08-26-2016 06:01 AM
Hi guys,
I this error messages on my win7 machine:
SW1_c3750#
00:23:47: %LINK-5-CHANGED: Interface FastEthernet2/0/7, changed state to adminis
tratively down
00:23:47: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0/7, cha
nged state to down
00:23:56: %LINK-3-UPDOWN: Interface FastEthernet2/0/7, changed state to up
00:23:56: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0/7, cha
nged state to up
00:23:56: %AUTHMGR-5-START: Starting 'dot1x' for client (000c.2986.1153) on Inte
rface Fa2/0/7
00:23:57: %AUTHMGR-5-START: Starting 'dot1x' for client (c83a.35d2.398f) on Inte
rface Fa2/0/7
00:24:26: %DOT1X-5-FAIL: Authentication failed for client (000c.2986.1153) on In
terface Fa2/0/7
00:24:26: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' fo
r client (000c.2986.1153) on Interface Fa2/0/7
00:24:26: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (000c.2986.1
153) on Interface Fa2/0/7
00:24:26: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for cli
ent (000c.2986.1153) on Interface Fa2/0/7
00:24:26: %AUTHMGR-5-FAIL: Authorization failed for client (000c.2986.1153) on I
nterface Fa2/0/7
00:24:27: %DOT1X-5-FAIL: Authentication failed for client (c83a.35d2.398f) on In
terface Fa2/0/7
00:24:27: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' fo
r client (c83a.35d2.398f) on Interface Fa2/0/7
00:24:27: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (c83a.35d2.3
98f) on Interface Fa2/0/7
00:24:27: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for cli
ent (c83a.35d2.398f) on Interface Fa2/0/7
00:24:27: %AUTHMGR-5-FAIL: Authorization failed for client (c83a.35d2.398f) on I
nterface Fa2/0/7
I have c3750 with ios 12.2(50)SE2
My win7 connect to port 2/0/7 on this switch, and I have the configuration as follows:
interface FastEthernet2/0/7
switchport mode access
authentication host-mode multi-auth
authentication open
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
On my win7 machine I start the Wired Autoconfig service and setup the authentication to PEAP with method of PEA-MSCHAPv2,
This PC are in lab enviroent so I disable the "Authomatic use my windows login name" and setup credential instead (Local Area Connection Status>Properties>Authentication>Additional Settings...>Replace credential)
at the debug radius auth I get
SW1_c3750#
SW1_c3750#
00:37:48: RADIUS/ENCODE(0000001D):Orig. component type = DOT1X
00:37:48: RADIUS(0000001D): Config NAS IP: 0.0.0.0
00:37:48: RADIUS/ENCODE(0000001D): acct_session_id: 29
00:37:48: RADIUS(0000001D): sending
00:37:48: RADIUS/ENCODE: Best Local IP-Address 192.168.1.121 for Radius-Server 1
92.168.1.117
00:37:48: RADIUS(0000001D): Send Access-Request to 192.168.1.117:1812 id 1645/22
, len 201
00:37:48: RADIUS: authenticator D8 C5 63 73 E1 31 92 63 - F7 1B 78 4A 87 06 9D
3E
00:37:48: RADIUS: User-Name [1] 8 "bob-it"
00:37:48: RADIUS: Service-Type [6] 6 Framed [2]
00:37:48: RADIUS: Framed-IP-Address [8] 6 192.168.1.10
00:37:48: RADIUS: Framed-MTU [12] 6 1500
00:37:48: RADIUS: Called-Station-Id [30] 19 "00-22-90-A6-BC-09"
00:37:48: RADIUS: Calling-Station-Id [31] 19 "00-0C-29-86-11-53"
00:37:48: RADIUS: EAP-Message [79] 13
00:37:48: RADIUS: 02 01 00 0B 01 62 6F 62 2D 69 74 [ bob-it]
00:37:48: RADIUS: Message-Authenticato[80] 18
00:37:48: RADIUS: 4E 52 DB C5 66 E9 8A D8 2A D0 D5 BE DE B1 63 E3
[ NRf*c]
00:37:48: RADIUS: Vendor, Cisco [26] 49
00:37:48: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A8017900000
01A00227E41"
00:37:48: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
00:37:48: RADIUS: NAS-Port [5] 6 50207
00:37:48: RADIUS: NAS-Port-Id [87] 19 "FastEthernet2/0/7"
00:37:48: RADIUS: NAS-IP-Address [4] 6 192.168.1.121
00:37:48: RADIUS: Received from id 1645/22 192.168.1.117:1812, Access-Reject, le
n 38
00:37:48: RADIUS: authenticator 0B B5 21 76 89 64 A4 57 - B3 AD 56 23 A3 52 55
BE
00:37:48: RADIUS: Message-Authenticato[80] 18
00:37:48: RADIUS: 93 F7 C1 6F 80 0A 03 DA 18 34 8F 18 66 DE 81 DE
[ o4f]
00:37:48: RADIUS(0000001D): Received from id 1645/22
00:37:48: %DOT1X-5-FAIL: Authentication failed for client (000c.2986.1153) on In
terface Fa2/0/7
00:37:48: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for clien
t (000c.2986.1153) on Interface Fa2/0/7
00:37:48: %AUTHMGR-5-FAIL: Authorization failed for client (000c.2986.1153) on I
nterface Fa2/0/7
00:38:49: %AUTHMGR-5-START: Starting 'dot1x' for client (000c.2986.1153) on Inte
rface Fa2/0/7
Please help
Solved! Go to Solution.
08-29-2016 10:54 AM
Hi Hariprasad,
At the same day or more lately I restart the PC and after that it works for me,
I don't know why... but it work
Thanks for the reply.. really appreciate it
Thanks
08-26-2016 10:36 AM
I see nothing wrong with the interface configuration on the 3750.
In the first half, since you haven’t enabled 802.1X (Wired AutoConfig service) on the Windows client, the dot1x on the switch port is timing out throwing a ‘no-response’ message:
00:24:26: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (000c.2986.1153) on Interface Fa2/0/7
In the second half, I see that the client is doing 802.1X, the authentication request going to the server, but the response is an ‘Access-Reject’:
00:37:48: RADIUS: Received from id 1645/22 192.168.1.117:1812, Access-Reject, len 38
Could you share your ISE RADIUS live log and details relating to this session to understand why the server is rejecting the authentication request?
08-29-2016 10:54 AM
Hi Hariprasad,
At the same day or more lately I restart the PC and after that it works for me,
I don't know why... but it work
Thanks for the reply.. really appreciate it
Thanks
09-28-2016 06:20 PM
You maybe hitting the Rejection period in ISE. By default, ISE will silently reject authentication after some number of failed attempts by a certain MAC address. The default reject period is 60 minutes which would explain why you eventually got on later that day.
You can find this setting under Admin|Settings|Protocols|RADIUS
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide