth_authenticating,

got event 4(eapolStart)

*Mar  1 00:40:55.630: @@@ dot1x_auth Gi1/0/5: auth_authenticating -> auth_aborti

ng

*Mar  1 00:40:55.630: dot1x-sm(Gi1/0/5): 0xD2000012:auth_authenticating_exit cal

led

*Mar  1 00:40:55.630: dot1x-sm(Gi1/0/5): 0xD2000012:auth_aborting_enter called

*Mar  1 00:40:55.630: AUTH-EVENT (Gi1/0/5) Received NEW_MAC from dot1x (handle 0

xA900000D)

*Mar  1 00:40:55.630: AUTH-EVENT (Gi1/0/5) New Method MAC: f0de.f199.3e92 62BF3C

0

*Mar  1 00:40:55.630: AUTH-EVENT: auth_mgr_idc_insert_key_in_record: update mac

f0de.f199.3e92

*Mar  1 00:40:55.630: AUTH-EVENT (Gi1/0/5) Sending NEW_MAC to dot1x (handle 0xA9

00000D)

*Mar  1 00:40:55.630: dot1x-ev(Gi1/0/5): 802.1x method gets the go ahead from Au

th Mgr for 0xD2000012 (f0de.f199.3e92)

*Mar  1 00:40:55.630: %AUTHMGR-5-START: Starting 'dot1x' for client (f0de.f199.3

e92) on Interface Gi1/0/5 AuditSessionID C0A803690000000D0025776C

*Mar  1 00:40:55.630: dot1x-sm(Gi1/0/5): Posting AUTH_ABORT for 0xD2000012

*Mar  1 00:40:55.630:     dot1x_auth_bend Gi1/0/5: during state auth_bend_reques

t, got event 1(authAbort)

*Mar  1 00:40:55.630: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_ben

d_initialize

*Mar  1 00:40:55.630: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_initialize_enter c

alled

*Mar  1 00:40:55.630:     dot1x_auth_bend Gi1/0/5: idle during state auth_bend_i

nitialize

*Mar  1 00:40:55.630: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_initialize -> auth_

bend_idle

*Mar  1 00:40:55.630: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_idle_enter called

*Mar  1 00:40:55.630: dot1x-sm(Gi1/0/5): Posting !AUTH_ABORT on Client 0xD200001

2

*Mar  1 00:40:55.630:     dot1x_auth Gi1/0/5: during state auth_aborting, got ev

ent 20(no_eapolLogoff_no_authAbort)

*Mar  1 00:40:55.630: @@@ dot1x_auth Gi1/0/5: auth_aborting -> auth_restart

*Mar  1 00:40:55.630: dot1x-sm(Gi1/0/5): 0xD2000012:auth_aborting_exit called

*Mar  1 00:40:55.630: dot1x-sm(Gi1/0/5): 0xD2000012:auth_restart_enter called

*Mar  1 00:40:55.630: dot1x-ev(Gi1/0/5): Resetting the client 0xD2000012 (f0de.f

199.3e92)

*Mar  1 00:40:55.630: dot1x-ev(Gi1/0/5): Sending create new context event to EAP

 for 0xD2000012 (f0de.f199.3e92)

*Mar  1 00:40:55.630: dot1x-sm(Gi1/0/5): 0xD2000012:auth_aborting_restart_action

 called

*Mar  1 00:40:55.630: dot1x-sm(Gi1/0/5): Posting !EAP_RESTART on Client 0xD20000

12

*Mar  1 00:40:55.630:     dot1x_auth Gi1/0/5: during state auth_restart, got eve

nt 6(no_eapRestart)

*Mar  1 00:40:55.630: @@@ dot1x_auth Gi1/0/5: auth_restart -> auth_connecting

*Mar  1 00:40:55.630: dot1x-sm(Gi1/0/5): 0xD2000012:auth_connecting_enter called

 

*Mar  1 00:40:55.630: dot1x-sm(Gi1/0/5): 0xD2000012:auth_restart_connecting_acti

on called

*Mar  1 00:40:55.630: dot1x-sm(Gi1/0/5): Posting RX_REQ on Client 0xD2000012

*Mar  1 00:40:55.630:     dot1x_auth Gi1/0/5: during state auth_connecting, got

event 10(eapReq_no_reAuthMax)

