05-05-2010 12:09 PM - edited 03-10-2019 05:07 PM
I have an old JetDirect that doesn't support 802.1x. I have enabled MAB on the port where it connects, but for some reason MAB fails. I enabled dot1x debug and will paste the output in a few here. I know my dot1x config is good. I have clients authenticating via RADIUS to my ACS server. I also have another port using MAB, not a JetDirect though; both ports are configured identically. From the debugs, it seems that the switch can't glean the MAC of the JetDirect. Any ideas? This is a 3750 with 12.2(44)SE2. I've tried to shut/no shut the interface and reset the JetDirect; nothing seems to work. I see no requests on my ACS server for this device's MAC address.
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.168.x.x auth-port 1645 acct-port 1646
interface FastEthernet2/0/31
description A002 White
switchport access vlan 112
switchport mode access
switchport voice vlan 800
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
dot1x mac-auth-bypass eap
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-domain
dot1x violation-mode restrict
dot1x timeout tx-period 2
dot1x timeout supp-timeout 10
spanning-tree portfast
spanning-tree bpduguard enable
012729: May 5 14:51:31.672: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
012730: May 5 14:51:32.586: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0/31, changed state to up
012731: May 5 14:51:33.727: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
012732: May 5 14:51:33.727: dot1x-sm:Posting EAP_REQ on Client=4219220
012733: May 5 14:51:33.727: dot1x_auth_bend Fa2/0/31: during state auth_bend_request, got event 7(eapReq)
012734: May 5 14:51:33.727: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_request ->auth_bend_request
012735: May 5 14:51:33.727: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_request_action called
012736: May 5 14:51:33.727: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_enter called
012737: May 5 14:51:33.727: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1 data:
012738: May 5 14:51:33.727: dot1x-ev:FastEthernet2/0/31:Sending EAPOL packet to group PAE address
012739: May 5 14:51:33.727: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet2/0/31.
012740: May 5 14:51:33.727: dot1x-registry:registry:dot1x_ether_macaddr called
012741: May 5 14:51:33.727: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet2/0/31
012742: May 5 14:51:33.727: EAPOL pak dump Tx
012743: May 5 14:51:33.727: EAPOL Version: 0x2 type: 0x0 length: 0x0005
012744: May 5 14:51:33.727: EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1
012745: May 5 14:51:33.727: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
012746: May 5 14:51:35.791: dot1x-ev:Received an EAP Timeout on FastEthernet2/0/31 for mac 0000.0000.0000
012747: May 5 14:51:35.791: dot1x-sm:Posting EAP_TIMEOUT on Client=4219220
012748: May 5 14:51:35.791: dot1x_auth_bend Fa2/0/31: during state auth_bend_request, got event 12(eapTimeout)
012749: May 5 14:51:35.791: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_request ->auth_bend_timeout
012750: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_timeout_enter called
012751: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_timeout_action called
012752: May 5 14:51:35.791: dot1x_auth_bend Fa2/0/31: idle during state auth_bend_timeout
012753: May 5 14:51:35.791: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_timeout ->auth_bend_idle
012754: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_idle_enter called
012755: May 5 14:51:35.791: dot1x-sm:Posting AUTH_TIMEOUT on Client=4219220
012756: May 5 14:51:35.791: dot1x_auth Fa2/0/31: during state auth_authenticating, got event 15(authTimeout)
012757: May 5 14:51:35.791: @@@ dot1x_auth Fa2/0/31: auth_authenticating -> auth_fallback
012758: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_authenticating_exit called
012759: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_fallback_enter called
012760: May 5 14:51:35.791: dot1x_auth_mab : initial state mab_initialize has enter
012761: May 5 14:51:35.791: dot1x_auth_mab : during state mab_initialize, got event 2(mabStart)
012762: May 5 14:51:35.791: @@@ dot1x_auth_mab : mab_initialize -> mab_acquiring
012763: May 5 14:53:08.831: dot1x_auth_mab : during state mab_acquiring, got event 3(mabResult) (ignored)
HQ_1stFlr_3750#sh dot1x int fa2/0/31 det
Dot1x Info for FastEthernet2/0/31
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = MULTI_DOMAIN
Violation Mode = RESTRICT
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 10
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 2
RateLimitPeriod = 0
Mac-Auth-Bypass = Enabled (EAP)
Inactivity Timeout = None
Dot1x Authenticator Client List Empty
Port Status = UNAUTHORIZED
05-10-2010 08:23 AM
Is this JetDirect card using DHCP to get an IP address? If not, then the JetDirect will not generate any outbound traffic for the switch to authenticate. To test this, use the front panel of the printer to send out a ping packet and see if that triggers the MAB.
05-10-2010 08:25 AM
Hello,
TAC resolved this for me. Your thoughts are exactly what they told me. I changed control-direction to inbound ("dot1x control-direction in"), and that let the MAB work.
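An added example, not part of the original thread: a Python check over the dot1x debug output that flags the condition discussed above, MAB waiting in mab_acquiring while every MAC address in the log is 0000.0000.0000. The function names and result keys are hypothetical; the sample lines are copied from the debug output in the first post.

```python
import re

# Excerpt of the debug output quoted in the first post of this thread.
SAMPLE = """\
012758: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_authenticating_exit called
012761: May 5 14:51:35.791: dot1x_auth_mab : during state mab_initialize, got event 2(mabStart)
012762: May 5 14:51:35.791: @@@ dot1x_auth_mab : mab_initialize -> mab_acquiring
012763: May 5 14:53:08.831: dot1x_auth_mab : during state mab_acquiring, got event 3(mabResult) (ignored)
"""

STAMP = re.compile(r"^\d+: \w{3} +\d+ ([\d:.]+): (.*)$")
TRANSITION = re.compile(r"@@@ (\w+) [\w/]*\s*:\s*\w+\s*->\s*(\w+)")
MAC = re.compile(r"\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b", re.I)
NULL_MAC = "0000.0000.0000"


def seconds(clock):
    """Convert HH:MM:SS.mmm to seconds; assumes the log does not cross midnight."""
    h, m, s = clock.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def diagnose(log):
    """Report whether MAB is waiting in mab_acquiring without a learned source MAC."""
    macs, mab_state, entered, waited = set(), None, None, 0.0
    for line in log.splitlines():
        m = STAMP.match(line.strip())
        if not m:
            continue
        clock, body = m.groups()
        macs.update(x.lower() for x in MAC.findall(body))
        t = TRANSITION.search(body)
        if t and t.group(1) == "dot1x_auth_mab":
            # Track the MAB state machine only; remember when acquisition began.
            mab_state = t.group(2)
            entered = seconds(clock) if mab_state == "mab_acquiring" else None
        elif entered is not None and "dot1x_auth_mab" in body:
            waited = max(waited, seconds(clock) - entered)
    learned = sorted(macs - {NULL_MAC})
    return {
        "learned_macs": learned,
        "mab_state": mab_state,
        "seconds_acquiring": round(waited, 2),
        "no_source_mac_seen": mab_state == "mab_acquiring" and not learned,
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A true `no_source_mac_seen` together with an empty RADIUS log for the device matches the situation in this thread: the switch has no frame from the endpoint to build a MAB request from.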