08-03-2015 11:36 AM - edited 03-10-2019 10:57 PM
Hello,
This is a Catalyst 3850 pilot, so to speak (the C3750's MAB auth is working like a charm), and the strange thing is that I cannot see the RADIUS client on the switch sending packets anywhere:
#show radius statistics
Auth. Acct. Both
Maximum inQ length: NA NA 0
Maximum waitQ length: NA NA 0
Maximum doneQ length: NA NA 0
Total responses seen: 0 0 0
Packets with responses: 0 0 0
Packets without responses: 0 0 0
Access Rejects : 0
Average response delay(ms): 0 0 0
Maximum response delay(ms): 0 0 0
Number of Radius timeouts: 0 0 0
Duplicate ID detects: 0 0 0
Buffer Allocation Failures: 0 0 0
Maximum Buffer Size (bytes): 0 0 0
Malformed Responses : 0 0 0
Bad Authenticators : 0 0 0
Unknown Responses : 0 0 0
Source Port Range: (2 ports only)
1645 - 1646
Last used Source Port/Identifier:
1645/0
1646/0
Elapsed time since counters last cleared: 6h44m
Radius Latency Distribution:
<= 2ms : 0 0
3-5ms : 0 0
5-10ms : 0 0
10-20ms: 0 0
20-50ms: 0 0
50-100m: 0 0
>100ms : 0 0
Current inQ length : 0
Current doneQ length: 0
#debug radius verbose
// All MAC addresses are unable to authenticate
#sh log
03007: Aug 3 17:55:20.239 UTC: %MAB-5-FAIL: Authentication failed for client (XXXX.XXXX.XXXX) on Interface Gi1/0/7 AuditSessionID XXXXXXXXXXXXXXXXXXXXXXXXXX
003008: Aug 3 17:55:20.239 UTC: %MAB-5-FAIL: Authentication failed for client (XXXX.XXXX.XXX) on Interface Gi1/0/7 AuditSessionID XXXXXXXXXXXXXXXXXXXXXXXXX
// There's a very interesting log entry in the MAB debug, "Invalid EVT 9 from EAP" (I have no idea what it could be)
#debug mab all
003085: Aug 3 18:04:26.146 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] Received MAB context create from AuthMgr
003086: Aug 3 18:04:26.146 UTC: mab-ev: MAB authorizing XXXX.XXXX.XXXX
003087: Aug 3 18:04:26.146 UTC: mab-ev: Created MAB client context 0x1B00004B
003088: Aug 3 18:04:26.146 UTC: mab : initial state mab_initialize has enter
003089: Aug 3 18:04:26.146 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] Sending create new context event to EAP from MAB for 0x1B00004B (XXXX.XXXX.XXXX)
003090: Aug 3 18:04:26.147 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] MAB authentication started for 0x536EE850 (XXXX.XXXX.XXXX)
003091: Aug 3 18:04:26.147 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] Invalid EVT 9 from EAP
003092: Aug 3 18:04:26.147 UTC: mab-sm: [XXXX.XXXX.XXXX, Gi1/0/48] Received event 'MAB_CONTINUE' on handle 0x1B00004B
003093: Aug 3 18:04:26.147 UTC: mab : during state mab_initialize, got event 1(mabContinue)
003094: Aug 3 18:04:26.147 UTC: @@@ mab : mab_initialize -> mab_authorizing
003095: Aug 3 18:04:26.147 UTC: mab-ev: [XXXX.XXXX.XXXX] formatted mac = XXXXXXXXXXXX
003096: Aug 3 18:04:26.147 UTC: mab-ev: [XXXX.XXXX.XXXX] created mab pseudo dot1x profile dot1x_mac_auth_XXXX.XXXX.XXXX
003097: Aug 3 18:04:26.148 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] Starting MAC-AUTH-BYPASS for 0x1B00004B (XXXX.XXXX.XXXX)
003098: Aug 3 18:04:26.148 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] Invalid EVT 9 from EAP
003099: Aug 3 18:04:26.148 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] MAB received an Access-Reject for 0x1B00004B (XXXX.XXXX.XXXX)
003100: Aug 3 18:04:26.148 UTC: %MAB-5-FAIL: Authentication failed for client (XXXX.XXXX.XXXX) on Interface Gi1/0/48 AuditSessionID 0A48021200000FD1007B87DE
