Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8766
Views
8
Helpful
6
Replies

dot1x auth doesn't work on 3550/60

Istvan kelemen
Level 1
Level 1

‎03-20-2014 10:46 AM - edited ‎03-10-2019 09:33 PM

Hi,

I have configured dot1x based on a cisco config guide. I have tried on both 3550 and 3560 neither worked. I was using radius and local database. The port stays amber.

3560's config:

Aaa new-model

Aaa authentication login default group radius local

Aaa authentication dot1x default group radius local

Dot1x system-auth-control

 

Int fa0/15

Switchport mode access

Switchport access vlan 10

Authentication port-control auto

 

OS's what i tried: win8.1 ubuntu 12.10/13.10 : PEAP

 

Any suggestion? Thanks!

Labels:
0 Helpful
6 Replies 6

Bikramjit Majumdar
Cisco Employee
Cisco Employee

‎03-20-2014 11:39 AM

Hello stvnkelemen, Get us the below outputs: 1] show dot1x int <> detail [2] show authentication session interface <> [3] What kind of authentication are we using for dot1x? [4] show port-security interface <> [5] show tech of the switch. [6] Document that you've followed. [7] show dot1x summary Dot1x communication steps: - First packet from supplicant to Switch is EAPOL-Start(Optional messae depending on software on supplicant). - From Switch to supplicant: EAP-Identity-request (Mandatory) - Supplicant to Sw: EAP-Identity-response (Mandatory) - SW strip off the .1x header and put the original EAP packet inside an ip packet as a radius form of data. (EAP auth exchange). from this point SW will just pass data in between supplicant and AAA server. Note: All Dot1x frames sent to/from supplicant to/from authenticator use the reserved destination MAC 01-80-C2-00-00-03. Regards, Bikramjit

Istvan kelemen
Level 1
Level 1
In response to Bikramjit Majumdar

‎03-20-2014 01:38 PM

Dear Bimajumd,

Thanks for helping me!

Here you go:

Configuration guide attached as pdf.

 

 Sh ver:  WS-C3560-24PS      12.2(55)SE8           C3560-IPSERVICESK9-M

 

 

SW1#show dot1x interface f0/15 details

Dot1x Info for FastEthernet0/15
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30

Dot1x Authenticator Client List Empty

Port Status               = UNAUTHORIZED

 

SW1#show authentication session interface f0/15
            Interface:  FastEthernet0/15
          MAC Address:  Unknown
           IP Address:  Unknown
            User-Name:  UNRESPONSIVE
               Status:  Running
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0063010000000500076EDE
      Acct Session ID:  0x00000007
               Handle:  0x0F000005

Runnable methods list:
       Method   State
       dot1x    Running

 

 

SW1#show port-security interface f0/15
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0


Win8.1 Authentication method: Protected EAP (PEAP)

 

 

 

The authentication is failed... i think there is some protocol mismatch, i am looking the debug now

 

debug dot1x all

 

*Mar  1 00:04:25.312: dot1x-ev(Fa0/15): Interface state changed to UP
*Mar  1 00:04:25.321:     dot1x_auth Fa0/15: initial state auth_initialize has enter
*Mar  1 00:04:25.321: dot1x-sm(Fa0/15): 0x88000001:auth_initialize_enter called
*Mar  1 00:04:25.321:     dot1x_auth Fa0/15: during state auth_initialize, got event 0(cfg_auto)
*Mar  1 00:04:25.321: @@@ dot1x_auth Fa0/15: auth_initialize -> auth_disconnected
*Mar  1 00:04:25.321: dot1x-sm(Fa0/15): 0x88000001:auth_disconnected_enter called
*Mar  1
SW1# 00:04:25.321:     dot1x_auth Fa0/15: idle during state auth_disconnected
*Mar  1 00:04:25.321: @@@ dot1x_auth Fa0/15: auth_disconnected -> auth_restart
*Mar  1 00:04:25.321: dot1x-sm(Fa0/15): 0x88000001:auth_restart_enter called
*Mar  1 00:04:25.321: dot1x-ev(Fa0/15): Sending create new context event to EAP for 0x88000001 (0000.0000.0000)
*Mar  1 00:04:25.321:     dot1x_auth_bend Fa0/15: initial state auth_bend_initialize has enter
*Mar  1 00:04:25.321: dot1x-sm(Fa0/15): 0x88000001:auth_bend_initiali
SW1#ze_enter called
*Mar  1 00:04:25.321:     dot1x_auth_bend Fa0/15: initial state auth_bend_initialize has idle
*Mar  1 00:04:25.321:     dot1x_auth_bend Fa0/15: during state auth_bend_initialize, got event 16383(idle)
*Mar  1 00:04:25.321: @@@ dot1x_auth_bend Fa0/15: auth_bend_initialize -> auth_bend_idle
*Mar  1 00:04:25.321: dot1x-sm(Fa0/15): 0x88000001:auth_bend_idle_enter called
*Mar  1 00:04:25.321: dot1x-ev(Fa0/15): Created a client entry (0x88000001)
*Mar  1 00:04:25.321: dot1x-ev(Fa0/15): Dot1
SW1#x authentication started for 0x88000001 (0000.0000.0000)
*Mar  1 00:04:25.321: dot1x-ev:DOT1X Supplicant not enabled on FastEthernet0/15
*Mar  1 00:04:25.321: dot1x-sm(Fa0/15): Posting !EAP_RESTART on Client 0x88000001
*Mar  1 00:04:25.321:     dot1x_auth Fa0/15: during state auth_restart, got event 6(no_eapRestart)
*Mar  1 00:04:25.321: @@@ dot1x_auth Fa0/15: auth_restart -> auth_connecting
*Mar  1 00:04:25.321: dot1x-sm(Fa0/15): 0x88000001:auth_connecting_enter called
*Mar  1 00:04:25.321: dot1x-sm
SW1#(Fa0/15): 0x88000001:auth_restart_connecting_action called
*Mar  1 00:04:25.321: dot1x-sm(Fa0/15): Posting RX_REQ on Client 0x88000001
*Mar  1 00:04:25.321:     dot1x_auth Fa0/15: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
*Mar  1 00:04:25.321: @@@ dot1x_auth Fa0/15: auth_connecting -> auth_authenticating
*Mar  1 00:04:25.321: dot1x-sm(Fa0/15): 0x88000001:auth_authenticating_enter called
*Mar  1 00:04:25.321: dot1x-sm(Fa0/15): 0x88000001:auth_connecting_authenticating_action calle
SW1#d
*Mar  1 00:04:25.321: dot1x-sm(Fa0/15): Posting AUTH_START for 0x88000001
*Mar  1 00:04:25.321:     dot1x_auth_bend Fa0/15: during state auth_bend_idle, got event 4(eapReq_authStart)
*Mar  1 00:04:25.321: @@@ dot1x_auth_bend Fa0/15: auth_bend_idle -> auth_bend_request
*Mar  1 00:04:25.321: dot1x-sm(Fa0/15): 0x88000001:auth_bend_request_enter called
*Mar  1 00:04:25.321: dot1x-ev(Fa0/15): Sending EAPOL packet to group PAE address
*Mar  1 00:04:25.321: dot1x-ev(Fa0/15): Role determination not require
SW1#d
*Mar  1 00:04:25.321: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar  1 00:04:25.329: dot1x-ev(Fa0/15): Sending out EAPOL packet
*Mar  1 00:04:25.329: EAPOL pak dump Tx
*Mar  1 00:04:25.329: EAPOL Version: 0x3  type: 0x0  length: 0x0005
*Mar  1 00:04:25.329: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
*Mar  1 00:04:25.329: dot1x-packet(Fa0/15): EAPOL packet sent to client 0x88000001 (0000.0000.0000)
*Mar  1 00:04:25.329: dot1x-sm(Fa0/15): 0x88000001:auth_bend_idle_request_action cal
SW1#led
*Mar  1 00:04:25.589: dot1x-ev(Fa0/15): Role determination not required
*Mar  1 00:04:25.589: dot1x-packet(Fa0/15): queuing an EAPOL pkt on Auth Q
*Mar  1 00:04:25.589: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar  1 00:04:25.589: EAPOL pak dump rx
*Mar  1 00:04:25.589: EAPOL Version: 0x1  type: 0x1  length: 0x0000
*Mar  1 00:04:25.589: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/15 CODE= 0,TYPE= 0,LEN= 0

