
Dot1x host authentication failure

haidar_alm
Level 1

Hi guys,

 

I'm working on configuring 802.1x on a 3750 and a free WinRadius server.

WinRadius is up and running, I can even test authentication using the testing tool as per image.

I've also run the testing command from the switch to make sure that it can communicate with the Radius and it was successful:

 

Switch#test aaa group radius cisco cisco new-code 
User successfully authenticated

 

However, when I try to authenticate from the host/laptop I get an authentication failure. I do get prompted to enter the username and password. However, for some reason the Radius seems to be returning a failure to authenticate.

Error on the switch shows:

 

*Mar  1 20:45:14.133: %LINK-3-UPDOWN: Interface FastEthernet1/0/16, changed state to up
*Mar  1 20:45:22.387: %DOT1X-5-FAIL: Authentication failed for client (ecf4.bb08.7e76) on Interface Fa1/0/16 AuditSessionID C0A80A1E0000001F0474044A
*Mar  1 20:45:22.387: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (ecf4.bb08.7e76) on Interface Fa1/0/16 AuditSessionID C0A80A1E0000001F0474044A
*Mar  1 20:45:22.387: %AUTHMGR-5-FAIL: Authorization failed for client (ecf4.bb08.7e76) on Interface Fa1/0/16 AuditSessionID C0A80A1E0000001F0474044A

 


Switch#sho authentication sessions int f1/0/16         
            Interface:  FastEthernet1/0/16
          MAC Address:  Unknown
           IP Address:  Unknown
               Status:  Running
               Domain:  UNKNOWN
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  C0A80A1E0000002004751782
      Acct Session ID:  0x00000027
               Handle:  0x4D000020

Runnable methods list:
       Method   State
       dot1x    Running

And on the Radius server it shows that user authentication failed.

I'm not sure where the issue is...

Switch configuration for dot1x is:

aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius 

authentication mac-move permit

interface FastEthernet1/0/16
 switchport access vlan 10
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator

interface FastEthernet1/0/20
 switchport access vlan 10

interface Vlan10
 ip address 192.168.10.30 255.255.255.0
!         
!         
ip sla enable reaction-alerts
radius-server host 192.168.10.10 auth-port 1812 acct-port 1813 key WinRadius
!         

I'm not sure what I'm doing wrong... 

Can you please have a look and advise??

 


jasonmadruga84
Level 1

Haidar,

I was able to have success if I changed the settings in WinRadius. Those are:

Authorization Port 1645
Accounting Port 1646

Let me know if that helps.

-Jason
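
The %DOT1X and %AUTHMGR lines from the question, parsed and grouped by AuditSessionID so that each failed session is tied to one client MAC and port. This is an added example, not part of the thread or either poster's code. The function names are made up for illustration, the sample log is copied from the post, and reading the first 8 hex digits of the session ID as an IPv4 address is an interpretation that matches the Vlan10 address in the posted config.

```python
import ipaddress
import re
from collections import defaultdict

# Log lines copied from the question above (the LINK line is kept to show it is skipped).
SAMPLE_LOG = """\
*Mar  1 20:45:14.133: %LINK-3-UPDOWN: Interface FastEthernet1/0/16, changed state to up
*Mar  1 20:45:22.387: %DOT1X-5-FAIL: Authentication failed for client (ecf4.bb08.7e76) on Interface Fa1/0/16 AuditSessionID C0A80A1E0000001F0474044A
*Mar  1 20:45:22.387: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (ecf4.bb08.7e76) on Interface Fa1/0/16 AuditSessionID C0A80A1E0000001F0474044A
*Mar  1 20:45:22.387: %AUTHMGR-5-FAIL: Authorization failed for client (ecf4.bb08.7e76) on Interface Fa1/0/16 AuditSessionID C0A80A1E0000001F0474044A
"""

# Matches only DOT1X/AUTHMGR messages that name a client, a port and a session.
EVENT_RE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+\s+[\d:.]+): "
    r"%(?P<facility>DOT1X|AUTHMGR)-(?P<sev>\d)-(?P<mnemonic>\w+): "
    r".*?client \((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) "
    r"on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)"
)

def parse_events(text):
    """Yield one dict per DOT1X/AUTHMGR client event; other lines are skipped."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield m.groupdict()

def failed_sessions(text):
    """Group events by AuditSessionID; keep sessions where dot1x itself failed."""
    sessions = defaultdict(lambda: {"mac": None, "intf": None, "events": []})
    for ev in parse_events(text):
        s = sessions[ev["sid"]]
        s["mac"], s["intf"] = ev["mac"], ev["intf"]
        s["events"].append(f'{ev["facility"]}-{ev["sev"]}-{ev["mnemonic"]}')
    return {sid: s for sid, s in sessions.items() if "DOT1X-5-FAIL" in s["events"]}

def session_prefix_ip(session_id):
    """Decode the first 8 hex digits of the session ID as a dotted IPv4 address."""
    return str(ipaddress.IPv4Address(int(session_id[:8], 16)))

if __name__ == "__main__":
    for sid, s in failed_sessions(SAMPLE_LOG).items():
        print(f'{s["mac"]} on {s["intf"]} via {session_prefix_ip(sid)}: '
              f'{" -> ".join(s["events"])}')
```

Run against a longer capture, the same grouping shows whether failures are confined to one client or port or appear across the switch.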