003101: Aug 3 18:04:26.148 UTC: mab-sm: [XXXX.XXXX.XXXX, Gi1/0/48] Received event 'MAB_RESULT' on handle 0x1B00004B
003102: Aug 3 18:04:26.148 UTC: mab : during state mab_authorizing, got event 5(mabResult)
003103: Aug 3 18:04:26.148 UTC: @@@ mab : mab_authorizing -> mab_terminate
003104: Aug 3 18:04:26.149 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] Deleted credentials profile for 0x1B00004B (dot1x_mac_auth_XXXX.XXXX.XXXX)
003105: Aug 3 18:04:26.150 UTC: mab-sm: [XXXX.XXXX.XXXX, Gi1/0/48] Received event 'MAB_DELETE' on handle 0x1B00004B
The configuration is below:
aaa group server radius XXX-XXXXXX
server 10.XX.XX.30
server 10.XXX.XX.30
aaa authorization network default group XXX-XXXXXX none
aaa accounting dot1x default start-stop group XXX-XXXXXX
ip radius source-interface Loopback0
radius-server host 10.XX.XX.30 key 7 XXXXXXXXXXXXXXXXXXXXXXX
radius-server host 10.XXX.XX.30 key 7 XXXXXXXXXXXXXXXXXXXXXXX
radius-server retransmit 0
radius-server timeout 3
interface GigabitEthernet1/0/6
description XXXX XXXXX
switchport access vlan XXX
switchport mode access
switchport voice vlan XXX
authentication host-mode multi-auth
authentication order mab
authentication port-control auto
authentication timer restart 180
mab
no snmp trap link-status
storm-control broadcast level 0.50
spanning-tree portfast
end
#sh ver
Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 56 WS-C3850-48P 03.07.02E cat3k_caa-universalk9 INSTALL
2 56 WS-C3850-48P 03.07.02E cat3k_caa-universalk9 INSTALL
Any ideas?
P.
08-04-2015 02:35 AM
You're missing "aaa authentication dot1x"
08-04-2015 01:05 AM
Just look at this:
(config)#radius-server ?
accounting Accounting information configuration
attribute Customize selected radius attributes
authorization Authorization processing information
backoff Retry backoff pattern(Default is retransmits with constant delay)
cache AAA auth cache default server group
challenge-noecho Data echoing to screen is disabled during Access-Challenge
configure-nas Attempt to upload static routes and IP pools at startup
dead-criteria Set the criteria used to decide when a radius server is marked dead
deadtime Time to stop using a server that doesn't respond
directed-request Allow user to specify radius server to use with `@server'
domain-stripping Strip the domain from the username
load-balance Radius load-balancing options.
optional-passwords The first RADIUS request can be made without requesting a password
retransmit Specify the number of retries to active server
retry Specify how the next packet is sent after timeout.
source-ports source ports used for sending out RADIUS requests
throttle Throttle requests to radius server
timeout Time to wait for a RADIUS server to reply
transaction Specify per-transaction parameters
unique-ident Higher order bits of Acct-Session-Id
vsa Vendor specific attribute configuration
There's no host statement, as you can see, but the full entry above is present in the configuration:
#show radius server-group
Server group XXX-XXXXX
Sharecount = 1 sg_unconfigured = FALSE
Type = standard Memlocks = 1
Server(10.XX.XX.30:1645,1646) Transactions:
Authen: 0 Author: 0 Acct: 0
Server_auto_test_enabled: FALSE
Keywrap enabled: FALSE
Server(10.XXX.XX.30:1645,1646) Transactions:
Authen: 0 Author: 0 Acct: 0
Server_auto_test_enabled: FALSE
Keywrap enabled: FALSE
08-04-2015 09:34 AM
Exactly! That entry simply didn't migrate somehow from the C3750 configuration. Many thanks.