08-04-2017 12:26 PM - edited 03-11-2019 12:54 AM
I have been trying to get an access point in my lab environment to authenticate using .1x credentials for network access to ISE. I followed the steps in this document:
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-fixed/107946-LAP-802-1x.html
And it doesn't work. I don't even see it trying to authenticate. I change it to MAB and it works instantly. I have 8510 controllers running 8.2.151 and 2700i APs running 15.3(3)JC6$.
Has anyone been successful getting the access points to authenticate with .1x?
08-04-2017 12:38 PM
When the AP attempts authentication, run tcpdump from within ISE and see what the output is.
Have you tested another 802.1x capable device connected to the switch to prove the 802.1x configuration is working as expected? If yes and it works ok, that may provide some clues as to where the issue lies.
HTH
08-04-2017 12:41 PM
Yes, I have successfully authenticated by .1x with my test laptop and ISE doing vlan steering. That works well. I will try your suggestion and see where that takes me.
08-04-2017 02:01 PM
I ran debug on ISE against the mac address and the result is the AP failed in authentication. My configuration matches the document. I don't know why authentication is failing.
08-04-2017 02:22 PM
If you can post the error message as to why the AP failed authentication, hopefully we can work out what is wrong.
08-07-2017 06:41 AM
08-07-2017 10:01 AM
Well, yes, it looks like it is attempting MAB straight away, I'd expected some 802.1x errors.
Can you run some debugs on the switch (debug aaa authentication and debug radius authentication), plug in the AP again, capture the output, and upload the debug output here.
Could you attach the running-config of the switch as well please?
08-07-2017 11:48 AM
08-07-2017 12:59 PM
So I can see from the error in your log:
Aug 7 13:11:19.782: %DOT1X-5-FAIL: Switch 1 R0/0: smd: Authentication failed for client (E00E.DA28.4638) on Interface Gi1/0/38 AuditSessionID 0AFCC80F00001273BDE4A218
that the AP is attempting dot1x authentication, so there should be a corresponding error on ISE?
If you run the command debug radius authentication we should get a detailed output which may indicate where the issue is.
08-07-2017 01:42 PM
08-07-2017 01:52 PM
Did you run debug radius authentication or debug aaa authentication? I used debug radius authentication to verify and I had pages of dot1x debug. The screenshot is of a mab auth failure, is that the correct error?
08-07-2017 02:00 PM
Sorry, I must have misread the last comment. I just issued the debug radius authentication command and nothing was logged any different than what was on my last log attachment.
Yes, the ISE error is from that AP at that timestamp. That is what's been confusing me, seeing it fail on MAB according to the ISE live log. I wonder, could it be failing on .1x while booting and by the time it comes online the switch has already moved on to MAB authentication?
08-07-2017 02:22 PM
Well with the IBNS 2.0 style configuration you are using, it can run both mab and dot1x authentication concurrently, so it may be authenticating mab and then not attempting dot1x.
Check out https://www.cisco.com/en/US/docs/ios-xml/ios/san/configuration/xe-3se/3850/san-cntrl-pol.html - section Example: Configuring Control Policy for Concurrent Authentication Methods.
Potentially it's these commands that are required in your config:
event agent-found match-all
 10 class always do-until-failure
  10 authenticate using dot1x priority 10
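For context on how that agent-found event fits into a complete IBNS 2.0 control policy, here is an added illustration (not the poster's running-config and not the Cisco document's text): a policy that starts MAB and dot1x together, lets dot1x win when the AP sends EAPOL, and falls back to MAB only after an authoritative dot1x failure. The policy-map and class-map names are hypothetical; the interface number is the one from the switch log above.

```ios
! Added example, not from the original thread. Names are hypothetical.
! Matches sessions where dot1x ran and the AAA server gave an authoritative failure.
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative

policy-map type control subscriber CONCURRENT_DOT1X_MAB
 ! On link-up start both methods; the lower priority number wins if both succeed.
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 20
   20 authenticate using dot1x priority 10
 ! An EAPOL frame from the AP means a supplicant is present: drop the MAB result
 ! and let dot1x (priority 10) own the session, so MAB cannot mask a dot1x failure.
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
 ! Only after dot1x fails authoritatively does the port fall back to MAB.
 event authentication-failure match-first
  10 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20

interface GigabitEthernet1/0/38
 switchport mode access
 access-session port-control auto
 mab
 dot1x pae authenticator
 service-policy type control subscriber CONCURRENT_DOT1X_MAB
```

After applying it, show access-session interface GigabitEthernet1/0/38 details will list which method currently holds the session, which is the quickest way to tell a MAB pass from a dot1x pass in the live log.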
08-10-2017 12:59 PM
I added that to my configuration and took away the MAB config on the port. It still won't pass the authorization rule. In the ISE report the error says:
24423 ISE has not been able to confirm previous successful machine authentication
I opened a TAC case for assistance. I am at a loss now.