cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3761
Views
10
Helpful
11
Replies

IBNS 2 with Microsoft NPS

jon101
Level 1
Level 1

Hi,

Been attempting to setup Dot1x auth with Microsoft NPS server and have had a really hard time finding documentation for this because everything out there is IBNS 2 with ISE, which I don't have ISE and we aren't planning on getting it at this time. 

I'm trying to configure based on the below guide using single host mode. I'm looking to have a very basic setup to start building my confidence in this setup.

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-x-series-switches/207193-Configure-IBNS-2-0-for-Single-Host-and-M.html#anc0

 

I've contact TAC and they say my switch config is correct but then send me to https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-top for the NPS configuration which is not helpful.

 

To describe what happens at this point, i do the configurations, plug in my laptop to test auth and it just connects me right to the port without prompting for credentials.  This doesn't seem to be correct.

 

Any tips or guidance would be appreciated.

 

Jon

11 Replies 11

hi,

 

have you enabled dot1x authentication on the wired auto config and what is the configuration settings?

 

on the switch

show authentication session <interface> detail --> to show if its dot1x or mab authentication which is happen?

Here is my output:

Interface MAC Address Method Domain Status Fg Session ID
--------------------------------------------------------------------------------------------
Gi1/0/5 a401.a051.4c0f dot1x UNKNOWN Unauth 0705000A0000001194AE5DAB

Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker

Runnable methods list:
Handle Priority Name
11 5 dot1xSup
2 5 dot1x
12 10 webauth
1 15 mab

thomas
Cisco Employee
Cisco Employee

You have not provided any useful information about the endpoint's 802.1X supplicant configuration nor the switch.

Please see How to Ask The Community for Help.

The Windows wired supplicant is disabled by default and it is unclear if you have enabled it and what behavior you configured.

image.pngimage.pngimage.png

Hi,

 

https://integratingit.wordpress.com/2011/11/17/configuring-cisco-switch-dot1x-authentication-with-windows-nps-radius/

 

For the wired see this basic configuration.

 

https://www.youtube.com/watch?v=ftC3NLPDgDo --> there is two part video you can go through the configuration how he has done the same.

Hi Nitesh,
Thanks for your post. I've reviewed both your posts and the first isn't using the IBNS 2.0. The second is using certificates to authenticate, which i'm looking wanting it to prompt for a password.

Hi,

 

Understand the concept the switch from certificate to username and password is the selection of Peap instead of using Certficate and the ISE policy where you say using PEAP as protocol and domain machine in the authorization to do the authentication.

Here is all of the configuration that i've done up to this point:

 

Switch configuration that is relevant:

aaa new-model
aaa group server radius NPS_SERVERS
server name NDC
aaa authentication login default local
aaa authentication enable default none
aaa authentication dot1x default group NPS_SERVERS
aaa authorization network default group NPS_SERVERS
aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group NPS_SERVERS
aaa server radius dynamic-author
client 192.168.0.10 server-key 7 password
aaa session-id common
match result-type aaa-timeout

!
policy-map type control subscriber TEST
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x priority 10

!

interface GigabitEthernet1/0/5
switchport access vlan 3
switchport mode access
access-session host-mode single-host
access-session port-control auto
dot1x pae authenticator
spanning-tree portfast
service-policy type control subscriber TEST

!

!
radius-server dead-criteria time 10 tries 3
!
radius server NDC
address ipv4 192.168.0.10 auth-port 1812 acct-port 1813
key 7 password

!

NPS Configuration

NPS_Config_LI.jpg

 

Endpoint NIC Conifg

NicConfig.PNG

 

The config looks ok. what happens when you connect to the laptop to the port?

 

is it still showing unknown?

 

try to run a debug aaa dot1x to see where it fails.

Debug aaa dot1x doesn't work on my switch.  Here is the debug dot1x all.   I've also included debug aaa authentication & debug aaa authorization at the bottom.

 

Jun 11 14:33:24 MST: dot1x-ev:[Gi1/0/36] Interface state changed to UP
Jun 11 14:33:24 MST: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/36
Jun 11 14:33:24 MST: dot1x_auth Gi1/0/36: initial state auth_initialize has enter
Jun 11 14:33:24 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023: initialising
Jun 11 14:33:24 MST: dot1x_auth Gi1/0/36: during state auth_initialize, got event 0(cfg_auto)
Jun 11 14:33:24 MST: @@@ dot1x_auth Gi1/0/36: auth_initialize -> auth_disconnected
Jun 11 14:33:24 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023: disconnected
Jun 11 14:33:24 MST: dot1x_auth Gi1/0/36: idle during state auth_disconnected
Jun 11 14:33:24 MST: @@@ dot1x_auth Gi1/0/36: auth_disconnected -> auth_restart
Jun 11 14:33:24 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023: entering restart
Jun 11 14:33:24 MST: dot1x-ev:[54e1.adad.2b35, Gi1/0/36] Sending create new context event to EAP for 0x0E000023 (54e1.adad.2b35)
Jun 11 14:33:24 MST: dot1x_auth_bend Gi1/0/36: initial state auth_bend_initialize has enter
Jun 11 14:33:24 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023: entering init state
Jun 11 14:33:24 MST: dot1x_auth_bend Gi1/0/36: initial state auth_bend_initialize has idle
Jun 11 14:33:24 MST: dot1x_auth_bend Gi1/0/36: during state auth_bend_initialize, got event 16383(idle)
Jun 11 14:33:24 MST: @@@ dot1x_auth_bend Gi1/0/36: auth_bend_initialize -> auth_bend_idle
Jun 11 14:33:24 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:entering idle state
Jun 11 14:33:24 MST: dot1x-ev:[54e1.adad.2b35, Gi1/0/36] Created a client entry (0x0E000023)
Jun 11 14:33:24 MST: dot1x-ev:[54e1.adad.2b35, Gi1/0/36] Dot1x authentication started for 0x0E000023 (54e1.adad.2b35)
Jun 11 14:33:24 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] Posting !EAP_RESTART on Client 0x0E000023
Jun 11 14:33:24 MST: dot1x_auth Gi1/0/36: during state auth_restart, got event 6(no_eapRestart)
Jun 11 14:33:24 MST: @@@ dot1x_auth Gi1/0/36: auth_restart -> auth_connecting
Jun 11 14:33:24 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:enter connecting state
Jun 11 14:33:24 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023: restart connecting
Jun 11 14:33:24 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] Posting RX_REQ on Client 0x0E000023
Jun 11 14:33:24 MST: dot1x_auth Gi1/0/36: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
Jun 11 14:33:24 MST: @@@ dot1x_auth Gi1/0/36: auth_connecting -> auth_authenticating
Jun 11 14:33:24 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023: authenticating state entered
Jun 11 14:33:24 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:connecting authenticating action
Jun 11 14:33:24 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] Posting AUTH_START for 0x0E000023
Jun 11 14:33:24 MST: dot1x_auth_bend Gi1/0/36: during state auth_bend_idle, got event 4(eapReq_authStart)
Jun 11 14:33:24 MST: @@@ dot1x_auth_bend Gi1/0/36: auth_bend_idle -> auth_bend_request
Jun 11 14:33:24 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:entering request state
Jun 11 14:33:24 MST: dot1x-ev:[0180.c200.0003, Gi1/0/36] Sending EAPOL packet to group PAE address
Jun 11 14:33:24 MST: dot1x-registry:registry:dot1x_ether_macaddr called
Jun 11 14:33:24 MST: dot1x-ev:[Gi1/0/36] Sending out EAPOL packet to MAC 0180.c200.0003
Jun 11 14:33:24 MST: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Jun 11 14:33:24 MST: dot1x-packet: length: 0x0005
Jun 11 14:33:24 MST: dot1x-packet:EAP code: 0x1 id: 0x1 length: 0x0005
Jun 11 14:33:24 MST: dot1x-packet: type: 0x1
Jun 11 14:33:24 MST: dot1x-packet:[54e1.adad.2b35, Gi1/0/36] EAPOL packet sent to client 0x0E000023
Jun 11 14:33:24 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:idle request action
Jun 11 14:33:24 MST: dot1x-packet:[54e1.adad.2b35, Gi1/0/36] Queuing an EAPOL pkt on Authenticator Q
Jun 11 14:33:24 MST: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Jun 11 14:33:24 MST: dot1x-packet: length: 0x000F
Jun 11 14:33:24 MST: dot1x-ev:[Gi1/0/36] Dequeued pkt: Int Gi1/0/36 CODE= 2,TYPE= 1,LEN= 15

Jun 11 14:33:24 MST: dot1x-ev:[Gi1/0/36] Received pkt saddr =54e1.adad.2b35 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.000f
Jun 11 14:33:24 MST: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Jun 11 14:33:24 MST: dot1x-packet: length: 0x000F
Jun 11 14:33:24 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] Posting EAPOL_EAP for 0x0E000023
Jun 11 14:33:24 MST: dot1x_auth_bend Gi1/0/36: during state auth_bend_request, got event 6(eapolEap)
Jun 11 14:33:24 MST: @@@ dot1x_auth_bend Gi1/0/36: auth_bend_request -> auth_bend_response
Jun 11 14:33:24 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:entering response state
Jun 11 14:33:24 MST: dot1x-ev:[54e1.adad.2b35, Gi1/0/36] Response sent to the server from 0x0E000023
Jun 11 14:33:24 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:request response action
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] Posting EAP_REQ for 0x0E000023
Jun 11 14:33:25 MST: dot1x_auth_bend Gi1/0/36: during state auth_bend_response, got event 7(eapReq)
Jun 11 14:33:25 MST: @@@ dot1x_auth_bend Gi1/0/36: auth_bend_response -> auth_bend_request
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:exiting response state
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:entering request state
Jun 11 14:33:25 MST: dot1x-ev:[0180.c200.0003, Gi1/0/36] Sending EAPOL packet to group PAE address
Jun 11 14:33:25 MST: dot1x-registry:registry:dot1x_ether_macaddr called
Jun 11 14:33:25 MST: dot1x-ev:[Gi1/0/36] Sending out EAPOL packet to MAC 0180.c200.0003
Jun 11 14:33:25 MST: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Jun 11 14:33:25 MST: dot1x-packet: length: 0x0006
Jun 11 14:33:25 MST: dot1x-packet:EAP code: 0x1 id: 0x2 length: 0x0006
Jun 11 14:33:25 MST: dot1x-packet: type: 0x19
Jun 11 14:33:25 MST: dot1x-packet:[54e1.adad.2b35, Gi1/0/36] EAPOL packet sent to client 0x0E000023
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:response request action
Jun 11 14:33:25 MST: dot1x-packet:[54e1.adad.2b35, Gi1/0/36] Queuing an EAPOL pkt on Authenticator Q
Jun 11 14:33:25 MST: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Jun 11 14:33:25 MST: dot1x-packet: length: 0x00A6
Jun 11 14:33:25 MST: dot1x-ev:[Gi1/0/36] Dequeued pkt: Int Gi1/0/36 CODE= 2,TYPE= 25,LEN= 166

Jun 11 14:33:25 MST: dot1x-ev:[Gi1/0/36] Received pkt saddr =54e1.adad.2b35 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.00a6
Jun 11 14:33:25 MST: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Jun 11 14:33:25 MST: dot1x-packet: length: 0x00A6
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] Posting EAPOL_EAP for 0x0E000023
Jun 11 14:33:25 MST: dot1x_auth_bend Gi1/0/36: during state auth_bend_request, got event 6(eapolEap)
Jun 11 14:33:25 MST: @@@ dot1x_auth_bend Gi1/0/36: auth_bend_request -> auth_bend_response
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:entering response state
Jun 11 14:33:25 MST: dot1x-ev:[54e1.adad.2b35, Gi1/0/36] Response sent to the server from 0x0E000023
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:request response action
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] Posting EAP_REQ for 0x0E000023
Jun 11 14:33:25 MST: dot1x_auth_bend Gi1/0/36: during state auth_bend_response, got event 7(eapReq)
Jun 11 14:33:25 MST: @@@ dot1x_auth_bend Gi1/0/36: auth_bend_response -> auth_bend_request
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:exiting response state
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:entering request state
Jun 11 14:33:25 MST: dot1x-ev:[0180.c200.0003, Gi1/0/36] Sending EAPOL packet to group PAE address
Jun 11 14:33:25 MST: dot1x-registry:registry:dot1x_ether_macaddr called
Jun 11 14:33:25 MST: dot1x-ev:[Gi1/0/36] Sending out EAPOL packet to MAC 0180.c200.0003
Jun 11 14:33:25 MST: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Jun 11 14:33:25 MST: dot1x-packet: length: 0x05D8
Jun 11 14:33:25 MST: dot1x-packet:EAP code: 0x1 id: 0x3 length: 0x05D8
Jun 11 14:33:25 MST: dot1x-packet: type: 0x19
Jun 11 14:33:25 MST: dot1x-packet:[54e1.adad.2b35, Gi1/0/36] EAPOL packet sent to client 0x0E000023
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:response request action
Jun 11 14:33:25 MST: dot1x-packet:[54e1.adad.2b35, Gi1/0/36] Queuing an EAPOL pkt on Authenticator Q
Jun 11 14:33:25 MST: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Jun 11 14:33:25 MST: dot1x-packet: length: 0x0006
Jun 11 14:33:25 MST: dot1x-ev:[Gi1/0/36] Dequeued pkt: Int Gi1/0/36 CODE= 2,TYPE= 25,LEN= 6

