802.1x with ACS 4.2 (RADIUS) problem

Hi all!

I am trying to configure AAA authentication and authorization with a Cisco 3725 (IOS 12.4(17)) for 802.1x and ACS 4.2 with VLAN assignment to my Windows XP client (trying to assign VLAN 100 in my scenario).

When the user connects to the router, it passes the authentication process (EAP-MD5). In my debug I see that the router receives the RADIUS attributes BUT does not apply anything!

My running config:

Building configuration...

Current configuration : 1736 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
aaa session-id common
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name lab.local
ip device tracking
!
dot1x system-auth-control
!
interface FastEthernet0/0
 ip address 10.10.0.253 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 dot1x port-control auto
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
mac-address-table static 0800.27b1.b332 interface FastEthernet1/0 vlan 1
!
!
!
radius-server host 10.10.0.2 auth-port 1645 acct-port 1646 key cisco
radius-server vsa send accounting
radius-server vsa send authentication

My Radius debug information:

*Mar  1 00:21:31.487: RADIUS: Pick NAS IP for u=0x65BAF324 tableid=0 cfg_addr=0.0.0.0
*Mar  1 00:21:31.491: RADIUS: ustruct sharecount=2
*Mar  1 00:21:31.491: Radius: radius_port_info() success=1 radius_nas_port=1
*Mar  1 00:21:31.491: RADIUS: added cisco VSA 2 len 15 "FastEthernet1/0"
*Mar  1 00:21:31.491: RADIUS: Request contains 9 byte EAP-message
*Mar  1 00:21:31.491: RADIUS: Added 9 bytes of EAP data to request
*Mar  1 00:21:31.495: RADIUS/ENCODE: Best Local IP-Address 10.10.0.253 for Radius-Server 10.10.0.2
*Mar  1 00:21:31.507: RADIUS(00000000): Send Access-Request to 10.10.0.2:1645 id 1645/3, len 127
*Mar  1 00:21:31.511: RADIUS:  authenticator 36 68 24 30 F0 CC E8 3C - 69 48 61 E3 DA 28 52 AC
*Mar  1 00:21:31.511: RADIUS:  NAS-IP-Address      [4]   6   10.10.0.253
*Mar  1 00:21:31.511: RADIUS:  NAS-Port            [5]   6   0
*Mar  1 00:21:31.511: RADIUS:  Vendor, Cisco       [26]  23
*Mar  1 00:21:31.515: RADIUS:   cisco-nas-port     [2]   17  "FastEthernet1/0"
*Mar  1 00:21:31.515: RADIUS:  NAS-Port-Type       [61]  6   X75                       [9]
*Mar  1 00:21:31.515: RADIUS:  User-Name           [1]   6   "user"
*Mar  1 00:21:31.515: RADIUS:  Calling-Station-Id  [31]  19  "08-00-27-B1-B3-32"
*Mar  1 00:21:31.515: RADIUS:  Service-Type        [6]   6   Framed                    [2]
*Mar  1 00:21:31.515: RADIUS:  Framed-MTU          [12]  6   1500
*Mar  1 00:21:31.515: RADIUS:  EAP-Message         [79]  11
*Mar  1 00:21:31.515: RADIUS:   02 1D 00 09 01 75 73 65 72                       [?????user]
*Mar  1 00:21:31.515: RADIUS:  Message-Authenticato[80]  18
*Mar  1 00:21:31.515: RADIUS:   B1 8B 8F 4C F1 6D C9 A6 4E 96 B8 3D 53 E9 41 12  [???L?m??N??=S?A?]
*Mar  1 00:21:31.555: RADIUS: Received from id 1645/3 10.10.0.2:1645, Access-Challenge, len 93
*Mar  1 00:21:31.555: RADIUS:  authenticator DF 38 A1 1B ED 3C 1E B2 - 1A 92 6A D5 58 CE B8 4A
*Mar  1 00:21:31.555: RADIUS:  EAP-Message         [79]  28
*Mar  1 00:21:31.555: RADIUS:   01 1E 00 1A 04 10 BE BA B4 B0 26 9D 52 0E 43 BC  [??????????&?R?C?]
*Mar  1 00:21:31.555: RADIUS:   33 46 8E A8 C6 45 47 4E 53 33                    [3F???EGNS3]
*Mar  1 00:21:31.555: RADIUS:  State               [24]  27
*Mar  1 00:21:31.555: RADIUS:   45 41 50 3D 30 2E 31 66 66 2E 39 38 36 2E 31 3B  [EAP=0.1ff.986.1;]
*Mar  1 00:21:31.559: RADIUS:   53 56 43 3D 30 2E 31 35 3B                       [SVC=0.15;]
*Mar  1 00:21:31.559: RADIUS:  Message-Authenticato[80]  18
*Mar  1 00:21:31.559: RADIUS:   22 C8 D5 BB 44 FC FC 14 D3 2C C9 42 A3 9B A4 9E  ["???D????,?B????]
*Mar  1 00:21:31.563: RADIUS: Found 26 bytes of EAP data in reply (ofs 0)
*Mar  1 00:21:31.563: RADIUS: Received 26 byte EAP Message in reply
*Mar  1 00:21:31.587: RADIUS: Pick NAS IP for u=0x65BAF324 tableid=0 cfg_addr=0.0.0.0
*Mar  1 00:21:31.587: RADIUS: ustruct sharecount=1
*Mar  1 00:21:31.587: Radius: radius_port_info() success=1 radius_nas_port=1
*Mar  1 00:21:31.587: RADIUS: added cisco VSA 2 len 15 "FastEthernet1/0"
*Mar  1 00:21:31.591: RADIUS: Request contains 26 byte EAP-message
*Mar  1 00:21:31.591: RADIUS: Added 26 bytes of EAP data to request
*Mar  1 00:21:31.591: RADIUS/ENCODE: Best Local IP-Address 10.10.0.253 for Radius-Server 10.10.0.2
*Mar  1 00:21:31.591: RADIUS(00000000): Send Access-Request to 10.10.0.2:1645 id 1645/4, len 171
*Mar  1 00:21:31.591: RADIUS:  authenticator 0A A2 1F 7C 12 A8 AB F7 - 9F 87 C6 51 A4 0D EA A2
*Mar  1 00:21:31.595: RADIUS:  NAS-IP-Address      [4]   6   10.10.0.253
*Mar  1 00:21:31.595: RADIUS:  NAS-Port            [5]   6   0
*Mar  1 00:21:31.595: RADIUS:  Vendor, Cisco       [26]  23
*Mar  1 00:21:31.595: RADIUS:   cisco-nas-port     [2]   17  "FastEthernet1/0"
*Mar  1 00:21:31.595: RADIUS:  NAS-Port-Type       [61]  6   X75                       [9]
*Mar  1 00:21:31.595: RADIUS:  User-Name           [1]   6   "user"
*Mar  1 00:21:31.595: RADIUS:  Calling-Station-Id  [31]  19  "08-00-27-B1-B3-32"
*Mar  1 00:21:31.595: RADIUS:  Service-Type        [6]   6   Framed                    [2]
*Mar  1 00:21:31.595: RADIUS:  Framed-MTU          [12]  6   1500
*Mar  1 00:21:31.595: RADIUS:  State               [24]  27
*Mar  1 00:21:31.595: RADIUS:   45 41 50 3D 30 2E 31 66 66 2E 39 38 36 2E 31 3B  [EAP=0.1ff.986.1;]
*Mar  1 00:21:31.595: RADIUS:   53 56 43 3D 30 2E 31 35 3B                       [SVC=0.15;]
*Mar  1 00:21:31.595: RADIUS:  EAP-Message         [79]  28
*Mar  1 00:21:31.595: RADIUS:   02 1E 00 1A 04 10 AA 09 8E 39 DE 29 E4 CC C6 BC  [?????????9?)????]
*Mar  1 00:21:31.595: RADIUS:   7F 01 C8 47 EC 74 75 73 65 72                    [???G?tuser]
*Mar  1 00:21:31.595: RADIUS:  Message-Authenticato[80]  18
*Mar  1 00:21:31.595: RADIUS:   33 57 82 E2 5C 24 A2 8C 67 CC 0D 8C 25 12 74 13  [3W??\$??g?????t?]
*Mar  1 00:21:31.731: RADIUS: Received from id 1645/4 10.10.0.2:1645, Access-Accept, len 90
*Mar  1 00:21:31.731: RADIUS:  authenticator A0 0E DF D7 87 FD 9E B6 - BB 64 04 4F 56 2A 03 89
*Mar  1 00:21:31.735: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
*Mar  1 00:21:31.735: RADIUS:  EAP-Message         [79]  6
*Mar  1 00:21:31.735: RADIUS:   03 1E 00 04                                      [????]
*Mar  1 00:21:31.735: RADIUS:  Tunnel-Type         [64]  6   01:VLAN                   [13]
*Mar  1 00:21:31.739: RADIUS:  Tunnel-Medium-Type  [65]  6   01:ALL_802                [6]
*Mar  1 00:21:31.739: RADIUS:  Tunnel-Private-Group[81]  6   01:"100"
*Mar  1 00:21:31.739: RADIUS:  Class               [25]  22
*Mar  1 00:21:31.739: RADIUS:   43 41 43 53 3A 30 2F 35 62 31 2F 61 30 61 30 30  [CACS:0/5b1/a0a00]
*Mar  1 00:21:31.739: RADIUS:   66 64 2F 30                                      [fd/0]
*Mar  1 00:21:31.739: RADIUS:  Message-Authenticato[80]  18
*Mar  1 00:21:31.739: RADIUS:   75 BC F2 E0 91 07 6C 12 4D 5C BB 50 A4 FD D3 26  [u?????l?M\?P???&]
*Mar  1 00:21:31.739: RADIUS: Found 4 bytes of EAP data in reply (ofs 0)
*Mar  1 00:21:31.739: RADIUS: Received 4 byte EAP Message in reply

As a result, the vlan-switch database does not change.

Any help will be appreciated!

Thanks a lot,

Chelovekov Alexander
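The Access-Accept in the debug above carries the three tunnel attributes RFC 3580 uses for VLAN assignment (Tunnel-Type [64] = VLAN [13], Tunnel-Medium-Type [65] = value 6, Tunnel-Private-Group-ID [81] = "100", all with tag 01). As an added example that is not part of the original post, this Python encodes that triplet at the byte level (the 6-octet lengths match the debug) and checks a received attribute blob for a complete, tag-matched set, which is what a NAS needs before it can move the port; all function names are my own.

```python
# RFC 2868 tunnel attributes as used by RFC 3580 for 802.1X VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # printed as "VLAN [13]" in the IOS debug
TUNNEL_MEDIUM_IEEE_802 = 6   # printed as "ALL_802 [6]" in the IOS debug
TUNNEL_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def tagged_int_avp(attr_type, tag, value):
    """Tunnel-Type / Tunnel-Medium-Type: one tag octet + 3-octet integer."""
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(body)]) + body


def tagged_str_avp(attr_type, tag, text):
    """Tunnel-Private-Group-ID: one tag octet + string (the VLAN id as text)."""
    body = bytes([tag]) + text.encode()
    return bytes([attr_type, 2 + len(body)]) + body


def build_vlan_attrs(vlan_id, tag=1):
    """Attribute bytes an Access-Accept carries to put the port in vlan_id."""
    return (tagged_int_avp(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int_avp(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_str_avp(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def parse_attrs(data):
    """Walk RADIUS type/length/value triples; length covers the 2-octet header."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out


def assigned_vlan(data):
    """VLAN id a NAS should apply, or None if no tag-matched triplet is complete.
    Tags 0x01..0x1F group the three attributes; a first octet above 0x1F on the
    string attribute is data, not a tag (RFC 2868), so an untagged "100" works."""
    by_tag = {}
    for attr, v in parse_attrs(data):
        if attr not in TUNNEL_ATTRS or not v:
            continue
        if attr == TUNNEL_PRIVATE_GROUP_ID and v[0] > 0x1F:
            tag, body = 0, v
        else:
            tag, body = v[0], v[1:]
        by_tag.setdefault(tag, {})[attr] = body
    for fields in by_tag.values():
        if (fields.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and fields.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
                and fields.get(TUNNEL_PRIVATE_GROUP_ID, b"").isdigit()):
            return int(fields[TUNNEL_PRIVATE_GROUP_ID])
    return None
```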

3 Replies

Amjad Abdullah
VIP Alumni

Hi Alex,

Try this command:

aaa authorization exec radius if-authenticated

Also, I can see

Tunnel-Medium-Type  [65]  6   01:ALL_802

Why do you assign the value ALL_802? The value must be "802" (without quotes) only.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"

Jatin Katyal
Cisco Employee

In addition to what Amjad suggested, all you need are the commands listed below for dot1x and VLAN assignment. He is correct, you need to use only 802 in the Tunnel-Medium-Type attribute.

Jatin Katyal


- Do rate helpful posts -

~Jatin

I've tried multiple ways to cope with this problem but nothing was helpful...

Tunnel-Medium-Type  [65]  6   01:ALL_802

I use only ACS RADIUS attributes and chose only what ACS allows me to choose (Tunnel-Medium-Type: 802).

Screenshot in attachment.

The same situation occurs when I try to use some Vendor Specific Attributes (Cisco-AV-Pair) - downloadable ACEs to my user, and again, I see RADIUS attributes in my debug but nothing is applied to my L3 switch.

What am I missing?