*Mar  1 00:04:25.589: dot1x-packet(Fa0/15): Received an EAPOL
SW1# frame
*Mar  1 00:04:25.589: dot1x-ev(Fa0/15): Received pkt saddr =0023.18e4.9a7c , daddr = 0180.c200.0003,
                    pae-ether-type = 888e.0101.0000
*Mar  1 00:04:25.589: dot1x-ev(Fa0/15): Couldn't find the supplicant in the list
*Mar  1 00:04:25.589: dot1x-ev(Fa0/15): New client detected, notifying AuthMgr
*Mar  1 00:04:25.589: dot1x-ev(Fa0/15): Sending event (0) to Auth Mgr for 0023.18e4.9a7c
*Mar  1 00:04:25.589: dot1x-packet(Fa0/15): Received an EAPOL-Start packet
*Mar  1 00:04:25.589: EAPOL pak d
SW1#ump rx
*Mar  1 00:04:25.589: EAPOL Version: 0x1  type: 0x1  length: 0x0000
*Mar  1 00:04:25.589: dot1x-sm(Fa0/15): Posting EAPOL_START on Client 0x88000001
*Mar  1 00:04:25.589:     dot1x_auth Fa0/15: during state auth_authenticating, got event 4(eapolStart)
*Mar  1 00:04:25.589: @@@ dot1x_auth Fa0/15: auth_authenticating -> auth_aborting
*Mar  1 00:04:25.589: dot1x-sm(Fa0/15): 0x88000001:auth_authenticating_exit called
*Mar  1 00:04:25.589: dot1x-sm(Fa0/15): 0x88000001:auth_aborting_enter called
*M
SW1#ar  1 00:04:25.589: dot1x-ev(Fa0/15): 802.1x method gets the go ahead from Auth Mgr for 0x88000001 (0023.18e4.9a7c)
*Mar  1 00:04:25.589: %AUTHMGR-5-START: Starting 'dot1x' for client (0023.18e4.9a7c) on Interface Fa0/15 AuditSessionID 0A0063010000000100040C6B
*Mar  1 00:04:25.589: dot1x-sm(Fa0/15): Posting AUTH_ABORT for 0x88000001
*Mar  1 00:04:25.589:     dot1x_auth_bend Fa0/15: during state auth_bend_request, got event 1(authAbort)
*Mar  1 00:04:25.589: @@@ dot1x_auth_bend Fa0/15: auth_bend_request
SW1# -> auth_bend_initialize
*Mar  1 00:04:25.589: dot1x-sm(Fa0/15): 0x88000001:auth_bend_initialize_enter called
*Mar  1 00:04:25.589:     dot1x_auth_bend Fa0/15: idle during state auth_bend_initialize
*Mar  1 00:04:25.589: @@@ dot1x_auth_bend Fa0/15: auth_bend_initialize -> auth_bend_idle
*Mar  1 00:04:25.589: dot1x-sm(Fa0/15): 0x88000001:auth_bend_idle_enter called
*Mar  1 00:04:25.589: dot1x-sm(Fa0/15): Posting !AUTH_ABORT on Client 0x88000001
*Mar  1 00:04:25.589:     dot1x_auth Fa0/15: during state
SW1# auth_aborting, got event 20(no_eapolLogoff_no_authAbort)
*Mar  1 00:04:25.589: @@@ dot1x_auth Fa0/15: auth_aborting -> auth_restart
*Mar  1 00:04:25.589: dot1x-sm(Fa0/15): 0x88000001:auth_aborting_exit called
*Mar  1 00:04:25.589: dot1x-sm(Fa0/15): 0x88000001:auth_restart_enter called
*Mar  1 00:04:25.589: dot1x-ev(Fa0/15): Resetting the client 0x88000001 (0023.18e4.9a7c)
