Authorization state with cisco switch 2960 version 15.02.se6

citestsco
Level 1

Hi,

Recently we have connected our switch to a NAC with dot1x.

We have implemented all of Cisco's best practices to connect the switch to our RADIUS server.

The clients authenticate successfully, but on the authorization side we are facing a problem.

Once the client is authenticated and authorized, we cannot apply any authorization step.

This means that from the RADIUS server we cannot perform any authorization-related action, such as:

Reauthenticate

VLAN assignment

filter-id

None of these are applied to the client's session, but the client status is "Authz success".

In the debug we can see that the authorization details are being sent from the RADIUS server but are not being applied on the switch.

Also, when we perform a CoA action (no matter which kind of CoA) we receive:

COA: Illegal authenticator in COA from X.X.X.X

Please help. Here are some logs from the switch, captured while I had the following debugs enabled:

debug aaa pod

debug aaa authorization

debug aaa coa

debug radius

logs:

*Mar 22 22:31:03.268: RADIUS: 62 80 C7 3A 08 92 F9 8C A1 EA 85 5E F5 FB 73 94 [ b:^s]
*Mar 22 22:31:03.268: RADIUS: EAP-Key-Name [102] 2 *
*Mar 22 22:31:03.268: RADIUS: Vendor, Cisco [26] 49
*Mar 22 22:31:03.268: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A28000D0000010C70FA5BC0"
*Mar 22 22:31:03.268: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Mar 22 22:31:03.268: RADIUS: Vendor, Cisco [26] 23
*Mar 22 22:31:03.268: RADIUS: cisco-nas-port [2] 17 "FastEthernet0/9"
*Mar 22 22:31:03.268: RADIUS: NAS-Port [5] 6 50009
*Mar 22 22:31:03.268: RADIUS: NAS-Port-Id [87] 17 "FastEthernet0/9"
*Mar 22 22:31:03.268: RADIUS: State [24] 18
*Mar 22 22:31:03.268: RADIUS: DD C5 47 5C D1 CB 5E 0E A8 7B F5 1C F4 F8 30 A1 [ G\^{0]
*Mar 22 22:31:03.268: RADIUS: NAS-IP-Address [4] 6 10.40.0.13
*Mar 22 22:31:03.268: RADIUS(00000147): Sending a IPv4 Radius Packet
*Mar 22 22:31:03.268: RADIUS(00000147): Started 5 sec timeout
*Mar 22 22:31:03.327: RADIUS: Received from id 1645/83 10.110.11.8:1812, Access-Challenge, len 150
*Mar 22 22:31:03.327: RADIUS: authenticator 03 03 A0 B7 12 8B D6 05 - 30 2C A4 30 8A BA 2D 73
*Mar 22 22:31:03.327: RADIUS: EAP-Message [79] 94
*Mar 22 22:31:03.327: RADIUS: 01 0F 00 5C 19 00 17 03 03 00 51 6B 90 2C A0 E5 01 17 B2 D7 81 11 F0 62 7B C3 28 C7 11 38 15 FC D6 D3 8F EA F2 C5 8D E8 B0 1D 2C B5 B9 9D 6F DB 96 E6 1E A9 F9 72 33 70 F3 88 6F 35 6E [\Qk,b{(8,or3po5n]
*Mar 22 22:31:03.327: RADIUS: F2 7D C4 2E 90 BA A2 A0 67 61 EB 3C D4 2C 9C 85 E8 E9 AB 61 19 11 7C 44 61 2C 5A 63 7F F3 D1 [ }.ga<,a|Da,Zc]
*Mar 22 22:31:03.327: RADIUS: Message-Authenticato[80] 18
*Mar 22 22:31:03.327: RADIUS: B6 76 AA 93 42 A5 F5 A8 21 CA 68 C6 E6 57 B2 D4 [ vB!hW]
*Mar 22 22:31:03.327: RADIUS: State [24] 18
*Mar 22 22:31:03.327: RADIUS: DD C5 47 5C D0 CA 5E 0E A8 7B F5 1C F4 F8 30 A1 [ G\^{0]
*Mar 22 22:31:03.327: RADIUS(00000147): Received from id 1645/83
*Mar 22 22:31:03.327: RADIUS/DECODE: EAP-Message fragments, 92, total 92 bytes
*Mar 22 22:31:03.335: AAA SRV(00000147): protocol reply GET_CHALLENGE_RESPONSE for Authentication
*Mar 22 22:31:03.335: AAA SRV(00000147): Return Authentication status=GET_CHALLENGE_RESPONSE
*Mar 22 22:31:03.385: AAA SRV(00000147): process authen req
*Mar 22 22:31:03.385: AAA SRV(00000147): Authen method=SERVER_GROUP radius
*Mar 22 22:31:03.385: RADIUS/ENCODE(00000147):Orig. component type = Dot1X
*Mar 22 22:31:03.385: RADIUS(00000147): Config NAS IP: 0.0.0.0
*Mar 22 22:31:03.385: RADIUS(00000147): Config NAS IPv6: ::
*Mar 22 22:31:03.385: RADIUS/ENCODE(00000147): acct_session_id: 301
*Mar 22 22:31:03.394: RADIUS(00000147): sending
*Mar 22 22:31:03.394: RADIUS/ENCODE: Best Local IP-Address 10.40.0.13 for Radius-Server 10.110.11.8
*Mar 22 22:31:03.394: RADIUS(00000147): Send Access-Request to 10.110.11.8:1812 id 1645/84, len 322
*Mar 22 22:31:03.394: RADIUS: authenticator 1D DE 15 9F DC FF C6 F6 - E4 32 D7 A6 58 35 A7 D0
*Mar 22 22:31:03.394: RADIUS: User-Name [1] 35 "****************************"
*Mar 22 22:31:03.394: RADIUS: Service-Type [6] 6 Framed [2]
*Mar 22 22:31:03.394: RADIUS: Vendor, Cisco [26] 27
*Mar 22 22:31:03.394: RADIUS: Cisco AVpair [1] 21 "service-type=Framed"
*Mar 22 22:31:03.394: RADIUS: Framed-IP-Address [8] 6 172.30.0.32
*Mar 22 22:31:03.394: RADIUS: Framed-MTU [12] 6 1500
*Mar 22 22:31:03.394: RADIUS: Called-Station-Id [30] 19 "E0-AC-F1-82-55-89"
*Mar 22 22:31:03.394: RADIUS: Calling-Station-Id [31] 19 "00-E0-4C-78-02-81"
*Mar 22 22:31:03.394: RADIUS: EAP-Message [79] 39
*Mar 22 22:31:03.394: RADIUS: 02 0F 00 25 19 00 17 03 03 00 1A 00 00 00 00 00 00 00 09 1D 49 D6 86 C1 06 66 35 37 7F C3 46 2F 70 EB 1E FE 61 [ ?If57F/pa]
*Mar 22 22:31:03.394: RADIUS: Message-Authenticato[80] 18
*Mar 22 22:31:03.394: RADIUS: 23 2B E2 43 42 8B A9 BE 7D 52 E1 1B 08 3F 3E CF [ #+CB}R?>]
*Mar 22 22:31:03.394: RADIUS: EAP-Key-Name [102] 2 *
*Mar 22 22:31:03.394: RADIUS: Vendor, Cisco [26] 49
*Mar 22 22:31:03.394: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A28000D0000010C70FA5BC0"
*Mar 22 22:31:03.394: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Mar 22 22:31:03.394: RADIUS: Vendor, Cisco [26] 23
*Mar 22 22:31:03.394: RADIUS: cisco-nas-port [2] 17 "FastEthernet0/9"
*Mar 22 22:31:03.394: RADIUS: NAS-Port [5] 6 50009
*Mar 22 22:31:03.394: RADIUS: NAS-Port-Id [87] 17 "FastEthernet0/9"
*Mar 22 22:31:03.394: RADIUS: State [24] 18
*Mar 22 22:31:03.394: RADIUS: DD C5 47 5C D0 CA 5E 0E A8 7B F5 1C F4 F8 30 A1 [ G\^{0]
*Mar 22 22:31:03.394: RADIUS: NAS-IP-Address [4] 6 10.40.0.13
*Mar 22 22:31:03.394: RADIUS(00000147): Sending a IPv4 Radius Packet
*Mar 22 22:31:03.394: RADIUS(00000147): Started 5 sec timeout
*Mar 22 22:31:03.889: RADIUS: Received from id 1645/84 10.110.11.8:1812, Access-Challenge, len 104
*Mar 22 22:31:03.889: RADIUS: authenticator 1D 22 56 FA 21 F1 8A B5 - 71 3C B1 7A 08 19 9A 48
*Mar 22 22:31:03.889: RADIUS: EAP-Message [79] 48
*Mar 22 22:31:03.889: RADIUS: 01 10 00 2E 19 00 17 03 03 00 23 6B 90 2C A0 E5 01 17 B3 B5 77 6B 65 AD 55 20 39 F4 C2 09 EF 12 4D BC 34 FE B7 2C F4 12 10 55 D5 99 2B 22 [ .#k,wkeU 9M4,U+"]
*Mar 22 22:31:03.897: RADIUS: Message-Authenticato[80] 18
*Mar 22 22:31:03.897: RADIUS: 90 B0 E7 07 BC 4C 73 04 81 DE F2 1B 0D 30 81 F1 [ Ls0]
*Mar 22 22:31:03.897: RADIUS: State [24] 18
*Mar 22 22:31:03.897: RADIUS: DD C5 47 5C D3 D5 5E 0E A8 7B F5 1C F4 F8 30 A1 [ G\^{0]
*Mar 22 22:31:03.897: RADIUS(00000147): Received from id 1645/84
*Mar 22 22:31:03.897: RADIUS/DECODE: EAP-Message fragments, 46, total 46 bytes
*Mar 22 22:31:03.897: AAA SRV(00000147): protocol reply GET_CHALLENGE_RESPONSE for Authentication
*Mar 22 22:31:03.897: AAA SRV(00000147): Return Authentication status=GET_CHALLENGE_RESPONSE
*Mar 22 22:31:04.719: AAA SRV(00000147): process authen req
*Mar 22 22:31:04.719: AAA SRV(00000147): Authen method=SERVER_GROUP radius
*Mar 22 22:31:04.719: RADIUS/ENCODE(00000147):Orig. component type = Dot1X
*Mar 22 22:31:04.719: RADIUS(00000147): Config NAS IP: 0.0.0.0
*Mar 22 22:31:04.719: RADIUS(00000147): Config NAS IPv6: ::
*Mar 22 22:31:04.719: RADIUS/ENCODE(00000147): acct_session_id: 301
*Mar 22 22:31:04.719: RADIUS(00000147): sending
*Mar 22 22:31:04.728: RADIUS/ENCODE: Best Local IP-Address 10.40.0.13 for Radius-Server 10.110.11.8
*Mar 22 22:31:04.728: RADIUS(00000147): Send Access-Request to 10.110.11.8:1812 id 1645/85, len 331
*Mar 22 22:31:04.728: RADIUS: authenticator 02 13 76 CD 8A 02 EC 9A - F6 14 41 F3 F1 B9 AF 58
*Mar 22 22:31:04.728: RADIUS: User-Name [1] 35 "****************************"
*Mar 22 22:31:04.728: RADIUS: Service-Type [6] 6 Framed [2]
*Mar 22 22:31:04.728: RADIUS: Vendor, Cisco [26] 27
*Mar 22 22:31:04.728: RADIUS: Cisco AVpair [1] 21 "service-type=Framed"
*Mar 22 22:31:04.728: RADIUS: Framed-IP-Address [8] 6 172.30.0.32
*Mar 22 22:31:04.728: RADIUS: Framed-MTU [12] 6 1500
*Mar 22 22:31:04.728: RADIUS: Called-Station-Id [30] 19 "E0-AC-F1-82-55-89"
*Mar 22 22:31:04.728: RADIUS: Calling-Station-Id [31] 19 "00-E0-4C-78-02-81"
*Mar 22 22:31:04.728: RADIUS: EAP-Message [79] 48
*Mar 22 22:31:04.736: RADIUS: 02 10 00 2E 19 00 17 03 03 00 23 00 00 00 00 00 00 00 0A 32 A4 DC 76 26 69 89 07 11 73 2A A5 EE 74 94 91 6E 69 C7 07 8F 6E D6 68 74 32 0E [ .#2v&is*tninht2]
*Mar 22 22:31:04.736: RADIUS: Message-Authenticato[80] 18
*Mar 22 22:31:04.736: RADIUS: 10 8D 1F 7B 99 4F 63 45 2E C0 CD 5B FC 50 C8 F5 [ {OcE.[P]
*Mar 22 22:31:04.736: RADIUS: EAP-Key-Name [102] 2 *
*Mar 22 22:31:04.736: RADIUS: Vendor, Cisco [26] 49
*Mar 22 22:31:04.736: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A28000D0000010C70FA5BC0"
*Mar 22 22:31:04.736: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Mar 22 22:31:04.736: RADIUS: Vendor, Cisco [26] 23
*Mar 22 22:31:04.736: RADIUS: cisco-nas-port [2] 17 "FastEthernet0/9"
*Mar 22 22:31:04.736: RADIUS: NAS-Port [5] 6 50009
*Mar 22 22:31:04.736: RADIUS: NAS-Port-Id [87] 17 "FastEthernet0/9"
*Mar 22 22:31:04.736: RADIUS: State [24] 18
*Mar 22 22:31:04.736: RADIUS: DD C5 47 5C D3 D5 5E 0E A8 7B F5 1C F4 F8 30 A1 [ G\^{0]
*Mar 22 22:31:04.736: RADIUS: NAS-IP-Address [4] 6 10.40.0.13
*Mar 22 22:31:04.736: RADIUS(00000147): Sending a IPv4 Radius Packet
*Mar 22 22:31:04.736: RADIUS(00000147): Started 5 sec timeout
*Mar 22 22:31:04.795: RADIUS: Received from id 1645/85 10.110.11.8:1812, Access-Accept, len 218
*Mar 22 22:31:04.795: RADIUS: authenticator 45 95 E6 06 39 53 AF B5 - 2E 3C 60 38 B0 BA 19 D8
*Mar 22 22:31:04.795: RADIUS: User-Name [1] 35 "********************************"
*Mar 22 22:31:04.795: RADIUS: Vendor, Microsoft [26] 58
*Mar 22 22:31:04.795: RADIUS: MS-MPPE-Recv-Key [17] 52 *
*Mar 22 22:31:04.795: RADIUS: Vendor, Microsoft [26] 58
*Mar 22 22:31:04.795: RADIUS: MS-MPPE-Send-Key [16] 52 *
*Mar 22 22:31:04.795: RADIUS: EAP-Message [79] 6
*Mar 22 22:31:04.795: RADIUS: 03 10 00 04
*Mar 22 22:31:04.795: RADIUS: Message-Authenticato[80] 18
*Mar 22 22:31:04.795: RADIUS: 7E 94 50 0B E7 8B 2A 4B DD 5B 0D 41 87 2A D0 32 [ ~P*K[A*2]
*Mar 22 22:31:04.795: RADIUS: Tunnel-Private-Group[81] 5 "231"
*Mar 22 22:31:04.795: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
*Mar 22 22:31:04.795: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
*Mar 22 22:31:04.795: RADIUS: Filter-Id [11] 6
*Mar 22 22:31:04.795: RADIUS: 74 65 73 74 [ test]
*Mar 22 22:31:04.795: RADIUS(00000147): Received from id 1645/85
*Mar 22 22:31:04.795: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
*Mar 22 22:31:04.795: AAA SRV(00000147): protocol reply PASS for Authentication
*Mar 22 22:31:04.795: AAA SRV(00000147): Return Authentication status=PASS
*Mar 22 22:31:04.795: AAA/AUTHOR (00000147): Method list id=0 not configured. Skip author
*Mar 22 22:31:04: %DOT1X-5-SUCCESS: Authentication successful for client (00e0.4c78.0281) on Interface Fa0/9 AuditSessionID 0A28000D0000010C70FA5BC0
*Mar 22 22:31:04: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (00e0.4c78.0281) on Interface Fa0/9 AuditSessionID 0A28000D0000010C70FA5BC0
*Mar 22 22:31:05.508: AAA/AUTHOR: auth_need : user= '****' ruser= 'Cisco2960-FL15-LAB'rem_addr= '10.110.11.7' priv= 1 list= '' AUTHOR-TYPE= 'commands'
*Mar 22 22:31:06: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (00e0.4c78.0281) on Interface Fa0/9 AuditSessionID 0A28000D0000010C70FA5BC0
*Mar 22 22:31:06.305: AAA SRV(147): process acct req
*Mar 22 22:31:06.305: RADIUS/ENCODE(00000147):Orig. component type = Dot1X
*Mar 22 22:31:06.305: RADIUS(00000147): Config NAS IP: 0.0.0.0
*Mar 22 22:31:06.305: RADIUS(00000147): Config NAS IPv6: ::
*Mar 22 22:31:06.305: RADIUS(00000147): sending
*Mar 22 22:31:06.347: RADIUS/ENCODE: Best Local IP-Address 10.40.0.13 for Radius-Server 10.110.11.8
*Mar 22 22:31:06.347: RADIUS(00000147): Send Accounting-Request to 10.110.11.8:1813 id 1646/28, len 282
*Mar 22 22:31:06.347: RADIUS: authenticator E9 17 AD 42 97 E3 64 39 - 85 2D 3C C7 06 C5 9F ED
*Mar 22 22:31:06.347: RADIUS: Acct-Session-Id [44] 10 "0000012D"
*Mar 22 22:31:06.347: RADIUS: Calling-Station-Id [31] 19 "00-E0-4C-78-02-81"
*Mar 22 22:31:06.347: RADIUS: Vendor, Cisco [26] 49
*Mar 22 22:31:06.347: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A28000D0000010C70FA5BC0"
*Mar 22 22:31:06.347: RADIUS: Framed-IP-Address [8] 6 172.30.0.32
*Mar 22 22:31:06.347: RADIUS: User-Name [1] 35 "********************************"
*Mar 22 22:31:06.347: RADIUS: Vendor, Cisco [26] 32
*Mar 22 22:31:06.347: RADIUS: Cisco AVpair [1] 26 "connect-progress=Call Up"
*Mar 22 22:31:06.347: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
*Mar 22 22:31:06.347: RADIUS: Acct-Status-Type [40] 6 Start [1]
*Mar 22 22:31:06.347: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Mar 22 22:31:06.355: RADIUS: Vendor, Cisco [26] 23
*Mar 22 22:31:06.355: RADIUS: cisco-nas-port [2] 17 "FastEthernet0/9"
*Mar 22 22:31:06.355: RADIUS: NAS-Port [5] 6 50009
*Mar 22 22:31:06.355: RADIUS: NAS-Port-Id [87] 17 "FastEthernet0/9"
*Mar 22 22:31:06.355: RADIUS: Called-Station-Id [30] 19 "E0-AC-F1-82-55-89"
*Mar 22 22:31:06.355: RADIUS: Service-Type [6] 6 Framed [2]
*Mar 22 22:31:06.355: RADIUS: NAS-IP-Address [4] 6 10.40.0.13
*Mar 22 22:31:06.355: RADIUS: Ascend-Session-Svr-K[151] 10
*Mar 22 22:31:06.355: RADIUS: 45 34 36 42 45 33 46 43 [ E46BE3FC]
*Mar 22 22:31:06.355: RADIUS: Acct-Delay-Time [41] 6 0
*Mar 22 22:31:06.355: RADIUS(00000147): Sending a IPv4 Radius Packet
*Mar 22 22:31:06.355: RADIUS(00000147): Started 5 sec timeout
*Mar 22 22:31:06.724: RADIUS: Received from id 1646/28 10.110.11.8:1813, Accounting-response, len 20
*Mar 22 22:31:06.724: RADIUS: authenticator 08 05 5C CF 0F 8C 84 F9 - 1D 9A 95 D9 0B F8 03 56
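The debug above already contains the answer to the "Authz success but nothing applied" half of the question: the Access-Accept carries the VLAN and Filter-Id attributes, and the very next AAA line says the switch skipped authorization because no method list is configured. The following triage script is an added illustration, not code from the post or from Cisco; it walks the decisive lines (copied verbatim from the debug) and states the finding in the post's own terms.

```python
import re

# Constructed excerpt: the decisive lines, copied verbatim from the debug output posted above.
DEBUG_LOG = """\
*Mar 22 22:31:04.795: RADIUS: Received from id 1645/85 10.110.11.8:1812, Access-Accept, len 218
*Mar 22 22:31:04.795: RADIUS: Tunnel-Private-Group[81] 5 "231"
*Mar 22 22:31:04.795: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
*Mar 22 22:31:04.795: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
*Mar 22 22:31:04.795: RADIUS: Filter-Id [11] 6
*Mar 22 22:31:04.795: RADIUS(00000147): Received from id 1645/85
*Mar 22 22:31:04.795: AAA/AUTHOR (00000147): Method list id=0 not configured. Skip author
*Mar 22 22:31:06: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (00e0.4c78.0281) on Interface Fa0/9 AuditSessionID 0A28000D0000010C70FA5BC0
"""

# Attributes that carry per-session authorization: VLAN (RFC 3580 tunnel attrs) and ACL name (Filter-Id).
AUTHZ_ATTRS = {"Tunnel-Private-Group", "Tunnel-Type", "Tunnel-Medium-Type", "Filter-Id"}
ACCEPT_RE = re.compile(r"RADIUS: Received from id (\S+) .*?, Access-Accept")
ATTR_RE = re.compile(r"RADIUS: ([A-Za-z-]+)\s*\[\d+\]")
SKIP_RE = re.compile(r"AAA/AUTHOR \(\w+\): Method list id=\d+ not configured\. Skip author")

def triage(log: str) -> dict:
    """Relate what the server sent in the Access-Accept to what the switch then did with it."""
    r = {"accept_id": None, "authz_attrs": [], "author_skipped": False, "authz_success": False}
    in_accept = False  # True while we are inside the decoded Access-Accept attribute list
    for line in log.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            r["accept_id"], in_accept = m.group(1), True
        elif "RADIUS(" in line:  # 'RADIUS(sid): Received from id ...' closes the decoded packet
            in_accept = False
        elif in_accept and (m := ATTR_RE.search(line)) and m.group(1) in AUTHZ_ATTRS:
            r["authz_attrs"].append(m.group(1))
        elif SKIP_RE.search(line):
            r["author_skipped"] = True
        elif "%AUTHMGR-5-SUCCESS" in line:  # this is the 'Authz success' the session status shows
            r["authz_success"] = True
    return r

def finding(log: str) -> str:
    """One-line diagnosis in the terms the post uses."""
    r = triage(log)
    if r["authz_attrs"] and r["author_skipped"]:
        return ("Access-Accept id %s carried %s, but the switch has no network authorization "
                "method list and skipped them; needs 'aaa authorization network default group radius'"
                % (r["accept_id"], ", ".join(r["authz_attrs"])))
    if r["authz_attrs"]:
        return "authorization attributes received; no 'Skip author' seen"
    return "no authorization attributes in the Access-Accept"
```

The AUTHMGR success line is what the session status reports as "Authz success"; it only says the session moved past the authorization stage, not that any RADIUS attribute was applied.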

1 Reply

Hi @citestsco,

Please double-check that you have the following lines (for example):

(config)# aaa server radius dynamic-author
(config-xxx)# client <LB1/PSN1 IP Addr> server-key <shared-secret>

Hope this helps!!!
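Why a missing or mismatched server-key shows up as "Illegal authenticator": the switch recomputes the CoA Request Authenticator with the key it has for that client, as RFC 5176 specifies, and discards the packet when the result differs. The script below is an added illustration, not code from the reply or from Cisco; the session attribute values are copied from the debug above, the shared secret is a placeholder, and only the Request Authenticator check is modelled (not the Message-Authenticator HMAC).

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43  # RADIUS Code for CoA-Request (RFC 5176)

def attr(attr_type: int, value: bytes) -> bytes:
    """Plain RADIUS attribute: Type, Length (including this 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def cisco_avpair(value: bytes) -> bytes:
    """Vendor-Specific (26) with Cisco vendor id 9 and sub-attribute 1 (cisco-avpair)."""
    sub = struct.pack("!BB", 1, len(value) + 2) + value
    return attr(26, struct.pack("!I", 9) + sub)

def build_coa_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """RFC 5176 s2.3: Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attrs + secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def request_authenticator_valid(packet: bytes, secret: bytes) -> bool:
    """What the receiving NAS does: recompute with its own server-key and compare in constant time."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)

def nas_verdict(packet: bytes, nas_secret: bytes, src: str) -> str:
    """Mirror the switch's log line: a key mismatch looks exactly like a forged or corrupted packet."""
    if request_authenticator_valid(packet, nas_secret):
        return "COA: accepted from %s" % src
    return "COA: Illegal authenticator in COA from %s" % src

# Constructed CoA-Request keyed on the session identifiers seen in the posted debug.
SESSION_ATTRS = (
    attr(44, b"0000012D")                     # Acct-Session-Id from the Accounting-Request
    + attr(31, b"00-E0-4C-78-02-81")          # Calling-Station-Id of the client
    + cisco_avpair(b"audit-session-id=0A28000D0000010C70FA5BC0")
    + cisco_avpair(b"subscriber:command=reauthenticate")
)
SERVER_KEY = b"example-shared-secret"  # placeholder: the key configured on the RADIUS server side
COA = build_coa_request(0x2A, SESSION_ATTRS, SERVER_KEY)
```

The switch only knows a key for a CoA source once that source is listed under `aaa server radius dynamic-author` with a matching `server-key`; a different key (or none) makes every CoA, regardless of type, fail this check.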