Could I get a second pair of eyes on this switch configuration?
I'm setting up a 2960X (WS-C2960XR-48LPD-I) with IOS image c2960x-universalk9-mz.152-3.E2 for ISE-based wired authentication. I have all the global commands in place, my RADIUS server (ISE 1.4) is reachable, and the RADIUS shared secret is verified at both ends. A RADIUS server test from the CLI returns successful results. An EAPOL test of the supplicant returns success as well.
I get no 802.1x action on the port though. Am I missing something obvious or hitting a bug? I thought I'd ask here before opening a TAC case.
#sh authentication sessions int gi1/0/36 det
No sessions match supplied criteria.
#sh int gi1/0/36 status
Port      Name                Status       Vlan       Duplex  Speed   Type
Gi1/0/36  ISE Test - Jack #B  connected    1          a-full  a-1000  10/100/1000BaseTX
#
#dot1x test eapol-capable int gi1/0/36
#
014057: Oct 23 16:49:49 EDT: %DOT1X-6-INFO_EAPOL_PING_RESPONSE: The interface Gi1/0/36 has an 802.1x capable client with MAC 28d2.4492.bc6f
#

#sh run | i system-auth
dot1x system-auth-control
#
#sh run | sec radius server
radius server <redacted>
 address ipv4 <redacted> auth-port 1812 acct-port 1813
 automate-tester username isetest
 key 7 <redacted>
#sh run | sec aaa
aaa new-model
aaa group server radius ISE
 server name <redacted>
aaa authentication enable default enable
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
aaa server radius dynamic-author
 client <redacted> server-key 7 <redacted>
aaa session-id common
#
#sh run int gi1/0/36
Current configuration : 636 bytes
!
interface GigabitEthernet1/0/36
 description ISE Test - Jack #B7 in Workroom
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 53
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
end
Thanks Jan - I think I figured it out. I was turning it over in my head on the drive home.
This particular customer has a lot of ports in VLAN 1 (yes, I know, not a best practice, but it's a brownfield and I'm not at liberty to change everything just yet). So those ports (including the one I was testing with) did not have
switchport access vlan 1
...as they default to VLAN 1
Lack of that command causes the RADIUS authentication sequence to never kick off, which is why I saw nothing at all when I had turned on the debugs. (I tried both aaa auth and radius debugs.)
I went in remotely just now and put the same commands I was using on my test port on a port that had a printer connected, plus I hard set VLAN 1 on it. I checked the authentication session for that port (and the radius debug) and, voila, we have a session.
It's a hard habit to break to set "switchport access vlan 1"; but I guess the couple hours I spent banging my head on this one will reinforce the lesson. :)
Weekend - time for a break!
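As an added example (not code from any post in this thread): a short Python audit that walks a saved `show run`, finds access ports with 802.1X/MAB enabled, and flags those with no explicit `switchport access vlan` line, which is the condition described in the post above. The running-config sample it parses is constructed for the example and the function names are my own.

```python
import re

# Constructed sample: an abbreviated "show run" with two 802.1X edge ports,
# one of which is missing the explicit access-VLAN command.
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet1/0/36
 description ISE Test - Jack #B7 in Workroom
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/37
 description Printer
 switchport mode access
 switchport access vlan 1
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/48
 description Uplink
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Split an IOS running-config into {interface name: [indented sub-commands]}."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the stanza
    return interfaces

def ports_missing_access_vlan(config):
    """Return access ports running 802.1X/MAB that never state 'switchport access vlan'."""
    flagged = []
    for name, cmds in parse_interfaces(config).items():
        is_auth_port = any(c.startswith("authentication port-control") or c == "dot1x pae authenticator" for c in cmds)
        is_access = "switchport mode access" in cmds
        has_vlan = any(c.startswith("switchport access vlan ") for c in cmds)
        if is_auth_port and is_access and not has_vlan:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    for port in ports_missing_access_vlan(SAMPLE_RUNNING_CONFIG):
        print(f"{port}: 802.1X configured but no explicit 'switchport access vlan' line")
```

Feed it the output of `show running-config` saved to a file to list every port on the switch with the same gap before it becomes a head-scratcher.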
I was going to suggest something similar.
Had a customer whose switch was doing something similar. Turned out the 2960 (I don't remember which IOS version, 12.2 possibly) needed the switchport command, and then authentications were fine.
I missed the fact there was no switchport access vlan command on your snippet!
Some of our Windows 10 workstations have been having authentication issues since the 1903 upgrade. Do you know of any more sources of information on this topic? https://support.microsoft.com/en-gb/help/3121002/windows-10-devices-can-t-connect-to-an-802-1x-environment?