3082 Views | 0 Helpful | 7 Replies

802.1x on nexus 9000

netspazz
Level 1

I am currently configuring a simple 802.1x POC on a Nexus 9K switch. The supplicant is a Windows 10 machine and the authentication server is a Windows Server 2016 running AD and NPS. I have everything working with another Cisco L2/L3 switch but cannot get this working with the 9K. Not sure if there is something that needs to be tweaked. I enabled AAA login to the RADIUS server to make sure the RADIUS portion is working, and it does authenticate. Below is my config and some show commands to verify everything is set up.

I think it has something to do with my RADIUS setup. When I turn dot1x debug on I see a lot of traffic between the Windows 10 client and the switch, EAP and EAPoL messages. Turning on RADIUS debug I don't see any traffic going to the authentication server, just the below messages. (192.168.0.225 is my NPS (RADIUS) box.)

 

Any ideas would be great; it looks like this should be a simple couple of lines to enable.


#### Debug radius ####

2020 Dec 16 17:20:20.818174 radius: Calling radius_request_id_cleanup. Ticks elapsed = 51
2020 Dec 16 17:20:36.825943 radius: refreshing res_list
2020 Dec 16 17:20:36.826132 radius: Entering : refresh_dns_cache : Line : 616
2020 Dec 16 17:20:36.826165 radius: SKIPPING 192.168.0.225:1812:1 Timeout: 299 Cache timeout: 300
2020 Dec 16 17:20:36.826201 radius: Exiting: refresh_dns_cache , Line : 667
2020 Dec 16 17:21:11.884155 radius: Calling radius_request_id_cleanup. Ticks elapsed = 51

....... (later in the debug it does find the RADIUS server)

2020 Dec 16 17:25:35.389818 radius: Marking Server : 192.168.0.225:1812:1
2020 Dec 16 17:25:35.389838 radius: Server Found : 192.168.0.225:1812:1

#### Config ####
feature dot1x
dot1x system-auth-control
radius-server host 192.168.0.225 key 7 "fewhg" authentication accounting
aaa group server radius RAD
server 192.168.0.225
aaa authentication dot1x default group RAD

interface Ethernet1/4
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode single-host


#### Verify commands ####
switch# sh dot1x
Sysauthcontrol Enabled
Dot1x Protocol Version 2
Mac-Move Permit


switch# sh dot1x interface e1/4 details

Dot1x Info for Ethernet1/4
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
HostMode = SINGLE HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
InactivityPeriod = 0
Mac-Auth-Bypass = Disabled

Dot1x Authenticator Client List Empty

Port Status = UNAUTHORIZED


switch# sh radius-server
timeout value:5
retransmission count:1
deadtime value:0
source interface:any available
total number of servers:1

following RADIUS servers are configured:
192.168.0.225:
available for authentication on port: 1812
available for accounting on port: 1813
Radius shared secret:********
timeout:5
retries:1


switch# sh radius-server groups RAD
group RAD:
server: 192.168.0.225 on auth-port 1812, acct-port 1813
deadtime is 0
vrf is default
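The symptom described above is "EAP between client and switch, nothing reaching NPS". One way to separate the RADIUS leg from the dot1x leg is to send a RADIUS Access-Request from any host on the same segment and see what comes back. The following is an added example written for this thread, not code from the original post or from Cisco: it builds an Access-Request per RFC 2865 (User-Password hiding, NAS-IP-Address, NAS-Port), sends it over UDP, and verifies the Response Authenticator of the reply so that a reply which does not verify against the shared secret is reported as "forged" rather than trusted. The server address, secret, user name and password at the bottom are placeholders to replace with your lab's values; the self-test in this example never contacts a real server.

```python
"""RADIUS Access-Request probe (added example, RFC 2865). Placeholder server,
secret and credentials are used; nothing here talks to the NPS in the thread."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def encrypt_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding from RFC 2865 s5.2: pad to a 16-byte multiple, then
    XOR each block with MD5(secret + previous block); the first 'previous block'
    is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def tlv(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 byte), Length (1 byte, includes header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, user, password, secret, nas_ip, request_auth=None):
    """Return (packet, request_authenticator). The authenticator is random unless
    one is passed in, which the offline self-test does for determinism."""
    request_auth = request_auth or os.urandom(16)
    attrs = (tlv(USER_NAME, user.encode())
             + tlv(USER_PASSWORD, encrypt_password(password.encode(), secret, request_auth))
             + tlv(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + tlv(NAS_PORT, struct.pack("!I", 0)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def response_authenticator(code_id_len, request_auth, attrs, secret) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(code_id_len + request_auth + attrs + secret).digest()


def classify_reply(reply: bytes, ident: int, request_auth: bytes, secret: bytes) -> str:
    """Check a reply against the request it answers. A reply whose Response
    Authenticator does not verify is 'forged', never trusted; a shared-secret
    mismatch shows up here as 'forged' or as no reply at all."""
    if len(reply) < 20:
        return "malformed"
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length < 20 or length > len(reply):
        return "malformed"
    reply = reply[:length]  # octets beyond Length are padding (RFC 2865 s3)
    expected = response_authenticator(reply[:4], request_auth, reply[20:], secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return "forged"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, f"code-{code}")


def make_server_reply(code, ident, request_auth, secret, attrs=b"") -> bytes:
    """Build the reply a server would send; used only for offline self-testing."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(header, request_auth, attrs, secret) + attrs


def probe(server, secret, user, password, nas_ip, port=1812, timeout=3.0) -> str:
    """Send one Access-Request and classify the answer. 'timeout' is the
    server-side view of the thread's symptom: nothing ever arrives."""
    pkt, request_auth = build_access_request(7, user, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify_reply(reply, 7, request_auth, secret)


if __name__ == "__main__":
    # Placeholders (TEST-NET addresses and a dummy secret); substitute your lab values.
    print(probe("192.0.2.10", b"placeholder-secret", "labuser", "labpass", "192.0.2.1"))
```

If the probe returns "accept" or "reject" from the same segment the switch sits on, the server and secret are fine and the problem is the switch not emitting requests (the aaa/dot1x binding); "timeout" points at reachability, the NPS client definition, or a firewall; "forged" means the shared secret in the reply does not match the one used here.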

Accepted Solution

Greg Gibbs
Cisco Employee

Just to add a comment here... I'm not sure if it is worth the effort testing 802.1x on a Nexus switch. The Nexus platform is purpose built for the Data Centre where 802.1x is very rarely used (and most often discouraged). The DC should have strict physical access security so using 802.1x does not provide the same value as when used in an Enterprise environment. The Nexus platforms should also not be considered as a viable alternative to an Enterprise access switch.

While it may support some limited level of 802.1x, it would not provide the same level of feature support or be tested as aggressively as an Enterprise access switch (like the Catalyst 9000 series). Cisco does not even test or validate the compatibility of the Nexus family of switches against ISE, our own RADIUS server offering.

7 Replies

balaji.bandi
Hall of Fame

I was wondering why the below config shows VRF default? Can the switch reach the RADIUS server (ping)?

Do you see any logs from the Nexus on RADIUS?

switch# sh radius-server groups RAD
group RAD:
server: 192.168.0.225 on auth-port 1812, acct-port 1813
deadtime is 0
vrf is default

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Yes, I can ping the RADIUS server. The 9K has a default VRF, which is the main switch. You have to have at least one VRF, which is the default. I am using everything in the native VLAN 1 for testing; I think this should work.

balaji.bandi
Hall of Fame

OK, just want to clarify: do you have any other VRF? Do you see any logs on Windows NPS?

BB

I only have the default VRF. I do not see any logs hitting the NPS.

Here is my debug dot1x for errors and events:

2020 Dec 16 18:54:53.796224 dot1x: auth_mgr_ctx_set_method_state(504): Client 00:00:00:00:00:00, Initialising Method dot1x state to 'Not run'
2020 Dec 16 18:54:53.796256 dot1x: auth_mgr_ctx_update_runnable_methods(584): Adding method dot1x to runnable list for Auth Mgr context 0x1116FC84
2020 Dec 16 18:54:53.796286 dot1x: auth_mgr_method_tx_event(111): Sending START to dot1x (handle 0x1116FC84)
2020 Dec 16 18:54:53.796374 dot1x: dot1x_create_port_authenticator(1079): CFS: Clear the rmac_flag
2020 Dec 16 18:54:53.796417 dot1x: dot1x_auth_eap_new_client(209): Sending create new context event to EAP for 0x1116E3AC (00:00:00:00:00:00)
2020 Dec 16 18:54:53.796501 dot1x: dot1x_create_port_authenticator(1165): Created a client entry (0x1116E3AC)
2020 Dec 16 18:54:53.796531 dot1x: dot1x_auth_authmgr_callback(134): Dot1x authentication started for 0x1116E3AC (00:00:00:00:00:00)
2020 Dec 16 18:54:53.796558 dot1x: auth_mgr_ctx_send_meth_event_with_state(663): Received handle 0x1116E3AC from method
2020 Dec 16 18:54:53.796586 dot1x: auth_mgr_ctx_set_state(463): Client 00:00:00:00:00:00, Context changing state from 'Authz Failed' to 'Running'
2020 Dec 16 18:54:53.796614 dot1x: auth_mgr_ctx_set_method_state(513): Client 00:00:00:00:00:00, Method dot1x changing state from 'Not run' to 'Running'
2020 Dec 16 18:54:54.797706 dot1x: dot1x_txReq(268): dot1x_txReq: EAPOL pkt should be sent as multicast
2020 Dec 16 18:54:54.797839 dot1x: dot1x_mgr_send_eapol(1037): Ethernet1/4:Sending EAPOL packet to group PAE address
2020 Dec 16 18:54:54.797943 dot1x: dot1x_mgr_pre_process_eapol_pak(1387): Role determination not required
2020 Dec 16 18:54:54.798017 dot1x: dot1x_mgr_send_eapol(1086): dot1x_mgr_send_eapol: Sending out EAPOL packet on Ethernet1/4
2020 Dec 16 18:54:54.798459 dot1x: dot1x_find_auth_client(198): Couldn't find the supplicant in the list

I also need to make a note about my configuration, which could be the problem. I am testing in GNS3 with the 9K appliance using 9.3.3.bin. I know there could be issues with GNS3, so I am not sure if this has been proven to work in a simulated environment. It does work with another image, CiscoIOSvL2 (vios_l2-adventerprisek9-m.03.2017).

Could this be the issue? Does anyone use the 9K in GNS3? So far what I have found is that everything works just as on the physical hardware.
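The debug output in this thread is the raw material for the question "is the switch ever sending a RADIUS request?". The following is an added helper, not part of the original post: it parses NX-OS `debug dot1x` / `debug radius` lines into structured records (timestamp, process, function, source line, message), counts the events that matter here, and returns a verdict. The sample input is copied verbatim from the debug output posted in this thread; the `radius_tx` pattern is an assumption about what a transmitted Access-Request looks like in `debug radius` and is only a heuristic, which is why the verdict is phrased as what to check next rather than as a diagnosis.

```python
"""Triage NX-OS dot1x/radius debug output (added example, not from the thread)."""
import re
from collections import Counter
from datetime import datetime

# NX-OS debug line: "<YYYY Mon DD HH:MM:SS.ffffff> <process>: [<function>(<line>): ]<message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d+) (?P<proc>\w+): "
    r"(?:(?P<func>\w+)\((?P<fline>\d+)\): )?(?P<msg>.*)$"
)

# Message patterns mapped to event names. The first four are taken from the
# debug lines quoted in the thread; radius_tx is an ASSUMED pattern for a
# transmitted Access-Request and is only a heuristic.
EVENTS = [
    ("eapol_tx", re.compile(r"Sending (?:out )?EAPOL packet")),
    ("supplicant_missing", re.compile(r"Couldn't find the supplicant")),
    ("radius_server_skipped", re.compile(r"\bSKIPPING\b")),
    ("radius_server_found", re.compile(r"Server Found")),
    ("radius_tx", re.compile(r"Access-Request|sending request", re.I)),
]

# Sample input copied from the debug output posted in this thread.
SAMPLE = """\
2020 Dec 16 17:20:36.826165 radius: SKIPPING 192.168.0.225:1812:1 Timeout: 299 Cache timeout: 300
2020 Dec 16 17:25:35.389818 radius: Marking Server : 192.168.0.225:1812:1
2020 Dec 16 17:25:35.389838 radius: Server Found : 192.168.0.225:1812:1
2020 Dec 16 18:54:54.797706 dot1x: dot1x_txReq(268): dot1x_txReq: EAPOL pkt should be sent as multicast
2020 Dec 16 18:54:54.797839 dot1x: dot1x_mgr_send_eapol(1037): Ethernet1/4:Sending EAPOL packet to group PAE address
2020 Dec 16 18:54:54.797943 dot1x: dot1x_mgr_pre_process_eapol_pak(1387): Role determination not required
2020 Dec 16 18:54:54.798017 dot1x: dot1x_mgr_send_eapol(1086): dot1x_mgr_send_eapol: Sending out EAPOL packet on Ethernet1/4
2020 Dec 16 18:54:54.798459 dot1x: dot1x_find_auth_client(198): Couldn't find the supplicant in the list
"""


def parse_line(line: str):
    """Return a record dict for one debug line, or None if it is not a debug line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y %b %d %H:%M:%S.%f")
    rec["fline"] = int(rec["fline"]) if rec["fline"] else None
    rec["event"] = next((name for name, pat in EVENTS if pat.search(rec["msg"])), None)
    return rec


def triage(debug_text: str) -> dict:
    """Count lines per process and events of interest, then say what to check next."""
    recs = [r for r in map(parse_line, debug_text.splitlines()) if r]
    by_proc = Counter(r["proc"] for r in recs)
    events = Counter(r["event"] for r in recs if r["event"])
    if events["eapol_tx"] and not events["radius_tx"]:
        verdict = ("EAPOL sent but no RADIUS request logged: check that dot1x is bound "
                   "to the server group and that the server is reachable from the switch")
    elif events["radius_tx"]:
        verdict = "RADIUS requests leave the switch: check the server side (NPS logs, shared secret)"
    else:
        verdict = "no EAPOL activity: check the port configuration and the supplicant"
    span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds() if recs else 0.0
    return {"lines": len(recs), "span_seconds": span,
            "by_process": dict(by_proc), "events": dict(events), "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Feed it a longer capture (`debug dot1x all` plus `debug radius all` redirected to a file) and the per-process counts tell you at a glance whether the RADIUS process logged anything beyond its periodic cache refresh while EAPOL was being exchanged on the port.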

Here are the features supported, with this note:

The Cisco Nexus 9000v features in this table have been verified to operate only with the Cisco devices mentioned in this document.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/nx-osv/configuration/guide/b_Cisco_Nexus_9000v/b_Cisco_Nexus_9000v_chapter_011.html#concept_1C4584D8C8844076BF07A147D3F080AB

In the lab you can use the latest Iron IOL or vIOS to test dot1x.

Features supported on all platforms of Cisco devices (virtual, for labbing):

https://learningnetworkstore.cisco.com/virlfaq/features

BB