*Mar  1 00:40:55.630: @@@ dot1x_auth Gi1/0/5: auth_connecting -> auth_authentica

ting

*Mar  1 00:40:55.630: dot1x-sm(Gi1/0/5): 0xD2000012:auth_authenticating_enter ca

lled

*Mar  1 00:40:55.630: dot1x-sm(Gi1/0/5): 0xD2000012:auth_connecting_authenticati

ng_action called

*Mar  1 00:40:55.630: dot1x-sm(Gi1/0/5): Posting AUTH_START for 0xD2000012

*Mar  1 00:40:55.630:     dot1x_auth_bend Gi1/0/5: during state auth_bend_idle,

got event 4(eapReq_authStart)

*Mar  1 00:40:55.630: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_idle -> auth_bend_r

equest

*Mar  1 00:40:55.630: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_request_enter call

ed

*Mar  1 00:40:55.630: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE addre

ss

*Mar  1 00:40:55.630: dot1x-ev(Gi1/0/5): Role determination not required

*Mar  1 00:40:55.639: dot1x-registry:registry:dot1x_ether_macaddr called

*Mar  1 00:40:55.639: dot1x-ev(Gi1/0/5): Sending out EAPOL packet

*Mar  1 00:40:55.639: EAPOL pak dump Tx

*Mar  1 00:40:55.639: EAPOL Version: 0x3  type: 0x0  length: 0x0005

*Mar  1 00:40:55.639: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1

*Mar  1 00:40:55.639: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0xD2000

012 (f0de.f199.3e92)

*Mar  1 00:40:55.639: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_idle_request_actio

n called

*Mar  1 00:40:57.400: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed st

ate to up

*Mar  1 00:41:22.608: dot1x-ev(Gi1/0/5): Role determination not required

*Mar  1 00:41:22.608: dot1x-packet(Gi1/0/5): Queuing an EAPOL pkt on Authenticat

or Q

*Mar  1 00:41:22.608: dot1x-ev:Enqueued the eapol packet to the global authentic

ator queue

*Mar  1 00:41:22.608: EAPOL pak dump rx

*Mar  1 00:41:22.608: EAPOL Version: 0x1  type: 0x0  length: 0x0015

*Mar  1 00:41:22.608: dot1x-ev:

dot1x_auth_queue_event: Int Gi1/0/5 CODE= 2,TYPE= 1,LEN= 21

 

*Mar  1 00:41:22.608: dot1x-packet(Gi1/0/5): Received an EAPOL frame

*Mar  1 00:41:22.608: dot1x-ev(Gi1/0/5): Received pkt saddr =f0de.f199.3e92 , da

ddr = 0180.c200.0003,

                    pae-ether-type = 888e.0100.0015

*Mar  1 00:41:22.608: dot1x-packet(Gi1/0/5): Received an EAP packet

*Mar  1 00:41:22.608: EAPOL pak dump rx

*Mar  1 00:41:22.608: EAPOL Version: 0x1  type: 0x0  length: 0x0015

*Mar  1 00:41:22.608: dot1x-packet(Gi1/0/5): Received an EAP packet from f0de.f1

99.3e92

*Mar  1 00:41:22.616: dot1x-sm(Gi1/0/5): Posting EAPOL_EAP for 0xD2000012

*Mar  1 00:41:22.616:     dot1x_auth_bend Gi1/0/5: during state auth_bend_reques

t, got event 6(eapolEap)

*Mar  1 00:41:22.616: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_ben

d_response

*Mar  1 00:41:22.616: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_response_enter cal

led

*Mar  1 00:41:22.616: dot1x-ev(Gi1/0/5): dot1x_sendRespToServer: Response sent t

o the server from 0xD2000012 (f0de.f199.3e92)

*Mar  1 00:41:22.616: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_request_response_a

ction called

*Mar  1 00:41:22.616: AUTH-EVENT (Gi1/0/5) Clear state attribute for AAA ID: 0x0

0000010

*Mar  1 00:41:22.616: RADIUS/ENCODE(00000010):Orig. component type = DOT1X

*Mar  1 00:41:22.616: RADIUS:  AAA Unsupported Attr: audit-session-id  [607] 24

 

*Mar  1 00:41:22.616: RADIUS:   43 30 41 38 30 33 36 39 30 30 30 30 30 30 30 44

 [C0A803690000000D]

*Mar  1 00:41:22.616: RADIUS:   30 30 32 35 37 37            [ 002577]

*Mar  1 00:41:22.616: RADIUS:  AAA Unsupported Attr: interface         [171] 20

 

*Mar  1 00:41:22.616: RADIUS:   47 69 67 61 62 69 74 45 74 68 65 72 6E 65 74 31

 [GigabitEthernet1]

*Mar  1 00:41:22.616: RADIUS:   2F 30                [ /0]

*Mar  1 00:41:22.616: RADIUS(00000010): Config NAS IP: 0.0.0.0

*Mar  1 00:41:22.616: RADIUS/ENCODE(00000010): acct_session_id: 15

*Mar  1 00:41:22.616: RADIUS(00000010): sending

*Mar  1 00:41:22.616: RADIUS/ENCODE: Best Local IP-Address 192.168.3.105 for Rad

ius-Server 192.168.3.45

*Mar  1 00:41:22.616: RADIUS(00000010): Send Access-Request to 192.168.3.45:1645

 id 1645/11, len 171

*Mar  1 00:41:22.616: RADIUS:  authenticator 02 73 8C C3 37 B1 FA 4D - DB 91 78

C4 E7 AA 43 8D

*Mar  1 00:41:22.616: RADIUS:  User-Name           [1]   18  "radi@rddom.local"

*Mar  1 00:41:22.616: RADIUS:  Service-Type        [6]   6   Framed

       [2]

*Mar  1 00:41:22.616: RADIUS:  Framed-MTU          [12]  6   2100

 

*Mar  1 00:41:22.616: RADIUS:  Called-Station-Id   [30]  19  "00-13-1A-19-A4-05"

 

*Mar  1 00:41:22.616: RADIUS:  Calling-Station-Id  [31]  19  "F0-DE-F1-99-3E-92"

 

*Mar  1 00:41:22.616: RADIUS:  EAP-Message         [79]  23

*Mar  1 00:41:22.616: RADIUS:   02 01 00 15 01 72 61 64 69 40 72 64 64 6F 6D 2E

6C 6F 63 61 6C  [ radi@rddom.local]

*Mar  1 00:41:22.616: RADIUS:  Message-Authenticato[80]  18

*Mar  1 00:41:22.616: RADIUS:   9C C6 F9 32 58 E2 19 DA D7 40 B1 72 E0 64 B4 E0

            [ 2X@rd]

*Mar  1 00:41:22.616: RADIUS:  EAP-Key-Name        [102] 2   *

*Mar  1 00:41:22.616: RADIUS:  NAS-Port-Type       [61]  6   Ethernet

       [15]

*Mar  1 00:41:22.616: RADIUS:  NAS-Port            [5]   6   50105

 

*Mar  1 00:41:22.616: RADIUS:  NAS-Port-Id         [87]  22  "GigabitEthernet1/0

/5"

*Mar  1 00:41:22.625: RADIUS:  NAS-IP-Address      [4]   6   192.168.3.105

 

*Mar  1 00:41:22.625: RADIUS(00000010): Started 5 sec timeout

*Mar  1 00:41:22.625: RADIUS: Received from id 1645/11 192.168.3.45:1645, Access

-Challenge, len 90

*Mar  1 00:41:22.625: RADIUS:  authenticator E1 97 65 6E 8C B0 EC D7 - AD 3B 8A

C0 70 A4 97 59

*Mar  1 00:41:22.625: RADIUS:  Session-Timeout     [27]  6   30

 

*Mar  1 00:41:22.625: RADIUS:  EAP-Message         [79]  8

*Mar  1 00:41:22.625: RADIUS:   01 02 00 06 19 20                 [  ]

*Mar  1 00:41:22.625: RADIUS:  State               [24]  38

*Mar  1 00:41:22.633: RADIUS:   31 04 03 FC 00 00 01 37 00 01 02 00 C0 A8 03 2D

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 14 24 E6 81 89              [ 17-$]

 

*Mar  1 00:41:22.633: RADIUS:  Message-Authenticato[80]  18

*Mar  1 00:41:22.633: RADIUS:   E7 C8 85 34 1A A3 1B 87 81 F3 45 43 34 44 C9 FC

            [ 4EC4D]

