Missing Something Obvious for 802.1x?

Marvin Rhoads
VIP Community Legend

Could I get a second pair of eyes on this switch configuration?

I'm setting up a 2960X (WS-C2960XR-48LPD-I) with IOS image c2960x-universalk9-mz.152-3.E2 for ISE-based wired authentication. I have all the global commands, my RADIUS server (ISE 1.4) is reachable, and the RADIUS shared secret is verified at both ends. A RADIUS server test from the CLI returns successful results. An EAPOL test of the supplicant returns success as well.

I get no 802.1x action on the port though. Am I missing something obvious or hitting a bug? I thought I'd ask here before opening a TAC case.


#sh authentication sessions int gi1/0/36 det
No sessions match supplied criteria.
#sh int gi1/0/36 status

Port      Name               Status       Vlan       Duplex  Speed Type 
Gi1/0/36  ISE Test - Jack #B connected    1          a-full a-1000 10/100/1000BaseTX
#

#dot1x test eapol-capable int gi1/0/36
#
014057: Oct 23 16:49:49 EDT: %DOT1X-6-INFO_EAPOL_PING_RESPONSE: The interface Gi1/0/36 has an 802.1x capable client with MAC 28d2.4492.bc6f
#


#sh run | i system-auth
dot1x system-auth-control
#

#sh run | sec radius server
radius server <redacted>
 address ipv4 <redacted> auth-port 1812 acct-port 1813
 automate-tester username isetest
 key 7 <redacted>
#sh run | sec aaa          
aaa new-model
aaa group server radius ISE
 server name <redacted>
aaa authentication enable default enable
aaa authentication dot1x default group ISE
aaa authorization network default group ISE 
aaa accounting dot1x default start-stop group ISE
aaa server radius dynamic-author
 client <redacted> server-key 7 <redacted>
aaa session-id common
#
#sh run int gi1/0/36
Current configuration : 636 bytes
!
interface GigabitEthernet1/0/36
 description ISE Test - Jack #B7 in Workroom
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 53
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
end
6 Replies

jan.nielsen
Rising star

Seems fine to me. Did you try a simple debug aaa authentication/authorization, or debug radius if that gives you no output?

Thanks Jan - I think I figured it out. I was turning it over in my head on the drive home.

This particular customer has a lot of ports in VLAN 1 (yes I know - not a best practice but it's a brownfield and I'm not at liberty to change everything just yet). So those ports (including the one I was testing with) did not have

switchport access vlan 1

...as they default to VLAN 1

Lack of that command causes the RADIUS authentication sequence to never kick off - which is why I saw nothing at all when I had turned on the debugs. (I tried both aaa auth and radius debugs.)

I went in remotely just now and put the same commands I was using on my test port on a port that had a printer connected, plus I hard-set VLAN 1 on it. I checked the authentication session for that port (and the radius debug) and - voila - we have a session.

It's a hard habit to break to set "switchport access vlan 1"; but I guess the couple hours I spent banging my head on this one will reinforce the lesson. :)

Weekend - time for a break!
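Given the root cause described above (an 802.1X port left on the implicit VLAN 1 never starts a session on this platform), here is a small config-audit script, added here as an example and not code from the thread, that scans an IOS running-config for access ports running 802.1X/MAB without an explicit 'switchport access vlan' line. The sample config it parses is constructed for the example.

```python
import re

# Constructed sample running-config (not the thread's real config): Gi1/0/35
# has an explicit access VLAN, Gi1/0/36 relies on the VLAN 1 default, and
# Gi1/0/52 is a trunk uplink with no authentication configured.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/35
 switchport mode access
 switchport access vlan 1
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/36
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/52
 switchport mode trunk
!
"""

INTERFACE_RE = re.compile(r"^interface (\S+)")

def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Split an IOS running-config into {interface name: [its indented lines]}."""
    interfaces: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        m = INTERFACE_RE.match(raw)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces

def find_ports_missing_access_vlan(config: str) -> list[str]:
    """Access ports running 802.1X/MAB with no explicit 'switchport access vlan'."""
    flagged = []
    for name, lines in parse_interfaces(config).items():
        is_auth_port = "authentication port-control auto" in lines
        is_access = "switchport mode access" in lines
        has_vlan = any(l.startswith("switchport access vlan ") for l in lines)
        if is_auth_port and is_access and not has_vlan:
            flagged.append(name)  # candidate for the symptom seen in this thread
    return flagged
```

Run it against the output of 'show running-config' saved to a file; every port it lists is worth checking with 'show authentication sessions' before opening a TAC case.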


I was going to suggest something similar.

Had a customer whose switch was doing something similar. Turned out the 2960 (I don't remember which IOS version, 12.2 possibly) needed the switchport command, and then authentications were fine.

I missed the fact there was no switchport access vlan command on your snippet!

Hi Marvin,


Could you elaborate why, when the command 'switchport access vlan 1' is missing from a switchport, RADIUS authentication never starts? Why is it required to have a port explicitly in a VLAN?

Thanks for the info.


Br,

Dario

lionwala012
Beginner

Thank you for sharing with us, and we sincerely hope you will continue to update or post other articles.


saadqazi3452837
Beginner

Some of our Windows 10 workstations have been having authentication issues since the 1903 upgrade. Do you know of any more sources of information on this topic? https://support.microsoft.com/en-gb/help/3121002/windows-10-devices-can-t-connect-to-an-802-1x-environment?
