Solved: Authentication result 'no-response'

Krasnoperov · ‎01-29-2013

Hi I have a simple MDA config

interface FastEthernet0/4

switchport access vlan 84

switchport mode access

switchport voice vlan 70

ip access-group default_acl in

authentication host-mode multi-auth

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

mab

dot1x pae authenticator

dot1x timeout tx-period 3

dot1x max-reauth-req 3

storm-control broadcast level 5.00

storm-control action shutdown

spanning-tree portfast

spanning-tree bpduguard enable

When I try to conect to this port - ONLY PHONE it Authentificates successfuly via mab, When I try to connect only PC it authentificates successfuly via dot1x, but when I try to connect PC through PHONE - Phone authentificate successfuly, but PC -not, on my ISE server log I see only MAB trying for PC, no dot1x attempts.

ARHIV-ROOM36(config-if)#

Jan 29 12:08:04.380: %LINK-5-CHANGED: Interface FastEthernet0/4, changed state to administratively down

Jan 29 12:08:05.387: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to down

ARHIV-ROOM36(config-if)#exi

ARHIV-ROOM36(config)#exi

Jan 29 12:08:06.536: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up

Jan 29 12:08:07.543: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to up

ARHIV-ROOM36(config)#exi

ARHIV-ROOM36#

Jan 29 12:08:08.021: %SYS-5-CONFIG_I: Configured from console by ask on vty0 (10.110.11.253)

ARHIV-ROOM36#

Jan 29 12:08:09.170: %AUTHMGR-5-START: Starting 'dot1x' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID

0A6E0A0400000077A11BEA81

Jan 29 12:08:10.076: %AUTHMGR-5-START: Starting 'dot1x' for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID

0A6E0A0400000078A11BF97A

ARHIV-ROOM36#

Jan 29 12:08:18.591: %DOT1X-5-FAIL: Authentication failed for client (0023.8b84.fa32) on Interface Fa0/4 AuditSession

ID

Jan 29 12:08:18.591: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0023.8b84.fa32)

on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81

Jan 29 12:08:18.591: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0023.8b84.fa32) on Interface Fa0/4 Au

ditSessionID 0A6E0A0400000077A11BEA81

Jan 29 12:08:18.591: %AUTHMGR-5-START: Starting 'mab' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0

A6E0A0400000077A11BEA81

Jan 29 12:08:18.608: %MAB-5-FAIL: Authentication failed for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID

0A6E0A0400000077A11BEA81

Jan 29 12:08:18.608: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0023.8b84.fa32) on

Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81

Jan 29 12:08:18.608: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0023.8b84.fa32) on Interface Fa0/4 Audi

tSessionID 0A6E0A0400000077A11BEA81

Jan 29 12:08:18.608: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0023.8b84.fa32) on In

terface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81

ARHIV-ROOM36#

Jan 29 12:08:18.608: %AUTHMGR-5-FAIL: Authorization failed for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessio

nID 0A6E0A0400000077A11BEA81

ARHIV-ROOM36#

Jan 29 12:08:21.678: %DOT1X-5-FAIL: Authentication failed for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSession

ID

Jan 29 12:08:21.678: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (ccef.485c.f4b9)

on Interface Fa0/4 AuditSessionID 0A6E0A0400000078A11BF97A

Jan 29 12:08:21.678: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (ccef.485c.f4b9) on Interface Fa0/4 Au

ditSessionID 0A6E0A0400000078A11BF97A

Jan 29 12:08:21.678: %AUTHMGR-5-START: Starting 'mab' for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID 0

A6E0A0400000078A11BF97A

Jan 29 12:08:21.728: %MAB-5-SUCCESS: Authentication successful for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSe

ssionID 0A6E0A0400000078A11BF97A

ARHIV-ROOM36#

Jan 29 12:08:21.728: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (ccef.485c.f4b9) on Int

erface Fa0/4 AuditSessionID 0A6E0A0400000078A11BF97A

ARHIV-ROOM36#

Jan 29 12:08:22.718: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (ccef.485c.f4b9) on Interface Fa0/4 Audit

SessionID 0A6E0A0400000078A11BF97A

ARHIV-ROOM36#

Jan 29 12:09:19.334: %AUTHMGR-5-START: Starting 'dot1x' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID

0A6E0A0400000077A11BEA81

ARHIV-ROOM36#

Jan 29 12:09:31.850: %DOT1X-5-FAIL: Authentication failed for client (0023.8b84.fa32) on Interface Fa0/4 AuditSession