*Mar  1 00:41:22.633: RADIUS(00000010): Received from id 1645/11

*Mar  1 00:41:22.633: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes

*Mar  1 00:41:22.633: dot1x-sm(Gi1/0/5): Posting EAP_REQ for 0xD2000012

*Mar  1 00:41:22.633:     dot1x_auth_bend Gi1/0/5: during state auth_bend_respon

se, got event 7(eapReq)

*Mar  1 00:41:22.633: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_response -> auth_be

nd_request

*Mar  1 00:41:22.633: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_response_exit call

ed

*Mar  1 00:41:22.633: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_request_enter call

ed

*Mar  1 00:41:22.633: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE addre

ss

*Mar  1 00:41:22.633: dot1x-ev(Gi1/0/5): Role determination not required

*Mar  1 00:41:22.633: dot1x-registry:registry:dot1x_ether_macaddr called

*Mar  1 00:41:22.633: dot1x-ev(Gi1/0/5): Sending out EAPOL packet

*Mar  1 00:41:22.633: EAPOL pak dump Tx

*Mar  1 00:41:22.633: EAPOL Version: 0x3  type: 0x0  length: 0x0006

*Mar  1 00:41:22.633: EAP code: 0x1  id: 0x2  length: 0x0006 type: 0x19

*Mar  1 00:41:22.633: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0xD2000

012 (f0de.f199.3e92)

*Mar  1 00:41:22.633: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_response_request_a

ction called

*Mar  1 00:41:22.642: dot1x-ev(Gi1/0/5): Role determination not required

*Mar  1 00:41:22.642: dot1x-packet(Gi1/0/5): Queuing an EAPOL pkt on Authenticat

or Q

*Mar  1 00:41:22.642: dot1x-ev:Enqueued the eapol packet to the global authentic

ator queue

*Mar  1 00:41:22.642: EAPOL pak dump rx

*Mar  1 00:41:22.642: EAPOL Version: 0x1  type: 0x0  length: 0x0069

*Mar  1 00:41:22.642: dot1x-ev:

dot1x_auth_queue_event: Int Gi1/0/5 CODE= 2,TYPE= 25,LEN= 105

 

*Mar  1 00:41:22.642: dot1x-packet(Gi1/0/5): Received an EAPOL frame

*Mar  1 00:41:22.642: dot1x-ev(Gi1/0/5): Received pkt saddr =f0de.f199.3e92 , da

ddr = 0180.c200.0003,

                    pae-ether-type = 888e.0100.0069

*Mar  1 00:41:22.642: dot1x-packet(Gi1/0/5): Received an EAP packet

*Mar  1 00:41:22.642: EAPOL pak dump rx

*Mar  1 00:41:22.642: EAPOL Version: 0x1  type: 0x0  length: 0x0069

*Mar  1 00:41:22.642: dot1x-packet(Gi1/0/5): Received an EAP packet from f0de.f1

99.3e92

*Mar  1 00:41:22.642: dot1x-sm(Gi1/0/5): Posting EAPOL_EAP for 0xD2000012

*Mar  1 00:41:22.642:     dot1x_auth_bend Gi1/0/5: during state auth_bend_reques

t, got event 6(eapolEap)

*Mar  1 00:41:22.642: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_ben

d_response

*Mar  1 00:41:22.642: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_response_enter cal

led

*Mar  1 00:41:22.642: dot1x-ev(Gi1/0/5): dot1x_sendRespToServer: Response sent t

o the server from 0xD2000012 (f0de.f199.3e92)

*Mar  1 00:41:22.642: dot1x-sm(Gi1/0/5): 0xD2000012:auth_bend_request_response_a

ction called

*Mar  1 00:41:22.642: RADIUS/ENCODE(00000010):Orig. component type = DOT1X

*Mar  1 00:41:22.642: RADIUS:  AAA Unsupported Attr: audit-session-id  [607] 24

 

*Mar  1 00:41:22.642: RADIUS:   43 30 41 38 30 33 36 39 30 30 30 30 30 30 30 44

 [C0A803690000000D]

*Mar  1 00:41:22.642: RADIUS:   30 30 32 35 37 37            [ 002577]

