Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4379
Views
0
Helpful
12
Replies

ise aaa with Cisco Switch in EVE-NG

abdelmoulamarhabi1
Level 1
Level 1

‎04-29-2020 07:00 PM - last edited on ‎05-02-2020 09:55 PM by Cisco Employee

Hi,

 

I hope that u are doing good.

I installed  a windows 7  in vmware workstation and  i instaled a switch cisco in EVE-NG.

The purpose is to authenticate windows wired card with the cisco ise that also installed in vmware.

Result : Ping between windows 7 and switch  work correctly but when a activate 802.1x in wired card i dont receive any think in a switch console when a activate a debug command (like any information that send to switch).

Can u please help me to resolve that issue?

 

Labels:
0 Helpful
12 Replies 12

Francesco Molino
VIP Alumni
VIP Alumni

‎04-29-2020 07:58 PM

Hi

How did you configure your Windows supplicant?
What's the switch port configuration?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

abdelmoulamarhabi1
Level 1
Level 1
In response to Francesco Molino

‎04-30-2020 04:47 AM

Hi,

Thank u for your reply.

You’ll find attached   supplicant configuration.

 

Switch port configuration :

switchport mode access
duplex auto
authentication host-mode multi-auth
authentication port-control auto

mab
dot1x pae authenticator
spanning-tree portfast

 

Thank you.

Preview file
14 KB
Preview file
23 KB
Preview file
18 KB
0 Helpful

abdelmoulamarhabi1
Level 1
Level 1
In response to abdelmoulamarhabi1

‎04-30-2020 05:27 AM

hi,

 

I add the logs that i received in switch :

*Apr 30 12:26:10.759: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Et0/1 AuditSessionID 0A010202000000020030647C
*Apr 30 12:26:10.759: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Et0/1 AuditSessionID 0A010202000000020030647C
*Apr 30 12:26:10.759: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Et0/1 AuditSessionID 0A010202000000020030647C
*Apr 30 12:26:10.759: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Et0/1 AuditSessionID 0A010202000000020030647C
Switch(config-if)#
*Apr 30 12:26:10.759: %AUTHMGR-5-FAIL: Authorization failed for client (Unknown MAC) on Interface Et0/1 AuditSessionID 0A010202000000020030647C

0 Helpful

Mike.Cifelli
VIP Alumni
VIP Alumni
In response to abdelmoulamarhabi1

‎04-30-2020 06:27 AM

Is your end goal to do user, computer, or both for authentication? I see you have the native supplicant set to user auth. If trying to just do comp then switch that to computer auth only. Also, are you trying to perform mab, dot1x, or enable both? If both try setting up dot1x order and priority. Ex:
#authentication order mab dot1x
#authentication priority dot1x mab
Test with the tweaked settings. Good luck & HTH!
0 Helpful

abdelmoulamarhabi1
Level 1
Level 1
In response to Mike.Cifelli

‎04-30-2020 12:07 PM

thank's for your answer.

However i tested with tweak  setting but i had the same behavior(don't work).

My end goal is to authenticate user and computer.

 

I tried to test with network card just to assume that all work correctly.

 

Thank's

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to abdelmoulamarhabi1

‎04-30-2020 07:26 PM

What switch model are you using and which ios are you running?

When the pc is connected on the switch and these logs are shown, if you run check on the port, do you see the mac address learned?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

poongarg
Cisco Employee
Cisco Employee
In response to Francesco Molino

‎04-30-2020 07:31 PM

Kindly provide the "sh tech" output from the switch.
0 Helpful

abdelmoulamarhabi1
Level 1
Level 1
In response to Francesco Molino

‎04-30-2020 07:43 PM

Hi,

 

Thank u to find attached show version and show tech.

 

When i delete radius configuration in the port switch and i ping switch from pc it can learn mac address.But when i configure radius in port i can't ping switch,  i can't autenticate PC and i can't learn mac adresse.

 

Thank you.

 

Preview file
7 KB
0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to abdelmoulamarhabi1

‎04-30-2020 08:24 PM

You're running the IOL image, I missed that part.
The best way would be to create a windows pc image within EVE and not outside to make sure the mac address is forwarded to your virtual switch

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

poongarg
Cisco Employee
Cisco Employee
In response to abdelmoulamarhabi1

‎04-30-2020 08:38 PM

Please take a packet capture on your PC, it looks like the PC is not responding for any EAPoL:EAP Request-identity frame or not receiving any.
0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to poongarg

‎04-30-2020 08:44 PM

I'm not sure the vmware workstation will be able to pass it on an another virtual environment that is running a virtual switch. That's why I asked to try building a eve-ng windows host. This use case will work.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Osman Salah
Level 1
Level 1

‎11-08-2020 01:18 AM

  Try To Remove check under Verify servers to validate the  EAP certificate if you are not using certificate-based authentication.

 

 

 

Please Rate if it helpful for you 

 

 

DOT.PNG

0 Helpful
Customers Also Viewed These Support Documents