Catalyst 3850, MAB and RADIUS

peteroseneff
Level 1

Hello,

This is a Catalyst 3850 pilot, so to speak (C3750's MAB auth working like a charm), and the strange thing is that I cannot see the RADIUS client on the switch sending packets anywhere:

#show radius statistics
                                  Auth.      Acct.       Both
         Maximum inQ length:         NA         NA          0
       Maximum waitQ length:         NA         NA          0
       Maximum doneQ length:         NA         NA          0
       Total responses seen:          0          0          0
     Packets with responses:          0          0          0
  Packets without responses:          0          0          0
  Access Rejects           :          0
 Average response delay(ms):          0          0          0
 Maximum response delay(ms):          0          0          0
  Number of Radius timeouts:          0          0          0
       Duplicate ID detects:          0          0          0
 Buffer Allocation Failures:          0          0          0
Maximum Buffer Size (bytes):          0          0          0
Malformed Responses        :          0          0          0
Bad Authenticators         :          0          0          0
Unknown Responses          :          0          0          0
 Source Port Range: (2 ports only)
 1645 - 1646
 Last used Source Port/Identifier:
 1645/0
 1646/0

  Elapsed time since counters last cleared: 6h44m
Radius Latency Distribution:
<= 2ms :          0          0
3-5ms  :          0          0
5-10ms :          0          0
10-20ms:          0          0
20-50ms:          0          0
50-100m:          0          0
>100ms :          0          0

Current inQ length  : 0
Current doneQ length: 0

#debug radius verbose
// All MAC addresses are unable to authenticate

#sh log

03007: Aug  3 17:55:20.239 UTC: %MAB-5-FAIL: Authentication failed for client (XXXX.XXXX.XXXX) on Interface Gi1/0/7 AuditSessionID XXXXXXXXXXXXXXXXXXXXXXXXXX
003008: Aug  3 17:55:20.239 UTC: %MAB-5-FAIL: Authentication failed for client (XXXX.XXXX.XXX) on Interface Gi1/0/7 AuditSessionID XXXXXXXXXXXXXXXXXXXXXXXXX
// There's a very interesting log entry in the MAB debug: "Invalid EVT 9 from EAP" (I have no idea what it could be)

#debug mab all

003085: Aug  3 18:04:26.146 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] Received MAB context create from AuthMgr
003086: Aug  3 18:04:26.146 UTC: mab-ev: MAB authorizing XXXX.XXXX.XXXX
003087: Aug  3 18:04:26.146 UTC: mab-ev: Created MAB client context 0x1B00004B
003088: Aug  3 18:04:26.146 UTC:     mab : initial state mab_initialize has enter
003089: Aug  3 18:04:26.146 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] Sending create new context event to EAP from MAB for 0x1B00004B (XXXX.XXXX.XXXX)
003090: Aug  3 18:04:26.147 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] MAB authentication started for 0x536EE850 (XXXX.XXXX.XXXX)
003091: Aug  3 18:04:26.147 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] Invalid EVT 9 from EAP
003092: Aug  3 18:04:26.147 UTC: mab-sm: [XXXX.XXXX.XXXX, Gi1/0/48] Received event 'MAB_CONTINUE' on handle 0x1B00004B
003093: Aug  3 18:04:26.147 UTC:     mab : during state mab_initialize, got event 1(mabContinue)
003094: Aug  3 18:04:26.147 UTC: @@@ mab : mab_initialize -> mab_authorizing
003095: Aug  3 18:04:26.147 UTC: mab-ev: [XXXX.XXXX.XXXX] formatted mac = XXXXXXXXXXXX
003096: Aug  3 18:04:26.147 UTC: mab-ev: [XXXX.XXXX.XXXX] created mab pseudo dot1x profile dot1x_mac_auth_XXXX.XXXX.XXXX
003097: Aug  3 18:04:26.148 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] Starting MAC-AUTH-BYPASS for 0x1B00004B (XXXX.XXXX.XXXX)
003098: Aug  3 18:04:26.148 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] Invalid EVT 9 from EAP
003099: Aug  3 18:04:26.148 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] MAB received an Access-Reject for 0x1B00004B (XXXX.XXXX.XXXX)
003100: Aug  3 18:04:26.148 UTC: %MAB-5-FAIL: Authentication failed for client (XXXX.XXXX.XXXX) on Interface Gi1/0/48 AuditSessionID 0A48021200000FD1007B87DE
003101: Aug  3 18:04:26.148 UTC: mab-sm: [XXXX.XXXX.XXXX, Gi1/0/48] Received event 'MAB_RESULT' on handle 0x1B00004B
003102: Aug  3 18:04:26.148 UTC:     mab : during state mab_authorizing, got event 5(mabResult)
003103: Aug  3 18:04:26.148 UTC: @@@ mab : mab_authorizing -> mab_terminate
003104: Aug  3 18:04:26.149 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] Deleted credentials profile for 0x1B00004B (dot1x_mac_auth_XXXX.XXXX.XXXX)
003105: Aug  3 18:04:26.150 UTC: mab-sm: [XXXX.XXXX.XXXX, Gi1/0/48] Received event 'MAB_DELETE' on handle 0x1B00004B
The configuration is below:

aaa group server radius XXX-XXXXXX
 server 10.XX.XX.30
 server 10.XXX.XX.30

aaa authorization network default group XXX-XXXXXX none
aaa accounting dot1x default start-stop group XXX-XXXXXX

ip radius source-interface Loopback0

radius-server host 10.XX.XX.30 key 7 XXXXXXXXXXXXXXXXXXXXXXX
radius-server host 10.XXX.XX.30 key 7 XXXXXXXXXXXXXXXXXXXXXXX
radius-server retransmit 0
radius-server timeout 3

interface GigabitEthernet1/0/6
 description XXXX XXXXX
 switchport access vlan XXX
 switchport mode access
 switchport voice vlan XXX
 authentication host-mode multi-auth
 authentication order mab
 authentication port-control auto
 authentication timer restart 180
 mab
 no snmp trap link-status
 storm-control broadcast level 0.50
 spanning-tree portfast
end
#sh ver

Switch Ports Model              SW Version        SW Image              Mode  
------ ----- -----              ----------        ----------            ----  
*    1 56    WS-C3850-48P       03.07.02E         cat3k_caa-universalk9 INSTALL
     2 56    WS-C3850-48P       03.07.02E         cat3k_caa-universalk9 INSTALL
Any ideas?

P.

3 Replies

peteroseneff
Level 1

Just look at this:
(config)#radius-server ?
  accounting          Accounting information configuration
  attribute           Customize selected radius attributes
  authorization       Authorization processing information
  backoff             Retry backoff pattern(Default is retransmits with constant delay)
  cache               AAA auth cache default server group
  challenge-noecho    Data echoing to screen is disabled during Access-Challenge
  configure-nas       Attempt to upload static routes and IP pools at startup
  dead-criteria       Set the criteria used to decide when a radius server is marked dead
  deadtime            Time to stop using a server that doesn't respond
  directed-request    Allow user to specify radius server to use with `@server'
  domain-stripping    Strip the domain from the username
  load-balance        Radius load-balancing options.
  optional-passwords  The first RADIUS request can be made without requesting a password
  retransmit          Specify the number of retries to active server
  retry               Specify how the next packet is sent after timeout.
  source-ports        source ports used for sending out RADIUS requests
  throttle            Throttle requests to radius server
  timeout             Time to wait for a RADIUS server to reply
  transaction         Specify per-transaction parameters
  unique-ident        Higher order bits of Acct-Session-Id
  vsa                 Vendor specific attribute configuration

There's no host statement, as you can see, but the full entry above is present in the configuration.

#show radius server-group

Server group XXX-XXXXX
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard  Memlocks = 1
    Server(10.XX.XX.30:1645,1646) Transactions:
    Authen: 0   Author: 0       Acct: 0
    Server_auto_test_enabled: FALSE
     Keywrap enabled: FALSE
    Server(10.XXX.XX.30:1645,1646) Transactions:
    Authen: 0   Author: 0       Acct: 0
    Server_auto_test_enabled: FALSE
     Keywrap enabled: FALSE

You're missing "aaa authentication dot1x"

Exactly! That entry simply didn't migrate somehow from the C3750 configuration. Many thanks.
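As an added check, not from the thread and not a Cisco tool: a small Python script that reads an IOS-style running config and reports the omission the accepted answer points to (an interface with `mab` but no `aaa authentication dot1x default` method list, which is why the RADIUS counters above stayed at zero while MAB still logged Access-Reject). It goes slightly beyond the thread by also verifying that the server group named in that method list is actually defined. The sample config is constructed from the one posted above, placeholders kept.

```python
import re

# Constructed sample modelled on the thread's posted config; the
# addresses and group name are the same placeholders as in the post.
BROKEN_CONFIG = """\
aaa group server radius XXX-XXXXXX
 server 10.XX.XX.30
 server 10.XXX.XX.30
aaa authorization network default group XXX-XXXXXX none
aaa accounting dot1x default start-stop group XXX-XXXXXX
radius-server retransmit 0
interface GigabitEthernet1/0/6
 authentication order mab
 authentication port-control auto
 mab
interface GigabitEthernet1/0/48
 mab
"""

# The line the accepted answer says was lost in the migration.
FIXED_CONFIG = BROKEN_CONFIG + "aaa authentication dot1x default group XXX-XXXXXX\n"


def mab_interfaces(config):
    """Return the names of interfaces that have 'mab' configured."""
    found, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif current and line.strip() == "mab":
            found.append(current)
    return found


def check_mab_aaa(config):
    """Return findings explaining why MAB would be rejected before any
    RADIUS request is sent; an empty list means the AAA wiring is present."""
    findings = []
    ifaces = mab_interfaces(config)
    if not ifaces:
        return findings  # nothing uses MAB, nothing to check
    m = re.search(r"^aaa authentication dot1x default (.+)$", config, re.M)
    if not m:
        findings.append("no 'aaa authentication dot1x default' method list; "
                        "MAB on " + ", ".join(ifaces) + " has no RADIUS path")
        return findings
    defined = set(re.findall(r"^aaa group server radius (\S+)", config, re.M))
    for grp in re.findall(r"group (\S+)", m.group(1)):
        # 'group radius' is the built-in group of all radius-server hosts
        if grp != "radius" and grp not in defined:
            findings.append("dot1x method list references undefined group " + grp)
    return findings
```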