cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1030
Views
2
Helpful
3
Replies

Cisco 2960X not sending Radius machine authentication

Ruelb2214
Level 1
Level 1

Hi All,

We have machine that is joined in AD and supposed to be doing machine auth, we notice for 2960x not sending radius machine authentication, instead it only does mac address. IPPhone/Printer authentication are working fine no issue at all.

We are using Anyconnect network module, and the same XML file we use all throughout deployment, with other switch model we do not encounter the issue.

Does anyone encounter the same issue? Please share your idea

Apr 5 12:59:22.118: RADIUS(00000000): Send Access-Request to 10.62.32.19:1812 onvrf(0) id 1645/123, len 274
Apr 5 12:59:22.118: RADIUS: authenticator 96 97 20 A7 63 28 A9 71 - EA FE 25 86 29 D7 CB 5C
Apr 5 12:59:22.118: RADIUS: User-Name [1] 14 "10E7C67821E8"
Apr 5 12:59:22.118: RADIUS: User-Password [2] 18 *
Apr 5 12:59:22.118: RADIUS: Service-Type [6] 6 Call Check [10]
Apr 5 12:59:22.118: RADIUS: Vendor, Cisco [26] 31
Apr 5 12:59:22.118: RADIUS: Cisco AVpair [1] 25 "service-type=Call Check"
Apr 5 12:59:22.118: RADIUS: Framed-MTU [12] 6 1500
Apr 5 12:59:22.118: RADIUS: Called-Station-Id [30] 19 "6C-41-0E-BD-98-8A"
Apr 5 12:59:22.122: RADIUS: Calling-Station-Id [31] 19 "10-E7-C6-78-21-E8"
Apr 5 12:59:22.122: RADIUS: Message-Authenticato[80] 18
Apr 5 12:59:22.122: RADIUS: 17 88 CA ED AF 58 4F 00 4A A3 F8 A8 93 EE 33 DA [ XOJ3]
Apr 5 12:59:22.122: RADIUS: EAP-Key-Name [102] 2 *
Apr 5 12:59:22.122: RADIUS: Vendor, Cisco [26] 49
Apr 5 12:59:22.122: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A7106FE00000BA2643F8AEF"
Apr 5 12:59:22.122: RADIUS: Vendor, Cisco [26] 18
Apr 5 12:59:22.122: RADIUS: Cisco AVpair [1] 12 "method=mab"
Apr 5 12:59:22.122: RADIUS: NAS-IP-Address [4] 6 10.113.6.254
Apr 5 12:59:22.122: RADIUS: Nas-Identifier [32] 13 "SEL-SWC-06S"
Apr 5 12:59:22.122: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet1/0/10"
Apr 5 12:59:22.122: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Apr 5 12:59:22.122: RADIUS: NAS-Port [5] 6 50110
Apr 5 12:59:22.122: RADIUS(00000000): Sending a IPv4 Radius Packet
Apr 5 12:59:22.122: RADIUS(00000000): Started 5 sec timeout
Apr 5 12:59:22.387: RADIUS: Received from id 1645/123 10.62.32.19:1812, Access-Reject, len 92
Apr 5 12:59:22.387: RADIUS: authenticator C2 25 DA DB 9F 79 15 6F - E4 24 A3 CB AA EE 6C 9F
Apr 5 12:59:22.387: RADIUS: Message-Authenticato[80] 18
Apr 5 12:59:22.387: RADIUS: 11 80 C2 6C 8E C6 58 99 CD 95 FE 99 4A D3 C1 42 [ lXJB]
Apr 5 12:59:22.387: RADIUS: Vendor, Cisco [26] 54
Apr 5 12:59:22.387: RADIUS: Cisco AVpair [1] 48 "AuthenticationIdentityStore=Internal Endpoints"
Apr 5 12:59:22.391: RADIUS(00000000): Received from id 1645/123

Switch port configuration:

interface GigabitEthernet1/0/10
switchport mode access
switchport voice vlan 2
authentication event fail action next-method
authentication event server dead action authorize vlan 11
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge

Radius/AAA configuration:

aaa group server radius SP-ISE-GROUP
server name VMISE02
server name VMISE01
aaa authentication login CONSOLE local
aaa authentication login THALOGIN group ISE-TACACS local
aaa authentication dot1x default group SP-ISE-GROUP
aaa authorization exec default group ISE-TACACS local if-authenticated
aaa authorization network default group SP-ISE-GROUP
aaa authorization auth-proxy default group SP-ISE-GROUP
aaa accounting send stop-record authentication failure
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group SP-ISE-GROUP
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting network default start-stop group SP-ISE-GROUP
aaa accounting system default start-stop group SP-ISE-GROUP
aaa server radius dynamic-author
client 10.62.x.xserver-key 7 (omitted)
client 10.62.x.x server-key 7 (omitted)
aaa session-id common

ip radius source-interface Vlan11
radius server VMISE01
address ipv4 10.62.x.x auth-port 1812 acct-port 1813
automate-tester username dummy idle-time 5
key 7 (omitted)
radius server VMISE02
address ipv4 10.62.x.x auth-port 1812 acct-port 1813
automate-tester username dummy idle-time 5
key 7(omitted)

 

3 Accepted Solutions

Accepted Solutions

Nancy Saini
Cisco Employee
Cisco Employee

The authentication order and priority in the switchport configuration is "mab dot1x". With this configuration, dot1x will only happen if MAB fails.

NancySaini_0-1680804702466.png

Change the authentication priority to "dot1x mab" and you should see switch initiating EAPoL.

Reference : https://www.cisco.com/c/dam/en/us/support/docs/ios-nx-os-software/identity-based-networking-service/flexible_authentication.pdf

 

View solution in original post

Sri Harsha Dasari
Spotlight
Spotlight

I agree with Nancy. Also, i dont see below command for data vlan on this port.

switchport access vlan xx

Thanks, Sri.

View solution in original post

thomas
Cisco Employee
Cisco Employee

@Nancy Saini  had a great suggestion and you may compare your configuration with our ISE Secure Wired Access Prescriptive Deployment Guide which has example configurations following best practices. 

Also, we always recommend authentication host-mode multi-auth over multi-domain. if you have problems with phones+workstations on the same port, switch to multi-auth.

View solution in original post

3 Replies 3

Nancy Saini
Cisco Employee
Cisco Employee

The authentication order and priority in the switchport configuration is "mab dot1x". With this configuration, dot1x will only happen if MAB fails.

NancySaini_0-1680804702466.png

Change the authentication priority to "dot1x mab" and you should see switch initiating EAPoL.

Reference : https://www.cisco.com/c/dam/en/us/support/docs/ios-nx-os-software/identity-based-networking-service/flexible_authentication.pdf

 

Sri Harsha Dasari
Spotlight
Spotlight

I agree with Nancy. Also, i dont see below command for data vlan on this port.

switchport access vlan xx

Thanks, Sri.

thomas
Cisco Employee
Cisco Employee

@Nancy Saini  had a great suggestion and you may compare your configuration with our ISE Secure Wired Access Prescriptive Deployment Guide which has example configurations following best practices. 

Also, we always recommend authentication host-mode multi-auth over multi-domain. if you have problems with phones+workstations on the same port, switch to multi-auth.