C2960X NAC Not Working

KayChan
Level 1

Hi All,

We have applied the NAC settings on a 2960S. It is working properly without issue.

When we applied the same settings on a 2960X, it doesn't work.

IOS: WS-C2960XR-48TS-I 15.2(2)E4

===================================================================================

Here are the settings:


aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
aaa session-id common
!
authentication mac-move permit
dot1x system-auth-control
!
interface GigabitEthernet2/0/11
 description MeetingRm1-D55
 switchport access vlan 150
 switchport mode access
 authentication event fail retry 4 action authorize vlan 300
 authentication event server dead action authorize vlan 150
 authentication event no-response action authorize vlan 300
 authentication order mab
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 mab
 spanning-tree portfast
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 10 tries 3
radius-server host 192.168.97.100 auth-port 1812 acct-port 1813 key 7 1218071443595F
radius-server deadtime 10
!

Log:

===================================================================================

BJSSTK0001#sh authentication sessions

Interface    MAC Address    Method  Domain  Status Fg Session ID
Gi2/0/11     00e0.4cf0.d72f mab     UNKNOWN Auth      C0A896020000004837D71D49

Session count = 1

Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
N - Waiting for AAA to come up
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker
BJSSTK0001#
BJSSTK0001#sh authentication sessions int

Dec 12 09:27:39.036: RADIUS: No response from (192.168.97.100:1812,1813) for id 1646/188
Dec 12 09:27:39.036: %RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message Start for session 00000030 failed to receive Accounting Response.
Dec 12 09:27:39.036: RADIUS/DECODE: No response from radius-server; parse response; FAIL
Dec 12 09:27:39.036: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
Dec 12 09:27:39.036: AUTH-EVENT: Auth-mgr aaa_acct_reply

4 Replies

Damien Miller
VIP Alumni
The logs indicate a communication issue with ISE, so return to the basics. Ensure the switch is able to communicate with ISE on the interface defined as the radius source interface. Confirm that the RADIUS keys defined on the switch and in ISE match and the NAD is defined in ISE.
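
A worked example of the exchange Damien is describing, added here as an editorial illustration and not code posted in the thread: it builds a MAB Access-Request the way the switch does (User-Name and User-Password both set to the MAC, Service-Type Call-Check, Calling-Station-Id in IETF upper-case form, Message-Authenticator over the whole packet, the same attributes the `debug radius` output further down shows) and then evaluates it the way a RADIUS server does under its own copy of the shared secret. The security-relevant point is the failure mode: when attribute 80 (Message-Authenticator) is present and the keys differ, RFC 2869 has the server silently discard the request rather than send an Access-Reject, so from the switch a wrong key looks exactly like a dead server. The shared secret, the "typo" secret and the authorised-MAC table are constructed values; the MAC and NAS IP are the ones in the thread.

```python
"""Build a RADIUS MAB Access-Request like a Cisco switch (RFC 2865 / RFC 2869) and
evaluate it like the server. Added example; secret and MAC table are constructed."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
CALLING_STATION_ID, NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 31, 61, 80
SERVICE_TYPE_CALL_CHECK = 10      # Service-Type the switch sends for MAB
NAS_PORT_TYPE_ETHERNET = 15

def _avp(attr_type, value):
    """One Type-Length-Value attribute; Length includes the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value

def encrypt_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))  # ciphertext block
        out += prev
    return out

def decrypt_password(ciphertext, secret, authenticator):
    """Inverse of encrypt_password; trailing NUL padding removed."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = ciphertext[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return out.rstrip(b"\x00")

def normalise_mac(mac):
    """'6c2b.59d8.4a1c' -> ('6c2b59d84a1c', '6C-2B-59-D8-4A-1C'): User-Name as the switch
    sends it, and Calling-Station-Id under 'attribute 31 mac format ietf upper-case'."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a MAC address: %r" % mac)
    return digits, "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def build_access_request(mac, secret, nas_ip, ident, authenticator=None):
    """Access-Request for MAB: User-Name = User-Password = MAC, Service-Type Call-Check,
    Message-Authenticator (attr 80) computed over the whole packet."""
    username, calling_station = normalise_mac(mac)
    authenticator = authenticator or os.urandom(16)
    attrs = (
        _avp(USER_NAME, username.encode())
        + _avp(USER_PASSWORD, encrypt_password(username.encode(), secret, authenticator))
        + _avp(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
        + _avp(CALLING_STATION_ID, calling_station.encode())
        + _avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
        + _avp(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
        + _avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # zero placeholder, last attribute
    )
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    # RFC 2869 5.14: HMAC-MD5 keyed with the shared secret over the packet with attr 80 zeroed.
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def parse_attributes(packet):
    """Yield (type, value, offset_of_value) for every attribute after the 20-octet header."""
    pos = 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield attr_type, packet[pos + 2:pos + length], pos + 2
        pos += length

def server_decision(packet, secret, authorised_macs):
    """What a RADIUS server does with the request under *its* copy of the shared secret."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return "silently discarded"
    attrs = {t: (v, off) for t, v, off in parse_attributes(packet)}
    if MESSAGE_AUTHENTICATOR in attrs:
        value, off = attrs[MESSAGE_AUTHENTICATOR]
        zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
        if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value):
            # Secret mismatch: RFC 2869 says discard, not reject. The NAS only ever sees a
            # timeout, i.e. the "No response from radius-server" lines in the thread.
            return "silently discarded"
    username = attrs[USER_NAME][0].decode()
    password = decrypt_password(attrs[USER_PASSWORD][0], secret, packet[4:20]).decode(errors="replace")
    return "Access-Accept" if username in authorised_macs and password == username else "Access-Reject"

if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed; not the thread's key
    request = build_access_request("6c2b.59d8.4a1c", secret, "192.168.150.2", ident=47)
    print(server_decision(request, secret, {"6c2b59d84a1c"}))          # Access-Accept
    print(server_decision(request, b"typo-in-ise", {"6c2b59d84a1c"}))  # silently discarded
```

The same packet goes from Access-Accept to "silently discarded" when only the server-side secret changes, which is why checking the key (and that the NAD is defined in ISE at all) comes before anything else: neither case produces a reply the switch could log. Without attribute 80 a wrong key would instead scramble the User-Password and usually surface as an Access-Reject, but Cisco IOS sends Message-Authenticator on MAB requests, so the key problem only ever appears as the retransmit-and-timeout pattern.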

Thanks for your reply.

I retested the key. I'm pretty sure the key is correct.
I tried using ip radius source-interface vlan150.

This is the config we have applied now:

Config
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
aaa new-model
!
!
aaa group server radius NACSvr
 server name HKGNAC0001
!
aaa authentication dot1x default group NACSvr
aaa authorization network default group NACSvr
aaa accounting dot1x default start-stop group NACSvr
aaa accounting system default start-stop group NACSvr
!
!
!
!
!
aaa server radius dynamic-author
 client 192.168.97.100 server-key 7 130415115A5E57
!
authentication mac-move permit
dot1x system-auth-control
dot1x guest-vlan supplicant
dot1x critical eapol
!
interface GigabitEthernet2/0/6
 description MeetingRm1-D50
 switchport access vlan 150
 switchport mode access
 authentication event fail retry 4 action authorize vlan 300
 authentication event server dead action authorize vlan 150
 authentication event no-response action authorize vlan 300
 authentication order mab
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 mab
 spanning-tree portfast
!
ip radius source-interface Vlan150
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 10 tries 3
radius-server deadtime 10
!
radius server HKGNAC0001
 address ipv4 192.168.97.100 auth-port 1812 acct-port 1813
 key 7 03055908575D72
!
!
BJSSTK0001# sh authentication session

Interface    MAC Address    Method  Domain  Status Fg Session ID
Gi2/0/6      6c2b.59d8.4a1c mab     UNKNOWN Auth      C0A896020000005E3CA5BB44

Session count = 1

Key to Session Events Blocked Status Flags:

  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  N - Waiting for AAA to come up
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker
BJSSTK0001#

Log
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
Dec 13 07:34:11.774: AUTH-EVENT: [6c2b.59d8.4a1c, Gi2/0/6] Handling external PRE event AuthZ Success for context 0xFA000031.
Dec 13 07:34:11.774: AAA/AUTHEN/8021X (00000000): Pick method list 'default'
Dec 13 07:34:11.777: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified
Dec 13 07:34:11.777: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Dec 13 07:34:11.777: RADIUS(00000000): Config NAS IP: 192.168.150.2
Dec 13 07:34:11.777: RADIUS(00000000): Config NAS IPv6: ::
Dec 13 07:34:11.777: RADIUS(00000000): sending
Dec 13 07:34:11.777: RADIUS(00000000): Send Access-Request to 192.168.97.100:1812 id 1645/47, len 260
Dec 13 07:34:11.777: RADIUS:  authenticator 8F A0 BF E5 D7 CA 8F 0A - 8E 65 6C 47 78 A6 5E ED
Dec 13 07:34:11.777: RADIUS:  User-Name           [1]   14  "6c2b59d84a1c"
Dec 13 07:34:11.777: RADIUS:  User-Password       [2]   18  *
Dec 13 07:34:11.777: RADIUS:  Service-Type        [6]   6   Call Check                [10]
Dec 13 07:34:11.777: RADIUS:  Vendor, Cisco       [26]  31
Dec 13 07:34:11.777: RADIUS:   Cisco AVpair       [1]   25  "service-type=Call Check"
Dec 13 07:34:11.777: RADIUS:  Framed-MTU          [12]  6   1500
Dec 13 07:34:11.777: RADIUS:  Called-Station-Id   [30]  19  "00-56-2B-FE-01-06"
Dec 13 07:34:11.777: RADIUS:  Calling-Station-Id  [31]  19  "6C-2B-59-D8-4A-1C"
Dec 13 07:34:11.777: RADIUS:  Message-Authenticato[80]  18
Dec 13 07:34:11.781: RADIUS:   45 EE B6 AF 51 4F 29 E8 B6 23 C5 20 48 D3 95 6C          [ EQO)# Hl]
Dec 13 07:34:11.781: RADIUS:  EAP-Key-Name        [102] 2   *
Dec 13 07:34:11.781: RADIUS:  Vendor, Cisco       [26]  49
Dec 13 07:34:11.781: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A896020000005E3CA5BB44"
Dec 13 07:34:11.781: RADIUS:  Vendor, Cisco       [26]  18
Dec 13 07:34:11.781: RADIUS:   Cisco AVpair       [1]   12  "method=mab"
Dec 13 07:34:11.781: RADIUS:  NAS-IP-Address      [4]   6   192.168.150.2
Dec 13 07:34:11.781: RADIUS:  NAS-Port-Id         [87]  22  "GigabitEthernet2/0/6"
Dec 13 07:34:11.781: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
Dec 13 07:34:11.781: RADIUS:  NAS-Port            [5]   6   50206
Dec 13 07:34:11.781: RADIUS(00000000): Sending a IPv4 Radius Packet
Dec 13 07:34:11.781: RADIUS(00000000): Started 5 sec timeout
Dec 13 07:34:12.379: AAA/AUTHOR: auth_need : user= 'aedas' ruser= 'BJSSTK0001'rem_addr= '192.168.98.82' priv= 15 list= '' AUTHOR-TYPE= 'commands'
Dec 13 07:34:13.612: AAA/AUTHOR: auth_need : user= 'aedas' ruser= 'BJSSTK0001'rem_addr= '192.168.98.82' priv= 15 list= '' AUTHOR-TYPE= 'commands'
Dec 13 07:34:13.717: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/6, changed state to up
Dec 13 07:34:14.280: AAA/AUTHOR: auth_need : user= 'aedas' ruser= 'BJSSTK0001'rem_addr= '192.168.98.82' priv= 15 list= '' AUTHOR-TYPE= 'commands'
Dec 13 07:34:15.413: %SW_MATM-4-MACFLAP_NOTIF: Host 0015.5d96.8103 in vlan 150 is flapping between port Gi1/0/41 and port Gi2/0/44
Dec 13 07:34:15.444: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/6, changed state to up
Dec 13 07:34:15.465: AAA/AUTHOR: auth_need : user= 'aedas' ruser= 'BJSSTK0001'rem_addr= '192.168.98.82' priv= 15 list= '' AUTHOR-TYPE= 'commands'
Dec 13 07:34:17.262: RADIUS(00000000): Request timed out!
Dec 13 07:34:17.262: RADIUS: Retransmit to (192.168.97.100:1812,1813) for id 1645/46
Dec 13 07:34:17.262: RADIUS(00000000): Started 5 sec timeout
Dec 13 07:34:17.331: RADIUS(00000000): Request timed out!
Dec 13 07:34:17.331: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.97.100:1812,1813 is not responding.
Dec 13 07:34:17.331: RADIUS: Retransmit to (192.168.97.100:1812,1813) for id 1645/47
Dec 13 07:34:17.331: RADIUS(00000000): Started 5 sec timeout
Dec 13 07:34:21.421: %SW_MATM-4-MACFLAP_NOTIF: Host 0015.5d96.0702 in vlan 150 is flapping between port Gi1/0/41 and port Gi2/0/44
Dec 13 07:34:21.582: %SW_MATM-4-MACFLAP_NOTIF: Host 0015.5d96.8100 in vlan 150 is flapping between port Gi1/0/41 and port Gi2/0/44
Dec 13 07:34:22.298: RADIUS(00000000): Request timed out!
Dec 13 07:34:22.298: RADIUS: Retransmit to (192.168.97.100:1812,1813) for id 1645/46
Dec 13 07:34:22.298: RADIUS(00000000): Started 5 sec timeout
Dec 13 07:34:22.368: RADIUS(00000000): Request timed out!
Dec 13 07:34:22.372: RADIUS: Retransmit to (192.168.97.100:1812,1813) for id 1645/47
Dec 13 07:34:22.372: RADIUS(00000000): Started 5 sec timeout
Dec 13 07:34:27.328: RADIUS(00000000): Request timed out!
Dec 13 07:34:27.328: RADIUS: Retransmit to (192.168.97.100:1812,1813) for id 1645/46
Dec 13 07:34:27.328: RADIUS(00000000): Started 5 sec timeout
Dec 13 07:34:27.408: RADIUS(00000000): Request timed out!
Dec 13 07:34:27.408: RADIUS: Retransmit to (192.168.97.100:1812,1813) for id 1645/47
Dec 13 07:34:27.412: RADIUS(00000000): Started 5 sec timeout
Dec 13 07:34:31.382: %SW_MATM-4-MACFLAP_NOTIF: Host 0015.5d96.8103 in vlan 150 is flapping between port Gi1/0/41 and port Gi2/0/44
Dec 13 07:34:32.368: RADIUS(00000000): Request timed out!
Dec 13 07:34:32.368: RADIUS: Retransmit to (192.168.97.100:1812,1813) for id 1645/46
Dec 13 07:34:32.368: RADIUS(00000000): Started 5 sec timeout
Dec 13 07:34:32.448: RADIUS(00000000): Request timed out!
Dec 13 07:34:32.448: RADIUS: Retransmit to (192.168.97.100:1812,1813) for id 1645/47
Dec 13 07:34:32.452: RADIUS(00000000): Started 5 sec timeout
Dec 13 07:34:35.143: %SW_MATM-4-MACFLAP_NOTIF: Host 0015.5d96.8100 in vlan 150 is flapping between port Gi1/0/41 and port Gi2/0/44
BJSSTK0001#

hslai
Cisco Employee

Please perform a tcpdump on the ISE side. If ISE is receiving the requests, check for any info in the ISE live logs.

If you need more help, please engage TAC.