4541 Views, 30 Helpful, 14 Replies

Endpoint authenticated but no access to network

Hello,

I have ISE 2.6.

On a C2960 I have several endpoints successfully authenticated and working.

But two of them do not have access to the network, while they show as authenticated in ISE and on the switch.

If I do "authentication open" on the port it works, but when I remove the command it is the same again.

Any ideas?

Thanks and regards,

Konstantinos

Accepted Solution

If the issue follows the switchports and the same endpoints work fine in other ports (with the exact same config), it's entirely possible there's a problem with the switchport or ASIC. If the switch is under an active support contract, it would be best to open a TAC case.

14 Replies

balaji.bandi (Hall of Fame)
But two of them do not have access to the network

What about the others? What is the difference between these two and the others that are working? Need more information here.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

There are no differences.

They are PCs with IP phones.

I would go down the road of checking port config and profiles. Does changing to a different port still give the same issue?

Can you post the working port config vs. the not-working port config?

 

BB


There are three modes of 802.1X:
1- Monitor mode ("auth open"): the VLAN is assigned according to what you configure in "access vlan" or "voice vlan",
so in that mode ISE works only as a monitor.
2- The other mode is closed mode, which means that if the port passes authentication, the VLAN assigned to it is controlled from ISE, which sends the VLAN ID to the switch, which assigns it automatically.

thomas (Cisco Employee)

You have not provided any helpful troubleshooting information.

Please see How to Ask The Community for Help

Hello,

I have arranged to change the port and will see how that goes.

The config of the ports is all the same.

Any other test you can think of?

Regards,

Konstantinos

Mike.Cifelli (VIP Alumni)

Please share port config + relevant debugs so the community can better assist.

debug aaa authentication

debug radius

debug dot1x all

Thank you Mike,

Once I have the config I will post it.

Hello,

This is the port config:

!
interface GigabitEthernet0/xx
switchport access vlan a
switchport mode access
switchport voice vlan b
authentication event fail action next-method
authentication event server dead action reinitialize vlan a
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-reauth-req 3
spanning-tree portfast edge
!
interface GigabitEthernet0/vv
description NACOFS DUE TO PROBLEM
switchport access vlan a
switchport mode access
switchport voice vlan b
authentication event fail action next-method
authentication event server dead action reinitialize vlan a
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-reauth-req 3
spanning-tree portfast edge
!

 

The first one works fine; the second has the problem.
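Added example, not from the thread or from Cisco: a small Python script that parses IOS interface stanzas like the two posted above, diffs the two ports (ignoring the description line) and flags any access port left in "authentication open". Open mode is the workaround applied to Gi0/vv: the switch forwards traffic regardless of the 802.1X/MAB result, so the port "works" but no longer enforces anything, and it is easy for such a workaround to linger in a running-config. The sample config is a trimmed copy of the two stanzas above with the placeholder names kept; the finding codes ("open-mode", "open-mode-with-acl", "not-authenticating") are this script's own, not IOS terms.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: a trimmed copy of the two stanzas posted above, with the
# placeholders (0/xx, 0/vv, vlan a/b) kept exactly as in the post.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/xx
 switchport access vlan a
 switchport mode access
 switchport voice vlan b
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
!
interface GigabitEthernet0/vv
 description NACOFS DUE TO PROBLEM
 switchport access vlan a
 switchport mode access
 switchport voice vlan b
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
!
"""

INTERFACE_RE = re.compile(r"^interface\s+(\S+)$")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [stanza lines]}.

    A stanza starts at 'interface X' and ends at the next '!' line. Lines are
    stripped, so indented CLI output and a flat copy-paste like the one in the
    post parse identically.
    """
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
            continue
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def diff_interfaces(stanzas: Dict[str, List[str]], a: str, b: str) -> Tuple[Set[str], Set[str]]:
    """Return (lines only on a, lines only on b); description lines are ignored."""
    def keep(lines: List[str]) -> Set[str]:
        return {l for l in lines if not l.startswith("description ")}
    sa, sb = keep(stanzas[a]), keep(stanzas[b])
    return sa - sb, sb - sa


def audit_enforcement(stanzas: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Flag access ports where 802.1X/MAB is configured but not enforced.

    'authentication open' forwards traffic before, and regardless of, the
    authentication result. With a pre-auth ACL ('ip access-group ... in') that
    is the deliberate low-impact design; without one the port is effectively
    unauthenticated, which is why it 'fixed' Gi0/vv in the thread.
    """
    findings: List[Tuple[str, str]] = []
    for name, lines in stanzas.items():
        s = set(lines)
        if "switchport mode access" not in s:
            continue  # trunks and uplinks are out of scope for this check
        if "authentication port-control auto" not in s:
            findings.append((name, "not-authenticating"))
            continue
        if "authentication open" in s:
            has_acl = any(l.startswith("ip access-group ") and l.endswith(" in") for l in lines)
            findings.append((name, "open-mode-with-acl" if has_acl else "open-mode"))
    return findings


if __name__ == "__main__":
    cfg = parse_interfaces(SAMPLE_CONFIG)
    only_xx, only_vv = diff_interfaces(cfg, "GigabitEthernet0/xx", "GigabitEthernet0/vv")
    print("only on Gi0/xx:", sorted(only_xx))
    print("only on Gi0/vv:", sorted(only_vv))
    for intf, code in audit_enforcement(cfg):
        print(f"{intf}: {code}")
```

Run it against `show running-config` output saved to a file to list every port that has quietly been put into open mode; the diff function is the quick way to confirm, as the thread did, that "the same config" really is the same apart from the workaround.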

 

Just try removing the command line "mab" from the config,
because you have already configured MAB with order and priority.

I took the debugs.

The error I can see is this:

Aug 10 14:15:06.826 EEDST: %DOT1X-5-FAIL: Authentication failed for client (001e.f727.7719) on Interface Gi0/26 AuditSessionID 00000000000005ED28137D77
Aug 10 14:15:06.826 EEDST: dot1x-packet:[001e.f727.7719, Gi0/26] Dot1x did not receive any key data
Aug 10 14:15:06.826 EEDST: dot1x-ev:[001e.f727.7719, Gi0/26] Processing client delete for hdl 0x0F0007FF sent by Auth Mgr
Aug 10 14:15:06.827 EEDST: dot1x-ev:[001e.f727.7719, Gi0/26] 001e.f727.7719: sending canned failure due to method termination
Aug 10 14:15:06.827 EEDST: dot1x-ev:[001e.f727.7719, Gi0/26] Sending EAPOL packet

What does this "Dot1x did not receive any key data" mean, and why is it happening?

This could mean that the endpoint is not responding to the EAPOL sent by the switch. The only way to confirm that would be to mirror the switchport and do a packet capture to see what communication is happening between the switch and endpoint.

If the endpoint is not responding to the EAPOL, you will need to investigate the endpoint.

What is the exact model of 2960 you have? If it is not one of the End of Support models, you would be best contacting TAC to help troubleshoot.
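Added example, not from the thread or from Cisco: a Python parser over debug lines like the ones posted above that groups %DOT1X results and dot1x-packet/dot1x-ev messages by interface and MAC, lists the sessions where the switch logged "did not receive any key data" (the endpoint-not-answering-EAPOL case the reply above describes, which only a SPAN capture can confirm), and flags interfaces where more than one MAC has failed, which is the kind of evidence that separates a bad port from a bad endpoint. The sample log is the five posted lines plus a constructed %DOT1X-5-SUCCESS line on Gi0/25 and a constructed second failure on Gi0/26 from a different MAC, marked in the code, so the summary has something to contrast.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: the five lines from the post, followed by two constructed
# lines (a SUCCESS on Gi0/25 and a second FAIL on Gi0/26 from another MAC).
SAMPLE_DEBUG = """\
Aug 10 14:15:06.826 EEDST: %DOT1X-5-FAIL: Authentication failed for client (001e.f727.7719) on Interface Gi0/26 AuditSessionID 00000000000005ED28137D77
Aug 10 14:15:06.826 EEDST: dot1x-packet:[001e.f727.7719, Gi0/26] Dot1x did not receive any key data
Aug 10 14:15:06.826 EEDST: dot1x-ev:[001e.f727.7719, Gi0/26] Processing client delete for hdl 0x0F0007FF sent by Auth Mgr
Aug 10 14:15:06.827 EEDST: dot1x-ev:[001e.f727.7719, Gi0/26] 001e.f727.7719: sending canned failure due to method termination
Aug 10 14:15:06.827 EEDST: dot1x-ev:[001e.f727.7719, Gi0/26] Sending EAPOL packet
Aug 10 14:15:31.102 EEDST: %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi0/25 AuditSessionID 00000000000005EE28137D90
Aug 10 14:16:02.410 EEDST: %DOT1X-5-FAIL: Authentication failed for client (00aa.bbcc.ddee) on Interface Gi0/26 AuditSessionID 00000000000005EF28137DA1
Aug 10 14:16:02.410 EEDST: dot1x-packet:[00aa.bbcc.ddee, Gi0/26] Dot1x did not receive any key data
"""

# %DOT1X-5-FAIL / %DOT1X-5-SUCCESS syslog lines carry the MAC and interface.
SYSLOG_RE = re.compile(
    r"%DOT1X-5-(?P<result>FAIL|SUCCESS): .*?client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+)"
)
# dot1x-packet / dot1x-ev debug lines carry "[mac, intf] message".
DEBUG_RE = re.compile(r"dot1x-(?:packet|ev):\[(?P<mac>[0-9a-f.]+), (?P<intf>\S+)\] (?P<msg>.*)")

NO_KEY_DATA = "did not receive any key data"


def summarize(log: str) -> Dict[str, Dict[str, dict]]:
    """Group results and failure reasons as {intf: {mac: {"results": [...], "reasons": [...]}}}."""
    out: Dict[str, Dict[str, dict]] = defaultdict(
        lambda: defaultdict(lambda: {"results": [], "reasons": []})
    )
    for line in log.splitlines():
        m = SYSLOG_RE.search(line)
        if m:
            out[m["intf"]][m["mac"]]["results"].append(m["result"])
            continue
        m = DEBUG_RE.search(line)
        if m and NO_KEY_DATA in m["msg"]:
            out[m["intf"]][m["mac"]]["reasons"].append("no-eapol-key-data")
    return out


def silent_supplicants(summary: Dict[str, Dict[str, dict]]) -> List[Tuple[str, str]]:
    """(intf, mac) pairs whose failure came with 'did not receive any key data'.

    The switch sent EAPOL and got nothing usable back, so the next step is a
    SPAN capture on that port to see whether the endpoint answers at all.
    """
    return sorted(
        (intf, mac)
        for intf, macs in summary.items()
        for mac, d in macs.items()
        if "no-eapol-key-data" in d["reasons"]
    )


def ports_failing_for_multiple_macs(summary: Dict[str, Dict[str, dict]]) -> List[str]:
    """Interfaces on which more than one distinct MAC has failed.

    Several different endpoints failing on one port points at the port (or the
    switch) rather than at a single endpoint, which is where the thread ends up.
    """
    bad = []
    for intf, macs in summary.items():
        failed = [mac for mac, d in macs.items() if "FAIL" in d["results"]]
        if len(failed) > 1:
            bad.append(intf)
    return sorted(bad)


if __name__ == "__main__":
    s = summarize(SAMPLE_DEBUG)
    for intf, macs in s.items():
        for mac, d in macs.items():
            print(f"{intf} {mac} results={d['results']} reasons={d['reasons']}")
    print("no EAPOL key data from:", silent_supplicants(s))
    print("ports failing for multiple MACs:", ports_failing_for_multiple_macs(s))
```

Feed it the output of `debug dot1x all` plus the switch syslog (or a `show logging` dump) for the suspect port; if the second endpoint moved onto the faulty port also shows up in `silent_supplicants`, the port rather than the PC or phone is the common factor, and a capture of that port will show whether the EAPOL frames are actually leaving the switch.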

Hello,

I changed the port of the endpoint on the switch and it worked fine.

This is the switch:

Switch Ports Model                     SW Version            SW Image
------ ----- -----                     ----------            ----------
*    1 52    WS-C2960L-48PS-LL         15.2(7)E0a            C2960L-UNIVERSALK9-M

It makes me wonder, because the issue is only with two ports of the switch; the others work fine.

I have asked for a PC to be tested in the faulty port to see what happens.
