Clients not authenticating over dot1x after IOS upgrade

Hello everyone!

I have two clients that are not authenticating over dot1x, all others connected to the switch are able to authenticate. I've checked the settings on the workstations and everything is properly configured (the same as the workstations that are working). 

I checked the logs on the RADIUS server and it appears that the radius is not even coming into the picture because there aren't any logs regarding the two workstations. 

The following message is the same for both interfaces. 

Jan 14 15:32:50.862: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (xxxx.xxxx.xxxx) with reason (No Response from Client) on Interface Gi1/0/25 
Jan 14 15:32:50.863: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (xxxx.xxxx.xxxx) on Interface GigabitEthernet1/0/25 AuditSessionID xxxxxxxxxxxxxxxx. Failure reason: Authc fail. Authc failure reason: No Response from Client.

 

I'm on version Fuji 16.9.4 

 

1 ACCEPTED SOLUTION

Rising star

Make sure the supplicant service is running on the client and that there is no firewall running on the device. Also, make sure there is no adapter or transceiver between the PC and the switchport that could not be forwarding the EAPOL frames. You could do a packet capture on the client or SPAN the switchport to see if the client is even sending any EAPOL frames.


2 REPLIES
Cisco Employee

From the logs it seems the clients are not responding to the dot1x request. You can confirm this by taking a pcap on the client machine.
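Both replies suggest a packet capture to see whether the client sends any EAPOL frames. The following is an added example, not code from the posters or from Cisco: it reads a classic pcap file (not pcapng) and counts EAPOL frames (EtherType 0x888E) per source MAC, so a client that never answers shows up as missing. The MAC addresses and capture bytes are constructed sample data.

```python
import struct
from collections import Counter

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "EAP-Request", 2: "EAP-Response", 3: "EAP-Success", 4: "EAP-Failure"}

def eapol_by_sender(pcap: bytes) -> dict:
    """Count EAPOL frames per source MAC in a classic (non-pcapng) Ethernet capture."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    seen, pos = {}, 24
    while pos + 16 <= len(pcap):
        (incl_len,) = struct.unpack(endian + "I", pcap[pos + 8:pos + 12])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        off = 16 if frame[12:14] == b"\x81\x00" else 12  # skip one 802.1Q tag
        if len(frame) < off + 6 or frame[off:off + 2] != b"\x88\x8e":
            continue  # truncated, or EtherType is not 0x888E (EAPOL)
        ptype = frame[off + 3]
        label = EAPOL_TYPES.get(ptype, f"type-{ptype}")
        if ptype == 0 and len(frame) > off + 6:  # EAP-Packet: report the EAP code
            label = EAP_CODES.get(frame[off + 6], label)
        seen.setdefault(frame[6:12].hex(":"), Counter())[label] += 1
    return seen

def build_pcap(frames) -> bytes:
    """Build a little-endian classic pcap (constructed sample data, not a real capture)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed frames: the MACs are made-up locally administered addresses.
PAE = bytes.fromhex("0180c2000003")      # 802.1X PAE group address
SWITCH = bytes.fromhex("020000000001")
CLIENT = bytes.fromhex("020000000025")
REQ_ID = PAE + SWITCH + b"\x88\x8e" + bytes([3, 0, 0, 5, 1, 1, 0, 5, 1])
RESP_ID = PAE + CLIENT + b"\x88\x8e" + bytes([1, 0, 0, 9, 2, 1, 0, 9, 1]) + b"user"
SILENT = build_pcap([REQ_ID] * 3)        # switch keeps asking, client never answers
WORKING = build_pcap([REQ_ID, RESP_ID])  # client answers the identity request

if __name__ == "__main__":
    for name, cap in (("silent", SILENT), ("working", WORKING)):
        print(name, {mac: dict(c) for mac, c in eapol_by_sender(cap).items()})
```

In the silent capture only the switch's MAC appears, with repeated EAP-Request frames, which matches the "No Response from Client" failure reason in the log.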

 
