Aironet 2700i .1x Authentication to ISE

TMaddox
Level 1

I have been trying to get an access point in my lab environment to authenticate using .1x credentials for network access to ISE. I followed the steps in this document:

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-fixed/107946-LAP-802-1x.html

And it doesn't work. I don't even see it trying to authenticate. I change it to MAB and it works instantly. I have 8510 controllers running 8.2.151 and 2700i APs running 15.3(3)JC6$.

Has anyone been successful getting the access points to authenticate with .1x?

13 Replies

When the AP attempts authentication, run tcpdump from within ISE and see what the output is.

Have you tested another 802.1x capable device connected to the switch to prove the 802.1x configuration is working as expected? If yes and it works ok, that may provide some clues as to where the issue lies.

HTH

Yes, I have successfully authenticated by .1x with my test laptop and ISE doing vlan steering. That works well. I will try your suggestion and see where that takes me.

I ran debug on ISE against the mac address and the result is the AP failed in authentication. My configuration matches the document. I don't know why authentication is failing.

If you can post the error message as to why the AP failed authentication, hopefully we can workout what is wrong.

The debug is attached. Looks to me like it is trying to authenticate with the MAC even though .1x credentials are configured on the AP. 

Well, yes, it looks like it is attempting MAB straight away, I'd expected some 802.1x errors.

Can you run some debugs on the switch (debug aaa authentication and debug radius authentication), plug in the AP again, capture the output and upload the debug output here.

Could you attach the running-config of the switch as well please?

I have the info attached. My ISE policy is similar to the one in the document and the authorization profile is configured to call the interface template in the config once authenticated properly. What you see in the debug is all I get. It immediately goes to fail.

So I can see from the error in your log:

Aug  7 13:11:19.782: %DOT1X-5-FAIL: Switch 1 R0/0: smd:  Authentication failed for client (E00E.DA28.4638) on Interface Gi1/0/38 AuditSessionID 0AFCC80F00001273BDE4A218

that the AP is attempting dot1x authentication, so there should be a corresponding error on ISE?

If you run the command debug radius authentication we should get a detailed output which may indicate where the issue is.

I did use debug aaa authentication command. That is what was logged. The screenshot below is the authentication details from ISE.

Did you run debug radius authentication or debug aaa authentication? I used debug radius authentication to verify and I had pages of dot1x debug. The screenshot is of a mab auth failure, is that the correct error?

Sorry, I must have misread the last comment. I just issued the debug radius authentication command and nothing was logged any different from what was on my last log attachment.

Yes the ISE error is from that AP at that timestamp. That is what's been confusing me, seeing it fail on MAB according to the ISE live log. I wonder could it be failing on .1x while booting and by the time it comes online the switch has already moved on to MAB authentication?

Well with the IBNS 2.0 style configuration you are using, it can run both mab and dot1x authentication concurrently, so it may be authenticating mab and then not attempting dot1x.

Check out https://www.cisco.com/en/US/docs/ios-xml/ios/san/configuration/xe-3se/3850/san-cntrl-pol.html - section Example: Configuring Control Policy for Concurrent Authentication Methods.

Potentially it's these commands that are required in your config:

 event agent-found match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
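As an added example (not code from the thread or from the linked Cisco document), the fragment above in the context of a complete IBNS 2.0 control policy that runs MAB and 802.1X concurrently but lets an 802.1X supplicant take over the session when its first EAPOL frame arrives (the agent-found event), together with the class-maps, RADIUS and interface settings it depends on. The policy and class-map names, the ISE address 10.0.0.10, the shared secret and the port description are assumptions for illustration; Gi1/0/38 is taken from the syslog line earlier in the thread. The AP-side 802.1X credentials are still pushed from the WLC as in the linked document and are not shown here.

```ios
! Added example for an IOS-XE access switch using new-style (IBNS 2.0)
! access-session commands. Names, addresses and secrets are assumptions.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
radius server ISE-PSN
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key ExampleSharedSecret
!
! Result classes referenced by the control policy
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
!
policy-map type control subscriber CONCURRENT_DOT1X_MAB
 ! Start both methods at link-up. Lower priority value wins, so a later
 ! dot1x result (10) overrides an authorization already granted by MAB (20).
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 20
   20 authenticate using dot1x priority 10
 ! An EAPOL frame from a slow-booting supplicant such as the AP re-runs
 ! dot1x even if MAB has already produced a result for the session.
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 authorize
   20 terminate dot1x
   30 terminate mab
  20 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
  30 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  40 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY
!
interface GigabitEthernet1/0/38
 description Aironet 2700i (assumed)
 switchport mode access
 access-session host-mode multi-host
 access-session port-control auto
 mab
 dot1x pae authenticator
 service-policy type control subscriber CONCURRENT_DOT1X_MAB
```

After re-plugging the AP, show access-session interface GigabitEthernet1/0/38 details lists every method that ran for the session with its status, which settles the question raised above of whether the switch ever attempted dot1x or stopped at MAB. The policy only controls which methods the switch runs and in what order; a failure reason that ISE itself reports comes from the ISE authentication or authorization policy and has to be resolved on the ISE side.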

I added that to my configuration and took away the MAB config on the port. It still won't pass the authorization rule. In the ISE report the error says

24423 ISE has not been able to confirm previous successful machine authentication

I opened a TAC case for assistance. I am at a loss now.
