11-14-2018 11:25 AM
Guys,
I have a domain-managed laptop and I'm deploying Cisco ISE 2.4 on the network. The laptop is connected to a Catalyst 9300 switch. I'm running a Wireshark instance on the laptop.
I noticed the laptop sends the EAPOL-Start packet three times with no response (no EAP-Request/Identity from the switch). I've followed the steps from different admin guides, which are almost the same, but it doesn't work.
Any suggestion?
#### C9300 Config ###
aaa new-model
!
!
aaa group server radius psns
server name ccpanpsn1
server name ccpanpsn2
ip radius source-interface Vlan201
!
aaa authentication login default local
aaa authentication dot1x default group psns
aaa authorization network default group psns
aaa accounting update newinfo periodic 2880
aaa accounting dot1x default start-stop group radius
!
!
!
!
!
aaa server radius dynamic-author
client 10.20.202.101 server-key T1ns$ciscoise
client 10.20.202.102 server-key T1ns$ciscoise
!
aaa session-id common
clock timezone EST 5 0
clock summer-time EDT recurring
switch 1 provision c9300-48p
!
!
...
!...
device-sensor filter-list dhcp list DHCP-LIST
option name host-name
option name requested-address
option name parameter-request-list
option name class-identifier
option name client-identifier
!
device-sensor filter-list lldp list LLDP-LIST
tlv name system-name
tlv name system-description
tlv name system-capabilities
!
device-sensor filter-list cdp list CDP-LIST
tlv name device-name
tlv name address-type
tlv name capabilities-type
tlv name version-type
tlv name platform-type
device-sensor filter-spec dhcp include list DHCP-LIST
device-sensor filter-spec lldp include list LLDP-LIST
device-sensor filter-spec cdp include list CDP-LIST
device-sensor accounting
device-sensor notify all-changes
authentication mac-move permit
access-session acl default passthrough
cpp system-default
device-tracking policy NOTRACKUDP
no protocol udp
tracking enable
!
!
...
!
dot1x system-auth-control
dot1x critical eapol
!
username admin privilege 15 secret 5 $1$/iTY$suJbP9rh.8JEnMPZn1apQ.
username test-user password 0 test-pass
!
!
....
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
radius server ccpanpsn1
address ipv4 10.20.202.101 auth-port 1812 acct-port 1813
automate-tester username test-user ignore-acct-port probe-on
key T1ns$ciscoise
!
radius server ccpanpsn2
address ipv4 10.20.202.102 auth-port 1812 acct-port 1813
automate-tester username test-user ignore-acct-port probe-on
key T1ns$ciscoise
!
!
interface GigabitEthernet1/0/2
description ** dot1x-test-port **
switchport access vlan 70
switchport mode access
authentication host-mode multi-auth
authentication open
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
authentication event no-response action authorize vlan 70
mab
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-reauth-req 3
spanning-tree portfast
!
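The symptom above (EAPOL-Start sent three times, nothing back from the authenticator) is easy to spot in a capture once you decode the EAPOL header. The following is an added example, not code from this thread or from Cisco: a small decoder for raw Ethernet/EAPOL frames that counts EAPOL-Starts per supplicant MAC and checks whether any EAP-Request/Identity was sent back to it. The frames in SAMPLE_CAPTURE are constructed here (the laptop MAC is made up); in practice you would feed it the raw frame bytes of a pcap.

```python
import struct
from collections import Counter

# Constants from IEEE 802.1X (EAPOL) and RFC 3748 (EAP)
ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 01:80:c2:00:00:03
EAPOL_TYPE_EAP_PACKET = 0
EAPOL_TYPE_START = 1
EAP_CODE_REQUEST = 1
EAP_TYPE_IDENTITY = 1


def build_eapol_start(src_mac: bytes) -> bytes:
    """Construct an EAPOL-Start frame as a supplicant would send it."""
    eth = PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + struct.pack("!BBH", 1, EAPOL_TYPE_START, 0)  # version 1, Start, empty body


def build_eap_request_identity(src_mac: bytes, dst_mac: bytes, eap_id: int = 1) -> bytes:
    """Construct the frame an authenticator answers with: EAP-Request/Identity."""
    eap = struct.pack("!BBHB", EAP_CODE_REQUEST, eap_id, 5, EAP_TYPE_IDENTITY)
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + struct.pack("!BBH", 1, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap


def parse_frame(frame: bytes):
    """Decode the Ethernet + EAPOL headers (and the EAP header if present).

    Returns a dict, or None when the frame is too short or not EAPOL."""
    if len(frame) < 18:
        return None
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        return None
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    info = {"src": src.hex(":"), "dst": dst.hex(":"),
            "version": version, "eapol_type": eapol_type}
    if eapol_type == EAPOL_TYPE_EAP_PACKET and len(body) >= 5:
        code, eap_id, _, eap_type = struct.unpack("!BBHB", body[:5])
        info.update({"eap_code": code, "eap_id": eap_id, "eap_type": eap_type})
    return info


def diagnose(frames):
    """Per supplicant MAC: how many EAPOL-Starts it sent and whether any
    EAP-Request/Identity came back to it. A silent authenticator is the
    symptom described in the thread (Start sent, nothing returned)."""
    starts, identity_requests = Counter(), Counter()
    for frame in frames:
        info = parse_frame(frame)
        if info is None:
            continue
        if info["eapol_type"] == EAPOL_TYPE_START:
            starts[info["src"]] += 1
        elif info.get("eap_code") == EAP_CODE_REQUEST and info.get("eap_type") == EAP_TYPE_IDENTITY:
            identity_requests[info["dst"]] += 1
    report = {}
    for mac, count in starts.items():
        answered = identity_requests.get(mac, 0)
        report[mac] = {"eapol_start": count, "identity_request": answered,
                       "authenticator_silent": answered == 0}
    return report


# Constructed sample capture: three unanswered Starts from a made-up laptop MAC
LAPTOP_MAC = bytes.fromhex("001122334455")
SAMPLE_CAPTURE = [build_eapol_start(LAPTOP_MAC) for _ in range(3)]

if __name__ == "__main__":
    for mac, result in diagnose(SAMPLE_CAPTURE).items():
        print(mac, result)
```

If the report shows authenticator_silent for the supplicant, the problem is on the switch side of the port (the PAE never answered), so RADIUS and ISE policy are not yet involved; if Identity requests are present but no further EAP exchange follows, look at the supplicant and the RADIUS path instead.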
11-15-2018 04:43 PM
Can you please enable the below debugs on the switch and take a look at the logs..
Exec mode
set platform software trace smd switch active R0 aaa-authen debug
set platform software trace smd switch active R0 radius debug
Then use the below command to check the logs..
show platform software trace message smd switch active R0
11-16-2018 08:08 PM
11-14-2018 12:39 PM
Configuration looks good.
Can you confirm the below:
1. show aaa servers - hope the server status is up.
2. Use the "test aaa group radius test-user test-password new-code" command to verify the connectivity, username and password.
3. Hope the authentication and authorization profiles are set right on the ISE side for user authentication.
Also, refer to the steps in this guide, in case you haven't.
11-14-2018 12:48 PM
First, thank you for your response.
I have run those commands and everything seems to be good. I also used the steps that are in the article you shared with me. But for some reason it didn't work.
Now I'm wondering if it is a license issue, because when I run the command 'test aaa group radius test-user test-password new-code' I never see the AAA/SG/TEST details.
AAA/SG/TEST Platform: Testing Status
AAA/SG/TEST: Authen Requests to Send : 1
AAA/SG/TEST: Authen Requests Processed : 1
AAA/SG/TEST: Authen Requests Sent : 1
AAA/SG/TEST: Authen Requests Replied : 1
AAA/SG/TEST: Authen Requests Successful : 0
ccisetest#sh aaa servers
RADIUS: id 1, priority 1, host 10.20.202.101, auth-port 1812, acct-port 1813
State: current UP, duration 1304s, previous duration 900s
Dead: total time 900s, count 0
Platform State from SMD: current UP, duration 2143s, previous duration 60s
SMD Platform Dead: total time 60s, count 0
Platform State from WNCD: current UP, duration 0s, previous duration 0s
Platform Dead: total time 0s, count 0
Quarantined: No
Authen: request 2, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 2, challenge 0
.......
ccisetest#test aaa group psns username ****** new-code
User successfully authenticated
USER ATTRIBUTES
username 0 "username"
ccisetest#
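The counters in the show aaa servers output above already tell you which side to look at: Access-Rejects with zero timeouts mean the switch and ISE are exchanging RADIUS (reachability and shared secret are fine) and the problem is policy or credentials, while timeouts point at reachability or a secret mismatch. The following is an added example, not code from this thread or from Cisco: a parser for that output that pulls out per-server state and authentication counters and turns them into findings. SAMPLE_OUTPUT is constructed in the shape of the output posted above (the first server mirrors the posted values, the second is made up to show a dead server).

```python
import re

# Constructed sample in the shape of IOS-XE 'show aaa servers' output; the first
# server mirrors the values posted in the thread, the second is made up.
SAMPLE_OUTPUT = """\
RADIUS: id 1, priority 1, host 10.20.202.101, auth-port 1812, acct-port 1813
     State: current UP, duration 1304s, previous duration 900s
     Dead: total time 900s, count 0
     Platform State from SMD: current UP, duration 2143s, previous duration 60s
     Authen: request 2, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 2, challenge 0
RADIUS: id 2, priority 2, host 10.20.202.102, auth-port 1812, acct-port 1813
     State: current DEAD, duration 40s, previous duration 1200s
     Dead: total time 900s, count 1
     Authen: request 5, timeouts 5, failover 1, retransmission 3
             Response: accept 0, reject 0, challenge 0
"""

SERVER_RE = re.compile(r"^RADIUS: id (\d+), priority (\d+), host (\S+), auth-port (\d+), acct-port (\d+)")
STATE_RE = re.compile(r"^State: current (\w+)")  # anchored so 'Platform State ...' does not match
AUTHEN_RE = re.compile(r"^Authen: request (\d+), timeouts (\d+), failover (\d+), retransmission (\d+)")
RESPONSE_RE = re.compile(r"^Response: accept (\d+), reject (\d+), challenge (\d+)")


def parse_aaa_servers(text):
    """Return one dict per RADIUS server block, with state and authen counters."""
    servers, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVER_RE.match(line)
        if m:
            current = {"id": int(m[1]), "priority": int(m[2]), "host": m[3],
                       "auth_port": int(m[4]), "acct_port": int(m[5])}
            servers.append(current)
            continue
        if current is None:
            continue  # skip anything before the first server block
        m = STATE_RE.match(line)
        if m:
            current["state"] = m[1]
            continue
        m = AUTHEN_RE.match(line)
        if m:
            current.update(request=int(m[1]), timeouts=int(m[2]),
                           failover=int(m[3]), retransmission=int(m[4]))
            continue
        m = RESPONSE_RE.match(line)
        if m:
            current.update(accept=int(m[1]), reject=int(m[2]), challenge=int(m[3]))
    return servers


def assess(server):
    """Turn the counters into findings a troubleshooter can act on."""
    findings = []
    if server.get("state") != "UP":
        findings.append("state is %s, not UP" % server.get("state", "unknown"))
    if server.get("timeouts", 0) > 0:
        findings.append("%d timeouts: check reachability and shared secret" % server["timeouts"])
    if server.get("request", 0) > 0 and server.get("accept", 0) == 0 and server.get("challenge", 0) == 0:
        findings.append("no Access-Accept or Access-Challenge yet: check ISE policy and test credentials")
    return findings


if __name__ == "__main__":
    for s in parse_aaa_servers(SAMPLE_OUTPUT):
        print(s["host"], s.get("state"), assess(s) or ["looks healthy"])
```

Note that these counters are cumulative for the server, so a reject from an earlier test aaa run stays in the count; what matters for the port problem in this thread is that the switch never sends a RADIUS request at all if it never answers the EAPOL-Start, so healthy counters here do not rule out a port-level dot1x issue.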
11-15-2018 07:17 AM - edited 11-15-2018 07:17 AM
Now this is really weird.
I also ran the command:
#dot1x test eapol-capable interface gigabitethernet1/0/2
#
and nothing happened. It seems that 802.1X is not enabled on the interface or it is not supported... but all the commands to enable 802.1X on that interface are running....
11-15-2018 08:29 AM
11-15-2018 08:49 AM
Can we do a WebEx? I have sent you a private message; please reply back with your email address and we can take a look.
11-15-2018 08:57 AM
11-15-2018 09:03 AM
11-16-2018 12:50 AM
From a software perspective, I have dot1x working fine with 16.6.4a on the 9300.