Jun 11 14:33:25 MST: dot1x-ev:[Gi1/0/36] Received pkt saddr =54e1.adad.2b35 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.0006
Jun 11 14:33:25 MST: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Jun 11 14:33:25 MST: dot1x-packet: length: 0x0006
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] Posting EAPOL_EAP for 0x0E000023
Jun 11 14:33:25 MST: dot1x_auth_bend Gi1/0/36: during state auth_bend_request, got event 6(eapolEap)
Jun 11 14:33:25 MST: @@@ dot1x_auth_bend Gi1/0/36: auth_bend_request -> auth_bend_response
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:entering response state
Jun 11 14:33:25 MST: dot1x-ev:[54e1.adad.2b35, Gi1/0/36] Response sent to the server from 0x0E000023
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:request response action
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] Posting EAP_REQ for 0x0E000023
Jun 11 14:33:25 MST: dot1x_auth_bend Gi1/0/36: during state auth_bend_response, got event 7(eapReq)
Jun 11 14:33:25 MST: @@@ dot1x_auth_bend Gi1/0/36: auth_bend_response -> auth_bend_request
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:exiting response state
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:entering request state
Jun 11 14:33:25 MST: dot1x-ev:[0180.c200.0003, Gi1/0/36] Sending EAPOL packet to group PAE address
Jun 11 14:33:25 MST: dot1x-registry:registry:dot1x_ether_macaddr called
Jun 11 14:33:25 MST: dot1x-ev:[Gi1/0/36] Sending out EAPOL packet to MAC 0180.c200.0003
Jun 11 14:33:25 MST: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Jun 11 14:33:25 MST: dot1x-packet: length: 0x0200
Jun 11 14:33:25 MST: dot1x-packet:EAP code: 0x1 id: 0x4 length: 0x0200
Jun 11 14:33:25 MST: dot1x-packet: type: 0x19
Jun 11 14:33:25 MST: dot1x-packet:[54e1.adad.2b35, Gi1/0/36] EAPOL packet sent to client 0x0E000023
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:response request action
Jun 11 14:33:25 MST: dot1x-packet:[54e1.adad.2b35, Gi1/0/36] Queuing an EAPOL pkt on Authenticator Q
Jun 11 14:33:25 MST: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Jun 11 14:33:25 MST: dot1x-packet: length: 0x00AF
Jun 11 14:33:25 MST: dot1x-ev:[Gi1/0/36] Dequeued pkt: Int Gi1/0/36 CODE= 2,TYPE= 25,LEN= 175

Jun 11 14:33:25 MST: dot1x-ev:[Gi1/0/36] Received pkt saddr =54e1.adad.2b35 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.00af
Jun 11 14:33:25 MST: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Jun 11 14:33:25 MST: dot1x-packet: length: 0x00AF
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] Posting EAPOL_EAP for 0x0E000023
Jun 11 14:33:25 MST: dot1x_auth_bend Gi1/0/36: during state auth_bend_request, got event 6(eapolEap)
Jun 11 14:33:25 MST: @@@ dot1x_auth_bend Gi1/0/36: auth_bend_request -> auth_bend_response
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:entering response state
Jun 11 14:33:25 MST: dot1x-ev:[54e1.adad.2b35, Gi1/0/36] Response sent to the server from 0x0E000023
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:request response action
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] Posting EAP_REQ for 0x0E000023
Jun 11 14:33:25 MST: dot1x_auth_bend Gi1/0/36: during state auth_bend_response, got event 7(eapReq)
Jun 11 14:33:25 MST: @@@ dot1x_auth_bend Gi1/0/36: auth_bend_response -> auth_bend_request
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:exiting response state
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:entering request state
Jun 11 14:33:25 MST: dot1x-ev:[0180.c200.0003, Gi1/0/36] Sending EAPOL packet to group PAE address
Jun 11 14:33:25 MST: dot1x-registry:registry:dot1x_ether_macaddr called
Jun 11 14:33:25 MST: dot1x-ev:[Gi1/0/36] Sending out EAPOL packet to MAC 0180.c200.0003
Jun 11 14:33:25 MST: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Jun 11 14:33:25 MST: dot1x-packet: length: 0x003D
Jun 11 14:33:25 MST: dot1x-packet:EAP code: 0x1 id: 0x5 length: 0x003D
Jun 11 14:33:25 MST: dot1x-packet: type: 0x19
Jun 11 14:33:25 MST: dot1x-packet:[54e1.adad.2b35, Gi1/0/36] EAPOL packet sent to client 0x0E000023
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:response request action
Jun 11 14:33:25 MST: dot1x-packet:[54e1.adad.2b35, Gi1/0/36] Queuing an EAPOL pkt on Authenticator Q
Jun 11 14:33:25 MST: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Jun 11 14:33:25 MST: dot1x-packet: length: 0x0006
Jun 11 14:33:25 MST: dot1x-ev:[Gi1/0/36] Dequeued pkt: Int Gi1/0/36 CODE= 2,TYPE= 25,LEN= 6

