hi

In my lab environment I configured 802.1x with "Multi-Auth" mode for multiple clients on a single protected port to be authenticated agains Microsoft NPS AAA server.

Switch ports configured with Single-Host or Mult-Host options are working fine but "Multi-Auth" mode its not working. My hardware details and configurations are as follows

Catalyst Model = WS-C2960S-24TSL running IOS 12.2(55)SE2

Current configuration : 10423 bytes

!

version 12.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

!

!

aaa new-model

!

!

aaa group server radius NPS

server-private x.x.x.x auth-port 1645 acct-port 1646 key <removed>

!

aaa authentication dot1x default group NPS

aaa authorization network default group NPS

!

!

!

aaa session-id common

switch 1 provision ws-c2960s-24ts-l

authentication mac-move permit

!

!

!

dot1x system-auth-control

spanning-tree mode pvst

spanning-tree extend system-id

!

!

!

!

vlan internal allocation policy ascending

!

!

interface GigabitEthernet1/0/1

switchport access vlan 5

switchport mode access

authentication order dot1x webauth

authentication priority dot1x webauth

authentication port-control auto

authentication timer reauthenticate 7200

authentication violation protect

dot1x pae authenticator

spanning-tree portfast

!

interface GigabitEthernet1/0/5

switchport access vlan 5

switchport mode access

switchport voice vlan 98

authentication host-mode multi-auth

authentication order dot1x mab webauth

authentication priority dot1x

authentication port-control auto

dot1x pae authenticator

!

interface GigabitEthernet1/0/7

switchport access vlan 5

switchport mode access

authentication host-mode multi-host

authentication order dot1x webauth

authentication priority dot1x webauth

authentication port-control auto

authentication timer reauthenticate 7200

authentication violation protect

dot1x pae authenticator

spanning-tree portfast

!

interface Vlan5

ip address x.x.x.x x.x.x.x

!

interface Vlan98

no ip address

!

radius-server vsa send accounting

radius-server vsa send authentication

end

My debug log for Authentication, dot1x and AAA is as follows.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

*Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) dot1x_pm_mda_port_link_linkcomingup: voice VLAN 98, data VLAN 5

*Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Authorized client count: 0

*Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Setting domain ALL to UNATHED

*Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Host access set to ask on unauthorized port since feature

*Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5)  host access set to 1 on GigabitEthernet1/0/5

*Mar  1 01:58:51.354: dot1x-ev(Gi1/0/5): Interface state changed to UP

*Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Enabling dot1x in switch shim

*Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Host access set to ask on unauthorized port since feature

*Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5)  host access set to 1 on GigabitEthernet1/0/5

*Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Host access set to ask on unauthorized port since feature

*Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5)  host access set to 1 on GigabitEthernet1/0/5

*Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Received clear security violation

*Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Received clear security violation

*Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Link UP

*Mar  1 01:58:51.360: AAA/BIND(00000004): Bind i/f

*Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Assigned AAA ID 0x00000004

*Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Retrieved Accounting Session ID 0x00000004

*Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Allocated new Auth Manager context (handle 0x83000002)

*Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Initialising Method dot1x state to 'Not run'

*Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Adding method dot1x to runnable list for Auth Mgr context 0x

*Mar  1 01:58:51.360: AUTH-EVENT: auth_mgr_idc_add_record: Recv audit_sid=0000000000000002006CD0E0

*Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Sending START to dot1x (handle 0x83000002)

*Mar  1 01:58:51.360:     dot1x_auth Gi1/0/5: initial state auth_initialize has enter

*Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_initialize_enter called

*Mar  1 01:58:51.360:     dot1x_auth Gi1/0/5: during state auth_initialize, got event 0(cfg_auto)

*Mar  1 01:58:51.360: @@@ dot1x_auth Gi1/0/5: auth_initialize -> auth_disconnected

*Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_disconnected_enter called

*Mar  1 01:58:51.360:     dot1x_auth Gi1/0/5: idle during state auth_disconnected

*Mar  1 01:58:51.360: @@@ dot1x_auth Gi1/0/5: auth_disconnected -> auth_restart

*Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_restart_enter called

*Mar  1 01:58:51.360: dot1x-ev(Gi1/0/5): Sending create new context event to EAP for 0x4100002D (0000.0000.0000)

*Mar  1 01:58:51.360:     dot1x_auth_bend Gi1/0/5: initial state auth_bend_initialize has enter

*Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_initialize_enter called

*Mar  1 01:58:51.360:     dot1x_auth_bend Gi1/0/5: initial state auth_bend_initialize has idle

*Mar  1 01:58:51.360:     dot1x_auth_bend Gi1/0/5: during state auth_bend_initialize, got event 16383(idle)

