Re: DOT1X-5-FAIL: Authentication failed for client (Unknown MAC)

samna50042702 · ‎05-13-2019

Hi

I configured dot1x but i received log message

Switch(config)#
*Mar  1 01:10:10.326: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A86403000000100030CD18
*Mar  1 01:10:10.326: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A86403000000100030CD18
*Mar  1 01:10:10.326: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A86403000000100030CD18
*Mar  1 01:10:10.326: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa0/3

don't authenticate but when disable enable NIC's client authentication is success .

please help me

Mike.Cifelli · ‎05-13-2019

Please share your interface configs. Also, are you using a native supplicant or Anyconnect?

samna50042702 · ‎05-13-2019

I using native supplicant
aaa authentication login default group radius local
aaa authentication dot1x default group radius local
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 com1 group tacacs+ local if-authenticated
aaa authorization commands 15 com15 group tacacs+ local if-authenticated
aaa authorization network default group radius local
aaa accounting dot1x default start-stop group radius
aaa accounting exec exec start-stop group tacacs+
aaa accounting commands 1 com1 start-stop group tacacs+
aaa accounting commands 15 com15 start-stop group tacacs+
! ! ! ! ! ! aaa session-id common system mtu routing 1500 authentication mac-move permit
! ! no ip domain-lookup ! ! !
dot1x system-auth-control ! ! ! ! !
spanning-tree mode pvst spanning-tree extend system-id !
vlan internal allocation policy ascending ! ! !
interface FastEthernet0/3 switchport access vlan 10
switchport mode access
authentication port-control auto
dot1x pae authenticator mab
dot1x timeout tx-period 5
! ! interface Vlan1 no ip address shutdown !
interface Vlan10 ip address 192.168.100.3 255.255.255.0
! radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
! ip http server
ip http secure-server
ip radius source-interface Vlan10
radius-server host 192.168.100.4 key 1234
! ! ! ! line con 0 line vty 0 4 authorization commands 1 com1 authorization commands 15 com15 authorization exec exec accounting commands 1 com1
accounting commands 15 com15
accounting exec exec transport input telnet line vty 5 15 authorization commands 1 com1
authorization commands 15 com15
authorization exec exec
accounting commands 1 com1
accounting commands 15 com15
accounting exec exec transport input telnet

Mike.Cifelli · ‎05-13-2019

So based on this comment: don't authenticate but when disable enable NIC's client authentication is success

When you trigger it via the nic bounce the node actually authenticates via 8021x? What is used as the identity? Can you share what ISE live log says on failure & a successful attempt?

I am a little confused based on your comment. Have you attempted this:
authentication order dot1x mab
authentication priority dot1x mab

Also, is your end goal to authenticate nodes via mac address? If so, test with the commands above and maybe re-order them so mab is tried first.