cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5155
Views
15
Helpful
11
Replies

I do not receive the EAP-Request/Identity response from my catalyst 9300 aaa configured

amalitol81
Level 1
Level 1

Guys,

I have a laptop domain managed and I'm deploying Cisco ISE 2.4 on the network. The laptop is connected to a Catalyst 9300 switch. I'm running Wireshark instance on the laptop.

I noticed the laptop send the EAPOL-Start packet three times with no response (EAP-Request/Identity from SW) I've followed steps from different admin guides, which are almost the same but it don't work.

Any suggestion ?

 

#### C9300 Config  ###

aaa new-model
!
!
aaa group server radius psns
 server name ccpanpsn1
 server name ccpanpsn2
 ip radius source-interface Vlan201
!
aaa authentication login default local
aaa authentication dot1x default group psns

aaa authorization network default group psns

aaa accounting update newinfo periodic 2880
aaa accounting dot1x default start-stop group radius
!
!
!
!
!
aaa server radius dynamic-author
 client 10.20.202.101 server-key T1ns$ciscoise
 client 10.20.202.102 server-key T1ns$ciscoise
!
aaa session-id common
clock timezone EST 5 0
clock summer-time EDT recurring
switch 1 provision c9300-48p
!
!
...
!...
device-sensor filter-list dhcp list DHCP-LIST
 option name host-name
 option name requested-address
 option name parameter-request-list
 option name class-identifier
 option name client-identifier
!
device-sensor filter-list lldp list LLDP-LIST
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
!
device-sensor filter-list cdp list CDP-LIST
 tlv name device-name
 tlv name address-type
 tlv name capabilities-type
 tlv name version-type
 tlv name platform-type
device-sensor filter-spec dhcp include list DHCP-LIST
device-sensor filter-spec lldp include list LLDP-LIST
device-sensor filter-spec cdp include list CDP-LIST
device-sensor accounting
device-sensor notify all-changes
authentication mac-move permit
access-session acl default passthrough
cpp system-default
device-tracking policy NOTRACKUDP
 no protocol udp
 tracking enable
!
!
...
!
dot1x system-auth-control
dot1x critical eapol
!
username admin privilege 15 secret 5 $1$/iTY$suJbP9rh.8JEnMPZn1apQ.
username test-user password 0 test-pass
!
!
....
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
radius server ccpanpsn1
 address ipv4 10.20.202.101 auth-port 1812 acct-port 1813
 automate-tester username test-user ignore-acct-port probe-on
 key T1ns$ciscoise
!
radius server ccpanpsn2
 address ipv4 10.20.202.102 auth-port 1812 acct-port 1813
 automate-tester username test-user ignore-acct-port probe-on
 key T1ns$ciscoise
!
!




interface GigabitEthernet1/0/2
 description ** dot1x-test-port **
 switchport access vlan 70
 switchport mode access
 authentication host-mode multi-auth
 authentication open                                         
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server                  
 authentication timer inactivity server dynamic                
authentication event no-response action authorize vlan 70
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 spanning-tree portfast
!



 

 

 

 

 

2 Accepted Solutions

Accepted Solutions

Can you please enable the below debugs on the switch and take a look at the logs..

Exec mode

set platform software trace smd switch active R0 aaa-authen debug

set platform software trace smd switch active R0 radius debug

 

Then use the below command to check the logs..

show platform software trace message smd switch active R0

 

View solution in original post

Did you apply profile and posture policies?
Well, it seems the problem was o the nic card. I replace the laptop and now the interface on the SW is working perfectly.

View solution in original post

11 Replies 11

mnagired
Cisco Employee
Cisco Employee

Configurations looks good..

 

Can you confirm below

1.show aaa servers  - hope the server status are up..

2. Use the "Test aaa group radius test-user test-password new-code" command with verify the connectivity,UN and PWD..

3. Hope the authentication and authorization profiles are set right on the ISE side for user authentication..

 

Also, refer to the steps in this guide.. incase you havent..

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId--1058815263

First, thank you for your response.

I have ran those commands and everything seems to be good. I also used the steps that are in the article you share to me. But for some reason it didn't works.

Now I'm wondering if it is a license issue? Because when I run the command 'test aaa group radius test-user test-password new-code' I never saw the AAA/SG/TEST details.

 

AAA/SG/TEST Platform: Testing Status

AAA/SG/TEST:      Authen Requests to Send    : 1

AAA/SG/TEST:      Authen Requests Processed  : 1

AAA/SG/TEST:      Authen Requests Sent       : 1

AAA/SG/TEST:      Authen Requests Replied    : 1

AAA/SG/TEST:      Authen Requests Successful : 0


ccisetest#sh aaa servers
RADIUS: id 1, priority 1, host 10.20.202.101, auth-port 1812, acct-port 1813
     State: current UP, duration 1304s, previous duration 900s
     Dead: total time 900s, count 0
     Platform State from SMD: current UP, duration 2143s, previous duration 60s
     SMD Platform Dead: total time 60s, count 0
     Platform State from WNCD: current UP, duration 0s, previous duration 0s
     Platform Dead: total time 0s, count 0
     Quarantined: No
     Authen: request 2, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 2, challenge 0
.......

ccisetest#test aaa group psns username ****** new-code
User successfully authenticated

USER ATTRIBUTES

username             0   "username"
ccisetest#




 

 

 

Now this is really weird.

I also ran the command:

#dot1x test eapol-capable interface gigabitethernet1/0/2

#

and nothing happen. It seems that 802.1x is not enabled on the interface or it is not supported... but all the commands to enble 802.1x on that interface are running....

 

 

 

Would recommend you reach out to switching team community

Can we do a webex? i have sent you a private message, please do reply back with your email address and we can take a look..

This is a switching issue and not ISE. you can move this or post new to Switching community for experts SME advice. If needing support to troubleshoot please reach out to TAC

I think so, I'm going to move this post to another community. Thank you

Can you please enable the below debugs on the switch and take a look at the logs..

Exec mode

set platform software trace smd switch active R0 aaa-authen debug

set platform software trace smd switch active R0 radius debug

 

Then use the below command to check the logs..

show platform software trace message smd switch active R0

 

Thank you for your response.
Well, it seems the problem was o the nic card. I replace the laptop and now the interface on the SW is working perfectly.

Damien Miller
VIP Alumni
VIP Alumni

From a software perspective, I have dot1x working fine with 16.6.4a on the 9300.

Did you apply profile and posture policies?
Well, it seems the problem was o the nic card. I replace the laptop and now the interface on the SW is working perfectly.