authentication event fail action authorize vlan

mr.locash
Level 1

Hi,

When the supplicant is missing, vlan500 is opened for the port and everything is OK, but when the supplicant has a wrong configuration something happens and the port is always authenticating (every 30s; vlan500 is not assigned to this port when the supplicant has a bad configuration).

The logs show something like this:

```
Jul 10 10:20:12.362: %AUTHMGR-5-START: Starting 'dot1x' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A3545161E4
Jul 10 10:20:44.365: %AUTHMGR-5-START: Starting 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %MAB-5-FAIL: Authentication failed for client (001e.3718.7297) on Interface Ga0/1AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-5-START: Starting 'dot1x' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
```

version - Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 15.0(1)SE2

port config:

```
interface GigabitEthernet0/1
 switchport access vlan 104
 switchport mode access
 switchport voice vlan 200
 authentication event fail action authorize vlan 500
 authentication event no-response action authorize vlan 500
 authentication order mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation replace
 mab eap
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout quiet-period 3
 dot1x timeout tx-period 1
 dot1x max-req 1
 dot1x max-reauth-req 1
 dot1x timeout held-period 3
 dot1x timeout auth-period 3
 spanning-tree portfast
 ip dhcp snooping limit rate 20
end
```

in global config:

```
dot1x system-auth-control
dot1x guest-vlan supplican
```

```
#sh dot1x inter g0/1 det
Dot1x Info for GigabitEthernet0/1
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
QuietPeriod = 3
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 1
MaxReq = 1
TxPeriod = 1

Dot1x Authenticator Client List
-------------------------------
EAP Method = (0)
Supplicant = 001e.3718.7297
Session ID = 0A0EFF5D0000024C29E03686
Auth SM State = AUTHENTICATING
Auth BEND SM State = REQUEST
```

Please help.

Sorry for my bad English.
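
The log excerpt in the post above, run through a small parser that groups AUTHMGR/MAB events per interface and MAC and flags clients that keep restarting authentication without ever being authorized. This is an added example, not part of the thread or of any Cisco tooling; the last two sample lines are constructed, and the `%AUTHMGR-5-SUCCESS` message and the `find_auth_loops` name are assumptions that do not appear on the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# First six lines: the excerpt from the post. Last two: constructed for contrast
# (documentation MAC; the SUCCESS message format is an assumption, not from the page).
SAMPLE_LOG = """\
Jul 10 10:20:12.362: %AUTHMGR-5-START: Starting 'dot1x' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A3545161E4
Jul 10 10:20:44.365: %AUTHMGR-5-START: Starting 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %MAB-5-FAIL: Authentication failed for client (001e.3718.7297) on Interface Ga0/1AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-5-START: Starting 'dot1x' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:21:00.000: %AUTHMGR-5-START: Starting 'dot1x' for client (0000.5e00.5301) on Interface Ga0/2 AuditSessionID 00000000000000000000AAAA
Jul 10 10:21:01.000: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0000.5e00.5301) on Interface Ga0/2 AuditSessionID 00000000000000000000AAAA
"""

EVENT = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+): %\w+-\d-(?P<mnem>\w+):.*?client "
    r"\((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+?)\s*AuditSessionID"
)
START = re.compile(r"Starting '(\w+)'")
RESULT = re.compile(r"result '([\w-]+)' from '(\w+)'")

def find_auth_loops(log_text, min_starts=3):
    """Flag (interface, MAC) pairs that start authentication at least
    min_starts times and never log an authorization success."""
    seen = defaultdict(lambda: {"starts": [], "results": [], "times": []})
    authorized = set()
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        key = (m["intf"], m["mac"])
        rec = seen[key]
        # The timestamps carry no year; 2000 is a placeholder so parsing is unambiguous.
        rec["times"].append(datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f"))
        if m["mnem"] == "START" and (s := START.search(line)):
            rec["starts"].append(s[1])
        elif m["mnem"] == "RESULT" and (r := RESULT.search(line)):
            rec["results"].append((r[2], r[1]))  # (method, result)
        elif m["mnem"] == "SUCCESS":
            authorized.add(key)
    loops = {}
    for key, rec in seen.items():
        if key not in authorized and len(rec["starts"]) >= min_starts:
            span = (max(rec["times"]) - min(rec["times"])).total_seconds()
            loops[key] = {"starts": rec["starts"], "results": rec["results"], "span_s": span}
    return loops
```

Calling `find_auth_loops(SAMPLE_LOG)` reports only the Ga0/1 client, with the order in which methods were started, the per-method results, and the seconds between its first and last event.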

3 Replies

Tarik Admani
VIP Alumni

Lukasz,

Try removing the command "authentication event no-response action authorize vlan 500"; essentially, if MAB fails they will still get on the correct VLAN anyway.

See if that helps with your situation.

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks for the reply, but ...

... your idea did not help; it is still the same.

```
            Interface:  GigabitEthernet0/1
          MAC Address:  001e.3718.7297
           IP Address:  Unknown
            User-Name:  host/tymczasowosc.krakow.qumak.pl
               Status:  Running
               Domain:  UNKNOWN
       Oper host mode:  single-host
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0EFF5D000002BB47691865
      Acct Session ID:  0x00000813
               Handle:  0x500002BC

Runnable methods list:
       Method   State
       dot1x    Running
```

---------------------------------------------------------------------

```
interface GigabitEthernet0/1
 description DOSTEP_DO_KORPO_214.A
 switchport access vlan 104
 switchport mode access
 switchport voice vlan 200
 authentication event fail retry 3 action authorize vlan 500
 authentication order dot1x
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation replace
 mab eap
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout quiet-period 3
 dot1x timeout tx-period 1
 dot1x max-req 1
 dot1x max-reauth-req 1
 dot1x timeout held-period 3
 dot1x timeout auth-period 3
 spanning-tree portfast
 ip dhcp snooping limit rate 20
end
```

After I uninstall the supplicant, the laptop (without supplicant - Odyssey Access Client) should be in guest vlan500, but after I remove "authentication event no-response action authorize vlan 500" it won't work, so I need this command too.

I have no idea what to do next.

I wonder if this is an issue with the dot1x version that the new IOS code is using. Can you try uninstalling the Odyssey client and see if the native Windows supplicant works? Also, can you take a pcap of the client with the Odyssey client to see where this is failing?

Thanks,

Tarik Admani
*Please rate helpful posts*