03-14-2019 02:15 AM
Hi all,
I have set up ISE on VMware and am using a real switch for authentication configurations and a test PC. The network device is set up in ISE together with the MAC address of the client, however there is an authentication failure! I have disabled Windows Firewall on the host and test PC but no success. Kindly advise how I can sort this out. Please find the switch configs attached!
Thanks!
03-14-2019 04:03 AM
03-14-2019 05:31 AM
03-14-2019 04:14 AM - edited 03-14-2019 04:17 AM
In addition to the other post.
You need to check RADIUS connectivity on UDP ports 1812 and 1813.
If you type show aaa server on the switch you will see the RADIUS status dead.
Can you also enable debug (to see what is wrong), since if the packet has not reached ISE, ISE would not have any logs in this case.
debug radius
debug authentication all
debug authentication feature all
03-14-2019 05:27 AM
Hi Balaji,
Firstly, thanks for the prompt response. I have captured logs from the switch (please find attached). Kindly clarify which device I am checking for ports 1812/1813, and if it's the switch, how will I check this. I have checked from the ISE GUI, Operations > Live Authentication (is this the correct place?), there is much there just old authentication failure.
Just to clarify, f0/1 is connected to my laptop where ISE is running, f0/3 is connected to the test PC.
I came across these lines in the logs; does it mean dot1x is not enabled on the test PC?
Jan 2 04:47:38.428: AUTH-FEAT-CRITICAL-EVENT (Fa0/3) Critcal authc fail, mac a0d3.c19c.5956, auth_event 2
*Jan 2 04:47:38.428: AUTH-FEAT-CRITICAL-EVENT (Fa0/3) Critical auth not applicable. Feature is not enabled
Thanks once more!
03-14-2019 05:35 AM
In your snapshot you will see the column "details".
Please click on that and provide a screenshot of those logs.
As well, please provide the authentication policy you have set up.
03-14-2019 05:50 AM
Hi Idanny,
Thanks for your response. I have taken snapshots of the detail column. It's a fresh installation and I am just beginning to use ISE, so I didn't set any authentication policy on ISE.
03-14-2019 06:01 AM
03-15-2019 07:57 AM
Hi,
Please find more debugs from today's troubleshooting. Thanks.
SW1#
*Jan 2 03:03:18.387: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
*Jan 2 03:03:18.387: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
*Jan 2 03:03:18.387: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
*Jan 2 03:03:18.387: %AUTHMGR-7-NOM
SW1#OREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
*Jan 2 03:03:18.387: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
SW1#
*Jan 2 03:04:06.999: %AUTHMGR-5-START: Starting 'dot1x' for client (0022.64b3.0b38) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
SW1#test aaa group radisu us j Joseph @i Winter2019 ke legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated.
SW1#
*Jan 2 03:04:50.905: RADIUS: Pick NAS IP for u=0x593D66C tableid=0 cfg_addr=0.0.0.0
*Jan 2 03:04:50.905: RADIUS(00000000): Config NAS IPv6: ::
*Jan 2 03:04:50.905: RADIUS: ustruct sharecount=1
*Jan 2 03:04:50.905: Radius: radius_port_info() success=0 radius_nas_port=1
*Jan 2 03:04:50.905: RADIUS/ENCODE: Best Local IP-Address 192.168.159.2 for Radius-Server 192.168.159.145
*Jan 2 03:04:50.905: RADIUS(00000000): Send Access-Requ
SW1#est to 192.168.159.145:1645 id 1645/6, len 58
*Jan 2 03:04:50.905: RADIUS: authenticator FD 02 72 DE 6F 30 CD 7A - C1 2C 09 6A B0 2D 02 9E
*Jan 2 03:04:50.905: RADIUS: NAS-IP-Address [4] 6 192.168.159.2
*Jan 2 03:04:50.905: RADIUS: NAS-Port-Type [61] 6 Async [0]
*Jan 2 03:04:50.905: RADIUS: User-Name [1] 8 "Joseph"
*Jan 2 03:04:50.905: RADIUS: User-Password [2] 18 *
*Jan 2 03:04:50.905: RADIUS(00000000): Sending a IP
SW1#v4 Radius Packet
*Jan 2 03:04:50.905: RADIUS(00000000): Started 5 sec timeout
*Jan 2 03:04:50.972: RADIUS: Received from id 1645/6 192.168.159.145:1645, Access-Accept, len 122
*Jan 2 03:04:50.972: RADIUS: authenticator F1 D9 34 78 8E DE 1A 14 - 96 23 04 67 EA 4A D3 8A
*Jan 2 03:04:50.972: RADIUS: User-Name [1] 8 "Joseph"
*Jan 2 03:04:50.972: RADIUS: State [24] 40
*Jan 2 03:04:50.972: RADIUS: 52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 63 30 [ReauthSession:c0] SW1#
*Jan 2 03:04:50.972: RADIUS: 61 38 39 66 39 31 30 30 30 30 30 30 30 35 35 43 [a89f91000000055C]
*Jan 2 03:04:50.972: RADIUS: 38 42 42 37 46 32 [ 8BB7F2]
*Jan 2 03:04:50.972: RADIUS: Class [25] 48
*Jan 2 03:04:50.972: RADIUS: 43 41 43 53 3A 63 30 61 38 39 66 39 31 30 30 30 [CACS:c0a89f91000]
*Jan 2 03:04:50.972: RADIUS: 30 30 30 30 35 35 43 38 42 42 37 46 32 3A 49 53 [000055C8BB7F2:IS]
*Jan 2 03:04:50.972: RADIUS: 45 31 2F 33 34 32 30 30 33 38 35 33 2F
SW1#36 [ E1/342003853/6]
*Jan 2 03:04:50.972: RADIUS: Termination-Action [29] 6 1
*Jan 2 03:04:50.980: RADIUS: saved authorization data for user 593D66C at 593AC94
SW1#
*Jan 2 03:05:32.429: %DOT1X-5-FAIL: Authentication failed for client (0022.64b3.0b38) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
*Jan 2 03:05:32.429: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0022.64b3.0b38) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
SW1#
*Jan 2 03:05:32.429: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0022.64b3.0b38) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
SW1#
*Jan 2 03:08:05.068: %DOT1X-5-FAIL: Authentication failed for client (0022.64b3.0b38) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
SW1#
*Jan 2 03:08:05.068: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (0022.64b3.0b38) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
SW1#
*Jan 2 03:09:38.005: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:09:38.005: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:09:38.005: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:09:38.005: %AUTHMGR-7-NOM
SW1#OREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:09:38.005: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
SW1#
*Jan 2 03:12:10.661: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:12:10.661: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:12:10.661: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:12:10.661: %AUTHMGR-7-NOM
SW1#OREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:12:10.661: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
SW1#
*Jan 2 03:14:43.988: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:14:43.988: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:14:43.988: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:14:43.988: %AUTHMGR-7-NOM
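Added example, not part of any post in the thread: a Python sketch that rejoins debug lines cut in two by the `SW1#` prompt, as in the output above, and tallies the AUTHMGR results and RADIUS exchanges it finds. The sample log, its addresses, MAC and session ID, and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the message formats shown in the thread (addresses,
# MAC and session ID are made up). "SW1#" splits two lines as on the console.
SAMPLE = """\
*Jan 2 03:03:18.387: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID AAAA0001
*Jan 2 03:03:18.387: %AUTHMGR-7-NOM
SW1#OREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa0/3 AuditSessionID AAAA0001
SW1#
*Jan 2 03:04:50.905: RADIUS(00000000): Send Access-Requ
SW1#est to 192.0.2.10:1645 id 1645/6, len 58
*Jan 2 03:04:50.972: RADIUS: Received from id 1645/6 192.0.2.10:1645, Access-Accept, len 122
*Jan 2 03:05:32.429: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0011.2233.4455) on Interface Fa0/3 AuditSessionID AAAA0001
*Jan 2 03:08:05.068: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (0011.2233.4455) on Interface Fa0/3 AuditSessionID AAAA0001
"""

RESULT = re.compile(r"%AUTHMGR-7-RESULT: Authentication result '([\w-]+)' from '(\w+)' "
                    r"for client \(([^)]+)\) on Interface (\S+)")
NOMORE = re.compile(r"%AUTHMGR-7-NOMOREMETHODS: .*? on Interface (\S+)")
SENT = re.compile(r"Send Access-Request to ([\d.]+):(\d+) id (\d+/\d+)")
RECV = re.compile(r"Received from id (\d+/\d+) ([\d.]+):(\d+), (Access-\w+)")

def rejoin(text, prompt="SW1#"):
    """Undo console prompt redraws that cut a debug line in two."""
    return text.replace("\n" + prompt, "")

def summarize(text, prompt="SW1#"):
    text = rejoin(text, prompt)
    # Key: (interface, client, method, result) -> number of occurrences.
    results = Counter((m[4], m[3], m[2], m[1]) for m in RESULT.finditer(text))
    exhausted = Counter(m[1] for m in NOMORE.finditer(text))
    # Pair each Access-Request with the reply carrying the same packet id.
    replies = {m[1]: m[4] for m in RECV.finditer(text)}
    radius = [(m[1], int(m[2]), replies.get(m[3], "no reply logged"))
              for m in SENT.finditer(text)]
    return {"results": results, "exhausted": exhausted, "radius": radius}

if __name__ == "__main__":
    s = summarize(SAMPLE)
    for (intf, client, method, result), n in s["results"].items():
        print(f"{intf} {client:15} {method}: {result} x{n}")
    for server, port, reply in s["radius"]:
        print(f"RADIUS {server}:{port} -> {reply}")
```

The tally keeps the per-port dot1x results separate from the RADIUS exchange, which in the capture above goes to port 1645 and returns Access-Accept.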