Jun 11 14:33:25 MST: dot1x-ev:[Gi1/0/36] Received pkt saddr =54e1.adad.2b35 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.0006
Jun 11 14:33:25 MST: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Jun 11 14:33:25 MST: dot1x-packet: length: 0x0006
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] Posting EAPOL_EAP for 0x0E000023
Jun 11 14:33:25 MST: dot1x_auth_bend Gi1/0/36: during state auth_bend_request, got event 6(eapolEap)
Jun 11 14:33:25 MST: @@@ dot1x_auth_bend Gi1/0/36: auth_bend_request -> auth_bend_response
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:entering response state
Jun 11 14:33:25 MST: dot1x-ev:[54e1.adad.2b35, Gi1/0/36] Response sent to the server from 0x0E000023
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:request response action
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] Posting EAP_REQ for 0x0E000023
Jun 11 14:33:25 MST: dot1x_auth_bend Gi1/0/36: during state auth_bend_response, got event 7(eapReq)
Jun 11 14:33:25 MST: @@@ dot1x_auth_bend Gi1/0/36: auth_bend_response -> auth_bend_request
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:exiting response state
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:entering request state
Jun 11 14:33:25 MST: dot1x-ev:[0180.c200.0003, Gi1/0/36] Sending EAPOL packet to group PAE address
Jun 11 14:33:25 MST: dot1x-registry:registry:dot1x_ether_macaddr called
Jun 11 14:33:25 MST: dot1x-ev:[Gi1/0/36] Sending out EAPOL packet to MAC 0180.c200.0003
Jun 11 14:33:25 MST: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Jun 11 14:33:25 MST: dot1x-packet: length: 0x0024
Jun 11 14:33:25 MST: dot1x-packet:EAP code: 0x1 id: 0x6 length: 0x0024
Jun 11 14:33:25 MST: dot1x-packet: type: 0x19
Jun 11 14:33:25 MST: dot1x-packet:[54e1.adad.2b35, Gi1/0/36] EAPOL packet sent to client 0x0E000023
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:response request action
Jun 11 14:33:25 MST: dot1x-packet:[54e1.adad.2b35, Gi1/0/36] Queuing an EAPOL pkt on Authenticator Q
Jun 11 14:33:25 MST: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Jun 11 14:33:25 MST: dot1x-packet: length: 0x002E
Jun 11 14:33:25 MST: dot1x-ev:[Gi1/0/36] Dequeued pkt: Int Gi1/0/36 CODE= 2,TYPE= 25,LEN= 46

