10-23-2015 01:58 PM - edited 03-10-2019 11:10 PM
Could I get a second pair of eyes on this switch configuration?
I'm setting up a 2960X (WS-C2960XR-48LPD-I) with IOS image c2960x-universalk9-mz.152-3.E2 for ISE-based wired authentication. I have all the global commands, my RADIUS server (ISE 1.4) is reachable, and the RADIUS shared secret is verified at both ends. A RADIUS server test from the CLI returns successful results. An EAPOL test of the supplicant returns success as well.
I get no 802.1x action on the port though. Am I missing something obvious or hitting a bug? I thought I'd ask here before opening a TAC case.
#sh authentication sessions int gi1/0/36 det
No sessions match supplied criteria.
#sh int gi1/0/36 status
Port      Name                Status     Vlan  Duplex  Speed   Type
Gi1/0/36  ISE Test - Jack #B  connected  1     a-full  a-1000  10/100/1000BaseTX
#
#dot1x test eapol-capable int gi1/0/36
#
014057: Oct 23 16:49:49 EDT: %DOT1X-6-INFO_EAPOL_PING_RESPONSE: The interface Gi1/0/36 has an 802.1x capable client with MAC 28d2.4492.bc6f
#

#sh run | i system-auth
dot1x system-auth-control
#
#sh run | sec radius server
radius server <redacted>
 address ipv4 <redacted> auth-port 1812 acct-port 1813
 automate-tester username isetest
 key 7 <redacted>
#sh run | sec aaa
aaa new-model
aaa group server radius ISE
 server name <redacted>
aaa authentication enable default enable
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
aaa server radius dynamic-author
 client <redacted> server-key 7 <redacted>
aaa session-id common
#
#sh run int gi1/0/36
Current configuration : 636 bytes
!
interface GigabitEthernet1/0/36
 description ISE Test - Jack #B7 in Workroom
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 53
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
end
10-23-2015 04:59 PM
Seems fine to me. Did you try a simple debug aaa authentication/authorization, or debug radius if that gives you no output?
10-23-2015 05:25 PM
Thanks Jan - I think I figured it out. I was turning it over in my head on the drive home.
This particular customer has a lot of ports in VLAN 1 (yes I know - not a best practice but it's a brownfield and I'm not at liberty to change everything just yet). So those ports (including the one I was testing with) did not have
switchport access vlan 1
...as they default to VLAN 1
Lack of that command causes the RADIUS authentication sequence to never kick off, which is why I saw nothing at all when I had turned on the debugs. (I tried both aaa auth and radius debugs.)
I went in remotely just now and put the same commands I was using on my test port plus I hard set the VLAN 1 on a port that had a printer connected. I checked the authentication session for that port (and the radius debug) and - voila - we have a session.
It's a hard habit to break, setting "switchport access vlan 1", but I guess the couple of hours I spent banging my head on this one will reinforce the lesson. :)
Weekend - time for a break!
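Since the symptom above is a port that silently never starts 802.1X, an audit of the running-config for ports that enable dot1x/MAB but carry no "switchport access vlan" line is the check worth scripting. This is an added example, not code from the thread; the SAMPLE_RUN text is a constructed running-config modelled on the port config posted above, and the parser assumes standard IOS "show run" indentation (interface sub-commands indented by one space, blocks ended by "!").

```python
import re

# Constructed sample of "show run" output (not captured from the original post):
# one port lacks "switchport access vlan", one has it, one does no 802.1X at all.
SAMPLE_RUN = """\
interface GigabitEthernet1/0/36
 description ISE Test - Jack #B7 in Workroom
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/37
 switchport access vlan 1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/38
 switchport mode access
!
"""

def parse_interfaces(running_config):
    """Return {interface name: [sub-command lines]} from IOS running-config text."""
    interfaces, current = {}, None
    for line in running_config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def ports_missing_access_vlan(running_config):
    """Interfaces that run 802.1X/MAB but never state their access VLAN explicitly."""
    findings = []
    for name, lines in parse_interfaces(running_config).items():
        does_auth = any(l.startswith("authentication port-control") or l == "dot1x pae authenticator" for l in lines)
        has_vlan = any(re.match(r"switchport access vlan \d+$", l) for l in lines)
        if does_auth and not has_vlan:
            findings.append(name)
    return findings

if __name__ == "__main__":
    for port in ports_missing_access_vlan(SAMPLE_RUN):
        print(f"{port}: 802.1X/MAB configured but no 'switchport access vlan' line")
```

Feed it the output of "show run" saved from the switch to list every port to revisit before you start a debug session.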
11-06-2015 05:00 AM
I was going to suggest something similar.
Had a customer whose switch was doing something similar. Turned out the 2960 (I don't remember which IOS version, 12.2 possibly) needed the switchport command, and then authentications were fine.
I missed the fact there was no switchport access vlan command on your snippet!
06-11-2018 04:52 AM
Hi Marvin,
Could you elaborate why, when the command 'switchport access vlan 1' is missing from a switchport, RADIUS authentication never starts? Why is it required to have a port explicitly in a VLAN?
Thanks for the info.
Br,
Dario
03-15-2022 02:56 AM
Thank you for sharing with us, and we sincerely hope you will continue to update or post other articles.
03-16-2022 08:09 AM - edited 03-18-2022 06:32 AM
Some of our Windows 10 workstations have been having authentication issues since the 1903 upgrade. Do you know of any more sources of information on this topic? https://support.microsoft.com/en-gb/help/3121002/windows-10-devices-can-t-connect-to-an-802-1x-environment?