*Mar  1 00:04:25.589: dot1x-ev(Fa0/15): Sending create new context event to EAP for 0x88000001 (0023.18e4.9a7c)
*Mar  1 00:04:25.
SW1#589: dot1x-sm(Fa0/15): 0x88000001:auth_aborting_restart_action called
*Mar  1 00:04:25.589: dot1x-sm(Fa0/15): Posting !EAP_RESTART on Client 0x88000001
*Mar  1 00:04:25.589:     dot1x_auth Fa0/15: during state auth_restart, got event 6(no_eapRestart)
*Mar  1 00:04:25.589: @@@ dot1x_auth Fa0/15: auth_restart -> auth_connecting
*Mar  1 00:04:25.589: dot1x-sm(Fa0/15): 0x88000001:auth_connecting_enter called
*Mar  1 00:04:25.589: dot1x-sm(Fa0/15): 0x88000001:auth_restart_connecting_action called
*Mar  1
SW1#00:04:25.589: dot1x-sm(Fa0/15): Posting RX_REQ on Client 0x88000001
*Mar  1 00:04:25.589:     dot1x_auth Fa0/15: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
*Mar  1 00:04:25.597: @@@ dot1x_auth Fa0/15: auth_connecting -> auth_authenticating
*Mar  1 00:04:25.597: dot1x-sm(Fa0/15): 0x88000001:auth_authenticating_enter called
*Mar  1 00:04:25.597: dot1x-sm(Fa0/15): 0x88000001:auth_connecting_authenticating_action called
*Mar  1 00:04:25.597: dot1x-sm(Fa0/15): Posting AUTH_START for 0x
SW1#88000001
*Mar  1 00:04:25.597:     dot1x_auth_bend Fa0/15: during state auth_bend_idle, got event 4(eapReq_authStart)
*Mar  1 00:04:25.597: @@@ dot1x_auth_bend Fa0/15: auth_bend_idle -> auth_bend_request
*Mar  1 00:04:25.597: dot1x-sm(Fa0/15): 0x88000001:auth_bend_request_enter called
*Mar  1 00:04:25.597: dot1x-ev(Fa0/15): Sending EAPOL packet to group PAE address
*Mar  1 00:04:25.597: dot1x-ev(Fa0/15): Role determination not required
*Mar  1 00:04:25.597: dot1x-registry:registry:dot1x_ether_macaddr
SW1# called
*Mar  1 00:04:25.597: dot1x-ev(Fa0/15): Sending out EAPOL packet
*Mar  1 00:04:25.597: EAPOL pak dump Tx
*Mar  1 00:04:25.597: EAPOL Version: 0x3  type: 0x0  length: 0x0005
*Mar  1 00:04:25.597: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
*Mar  1 00:04:25.597: dot1x-packet(Fa0/15): EAPOL packet sent to client 0x88000001 (0023.18e4.9a7c)
*Mar  1 00:04:25.597: dot1x-sm(Fa0/15): 0x88000001:auth_bend_idle_request_action called
*Mar  1 00:04:25.597: dot1x-ev(Fa0/15): Role determination not
SW1#required
*Mar  1 00:04:25.597: dot1x-packet(Fa0/15): Queuing an EAPOL pkt on Authenticator Q
*Mar  1 00:04:25.597: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar  1 00:04:25.597: EAPOL pak dump rx
*Mar  1 00:04:25.597: EAPOL Version: 0x1  type: 0x0  length: 0x000B
*Mar  1 00:04:25.597: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/15 CODE= 2,TYPE= 1,LEN= 11

