10-18-2011 06:06 AM - edited 03-10-2019 06:29 PM
Hi there
Situation
I configured dot1x with ACS 5.2 on a WS-C3750X-24P (12.2(58)SE1). I configured EAP-TLS and MAB for a port with the following configurations. It looks like this: access port -> IP phone -> client
General Configuration
switchport access vlan 1421
switchport mode access
authentication event fail action authorize vlan 2329
authentication event server dead action authorize vlan 2329
authentication event no-response action authorize vlan 2329
authentication event server alive action reinitialize
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation protect
mab
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast
spanning-tree bpduguard enable
Port Configuration
switchport access vlan x
switchport mode access
authentication event fail action authorize vlan 2329
authentication event server dead action authorize vlan 2329
authentication event no-response action authorize vlan 2329
authentication event server alive action reinitialize
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation protect
mab
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast
spanning-tree bpduguard enable
Problem
If there is a known client (either with client certificates installed or with its MAC address configured on ACS 5.2), everything works fine. As soon as an unknown client connects, the RADIUS servers are marked as dead. As soon as this happens, the known clients fail to connect too:
Oct 18 14:52:57.013 METDST: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi1/0/3 AuditSessionID xxx
Oct 18 14:52:57.013 METDST: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/3 AuditSessionID xxx
Oct 18 14:52:57.013 METDST: %AUTHMGR-5-VLANASSIGN: VLAN 2329 assigned to Interface Gi1/0/3 AuditSessionID xxx
Oct 18 14:52:58.044 METDST: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Gi1/0/3 AuditSessionID xxx
Oct 18 14:52:58.044 METDST: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (Unknown MAC) on Interface Gi1/0/3 AuditSessionID xxx
Oct 18 14:52:57.633 METDST: %AUTHMGR-5-VLANASSIGN: VLAN 2329 assigned to Interface Gi1/0/3 AuditSessionID Unassigned (xxx)
Oct 18 14:52:57.642 METDST: %AUTHMGR-5-VLANASSIGN: VLAN 2329 assigned to Interface Gi1/0/3 AuditSessionID Unassigned (xxx)
Oct 18 14:52:57.709 METDST: %AUTHMGR-5-VLANASSIGN: VLAN 2329 assigned to Interface Gi1/0/3 AuditSessionID Unassigned (xxx)
Oct 18 14:52:58.967 METDST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to up
Oct 18 14:52:59.974 METDST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to up
Oct 18 14:53:04.218 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (xxxx.yyyy.zzzz) on Interface Gi4/0/3 AuditSessionID 0A00050B0000001E19DB9EE8
Oct 18 14:53:04.218 METDST: %DOT1X-5-FAIL: Authentication failed for client (xxxx.yyyy.zzzz) on Interface Gi4/0/3 AuditSessionID xxx
Oct 18 14:53:04.218 METDST: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'dot1x' for client (0023.7d10.9a6f) on Interface Gi4/0/3 AuditSessionID xxx
Oct 18 14:53:05.250 METDST: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (xxxx.yyyy.zzzz) on Interface Gi4/0/3 AuditSessionID xxx
Oct 18 14:53:05.250 METDST: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (xxxx.yyyy.zzzz) on Interface Gi4/0/3 AuditSessionID xxx
Does anybody know if I configured something wrong (see config above) or if there is a bug?
Thanks a lot and best regards
Dominic
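As an added example (not part of the original post), here is a small Python checker that runs over syslog lines like the ones above and flags the condition described: a 'server dead' result from the authentication manager followed by an authorization into the critical VLAN (2329 in the config above) or a result override. The sample log is constructed from the post's own lines, with the same placeholder MACs and session IDs; the message formats are the standard %AUTHMGR / %DOT1X syslog mnemonics shown in the post.

```python
import re
from collections import defaultdict

# Constructed sample: syslog lines modelled on the ones in the post above
# (MAC addresses and AuditSessionIDs are placeholders, as in the original).
SAMPLE_LOG = """\
Oct 18 14:52:57.013 METDST: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi1/0/3 AuditSessionID xxx
Oct 18 14:52:57.013 METDST: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/3 AuditSessionID xxx
Oct 18 14:52:57.013 METDST: %AUTHMGR-5-VLANASSIGN: VLAN 2329 assigned to Interface Gi1/0/3 AuditSessionID xxx
Oct 18 14:52:58.044 METDST: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Gi1/0/3 AuditSessionID xxx
Oct 18 14:52:58.044 METDST: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (Unknown MAC) on Interface Gi1/0/3 AuditSessionID xxx
Oct 18 14:53:04.218 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (xxxx.yyyy.zzzz) on Interface Gi4/0/3 AuditSessionID 0A00050B0000001E19DB9EE8
Oct 18 14:53:04.218 METDST: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'dot1x' for client (xxxx.yyyy.zzzz) on Interface Gi4/0/3 AuditSessionID xxx
Oct 18 14:53:05.250 METDST: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (xxxx.yyyy.zzzz) on Interface Gi4/0/3 AuditSessionID xxx
Oct 18 14:53:05.250 METDST: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (xxxx.yyyy.zzzz) on Interface Gi4/0/3 AuditSessionID xxx
"""

# VLAN from "authentication event server dead action authorize vlan 2329" in the config above.
CRITICAL_VLAN = "2329"

RESULT_RE = re.compile(
    r"%AUTHMGR-7-RESULT: Authentication result '(?P<result>[^']+)' from '(?P<method>[^']+)' "
    r"for client \((?P<client>[^)]+)\) on Interface (?P<intf>\S+)"
)
VLAN_RE = re.compile(
    r"%AUTHMGR-5-VLANASSIGN: VLAN (?P<vlan>\d+) assigned to Interface (?P<intf>\S+)"
)
OVERRIDE_RE = re.compile(
    r"%DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client "
    r"\((?P<client>[^)]+)\) on Interface (?P<intf>\S+)"
)


def analyze(log_text, critical_vlan=CRITICAL_VLAN):
    """Collect, per interface, the clients that got a 'server dead' result,
    how often the critical VLAN was assigned, and which clients were overridden."""
    per_intf = defaultdict(lambda: {"server_dead": [], "critical_vlan": 0, "overrides": []})
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if m and m.group("result") == "server dead":
            per_intf[m.group("intf")]["server_dead"].append(m.group("client"))
            continue
        m = VLAN_RE.search(line)
        if m and m.group("vlan") == critical_vlan:
            per_intf[m.group("intf")]["critical_vlan"] += 1
            continue
        m = OVERRIDE_RE.search(line)
        if m:
            per_intf[m.group("intf")]["overrides"].append(m.group("client"))
    return dict(per_intf)


def fail_open_interfaces(log_text, critical_vlan=CRITICAL_VLAN):
    """Interfaces where a 'server dead' result was followed by a critical-VLAN
    assignment or a result override, i.e. the port opened without a RADIUS verdict."""
    return sorted(
        intf for intf, ev in analyze(log_text, critical_vlan).items()
        if ev["server_dead"] and (ev["critical_vlan"] or ev["overrides"])
    )


def known_clients_affected(log_text):
    """Clients other than 'Unknown MAC' that hit 'server dead': the collateral
    damage the post describes (known clients failing once the server is marked dead)."""
    macs = set()
    for ev in analyze(log_text).values():
        macs.update(c for c in ev["server_dead"] if c != "Unknown MAC")
    return sorted(macs)


if __name__ == "__main__":
    print("fail-open interfaces:", fail_open_interfaces(SAMPLE_LOG))
    print("known clients affected:", known_clients_affected(SAMPLE_LOG))
```

Pointing the checker at a real syslog export of the switch (instead of SAMPLE_LOG) gives a quick list of ports that were authorized into VLAN 2329 without a RADIUS decision, which is the state worth alarming on since it is reachable by an unknown device.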
10-26-2011 01:46 AM
I found the problem: the ACS configuration was wrong. I had wrongly configured "If user not found" to Drop instead of Reject.
Best regards
Dominic
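To show why Drop versus Reject makes the difference reported above, here is an added Python simulation (not code from the post, from Cisco or from ACS). A toy RADIUS server either answers an unknown user with Access-Reject or silently drops the request, and a toy switch port applies the config from the post: fail, no-response and server-dead all authorize VLAN 2329, while a successful client lands in the access VLAN 1421. The retransmit count and the dead-criteria tries are assumed values chosen for the illustration, not the switch's actual defaults.

```python
from dataclasses import dataclass


@dataclass
class AcsServer:
    """Toy RADIUS server. unknown_user_action mirrors the ACS
    'If user not found' setting: 'reject' sends Access-Reject,
    'drop' sends nothing at all (the switch only sees a timeout)."""
    known_macs: set
    unknown_user_action: str = "reject"
    requests_seen: int = 0

    def handle(self, mac):
        self.requests_seen += 1
        if mac in self.known_macs:
            return "Access-Accept"
        if self.unknown_user_action == "reject":
            return "Access-Reject"
        return None  # dropped on the floor


@dataclass
class SwitchPort:
    """Toy authenticator port using the VLANs from the config in the post."""
    server: AcsServer
    access_vlan: int = 1421     # switchport access vlan 1421
    critical_vlan: int = 2329   # event fail / server dead / no-response action authorize vlan 2329
    retransmits: int = 3        # assumed: requests sent per authentication before giving up
    dead_tries: int = 3         # assumed dead-criteria: consecutive unanswered requests
    unanswered: int = 0
    server_dead: bool = False

    def authenticate(self, mac):
        """Return (result, vlan) for one client attempt."""
        if self.server_dead:
            # "authentication event server dead action authorize vlan 2329":
            # no request is even sent, every client is waved into the critical VLAN.
            return ("server dead", self.critical_vlan)
        for _ in range(self.retransmits):
            reply = self.server.handle(mac)
            if reply is not None:
                self.unanswered = 0          # any answer, even a reject, proves the server is alive
                if reply == "Access-Accept":
                    return ("success", self.access_vlan)
                return ("fail", self.critical_vlan)   # auth-fail VLAN per config
            self.unanswered += 1
            if self.unanswered >= self.dead_tries:
                self.server_dead = True      # silence is indistinguishable from an outage
                return ("server dead", self.critical_vlan)
        return ("timeout", self.critical_vlan)  # assumed handling when not yet over dead_tries


def run_scenario(unknown_user_action):
    """Unknown client plugs in first, known client second; returns outcomes and server state."""
    server = AcsServer(known_macs={"aaaa.bbbb.cccc"},  # constructed known MAC
                       unknown_user_action=unknown_user_action)
    port = SwitchPort(server=server)
    outcomes = [
        port.authenticate("dead.beef.0001"),   # constructed unknown MAC
        port.authenticate("aaaa.bbbb.cccc"),   # the known client that should succeed
    ]
    return outcomes, port.server_dead


if __name__ == "__main__":
    for action in ("reject", "drop"):
        print(action, "->", run_scenario(action))
```

With "reject" the unknown client fails into VLAN 2329 and the known client still authenticates into VLAN 1421; with "drop" the first unanswered request marks the server dead and the known client is also authorized into VLAN 2329 without ever being checked, which is exactly the log sequence in the first post. The general point: an authentication server must answer every request, because the NAS treats silence as a server outage and applies its dead-server policy to everyone.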