Jun 11 14:33:25 MST: dot1x-ev:[Gi1/0/36] Received pkt saddr =54e1.adad.2b35 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.002e
Jun 11 14:33:25 MST: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Jun 11 14:33:25 MST: dot1x-packet: length: 0x002E
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] Posting EAPOL_EAP for 0x0E000023
Jun 11 14:33:25 MST: dot1x_auth_bend Gi1/0/36: during state auth_bend_request, got event 6(eapolEap)
Jun 11 14:33:25 MST: @@@ dot1x_auth_bend Gi1/0/36: auth_bend_request -> auth_bend_response
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:entering response state
Jun 11 14:33:25 MST: dot1x-ev:[54e1.adad.2b35, Gi1/0/36] Response sent to the server from 0x0E000023
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:request response action
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] Posting EAP_REQ for 0x0E000023
Jun 11 14:33:25 MST: dot1x_auth_bend Gi1/0/36: during state auth_bend_response, got event 7(eapReq)
Jun 11 14:33:25 MST: @@@ dot1x_auth_bend Gi1/0/36: auth_bend_response -> auth_bend_request
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:exiting response state
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:entering request state
Jun 11 14:33:25 MST: dot1x-ev:[0180.c200.0003, Gi1/0/36] Sending EAPOL packet to group PAE address
Jun 11 14:33:25 MST: dot1x-registry:registry:dot1x_ether_macaddr called
Jun 11 14:33:25 MST: dot1x-ev:[Gi1/0/36] Sending out EAPOL packet to MAC 0180.c200.0003
Jun 11 14:33:25 MST: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Jun 11 14:33:25 MST: dot1x-packet: length: 0x0033
Jun 11 14:33:25 MST: dot1x-packet:EAP code: 0x1 id: 0x7 length: 0x0033
Jun 11 14:33:25 MST: dot1x-packet: type: 0x19
Jun 11 14:33:25 MST: dot1x-packet:[54e1.adad.2b35, Gi1/0/36] EAPOL packet sent to client 0x0E000023
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:response request action
Jun 11 14:33:25 MST: dot1x-packet:[54e1.adad.2b35, Gi1/0/36] Queuing an EAPOL pkt on Authenticator Q
Jun 11 14:33:25 MST: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Jun 11 14:33:25 MST: dot1x-packet: length: 0x0033
Jun 11 14:33:25 MST: dot1x-ev:[Gi1/0/36] Dequeued pkt: Int Gi1/0/36 CODE= 2,TYPE= 25,LEN= 51

Jun 11 14:33:25 MST: dot1x-ev:[Gi1/0/36] Received pkt saddr =54e1.adad.2b35 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.0033
Jun 11 14:33:25 MST: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Jun 11 14:33:25 MST: dot1x-packet: length: 0x0033
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] Posting EAPOL_EAP for 0x0E000023
Jun 11 14:33:25 MST: dot1x_auth_bend Gi1/0/36: during state auth_bend_request, got event 6(eapolEap)
Jun 11 14:33:25 MST: @@@ dot1x_auth_bend Gi1/0/36: auth_bend_request -> auth_bend_response
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:entering response state
Jun 11 14:33:25 MST: dot1x-ev:[54e1.adad.2b35, Gi1/0/36] Response sent to the server from 0x0E000023
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:request response action
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] Posting EAP_REQ for 0x0E000023
Jun 11 14:33:25 MST: dot1x_auth_bend Gi1/0/36: during state auth_bend_response, got event 7(eapReq)
Jun 11 14:33:25 MST: @@@ dot1x_auth_bend Gi1/0/36: auth_bend_response -> auth_bend_request
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:exiting response state
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:entering request state
Jun 11 14:33:25 MST: dot1x-ev:[0180.c200.0003, Gi1/0/36] Sending EAPOL packet to group PAE address
Jun 11 14:33:25 MST: dot1x-registry:registry:dot1x_ether_macaddr called
Jun 11 14:33:25 MST: dot1x-ev:[Gi1/0/36] Sending out EAPOL packet to MAC 0180.c200.0003
Jun 11 14:33:25 MST: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Jun 11 14:33:25 MST: dot1x-packet: length: 0x003C
Jun 11 14:33:25 MST: dot1x-packet:EAP code: 0x1 id: 0x8 length: 0x003C
Jun 11 14:33:25 MST: dot1x-packet: type: 0x19
Jun 11 14:33:25 MST: dot1x-packet:[54e1.adad.2b35, Gi1/0/36] EAPOL packet sent to client 0x0E000023
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:response request action
Jun 11 14:33:25 MST: dot1x-packet:[54e1.adad.2b35, Gi1/0/36] Queuing an EAPOL pkt on Authenticator Q
Jun 11 14:33:25 MST: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Jun 11 14:33:25 MST: dot1x-packet: length: 0x0064
Jun 11 14:33:25 MST: dot1x-ev:[Gi1/0/36] Dequeued pkt: Int Gi1/0/36 CODE= 2,TYPE= 25,LEN= 100

