10-11-2012 12:05 PM - edited 03-10-2019 07:40 PM
Hi,
I am configuring 802.1X authentication on my access switches. The switches are WS-C3750G-24PS running C3750-IPBASEK9-M, Version 15.0(1)SE2, RELEASE SOFTWARE (fc3). The RADIUS server is an IAS server; in IAS there is a remote access policy with the Windows group of the users, and the attributes Service-Type (Framed), Tunnel-Medium-Type (802), Tunnel-Pvt-Group-ID (100) and Tunnel-Type (VLAN) were configured.
The configuration on a switch is as follows:
aaa new-model
aaa session-id common
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.168.11.28 key 7 093204802934802934123132132123
interface GigabitEthernet1/0/23
switchport mode access
authentication event fail retry 5 action authorize vlan 5
authentication event no-response action authorize vlan 5
authentication port-control auto
authentication periodic
authentication violation protect
dot1x pae authenticator
dot1x timeout quiet-period 300
dot1x timeout server-timeout 30
dot1x timeout tx-period 2
dot1x timeout supp-timeout 2
dot1x max-reauth-req 10
dot1x timeout held-period 300
spanning-tree portfast
end
I get these logs when I connect a workstation with 802.1X configured:
016569: *Mar 2 04:07:37: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/23, changed state to up
016570: *Mar 2 04:07:41: %DOT1X-5-FAIL: Authentication failed for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
016571: *Mar 2 04:07:41: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
016572: *Mar 2 04:07:41: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
016573: *Mar 2 04:08:09: %DOT1X-5-FAIL: Authentication failed for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
016574: *Mar 2 04:08:09: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
Other show commands:
Switch#show dot1x interface gigabitEthernet 1/0/23 detail
Dot1x Info for GigabitEthernet1/0/23
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
QuietPeriod = 5
ServerTimeout = 10
SuppTimeout = 2
ReAuthMax = 10
MaxReq = 2
TxPeriod = 2
Dot1x Authenticator Client List
-------------------------------
EAP Method = (0)
Supplicant = 2965.0a1d.3431
Session ID = C0A813FD000000CF060CE68E
Auth SM State = HELD
Auth BEND SM State = IDLE
Any idea?
Any suggestion?
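The log sequence quoted above (%DOT1X-5-FAIL, result 'timeout' from 'dot1x', then %DOT1X-5-RESULT_OVERRIDE) means the EAP exchange never completed and the port was authorized anyway by one of the configured fallback actions (`authentication event fail` / `no-response ... action authorize vlan 5`), so the RADIUS server never accepted or rejected the client. The script below is an added example, not part of the original post and not Cisco code: it parses such %DOT1X / %AUTHMGR syslog lines and flags ports whose client landed in the fallback VLAN without a server verdict. The six Gi1/0/23 lines are the ones quoted in the post; the two Gi1/0/24 lines and the MAC 0011.2233.4455 are constructed for contrast.

```python
"""Summarise Cisco IOS 802.1X syslog (%DOT1X / %AUTHMGR) per port and client MAC.

Added example for the thread above; not from the original post or from Cisco.
"""
import re
from collections import defaultdict

# Sample input: the six lines quoted in the post, plus two CONSTRUCTED lines
# for a second port that authenticated normally (contrast case).
SAMPLE_LOG = """\
016569: *Mar 2 04:07:37: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/23, changed state to up
016570: *Mar 2 04:07:41: %DOT1X-5-FAIL: Authentication failed for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
016571: *Mar 2 04:07:41: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
016572: *Mar 2 04:07:41: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
016573: *Mar 2 04:08:09: %DOT1X-5-FAIL: Authentication failed for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
016574: *Mar 2 04:08:09: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
016575: *Mar 2 04:08:30: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0011.2233.4455) on Interface Gi1/0/24 AuditSessionID C0A813FD000000D0060D0000
016576: *Mar 2 04:08:30: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0011.2233.4455) on Interface Gi1/0/24 AuditSessionID C0A813FD000000D0060D0000
"""

# "<seq>: *<timestamp>: %FACILITY-SEVERITY-MNEMONIC: <text>"
HEADER_RE = re.compile(
    r"^(?P<seq>\d+): \*?(?P<ts>[A-Za-z]{3}\s+\d+ \d\d:\d\d:\d\d): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$"
)
# Client MAC, port and audit session id as printed by DOT1X/AUTHMGR messages
CLIENT_RE = re.compile(
    r"client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+) "
    r"AuditSessionID (?P<sid>[0-9A-Fa-f]+)"
)
# Verdict carried by %AUTHMGR-7-RESULT: 'success', 'fail', 'timeout', ...
RESULT_RE = re.compile(r"Authentication result '(?P<result>\w+)' from '(?P<method>\w+)'")


def parse_line(line):
    """Return a dict for one IOS syslog line, or None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    c = CLIENT_RE.search(rec["text"])
    if c:
        rec.update(c.groupdict())
    r = RESULT_RE.search(rec["text"])
    if r:
        rec.update(r.groupdict())
    return rec


def summarize(log_text):
    """Group DOT1X/AUTHMGR events per (interface, client MAC)."""
    summary = defaultdict(
        lambda: {"fail": 0, "override": 0, "results": [], "sessions": set()}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or "mac" not in rec:
            continue  # link up/down and similar messages carry no client
        entry = summary[(rec["intf"], rec["mac"])]
        entry["sessions"].add(rec["sid"])
        if rec["mnem"] == "FAIL":
            entry["fail"] += 1
        elif rec["mnem"] == "RESULT_OVERRIDE":
            entry["override"] += 1
        elif rec["mnem"] == "RESULT":
            entry["results"].append(rec["result"])
    return dict(summary)


def find_fallback_sessions(log_text):
    """Clients whose only verdict was 'timeout' (no completed EAP exchange) yet
    whose result was overridden, i.e. the port was authorized into the
    configured fail/no-response VLAN without a RADIUS accept or reject."""
    findings = []
    for (intf, mac), e in summarize(log_text).items():
        if e["override"] and "timeout" in e["results"] and "success" not in e["results"]:
            findings.append({
                "interface": intf,
                "mac": mac,
                "timeouts": e["results"].count("timeout"),
                "overrides": e["override"],
            })
    return findings


if __name__ == "__main__":
    for f in find_fallback_sessions(SAMPLE_LOG):
        print(f"{f['interface']} {f['mac']}: {f['timeouts']} timeout(s), "
              f"{f['overrides']} override(s) -> client is in the fallback VLAN; "
              f"check supplicant and RADIUS reachability")
```

The distinction the script keys on is the result word: 'timeout' means neither the supplicant nor the RADIUS server completed the EAP conversation within the configured timers (tx-period, supp-timeout, server-timeout), whereas 'fail' means the server actually returned an Access-Reject. A client that ends up authorized after a 'timeout' is running in the fallback VLAN with no server decision behind it, which is worth alerting on separately from ordinary rejects.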
10-24-2012 11:37 PM
Hi Matthew,
Please let me know which EAP method you are using (e.g. PEAP with EAP-MSCHAPv2).
The backend RADIUS server logs should have a hint on why the 802.1X authentication failed.
If you are using PEAP with EAP-MSCHAPv2,
1) Make sure the certificate on the RADIUS server is fine.
2) Check the config in the RADIUS server (regarding which EAP methods are allowed) and check the settings in the supplicant.
3) Make sure that the CA certificate of the RADIUS server is trusted in the supplicant.
4) Check the RADIUS server logs and the logs should give a hint regarding the issue.
If needed, create a case with the respective RADIUS server vendor's TAC.
Regards,
Karthik Chandran
10-31-2012 05:58 AM
What do you see on the RADIUS server under Reports and Activity > Failed Attempts? Is it EAP-TLS or PEAP authentication failing due to the CA, or the EAP-PEAP type not being configured?