*Mar  1 00:41:22.642: RADIUS:  AAA Unsupported Attr: interface         [171] 20

 

*Mar  1 00:41:22.642: RADIUS:   47 69 67 61 62 69 74 45 74 68 65 72 6E 65 74 31

 [GigabitEthernet1]

*Mar  1 00:41:22.642: RADIUS:   2F 30                [ /0]

*Mar  1 00:41:22.642: RADIUS(00000010): Config NAS IP: 0.0.0.0

*Mar  1 00:41:22.642: RADIUS/ENCODE(00000010): acct_session_id: 15

*Mar  1 00:41:22.642: RADIUS(00000010): sending

*Mar  1 00:41:22.642: RADIUS/ENCODE: Best Local IP-Address 192.168.3.105 for Rad

ius-Server 192.168.3.45

*Mar  1 00:41:22.642: RADIUS(00000010): Send Access-Request to 192.168.3.45:1645

 id 1645/12, len 293

*Mar  1 00:41:22.642: RADIUS:  authenticator 33 1B 66 30 3D 78 EA 20 - FF 66 CC

09 64 FC 32 2D

*Mar  1 00:41:22.642: RADIUS:  User-Name           [1]   18  "radi@rddom.local"

*Mar  1 00:41:22.642: RADIUS:  Service-Type        [6]   6   Framed

       [2]

*Mar  1 00:41:22.642: RADIUS:  Framed-MTU          [12]  6   2100

 

*Mar  1 00:41:22.642: RADIUS:  Called-Station-Id   [30]  19  "00-13-1A-19-A4-05"

 

*Mar  1 00:41:22.642: RADIUS:  Calling-Station-Id  [31]  19  "F0-DE-F1-99-3E-92"

 

*Mar  1 00:41:22.642: RADIUS:  EAP-Message         [79]  107

*Mar  1 00:41:22.650: RADIUS:   02 02 00 69 19 80 00 00 00 5F 16 03 01 00 5A 01

00 00 56 03 01 56 71 73 25 E2 9D 97 EF 15 C6 5F DF 47 ED A4 48 59 EA DC 27 C1 E9

 98 2E 56 67  [i_ZVVqs?_GHY'.Vg]

*Mar  1 00:41:22.650: RADIUS:   28 75 46 D9 E5 3F 00 00 18 00 2F 00 35 00 05 00

0A C0 13 C0 14 C0 09 C0 0A 00 32 00 38 00 13 00 04 01 00 00 15 FF 01 00 01 00 00

 0A 00 06 00 04 00 17 00 18 00 0B 00 02 01 00          [ (uF?/528]

*Mar  1 00:41:22.650: RADIUS:  Message-Authenticato[80]  18

*Mar  1 00:41:22.650: RADIUS:   38 7D 6F 47 77 F7 57 CE B9 56 FA 56 42 95 5A D7

       [ 8}oGwWVVBZ]

*Mar  1 00:41:22.650: RADIUS:  EAP-Key-Name        [102] 2   *

*Mar  1 00:41:22.650: RADIUS:  NAS-Port-Type       [61]  6   Ethernet

       [15]

*Mar  1 00:41:22.650: RADIUS:  NAS-Port            [5]   6   50105

 

*Mar  1 00:41:22.650: RADIUS:  NAS-Port-Id         [87]  22  "GigabitEthernet1/0

/5"

*Mar  1 00:41:22.650: RADIUS:  State               [24]  38

*Mar  1 00:41:22.650: RADIUS:   31 04 03 FC 00 00 01 37 00 01 02 00 C0 A8 03 2D

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 14 24 E6 81 89              [ 17-$]

 

*Mar  1 00:41:22.650: RADIUS:  NAS-IP-Address      [4]   6   192.168.3.105

 

*Mar  1 00:41:22.650: RADIUS(00000010): Started 5 sec timeout

*Mar  1 00:41:22.650: RADIUS: Received from id 1645/12 192.168.3.45:1645, Access

-Challenge, len 2144

*Mar  1 00:41:22.650: RADIUS:  authenticator 98 45 1D 3A 58 A2 B5 18 - 89 C7 34

A4 4F 7C A9 58

*Mar  1 00:41:22.650: RADIUS:  Session-Timeout     [27]  6   30

 

