09-17-2024 02:19 AM - last edited on 09-17-2024 02:25 AM by shaiksh
Dear All,
I have a question: what is the difference between the two commands below? The Site A configuration has authentication enabled, whereas Site B's does not. At Site A all computers can access the network, whereas at Site B they are not obtaining any IP addresses at all. Since authentication has not been activated on the Site B switch ports, I do not understand why the laptops cannot obtain IP addresses, as both switches have self-signed certificates and AAA configured. I just wonder whether anything else needs to be configured on the computer itself? The previous colleague has left the company, and I do not have enough information on what he had done. Any help would be appreciated.
From Site A
!
interface GigabitEthernet1/0/9
description User
switchport access vlan 100
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
From Site B
!
interface GigabitEthernet1/0/5
description User data port
switchport mode access
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
Piaa
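As an added example (not code from the thread, and not Cisco's), the following Python script parses the two interface blocks above and reports whether each port is actually placed under authentication control. On IOS, `mab` and `dot1x pae authenticator` only enable the methods; a port is put under authentication control by `authentication port-control auto` (legacy auth-manager syntax) or `access-session port-control auto` (new-style syntax), and without either the port stays force-authorized, no session is built, and `show authentication sessions` returns nothing. The checks for an access VLAN and for a subscriber control policy are the other points the thread raises; the report structure and function names are the example's own.

```python
"""Lint Cisco IOS access-port configs for 802.1X/MAB enforcement gaps.
Added example; the two interface blocks are copied from the thread, the
checks encode the meaning of the IOS port-control commands."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SITE_A = """\
interface GigabitEthernet1/0/9
 description User
 switchport access vlan 100
 switchport mode access
 device-tracking attach-policy IPDT_POLICY
 authentication periodic
 authentication timer reauthenticate server
 access-session closed
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 service-policy type control subscriber ISE_POLICY
"""

SITE_B = """\
interface GigabitEthernet1/0/5
 description User data port
 switchport mode access
 authentication event fail action next-method
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity 180
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
"""


@dataclass
class PortReport:
    name: str
    style: str                 # "new-style", "legacy" or "none"
    enforced: bool             # True when a port-control auto command is present
    access_vlan: Optional[int]
    findings: List[str] = field(default_factory=list)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config excerpt into {interface name: [sub-commands]}."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line in ("!", "end"):
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def lint_port(name: str, cmds: List[str]) -> PortReport:
    cmdset = set(cmds)
    legacy = "authentication port-control auto" in cmdset
    new_style = "access-session port-control auto" in cmdset
    style = "new-style" if new_style else ("legacy" if legacy else "none")
    vlan: Optional[int] = None
    for c in cmds:
        m = re.match(r"switchport access vlan (\d+)$", c)
        if m:
            vlan = int(m.group(1))
    rep = PortReport(name, style, legacy or new_style, vlan)

    methods_on = "mab" in cmdset or "dot1x pae authenticator" in cmdset
    if methods_on and not rep.enforced:
        rep.findings.append("mab/dot1x configured but no '... port-control auto': "
                            "port is force-authorized, no session is created")
    if new_style and not any(c.startswith("service-policy type control subscriber") for c in cmds):
        rep.findings.append("new-style port-control without a subscriber control policy")
    if "switchport mode access" in cmdset and vlan is None:
        rep.findings.append("no 'switchport access vlan': port falls into VLAN 1")
    return rep


def lint_config(config: str) -> Dict[str, PortReport]:
    """Lint every interface block found in a config excerpt."""
    return {n: lint_port(n, c) for n, c in parse_interfaces(config).items()}


if __name__ == "__main__":
    for label, cfg in (("Site A", SITE_A), ("Site B", SITE_B)):
        for rep in lint_config(cfg).values():
            print(f"{label} {rep.name}: style={rep.style} enforced={rep.enforced} vlan={rep.access_vlan}")
            for f in rep.findings:
                print("   -", f)
```

Run it as-is to compare the two blocks; feed it the full `show running-config` of a switch to get one report per access port.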
09-17-2024 04:33 AM
It depends on the model of the switches here, and whether your Layer 3 VLAN SVI has a helper address or not.
Try adding the access VLAN config (switchport access vlan 100) on Site B and check.
The guide below will help you with more information:
09-17-2024 04:36 AM
authentication order mab dot1x <<- change the order to make it dot1x mab
authentication priority dot1x mab
Then check.
MHM
09-17-2024 07:33 AM
Did they successfully authenticate? You have not provided any information about the authentications from the respective switch.
Without any other details, it sounds like a DHCP problem.
09-18-2024 01:44 AM
The DHCP server is leasing IPs from the site itself. Please find below the running config and AAA logs; I found there are no authentication sessions in the switch at all. Kindly check whether the settings are correct? In ISE I don't see any logging from this IP segment at this site.
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2024.09.18 14:29:01 =~=~=~=~=~=~=~=~=~=~=~=
login as: cisco
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
Switch>en
Password:
Switch#sh run
Building configuration...
Current configuration : 58518 bytes
!
! Last configuration change at 15:34:19 HKG Tue Sep 17 2024 by adm_kli
! NVRAM config last updated at 12:01:52 HKG Mon Sep 16 2024 by adm_klam
!
version 15.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
enable secret 5
!
aaa new-model
!
!
aaa group server radius ISE
server name ISE1
server name ISE2
deadtime 300
!
aaa authentication login NO_AUTH none
aaa authentication login SSH-LOGIN local
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting delay-start all
aaa accounting update newinfo
aaa accounting auth-proxy default start-stop group ISE
aaa accounting dot1x default start-stop group ISE
aaa accounting network default start-stop group ISE
!
!
!
!
!
aaa server radius dynamic-author
client 10.12.101.10 server-key 7 01360xxxxxxxxxxxxxxx
client 10.12.101.11 server-key 7 14321xxxxxxxxxxxxxxx
!
aaa session-id common
clock timezone HKG 8 0
switch 1 provision ws-c2960x-48lps-l
switch 2 provision ws-c2960x-48lps-l
switch 3 provision ws-c2960x-48lps-l
!
!
login on-success log
vtp mode transparent
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2xxxxxxxxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2xxxxxxxxx
revocation-check none
rsakeypair TP-self-signed-2xxxxxxxxxxx
!
!
crypto pki certificate chain TP-self-signed-2xxxxxxxx
certificate self-signed 01
quit
dot1x system-auth-control
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
vlan 3
name Devices
!
vlan 100
name WiFi
!
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel1
description uplink to C9200 Switch
switchport mode trunk
!
interface Port-channel2
description uplink to Server
switchport mode access
switchport nonegotiate
!
interface FastEthernet0
no ip address
shutdown
!
interface GigabitEthernet1/0/1
description User data port
switchport mode access
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
interface GigabitEthernet1/0/2
description User data port
switchport mode access
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
interface GigabitEthernet1/0/3
description User data port
switchport mode access
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
==========================================================================================
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2024.09.18 16:33:36 =~=~=~=~=~=~=~=~=~=~=~=
login as: cisco
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
Switch>en
Password:
Switch#sh aaa server
RADIUS: id 1, priority 1, host 10.12.101.10, auth-port 1812, acct-port 1813
State: current UP, duration 4294967s, previous duration 18000s
Dead: total time 18000s, count 1
Quarantined: No
Authen: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 19, timeouts 19, failover 1, retransmission 14
Request: start 0, interim 0, stop 5
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 5
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 12w4h38m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 3 hours, 45 minutes ago: 0
low - 3 hours, 45 minutes ago: 0
average: 0
RADIUS: id 2, priority 2, host 10.12.101.11, auth-port 1812, acct-port 1813
State: current UP, duration 4294967s, previous duration 18000s
Dead: total time 18000s, count 1
Quarantined: No
Authen: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 19, timeouts 19, failover 5, retransmission 14
Request: start 0, interim 0, stop 5
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 5
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 12w4h37m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 3 hours, 44 minutes ago: 0
low - 3 hours, 44 minutes ago: 0
average: 0
Switch#sh aaa sessions
Total sessions since last reload: 108
Session Id: 176
Unique Id: 186
User Name: cisco
IP Address: 192.168.1.132
Idle Time: 0
CT Call Handle: 0
Switch# sh radius statistics
Auth. Acct. Both
Maximum inQ length: NA NA 2
Maximum waitQ length: NA NA 4
Maximum doneQ length: NA NA 1
Total responses seen: 68 134 202
Packets with responses: 68 134 202
Packets without responses: 0 4 4
Access Rejects : 0
Average response delay(ms): 1496 218 649
Maximum response delay(ms): 35379 5240 35379
Number of Radius timeouts: 8 40 48
Duplicate ID detects: 0 0 0
Buffer Allocation Failures: 0 0 0
Maximum Buffer Size (bytes): 279 335 335
Malformed Responses : 0 0 0
Bad Authenticators : 0 0 0
Unknown Responses : 0 0 0
Source Port Range: (2 ports only)
1645 - 1646
Last used Source Port/Identifier:
1645/68
1646/178
Elapsed time since counters last cleared: 39w3d12h30m
Radius Latency Distribution:
<= 2ms : 0 0
3-5ms : 0 0
5-10ms : 0 0
10-20ms: 0 0
20-50ms: 0 0
50-100m: 0 0
>100ms : 68 134
Current inQ length : 0
Current doneQ length: 0
Switch#sh aaa l clients
Dynamic Author Client 10.12.101.10
CoA: requests: 0, transactions: 0
retransmissions: 0, active transactions: 0
Ack responses: 0, Nak reponses: 0
invalid requests: 0, errors: 0
PoD: requests: 0, transactions: 0
retransmissions: 0, active transactions: 0
Ack responses: 0, Nak reponses: 0
invalid requests: 0, errors: 0
Average Ack response time: 0 msec
Requests per minute past 24 hours:
high - 3 hours, 45 minutes ago: 0
low - 3 hours, 45 minutes ago: 0
average: 0
Dynamic Author Client 10.12.101.11
CoA: requests: 0, transactions: 0
retransmissions: 0, active transactions: 0
Ack responses: 0, Nak reponses: 0
invalid requests: 0, errors: 0
PoD: requests: 0, transactions: 0
retransmissions: 0, active transactions: 0
Ack responses: 0, Nak reponses: 0
invalid requests: 0, errors: 0
Average Ack response time: 0 msec
Requests per minute past 24 hours:
high - 3 hours, 45 minutes ago: 0
low - 3 hours, 45 minutes ago: 0
average: 0
Dropped request packets: 0
Switch#sh aaa ss essions
Total sessions since last reload: 108
Session Id: 176
Unique Id: 186
Switch# sh aaa user all
--------------------------------------------------
Unique id 186 is currently in use.
No data for type 0
No data for type EXEC
No data for type CONN
NET: Username=(n/a)
Session Id=000000B0 Unique Id=000000BA
Start Sent=0 Stop Only=N
stop_has_been_sent=N
Method List=0
Attribute list:
090CA57C 0 00000001 session-id(408) 4 176(B0)
090CA5B0 0 00000001 start_time(418) 4 Sep 18 2024 16:33:38
--------
No data for type CMD
No data for type SYSTEM
No data for type VRRS
No data for type RM CALL
No data for type RM VPDN
No data for type AUTH PROXY
No data for type DOT1X
No data for type CALL
No data for type VPDN-TUNNEL
No data for type VPDN-TUNNEL-LINK
No data for type IPSEC-TUNNEL
No data for type MCAST
No data for type RESOURCE
No data for type SSG
No data for type IDENTITY
No data for type ConnectedApps
Accounting:
log=0x18001
Events recorded :
CALL START
INTERIM START
INTERIM STOP
update method(s) :
NEWINFO
update interval = 0
Outstanding Stop Records : 0
Dynamic attribute list:
090CA57C 0 00000001 connect-progress(75) 4 No Progress
090CA5B0 0 00000001 pre-session-time(334) 4 65(41)
090CA5E4 0 00000001 elapsed_time(414) 4 0(0)
090CA618 0 00000001 pre-bytes-in(330) 4 0(0)
090CA64C 0 00000001 pre-bytes-out(331) 4 0(0)
090CA680 0 00000001 pre-paks-in(332) 4 0(0)
090CA6B4 0 00000001 pre-paks-out(333) 4 0(0)
Debg: No data available
Radi: No data available
Interface:
TTY Num = 1
Stop Received = 0
Byte/Packet Counts till Call Start:
Start Bytes In = 0 Start Bytes Out = 0
Start Paks In = 0 Start Paks Out = 0
Byte/Packet Counts till Service Up:
Pre Bytes In = 0 Pre Bytes Out = 0
Pre Paks In = 0 Pre Paks Out = 0
Cumulative Byte/Packet Counts :
Bytes In = 0 Bytes Out = 0
Paks In = 0 Paks Out = 0
StartTime = 16:33:38 HKG Sep 18 2024
Component = Exec
Authen: service=LOGIN type=ASCII method=LOCAL
Kerb: No data available
Meth: No data available
Preauth: No Preauth data.
General:
Unique Id = 000000BA
Session Id = 000000B0
Attribute List:
090CA57C 0 00000081 interface(221) 4 tty1
090CA5B0 0 00000001 port-type(225) 4 Virtual Terminal
090CA5E4 0 00000081 clid(36) 14 192.168.81.161
PerU: No data available
Service Profile: No Service Profile data.
Unkn: No data available
Unkn: No data available
Switch#sh auth
Switch#sh authentication his
Switch#sh authentication his sessions
No sessions currently exist
Piaa
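As an added example, not from the thread, the following Python parses the `show aaa server` output above (the header and counter lines for both ISE servers are embedded as sample input) and flags the counters a responder would look at first: an Access-Request count of zero, accounting requests that all timed out, and a non-zero dead count. The shared-secret remark rests on RADIUS behaviour the switch cannot see: a server silently discards an Accounting-Request whose authenticator does not verify (RFC 2866), so from the switch side a wrong key is indistinguishable from an unreachable server. Function names and the finding wording are the example's own.

```python
"""Parse Cisco IOS `show aaa server` output and flag RADIUS health problems.
Added example; the sample text is trimmed from the output in the thread."""
import re
from typing import Dict, List

SHOW_AAA_SERVER = """\
RADIUS: id 1, priority 1, host 10.12.101.10, auth-port 1812, acct-port 1813
State: current UP, duration 4294967s, previous duration 18000s
Dead: total time 18000s, count 1
Authen: request 0, timeouts 0, failover 0, retransmission 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Account: request 19, timeouts 19, failover 1, retransmission 14
RADIUS: id 2, priority 2, host 10.12.101.11, auth-port 1812, acct-port 1813
State: current UP, duration 4294967s, previous duration 18000s
Dead: total time 18000s, count 1
Authen: request 0, timeouts 0, failover 0, retransmission 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Account: request 19, timeouts 19, failover 5, retransmission 14
"""

HEADER = re.compile(r"RADIUS: id (\d+), priority \d+, host (\S+), auth-port (\d+), acct-port (\d+)")
DEAD = re.compile(r"Dead: total time (\d+)s, count (\d+)")
COUNTERS = re.compile(r"(Authen|Author|Account): request (\d+), timeouts (\d+), "
                      r"failover (\d+), retransmission (\d+)")


def parse_aaa_servers(text: str) -> List[dict]:
    """Return one dict per RADIUS server with its per-phase counters."""
    servers: List[dict] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = {"id": int(m[1]), "host": m[2], "auth_port": int(m[3]),
                   "acct_port": int(m[4]), "dead_count": 0}
            servers.append(cur)
            continue
        if cur is None:
            continue
        m = DEAD.match(line)
        if m:
            cur["dead_count"] = int(m[2])
            continue
        m = COUNTERS.match(line)
        if m:
            cur[m[1].lower()] = {"request": int(m[2]), "timeouts": int(m[3]),
                                 "failover": int(m[4]), "retransmission": int(m[5])}
    return servers


def assess(server: dict) -> List[str]:
    """Findings a responder would raise from the counters of one server."""
    findings: List[str] = []
    authen: Dict[str, int] = server.get("authen", {})
    if authen.get("request", 0) == 0:
        findings.append("no Access-Request ever sent: no port is submitting "
                        "802.1X/MAB sessions to this server")
    acct: Dict[str, int] = server.get("account", {})
    if acct.get("request", 0) and acct["timeouts"] >= acct["request"]:
        findings.append(f"all {acct['request']} accounting requests timed out: check "
                        f"UDP/{server['acct_port']} reachability and the shared secret "
                        "(a bad authenticator is silently discarded, which looks like a timeout)")
    if server["dead_count"]:
        findings.append(f"server marked dead {server['dead_count']} time(s)")
    return findings


if __name__ == "__main__":
    for srv in parse_aaa_servers(SHOW_AAA_SERVER):
        print(f"RADIUS {srv['host']}:")
        for f in assess(srv):
            print("   -", f)
```

Paste the full `show aaa server` output into `SHOW_AAA_SERVER` (or read it from a file) to get the same findings per server; the parser ignores the lines it does not need.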
09-18-2024 02:37 AM
I found there is a GPO changing the user computers' network adapters to EAP (PEAP) 802.1X, and I see in the switch "aaa authentication login NO_AUTH none". Does it mean that authentication has been active in the switch and the NIC adapter has been forced to use EAP (PEAP) 802.1X, and it cannot successfully authenticate, which is why it cannot reach the LAN? But it is weird that for the port below, the device needs to be authenticated via ISE by whitelisting the device MAC address; since authentication has not been activated in the switch, how can this device reach the LAN? Any help would be appreciated.
interface GigabitEthernet2/0/5
description Devices
switchport access vlan 3
switchport mode access
authentication host-mode multi-host
authentication order mab
mab
dot1x pae authenticator
spanning-tree portfast
end
Switch#sh authentication sessions int gi2/0/5
No sessions match supplied criteria.
Runnable methods list:
Handle Priority Name
9 5 dot1x
16 10 mab
14 15 webauth
Piaa
09-23-2024 03:16 AM
Is this issue solved?
MHM
10-03-2024 08:57 AM
Not resolved.