Dot1x on 3750 version 12.2 Not Working

IskoTech
Level 1

Hi,

First time posting here. Thanks in advance.

We are trying to deploy dot1x in our environment with 3750 switches version 12.2, but the logs on our existing Aruba Central (authentication server) keep showing TIMEOUT.

The desktop has certificates from AD and the desktop is authenticated when tested on a 3650 but not when plugged into a 3750.

We only plug in the PC, no phone yet. We just want to see .1x work with a PC on the 3750 before mixing in the phone later.

Noticed that the MAC address is not shown; although it says authorized, on the authentication server its status is still TIMEOUT, not Accepted or Allowed.

 

 

Below are some snippets of troubleshooting

sho auth sess#

Interface  MAC Address     Method   Domain   Status         Session ID
Gi1/0/5    aaaa.bbbb.cccc  dot1x    UNKNOWN  Running        0AD57B010000009101FE3BCD

sho auth sess#

Interface  MAC Address     Method   Domain   Status         Session ID
Gi1/0/5    (unknown)       N/A      DATA     Authz Success  0AD57B01000000BA037F286B

 

Interface Config

interface GigabitEthernet1/0/5
description dot1x Corp/Phone
switchport access vlan 10
switchport mode access
switchport nonegotiate
switchport voice vlan 20
shutdown
authentication event fail action authorize vlan 99
authentication event server dead action authorize vlan 99
authentication event server dead action authorize voice
authentication event no-response action authorize vlan 99
authentication event server alive action reinitialize
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
end

 

Debug results 

 

031339: Apr 18 22:13:57.991 SGST: dot1x-sm(Gi1/0/5): Posting EAP_REQ for 0x6C0000A1 

031340: Apr 18 22:13:57.991 SGST:     dot1x_auth_bend Gi1/0/5: during state auth_bend_request, got event 7(eapReq) 

031341: Apr 18 22:13:57.991 SGST: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_bend_request 

031342: Apr 18 22:13:57.991 SGST: dot1x-sm(Gi1/0/5): 0x6C0000A1:auth_bend_request_request_action called 

031343: Apr 18 22:13:57.991 SGST: dot1x-sm(Gi1/0/5): 0x6C0000A1:auth_bend_request_enter called 

031344: Apr 18 22:13:57.991 SGST: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE address 

031345: Apr 18 22:13:57.991 SGST: dot1x-ev(Gi1/0/5): Role determination not required 

SWITCH# 

031346: Apr 18 22:13:57.991 SGST: dot1x-registry:registry:dot1x_ether_macaddr called 

031347: Apr 18 22:13:57.991 SGST: dot1x-ev(Gi1/0/5): Sending out EAPOL packet 

031348: Apr 18 22:13:57.991 SGST: EAPOL pak dump Tx 

031349: Apr 18 22:13:57.991 SGST: EAPOL Version: 0x3  type: 0x0  length: 0x0005 

031350: Apr 18 22:13:57.991 SGST: EAP code: 0x1  id: 0x9  length: 0x0005 type: 0x1 

031351: Apr 18 22:13:57.991 SGST: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0x6C0000A1 (aaaa.bbbb.cccc) 

SWITCH# 

031352: Apr 18 22:14:28.861 SGST: dot1x-ev(Gi1/0/5): Received an EAP Timeout 

031353: Apr 18 22:14:28.861 SGST: dot1x-sm(Gi1/0/5): Posting EAP_TIMEOUT for 0x6C0000A1 

031354: Apr 18 22:14:28.861 SGST:     dot1x_auth_bend Gi1/0/5: during state auth_bend_request, got event 12(eapTimeout) 

031355: Apr 18 22:14:28.861 SGST: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_bend_timeout 

031356: Apr 18 22:14:28.861 SGST: dot1x-sm(Gi1/0/5): 0x6C0000A1:auth_bend_timeout_enter called 

031357: Apr 18 22:14:28.861 SGST: dot1x-sm(Gi1/0/5): 0x6C0000A1:auth_bend_request_timeout_action called 

031358: Apr 18 22:14:28.861 SGST:     dot1x_auth_bend Gi1/0/5: idle during state auth_bend_timeout 

031359: Apr 18 22:14:28.861 SGST: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_timeout -> auth_bend_idle 

031360: Apr 18 22:14:28.861 SGST: dot1x-sm(Gi1/0/5): 0x6C0000A1:auth_bend_idle_enter called 

031361: Apr 18 22:14:28.861 SGST: dot1x-sm(Gi1/0/5): Posting AUTH_TIMEOUT on Client 0x6C0000A1 

031362: Apr 18 22:14:28.861 SGST:     dot1x_auth Gi1/0/5: during state auth_authenticating, got event 14(authTimeout) 

031363: Apr 18 22:14:28.861 SGST: @@@ dot1x_auth Gi1/0/5: auth_authenticating -> auth_authc_result 

031364: Apr 18 22:14:28.861 SGST: dot1x-sm(Gi1/0/5): 0x6C0000A1:auth_authenticating_exit called 

031365: Apr 18 22:14:28.861 SGST: dot1x-sm(Gi1/0/5): 0x6C0000A1:auth_authc_result_enter called 

031366: Apr 18 22:14:28.861 SGST: %DOT1X-5-FAIL: Authentication failed for client (aaaa.bbbb.cccc) on Interface Gi1/0/5 AuditSessionID 

031367: Apr 18 22:14:28.861 SGST: dot1x-ev(Gi1/0/5): Sending event (2) to Auth Mgr for aaaa.bbbb.cccc 

031368: Apr 18 22:14:28.861 SGST: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (aaaa.bbbb.cccc) on Interface Gi1/0/5 AuditSessionID 0AD57B010000009101FE3BCD 

031369: Apr 18 22:14:28.861 SGST: dot1x-ev(Gi1/0/5): Received Authz fail for the client  0x6C0000A1 (aaaa.bbbb.cccc) 

031370: Apr 18 22:14:28.861 SGST: dot1x-sm(Gi1/0/5): Posting_AUTHZ_FAIL on Client 0x6C0000A1 

031371: Apr 18 22:14:28.870 SGST:     dot1x_auth Gi1/0/5: during state auth_authc_result, got event 22(authzFail) 

031372: Apr 18 22:14:28.870 SGST: @@@ dot1x_auth Gi1/0/5: auth_authc_result -> auth_held 

031373: Apr 18 22:14:28.870 SGST: dot1x-sm(Gi1/0/5): Posting RESTART on Client 0x6C0000A1 

031374: Apr 18 22:14:28.870 SGST:     dot1x_auth Gi1/0/5: during state auth_held, got event 13(restart) 

031375: Apr 18 22:14:28.870 SGST: @@@ dot1x_auth Gi1/0/5: auth_held -> auth_restart 

031376: Apr 18 22:14:28.870 SGST: dot1x-sm(Gi1/0/5): 0x6C0000A1:auth_held_exit called 

031377: Apr 18 22:14:28.870 SGST: dot1x-sm(Gi1/0/5): 0x6C0000A1:auth_restart_enter called 

031378: Apr 18 22:14:28.870 SGST: dot1x-ev(Gi1/0/5): Resetting the client 0x6C0000A1 (aaaa.bbbb.cccc) 

031379: Apr 18 22:14:28.870 SGST: dot1x-ev(Gi1/0/5): Sending create new context event to EAP for 0x6C0000A1 (aaaa.bbbb.cccc) 

031380: Apr 18 22:14:28.870 SGST: dot1x-sm(Gi1/0/5): Posting !EAP_RESTART on Client 0x6C0000A1 

031381: Apr 18 22:14:28.870 SGST:     dot1x_auth Gi1/0/5: during state auth_restart, got event 6(no_eapRestart) 

031382: Apr 18 22:14:28.870 SGST: @@@ dot1x_auth Gi1/0/5: auth_restart -> auth_connecting 

031383: Apr 18 22:14:28.870 SGST: dot1x-sm(Gi1/0/5): 0x6C0000A1:auth_connecting_enter called 

031384: Apr 18 22:14:28.870 SGST: dot1x-sm(Gi1/0/5): 0x6C0000A1:auth_restart_connecting_action called 

031385: Apr 18 22:14:28.870 SGST: dot1x-sm(Gi1/0/5): Posting REAUTH_MAX on Client 0x6C0000A1 

031386: Apr 18 22:14:28.870 SGST:     dot1x_auth Gi1/0/5: during state auth_connecting, got event 11(reAuthMax) 

031387: Apr 18 22:14:28.870 SGST: @@@ dot1x_auth Gi1/0/5: auth_connecting -> auth_disconnected 

031388: Apr 18 22:14:28.870 SGST: dot1x-sm(Gi1/0/5): 0x6C0000A1:auth_disconnected_enter called 

031389: Apr 18 22:14:28.870 SGST: dot1x-sm(Gi1/0/5): aaaa.bbbb.cccc:auth_disconnected_enter sending canned failure to version 1 supplicant 

031390: Apr 18 22:14:28.870 SGST: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE address 

031391: Apr 18 22:14:28.870 SGST: dot1x-ev(Gi1/0/5): Role determination not required 

031392: Apr 18 22:14:28.870 SGST: dot1x-registry:registry:dot1x_ether_macaddr called 

031393: Apr 18 22:14:28.870 SGST: dot1x-ev(Gi1/0/5): Sending out EAPOL packet 

031394: Apr 18 22:14:28.870 SGST: EAPOL pak dump Tx 

031395: Apr 18 22:14:28.870 SGST: EAPOL Version: 0x3  type: 0x0  length: 0x0004 

031396: Apr 18 22:14:28.870 SGST: EAP code: 0x4  id: 0x9  length: 0x0004 

031397: Apr 18 22:14:28.870 SGST: dot1x-packet(Gi1/0/5): dot1x_auth_txCannedStatus: EAPOL packet sent to client 0x6C0000A1 (aaaa.bbbb.cccc) 

031398: Apr 18 22:14:28.870 SGST: dot1x-sm(Gi1/0/5): 0x6C0000A1:auth_connecting_disconnected_reAuthMax_action called 

SWITCH# 

031399: Apr 18 22:14:28.870 SGST:     dot1x_auth Gi1/0/5: idle during state auth_disconnected 

031400: Apr 18 22:14:28.870 SGST: @@@ dot1x_auth Gi1/0/5: auth_disconnected -> auth_restart 

031401: Apr 18 22:14:28.870 SGST: dot1x-ev(Gi1/0/5): Sending event (1) to Auth Mgr for aaaa.bbbb.cccc 

031402: Apr 18 22:14:28.870 SGST: dot1x-ev:Delete auth client (0x6C0000A1) message 

031403: Apr 18 22:14:28.870 SGST: dot1x-ev:Auth client ctx destroyed 

031404: Apr 18 22:14:29.079 SGST:     dot1x_auth Gi1/0/5: initial state auth_initialize has enter 

031405: Apr 18 22:14:29.079 SGST: dot1x-sm(Gi1/0/5): 0xB60000A2:auth_initialize_enter called 

031406: Apr 18 22:14:29.079 SGST:     dot1x_auth Gi1/0/5: during state auth_initialize, got event 0(cfg_auto) 

031407: Apr 18 22:14:29.079 SGST: @@@ dot1x_auth Gi1/0/5: auth_initialize -> auth_disconnected 

031408: Apr 18 22:14:29.079 SGST: dot1x-sm(Gi1/0/5): 0xB60000A2:auth_disconnected_enter called 

031409: Apr 18 22:14:29.079 SGST:     dot1x_auth Gi1/0/5: idle during state auth_disconnected 

031410: Apr 18 22:14:29.079 SGST: @@@ dot1x_auth Gi1/0/5: auth_disconnected -> auth_restart 

031411: Apr 18 22:14:29.079 SGST: dot1x-sm(Gi1/0/5): 0xB60000A2:auth_restart_enter called 

031412: Apr 18 22:14:29.079 SGST: dot1x-ev(Gi1/0/5): Sending create new context event to EAP for 0xB60000A2 (0000.0000.0000) 

031413: Apr 18 22:14:29.079 SGST:     dot1x_auth_bend Gi1/0/5: initial state auth_bend_initialize has enter 

031414: Apr 18 22:14:29.079 SGST: dot1x-sm(Gi1/0/5): 0xB60000A2:auth_bend_initialize_enter called 

031415: Apr 18 22:14:29.079 SGST:     dot1x_auth_bend Gi1/0/5: initial state auth_bend_initialize has idle 

031416: Apr 18 22:14:29.079 SGST:     dot1x_auth_bend Gi1/0/5: during state auth_bend_initialize, got event 16383(idle) 

031417: Apr 18 22:14:29.079 SGST: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_initialize -> auth_bend_idle 

031418: Apr 18 22:14:29.079 SGST: dot1x-sm(Gi1/0/5): 0xB60000A2:auth_bend_idle_enter called 

031419: Apr 18 22:14:29.079 SGST: dot1x-ev(Gi1/0/5): Created a client entry (0xB60000A2) 

031420: Apr 18 22:14:29.079 SGST: dot1x-ev(Gi1/0/5): Dot1x authentication started for 0xB60000A2 (0000.0000.0000) 

031421: Apr 18 22:14:29.079 SGST: dot1x-sm(Gi1/0/5): Posting !EAP_RESTART on Client 0xB60000A2 

031422: Apr 18 22:14:29.079 SGST:     dot1x_auth Gi1/0/5: during state auth_restart, got event 6(no_eapRestart) 

031423: Apr 18 22:14:29.079 SGST: @@@ dot1x_auth Gi1/0/5: auth_restart -> auth_connecting 

031424: Apr 18 22:14:29.079 SGST: dot1x-sm(Gi1/0/5): 0xB60000A2:auth_connecting_enter called 

031425: Apr 18 22:14:29.079 SGST: dot1x-sm(Gi1/0/5): 0xB60000A2:auth_restart_connecting_action called 

031426: Apr 18 22:14:29.079 SGST: dot1x-sm(Gi1/0/5): Posting RX_REQ on Client 0xB60000A2 

031427: Apr 18 22:14:29.079 SGST:     dot1x_auth Gi1/0/5: during state auth_connecting, got event 10(eapReq_no_reAuthMax) 

031428: Apr 18 22:14:29.079 SGST: @@@ dot1x_auth Gi1/0/5: auth_connecting -> auth_authenticating 

031429: Apr 18 22:14:29.079 SGST: dot1x-sm(Gi1/0/5): 0xB60000A2:auth_authenticating_enter called 

031430: Apr 18 22:14:29.079 SGST: dot1x-sm(Gi1/0/5): 0xB60000A2:auth_connecting_authenticating_action called 

031431: Apr 18 22:14:29.079 SGST: dot1x-sm(Gi1/0/5): Posting AUTH_START for 0xB60000A2 

031432: Apr 18 22:14:29.079 SGST:     dot1x_auth_bend Gi1/0/5: during state auth_bend_idle, got event 4(eapReq_authStart) 

031433: Apr 18 22:14:29.079 SGST: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_idle -> auth_bend_request 

031434: Apr 18 22:14:29.079 SGST: dot1x-sm(Gi1/0/5): 0xB60000A2:auth_bend_request_enter called 

031435: Apr 18 22:14:29.079 SGST: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE address 

031436: Apr 18 22:14:29.079 SGST: dot1x-ev(Gi1/0/5): Role determination not required 

031437: Apr 18 22:14:29.079 SGST: dot1x-registry:registry:dot1x_ether_macaddr called 

031438: Apr 18 22:14:29.088 SGST: dot1x-ev(Gi1/0/5): 

SWITCH#Sending out EAPOL packet 

031439: Apr 18 22:14:29.088 SGST: EAPOL pak dump Tx 

031440: Apr 18 22:14:29.088 SGST: EAPOL Version: 0x3  type: 0x0  length: 0x0005 

031441: Apr 18 22:14:29.088 SGST: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1 

031442: Apr 18 22:14:29.088 SGST: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0xB60000A2 (0000.0000.0000) 

031443: Apr 18 22:14:29.088 SGST: dot1x-sm(Gi1/0/5): 0xB60000A2:auth_bend_idle_request_action called 

SWITCH# 

031444: Apr 18 22:14:45.823 SGST: dot1x-ev(Gi1/0/5): New client notification from AuthMgr for 0xB60000A2 - aaaa.bbbb.cccc 

SWITCH# 

031445: Apr 18 22:14:45.823 SGST: %AUTHMGR-5-START: Starting 'dot1x' for client (aaaa.bbbb.cccc) on Interface Gi1/0/5 AuditSessionID 0AD57B010000009202000525 

SWITCH# 

031446: Apr 18 22:14:59.950 SGST: dot1x-sm(Gi1/0/5): Posting EAP_REQ for 0xB60000A2 

031447: Apr 18 22:14:59.950 SGST:     dot1x_auth_bend Gi1/0/5: during state auth_bend_request, got event 7(eapReq) 

031448: Apr 18 22:14:59.950 SGST: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_bend_request 

031449: Apr 18 22:14:59.950 SGST: dot1x-sm(Gi1/0/5): 0xB60000A2:auth_bend_request_request_action called 

031450: Apr 18 22:14:59.950 SGST: dot1x-sm(Gi1/0/5): 0xB60000A2:auth_bend_request_enter called 

031451: Apr 18 22:14:59.950 SGST: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE address 

031452: Apr 18 22:14:59.950 SGST: dot1x-ev(Gi1/0/5): Role determination not required 

 

 

Please advise if you need more show command results or extra info.

Thanks,

Isko
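
Added example (not part of the original post, and not Cisco code): a small Python parser for the debug format above that pulls out the EAP packets, the EAP timeout and the state-machine transitions, and measures how long the EAP Request/Identity (code 0x1, type 0x1) sat unanswered before the switch declared a timeout. The sample is a subset of the debug lines in the post; the function names are hypothetical.

```python
import re
from datetime import datetime

# Sample: a subset of the debug lines posted above, console prompt included.
SAMPLE = """\
031350: Apr 18 22:13:57.991 SGST: EAP code: 0x1  id: 0x9  length: 0x0005 type: 0x1
SWITCH#
031352: Apr 18 22:14:28.861 SGST: dot1x-ev(Gi1/0/5): Received an EAP Timeout
031355: Apr 18 22:14:28.861 SGST: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_bend_timeout
031363: Apr 18 22:14:28.861 SGST: @@@ dot1x_auth Gi1/0/5: auth_authenticating -> auth_authc_result
031372: Apr 18 22:14:28.870 SGST: @@@ dot1x_auth Gi1/0/5: auth_authc_result -> auth_held
031396: Apr 18 22:14:28.870 SGST: EAP code: 0x4  id: 0x9  length: 0x0004
"""

LINE = re.compile(r"^\d+: (\w{3} +\d+ [\d:.]+) \w+:\s*(.*)$")
TRANSITION = re.compile(r"^@@@ (\S+) (\S+): (\S+) -> (\S+)")
EAP = re.compile(r"^EAP code: (0x[0-9a-fA-F]+)\s+id: (0x[0-9a-fA-F]+)"
                 r"\s+length: \S+(?:\s+type: (0x[0-9a-fA-F]+))?")
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748

def parse(text):
    """Return (timestamp, kind, data) tuples for EAP packets, timeouts, transitions."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skips blank lines and console prompts such as "SWITCH#"
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f")
        msg = m.group(2)
        if t := TRANSITION.match(msg):
            events.append((ts, "transition", t.groups()))
        elif e := EAP.match(msg):
            code, eap_id, eap_type = (int(x, 16) if x else None for x in e.groups())
            events.append((ts, "eap", (EAP_CODES.get(code, code), eap_id, eap_type)))
        elif "Received an EAP Timeout" in msg:
            events.append((ts, "timeout", None))
    return events

def unanswered_requests(events):
    """Return (eap_id, eap_type, seconds_waited) for each Request that hit a timeout."""
    out, pending = [], None
    for ts, kind, data in events:
        if kind == "eap":
            pending = (ts, data[1], data[2]) if data[0] == "Request" else None
        elif kind == "timeout" and pending:
            waited = round((ts - pending[0]).total_seconds(), 3)
            out.append((pending[1], pending[2], waited))
            pending = None
    return out

def transitions(events, machine):
    """State changes for one state machine, e.g. 'dot1x_auth'."""
    return [f"{d[2]} -> {d[3]}" for _, k, d in events if k == "transition" and d[0] == machine]
```
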

28 Replies

authentication open <<- why did you add this? Remove it and check again

Hi , 

I've removed it, shut and no shut the interface, but still the same.

 

Cheers,

Isko

show auth session interface x/x <<- share this please 

SWITCH#sho auth sess inte g1/0/5
            Interface:  GigabitEthernet1/0/5
          MAC Address:  Unknown
           IP Address:  Unknown
            User-Name:  UNRESPONSIVE
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-host
     Oper control dir:  both
        Authorized By:  Guest Vlan
          Vlan Policy:  99
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0AD57B01000000C7043D6345
      Acct Session ID:  0x0000025A
               Handle:  0xB00000C7

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Failed over

SWITCH#sho auth sess

Interface  MAC Address     Method   Domain   Status         Session ID
Gi1/0/5    (unknown)       N/A      DATA     Authz Success  0AD57B01000000C7043D6345

Cheers,

Isko

Hi

Do you have this command?

 

aaa authorization network default group radius
dot1x system-auth-control

  

Hi Flavio,

Yes we have that in global config.

 

Cheers,

Isko

Does show aaa servers show the servers as UP?

 

Hi,

Yes, it's UP
RADIUS: id 10, priority 1, host 10.10.2.10, auth-port 1812, acct-port 1813
State: current UP, duration 582s, previous duration 0s
Dead: total time 0s, count 24

 

Cheers,

Isko

Aruba Central?  Do you mean ClearPass?  

Hi, 

You're right, it's ClearPass.

Apologies.

Regards,

Isko

IskoTech
Level 1

Hi,

Global config relating to RADIUS, dot1x

aaa new-model
aaa group server radius RAD.1X
server 10.10.2.10, auth-port 1812 acc 1813
ip radius source-interface vlan 10
exit
aaa authorization network default group RAD.1X
aaa accounting dot1x default start-stop group RAD.1X
aaa authentication dot1x default group RAD.1X
radius-server host 10.10.2.10 auth-port 1812 acct-port 1813 key XXXXXX
dot1x system-auth-control

radius-server host 10.10.2.10 auth-port 1812 acct-port 1813
radius-server retransmit 1
radius-server timeout 2
radius-server key 7 XXXXXXX

radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 25 access-request include

 

radius-server timeout 2 <<- increase this please and check again, make it 10

Hi MHM,

It worked but on a different VLAN
sho authe sess
Interface MAC Address Method Domain Status Session ID
Gi1/0/5 aaaa.bbbb.cccc dot1x DATA Authz Success 0AD57B010000012408C9850D

But it falls on VLAN 99

 sho authe sess int g1/0/5
Interface: GigabitEthernet7/0/5
MAC Address: aaaa.bbbb.cccc
IP Address: 10.10.3.120
User-Name: host/aaa.AD.xxx
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-host
Oper control dir: both
Authorized By: Critical Auth
Vlan Policy: 99
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0AD57B010000012408C9850D
Acct Session ID: 0x0000043F
Handle: 0x87000124

Runnable methods list:
Method State
dot1x Authc Failed
mab Not run

Seems to be hitting the authentication event fail action authorize vlan 99 in the interface config

interface GigabitEthernet1/0/5
description dot1x Corp/Phone
switchport access vlan 10
switchport mode access
switchport nonegotiate
switchport voice vlan 20
shutdown
authentication event fail action authorize vlan 99
authentication event server dead action authorize vlan 99
authentication event server dead action authorize voice
authentication event no-response action authorize vlan 99
authentication event server alive action reinitialize
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto

 

Cheers,

Isko

Hi,

When I changed authentication event server dead action authorize vlan 99 to authentication event server dead action authorize vlan 10, it gets a DHCP address and the correct VLAN. Still no dot1X auth processed.

 

sho auth sessions int g7/0/5
Interface: GigabitEthernet1/0/5
MAC Address: aaaa.bbbb.cccc
IP Address: 10.10.x.x
User-Name: host/aaaa.AD.xxx
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-host
Oper control dir: in
Authorized By: Critical Auth
Vlan Policy: 10
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0AD57B010000013309517A91
Acct Session ID: 0x000004B5
Handle: 0x77000133

Runnable methods list:
Method State
dot1x Authc Failed
mab Not run

 

Thanks, 

Isko
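
Added example (not written by any poster in the thread, and not Cisco code): in the session dumps above the port reads "Status: Authz Success" while "Authorized By" and the method table show that a fallback VLAN, not a successful 802.1X exchange, opened the port. The Python below parses that output and reports which fallback applied; the samples are trimmed from the dumps in the thread, the function names are hypothetical, and the mapping of "Guest Vlan" and "Critical Auth" to the no-response and server-dead commands follows standard IOS behaviour.

```python
import re

# Samples trimmed from the "show authentication sessions interface" dumps in the thread.
GUEST = """\
          MAC Address:  Unknown
               Status:  Authz Success
        Authorized By:  Guest Vlan
          Vlan Policy:  99
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Failed over
"""
CRITICAL = """\
MAC Address: aaaa.bbbb.cccc
Status: Authz Success
Authorized By: Critical Auth
Vlan Policy: 10
Runnable methods list:
Method State
dot1x Authc Failed
mab Not run
"""

# Fallback "Authorized By" values seen in the thread, mapped to the interface
# command that produces them (both commands appear in the posted port config).
FALLBACK = {
    "Guest Vlan": "authentication event no-response action authorize vlan",
    "Critical Auth": "authentication event server dead action authorize vlan",
}

def parse_session(text):
    """Split the dump into 'Key: value' fields and the per-method state table."""
    fields, methods, in_methods = {}, {}, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Runnable methods list"):
            in_methods = True
        elif in_methods:
            if m := re.match(r"(dot1x|mab|webauth)\s+(.+)", line):
                methods[m.group(1)] = m.group(2)
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields, methods

def assess(text):
    """Say whether the port was opened by a real 802.1X success or by a fallback."""
    fields, methods = parse_session(text)
    by = fields.get("Authorized By", "")
    return {
        "status": fields.get("Status"),
        "vlan": fields.get("Vlan Policy"),
        "fallback_cmd": FALLBACK.get(by),
        "dot1x_passed": methods.get("dot1x") == "Authc Success",
    }
```

A port is only protected by 802.1X when "dot1x_passed" is true and "fallback_cmd" is None; any other combination means the switch placed the host in a VLAN without a completed authentication.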