Cisco Switch authentication issue on window computer

keith-mk-li
Level 1

Dear All,

I have a question: what is the difference between the 2 commands? The command at Site A has enabled the authentication, whereas Site B hasn't, and in Site A all computers can access the network, whereas in Site B they are not obtaining any IP addresses at all. As the authentication has not been active on the Site B switch ports, I do not understand why the laptop cannot obtain IP addresses, as both switches have self-signed certificates and AAA configured on them. Just wondering if anything else needs to be configured on the computer itself? The previous colleague has left the company, and I do not have enough information on what had been done by him. Any help would be appreciated.

 

From Site A

!
interface GigabitEthernet1/0/9
 description User
 switchport access vlan 100
 switchport mode access
 device-tracking attach-policy IPDT_POLICY
 authentication periodic
 authentication timer reauthenticate server
 access-session closed
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 service-policy type control subscriber ISE_POLICY
!

From Site B

!
interface GigabitEthernet1/0/5
 description User data port
 switchport mode access
 authentication event fail action next-method
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity 180
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
end

Piaa
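A quick way to see what actually differs between the two ports, added here as an example and not part of the original post: the script below parses the two interface stanzas quoted above (copied as constructed strings), lists the sub-commands present on only one side, and checks the two settings that decide whether the port authenticates at all. Without `authentication port-control auto` (legacy CLI) or `access-session port-control auto` (new-style CLI), IOS never starts 802.1X or MAB on the port, and without `switchport access vlan` the port stays in VLAN 1. The function and finding names are this example's own.

```python
"""Compare two Cisco IOS access-port stanzas and flag the settings that
decide whether a port runs authentication at all.

Added example, not from the thread. SITE_A and SITE_B are constructed
copies of the two interfaces quoted in the question."""
from __future__ import annotations

SITE_A = """\
interface GigabitEthernet1/0/9
 description User
 switchport access vlan 100
 switchport mode access
 device-tracking attach-policy IPDT_POLICY
 authentication periodic
 authentication timer reauthenticate server
 access-session closed
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 service-policy type control subscriber ISE_POLICY
!
"""

SITE_B = """\
interface GigabitEthernet1/0/5
 description User data port
 switchport mode access
 authentication event fail action next-method
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity 180
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
"""


def parse_stanza(text: str) -> tuple[str, list[str]]:
    """Return (interface name, sub-commands) for one 'interface ...' stanza.
    Descriptions are dropped: they are free text, not behaviour."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and ln.strip() != "!"]
    if not lines or not lines[0].startswith("interface "):
        raise ValueError("stanza must start with 'interface <name>'")
    name = lines[0].split(None, 1)[1]
    cmds = [ln for ln in lines[1:] if not ln.startswith("description")]
    return name, cmds


def access_vlan(cmds: list[str]) -> int | None:
    """Configured access VLAN, or None if the port is left in the default VLAN 1."""
    for c in cmds:
        if c.startswith("switchport access vlan "):
            return int(c.rsplit(None, 1)[1])
    return None


def port_control_enabled(cmds: list[str]) -> bool:
    """True only if the port is told to run authentication. Either the legacy
    or the new-style (IBNS 2.0) port-control command counts."""
    return any(
        c in ("authentication port-control auto", "access-session port-control auto")
        for c in cmds
    )


def compare(a_text: str, b_text: str) -> dict:
    """Diff two stanzas and collect findings per interface."""
    a_name, a = parse_stanza(a_text)
    b_name, b = parse_stanza(b_text)
    findings: list[str] = []
    for label, cmds in ((a_name, a), (b_name, b)):
        if access_vlan(cmds) is None:
            findings.append(f"{label}: no access VLAN set, traffic lands in VLAN 1")
        if not port_control_enabled(cmds):
            findings.append(f"{label}: port-control auto missing, authentication is not enforced")
        if "authentication order mab dot1x" in cmds:
            findings.append(f"{label}: MAB is tried before 802.1X (legacy order command)")
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "vlan": {a_name: access_vlan(a), b_name: access_vlan(b)},
        "port_control": {a_name: port_control_enabled(a), b_name: port_control_enabled(b)},
        "findings": findings,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(compare(SITE_A, SITE_B), indent=2))
```

Run as-is it reports that Site A uses the new-style `access-session` and control-policy commands while Site B uses the legacy `authentication ...` commands, that only Site A has an access VLAN, and that only Site A has a port-control command, which is consistent with the switch later showing no authentication sessions at all.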

7 Replies

balaji.bandi
Hall of Fame

It depends on what model of switches you have here, and whether your Layer 3 VLAN SVI has a helper address or not.

Try adding the access VLAN (switchport access vlan 100) config on Site B and check.

The guide below will help you with more information:

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

 

BB


authentication order mab dot1x <<- change the order, make it dot1x mab

 authentication priority dot1x mab

Then check.

MHM

thomas
Cisco Employee

Did they successfully authenticate? You have not provided any information about the authentications from the respective switch.

Without any other details, it sounds like a DHCP problem.

 

keith-mk-li
Level 1

The DHCP is leasing IPs from the site itself. Please find below the running config and AAA logs. I found there are no authentication sessions in the switch at all; kindly check whether any of the settings are incorrect? In ISE I don't see any logging from this IP segment in this site.

 

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2024.09.18 14:29:01 =~=~=~=~=~=~=~=~=~=~=~=
login as: cisco
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server

Switch>en
Password:
Switch#sh run

Building configuration...

Current configuration : 58518 bytes
!
! Last configuration change at 15:34:19 HKG Tue Sep 17 2024 by adm_kli
! NVRAM config last updated at 12:01:52 HKG Mon Sep 16 2024 by adm_klam
!
version 15.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
enable secret 5
!
aaa new-model
!
!
--More--  aaa group server radius ISE
server name ISE1
server name ISE2
deadtime 300
!
aaa authentication login NO_AUTH none
aaa authentication login SSH-LOGIN local
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting delay-start all
aaa accounting update newinfo
aaa accounting auth-proxy default start-stop group ISE
aaa accounting dot1x default start-stop group ISE
aaa accounting network default start-stop group ISE
!
!
!
!
!
aaa server radius dynamic-author
client 10.12.101.10 server-key 7 01360xxxxxxxxxxxxxxx
client 10.12.101.11 server-key 7 14321xxxxxxxxxxxxxxx
!
--More--  aaa session-id common
clock timezone HKG 8 0
switch 1 provision ws-c2960x-48lps-l
switch 2 provision ws-c2960x-48lps-l
switch 3 provision ws-c2960x-48lps-l
!
!
login on-success log
vtp mode transparent
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2xxxxxxxxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2xxxxxxxxx
revocation-check none
rsakeypair TP-self-signed-2xxxxxxxxxxx
!
!
--More--  crypto pki certificate chain TP-self-signed-2xxxxxxxx
certificate self-signed 01
quit
dot1x system-auth-control
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
vlan 3
name Devices
!
vlan 100
name WiFi
!

!
!
--More--  !
!
!
!
!
!
!
!
!
interface Port-channel1
description uplink to C9200 Switch
switchport mode trunk
!
interface Port-channel2
description uplink to Server
switchport mode access
switchport nonegotiate
!
interface FastEthernet0
no ip address
shutdown
!
interface GigabitEthernet1/0/1
--More--   description User data port
switchport mode access
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
interface GigabitEthernet1/0/2
description User data port
switchport mode access
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
--More--   authentication priority dot1x mab
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
interface GigabitEthernet1/0/3
description User data port
switchport mode access
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
--More--   dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast

 

==========================================================================================

 

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2024.09.18 16:33:36 =~=~=~=~=~=~=~=~=~=~=~=
login as: cisco
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server

Switch>en
Password:
Switch#sh aaa server

RADIUS: id 1, priority 1, host 10.12.101.10, auth-port 1812, acct-port 1813
State: current UP, duration 4294967s, previous duration 18000s
Dead: total time 18000s, count 1
Quarantined: No
Authen: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 19, timeouts 19, failover 1, retransmission 14
Request: start 0, interim 0, stop 5
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 5
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 12w4h38m
Estimated Outstanding Access Transactions: 0
--More--   Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 3 hours, 45 minutes ago: 0
low - 3 hours, 45 minutes ago: 0
average: 0

RADIUS: id 2, priority 2, host 10.12.101.11, auth-port 1812, acct-port 1813
State: current UP, duration 4294967s, previous duration 18000s
Dead: total time 18000s, count 1
Quarantined: No
Authen: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
--More--   Account: request 19, timeouts 19, failover 5, retransmission 14
Request: start 0, interim 0, stop 5
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 5
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 12w4h37m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 3 hours, 44 minutes ago: 0
low - 3 hours, 44 minutes ago: 0
average: 0
Switch#sh aaa sessions
Total sessions since last reload: 108
Session Id: 176
Unique Id: 186
User Name: cisco
IP Address: 192.168.1.132
Idle Time: 0
CT Call Handle: 0
Switch#  sh radius statistics
Auth. Acct. Both
Maximum inQ length: NA NA 2
Maximum waitQ length: NA NA 4
Maximum doneQ length: NA NA 1
Total responses seen: 68 134 202
Packets with responses: 68 134 202
Packets without responses: 0 4 4
Access Rejects : 0
Average response delay(ms): 1496 218 649
Maximum response delay(ms): 35379 5240 35379
Number of Radius timeouts: 8 40 48
Duplicate ID detects: 0 0 0
Buffer Allocation Failures: 0 0 0
Maximum Buffer Size (bytes): 279 335 335
Malformed Responses : 0 0 0
Bad Authenticators : 0 0 0
Unknown Responses : 0 0 0
Source Port Range: (2 ports only)
1645 - 1646
Last used Source Port/Identifier:
1645/68
1646/178

Elapsed time since counters last cleared: 39w3d12h30m
Radius Latency Distribution:
<= 2ms : 0 0
3-5ms : 0 0
5-10ms : 0 0
10-20ms: 0 0
20-50ms: 0 0
50-100m: 0 0
>100ms : 68 134

Current inQ length : 0
Current doneQ length: 0

Switch#sh aaa l clients

Dynamic Author Client 10.12.101.10
CoA: requests: 0, transactions: 0
retransmissions: 0, active transactions: 0
Ack responses: 0, Nak reponses: 0
invalid requests: 0, errors: 0
PoD: requests: 0, transactions: 0
retransmissions: 0, active transactions: 0
Ack responses: 0, Nak reponses: 0
invalid requests: 0, errors: 0
Average Ack response time: 0 msec
Requests per minute past 24 hours:
high - 3 hours, 45 minutes ago: 0
low - 3 hours, 45 minutes ago: 0
average: 0

Dynamic Author Client 10.12.101.11
CoA: requests: 0, transactions: 0
retransmissions: 0, active transactions: 0
Ack responses: 0, Nak reponses: 0
invalid requests: 0, errors: 0
PoD: requests: 0, transactions: 0
retransmissions: 0, active transactions: 0
--More--   Ack responses: 0, Nak reponses: 0
invalid requests: 0, errors: 0
Average Ack response time: 0 msec
Requests per minute past 24 hours:
high - 3 hours, 45 minutes ago: 0
low - 3 hours, 45 minutes ago: 0
average: 0

Dropped request packets: 0
Switch#sh aaa ss essions
Total sessions since last reload: 108
Session Id: 176
Unique Id: 186

Switch# sh aaa user all
--------------------------------------------------
Unique id 186 is currently in use.
No data for type 0
No data for type EXEC
No data for type CONN
NET: Username=(n/a)
Session Id=000000B0 Unique Id=000000BA
Start Sent=0 Stop Only=N
stop_has_been_sent=N
Method List=0
Attribute list:
090CA57C 0 00000001 session-id(408) 4 176(B0)
090CA5B0 0 00000001 start_time(418) 4 Sep 18 2024 16:33:38
--------
No data for type CMD
No data for type SYSTEM
No data for type VRRS
No data for type RM CALL
No data for type RM VPDN
No data for type AUTH PROXY
No data for type DOT1X
No data for type CALL
No data for type VPDN-TUNNEL
--More--   No data for type VPDN-TUNNEL-LINK
No data for type IPSEC-TUNNEL
No data for type MCAST
No data for type RESOURCE
No data for type SSG
No data for type IDENTITY
No data for type ConnectedApps
Accounting:
log=0x18001
Events recorded :
CALL START
INTERIM START
INTERIM STOP
update method(s) :
NEWINFO
update interval = 0
Outstanding Stop Records : 0
Dynamic attribute list:
090CA57C 0 00000001 connect-progress(75) 4 No Progress
090CA5B0 0 00000001 pre-session-time(334) 4 65(41)
090CA5E4 0 00000001 elapsed_time(414) 4 0(0)
090CA618 0 00000001 pre-bytes-in(330) 4 0(0)
090CA64C 0 00000001 pre-bytes-out(331) 4 0(0)
--More--   090CA680 0 00000001 pre-paks-in(332) 4 0(0)
090CA6B4 0 00000001 pre-paks-out(333) 4 0(0)
Debg: No data available
Radi: No data available
Interface:
TTY Num = 1
Stop Received = 0
Byte/Packet Counts till Call Start:
Start Bytes In = 0 Start Bytes Out = 0
Start Paks In = 0 Start Paks Out = 0
Byte/Packet Counts till Service Up:
Pre Bytes In = 0 Pre Bytes Out = 0
Pre Paks In = 0 Pre Paks Out = 0
Cumulative Byte/Packet Counts :
Bytes In = 0 Bytes Out = 0
Paks In = 0 Paks Out = 0
StartTime = 16:33:38 HKG Sep 18 2024
Component = Exec
Authen: service=LOGIN type=ASCII method=LOCAL
Kerb: No data available
Meth: No data available
Preauth: No Preauth data.
General:
--More--   Unique Id = 000000BA
Session Id = 000000B0
Attribute List:
090CA57C 0 00000081 interface(221) 4 tty1
090CA5B0 0 00000001 port-type(225) 4 Virtual Terminal
090CA5E4 0 00000081 clid(36) 14 192.168.81.161
PerU: No data available
Service Profile: No Service Profile data.
Unkn: No data available
Unkn: No data available

Switch#sh auth
Switch#sh authentication his

Switch#sh authentication his   sessions
No sessions currently exist

Piaa 
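The `show aaa servers` counters above carry the useful signal in this post: zero authentication requests on both ISE nodes (the ports never start a session) and 19 of 19 accounting requests timing out (the switch cannot get an answer from ISE on UDP 1813). Added here as an example and not part of the original post, the parser below reads that output, including the `--More--` pager prompt that leaks into PuTTY captures, and turns each server block into a health verdict. SAMPLE is a constructed, shortened copy of the output pasted above; the function names are this example's own.

```python
"""Parse Cisco IOS 'show aaa servers' output and flag RADIUS servers whose
counters show the switch is not really talking to them.

Added example, not from the thread. SAMPLE is a constructed, shortened copy
of the output captured above (two ISE nodes, no authentication traffic,
every accounting request timing out)."""
import re

SAMPLE = """\
RADIUS: id 1, priority 1, host 10.12.101.10, auth-port 1812, acct-port 1813
State: current UP, duration 4294967s, previous duration 18000s
Dead: total time 18000s, count 1
Authen: request 0, timeouts 0, failover 0, retransmission 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Account: request 19, timeouts 19, failover 1, retransmission 14
Transaction: success 0, failure 5

RADIUS: id 2, priority 2, host 10.12.101.11, auth-port 1812, acct-port 1813
State: current UP, duration 4294967s, previous duration 18000s
Dead: total time 18000s, count 1
Authen: request 0, timeouts 0, failover 0, retransmission 0
Author: request 0, timeouts 0, failover 0, retransmission 0
--More--   Account: request 19, timeouts 19, failover 5, retransmission 14
Transaction: success 0, failure 5
"""

HEADER = re.compile(
    r"RADIUS: id (\d+), priority (\d+), host (\S+), auth-port (\d+), acct-port (\d+)"
)
COUNTER = re.compile(
    r"(Authen|Author|Account): request (\d+), timeouts (\d+), failover (\d+), retransmission (\d+)"
)
DEAD = re.compile(r"Dead: total time (\d+)s, count (\d+)")


def parse_aaa_servers(text):
    """Return one dict per RADIUS server with its authen/author/account counters."""
    servers = []
    cur = None
    for raw in text.splitlines():
        line = raw.replace("--More--", "").strip()  # pager prompt leaks into captured logs
        m = HEADER.search(line)
        if m:
            cur = {"id": int(m[1]), "host": m[3], "auth_port": int(m[4]),
                   "acct_port": int(m[5]), "dead_count": 0}
            servers.append(cur)
            continue
        if cur is None:
            continue  # text before the first server block
        m = COUNTER.match(line)
        if m:
            cur[m[1].lower()] = {"request": int(m[2]), "timeouts": int(m[3]),
                                 "failover": int(m[4]), "retransmission": int(m[5])}
            continue
        m = DEAD.match(line)
        if m:
            cur["dead_count"] = int(m[2])
    return servers


def assess(server):
    """Human-readable issues derived from one server's counters."""
    issues = []
    authen = server.get("authen", {})
    acct = server.get("account", {})
    if authen.get("request", 0) == 0:
        issues.append("no Access-Requests ever sent: ports are not starting 802.1X/MAB")
    if acct.get("request", 0) and acct["timeouts"] >= acct["request"]:
        issues.append("every accounting request timed out: check reachability and shared secret")
    if server["dead_count"]:
        issues.append(f"marked dead {server['dead_count']} time(s) since counters were cleared")
    return issues


def report(text):
    """Map server host -> list of issues."""
    return {s["host"]: assess(s) for s in parse_aaa_servers(text)}


if __name__ == "__main__":
    for host, issues in report(SAMPLE).items():
        print(host, "->", "; ".join(issues) or "healthy")
```

The two verdicts are independent: zero `Authen` requests points at port configuration (nothing asks the switch to authenticate), while accounting timeouts point at the path between switch and ISE, since a RADIUS server that drops packets for a mismatched shared secret looks exactly like one that is unreachable.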

 

 

keith-mk-li
Level 1

I found there is a GPO changing the user computers' network adapter to EAP (PEAP) 802.1X, and I see in the switch "aaa authentication login NO_AUTH none". Does it mean the authentication has been active in the switch and the NIC adapter has been forced to use EAP (PEAP) 802.1X, and it cannot successfully authenticate, which is why it cannot reach the LAN? But it's weird that for the port below, this device needs to be authenticated via ISE by whitelisting the device MAC address; as the authentication has not been active in the switch, how can this device be able to reach the LAN? Any help would be appreciated.

 

interface GigabitEthernet2/0/5
description Devices 
switchport access vlan 3
switchport mode access
authentication host-mode multi-host
authentication order mab
mab
dot1x pae authenticator
spanning-tree portfast
end

 

Switch#sh authentication sessions int gi2/0/5
No sessions match supplied criteria.

Runnable methods list:
Handle Priority Name
9 5 dot1x
16 10 mab
14 15 webauth

 

Piaa

 

 

Is this issue solved?

MHM

keith-mk-li
Level 1

Not resolved.