04-27-2023 04:09 AM
I have set up this very basic lab with gns3 in which there's an ioul2 switch as edge device, an ioul2 switch as router and an ise vm
the running conf of the edge is attached. if i use the test aaa command the connection to ise seems to work, but when i bring up a port the switch doesn't even seem to bother to send authentication requests to ise. debug radius auth and debug aaa auth don't produce any output.
am i missing something?
thank you people
04-27-2023 05:08 AM
dot1x system-auth-control
This is needed.
04-27-2023 07:40 AM
thank you for your answer, but this command is present in the config
04-27-2023 09:18 AM
aaa authentication dot1x default group dynamic-author
aaa authorization network default group dynamic-author
aaa accounting dot1x default start-stop group dynamic-author
!
!
!
!
!
aaa server radius dynamic-author
client 192.168.108.159 server-key pensi
Yes, I see the previous command was there.
Now I have double-checked: you need to specify the radius server group name with the aaa command.
Check and share results
04-27-2023 10:37 AM - edited 04-27-2023 10:38 AM
That command "aaa server radius dynamic-author" defines the CoA (Change of Authorisation) server, not the server(s) to be used for AAA. The example @Dustin Anderson provided is correct for the AAA server group.
04-27-2023 09:40 AM - edited 04-27-2023 09:41 AM
As MHM stated, you are declaring to use a group named radius, but you don't create or add a server into it.
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
!
!
!
!
aaa server radius dynamic-author
client 192.168.108.159 server-key pensi
Here is an example of our default config for switches and how we declare the groups for reference.
radius server ISE1
address ipv4 10.10.130.1 auth-port 1812 acct-port 1813
key 0 <<VARIABLE> - 64 alpha numeric radius on ISE>
timeout 4
retransmit 2
exit
radius server ISE2
address ipv4 10.10.135.1 auth-port 1812 acct-port 1813
key 0 <<VARIABLE> - 64 alpha numeric radius on ISE>
timeout 4
retransmit 2
exit
aaa group server radius ISERadius
server name ISE1
server name ISE2
exit
aaa authentication dot1x default group ISERadius
aaa accounting dot1x default start-stop group ISERadius
04-27-2023 10:08 AM
hi, thank you for your replies!
as far as i understand, the group "radius" is the internal group for all configured radius hosts. am i wrong?
i will try to configure a different group. but as i stated, the test aaa command is successful.
04-27-2023 10:19 AM
04-27-2023 10:32 AM - edited 04-27-2023 01:58 PM
Sorry, I see your new attached config now.
It is correct, so what is the issue with dot1x?
Can I see
Show interface authentication
04-27-2023 10:38 AM
@jsblach you are correct it would work using "radius", as it would attempt to use any configured RADIUS server. Whereas if you defined an AAA group and referenced that in the method list, it would only use the RADIUS servers specified in the defined group.
Is 802.1X actually supported on that IOU L2 image?
With an endpoint connected run "show dot1x interface Ethernet 0/0 det" - what is the output?
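The group-resolution rules discussed in the replies above, as an added example (not written by any poster in this thread and not Cisco tooling): a small Python audit that checks whether each AAA method list points at a group that resolves to a configured RADIUS server. The function name `audit_aaa`, the reason codes and both sample configs are assumptions constructed for illustration; legacy `radius-server host` lines are not parsed.

```python
import re

# Constructed sample: method lists as quoted in the thread, naming the CoA keyword as a group.
BROKEN = """\
aaa authentication dot1x default group dynamic-author
aaa authorization network default group dynamic-author
aaa accounting dot1x default start-stop group dynamic-author
aaa server radius dynamic-author
client 192.168.108.159 server-key EXAMPLE-KEY
"""

# Constructed sample modelled on the reference config in the thread (key is a placeholder).
GOOD = """\
radius server ISE1
address ipv4 10.10.130.1 auth-port 1812 acct-port 1813
key 0 EXAMPLE-KEY
aaa group server radius ISERadius
server name ISE1
aaa authentication dot1x default group ISERadius
"""

def audit_aaa(config):
    """Return (method_list, group, reason) for every group that cannot reach a RADIUS server."""
    servers, groups, methods, current = set(), {}, [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"radius server (\S+)", line):
            servers.add(m.group(1))
        elif m := re.fullmatch(r"aaa group server radius (\S+)", line):
            current = m.group(1)
            groups[current] = []
        elif (m := re.fullmatch(r"server name (\S+)", line)) and current:
            groups[current].append(m.group(1))
        elif re.match(r"aaa (authentication|authorization|accounting) ", line):
            methods.append(line)
    findings = []
    for line in methods:
        for group in re.findall(r"\bgroup (\S+)", line):
            if group == "radius":      # built-in group: every configured RADIUS server
                reason = None if servers else "no-radius-servers"
            elif group in groups:      # named group: members must be defined servers
                unknown = [s for s in groups[group] if s not in servers]
                reason = "empty-group" if not groups[group] else ("unknown-server" if unknown else None)
            else:                      # covers 'dynamic-author', which configures CoA, not a group
                reason = None if group == "tacacs+" else "undefined-group"
            if reason:
                findings.append((line, group, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_aaa(BROKEN):
        print(finding)
```

A clean result only means the method lists resolve to a server; it says nothing about whether the image actually supports 802.1X or MAB on the port.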
04-27-2023 01:41 PM
yeah this seems to be the problem. i looked it up and specifically mab is broken on ioul2. dot1x works. i first tried mab and didn't look further.
04-28-2023 03:10 AM
there is some kind of workaround
you can make an access list
ip access-list extended DHCP_ONLY
permit udp any any eq 67
permit udp any any eq 68
deny ip any any
and configure the interface like this
ip access-group DHCP_ONLY in
authentication open
better than nothing