05-31-2016 07:18 AM - edited 03-10-2019 11:49 PM
Hi,
I am running a POC to enable DOT1X on our switches. We are using certificates on the laptops and a Cisco ACS server running 5.8.1.
We get to the point where the ACS server sends an Access-Accept to the switch for the DOT1X request, but then the port goes into error-disable with an error that it found a new MAC address on the port, and yet it is the MAC address of the device it just authenticated.
Here are the relevant portions of the debugs:
*****************************************************************************************************
May 31 09:53:04.619: RADIUS: Received from id 1645/133 10.5.20.230:1645, Access-Accept, len 205
*****************************************************************************************************
May 31 09:53:04.619: RADIUS: authenticator 1A C2 2A F6 62 34 59 20 - 3D EA 68 E1 B8 67 53 FB
May 31 09:53:04.619: RADIUS: User-Name [1] 11 "UB-HY-002"
May 31 09:53:04.619: RADIUS: Class [25] 34
May 31 09:53:04.619: RADIUS: 43 41 43 53 3A 53 57 2D 41 43 53 2D 31 31 32 31 [CACS:SW-ACS-1121]
May 31 09:53:04.619: RADIUS: 2F 32 35 33 38 39 37 39 34 32 2F 35 39 32 35 37 [/253897942/59257]
May 31 09:53:04.619: RADIUS: EAP-Message [79] 6
May 31 09:53:04.619: RADIUS: 03 F2 00 04 [????]
May 31 09:53:04.619: RADIUS: Message-Authenticato[80] 18
May 31 09:53:04.628: RADIUS: E9 1B CB 87 77 1A A2 CE E0 30 61 C1 0D 2A E1 F0 [????w????0a??*??]
May 31 09:53:04.628: RADIUS: Vendor, Microsoft [26] 58
May 31 09:53:04.628: RADIUS: MS-MPPE-Send-Key [16] 52 *
May 31 09:53:04.628: RADIUS: Vendor, Microsoft [26] 58
May 31 09:53:04.628: RADIUS: MS-MPPE-Recv-Key [17] 52 *
May 31 09:53:04.628: RADIUS(00000002): Received from id 1645/133
May 31 09:53:04.628: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
*************************************************************************************************************************
May 31 09:53:04.628: dot1x-packet:Received an EAP Success on the FastEthernet0/24 for mac 5882.a895.510b
May 31 09:53:04.628: dot1x-sm:Posting EAP_SUCCESS on Client=1A3DFE8
May 31 09:53:04.628: dot1x_auth_bend Fa0: during state auth_bend_response, got event 11(eapSuccess)
May 31 09:53:04.628: @@@ dot1x_auth_bend Fa0: auth_bend_response -> auth_bend_success
May 31 09:53:04.628: dot1x-sm:Fa0/24:5882.a895.510b:auth_bend_response_exit called
May 31 09:53:04.628: dot1x-sm:Fa0/24:5882.a895.510b:auth_bend_success_enter called
May 31 09:53:04.628: dot1x-sm:Fa0/24:5882.a895.510b:auth_bend_response_success_action called
May 31 09:53:04.628: dot1x_auth_bend Fa0: idle during state auth_bend_success
May 31 09:53:04.628: @@@ dot1x_auth_bend Fa0: auth_bend_success -> auth_bend_idle
May 31 09:53:04.628: dot1x-sm:Fa0/24:5882.a895.510b:auth_bend_idle_enter called
May 31 09:53:04.628: dot1x-sm:Posting AUTH_SUCCESS on Client=1A3DFE8
May 31 09:53:04.628: dot1x_auth Fa0: during state auth_authenticating, got event 12(authSuccess_portValid)
May 31 09:53:04.628: @@@ dot1x_auth Fa0: auth_authenticating -> auth_authc_result
May 31 09:53:04.628: dot1x-sm:Fa0/24:5882.a895.510b:auth_authenticating_exit called
May 31 09:53:04.628: dot1x-sm:Fa0/24:5882.a895.510b:auth_authc_result_enter called
**************************************************************************************************************************
May 31 09:53:04.628: %DOT1X-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/24, new MAC address 5882.a895.510b is seen.
May 31 09:53:04.628: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/24, putting Fa0/24 in err-disable state
This is the dot1x configuration from the switch, and the port we are testing is configured as follows:
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
interface FastEthernet0/24
switchport access vlan 420
switchport mode access
switchport voice vlan 321
snmp trap mac-notification added
snmp trap mac-notification removed
snmp trap link-status permit duplicates
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-domain
dot1x timeout tx-period 3
spanning-tree portfast
Any help would be appreciated. Thanks in advance.
Jim
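The contradiction in the debugs above (an EAP Success for a MAC followed in the same millisecond by a security violation naming that same MAC on the same port) is easy to miss in a long capture. The following Python script is an added example, not code from this thread or from Cisco: it parses the three message shapes quoted in the post, correlates them per port, and labels a violation as SELF_VIOLATION when the offending MAC was already authenticated on that port, versus EXTRA_HOST when a different MAC appears behind an authenticated one (the normal multi-domain enforcement). The regular expressions are keyed to the exact wording shown here and are an assumption for other IOS releases; the sample lines are constructed to mirror the post, plus one invented second-host case on another port.

```python
"""Correlate Cisco IOS dot1x debug/syslog lines and flag a security
violation raised for a MAC the switch had just authenticated.

Added example for this thread; not part of the original post and not
Cisco code. Message formats assumed to match the thread's debug output.
"""
import re
from collections import defaultdict

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

# dot1x-packet:Received an EAP Success on the FastEthernet0/24 for mac 5882.a895.510b
EAP_SUCCESS_RE = re.compile(
    rf"dot1x-packet:Received an EAP Success on the (?P<port>\S+) for mac (?P<mac>{MAC})",
    re.IGNORECASE,
)
# %DOT1X-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/24, new MAC address ... is seen.
VIOLATION_RE = re.compile(
    rf"%DOT1X-5-SECURITY_VIOLATION: Security violation on the interface (?P<port>[^,\s]+), "
    rf"new MAC address (?P<mac>{MAC}) is seen",
    re.IGNORECASE,
)
# %PM-4-ERR_DISABLE: security-violation error detected on Fa0/24, putting Fa0/24 in err-disable state
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: (?P<reason>\S+) error detected on (?P<port>[^,\s]+)"
)


def normalize_port(name: str) -> str:
    """Map long and short interface names ('FastEthernet0/24', 'Fa0/24') to one key."""
    m = re.match(r"([A-Za-z]+)(\S+)", name)
    if not m:
        return name
    return m.group(1)[:2].capitalize() + m.group(2)


def analyze(lines):
    """Walk the log in order and return a list of findings (dicts).

    verdicts:
      SELF_VIOLATION - violation names a MAC already authenticated on that port
      EXTRA_HOST     - violation names a different MAC while another is authenticated
      NO_AUTH        - violation with no prior successful authentication on the port
      ERR_DISABLED   - port was put into err-disable
    """
    authenticated = defaultdict(set)  # port -> MACs that received EAP Success
    findings = []
    for line in lines:
        m = EAP_SUCCESS_RE.search(line)
        if m:
            authenticated[normalize_port(m["port"])].add(m["mac"].lower())
            continue
        m = VIOLATION_RE.search(line)
        if m:
            port, mac = normalize_port(m["port"]), m["mac"].lower()
            if mac in authenticated[port]:
                verdict = "SELF_VIOLATION"
            elif authenticated[port]:
                verdict = "EXTRA_HOST"
            else:
                verdict = "NO_AUTH"
            findings.append({"port": port, "mac": mac, "verdict": verdict})
            continue
        m = ERRDISABLE_RE.search(line)
        if m:
            findings.append({"port": normalize_port(m["port"]), "mac": None,
                             "verdict": "ERR_DISABLED", "reason": m["reason"]})
    return findings


# Constructed sample: the first three lines mirror the thread's debug output,
# the last two are an invented second-host scenario on a different port.
SAMPLE_LINES = [
    "May 31 09:53:04.628: dot1x-packet:Received an EAP Success on the FastEthernet0/24 for mac 5882.a895.510b",
    "May 31 09:53:04.628: %DOT1X-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/24, new MAC address 5882.a895.510b is seen.",
    "May 31 09:53:04.628: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/24, putting Fa0/24 in err-disable state",
    "May 31 10:01:12.004: dot1x-packet:Received an EAP Success on the FastEthernet0/10 for mac 0011.2233.4455",
    "May 31 10:02:30.117: %DOT1X-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/10, new MAC address 66aa.bbcc.ddee is seen.",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LINES):
        print(f)
```

Run it against a saved `debug dot1x all` / `debug radius` capture (one line per list entry); a SELF_VIOLATION immediately followed by ERR_DISABLED on the same port is the signature this thread describes, whereas EXTRA_HOST is the switch doing its job under a multi-domain limit.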
06-02-2016 11:08 AM
Hi Jim, how many devices are being connected on that switch port? Also, are you perhaps using a docking station with the laptop?
You can try running multi-auth instead of multi-domain and see if that fixes the problem
authentication host-mode multi-auth
Thank you for rating helpful posts!
06-02-2016 11:28 AM
Hi Neno,
Turns out we needed to do a code upgrade to address some bug issues. Once we did it started to work. I appreciate the help.
Thanks,
Jim
06-02-2016 11:35 AM
Ah good to hear! Any chance you can post:
1. Bug that you were facing (if known)
2. Version of code that was affected
3. Version of code that you upgraded to
Thank you for rating helpful posts!
06-02-2016 11:45 AM
Sure,
the bug was unknown and we went from code:
c2960-lanbasek9-mz.122-35.SE to 12.2(55)SE10
06-02-2016 12:16 PM
Oh yeah, the (55) train is the way to go if you are not on 15.x. Thank you for taking the time to provide the solution to the problem! (+5 from me)
Now, since your issue is resolved, you should mark the thread as "answered" :)