*Mar  1 00:41:22.650: RADIUS:  EAP-Message         [79]  255

*Mar  1 00:41:22.658: RADIUS:   01 03 07 FC 19 C0 00 00 08 B7 16 03 01 08 B2 02

00 00 46 03 01 56 71 73 1E E2 1E 14 09 AB 6C 9E 4F 2C 94 4F A0 87 26 46 0A 8C 9A

 70 65 2D 1B 96 20 7C A5 33  [FVqslO,O&Fpe- |3]

*Mar  1 00:41:22.658: RADIUS:   A4 20 6D 1D 00 00 B3 0E 00 0E 26 D5 0F 4B C4 64

B5 E8 90 A3 45 5E 10 F0 21 CA 9C 03 65 62 7B F5 F4 30 00 2F 00 0B 00 05 E6 00 05

 E3 00 05 E0 30 82 05 DC 30 82 04 C4 A0 03 02 01 02 02 0A 61  [ m&KdE^!eb{0/00a]

 

*Mar  1 00:41:22.658: RADIUS:   69 D7 2E 00 00 00 00 00 02 30 0D 06 09 2A 86 48

86 F7 0D 01 01 05 05 00 30 48 31 15 30 13 06 0A 09 92 26 89 93 F2 2C 64 01 19 16

 05 6C 6F 63 61  [i.0*H0H10&,dloca]

*Mar  1 00:41:22.658: RADIUS:   6C 31 15 30 13 06 0A 09 92 26 89 93 F2 2C 64 01

19 16 05 72 64 64 6F 6D 31 18 30 16 06 03 55 04 03 13 0F 72 64  [l10&,drddom10Ur

d]

*Mar  1 00:41:22.658: RADIUS:   64 6F 6D 2D 57 49 4E 53 52 56 2D 43 41 30 1E 17

0D 31 35  [dom-WINSRV-CA015]

*Mar  1 00:41:22.658: RADIUS:   31 32 31 35 30 36 35 37 32 34 5A 17 0D 31 36 31

32 31  [1215065724Z16121]

*Mar  1 00:41:22.658: RADIUS:   34 30 36 35 37 32 34 5A 30 1D 31 1B 30 19 06 03

      [ 4065724Z010]

*Mar  1 00:41:22.658: RADIUS:  EAP-Message         [79]  255

*Mar  1 00:41:22.658: RADIUS:   55 04 03 13 12 57 49 4E 53 52 56 2E 72 64 64 6F

6D 2E 6C 6F  [UWINSRV.rddom.lo]

*Mar  1 00:41:22.658: RADIUS:   63 61 6C 30 82 01 22 30 0D 06 09 2A 86 48 86 F7

0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 00 D5 F7 12 AC F1 2D 8A

 6A CD C8 6B 94 17 6D 50 91 9C A3 24 FB BC 50  [cal0"0*H0-jkmP$P]

*Mar  1 00:41:22.658: RADIUS:   4A B9 96 0C CF 4B C9 4B AF EA BB 5B C9 CF 3A D3

7C 87 C1 CA 4D 53 AE 5F 83 23 0F 4C EF 21 0E 01 A2 74 8F 57 78 B5 9D B4 34  [JKK

[:|MS_#L!tWx4]

*Mar  1 00:41:22.658: RADIUS:   1A 8B 30 56 AA EF ED 85 FA B3 41 EA 5B 86 36 EF

30 3F C4 53 9E 75 5E 02 07 DE F6 19 4E 22 8A A4 C3 74 66 3F E3 0E 47  [0VA[60?Su

^N"tf?G]

*Mar  1 00:41:22.658: RADIUS:   10 3F B5 F6 F9 03 87 F1 56 AA 02 2D C3 BD 2D 60

66 E6 54 A2 72 B2 48 E2 9F 54 29 AD AF E4 2D EF 1D CE D1 7E 4D 35 25  [?V--`fTrH

T)-~M5?]