*Mar  1 01:58:51.360: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_initialize -> auth_bend_idle

*Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_idle_enter called

*Mar  1 01:58:51.360: dot1x-ev(Gi1/0/5): Created a client entry (0x4100002D)

*Mar  1 01:58:51.360: dot1x-ev(Gi1/0/5): Dot1x authentication started for 0x4100002D (0000.0000.0000)

*Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Received handle 0x4100002D from method

*Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Context changing state from 'Idle' to 'Running'

*Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Method dot1x changing state from 'Not run' to 'Running'

*Mar  1 01:58:51.360: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/5

*Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): Posting !EAP_RESTART on Client 0x4100002D

*Mar  1 01:58:51.360:     dot1x_auth Gi1/0/5: during state auth_restart, got event 6(no_eapRestart)

*Mar  1 01:58:51.360: @@@ dot1x_auth Gi1/0/5: auth_restart -> auth_connecting

*Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_connecting_enter called

*Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_restart_connecting_action called

*Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): Posting RX_REQ on Client 0x4100002D

*Mar  1 01:58:51.365:     dot1x_auth Gi1/0/5: during state auth_connecting, got event 10(eapReq_no_reAuthMax)

*Mar  1 01:58:51.365: @@@ dot1x_auth Gi1/0/5: auth_connecting -> auth_authenticating

*Mar  1 01:58:51.365: dot1x-sm(Gi1/0/5): 0x4100002D:auth_authenticating_enter called

*Mar  1 01:58:51.365: dot1x-sm(Gi1/0/5): 0x4100002D:auth_connecting_authenticating_action called

*Mar  1 01:58:51.365: dot1x-sm(Gi1/0/5): Posting AUTH_START for 0x4100002D

*Mar  1 01:58:51.365:     dot1x_auth_bend Gi1/0/5: during state auth_bend_idle, got event 4(eapReq_authStart)

*Mar  1 01:58:51.365: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_idle -> auth_bend_request

*Mar  1 01:58:51.365: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_enter called

*Mar  1 01:58:51.365: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE address

*Mar  1 01:58:51.365: dot1x-ev(Gi1/0/5): Role determination not required

*Mar  1 01:58:51.365: dot1x-registry:registry:dot1x_ether_macaddr called

*Mar  1 01:58:51.365: dot1x-ev(Gi1/0/5): Sending out EAPOL packet

*Mar  1 01:58:51.365: EAPOL pak dump Tx

*Mar  1 01:58:51.365: EAPOL Version: 0x3  type: 0x0  length: 0x0005

*Mar  1 01:58:51.365: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1

*Mar  1 01:58:51.365: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0x4100002D (0000.0000.0000)

*Mar  1 01:58:51.365: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_idle_request_action called

*Mar  1 01:58:53.352: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to up

*Mar  1 01:58:54.353: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/5, changed state to up

*Mar  1 01:59:22.188: dot1x-sm(Gi1/0/5): Posting EAP_REQ for 0x4100002D

*Mar  1 01:59:22.188:     dot1x_auth_bend Gi1/0/5: during state auth_bend_request, got event 7(eapReq)

*Mar  1 01:59:22.188: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_bend_request

*Mar  1 01:59:22.188: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_request_action called

*Mar  1 01:59:22.188: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_enter called

*Mar  1 01:59:22.188: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE address

*Mar  1 01:59:22.188: dot1x-ev(Gi1/0/5): Role determination not required

*Mar  1 01:59:22.188: dot1x-registry:registry:dot1x_ether_macaddr called

*Mar  1 01:59:22.188: dot1x-ev(Gi1/0/5): Sending out EAPOL packet

*Mar  1 01:59:22.188: EAPOL pak dump Tx

*Mar  1 01:59:22.188: EAPOL Version: 0x3  type: 0x0  length: 0x0005

*Mar  1 01:59:22.188: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1

*Mar  1 01:59:22.188: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0x4100002D (0000.0000.0000)

*Mar  1 01:59:53.016: dot1x-sm(Gi1/0/5): Posting EAP_REQ for 0x4100002D

*Mar  1 01:59:53.016:     dot1x_auth_bend Gi1/0/5: during state auth_bend_request, got event 7(eapReq)

*Mar  1 01:59:53.016: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_bend_request

*Mar  1 01:59:53.016: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_request_action called

*Mar  1 01:59:53.016: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_enter called

*Mar  1 01:59:53.016: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE address

