
Dot1x requests not properly handled by AuthMgr

Kevin Breit
Level 4

I was trying to set up 802.1x port authentication with a FreeRADIUS back end and was having problems with authentication. I enter the username and password on my Linux laptop and it asks again after a timeout. I enabled debugging on dot1x and it seems to stop after reporting "New client detected, issuing Start Request to AuthMgr". Debug output on RADIUS or AAA authentication never reported any information.


Tarik Admani
VIP Alumni

Kevin,

Please post the port configuration, switch model, along with the version information.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik,

Here is the information. I have had the same problem on both a 3560 and a 2960. I am also including some debug information.

```
Lab3560#
Aug 28 23:03:16.129: dot1x-ev(Fa0/2): Role determination not required
Aug 28 23:03:16.129: dot1x-packet(Fa0/2): queuing an EAPOL pkt on Auth Q
Aug 28 23:03:16.129: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Aug 28 23:03:16.129: EAPOL pak dump rx
Aug 28 23:03:16.129: EAPOL Version: 0x1  type: 0x1  length: 0x0000
Aug 28 23:03:16.129: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/2 CODE= 0,TYPE= 0,LEN= 0
Aug 28 23:03:16.129: dot1x-packet(Fa0/2): Received an EAPOL frame
Aug 28 23:03:16.129: dot1x-ev(Fa0/2): Received pkt saddr =001e.ecd0.062d , daddr = 0180.c200.0003,
    pae-ether-type = 888e.0101.0000
Aug 28 23:03:16.129: dot1x-ev(Fa0/2):
Lab3560#New client detected, issuing Start Request to AuthMgr
Aug 28 23:03:16.129: AUTH-EVENT (Fa0/2) Received START_REQUEST from dot1x (handle 0x00000003)
Aug 28 23:03:16.129: AUTH-EVENT (Fa0/2) Start request by method "dot1x" for 001e.ecd0.062d
```

```
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Thu 05-May-11 16:14 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02F00000

ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)

Lab3560 uptime is 11 minutes
System returned to ROM by power-on
System restarted at 22:54:25 UTC Tue Aug 28 2012
System image file is "flash:c3560-ipservicesk9-mz.122-55.SE3.bin"

cisco WS-C3560-24PS (PowerPC405) processor (revision F0) with 131072K bytes of memory
```

```
Lab3560#sh run int fa 0/2
Building configuration...

Current configuration : 117 bytes
!
interface FastEthernet0/2
 switchport access vlan 3
 switchport mode access
 authentication port-control auto
end
```

The codes that you are testing with now run dot1x version 3; there are some issues in the way that supplicants handle this value. This is a bug in the supplicant and I wanted to know if you experience the same issue when a Windows machine connects.

Thanks,

Tarik Admani
*Please rate helpful posts*

I did some testing and it does appear to still be broken. I am using EAP-MD5, which wasn't enabled on my Windows system, so it may not be a great test for bugs. However, when I moved the same computer over to a 3750 running 12.2(25) it did prompt for a username and password.

Yeah, in the dot1x messages when you see the following:

```
Aug 28 23:03:16.129: EAPOL pak dump rx
Aug 28 23:03:16.129: EAPOL Version: 0x1  type: 0x1  length: 0x0000
```

We had a flood of these come into TAC when customers upgraded their switches. Basically, the conclusion was that the supplicants were freaking out when EAPOL version 3 was being sent.

Thanks,

Tarik Admani
*Please rate helpful posts*

michalzejdl
Level 1

I tried

(config-if)#dot1x pae authenticator

and the 2960 started to send Access-Request packets to RADIUS. See Peng Gu's reply at https://supportforums.cisco.com/thread/2024849.

That is correct; however, this is not the issue in this case. The issue is with the EAP response being sent back from the client... it is empty...

Tarik Admani
*Please rate helpful posts*
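The EAPOL header fields that appear in the debug output quoted in this thread can be decoded mechanically. The following Python is an added example, not code from any poster or from Cisco; it uses the EAPOL packet-type and protocol-version numbering from IEEE 802.1X and assumes, as the two debug lines suggest, that the dotted hex after `pae-ether-type =` is the EtherType followed by version, type and length. The two extra frames and the identity "lab1" are constructed samples.

```python
import struct

# EAPOL packet types and protocol versions as defined by IEEE 802.1X.
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAPOL_VERSIONS = {1: "802.1X-2001", 2: "802.1X-2004", 3: "802.1X-2010"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def from_dotted_hex(field: str) -> bytes:
    """Turn the dotted hex printed after 'pae-ether-type =' into bytes."""
    return bytes.fromhex(field.replace(".", "").strip())


def decode_eapol(raw: bytes) -> dict:
    """Decode an EAPOL frame starting at its EtherType (0x888e)."""
    if len(raw) < 6:
        raise ValueError("truncated EAPOL header")
    ethertype, version, ptype, length = struct.unpack("!HBBH", raw[:6])
    if ethertype != 0x888E:
        raise ValueError("EtherType is not 0x888e (EAPOL)")
    body = raw[6:6 + length]
    if len(body) != length:
        raise ValueError("body shorter than the EAPOL length field")
    info = {"version": version,
            "standard": EAPOL_VERSIONS.get(version, "unknown"),
            "type": EAPOL_TYPES.get(ptype, "unknown"),
            "length": length, "eap": None}
    if ptype == 0:  # only EAP-Packet frames carry an EAP message
        if length < 4:
            raise ValueError("EAP-Packet without a complete EAP header")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        info["eap"] = {"code": EAP_CODES.get(code, "unknown"), "id": ident,
                       "length": eap_len,
                       "method": body[4] if length > 4 else None}
    return info


# Header bytes exactly as printed in the thread's debug output.
FROM_THREAD = from_dotted_hex("888e.0101.0000")
# Constructed samples: a version 3 EAP-Request/Identity and a version 1
# EAP-Response/Identity carrying the made-up identity "lab1".
REQUEST_V3 = bytes.fromhex("888e03000005" "0101000501")
RESPONSE_V1 = bytes.fromhex("888e01000009" "0201000901" "6c616231")

if __name__ == "__main__":
    for name, frame in [("thread", FROM_THREAD), ("request", REQUEST_V3),
                        ("response", RESPONSE_V1)]:
        print(name, decode_eapol(frame))
```

Run against the bytes from the thread, it reports a version 1 EAPOL-Start with a zero-length body; method value 1 in the constructed frames is EAP Identity.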