
Dot1x on 3750 version 12.2 Not Working

IskoTech

Hi,

First time posting here. Thanks in advance.

We are trying to deploy dot1x in our environment with 3750 switches version 12.2, but the logs on our existing Aruba Central (authentication server) keep showing TIMEOUT.

The desktop has certificates from AD and the desktop is authenticated when tested on 3650 but not when plugged into a 3750.

We only plug in the PC, no phone yet. We just want to see .1x work with the PC on 3750 before mixing in the phone later.

Noticed that the MAC address is not shown; although it says authorized, on the authentication server its status is still TIMEOUT, not Accepted or Allowed.

 

 

Below are some snippets of troubleshooting

sho auth sess#

Interface  MAC Address     Method   Domain   Status         Session ID
Gi1/0/5    aaaa.bbbb.cccc  dot1x    UNKNOWN  Running        0AD57B010000009101FE3BCD

sho auth sess#

Interface  MAC Address     Method   Domain   Status         Session ID
Gi1/0/5    (unknown)       N/A      DATA     Authz Success  0AD57B01000000BA037F286B

 

Interface Config

interface GigabitEthernet1/0/5
 description dot1x Corp/Phone
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 20
 shutdown
 authentication event fail action authorize vlan 99
 authentication event server dead action authorize vlan 99
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 99
 authentication event server alive action reinitialize
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
end

 

Debug results 

 

031339: Apr 18 22:13:57.991 SGST: dot1x-sm(Gi1/0/5): Posting EAP_REQ for 0x6C0000A1 

031340: Apr 18 22:13:57.991 SGST:     dot1x_auth_bend Gi1/0/5: during state auth_bend_request, got event 7(eapReq) 

031341: Apr 18 22:13:57.991 SGST: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_bend_request 

031342: Apr 18 22:13:57.991 SGST: dot1x-sm(Gi1/0/5): 0x6C0000A1:auth_bend_request_request_action called 

031343: Apr 18 22:13:57.991 SGST: dot1x-sm(Gi1/0/5): 0x6C0000A1:auth_bend_request_enter called 

031344: Apr 18 22:13:57.991 SGST: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE address 

031345: Apr 18 22:13:57.991 SGST: dot1x-ev(Gi1/0/5): Role determination not required 

SWITCH# 

031346: Apr 18 22:13:57.991 SGST: dot1x-registry:registry:dot1x_ether_macaddr called 

031347: Apr 18 22:13:57.991 SGST: dot1x-ev(Gi1/0/5): Sending out EAPOL packet 

031348: Apr 18 22:13:57.991 SGST: EAPOL pak dump Tx 

031349: Apr 18 22:13:57.991 SGST: EAPOL Version: 0x3  type: 0x0  length: 0x0005 

031350: Apr 18 22:13:57.991 SGST: EAP code: 0x1  id: 0x9  length: 0x0005 type: 0x1 

031351: Apr 18 22:13:57.991 SGST: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0x6C0000A1 (aaaa.bbbb.cccc) 

SWITCH# 

031352: Apr 18 22:14:28.861 SGST: dot1x-ev(Gi1/0/5): Received an EAP Timeout 

031353: Apr 18 22:14:28.861 SGST: dot1x-sm(Gi1/0/5): Posting EAP_TIMEOUT for 0x6C0000A1 

031354: Apr 18 22:14:28.861 SGST:     dot1x_auth_bend Gi1/0/5: during state auth_bend_request, got event 12(eapTimeout) 

031355: Apr 18 22:14:28.861 SGST: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_bend_timeout 

031356: Apr 18 22:14:28.861 SGST: dot1x-sm(Gi1/0/5): 0x6C0000A1:auth_bend_timeout_enter called 

031357: Apr 18 22:14:28.861 SGST: dot1x-sm(Gi1/0/5): 0x6C0000A1:auth_bend_request_timeout_action called 

031358: Apr 18 22:14:28.861 SGST:     dot1x_auth_bend Gi1/0/5: idle during state auth_bend_timeout 

031359: Apr 18 22:14:28.861 SGST: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_timeout -> auth_bend_idle 

031360: Apr 18 22:14:28.861 SGST: dot1x-sm(Gi1/0/5): 0x6C0000A1:auth_bend_idle_enter called 

031361: Apr 18 22:14:28.861 SGST: dot1x-sm(Gi1/0/5): Posting AUTH_TIMEOUT on Client 0x6C0000A1 

031362: Apr 18 22:14:28.861 SGST:     dot1x_auth Gi1/0/5: during state auth_authenticating, got event 14(authTimeout) 

031363: Apr 18 22:14:28.861 SGST: @@@ dot1x_auth Gi1/0/5: auth_authenticating -> auth_authc_result 

031364: Apr 18 22:14:28.861 SGST: dot1x-sm(Gi1/0/5): 0x6C0000A1:auth_authenticating_exit called 

031365: Apr 18 22:14:28.861 SGST: dot1x-sm(Gi1/0/5): 0x6C0000A1:auth_authc_result_enter called 

031366: Apr 18 22:14:28.861 SGST: %DOT1X-5-FAIL: Authentication failed for client (aaaa.bbbb.cccc) on Interface Gi1/0/5 AuditSessionID 

031367: Apr 18 22:14:28.861 SGST: dot1x-ev(Gi1/0/5): Sending event (2) to Auth Mgr for aaaa.bbbb.cccc 

031368: Apr 18 22:14:28.861 SGST: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (aaaa.bbbb.cccc) on Interface Gi1/0/5 AuditSessionID 0AD57B010000009101FE3BCD 

031369: Apr 18 22:14:28.861 SGST: dot1x-ev(Gi1/0/5): Received Authz fail for the client  0x6C0000A1 (aaaa.bbbb.cccc) 

031370: Apr 18 22:14:28.861 SGST: dot1x-sm(Gi1/0/5): Posting_AUTHZ_FAIL on Client 0x6C0000A1 

031371: Apr 18 22:14:28.870 SGST:     dot1x_auth Gi1/0/5: during state auth_authc_result, got event 22(authzFail) 

031372: Apr 18 22:14:28.870 SGST: @@@ dot1x_auth Gi1/0/5: auth_authc_result -> auth_held 

031373: Apr 18 22:14:28.870 SGST: dot1x-sm(Gi1/0/5): Posting RESTART on Client 0x6C0000A1 

031374: Apr 18 22:14:28.870 SGST:     dot1x_auth Gi1/0/5: during state auth_held, got event 13(restart) 

031375: Apr 18 22:14:28.870 SGST: @@@ dot1x_auth Gi1/0/5: auth_held -> auth_restart 

031376: Apr 18 22:14:28.870 SGST: dot1x-sm(Gi1/0/5): 0x6C0000A1:auth_held_exit called 

031377: Apr 18 22:14:28.870 SGST: dot1x-sm(Gi1/0/5): 0x6C0000A1:auth_restart_enter called 

031378: Apr 18 22:14:28.870 SGST: dot1x-ev(Gi1/0/5): Resetting the client 0x6C0000A1 (aaaa.bbbb.cccc) 

031379: Apr 18 22:14:28.870 SGST: dot1x-ev(Gi1/0/5): Sending create new context event to EAP for 0x6C0000A1 (aaaa.bbbb.cccc) 

031380: Apr 18 22:14:28.870 SGST: dot1x-sm(Gi1/0/5): Posting !EAP_RESTART on Client 0x6C0000A1 

031381: Apr 18 22:14:28.870 SGST:     dot1x_auth Gi1/0/5: during state auth_restart, got event 6(no_eapRestart) 

031382: Apr 18 22:14:28.870 SGST: @@@ dot1x_auth Gi1/0/5: auth_restart -> auth_connecting 

031383: Apr 18 22:14:28.870 SGST: dot1x-sm(Gi1/0/5): 0x6C0000A1:auth_connecting_enter called 

031384: Apr 18 22:14:28.870 SGST: dot1x-sm(Gi1/0/5): 0x6C0000A1:auth_restart_connecting_action called 

031385: Apr 18 22:14:28.870 SGST: dot1x-sm(Gi1/0/5): Posting REAUTH_MAX on Client 0x6C0000A1 

031386: Apr 18 22:14:28.870 SGST:     dot1x_auth Gi1/0/5: during state auth_connecting, got event 11(reAuthMax) 

031387: Apr 18 22:14:28.870 SGST: @@@ dot1x_auth Gi1/0/5: auth_connecting -> auth_disconnected 

031388: Apr 18 22:14:28.870 SGST: dot1x-sm(Gi1/0/5): 0x6C0000A1:auth_disconnected_enter called 

031389: Apr 18 22:14:28.870 SGST: dot1x-sm(Gi1/0/5): aaaa.bbbb.cccc:auth_disconnected_enter sending canned failure to version 1 supplicant 

031390: Apr 18 22:14:28.870 SGST: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE address 

031391: Apr 18 22:14:28.870 SGST: dot1x-ev(Gi1/0/5): Role determination not required 

031392: Apr 18 22:14:28.870 SGST: dot1x-registry:registry:dot1x_ether_macaddr called 

031393: Apr 18 22:14:28.870 SGST: dot1x-ev(Gi1/0/5): Sending out EAPOL packet 

031394: Apr 18 22:14:28.870 SGST: EAPOL pak dump Tx 

031395: Apr 18 22:14:28.870 SGST: EAPOL Version: 0x3  type: 0x0  length: 0x0004 

031396: Apr 18 22:14:28.870 SGST: EAP code: 0x4  id: 0x9  length: 0x0004 

031397: Apr 18 22:14:28.870 SGST: dot1x-packet(Gi1/0/5): dot1x_auth_txCannedStatus: EAPOL packet sent to client 0x6C0000A1 (aaaa.bbbb.cccc) 

031398: Apr 18 22:14:28.870 SGST: dot1x-sm(Gi1/0/5): 0x6C0000A1:auth_connecting_disconnected_reAuthMax_action called 

SWITCH# 

031399: Apr 18 22:14:28.870 SGST:     dot1x_auth Gi1/0/5: idle during state auth_disconnected 

031400: Apr 18 22:14:28.870 SGST: @@@ dot1x_auth Gi1/0/5: auth_disconnected -> auth_restart 

031401: Apr 18 22:14:28.870 SGST: dot1x-ev(Gi1/0/5): Sending event (1) to Auth Mgr for aaaa.bbbb.cccc 

031402: Apr 18 22:14:28.870 SGST: dot1x-ev:Delete auth client (0x6C0000A1) message 

031403: Apr 18 22:14:28.870 SGST: dot1x-ev:Auth client ctx destroyed 

031404: Apr 18 22:14:29.079 SGST:     dot1x_auth Gi1/0/5: initial state auth_initialize has enter 

031405: Apr 18 22:14:29.079 SGST: dot1x-sm(Gi1/0/5): 0xB60000A2:auth_initialize_enter called 

031406: Apr 18 22:14:29.079 SGST:     dot1x_auth Gi1/0/5: during state auth_initialize, got event 0(cfg_auto) 

031407: Apr 18 22:14:29.079 SGST: @@@ dot1x_auth Gi1/0/5: auth_initialize -> auth_disconnected 

031408: Apr 18 22:14:29.079 SGST: dot1x-sm(Gi1/0/5): 0xB60000A2:auth_disconnected_enter called 

031409: Apr 18 22:14:29.079 SGST:     dot1x_auth Gi1/0/5: idle during state auth_disconnected 

031410: Apr 18 22:14:29.079 SGST: @@@ dot1x_auth Gi1/0/5: auth_disconnected -> auth_restart 

031411: Apr 18 22:14:29.079 SGST: dot1x-sm(Gi1/0/5): 0xB60000A2:auth_restart_enter called 

031412: Apr 18 22:14:29.079 SGST: dot1x-ev(Gi1/0/5): Sending create new context event to EAP for 0xB60000A2 (0000.0000.0000) 

031413: Apr 18 22:14:29.079 SGST:     dot1x_auth_bend Gi1/0/5: initial state auth_bend_initialize has enter 

031414: Apr 18 22:14:29.079 SGST: dot1x-sm(Gi1/0/5): 0xB60000A2:auth_bend_initialize_enter called 

031415: Apr 18 22:14:29.079 SGST:     dot1x_auth_bend Gi1/0/5: initial state auth_bend_initialize has idle 

031416: Apr 18 22:14:29.079 SGST:     dot1x_auth_bend Gi1/0/5: during state auth_bend_initialize, got event 16383(idle) 

031417: Apr 18 22:14:29.079 SGST: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_initialize -> auth_bend_idle 

031418: Apr 18 22:14:29.079 SGST: dot1x-sm(Gi1/0/5): 0xB60000A2:auth_bend_idle_enter called 

031419: Apr 18 22:14:29.079 SGST: dot1x-ev(Gi1/0/5): Created a client entry (0xB60000A2) 

031420: Apr 18 22:14:29.079 SGST: dot1x-ev(Gi1/0/5): Dot1x authentication started for 0xB60000A2 (0000.0000.0000) 

031421: Apr 18 22:14:29.079 SGST: dot1x-sm(Gi1/0/5): Posting !EAP_RESTART on Client 0xB60000A2 

031422: Apr 18 22:14:29.079 SGST:     dot1x_auth Gi1/0/5: during state auth_restart, got event 6(no_eapRestart) 

031423: Apr 18 22:14:29.079 SGST: @@@ dot1x_auth Gi1/0/5: auth_restart -> auth_connecting 

031424: Apr 18 22:14:29.079 SGST: dot1x-sm(Gi1/0/5): 0xB60000A2:auth_connecting_enter called 

031425: Apr 18 22:14:29.079 SGST: dot1x-sm(Gi1/0/5): 0xB60000A2:auth_restart_connecting_action called 

031426: Apr 18 22:14:29.079 SGST: dot1x-sm(Gi1/0/5): Posting RX_REQ on Client 0xB60000A2 

031427: Apr 18 22:14:29.079 SGST:     dot1x_auth Gi1/0/5: during state auth_connecting, got event 10(eapReq_no_reAuthMax) 

031428: Apr 18 22:14:29.079 SGST: @@@ dot1x_auth Gi1/0/5: auth_connecting -> auth_authenticating 

031429: Apr 18 22:14:29.079 SGST: dot1x-sm(Gi1/0/5): 0xB60000A2:auth_authenticating_enter called 

031430: Apr 18 22:14:29.079 SGST: dot1x-sm(Gi1/0/5): 0xB60000A2:auth_connecting_authenticating_action called 

031431: Apr 18 22:14:29.079 SGST: dot1x-sm(Gi1/0/5): Posting AUTH_START for 0xB60000A2 

031432: Apr 18 22:14:29.079 SGST:     dot1x_auth_bend Gi1/0/5: during state auth_bend_idle, got event 4(eapReq_authStart) 

031433: Apr 18 22:14:29.079 SGST: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_idle -> auth_bend_request 

031434: Apr 18 22:14:29.079 SGST: dot1x-sm(Gi1/0/5): 0xB60000A2:auth_bend_request_enter called 

031435: Apr 18 22:14:29.079 SGST: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE address 

031436: Apr 18 22:14:29.079 SGST: dot1x-ev(Gi1/0/5): Role determination not required 

031437: Apr 18 22:14:29.079 SGST: dot1x-registry:registry:dot1x_ether_macaddr called 

031438: Apr 18 22:14:29.088 SGST: dot1x-ev(Gi1/0/5): 

SWITCH#Sending out EAPOL packet 

031439: Apr 18 22:14:29.088 SGST: EAPOL pak dump Tx 

031440: Apr 18 22:14:29.088 SGST: EAPOL Version: 0x3  type: 0x0  length: 0x0005 

031441: Apr 18 22:14:29.088 SGST: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1 

031442: Apr 18 22:14:29.088 SGST: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0xB60000A2 (0000.0000.0000) 

031443: Apr 18 22:14:29.088 SGST: dot1x-sm(Gi1/0/5): 0xB60000A2:auth_bend_idle_request_action called 

SWITCH# 

031444: Apr 18 22:14:45.823 SGST: dot1x-ev(Gi1/0/5): New client notification from AuthMgr for 0xB60000A2 - aaaa.bbbb.cccc 

SWITCH# 

031445: Apr 18 22:14:45.823 SGST: %AUTHMGR-5-START: Starting 'dot1x' for client (aaaa.bbbb.cccc) on Interface Gi1/0/5 AuditSessionID 0AD57B010000009202000525 

SWITCH# 

031446: Apr 18 22:14:59.950 SGST: dot1x-sm(Gi1/0/5): Posting EAP_REQ for 0xB60000A2 

031447: Apr 18 22:14:59.950 SGST:     dot1x_auth_bend Gi1/0/5: during state auth_bend_request, got event 7(eapReq) 

031448: Apr 18 22:14:59.950 SGST: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_bend_request 

031449: Apr 18 22:14:59.950 SGST: dot1x-sm(Gi1/0/5): 0xB60000A2:auth_bend_request_request_action called 

031450: Apr 18 22:14:59.950 SGST: dot1x-sm(Gi1/0/5): 0xB60000A2:auth_bend_request_enter called 

031451: Apr 18 22:14:59.950 SGST: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE address 

031452: Apr 18 22:14:59.950 SGST: dot1x-ev(Gi1/0/5): Role determination not required 

 

 

Please advise if you need more show command results or extra info.

Thanks,

Isko
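
An added example, not part of the original post: Python that reads `debug dot1x all` output in the format posted above and reports each EAP Request the switch sent that ended in an EAP timeout with no Response seen. The sample lines are copied from the post; the function names and the `rx` spelling for received-packet dumps are assumptions.

```python
import re
from datetime import datetime
# Lines copied from the debug output in the post above (an excerpt, not the full capture).
SAMPLE = """\
031348: Apr 18 22:13:57.991 SGST: EAPOL pak dump Tx
031350: Apr 18 22:13:57.991 SGST: EAP code: 0x1  id: 0x9  length: 0x0005 type: 0x1
031352: Apr 18 22:14:28.861 SGST: dot1x-ev(Gi1/0/5): Received an EAP Timeout
031355: Apr 18 22:14:28.861 SGST: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_bend_timeout
031387: Apr 18 22:14:28.870 SGST: @@@ dot1x_auth Gi1/0/5: auth_connecting -> auth_disconnected
031396: Apr 18 22:14:28.870 SGST: EAP code: 0x4  id: 0x9  length: 0x0004
"""

LINE = re.compile(r"^\d+: (\w{3} +\d+ [\d:.]+) \w+:\s+(.*)$")
DUMP = re.compile(r"EAPOL pak dump (tx|rx)", re.I)  # "rx" is an assumption; the post only shows Tx
EAP = re.compile(r"EAP code: (0x[0-9a-f]+)\s+id: (0x[0-9a-f]+)\s+length: 0x[0-9a-f]+(?:\s+type: (0x[0-9a-f]+))?", re.I)
TRANS = re.compile(r"@@@ (\S+) (\S+): (\S+) -> (\S+)")
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # EAP codes, RFC 3748
TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP"}                  # subset of EAP types

def parse(text):
    """Yield (timestamp, kind, data) for EAP packet dumps, timeouts and state changes."""
    direction = None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # prompts such as 'SWITCH#' and blank lines
        # The log carries no year; 2000 is arbitrary, only time differences are used.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S.%f")
        msg = m.group(2)
        if (d := DUMP.search(msg)):
            direction = d.group(1).lower()
        elif (e := EAP.search(msg)):
            code, ident = int(e.group(1), 16), int(e.group(2), 16)
            etype = int(e.group(3), 16) if e.group(3) else None
            yield ts, "eap", (direction, CODES.get(code, code), ident, TYPES.get(etype, etype))
        elif "Received an EAP Timeout" in msg:
            yield ts, "timeout", None
        elif (t := TRANS.search(msg)):
            yield ts, "state", f"{t.group(1)}: {t.group(3)} -> {t.group(4)}"

def unanswered_requests(text):
    """Return EAP Requests sent by the switch that timed out with no Response seen."""
    pending, findings = None, []
    for ts, kind, data in parse(text):
        if kind == "eap" and data[0] == "tx" and data[1] == "Request":
            pending = (ts, data[2], data[3])
        elif kind == "eap" and data[1] == "Response":
            pending = None  # the supplicant answered
        elif kind == "timeout" and pending:
            waited = round((ts - pending[0]).total_seconds(), 2)
            findings.append({"id": pending[1], "type": pending[2], "waited_s": waited})
            pending = None
    return findings

print(unanswered_requests(SAMPLE))
```

On the excerpt this reports the EAP-Request/Identity with id 9 going unanswered for about 30 seconds before the switch sends EAP-Failure, which is the pattern that repeats through the posted debug.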

28 Replies

Update

With the above interface config, I did a debug and one line shows dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/5

Are there any other commands needed?

 

Cheers,

Isko

dot1x system-auth-control <<- this is needed in global mode of the switch

Thanks MHM,

I've confirmed it's on the Global Config.

Cheers,

isko

UPDATE.

So I've tried changing the interface configs one at a time to test and set dot1x pae supplicant. It worked, but not with dot1x; it failed over to MAB.
sho authe ses
Interface MAC Address Method Domain Status Session ID
Gi1/0/5 aaaa.bbbb.cccc mab DATA Authz Success 0AD57B010000003D00DC05D5
sho authe ses int gigabitEthernet 1/0/5
No Auth Manager contexts match supplied criteria
dot1xtestswitch#sho authe ses int gigabitEthernet 1/0/5
Interface: GigabitEthernet 1/0/5
MAC Address: aaaa.bbbb.cccc
IP Address: Unknown
User-Name: aaaa.bbbb.cccc
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-host
Oper control dir: in
Authorized By: Critical Auth
Vlan Policy: 99
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0AD57B010000003D00DC05D5
Acct Session ID: 0x0000017C
Handle: 0xA800003D

Runnable methods list:
Method State
mab Authc Failed

It seems it's actually hitting the line authentication event server dead action authorize vlan 99

Cheers,
isko

• debug radius
• debug dot1x all
Enable both debugs, then shut / no shut the interface, and finally disable debug. I need to see the full debug.
Thanks

@IskoTech if the switch has placed the interface in critical auth it's because the RADIUS server is unable to process the request.

Have you defined the switch as a Network Device on the RADIUS server?
Is the RADIUS request coming from the correct IP?
Is the shared secret correct on both ends?
 

 

Hi Rob,

Answers below

Have you defined the switch as a Network Device on the RADIUS server? Yes
Is the RADIUS request coming from the correct IP? the ip radius source interface vlan 10  line is under the aaa group server radius RADGROUP


Is the shared secret correct on both ends? I've re-copied and pasted again the shared secret on both switch and server. 

Cheers,

isko

 

@IskoTech take a packet capture on the Radius server, filter on this switch IP, provide the output for review.

The client does not reply with an EAP response or start dot1x with EAP start.
Can you confirm that?
Try the command below and check the result:
dot1x port-control auto


Hi ,

It's not available on this version

dot1xtestswitch(config-if)#dot1x ?
credentials Credentials profile configuration
default Configure Dot1x with default values for this port
max-reauth-req Max No. of Reauthentication Attempts
max-req Max No. of Retries
max-start Max No. of EAPOL-Start requests
pae Set 802.1x interface pae type
supplicant Configure supplicant parameters
timeout Various Timeouts

dot1xtestswitch(config-if)#authe
dot1xtestswitch(config-if)#authentication ?
control-direction Set the control-direction on the interface
event Set action for authentication events
fallback Enable the Webauth fallback mechanism
host-mode Set the Host mode for authentication on this interface
linksec Configure link security parameters
open Enable or Disable open access on this port
order Add an authentication method to the order list
periodic Enable or Disable Reauthentication for this port
port-control Set the port-control value
priority Add an authentication method to the priority list
timer Set authentication timer values
violation Configure action to take on security violations

dot1xtestswitch(config-if)#authentication por
dot1xtestswitch(config-if)#authentication port-control ?
auto PortState set to automatic
force-authorized PortState set to AUTHORIZED
force-unauthorized PortState set to UnAuthorized

 

Cheers,

isko

 

 

NOTE: I've used the same desktop on another switch 3650 and it's been authenticated. 

Cheers

I wake to morning for this case, 
access-session host-mode multi-domain <<- if access-session is not accepted, then use authen

shut and no shut the port and share the debug if you can 

Hi, 

I'll update you ASAP when I return to the site, as I lost my remote access to that switch.

Thanks,

Isko 

What do you see in the output of the command "show aaa servers"? If they are showing down then you should check the path between the switch and the RADIUS servers and ensure nothing is blocking RADIUS traffic. Also, I would consider upgrading the switches to the latest recommended release.

Hi Aref, 

show aaa servers showed that the server is UP. 

I've tried this on 15.0.2 version of 3750 and I have the same result, so I thought of downgrading to 12.2 and test

Cheers, 

Isko