802.1x lab not working / edge switch won't send authentication request

jsblach (Level 1)

I have set up this very basic lab with GNS3 in which there's an IOU L2 switch as edge device, an IOU L2 switch as router and an ISE VM.

The running config of the edge is attached. If I use the test aaa command the connection to ISE seems to work, but when I bring up a port the switch doesn't even seem to bother to send authentication requests to ISE. debug radius auth and debug aaa auth don't produce any output.

Am I missing something?

Thank you, people.

dot1x system-auth-control 

This is needed.

Thank you for your answer, but this command is present in the config:

aaa authentication dot1x default group dynamic-author
aaa authorization network default group dynamic-author
aaa accounting dot1x default start-stop group dynamic-author
!
!
!
!
!
aaa server radius dynamic-author
 client 192.168.108.159 server-key pensi

Yes, I see the previous command; it was there.

Now, double-checking: you need to specify the RADIUS server group name in the aaa command.

Check and share the results.

That command "aaa server radius dynamic-author" defines the CoA (Change of Authorisation) server, not the server(s) to be used for AAA. The example @Dustin Anderson provided is correct for the AAA server group.

As MHM stated, you are declaring to use a group named radius, but you don't create or add a server into it.


aaa authentication dot1x default group radius
aaa authorization network default group radius 
aaa accounting dot1x default start-stop group radius
!
!
!
!
!
aaa server radius dynamic-author
 client 192.168.108.159 server-key pensi

Here is an example of our default config for switches and how we declare the groups, for reference.


radius server ISE1
address ipv4 10.10.130.1 auth-port 1812 acct-port 1813
key 0 <<VARIABLE> - 64 alpha numeric radius on ISE>
timeout 4
retransmit 2
exit

radius server ISE2
address ipv4 10.10.135.1 auth-port 1812 acct-port 1813
key 0 <<VARIABLE> - 64 alpha numeric radius on ISE>
timeout 4
retransmit 2
exit

aaa group server radius ISERadius
server name ISE1
server name ISE2
exit


aaa authentication dot1x default group ISERadius
aaa accounting dot1x default start-stop group ISERadius
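An added example, not written by any poster in this thread: a small Python audit that reads an IOS-style running config as text and flags the three problems discussed above (a method list pointing at a name that is only an `aaa server radius` CoA definition or is otherwise undefined, no RADIUS host configured at all, and a missing `dot1x system-auth-control`). The two config samples are constructed from the snippets in this thread, `REPLACE_ME` stands in for the shared key, and the regexes assume the `radius server NAME` or legacy `radius-server host` syntax.

```python
import re

# Constructed from the original poster's snippet: the method lists name a group
# "dynamic-author" that exists only as the CoA client definition.
BROKEN_CONFIG = """\
aaa authentication dot1x default group dynamic-author
aaa authorization network default group dynamic-author
aaa accounting dot1x default start-stop group dynamic-author
aaa server radius dynamic-author
 client 192.168.108.159 server-key pensi
"""

# Constructed after the reference config posted above (key is a placeholder).
FIXED_CONFIG = """\
radius server ISE1
 address ipv4 10.10.130.1 auth-port 1812 acct-port 1813
 key 0 REPLACE_ME
aaa group server radius ISERadius
 server name ISE1
aaa authentication dot1x default group ISERadius
aaa accounting dot1x default start-stop group ISERadius
aaa server radius dynamic-author
 client 192.168.108.159 server-key pensi
dot1x system-auth-control
"""

# "radius" and "tacacs+" are implicit groups containing every configured server.
BUILTIN_GROUPS = {"radius", "tacacs+"}
METHOD_LIST = r"^aaa (?:authentication dot1x|authorization network|accounting dot1x) \S+ .*?group (\S+)"

def audit_dot1x_aaa(config: str) -> list[str]:
    """Return findings for the 802.1X AAA plumbing the thread discusses."""
    lines = {line.strip() for line in config.splitlines()}
    referenced = set(re.findall(METHOD_LIST, config, re.M))
    groups = set(re.findall(r"^aaa group server radius (\S+)", config, re.M))
    coa_servers = set(re.findall(r"^aaa server radius (\S+)", config, re.M))
    has_host = re.search(r"^(?:radius server|radius-server host) \S+", config, re.M)
    findings = []
    if "dot1x system-auth-control" not in lines:
        findings.append("dot1x system-auth-control is missing; 802.1X is globally disabled")
    for name in sorted(referenced - BUILTIN_GROUPS - groups):
        if name in coa_servers:
            findings.append(f"group {name!r} is only a CoA (aaa server radius) definition, not an AAA server group")
        else:
            findings.append(f"group {name!r} is referenced by a method list but never defined")
    if not has_host:
        findings.append("no radius server / radius-server host defined, so every group (including the built-in 'radius') is empty")
    return findings
```

Running `audit_dot1x_aaa` on the broken sample returns three findings; on the fixed sample it returns an empty list.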

jsblach (Level 1)

Hi, thank you for your replies!

As far as I understand, the group "radius" is the internal group for all configured RADIUS hosts. Am I wrong?

[attachment: jsblach_0-1682615275804.png]

I will try to configure a different group. But as I stated, the test aaa command is successful.


jsblach (Level 1)

I tried configuring a separate group, but with the same result.

Sorry, I see your new attachment config NOW.

It's correct, so what is the issue with dot1x?

Can I see 

Show interface authentication 

@jsblach you are correct, it would work using "radius", as it would attempt to use any configured RADIUS server. Whereas if you defined an AAA group and referenced that in the method list, it would only use the RADIUS servers specified in the defined group.

Is 802.1X actually supported on that IOU L2 image?

With an endpoint connected run "show dot1x interface Ethernet 0/0 det" - what is the output?

Yeah, this seems to be the problem. I looked it up and specifically MAB is broken on IOU L2. dot1x works. I first tried MAB and didn't look further.

jsblach (Level 1)

There is some kind of workaround.

You can make an access list:

ip access-list extended DHCP_ONLY
permit udp any any eq 67
permit udp any any eq 68
deny ip any any

and configure the interface like this:

ip access-group DHCP_ONLY in
authentication open

Better than nothing.