08-28-2012 08:24 AM - edited 03-10-2019 07:28 PM
I was trying to set up 802.1x port authentication with a FreeRADIUS back end and was having problems with authentication. I enter the username and password on my Linux laptop and it asks again after a timeout. I enabled debugging on dot1x and it seems to stop after reporting "New client detected, issuing Start Request to AuthMgr". Debug output on RADIUS or AAA authentication never reported any information.
08-28-2012 09:19 AM
Kevin,
Please post the port configuration and switch model, along with the version information.
Thanks,
Tarik Admani
*Please rate helpful posts*
08-28-2012 04:06 PM
Tarik,
Here is the information. I have had the same problem on both a 3560 and a 2960. I am also including some debug information.
Lab3560#
Aug 28 23:03:16.129: dot1x-ev(Fa0/2): Role determination not required
Aug 28 23:03:16.129: dot1x-packet(Fa0/2): queuing an EAPOL pkt on Auth Q
Aug 28 23:03:16.129: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Aug 28 23:03:16.129: EAPOL pak dump rx
Aug 28 23:03:16.129: EAPOL Version: 0x1 type: 0x1 length: 0x0000
Aug 28 23:03:16.129: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/2 CODE= 0,TYPE= 0,LEN= 0
Aug 28 23:03:16.129: dot1x-packet(Fa0/2): Received an EAPOL frame
Aug 28 23:03:16.129: dot1x-ev(Fa0/2): Received pkt saddr =001e.ecd0.062d , daddr = 0180.c200.0003,
pae-ether-type = 888e.0101.0000
Aug 28 23:03:16.129: dot1x-ev(Fa0/2):
Lab3560#New client detected, issuing Start Request to AuthMgr
Aug 28 23:03:16.129: AUTH-EVENT (Fa0/2) Received START_REQUEST from dot1x (handle 0x00000003)
Aug 28 23:03:16.129: AUTH-EVENT (Fa0/2) Start request by method "dot1x" for 001e.ecd0.062d
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Thu 05-May-11 16:14 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02F00000
ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
Lab3560 uptime is 11 minutes
System returned to ROM by power-on
System restarted at 22:54:25 UTC Tue Aug 28 2012
System image file is "flash:c3560-ipservicesk9-mz.122-55.SE3.bin"
cisco WS-C3560-24PS (PowerPC405) processor (revision F0) with 131072K bytes of memory
Lab3560#sh run int fa 0/2
Building configuration...
Current configuration : 117 bytes
!
interface FastEthernet0/2
switchport access vlan 3
switchport mode access
authentication port-control auto
end
08-28-2012 05:51 PM
The codes that you are testing with now run dot1x version 3; there are some issues in the way that supplicants handle this value. This is a bug in the supplicant, and I wanted to know if you experience the same issue when a Windows machine connects.
Thanks,
Tarik Admani
*Please rate helpful posts*
08-29-2012 07:14 PM
I did some testing and it does appear to still be broken. I am using EAP-MD5, which wasn't enabled on my Windows system, so it may not be a great test for bugs. However, when I moved the same computer over to a 3750 running 12.2(25) it did prompt for a username and password.
08-29-2012 07:44 PM
Yeah, in the dot1x messages when you see the following:
Aug 28 23:03:16.129: EAPOL pak dump rx
Aug 28 23:03:16.129: EAPOL Version: 0x1 type: 0x1 length: 0x0000
We had a flood of these come into TAC when customers upgraded their switches. Basically, the conclusion was that the supplicants were freaking out when the EAPOL version 3 was being sent.
thanks,
Tarik Admani
*Please rate helpful posts*
08-30-2012 01:23 AM
I tried
(config-if)#dot1x pae authenticator
and the 2960 started to send Access-Request packets to RADIUS. See Peng Gu's reply at https://supportforums.cisco.com/thread/2024849.
08-30-2012 12:40 PM
That is correct; however, this is not the issue in this case. The issue is with the eap-response being sent back from the client... it is empty...
Tarik Admani
*Please rate helpful posts*
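Added example (not part of any post in this thread, and not Cisco code): a Python check for the point raised in the 08-30 reply, flagging interfaces that carry `authentication port-control auto` without `dot1x pae authenticator`. The sample config is constructed from the Fa0/2 stanza posted above; Fa0/3 and Fa0/4 and the function names are hypothetical.

```python
import re

# Constructed sample: Fa0/2 as posted in the thread; Fa0/3 and Fa0/4 are
# hypothetical ports added for contrast.
SAMPLE_CONFIG = """\
interface FastEthernet0/2
 switchport access vlan 3
 switchport mode access
 authentication port-control auto
!
interface FastEthernet0/3
 switchport access vlan 3
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface FastEthernet0/4
 switchport mode access
end
"""

def interface_stanzas(config_text):
    """Map each interface name to the list of its sub-commands.

    A stanza ends at '!' or 'end'. Indentation is not relied on, so a
    config pasted into a forum without leading spaces still parses.
    """
    stanzas, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        header = re.match(r"interface\s+(\S+)$", line)
        if header:
            current = stanzas.setdefault(header.group(1), [])
        elif line in ("!", "end"):
            current = None
        elif current is not None and line:
            current.append(line)
    return stanzas

def ports_missing_pae(config_text):
    """Interfaces with port-control auto but no 'dot1x pae authenticator'."""
    missing = []
    for name, cmds in interface_stanzas(config_text).items():
        # Matches the newer 'authentication' form and the legacy 'dot1x' form.
        controlled = any(re.match(r"(authentication|dot1x) port-control auto$", c) for c in cmds)
        if controlled and "dot1x pae authenticator" not in cmds:
            missing.append(name)
    return missing

if __name__ == "__main__":
    for port in ports_missing_pae(SAMPLE_CONFIG):
        print(f"{port}: port-control auto without 'dot1x pae authenticator'")
```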