DOT1X-5-FAIL: Authentication failed for client (Unknown MAC)
05-13-2019 05:32 AM - edited 05-13-2019 06:25 AM
Hi,
I configured dot1x but I received this log message:
Switch(config)#
*Mar 1 01:10:10.326: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A86403000000100030CD18
*Mar 1 01:10:10.326: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A86403000000100030CD18
*Mar 1 01:10:10.326: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A86403000000100030CD18
*Mar 1 01:10:10.326: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa0/3
It doesn't authenticate, but when I disable and enable the client's NIC, authentication is successful.
Please help me.
Labels: Identity Services Engine (ISE)
05-13-2019 05:56 AM
Please share your interface configs. Also, are you using a native supplicant or AnyConnect?
05-13-2019 06:05 AM - edited 05-13-2019 06:18 AM
I am using the native supplicant.
aaa authentication login default group radius local
aaa authentication dot1x default group radius local
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 com1 group tacacs+ local if-authenticated
aaa authorization commands 15 com15 group tacacs+ local if-authenticated
aaa authorization network default group radius local
aaa accounting dot1x default start-stop group radius
aaa accounting exec exec start-stop group tacacs+
aaa accounting commands 1 com1 start-stop group tacacs+
aaa accounting commands 15 com15 start-stop group tacacs+
!
!
!
!
!
!
aaa session-id common
system mtu routing 1500
authentication mac-move permit
!
!
no ip domain-lookup
!
!
!
dot1x system-auth-control
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 mab
 dot1x timeout tx-period 5
!
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 192.168.100.3 255.255.255.0
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
ip http server
ip http secure-server
ip radius source-interface Vlan10
radius-server host 192.168.100.4 key 1234
!
!
!
!
line con 0
line vty 0 4
 authorization commands 1 com1
 authorization commands 15 com15
 authorization exec exec
 accounting commands 1 com1
 accounting commands 15 com15
 accounting exec exec
 transport input telnet
line vty 5 15
 authorization commands 1 com1
 authorization commands 15 com15
 authorization exec exec
 accounting commands 1 com1
 accounting commands 15 com15
 accounting exec exec
 transport input telnet
05-13-2019 09:02 AM
So based on this comment: "don't authenticate but when disable enable NIC's client authentication is success"
When you trigger it via the NIC bounce, the node actually authenticates via 802.1X? What is used as the identity? Can you share what the ISE live log says on a failed and a successful attempt?
I am a little confused based on your comment. Have you attempted this:
authentication order dot1x mab
authentication priority dot1x mab
Also, is your end goal to authenticate nodes via MAC address? If so, test with the commands above and maybe re-order them so mab is tried first.
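An added example, not part of any post in this thread: a small Python triage script that groups the %DOT1X/%AUTHMGR messages quoted in the question by interface and reports the ports where every authentication method was exhausted. The Fa0/5 lines, their session ID and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Fa0/3 lines are the messages quoted in the thread; the Fa0/5 lines are
# constructed in the same format (a port that fails over but is not exhausted).
SAMPLE_LOG = """\
*Mar 1 01:10:10.326: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A86403000000100030CD18
*Mar 1 01:10:10.326: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A86403000000100030CD18
*Mar 1 01:10:10.326: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A86403000000100030CD18
*Mar 1 01:10:10.326: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa0/3
*Mar 1 01:12:40.101: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/5 AuditSessionID C0A86403000000110031AA20
*Mar 1 01:12:40.101: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/5 AuditSessionID C0A86403000000110031AA20
"""

# %FACILITY-SEVERITY-MNEMONIC: text for client (<mac>) on Interface <port> [AuditSessionID <id>]
MSG = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*?)"
    r" for client \((?P<client>[^)]*)\) on Interface (?P<port>\S+)"
    r"(?: AuditSessionID (?P<session>[0-9A-Fa-f]+))?\s*$"
)
RESULT = re.compile(r"Authentication result '([^']+)' from '([^']+)'")


def summarize(log_text):
    """Group DOT1X/AUTHMGR messages per interface: methods tried, results, exhaustion."""
    ports = defaultdict(lambda: {"clients": set(), "sessions": set(),
                                 "results": [], "exhausted": False})
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m or m["facility"] not in ("DOT1X", "AUTHMGR"):
            continue
        entry = ports[m["port"]]
        entry["clients"].add(m["client"])
        if m["session"]:  # NOMOREMETHODS in the thread carries no session ID
            entry["sessions"].add(m["session"])
        if m["mnemonic"] == "RESULT":
            r = RESULT.search(m["text"])
            if r:
                entry["results"].append((r.group(2), r.group(1)))  # (method, result)
        elif m["mnemonic"] == "NOMOREMETHODS":
            entry["exhausted"] = True
    return dict(ports)


def exhausted_ports(log_text):
    """Ports left with no method to try, with the (method, result) pairs that led there."""
    return {p: e["results"] for p, e in sorted(summarize(log_text).items()) if e["exhausted"]}


if __name__ == "__main__":
    for port, results in exhausted_ports(SAMPLE_LOG).items():
        print(port, results)
```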
