02-16-2022 04:06 AM - edited 02-16-2022 06:54 AM
Dear colleagues,
I built a setup in my lab to check the functionality of dot1x. The scheme looks like this:
supplicant (win7) - (port gi1/0/1) cisco 2960x - ISE (virtual PAN + PSN) - MS AD (as external identity source).
At this moment dot1x does not work, supplicant fails to authenticate.
So I took a tcpdump on the supplicant side, and I see that it has EAP requests from the switch and responses from the supplicant. So I suppose everything works OK on this part. On the 2960x, in the logs I see
Feb 16 11:27:30.722: %DOT1X-5-FAIL: Authentication failed for client (f0de.f1cc.ae56) on Interface Gi1/0/1 AuditSessionID 0A00BF060000002B1446C0C8
Feb 16 11:28:43.126: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.0.191.240:1812,1813 is not responding.
Feb 16 11:28:43.126: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.0.191.240:1812,1813 is being marked alive.
The messages about DEAD\LIVE RADIUS appear when the supplicant sends an EAP response.
So I took tcpdump on the ISE.
I see there, that 2960x sends radius requests, but ISE responds with ICMP unreachable messages "Destination unreachable (3), port unreachable(3)". I tried to use 1812 and 1645 ports on the 2960x side, but the behaviour is still the same.
The ip connectivity between ISE and 2960x is OK, I can ping in both directions.
I attached printscreens of the tcpdump.
IP addresses are
2960x - 10.0.191.6
ISE - 10.0.191.240
supplicant PC - 10.0.191.243
What could be the problem here?
Could the lack of the configuration on the ISE be the cause?
Update - I was mistaken with the IP address of the PSN on the switch, I specified PAN instead.
02-16-2022 06:56 AM
Update - I was mistaken with the IP address of the PSN on the switch, I specified PAN instead.
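Added example, not part of the original thread: a small probe that separates the two failure modes seen above, an ICMP port unreachable (no RADIUS listener on that IP, as with the PAN address here) versus a silent drop (a listener or filter that ignores the packet). The function names are hypothetical, and it assumes Linux-style delivery of ICMP errors to connected UDP sockets.

```python
import os
import socket
import struct
import sys


def radius_header(code=1, ident=0):
    """Minimal 20-byte RADIUS header (RFC 2865): code, id, length, authenticator.

    It carries no attributes and no valid Message-Authenticator, so a real
    RADIUS server is expected to drop it silently. That is enough here: the
    goal is only to learn whether anything is bound to the UDP port.
    """
    return struct.pack("!BBH", code, ident, 20) + os.urandom(16)


def probe_radius(host, port=1812, timeout=2.0):
    """Return 'reply', 'port-unreachable' or 'no-reply' for host:port/UDP."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.settimeout(timeout)
        # connect() on UDP makes the kernel hand ICMP errors back to us.
        s.connect((host, port))
        s.send(radius_header())
        s.recv(4096)
        return "reply"
    except (ConnectionRefusedError, ConnectionResetError):
        # ICMP type 3 code 3: the node is up but nothing listens on the port.
        return "port-unreachable"
    except socket.timeout:
        # Dropped silently: a RADIUS service rejecting the packet, or a filter.
        return "no-reply"
    finally:
        s.close()


if __name__ == "__main__":
    # Usage: python3 probe.py <candidate-radius-ip> [<another-ip> ...]
    for target in sys.argv[1:]:
        for udp_port in (1812, 1645):
            print(target, udp_port, probe_radius(target, udp_port))
```

A "port-unreachable" result for the address configured on the switch means that node does not run the RADIUS service, so the switch should point at the PSN instead.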