ID

Jan 29 12:09:31.850: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0023.8b84.fa32)

on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81

Jan 29 12:09:31.850: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0023.8b84.fa32) on Interface Fa0/4 Au

ditSessionID 0A6E0A0400000077A11BEA81

Jan 29 12:09:31.850: %AUTHMGR-5-START: Starting 'mab' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0

A6E0A0400000077A11BEA81

Jan 29 12:09:31.866: %MAB-5-FAIL: Authentication failed for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID

0A6E0A0400000077A11BEA81

Jan 29 12:09:31.866: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0023.8b84.fa32) on

Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81

Jan 29 12:09:31.866: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0023.8b84.fa32) on Interface Fa0/4 Audi

tSessionID 0A6E0A0400000077A11BEA81

Jan 29 12:09:31.866: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0023.8b84.fa32) on In

terface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81

ARHIV-ROOM36#

Jan 29 12:09:31.866: %AUTHMGR-5-FAIL: Authorization failed for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessio

nID 0A6E0A0400000077A11BEA81

ARHIV-ROOM36#sh run | i aaa

aaa new-model

aaa authentication login default local

aaa authentication enable default enable

aaa authentication dot1x default group radius

aaa authorization exec default local

aaa authorization network default group radius

aaa accounting dot1x default start-stop group radius

aaa session-id common

ARHIV-ROOM36#sh run | i radius

aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa accounting dot1x default start-stop group radius

radius-server host 10.5.45.128 auth-port 1812 acct-port 1813 key 7 xxxx

radius-server vsa send accounting

radius-server vsa send authentication

nspasov · ‎01-30-2013

It sure looks like the phone was not passing the 802.1x traffic as the switch was getting no response from its request. That is very interesting and good to know. Good job on finding a solution and sharing it back!

You should probably mark the thread as answered

View solution in original post

nspasov · ‎01-29-2013

Hello again-

I have seen a similar issue before. A few questions:

1. What version of code are you running on your switch

2. What happens when:

Uplug both phone and computer > Connect Phone > Allow the phone to fully boot and authenticate > Connect PC > Disable and re-enable NIC on PC

3. What make and model phones are you using

4. Are you running any type of desktop securty applications (Mcaffee, Norton, CSA, etc)

Thnak you for rating!

Krasnoperov · ‎01-30-2013

Hi,

1) Yesterday I change IOS on this switch from

c2960c405-universalk9-mz.122-55.EX3

to

c2960c405-universalk9-mz.150-2.SE1.bin

2) Same thing, on my ISE server I see only attempt to authentificate my PC via MAB

This I see at the end of log

when phone bootup and authenticate

Jan 30 14:22:24.087: %MAB-5-SUCCESS: Authentication successful for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSe

ssionID 0A6E0A0400000030000EB3C3

Jan 30 14:22:24.087: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (ccef.485c.f4b9) on Int

erface Fa0/4 AuditSessionID 0A6E0A0400000030000EB3C3

ARHIV-ROOM36#

Jan 30 14:22:24.473: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (ccef.485c.f4b9) on Interface Fa0/4 Audit

SessionID 0A6E0A0400000030000EB3C3

This I see when plug my PC to the phone

2222.txt

3) Cisco/Linksys SPA502G

Yesterday, I change firmware from 7.4.6, to 7.5.4(on other phone same series SPA502G) and no I see when phone bootup and authenticate

Jan 30 14:41:28.750: %MAB-5-SUCCESS: Authentication successful for client (649e.f377.39f8) on Interface Fa0/4 AuditSe

ssionID 0A6E0A040000003E0020225F

ARHIV-ROOM36#

Jan 30 14:41:28.750: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (649e.f377.39f8) on Int

erface Fa0/4 AuditSessionID 0A6E0A040000003E0020225F

ARHIV-ROOM36#

Jan 30 14:41:29.505: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (649e.f377.39f8) on Interface Fa0/4 Audit

SessionID 0A6E0A040000003E0020225F

This I see when plug my PC to the new firmware phone

3333.txt

So my PC authentificate successfuly.

So I thiks it's a bug in phone firmware, bu I check every release notes for this phone firmware, and nothing about this BUG, so I'm confused.

4) NO I dont have any Norton, Mcafee and so on

Is that possible tha phone block Eaopl messages of dot1x?

nspasov · ‎01-30-2013

It sure looks like the phone was not passing the 802.1x traffic as the switch was getting no response from its request. That is very interesting and good to know. Good job on finding a solution and sharing it back!

You should probably mark the thread as answered