Jun 11 14:33:25 MST: dot1x-ev:[Gi1/0/36] Received pkt saddr =54e1.adad.2b35 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.0064
Jun 11 14:33:25 MST: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Jun 11 14:33:25 MST: dot1x-packet: length: 0x0064
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] Posting EAPOL_EAP for 0x0E000023
Jun 11 14:33:25 MST: dot1x_auth_bend Gi1/0/36: during state auth_bend_request, got event 6(eapolEap)
Jun 11 14:33:25 MST: @@@ dot1x_auth_bend Gi1/0/36: auth_bend_request -> auth_bend_response
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:entering response state
Jun 11 14:33:25 MST: dot1x-ev:[54e1.adad.2b35, Gi1/0/36] Response sent to the server from 0x0E000023
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:request response action
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] Posting EAP_REQ for 0x0E000023
Jun 11 14:33:25 MST: dot1x_auth_bend Gi1/0/36: during state auth_bend_response, got event 7(eapReq)
Jun 11 14:33:25 MST: @@@ dot1x_auth_bend Gi1/0/36: auth_bend_response -> auth_bend_request
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:exiting response state
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:entering request state
Jun 11 14:33:25 MST: dot1x-ev:[0180.c200.0003, Gi1/0/36] Sending EAPOL packet to group PAE address
Jun 11 14:33:25 MST: dot1x-registry:registry:dot1x_ether_macaddr called
Jun 11 14:33:25 MST: dot1x-ev:[Gi1/0/36] Sending out EAPOL packet to MAC 0180.c200.0003
Jun 11 14:33:25 MST: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Jun 11 14:33:25 MST: dot1x-packet: length: 0x0052
Jun 11 14:33:25 MST: dot1x-packet:EAP code: 0x1 id: 0x9 length: 0x0052
Jun 11 14:33:25 MST: dot1x-packet: type: 0x19
Jun 11 14:33:25 MST: dot1x-packet:[54e1.adad.2b35, Gi1/0/36] EAPOL packet sent to client 0x0E000023
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:response request action
Jun 11 14:33:25 MST: dot1x-packet:[54e1.adad.2b35, Gi1/0/36] Queuing an EAPOL pkt on Authenticator Q
Jun 11 14:33:25 MST: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Jun 11 14:33:25 MST: dot1x-packet: length: 0x0025
Jun 11 14:33:25 MST: dot1x-ev:[Gi1/0/36] Dequeued pkt: Int Gi1/0/36 CODE= 2,TYPE= 25,LEN= 37

Jun 11 14:33:25 MST: dot1x-ev:[Gi1/0/36] Received pkt saddr =54e1.adad.2b35 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.0025
Jun 11 14:33:25 MST: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Jun 11 14:33:25 MST: dot1x-packet: length: 0x0025
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] Posting EAPOL_EAP for 0x0E000023
Jun 11 14:33:25 MST: dot1x_auth_bend Gi1/0/36: during state auth_bend_request, got event 6(eapolEap)
Jun 11 14:33:25 MST: @@@ dot1x_auth_bend Gi1/0/36: auth_bend_request -> auth_bend_response
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:entering response state
Jun 11 14:33:25 MST: dot1x-ev:[54e1.adad.2b35, Gi1/0/36] Response sent to the server from 0x0E000023
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:request response action
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] Posting EAP_REQ for 0x0E000023
Jun 11 14:33:25 MST: dot1x_auth_bend Gi1/0/36: during state auth_bend_response, got event 7(eapReq)
Jun 11 14:33:25 MST: @@@ dot1x_auth_bend Gi1/0/36: auth_bend_response -> auth_bend_request
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:exiting response state
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:entering request state
Jun 11 14:33:25 MST: dot1x-ev:[0180.c200.0003, Gi1/0/36] Sending EAPOL packet to group PAE address
Jun 11 14:33:25 MST: dot1x-registry:registry:dot1x_ether_macaddr called
Jun 11 14:33:25 MST: dot1x-ev:[Gi1/0/36] Sending out EAPOL packet to MAC 0180.c200.0003
Jun 11 14:33:25 MST: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Jun 11 14:33:25 MST: dot1x-packet: length: 0x006A
Jun 11 14:33:25 MST: dot1x-packet:EAP code: 0x1 id: 0xB length: 0x006A
Jun 11 14:33:25 MST: dot1x-packet: type: 0x19
Jun 11 14:33:25 MST: dot1x-packet:[54e1.adad.2b35, Gi1/0/36] EAPOL packet sent to client 0x0E000023
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:response request action
Jun 11 14:33:25 MST: dot1x-packet:[54e1.adad.2b35, Gi1/0/36] Queuing an EAPOL pkt on Authenticator Q
Jun 11 14:33:25 MST: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Jun 11 14:33:25 MST: dot1x-packet: length: 0x006A
Jun 11 14:33:25 MST: dot1x-ev:[Gi1/0/36] Dequeued pkt: Int Gi1/0/36 CODE= 2,TYPE= 25,LEN= 106

