dot1x pae authenticator

jeremys8137
Level 1

I have 3 WS-C3750-48PS in a stack and I'd like to enable dot1x on the stack. I entered the commands:

dot1x system-auth-control

aaa authorization network default group radius

aaa authentication dot1x default group radius

I also have dot1x enabled on several interfaces on the 2nd and 3rd switches in the stack with these commands:

dot1x pae authenticator

authentication port-control auto

dot1x successfully works on these ports and I see the logs in ACS. Here's where the problem comes in: when I try to enable dot1x using the above commands on any interface on the first switch in the stack, it doesn't work. It's like the switch doesn't support dot1x. I don't get any of the commands for dot1x in the context-sensitive help.

I think it has something to do with the version numbers of the switch

Switch 1 is v03

Switch 2 is v08

Switch 3 is v06

I'm assuming that there is a bug in version 3, but after googling I didn't come up with much. Any ideas?

Richard Atkin
Level 4

When you talk about switch versions, I assume you're talking about the output from a show switch command?

If so, then yes, that will most likely be your problem. Upgrade the software on the switches within the stack to a consistent version across the board. See here for details:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/troubleshooting/switch_stacks.html#wp55831

Richard,

This is the output from the show ver from the stack; at the end is the output from the show switch command.

cisco WS-C3750-48P (PowerPC405) processor (revision E0) with 131072K bytes of memory.

Processor board ID CAT0906R08U

Last reset from bus error

20 Virtual Ethernet interfaces

144 FastEthernet interfaces

12 Gigabit Ethernet interfaces

The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.

Base ethernet MAC Address       : 00:13:60:1D:20:00

Motherboard assembly number     : 73-9675-07

Power supply part number        : 341-0029-03

Motherboard serial number       : CAT09050NCX

Power supply serial number      : LIT0901039A

Model revision number           : E0

Motherboard revision number     : A0

Model number                    : WS-C3750-48PS-E

System serial number            : CAT0906R08U

SFP Module assembly part number : 73-7757-02

SFP Module revision Number      : A0

SFP Module serial number        : CAT09060FEX

Top Assembly Part Number        : 800-26377-01

Top Assembly Revision Number    : A0

Version ID                      : V03

CLEI Code Number                : CNMWD00ARB

Hardware Board Revision Number  : 0x01

Switch Ports Model              SW Version            SW Image

------ ----- -----              ----------            ----------

*    1 52    WS-C3750-48P       12.2(53)SE2           C3750-IPSERVICESK9-M

     2 52    WS-C3750-48P       12.2(53)SE2           C3750-IPSERVICESK9-M

     3 52    WS-C3750-48P       12.2(53)SE2           C3750-IPSERVICESK9-M

Switch 02

---------

Switch Uptime                   : 6 hours, 4 minutes

Base ethernet MAC Address       : 00:23:AC:00:AF:80

Motherboard assembly number     : 73-9675-13

Power supply part number        : 341-0029-05

Motherboard serial number       : FDO124110B7

Power supply serial number      : DTN1236441T

Model revision number           : M0

Motherboard revision number     : A0

Model number                    : WS-C3750-48PS-S

System serial number            : FDO1241X4S8

SFP Module assembly part number : 73-7757-03

SFP Module revision number      : A0

SFP Module serial number        : FDO12390TM3

Top assembly part number        : 800-25858-04

Top assembly revision number    : B0

Version ID                      : V06

CLEI Code Number                : COMUX10ARA

Switch 03

---------

Switch Uptime                   : 23 weeks, 3 days, 21 hours, 12 minutes

Base ethernet MAC Address       : EC:30:91:BC:E0:00

Motherboard assembly number     : 73-9675-15

Power supply part number        : 341-0029-05

Motherboard serial number       : FDO133918M3

Power supply serial number      : DTN1335409A

Model revision number           : P0

Motherboard revision number     : A0

Model number                    : WS-C3750-48PS-E

System serial number            : FDO1339R1QG

SFP Module assembly part number : 73-7757-03

SFP Module revision number      : A0

SFP Module serial number        : FDO13390VU5

Top assembly part number        : 800-26377-06

Top assembly revision number    : A0

Version ID                      : V08

CLEI Code Number                : COMDC10BRA

OBT_L3SW1#show switch

Switch/Stack Mac Address : 0013.601d.2000

                                           H/W   Current

Switch#  Role   Mac Address     Priority Version  State

----------------------------------------------------------

*1       Master 0013.601d.2000     10     0       Ready

2       Member 0023.ac00.af80     5      0       Ready

3       Member ec30.91bc.e000     1      0       Ready

Jatin Katyal
Cisco Employee

Can you paste the configuration of one of the interfaces from switch 1?

Show run interface type number

~Jatin

Jatin,

Here's the config from 3 different interfaces, one from each switch in the stack:

interface FastEthernet1/0/6

switchport access vlan 25

switchport voice vlan 125

speed 100

duplex full

srr-queue bandwidth share 1 25 70 5

srr-queue bandwidth shape 3 0 0 0

priority-queue out

spanning-tree portfast

service-policy input IPPHONE+PC-BASIC

interface fa2/0/46

switchport access vlan 25

switchport mode access

switchport voice vlan 125

srr-queue bandwidth share 1 25 70 5

srr-queue bandwidth shape 3 0 0 0

priority-queue out

authentication port-control auto

mab

dot1x pae authenticator

spanning-tree portfast

service-policy input IPPHONE+PC-BASIC

interface FastEthernet3/0/32

switchport access vlan 25

switchport mode access

switchport voice vlan 125

srr-queue bandwidth share 1 25 70 5

srr-queue bandwidth shape 3 0 0 0

priority-queue out

authentication port-control auto

mab

dot1x pae authenticator

spanning-tree portfast

service-policy input IPPHONE+PC-BASIC

end

Jatin Katyal
Cisco Employee

You need to add one more command under
Interface fa 1/0/6
switchport mode access

After that try to enable dot1x on this interface.

~Jatin
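
An added example (not written by any poster in this thread) that checks a saved running-config for the condition the answer above points to: ports that lack "switchport mode access", as on the stack's first switch where the dot1x commands were unavailable. The sample config is constructed and abridged from the configs posted in the thread; FastEthernet3/0/40 and the status labels are hypothetical.

```python
import re

# Constructed sample, abridged from the interface configs posted in this thread.
SAMPLE_CONFIG = """\
interface FastEthernet1/0/6
 switchport access vlan 25
 switchport voice vlan 125
!
interface FastEthernet2/0/46
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface FastEthernet3/0/40
 switchport mode access
!
"""
# Both port-control forms appear in the thread's configs.
PORT_CONTROL = {"authentication port-control auto", "dot1x port-control auto"}

def parse_interfaces(config):
    """Map interface name -> sub-commands; a block ends at '!' or 'end'."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        match = re.match(r"interface\s+(\S+)", line, re.IGNORECASE)
        if match:
            current = blocks.setdefault(match.group(1), [])
        elif line in ("!", "end"):
            current = None
        elif line and current is not None:
            current.append(line.lower())
    return blocks

def audit_dot1x(config):
    """Label each port: 'needs-mode-access' (the fix from the thread applies),
    'dot1x-enabled', or 'access-no-dot1x' (access port left unauthenticated)."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            report[name] = "needs-mode-access"
        elif PORT_CONTROL & set(cmds):
            report[name] = "dot1x-enabled"
        else:
            report[name] = "access-no-dot1x"
    return report

if __name__ == "__main__":
    print(audit_dot1x(SAMPLE_CONFIG))
```

Blank lines and missing indentation are tolerated, so configs pasted the way they appear in this thread parse the same way as raw show running-config output.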

It works, thanks, you are awesome. I don't know how I missed that. Late nights, way too many of them.

Dear all,

I am implementing 802.1X with a 2960 switch, version:

Switch Ports Model              SW Version            SW Image

------ ----- -----              ----------            ----------

*    1 50    WS-C2960-48TT-L    12.2(44)SE6           C2960-LANBASEK9-M

The server is ACS 4.2, configured for RADIUS authentication.

When I configure the switch for 802.1X authentication on f0/14 as below:

!

interface FastEthernet0/14

switchport mode access

dot1x port-control auto

!

But when I show the config on f0/14:

!

interface FastEthernet0/14

switchport mode access

dot1x pae authenticator

dot1x port-control auto

dot1x violation-mode protect

!

So, when authenticating, there is no notification to input the user and password for authentication.

I want to ask, why?

Please see the switch config.

- config aaa:

aaa new-model

aaa authentication login default local none

aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa session-id common

- config dot1x:

aaa authentication dot1x default group radius

dot1x system-auth-control

- Config radius:

LAB#

LAB#sh run | i radius

aaa authentication dot1x default group radius

aaa authorization network default group radius

radius-server host 10.1.40.70 auth-port 1645 acct-port 1646

radius-server key mbadmin1@3

LAB#

Jatin Katyal
Cisco Employee

I didn't understand your problem completely. I guess authentication on int fa0/14 is not working. Are we pushing the data VLAN from the RADIUS server? Can you please turn on the debugs:
Debug radius
Debug dot1x all

Shut and no shut the port fa0/14

And paste the debugs output here.

~Jatin