*Mar  1 00:04:25.597: dot1x-packet(Fa0/15): Received an EAPOL frame
*Mar  1 00:04:25.597: dot1x-ev(Fa0/15): Received p
SW1#kt saddr =0023.18e4.9a7c , daddr = 0180.c200.0003,
                    pae-ether-type = 888e.0100.000b
*Mar  1 00:04:25.597: dot1x-packet(Fa0/15): Received an EAP packet
*Mar  1 00:04:25.597: EAPOL pak dump rx
*Mar  1 00:04:25.597: EAPOL Version: 0x1  type: 0x0  length: 0x000B
*Mar  1 00:04:25.597: dot1x-packet(Fa0/15): Received an EAP packet from 0023.18e4.9a7c
*Mar  1 00:04:25.606: dot1x-sm(Fa0/15): Posting EAPOL_EAP for 0x88000001
*Mar  1 00:04:25.606:     dot1x_auth_bend Fa0/15: during state auth_bend_reques
SW1#t, got event 6(eapolEap)
*Mar  1 00:04:25.606: @@@ dot1x_auth_bend Fa0/15: auth_bend_request -> auth_bend_response
*Mar  1 00:04:25.606: dot1x-sm(Fa0/15): 0x88000001:auth_bend_response_enter called
*Mar  1 00:04:25.606: dot1x-ev(Fa0/15): dot1x_sendRespToServer: Response sent to the server from 0x88000001 (0023.18e4.9a7c)
*Mar  1 00:04:25.606: dot1x-sm(Fa0/15): 0x88000001:auth_bend_request_response_action called
*Mar  1 00:04:25.614: dot1x-ev(Fa0/15): Received an EAP Fail
*Mar  1 00:04:25.614: dot1x-s
SW1#m(Fa0/15): Posting EAP_FAIL for 0x88000001
*Mar  1 00:04:25.614:     dot1x_auth_bend Fa0/15: during state auth_bend_response, got event 10(eapFail)
*Mar  1 00:04:25.614: @@@ dot1x_auth_bend Fa0/15: auth_bend_response -> auth_bend_fail
*Mar  1 00:04:25.614: dot1x-sm(Fa0/15): 0x88000001:auth_bend_response_exit called
*Mar  1 00:04:25.614: dot1x-sm(Fa0/15): 0x88000001:auth_bend_fail_enter called
*Mar  1 00:04:25.614: dot1x-sm(Fa0/15): 0x88000001:auth_bend_response_fail_action called
*Mar  1 00:04:25.614
SW1#:     dot1x_auth_bend Fa0/15: idle during state auth_bend_fail
*Mar  1 00:04:25.614: @@@ dot1x_auth_bend Fa0/15: auth_bend_fail -> auth_bend_idle
*Mar  1 00:04:25.614: dot1x-sm(Fa0/15): 0x88000001:auth_bend_idle_enter called
*Mar  1 00:04:25.614: dot1x-sm(Fa0/15): Posting AUTH_FAIL on Client 0x88000001
*Mar  1 00:04:25.614:     dot1x_auth Fa0/15: during state auth_authenticating, got event 15(authFail)
*Mar  1 00:04:25.614: @@@ dot1x_auth Fa0/15: auth_authenticating -> auth_authc_result
*Mar  1 00:04
SW1#:25.614: dot1x-sm(Fa0/15): 0x88000001:auth_authenticating_exit called
*Mar  1 00:04:25.614: dot1x-sm(Fa0/15): 0x88000001:auth_authc_result_enter called
*Mar  1 00:04:25.614: %DOT1X-5-FAIL: Authentication failed for client (0023.18e4.9a7c) on Interface Fa0/15 AuditSessionID
*Mar  1 00:04:25.614: dot1x-ev(Fa0/15): Sending event (2) to Auth Mgr for 0023.18e4.9a7c
*Mar  1 00:04:25.614: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0023.18e4.9a7c) on Interface Fa0/15 AuditSession
SW1#ID 0A0063010000000100040C6B
*Mar  1 00:04:25.614: %AUTHMGR-5-FAIL: Authorization failed for client (0023.18e4.9a7c) on Interface Fa0/15 AuditSessionID 0A0063010000000100040C6B
*Mar  1 00:04:25.614: dot1x-redundancy: State for client  0023.18e4.9a7c successfully retrieved
*Mar  1 00:04:25.614: dot1x-ev(Fa0/15): Received Authz fail for the client  0x88000001 (0023.18e4.9a7c)
*Mar  1 00:04:25.623: dot1x-sm(Fa0/15): Posting_AUTHZ_FAIL on Client 0x88000001
*Mar  1 00:04:25.623:     dot1x_auth Fa0/15: durin
SW1#g state auth_authc_result, got event 22(authzFail)
*Mar  1 00:04:25.623: @@@ dot1x_auth Fa0/15: auth_authc_result -> auth_held
*Mar  1 00:04:25.623: dot1x-sm(Fa0/15): 0x88000001:auth_held_enter called
*Mar  1 00:04:25.623: dot1x-ev(Fa0/15): Sending EAPOL packet to group PAE address
*Mar  1 00:04:25.623: dot1x-ev(Fa0/15): Role determination not required
*Mar  1 00:04:25.623: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar  1 00:04:25.623: dot1x-ev(Fa0/15): Sending out EAPOL packet
*Mar  1 00:
SW1#04:25.623: EAPOL pak dump Tx
*Mar  1 00:04:25.623: EAPOL Version: 0x3  type: 0x0  length: 0x0004
*Mar  1 00:04:25.623: EAP code: 0x4  id: 0x1  length: 0x0004
*Mar  1 00:04:25.623: dot1x-packet(Fa0/15): EAPOL packet sent to client 0x88000001 (0023.18e4.9a7c)
*Mar  1 00:04:27.317: %LINK-3-UPDOWN: Interface FastEthernet0/15, changed state to up