Jun 11 14:33:25 MST: dot1x-ev:[Gi1/0/36] Received pkt saddr =54e1.adad.2b35 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.006a
Jun 11 14:33:25 MST: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Jun 11 14:33:25 MST: dot1x-packet: length: 0x006A
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] Posting EAPOL_EAP for 0x0E000023
Jun 11 14:33:25 MST: dot1x_auth_bend Gi1/0/36: during state auth_bend_request, got event 6(eapolEap)
Jun 11 14:33:25 MST: @@@ dot1x_auth_bend Gi1/0/36: auth_bend_request -> auth_bend_response
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:entering response state
Jun 11 14:33:25 MST: dot1x-ev:[54e1.adad.2b35, Gi1/0/36] Response sent to the server from 0x0E000023
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:request response action
Jun 11 14:33:25 MST: dot1x-ev:[54e1.adad.2b35, Gi1/0/36] Received an EAP Fail
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] Posting EAP_FAIL for 0x0E000023
Jun 11 14:33:25 MST: dot1x_auth_bend Gi1/0/36: during state auth_bend_response, got event 10(eapFail)
Jun 11 14:33:25 MST: @@@ dot1x_auth_bend Gi1/0/36: auth_bend_response -> auth_bend_fail
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:exiting response state
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:entering fail state
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:response fail action
Jun 11 14:33:25 MST: dot1x_auth_bend Gi1/0/36: idle during state auth_bend_fail
Jun 11 14:33:25 MST: @@@ dot1x_auth_bend Gi1/0/36: auth_bend_fail -> auth_bend_idle
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:entering idle state
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] Posting AUTH_FAIL on Client 0x0E000023
Jun 11 14:33:25 MST: dot1x_auth Gi1/0/36: during state auth_authenticating, got event 15(authFail)
Jun 11 14:33:25 MST: @@@ dot1x_auth Gi1/0/36: auth_authenticating -> auth_authc_result
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:exiting authenticating state
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023:entering authc result state
Jun 11 14:33:25 MST: %DOT1X-5-FAIL: Authentication failed for client (54e1.adad.2b35) on Interface Gi1/0/36 AuditSessionID C0A800030000 00499A041BF9
Jun 11 14:33:25 MST: dot1x-packet:[54e1.adad.2b35, Gi1/0/36] Added username in dot1x
Jun 11 14:33:25 MST: dot1x-packet:[54e1.adad.2b35, Gi1/0/36] Dot1x did not receive any key data
Jun 11 14:33:25 MST: dot1x-ev:[54e1.adad.2b35, Gi1/0/36] Received Authz fail (result: 3) for the client 0x0E000023 (54e1.adad.2b35)
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] Posting_AUTHZ_FAIL on Client 0x0E000023
Jun 11 14:33:25 MST: dot1x_auth Gi1/0/36: during state auth_authc_result, got event 22(authzFail)
Jun 11 14:33:25 MST: @@@ dot1x_auth Gi1/0/36: auth_authc_result -> auth_held
Jun 11 14:33:25 MST: dot1x-sm:[54e1.adad.2b35, Gi1/0/36] 0x0E000023: held
Jun 11 14:33:25 MST: dot1x-ev:[0180.c200.0003, Gi1/0/36] Sending EAPOL packet to group PAE address
Jun 11 14:33:25 MST: dot1x-registry:registry:dot1x_ether_macaddr called
Jun 11 14:33:25 MST: dot1x-ev:[Gi1/0/36] Sending out EAPOL packet to MAC 0180.c200.0003
Jun 11 14:33:25 MST: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Jun 11 14:33:25 MST: dot1x-packet: length: 0x0004
Jun 11 14:33:25 MST: dot1x-packet:EAP code: 0x4 id: 0xB length: 0x0004
Jun 11 14:33:25 MST: dot1x-packet:[54e1.adad.2b35, Gi1/0/36] EAPOL packet sent to client 0x0E000023
Jun 11 14:33:26 MST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/36, changed state to up
Jun 11 14:33:27 MST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/36, changed state to up

 

Does this help at all? My expectation is that when i plug in the ethernet cable that it will prompt me credentials.  Am i correct in my assumption?

 

Jon

thomas
Cisco Employee
Cisco Employee

It depends on your endpoint supplicant configuration.

One of the options should be for it to automatically provide the user's login credentials:

image.png

If you have this checked it will NOT prompt for the username/password!

Hi Thomas,

 

Thanks so much for replying. I've unchecked that hoping that it will prompt for a username and password and it still doesn't.

 

Do you have any other thoughts. Have you seen IBNS 2.0 work with Microsoft NPS server before?  I literally can only find configurations with ISE or using non IBNS 2.0 configurations.

 

Thanks,

 

Jon