08-03-2015 11:36 AM - edited 03-10-2019 10:57 PM
Hello,
This is a Catalyst 3850 pilot, so to speak (the C3750's MAB auth is working like a charm), and the strange thing is that I cannot see the RADIUS client on the switch sending packets anywhere:
#show radius statistics
                               Auth.   Acct.   Both
Maximum inQ length:            NA      NA      0
Maximum waitQ length:          NA      NA      0
Maximum doneQ length:          NA      NA      0
Total responses seen:          0       0       0
Packets with responses:        0       0       0
Packets without responses:     0       0       0
Access Rejects :               0
Average response delay(ms):    0       0       0
Maximum response delay(ms):    0       0       0
Number of Radius timeouts:     0       0       0
Duplicate ID detects:          0       0       0
Buffer Allocation Failures:    0       0       0
Maximum Buffer Size (bytes):   0       0       0
Malformed Responses :          0       0       0
Bad Authenticators :           0       0       0
Unknown Responses :            0       0       0
Source Port Range: (2 ports only)
  1645 - 1646
Last used Source Port/Identifier:
  1645/0
  1646/0
Elapsed time since counters last cleared: 6h44m
Radius Latency Distribution:
  <= 2ms : 0       0
  3-5ms  : 0       0
  5-10ms : 0       0
  10-20ms: 0       0
  20-50ms: 0       0
  50-100m: 0       0
  >100ms : 0       0
Current inQ length : 0
Current doneQ length: 0
#debug radius verbose
// All MAC addresses are unable to authenticate
#sh log
03007: Aug 3 17:55:20.239 UTC: %MAB-5-FAIL: Authentication failed for client (XXXX.XXXX.XXXX) on Interface Gi1/0/7 AuditSessionID XXXXXXXXXXXXXXXXXXXXXXXXXX
003008: Aug 3 17:55:20.239 UTC: %MAB-5-FAIL: Authentication failed for client (XXXX.XXXX.XXX) on Interface Gi1/0/7 AuditSessionID XXXXXXXXXXXXXXXXXXXXXXXXX
// There's a very interesting log entry in the MAB debug, "Invalid EVT 9 from EAP" (I have no idea what it could be)
#debug mab all
003085: Aug 3 18:04:26.146 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] Received MAB context create from AuthMgr
003086: Aug 3 18:04:26.146 UTC: mab-ev: MAB authorizing XXXX.XXXX.XXXX
003087: Aug 3 18:04:26.146 UTC: mab-ev: Created MAB client context 0x1B00004B
003088: Aug 3 18:04:26.146 UTC: mab : initial state mab_initialize has enter
003089: Aug 3 18:04:26.146 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] Sending create new context event to EAP from MAB for 0x1B00004B (XXXX.XXXX.XXXX)
003090: Aug 3 18:04:26.147 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] MAB authentication started for 0x536EE850 (XXXX.XXXX.XXXX)
003091: Aug 3 18:04:26.147 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] Invalid EVT 9 from EAP
003092: Aug 3 18:04:26.147 UTC: mab-sm: [XXXX.XXXX.XXXX, Gi1/0/48] Received event 'MAB_CONTINUE' on handle 0x1B00004B
003093: Aug 3 18:04:26.147 UTC: mab : during state mab_initialize, got event 1(mabContinue)
003094: Aug 3 18:04:26.147 UTC: @@@ mab : mab_initialize -> mab_authorizing
003095: Aug 3 18:04:26.147 UTC: mab-ev: [XXXX.XXXX.XXXX] formatted mac = XXXXXXXXXXXX
003096: Aug 3 18:04:26.147 UTC: mab-ev: [XXXX.XXXX.XXXX] created mab pseudo dot1x profile dot1x_mac_auth_XXXX.XXXX.XXXX
003097: Aug 3 18:04:26.148 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] Starting MAC-AUTH-BYPASS for 0x1B00004B (XXXX.XXXX.XXXX)
003098: Aug 3 18:04:26.148 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] Invalid EVT 9 from EAP
003099: Aug 3 18:04:26.148 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] MAB received an Access-Reject for 0x1B00004B (XXXX.XXXX.XXXX)
003100: Aug 3 18:04:26.148 UTC: %MAB-5-FAIL: Authentication failed for client (XXXX.XXXX.XXXX) on Interface Gi1/0/48 AuditSessionID 0A48021200000FD1007B87DE
003101: Aug 3 18:04:26.148 UTC: mab-sm: [XXXX.XXXX.XXXX, Gi1/0/48] Received event 'MAB_RESULT' on handle 0x1B00004B
003102: Aug 3 18:04:26.148 UTC: mab : during state mab_authorizing, got event 5(mabResult)
003103: Aug 3 18:04:26.148 UTC: @@@ mab : mab_authorizing -> mab_terminate
003104: Aug 3 18:04:26.149 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] Deleted credentials profile for 0x1B00004B (dot1x_mac_auth_XXXX.XXXX.XXXX)
003105: Aug 3 18:04:26.150 UTC: mab-sm: [XXXX.XXXX.XXXX, Gi1/0/48] Received event 'MAB_DELETE' on handle 0x1B00004B
The configuration is below:
aaa group server radius XXX-XXXXXX
 server 10.XX.XX.30
 server 10.XXX.XX.30
aaa authorization network default group XXX-XXXXXX none
aaa accounting dot1x default start-stop group XXX-XXXXXX
ip radius source-interface Loopback0
radius-server host 10.XX.XX.30 key 7 XXXXXXXXXXXXXXXXXXXXXXX
radius-server host 10.XXX.XX.30 key 7 XXXXXXXXXXXXXXXXXXXXXXX
radius-server retransmit 0
radius-server timeout 3
interface GigabitEthernet1/0/6
 description XXXX XXXXX
 switchport access vlan XXX
 switchport mode access
 switchport voice vlan XXX
 authentication host-mode multi-auth
 authentication order mab
 authentication port-control auto
 authentication timer restart 180
 mab
 no snmp trap link-status
 storm-control broadcast level 0.50
 spanning-tree portfast
end
#sh ver
Switch  Ports  Model          SW Version  SW Image               Mode
------  -----  -----          ----------  ----------             ----
*    1  56     WS-C3850-48P   03.07.02E   cat3k_caa-universalk9  INSTALL
     2  56     WS-C3850-48P   03.07.02E   cat3k_caa-universalk9  INSTALL
Any ideas?
P.
08-04-2015 01:05 AM
Just look at this:
(config)#radius-server ?
accounting Accounting information configuration
attribute Customize selected radius attributes
authorization Authorization processing information
backoff Retry backoff pattern(Default is retransmits with constant delay)
cache AAA auth cache default server group
challenge-noecho Data echoing to screen is disabled during Access-Challenge
configure-nas Attempt to upload static routes and IP pools at startup
dead-criteria Set the criteria used to decide when a radius server is marked dead
deadtime Time to stop using a server that doesn't respond
directed-request Allow user to specify radius server to use with `@server'
domain-stripping Strip the domain from the username
load-balance Radius load-balancing options.
optional-passwords The first RADIUS request can be made without requesting a password
retransmit Specify the number of retries to active server
retry Specify how the next packet is sent after timeout.
source-ports source ports used for sending out RADIUS requests
throttle Throttle requests to radius server
timeout Time to wait for a RADIUS server to reply
transaction Specify per-transaction parameters
unique-ident Higher order bits of Acct-Session-Id
vsa Vendor specific attribute configuration
There's no host statement, as you can see, but the full entry above is present in the configuration.
#show radius server-group
Server group XXX-XXXXX
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard  Memlocks = 1
    Server(10.XX.XX.30:1645,1646) Transactions:
    Authen: 0  Author: 0  Acct: 0
    Server_auto_test_enabled: FALSE
    Keywrap enabled: FALSE
    Server(10.XXX.XX.30:1645,1646) Transactions:
    Authen: 0  Author: 0  Acct: 0
    Server_auto_test_enabled: FALSE
    Keywrap enabled: FALSE
08-04-2015 02:35 AM
You're missing "aaa authentication dot1x".
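The fix the accepted answer points at, written out as a complete AAA block so the relationship between the posted symptoms and the missing line is visible. This is an added example, not configuration from the thread: it reuses the placeholder group name, addresses and keys from the original post, assumes `aaa new-model` was already present (the posted `aaa group server` stanza cannot exist without it), and adds the one method list that was missing. The `test aaa` username and password at the end are made-up placeholders.

```cisco
! Added example, not from the thread. Group name, addresses and keys are
! the placeholders used in the original post.
aaa new-model
!
aaa group server radius XXX-XXXXXX
 server 10.XX.XX.30
 server 10.XXX.XX.30
!
! The line the posted config lacked. MAB runs through the dot1x
! authentication method list, so without it the switch has no RADIUS
! method to call: the MAC is rejected locally, the MAB debug shows an
! Access-Reject with no Access-Request ever sent, and every counter in
! "show radius statistics" / "show radius server-group" stays at 0.
aaa authentication dot1x default group XXX-XXXXXX
aaa authorization network default group XXX-XXXXXX none
aaa accounting dot1x default start-stop group XXX-XXXXXX
!
ip radius source-interface Loopback0
radius-server host 10.XX.XX.30 key 7 XXXXXXXXXXXXXXXXXXXXXXX
radius-server host 10.XXX.XX.30 key 7 XXXXXXXXXXXXXXXXXXXXXXX
radius-server timeout 3
!
interface GigabitEthernet1/0/6
 switchport mode access
 switchport access vlan XXX
 switchport voice vlan XXX
 authentication host-mode multi-auth
 authentication order mab
 authentication port-control auto
 authentication timer restart 180
 mab
 spanning-tree portfast
!
! Checks, from enable mode, after applying the above:
!  1. Force a request to the group with placeholder credentials; you want
!     to see the request leave and a Reject (or Accept) come back, not a
!     timeout:
!       test aaa group XXX-XXXXXX testuser testpass new-code
!  2. Watch the per-server transaction counters move off zero:
!       show radius server-group all
!       show radius statistics
!  3. Confirm a MAB session is now being built against RADIUS:
!       show authentication sessions interface GigabitEthernet1/0/6 details
```

The `test aaa` step is the quick way to separate "the switch never sends" (what this thread shows) from "the server rejects or does not answer": if the Authen counter in `show radius server-group` still reads 0 after the test, the method list is still not wired up; if it increments but the test reports a timeout, look at shared keys, the source interface and reachability instead.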
08-04-2015 09:34 AM
Exactly! That entry simply didn't migrate somehow from the C3750 configuration. Many thanks.