Preview file
442 KB
0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee
In response to Istvan kelemen

‎03-20-2014 11:12 PM

Debugs suggest that supplicant did send the request to radius server however radius server rejected it. It would be worth looking at the server to know the reason of failure. You could also run debug radius on the switch to understand radius communication. Do you have validate server certificate option checked on the supplicany under ethernet adapter settings? If yes, do you have the root certificate installed on the machine? If no, please uncheck the 'validate server certificate option and attempt to authenticate again. Most likely you will see an "ssl handshake" error but it would be great if you look for an exact error message.

 

*Mar  1 00:04:25.606: dot1x-ev(Fa0/15): dot1x_sendRespToServer: Response sent to the server from 0x88000001 (0023.18e4.9a7c)
*Mar  1 00:04:25.606: dot1x-sm(Fa0/15): 0x88000001:auth_bend_request_response_action called
*Mar  1 00:04:25.614: dot1x-ev(Fa0/15): Received an EAP Fail
*Mar  1 00:04:25.614: dot1x-s
SW1#m(Fa0/15): Posting EAP_FAIL for 0x88000001
*Mar  1 00:04:25.614:     dot1x_auth_bend Fa0/15: during state auth_bend_response, got event 10(eapFail)
*Mar  1 00:04:25.614: @@@ dot1x_auth_bend Fa0/15: auth_bend_response -> auth_bend_fail
*Mar  1 00:04:25.614: dot1x-sm(Fa0/15): 0x88000001:auth_bend_response_exit called
*Mar  1 00:04:25.614: dot1x-sm(Fa0/15): 0x88000001:auth_bend_fail_enter called
*Mar  1 00:04:25.614: dot1x-sm(Fa0/15): 0x88000001:auth_bend_response_fail_action called
*Mar  1 00:04:25.614
SW1#:     dot1x_auth_bend Fa0/15: idle during state auth_bend_fail
*Mar  1 00:04:25.614: @@@ dot1x_auth_bend Fa0/15: auth_bend_fail -> auth_bend_idle
*Mar  1 00:04:25.614: dot1x-sm(Fa0/15): 0x88000001:auth_bend_idle_enter called
*Mar  1 00:04:25.614: dot1x-sm(Fa0/15): Posting AUTH_FAIL on Client 0x88000001
*Mar  1 00:04:25.614:     dot1x_auth Fa0/15: during state auth_authenticating, got event 15(authFail)
*Mar  1 00:04:25.614: @@@ dot1x_auth Fa0/15: auth_authenticating -> auth_authc_result
*Mar  1 00:04
SW1#:25.614: dot1x-sm(Fa0/15): 0x88000001:auth_authenticating_exit called
*Mar  1 00:04:25.614: dot1x-sm(Fa0/15): 0x88000001:auth_authc_result_enter called
*Mar  1 00:04:25.614: %DOT1X-5-FAIL: Authentication failed for client (0023.18e4.9a7c) on Interface Fa0/15 AuditSessionID
*Mar  1 00:04:25.614: dot1x-ev(Fa0/15): Sending event (2) to Auth Mgr for 0023.18e4.9a7c
*Mar  1 00:04:25.614: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0023.18e4.9a7c) on Interface Fa0/15 AuditSession
SW1#ID 0A0063010000000100040C6B
*Mar  1 00:04:25.614: %AUTHMGR-5-FAIL: Authorization failed for client (0023.18e4.9a7c) on Interface Fa0/15 AuditSessionID 0A0063010000000100040C6B
*Mar  1 00:04:25.614: dot1x-redundancy: State for client  0023.18e4.9a7c successfully retrieved
*Mar  1 00:04:25.614: dot1x-ev(Fa0/15): Received Authz fail for the client  0x88000001 (0023.18e4.9a7c)
*Mar  1 00:04:25.623: dot1x-sm(Fa0/15): Posting_AUTHZ_FAIL on Client 0x88000001
*Mar  1 00:04:25.623:     dot1x_auth Fa0/15: durin
SW1#g state auth_authc_result, got event 22(authzFail)

 

Regards,

Jatin Katyal

*Do rate helpful posts*

~Jatin
0 Helpful

Istvan kelemen
Level 1
Level 1
In response to Jatin Katyal

‎03-24-2014 04:35 PM

Hi,

 

Thanks!

 

I tried with Cisco ACS 4.2

It works with MD5 authentication, i guess to get it working with win7/8 i need to install certificates on server side.

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee
In response to Istvan kelemen

‎03-24-2014 04:52 PM

you're right. Certificate is required on the server side to process EAP packet however it's optional with PEAP on the client side. All you need to do uncheck "validate server certificate" on the supplicant win7/8 settings. For now, you can install self signed certificate on the server side.

 

Regards,

Jatin Katyal

*Do rate helpful posts*

~Jatin

Istvan kelemen
Level 1
Level 1
In response to Jatin Katyal

‎11-26-2014 09:36 AM

Hello,

 

I have unchecked, it does not work. Win8.1 latest updates

0 Helpful
Customers Also Viewed These Support Documents