*Mar  1 01:59:53.016: dot1x-ev(Gi1/0/5): Role determination not required

*Mar  1 01:59:53.016: dot1x-registry:registry:dot1x_ether_macaddr called

*Mar  1 01:59:53.016: dot1x-ev(Gi1/0/5): Sending out EAPOL packet

*Mar  1 01:59:53.016: EAPOL pak dump Tx

*Mar  1 01:59:53.016: EAPOL Version: 0x3  type: 0x0  length: 0x0005

*Mar  1 01:59:53.016: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1

*Mar  1 01:59:53.016: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0x4100002D (0000.0000.0000)

*Mar  1 02:00:23.844: dot1x-ev(Gi1/0/5): Received an EAP Timeout

*Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): Posting EAP_TIMEOUT for 0x4100002D

*Mar  1 02:00:23.844:     dot1x_auth_bend Gi1/0/5: during state auth_bend_request, got event 12(eapTimeout)

*Mar  1 02:00:23.844: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_bend_timeout

*Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_timeout_enter called

*Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_timeout_action called

*Mar  1 02:00:23.844:     dot1x_auth_bend Gi1/0/5: idle during state auth_bend_timeout

*Mar  1 02:00:23.844: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_timeout -> auth_bend_idle

*Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_idle_enter called

*Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): Posting AUTH_TIMEOUT on Client 0x4100002D

*Mar  1 02:00:23.844:     dot1x_auth Gi1/0/5: during state auth_authenticating, got event 14(authTimeout)

*Mar  1 02:00:23.844: @@@ dot1x_auth Gi1/0/5: auth_authenticating -> auth_authc_result

*Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_authenticating_exit called

*Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_authc_result_enter called

*Mar  1 02:00:23.844: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID

*Mar  1 02:00:23.844: dot1x-ev(Gi1/0/5): Sending event (2) to Auth Mgr for 0000.0000.0000

*Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Received AUTHC_RESULT from dot1x (handle 0x83000002)

*Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Authc Result: no-response

*Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Method dot1x changing state from 'Running' to 'Authc Failed'

*Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Context changing state from 'Running' to 'Authc Failed'

*Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Existing AAA ID: 0x00000004

*Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Received AAA ID 0x00000004 from method

*Mar  1 02:00:23.844: AUTH-EVENT: Enter auth_mgr_idc_modify_keys

*Mar  1 02:00:23.844: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0

*Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Sending AUTHZ_FAIL to dot1x (handle 0x83000002)

*Mar  1 02:00:23.844: dot1x-ev(Gi1/0/5): Received Authz fail for the client  0x4100002D (0000.0000.0000)

*Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Method dot1x changing state from 'Authc Failed' to 'Failed over'

*Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Sending DELETE to dot1x (handle 0x83000002)

*Mar  1 02:00:23.844: dot1x-ev(Gi1/0/5): Deleting client 0x4100002D (0000.0000.0000)

*Mar  1 02:00:23.844: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0

*Mar  1 02:00:23.844: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0

*Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) No more runnable methods

*Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Context changing state from 'Authc Failed' to 'No Methods'

*Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Building default attribute list for unresponsive client

*Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Signalling Authc fail for client 0000.0000.0000

*Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Authorized client count: 0

*Mar  1 02:00:23.844: %AUTHMGR-5-FAIL: Authorization failed for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0

*Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Context changing state from 'No Methods' to 'Authz Failed'

*Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Signalling Authz fail for client 0000.0000.0000

*Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) dot1x_switch_authz_fail: Called for GigabitEthernet1/0/5 and 0000.0000.0000

*Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0

*Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0

*Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0

*Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Host access set to ask on unauthorized port since feature

*Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5)  host access set to 1 on GigabitEthernet1/0/5

*Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Setting domain DATA to UNATHED

*Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0

*Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0

*Mar  1 02:00:23.849: AUTH-SYNC (Gi1/0/5) Syncing update for context (0000.0000.0000)

*Mar  1 02:00:23.849: AUTH-EVENT: Started Auth Manager tick timer

*Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Started 'restart' timer (60s) for client 0000.0000.0000

*Mar  1 02:00:23.849: dot1x-sm(Gi1/0/5): Posting_AUTHZ_FAIL on Client 0x4100002D

*Mar  1 02:00:23.849:     dot1x_auth Gi1/0/5: during state auth_authc_result, got event 22(authzFail)

*Mar  1 02:00:23.849: @@@ dot1x_auth Gi1/0/5: auth_authc_result -> auth_held

*Mar  1 02:00:23.849: dot1x-ev:Delete auth client (0x4100002D) message

*Mar  1 02:00:23.849: dot1x-ev:Auth client ctx destroyed

*Mar  1 02:00:23.849: dot1x-ev:Aborted posting message to authenticator state machine: Invalid client