*Mar  1 00:41:22.667: RADIUS:   0B F0 5A 20 9B AB 6D 2A A7 FD B6 43 49 C1 3E 88

61 59 D8 73 61 DC 09 77 BA AC 48 A3 B6 E0 8A EB E0 55 42 B7 6C  [Z m*CI>aYsawHUB

l]

*Mar  1 00:41:22.667: RADIUS:   8D 3B 2D 9A 9F 00 C2 2C 03 69 DE CF 13 0B 7E 07

7C 37 20          [ ;-,i~|7 ]

*Mar  1 00:41:22.667: RADIUS:  EAP-Message         [79]  255

*Mar  1 00:41:22.667: RADIUS:   95 C3 4C EA AF D9 33 B0 15 A1 29 D6 A6 A7 37 D4

B4 05 78 29 EF 01 39 FB 7C B7 0F 45 16 36 70 18 0B 8B B5 35 A8 75 01 65 D1 6A C8

 86 89 D5 92 2F  [L3)7x)9|E6p5uej/]

*Mar  1 00:41:22.667: RADIUS:   70 E8 15 5D F4 FB 97 80 12 4F 3F 02 03 01 00 01

A3 82 02 F1 30 82 02 ED 30 2F 06 09 2B 06 01 04 01 82 37 14 02 04 22 1E 20 00 44

 00 6F 00 6D 00 61 00 69  [p]O?00/+7" Domai]

*Mar  1 00:41:22.667: RADIUS:   00 6E 00 43 00 6F 00 6E 00 74 00 72 00 6F 00 6C

00 6C 00 65 00 72 30 1D 06 03 55 1D 25 04 16 30 14 06 08 2B  [nController0U?0+]

*Mar  1 00:41:22.667: RADIUS:   06 01 05 05 07 03 02 06 08 2B 06 01 05 05 07 03

01 30 0E 06 03 55 1D 0F 01 01 FF 04 04 03 02 05 A0 30 78 06 09 2A 86 48 86 F7 0D

 01 09 0F 04 6B 30 69 30 0E 06 08 2A 86 48 86 F7 0D 03 02 02 02 00 80 30 0E 06 0

8 2A 86 48  [+0U0x*Hk0i0*H0*H]

*Mar  1 00:41:22.667: RADIUS:   86 F7 0D 03 04 02 02 00 80 30 0B 06 09 60 86 48

01 65 03 04 01 2A 30 0B 06 09 60 86 48 01 65 03 04 01 2D 30 0B 06 09 60 86 48 01

 65 03    [ 0`He*0`He-0`He]

*Mar  1 00:41:22.667: RADIUS:  EAP-Message         [79]  255

*Mar  1 00:41:22.667: RADIUS:   04 01 02 30 0B 06 09 60 86 48 01 65 03 04 01 05

30 07 06 05 2B 0E 03 02 07 30 0A 06 08 2A 86 48 86 F7 0D 03 07 30 1D 06 03 55 1D

 0E 04 16 04 14 7B 13 05 77 EE 88 33 FE EF 5A 5A  [0`He0+0*H0U{w3ZZ]

*Mar  1 00:41:22.667: RADIUS:   CF AF 9B C3 53 64 87 35 7B 30 1F 06 03 55 1D 23

04 18 30 16 80 14 66 71 E8 82 66 90 B7 CD A8 11 EF E8 9C 05 95 0D 1C 42 84 4D 30

 81 CC 06 03 55 1D 1F 04 81 C4 30  [Sd5{0U#0fqfBM0U0]

*Mar  1 00:41:22.675: RADIUS:   81 C1 30 81 BE A0 81 BB A0 81 B8 86 81 B5 6C 64

61 70 3A 2F 2F 2F 43 4E 3D 72 64 64 6F  [0ldap:///CN=rddo]

*Mar  1 00:41:22.675: RADIUS:   6D 2D 57 49 4E 53 52 56 2D 43 41 2C 43 4E 3D 57

 [m-WINSRV-CA,CN=W]

*Mar  1 00:41:22.675: RADIUS:   49 4E 53 52 56 2C 43 4E 3D 43 44 50 2C 43 4E 3D

 [INSRV,CN=CDP,CN=]

*Mar  1 00:41:22.675: RADIUS:   50 75 62 6C 69 63 25 32 30 4B 65 79 25 32 30 53

 [Public?20Key?20S]

*Mar  1 00:41:22.675: RADIUS:   65 72 76 69 63 65 73 2C 43 4E 3D 53 65 72 76 69

 [ervices,CN=Servi]

*Mar  1 00:41:22.675: RADIUS:   63 65 73 2C 43 4E 3D 43 6F 6E 66 69 67 75 72 61

 [ces,CN=Configura]

