peteroseneff

Catalyst 3850, MAB and RADIUS

Hello,

This is a Catalyst 3850 pilot, so to speak (C3750's MAB auth working like a charm), and the strange thing is that I cannot see the RADIUS client on the switch sending packets anywhere:

#show radius statistics
                                  Auth.      Acct.       Both
         Maximum inQ length:         NA         NA          0
       Maximum waitQ length:         NA         NA          0
       Maximum doneQ length:         NA         NA          0
       Total responses seen:          0          0          0
     Packets with responses:          0          0          0
  Packets without responses:          0          0          0
  Access Rejects           :          0
 Average response delay(ms):          0          0          0
 Maximum response delay(ms):          0          0          0
  Number of Radius timeouts:          0          0          0
       Duplicate ID detects:          0          0          0
 Buffer Allocation Failures:          0          0          0
Maximum Buffer Size (bytes):          0          0          0
Malformed Responses        :          0          0          0
Bad Authenticators         :          0          0          0
Unknown Responses          :          0          0          0
 Source Port Range: (2 ports only)
 1645 - 1646
 Last used Source Port/Identifier:
 1645/0
 1646/0

  Elapsed time since counters last cleared: 6h44m
Radius Latency Distribution:
<= 2ms :          0          0
3-5ms  :          0          0
5-10ms :          0          0
10-20ms:          0          0
20-50ms:          0          0
50-100m:          0          0
>100ms :          0          0

Current inQ length  : 0
Current doneQ length: 0

#debug radius verbose

 

// All MAC addresses are unable to authenticate

#sh log

03007: Aug  3 17:55:20.239 UTC: %MAB-5-FAIL: Authentication failed for client (XXXX.XXXX.XXXX) on Interface Gi1/0/7 AuditSessionID XXXXXXXXXXXXXXXXXXXXXXXXXX
003008: Aug  3 17:55:20.239 UTC: %MAB-5-FAIL: Authentication failed for client (XXXX.XXXX.XXX) on Interface Gi1/0/7 AuditSessionID XXXXXXXXXXXXXXXXXXXXXXXXX

 

// There's a very interesting log entry in the MAB debug: Invalid EVT 9 from EAP (I have no idea what it could be)

#debug mab all   

003085: Aug  3 18:04:26.146 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] Received MAB context create from AuthMgr
003086: Aug  3 18:04:26.146 UTC: mab-ev: MAB authorizing XXXX.XXXX.XXXX
003087: Aug  3 18:04:26.146 UTC: mab-ev: Created MAB client context 0x1B00004B
003088: Aug  3 18:04:26.146 UTC:     mab : initial state mab_initialize has enter
003089: Aug  3 18:04:26.146 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] Sending create new context event to EAP from MAB for 0x1B00004B (XXXX.XXXX.XXXX)
003090: Aug  3 18:04:26.147 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] MAB authentication started for 0x536EE850 (XXXX.XXXX.XXXX)
003091: Aug  3 18:04:26.147 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] Invalid EVT 9 from EAP
003092: Aug  3 18:04:26.147 UTC: mab-sm: [XXXX.XXXX.XXXX, Gi1/0/48] Received event 'MAB_CONTINUE' on handle 0x1B00004B
003093: Aug  3 18:04:26.147 UTC:     mab : during state mab_initialize, got event 1(mabContinue)
003094: Aug  3 18:04:26.147 UTC: @@@ mab : mab_initialize -> mab_authorizing
003095: Aug  3 18:04:26.147 UTC: mab-ev: [XXXX.XXXX.XXXX] formatted mac = XXXXXXXXXXXX
003096: Aug  3 18:04:26.147 UTC: mab-ev: [XXXX.XXXX.XXXX] created mab pseudo dot1x profile dot1x_mac_auth_XXXX.XXXX.XXXX
003097: Aug  3 18:04:26.148 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] Starting MAC-AUTH-BYPASS for 0x1B00004B (XXXX.XXXX.XXXX)
003098: Aug  3 18:04:26.148 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] Invalid EVT 9 from EAP
003099: Aug  3 18:04:26.148 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] MAB received an Access-Reject for 0x1B00004B (XXXX.XXXX.XXXX)
003100: Aug  3 18:04:26.148 UTC: %MAB-5-FAIL: Authentication failed for client (XXXX.XXXX.XXXX) on Interface Gi1/0/48 AuditSessionID 0A48021200000FD1007B87DE
003101: Aug  3 18:04:26.148 UTC: mab-sm: [XXXX.XXXX.XXXX, Gi1/0/48] Received event 'MAB_RESULT' on handle 0x1B00004B
003102: Aug  3 18:04:26.148 UTC:     mab : during state mab_authorizing, got event 5(mabResult)
003103: Aug  3 18:04:26.148 UTC: @@@ mab : mab_authorizing -> mab_terminate
003104: Aug  3 18:04:26.149 UTC: mab-ev: [XXXX.XXXX.XXXX, Gi1/0/48] Deleted credentials profile for 0x1B00004B (dot1x_mac_auth_XXXX.XXXX.XXXX)
003105: Aug  3 18:04:26.150 UTC: mab-sm: [XXXX.XXXX.XXXX, Gi1/0/48] Received event 'MAB_DELETE' on handle 0x1B00004B

 

The configuration is below:

aaa group server radius XXX-XXXXXX
 server 10.XX.XX.30
 server 10.XXX.XX.30

aaa authorization network default group XXX-XXXXXX none
aaa accounting dot1x default start-stop group XXX-XXXXXX

ip radius source-interface Loopback0

radius-server host 10.XX.XX.30 key 7 XXXXXXXXXXXXXXXXXXXXXXX
radius-server host 10.XXX.XX.30 key 7 XXXXXXXXXXXXXXXXXXXXXXX
radius-server retransmit 0
radius-server timeout 3

interface GigabitEthernet1/0/6
 description XXXX XXXXX
 switchport access vlan XXX
 switchport mode access
 switchport voice vlan XXX
 authentication host-mode multi-auth
 authentication order mab
 authentication port-control auto
 authentication timer restart 180
 mab
 no snmp trap link-status
 storm-control broadcast level 0.50
 spanning-tree portfast
end

 

#sh ver

Switch Ports Model              SW Version        SW Image              Mode  
------ ----- -----              ----------        ----------            ----  
*    1 56    WS-C3850-48P       03.07.02E         cat3k_caa-universalk9 INSTALL
     2 56    WS-C3850-48P       03.07.02E         cat3k_caa-universalk9 INSTALL

 

Any ideas?

P.
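An added example for this thread (not code from the post or from Cisco) of what the switch would be putting on the wire if the RADIUS counters above were not all zero: the RFC 2865 Access-Request that MAB builds, with User-Name and User-Password both carrying the MAC and Service-Type set to Call-Check, and the server-side check that turns it into an Accept or a Reject. The MAC, shared secret and NAS address are constructed; the attribute formatting (lowercase hex username, upper-case dashed Calling-Station-Id) is an assumption about the switch, not something the thread confirms.

```python
"""What MAB sends to RADIUS once it has a method list to send through.

Added example for this thread, not code from the post or from Cisco: builds
the RFC 2865 Access-Request that MAB produces (User-Name and User-Password
both carry the MAC, Service-Type = Call-Check) and shows the server-side
check that turns it into Accept or Reject. The MAC, shared secret and NAS
address are constructed; the attribute formatting (lowercase hex username,
upper-case dashed Calling-Station-Id) is an assumption about the switch.
"""
import hashlib
import os
import struct
from typing import Dict, Optional, Set

ACCESS_REQUEST = 1
# RFC 2865 attribute types used by a MAB request
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
CALLING_STATION_ID, NAS_PORT_TYPE = 31, 61
SERVICE_TYPE_CALL_CHECK = 10      # "this is a MAC check, not a user login"
NAS_PORT_TYPE_ETHERNET = 15


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; a wrong shared secret yields garbage, hence Access-Reject."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; the length byte covers the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_mab_request(mac: str, secret: bytes, nas_ip: str, identifier: int,
                      authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request for a MAC seen on an access port (what 'debug radius' would show)."""
    authenticator = authenticator or os.urandom(16)
    hexmac = mac.lower().translate(str.maketrans("", "", ".:-"))
    user = hexmac.encode()
    attrs = (
        avp(USER_NAME, user)
        + avp(USER_PASSWORD, hide_password(user, secret, authenticator))
        + avp(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
        + avp(CALLING_STATION_ID,
              "-".join(hexmac[i:i + 2] for i in range(0, 12, 2)).upper().encode())
        + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
        + avp(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet: bytes) -> Dict:
    """Split header and attributes (single-valued attributes only, enough for MAB)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, i = {}, 20
    while i < length:
        t, l = packet[i], packet[i + 1]
        attrs[t] = packet[i + 2:i + l]
        i += l
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": attrs}


def server_check_mab(packet: bytes, secret: bytes, known_macs: Set[str]) -> bool:
    """Server side: Call-Check request, known MAC, and a password that decodes to that MAC."""
    p = parse_packet(packet)
    a = p["attrs"]
    if p["code"] != ACCESS_REQUEST or a.get(SERVICE_TYPE) != struct.pack("!I", SERVICE_TYPE_CALL_CHECK):
        return False
    user = a.get(USER_NAME, b"")
    password = reveal_password(a.get(USER_PASSWORD, b""), secret, p["authenticator"])
    return user.decode() in known_macs and password == user


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed, not a real key
    pkt = build_mab_request("0011.2233.4455", secret, "10.0.0.1", identifier=1)
    print(pkt.hex())
    print("accept:", server_check_mab(pkt, secret, {"001122334455"}))
    print("wrong secret:", server_check_mab(pkt, b"other", {"001122334455"}))
```

The "wrong secret" case is worth keeping in mind when reading `show radius statistics`: a key mismatch still produces packets and responses on the switch side (Access-Rejects, or "Bad Authenticators" on replies), whereas counters that are all zero mean no request was ever generated.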

 

peteroseneff

Just look at this:

 

(config)#radius-server ?
  accounting          Accounting information configuration
  attribute           Customize selected radius attributes
  authorization       Authorization processing information
  backoff             Retry backoff pattern(Default is retransmits with constant delay)
  cache               AAA auth cache default server group
  challenge-noecho    Data echoing to screen is disabled during Access-Challenge
  configure-nas       Attempt to upload static routes and IP pools at startup
  dead-criteria       Set the criteria used to decide when a radius server is marked dead
  deadtime            Time to stop using a server that doesn't respond
  directed-request    Allow user to specify radius server to use with `@server'
  domain-stripping    Strip the domain from the username
  load-balance        Radius load-balancing options.
  optional-passwords  The first RADIUS request can be made without requesting a password
  retransmit          Specify the number of retries to active server
  retry               Specify how the next packet is sent after timeout.
  source-ports        source ports used for sending out RADIUS requests
  throttle            Throttle requests to radius server
  timeout             Time to wait for a RADIUS server to reply
  transaction         Specify per-transaction parameters
  unique-ident        Higher order bits of Acct-Session-Id
  vsa                 Vendor specific attribute configuration

There's no host statement, as you can see, but the full entry above is present in the configuration:

#show radius server-group

Server group XXX-XXXXX
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard  Memlocks = 1
    Server(10.XX.XX.30:1645,1646) Transactions:
    Authen: 0   Author: 0       Acct: 0
    Server_auto_test_enabled: FALSE
     Keywrap enabled: FALSE
    Server(10.XXX.XX.30:1645,1646) Transactions:
    Authen: 0   Author: 0       Acct: 0
    Server_auto_test_enabled: FALSE
     Keywrap enabled: FALSE

You're missing "aaa authentication dot1x"

Exactly! That entry simply didn't migrate somehow from the C3750 configuration. Many thanks.
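The accepted answer is the kind of gap a config review catches before the pilot: MAB authenticates through the dot1x authentication method list, so with no `aaa authentication dot1x` line the switch has nowhere to send the request and the RADIUS counters never move. Below is an added example (not the poster's or Cisco's code) of a small lint over a config excerpt that flags that, plus two other points visible in the posted config: the trailing `none` on the authorization list (fail-open if the server group does not answer) and `radius-server retransmit 0`. The sample config is constructed from the fragment in the question with placeholder group name, addresses and keys, and the check assumes the classic `radius-server host` syntax the post uses rather than `radius server <name>`.

```python
"""Lint a Cisco IOS/IOS-XE config excerpt for what MAB needs to reach RADIUS.

Added example for this thread, not the poster's or Cisco's code. The sample
config is constructed from the fragment in the question (server-group name,
addresses and keys are placeholders); it assumes the classic
'radius-server host' syntax used in the post, not 'radius server <name>'.
"""
import re
from typing import Dict, List, Tuple

Block = Tuple[str, List[str]]

# Constructed from the thread: note there is no 'aaa authentication dot1x' line.
BEFORE = """\
aaa new-model
aaa group server radius SG-ISE
 server 10.0.0.30
 server 10.0.1.30
aaa authorization network default group SG-ISE none
aaa accounting dot1x default start-stop group SG-ISE
ip radius source-interface Loopback0
radius-server host 10.0.0.30 key 7 0123456789ABCDEF
radius-server host 10.0.1.30 key 7 0123456789ABCDEF
radius-server retransmit 0
radius-server timeout 3
interface GigabitEthernet1/0/6
 switchport mode access
 authentication host-mode multi-auth
 authentication order mab
 authentication port-control auto
 mab
interface GigabitEthernet1/0/7
 switchport mode access
 mab
"""

# The accepted answer's fix, plus 'none' dropped from the authorization list.
FIXED = BEFORE.replace(
    "aaa authorization network default group SG-ISE none",
    "aaa authentication dot1x default group SG-ISE\n"
    "aaa authorization network default group SG-ISE",
)


def split_config(text: str) -> List[Block]:
    """Group each top-level line with its indented children, dropping '!' and blanks."""
    blocks: List[Block] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if line.startswith(" "):
            if blocks:
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line, []))
    return blocks


def lint_mab(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the MAB plumbing is complete."""
    blocks = split_config(text)
    top = [p for p, _ in blocks]
    findings: List[str] = []

    if "aaa new-model" not in top:
        findings.append("global: 'aaa new-model' missing; AAA method lists are ignored without it")

    groups: Dict[str, List[str]] = {
        p.split()[-1]: [c.split()[1] for c in ch if c.startswith("server ")]
        for p, ch in blocks if p.startswith("aaa group server radius ")
    }
    hosts = {p.split()[2] for p in top if p.startswith("radius-server host ")}
    for name, members in groups.items():
        for m in members:
            if m not in hosts:
                findings.append(f"global: group {name} lists server {m} with no 'radius-server host' entry")

    # MAB authenticates through the dot1x authentication method list; with no
    # list there is nothing to send the request to, so RADIUS counters stay at 0.
    auth = [p for p in top if p.startswith("aaa authentication dot1x ")]
    if not auth:
        findings.append("global: 'aaa authentication dot1x default group <sg>' missing; "
                        "MAB never builds an Access-Request")
    authz = [p for p in top if p.startswith("aaa authorization network ")]
    for p in auth + authz:
        m = re.search(r"\bgroup (\S+)", p)
        if m and m.group(1) not in groups and m.group(1) != "radius":
            findings.append(f"global: '{p}' references undefined server group {m.group(1)}")
    if not authz:
        findings.append("global: 'aaa authorization network default group <sg>' missing; "
                        "server-assigned VLAN/dACL results are not applied")
    for p in authz:
        if p.split()[-1] == "none":
            findings.append(f"global: '{p}' ends in 'none': fail-open when the group does not answer")

    if "radius-server retransmit 0" in top:
        findings.append("global: 'radius-server retransmit 0': one lost datagram fails the session")

    for p, ch in blocks:
        if p.startswith("interface ") and "mab" in ch:
            name = p.split()[1]
            if "authentication port-control auto" not in ch:
                findings.append(f"{name}: 'mab' without 'authentication port-control auto'; "
                                "port-control defaults to force-authorized, so the port is open")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("fixed", FIXED)):
        print(f"== {label}")
        for f in lint_mab(cfg) or ["no findings"]:
            print(" -", f)
```

Run it against `show running-config` output saved to a file and it reports the missing method list the thread ended on; on the FIXED sample only the `retransmit 0` and the Gi1/0/7 port-control findings remain, which are worth a look on the 3850 before the pilot widens.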
