04-30-2012 08:41 AM - edited 03-12-2019 05:40 PM
Hello all.
I am trying to do dynamic vlan assignments with dot1x auth. I am using ACS5.3 and Cisco 3560.
I have configured them correctly to the best of my knowledge but it doesn't seem to be working correctly.
! Global AAA: the RADIUS server group used for both 802.1X authentication and network authorization
aaa group server radius nac_servers
 server-private 84.93.219.163 auth-port 1812 acct-port 1813 key 7 xxxxxx
aaa authentication dot1x default group nac_servers
aaa authorization network default group nac_servers
!
! Access port: 802.1X authenticator, guest VLAN 303 if no supplicant answers, voice VLAN 364
interface FastEthernet0/2
 switchport mode access
 switchport voice vlan 364
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 priority-queue out
 authentication event no-response action authorize vlan 303
 authentication host-mode multi-domain
 authentication port-control auto
 mls qos trust cos
 auto qos voip trust
 dot1x pae authenticator
When the user connects I get the following via debug:
Apr 30 15:19:36.303: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
However "show int status" still shows the port on vlan 1 and the end device is stuck with a 169.x.x.x address (Windows PC).
Any idea what config I'm missing?
Thanks
Paul
05-01-2012 03:20 AM
Can you please post the full logs, not just this line.
thanks
05-01-2012 10:31 PM
Hello.
Here is what's left in the log.
Apr 30 15:19:36.253: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 30 15:19:36.253: EAPOL pak dump rx
Apr 30 15:19:36.253: EAPOL Version: 0x1 type: 0x0 length: 0x007B
Apr 30 15:19:36.253: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 123
Apr 30 15:19:36.253: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.007b
Apr 30 15:19:36.253: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
Apr 30 15:19:36.269: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
Apr 30 15:19:36.269: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:36.278: dot1x-ev(Fa0/2): Sending out EAPOL packet
Apr 30 15:19:36.278: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:36.278: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 30 15:19:36.278: EAPOL pak dump rx
Apr 30 15:19:36.278: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Apr 30 15:19:36.278: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 43
Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.002b
Apr 30 15:19:36.286: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Sending out EAPOL packet
Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:36.294: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 30 15:19:36.294: EAPOL pak dump rx
Apr 30 15:19:36.294: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Apr 30 15:19:36.294: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 43
Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.002b
Apr 30 15:19:36.294: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
Apr 30 15:19:36.303: %DOT1X-5-SUCCESS: Authentication successful for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:36.303: dot1x-ev(Fa0/2): Sending event (2) to Auth Mgr for 70cd.6066.988a
Apr 30 15:19:36.303: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:36.303: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:37.167: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
Apr 30 15:19:37.335: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Received Authz Success for the client 0x55000021 (70cd.6066.988a)
Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Sending out EAPOL packet
Hope that helps
05-02-2012 12:24 AM
Please run "debug radius authentication". I would like to see the AV pairs that are sent back from the RADIUS server.
When you issue "show vlan", does VLAN 300 exist in the VLAN database?
Thanks
Tarik Admani
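The two checks asked for above (the AV pairs in the Access-Accept, and whether the VLAN is in the VLAN database) can be scripted once you have the output. The following is an added example, not code from the thread or from Cisco: it parses the attribute lines that "debug radius authentication" prints for an Access-Accept, verifies the three tunnel attributes IOS needs for dynamic VLAN assignment (Tunnel-Type [64] = VLAN (13), Tunnel-Medium-Type [65] = IEEE-802 (6), Tunnel-Private-Group-ID [81] = VLAN ID or name), and confirms that VLAN is present and active in "show vlan brief". The sample debug and show output embedded in it are constructed to resemble IOS formatting (the server address is the one from the first post; the username is made up); real debug lines may be laid out slightly differently, which is why the parser keys off the bracketed attribute numbers rather than column positions.

```python
"""Check the RADIUS side of Cisco IOS dynamic VLAN assignment.

Added example for this thread (not the poster's or Cisco's code).  It reads the
Access-Accept attribute lines from `debug radius authentication` and the table
from `show vlan brief`, both supplied as text, and reports what is missing.
The sample output below is constructed, not captured from the poster's switch.
"""
import re

# Attributes an Access-Accept must carry for IOS to assign a VLAN (RFC 3580):
#   Tunnel-Type [64]             = VLAN (13)
#   Tunnel-Medium-Type [65]      = IEEE-802 (6)
#   Tunnel-Private-Group-ID [81] = VLAN ID or VLAN name (string)
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_GROUP = 64, 65, 81
EXPECTED_ENUMS = {TUNNEL_TYPE: "13", TUNNEL_MEDIUM: "6"}

# One attribute line, e.g. (layout approximates IOS output):
#   RADIUS:  Tunnel-Type         [64]  6   01:VLAN                   [13]
#   RADIUS:  Tunnel-Private-Group[81]  5   "300"
ATTR_RE = re.compile(r"^RADIUS:\s+[\w-]+\s*\[(?P<num>\d+)\]\s+\d+\s+(?P<rest>.*)$")
ENUM_RE = re.compile(r"\[(\d+)\]\s*$")   # enumerated value code in trailing [..]
STRING_RE = re.compile(r'"([^"]*)"')      # quoted string value


def parse_access_accept(debug_text):
    """Return {attribute_number: value} for the first Access-Accept in the
    debug output, or {} if no Access-Accept was received."""
    attrs, in_accept = {}, False
    for line in debug_text.splitlines():
        if "Received from" in line:          # start of a RADIUS reply
            if in_accept:
                break                        # only the first Access-Accept
            in_accept = "Access-Accept" in line
            continue
        if not in_accept:
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        num, rest = int(m.group("num")), m.group("rest")
        enum, string = ENUM_RE.search(rest), STRING_RE.search(rest)
        attrs[num] = enum.group(1) if enum else (string.group(1) if string else rest.strip())
    return attrs


def parse_show_vlan(show_vlan_text):
    """Return {vlan_id: (name, status)} from `show vlan brief` output."""
    vlans = {}
    for line in show_vlan_text.splitlines():
        m = re.match(r"^(\d+)\s+(\S+)\s+(\S+)", line)
        if m:
            vlans[m.group(1)] = (m.group(2), m.group(3))
    return vlans


def check_vlan_assignment(debug_text, show_vlan_text):
    """Return a list of findings; an empty list means the Access-Accept carries
    a complete VLAN assignment and that VLAN is active on the switch."""
    findings = []
    attrs = parse_access_accept(debug_text)
    if not attrs:
        return ["no Access-Accept with attributes seen; authorization never reached the VLAN step"]
    for num, want in EXPECTED_ENUMS.items():
        got = attrs.get(num)
        if got is None:
            findings.append(f"attribute [{num}] missing from Access-Accept")
        elif got != want:
            findings.append(f"attribute [{num}] is {got}, expected {want}")
    group = attrs.get(TUNNEL_GROUP)
    if group is None:
        findings.append("Tunnel-Private-Group-ID [81] missing: no VLAN for the switch to apply")
        return findings
    vlans = parse_show_vlan(show_vlan_text)
    by_name = {name: vid for vid, (name, _) in vlans.items()}
    vid = group if group in vlans else by_name.get(group)   # [81] may be ID or name
    if vid is None:
        findings.append(f"VLAN '{group}' from [81] is not in the VLAN database")
    elif vlans[vid][1] != "active":
        findings.append(f"VLAN {vid} exists but its status is '{vlans[vid][1]}', not active")
    return findings


# Constructed sample: a correct Access-Accept for VLAN 300.
GOOD_DEBUG = """\
RADIUS: Received from id 1645/12 84.93.219.163:1812, Access-Accept, len 123
RADIUS:  authenticator 3A 1F 0C 77 ... (truncated)
RADIUS:  User-Name           [1]   7   "user1"
RADIUS:  Tunnel-Type         [64]  6   01:VLAN                   [13]
RADIUS:  Tunnel-Medium-Type  [65]  6   01:ALL_802                [6]
RADIUS:  Tunnel-Private-Group[81]  5   "300"
"""

# Constructed sample: Tunnel-Medium-Type absent and a VLAN the switch does not have.
BAD_DEBUG = """\
RADIUS: Received from id 1645/13 84.93.219.163:1812, Access-Accept, len 97
RADIUS:  Tunnel-Type         [64]  6   01:VLAN                   [13]
RADIUS:  Tunnel-Private-Group[81]  5   "305"
"""

# Constructed `show vlan brief` excerpt.
SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/3, Fa0/4
300  DATA_USERS                       active    Fa0/5, Fa0/6
303  GUEST                            active
364  VOICE                            active    Fa0/2
"""

if __name__ == "__main__":
    for label, dbg in (("good", GOOD_DEBUG), ("bad", BAD_DEBUG)):
        print(label, check_vlan_assignment(dbg, SHOW_VLAN) or ["OK"])
```

Feed it the real debug and "show vlan brief" text instead of the samples; a clean result from this check plus the %AUTHMGR-5-VLANASSIGN message in the log narrows the problem to the switch side (port mode, host mode, VLAN state) rather than the RADIUS reply.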
05-02-2012 01:37 PM
I'll run the debug tomorrow if I get chance.
Yes VLAN 300 is being used on other ports. If I set the port to be on vlan 300 everything else about the 802.1x auth works fine.
05-03-2012 12:57 PM
I've changed the host mode to multi-host rather than multi-domain. Although I will be going through a VoIP phone eventually, I was not at the time, and I can only assume that was the issue.
05-07-2012 12:37 AM
Hi Paul,
Can you send us the ACS configuration and switch configuration, to see what went wrong.
Thanks and Regards
Kiran Kumar CH