*Mar  1 00:41:22.675: RADIUS:   74 69 6F 6E 2C 44 43 3D 72 64 64 6F 6D 2C 44 43

 [tion,DC=rddom,DC]

*Mar  1 00:41:22.675: RADIUS:   3D 6C 6F 63 61 6C 3F 63 65 72 74 69 66 69 63   [

 =local?certific]

*Mar  1 00:41:22.675: RADIUS:  EAP-Message         [79]  255

*Mar  1 00:41:22.675: RADIUS:   61 74 65 52 65 76 6F 63 61 74 69 6F 6E 4C 69 73

 [ateRevocationLis]

*Mar  1 00:41:22.675: RADIUS:   74 3F 62 61 73 65 3F 6F 62 6A 65 63 74 43 6C 61

 [t?base?objectCla]

*Mar  1 00:41:22.675: RADIUS:   73 73 3D 63 52 4C 44 69 73 74 72 69 62 75 74 69

 [ss=cRLDistributi]

*Mar  1 00:41:22.675: RADIUS:   6F 6E 50 6F 69 6E 74 30 81 C1 06 08 2B 06 01 05

05 07 01 01 04 81 B4 30 81 B1 30 81 AE 06 08 2B 06 01 05 05 07 30 02 86 81 A1 6C

 64 61  [onPoint0+00+0lda]

*Mar  1 00:41:22.675: RADIUS:   70 3A 2F 2F 2F 43 4E 3D 72 64 64 6F 6D 2D 57 49

 [p:///CN=rddom-WI]

*Mar  1 00:41:22.675: RADIUS:   4E 53 52 56 2D 43 41 2C 43 4E 3D 41 49 41 2C 43

 [NSRV-CA,CN=AIA,C]

*Mar  1 00:41:22.675: RADIUS:   4E 3D 50 75 62 6C 69 63 25 32 30 4B 65 79 25 32

 [N=Public?20Key?2]

*Mar  1 00:41:22.675: RADIUS:   30 53 65 72 76 69 63 65 73 2C 43 4E 3D 53 65 72

 [0Services,CN=Ser]

*Mar  1 00:41:22.675: RADIUS:   76 69 63 65 73 2C 43 4E 3D 43 6F 6E 66 69 67 75

 [vices,CN=Configu]

*Mar  1 00:41:22.675: RADIUS:   72 61 74 69 6F 6E 2C 44 43 3D 72 64 64 6F 6D 2C

 [ration,DC=rddom,]

*Mar  1 00:41:22.675: RADIUS:   44 43 3D 6C 6F 63 61 6C 3F 63 41 43 65 72 74 69

 [DC=local?cACerti]

*Mar  1 00:41:22.675: RADIUS:   66 69 63 61 74 65 3F 62 61 73 65 3F 6F 62 6A 65

 [ficate?base?obje]

*Mar  1 00:41:22.675: RADIUS:   63 74 43 6C 61 73 73 3D 63 65 72 74 69 66 69 63

 [ctClass=certific]

*Mar  1

Hi,

It is strange NPS does not show any logs since from the debugs collected, we can see it is responding with "Access-challenge" after "Access-requests" are being sent.

The debug output attach does not contain full authentication thread, you might need to log the session on ".txt" file to see how it ends up.

Regards,

Hello,

   sorry i was busy in some other tasks that's why i couldn't test this scenario but it has suddenly become on top priority and i have to configure this as soon as possible.

i am getting the below logs now on NPS server:

Network Policy Server denied access to a user.

Reason Code: 49
Reason: The RADIUS request did not match any configured connection request policy (CRP).

OR

Reason Code: 48
Reason: The connection request did not match any configured network policy.

i have done so many different settings/configuration but this thing is not working i don't understand whats happening.

Thanks.

Hi,

It is giving you a good sing that issue is on NPS server configuration, looks like on policies configured on it.

At this point, I think you might need to engage some Microsoft support to see what is wrong with the policies.

Hello,

finally, i am able to authenticate windows 7 clients with server 2008 R2 NPS. 

thanks for all the support.

below is the URL that helped me in the scenario, for people who are stuck this link is very useful:

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-config-000.html

if you still face authentication issues, please add framed-mtu =1434 value

Thanks.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: