09-03-2014 03:16 PM - edited 03-10-2019 09:59 PM
When authenticating using 802.1x and MAB, I receive an authentication failure with the error 11007 (Could not locate Network Device or AAA Client). The root cause that ISE spits back at me is "Could not find the network device or the AAA Client while accessing NAS by IP during authentication." I did pretty much everything by the book except instead of using a loopback interface I used a vlan with a defined ip address. Could this be causing the problem?
Here is the config of the port that I'm testing on:
interface GigabitEthernet1/0/9
switchport access vlan 9
switchport mode access
switchport voice vlan 8
ip access-group ACL-ALLOW in
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
authentication event fail action next-method
authentication event server dead action reinitialize vlan 4
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 10
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
end
09-21-2014 02:57 PM
Whatever IP address you entered in ISE when adding this switch must match the IP address of the interface configured under your "ip radius source-interface" command. In your first post you said that you are using an SVI for this, but in your later post I can see that your Radius packets are being sourced from "interface TenGigabitEthernet1/0/1". Double-check this and make sure things match.
If you do have Loopback interface configured then it is highly recommended that you use it to source such services from it (Radius, TACACS+, SNMP, Syslog, etc).
Thank you for rating helpful posts!
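A small check, added here as an example (not code from the thread or from Cisco), that reads an IOS config for the "ip radius source-interface" line, looks up that interface's address, and compares it with the IP the NAD was registered with in ISE. The interface addresses in the sample config are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample IOS config (placeholder addresses): RADIUS is sourced
# from TenGigabitEthernet1/0/1, while the NAD was added to ISE using the
# SVI address of Vlan 9, the mismatch described in the thread.
SAMPLE_CONFIG = """
interface Vlan9
 ip address 10.10.9.2 255.255.255.0
interface TenGigabitEthernet1/0/1
 ip address 10.10.100.2 255.255.255.252
ip radius source-interface TenGigabitEthernet1/0/1
radius-server host 10.10.10.47 auth-port 1812 acct-port 1813
"""

def parse_interface_ips(config):
    """Map interface name -> IPv4 address from 'interface X' blocks."""
    ips = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s+ip address (\S+) (\S+)", line)
        if m and current:
            ips[current] = m.group(1)
    return ips

def radius_source_interface(config):
    """Interface named in 'ip radius source-interface', or None."""
    m = re.search(r"^ip radius source-interface (\S+)", config, re.M)
    return m.group(1) if m else None

def check_nas_ip(config, ise_nad_ip):
    """Return (ok, detail). ISE matches the NAD by the source address of the
    Access-Request, i.e. the RADIUS source interface's IP."""
    src = radius_source_interface(config)
    ips = parse_interface_ips(config)
    if src is None:
        return False, "no 'ip radius source-interface'; NAS IP follows the egress interface"
    if src not in ips:
        return False, f"source interface {src} has no IP address configured"
    actual = ipaddress.ip_address(ips[src])
    if actual != ipaddress.ip_address(ise_nad_ip):
        return False, f"ISE NAD IP {ise_nad_ip} != {src} address {actual}"
    return True, f"{src} address {actual} matches the ISE NAD entry"
```

Run check_nas_ip(SAMPLE_CONFIG, "10.10.9.2") to reproduce the mismatch and check_nas_ip(SAMPLE_CONFIG, "10.10.100.2") for the matching case.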
09-03-2014 06:58 PM
A few troubleshooting questions...
Is that vlan accessible/reachable by ISE?
Can you ping it?
Are you allowing ISE to speak snmp and RADIUS to the NAD?
Do the snmp passwords match?
09-04-2014 09:52 AM
I can ping both the vlan and the endpoint from the ISE. As far as allowing ISE to speak snmp and RADIUS to the NAD, I have enabled it on the NAD config inside the ISE. I have also double checked the snmp and radius shared passwords.
I have gotten MAB authentication to work but I am still getting the same error for dot1x authentication. Here are some of the configs on the switch.
aaa new-model
aaa authentication dot1x default group radius
aaa authentication dot1x defualt group radius
aaa authentication dot1x group group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
aaa session-id common
ip radius source-interface TenGigabitEthernet1/0/1
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 10.10.10.47 auth-port 1812 acct-port 1813 test username test key 7 097940581F5412162B464D
radius-server vsa send accounting
radius-server vsa send authentication
dot1x system-auth-control
authentication order dot1x mab
authentication priority dot1x mab
dot1x pae authenticator
dot1x timeout tx-period 10
09-18-2014 07:32 PM
This happens when there is a mismatch between the device IP and the NAS IP.