Missing Something Obvious for 802.1x?

Marvin Rhoads
Hall of Fame

Could I get a second pair of eyes on this switch configuration?

I'm setting up a 2960X (WS-C2960XR-48LPD-I) with IOS image c2960x-universalk9-mz.152-3.E2 for ISE-based wired authentication. I have all the global commands and my RADIUS server (ISE 1.4) is reachable and RADIUS shared secret is verified at both ends. A RADIUS server test from the cli returns successful results. EAPOL test of the supplicant returns success as well.

I get no 802.1x action on the port though. Am I missing something obvious or hitting a bug? I thought I'd ask here before opening a TAC case.


#sh authentication sessions int gi1/0/36 det
No sessions match supplied criteria.
#sh int gi1/0/36 status

Port      Name               Status       Vlan       Duplex  Speed Type 
Gi1/0/36  ISE Test - Jack #B connected    1          a-full a-1000 10/100/1000BaseTX
#

#dot1x test eapol-capable int gi1/0/36
#
014057: Oct 23 16:49:49 EDT: %DOT1X-6-INFO_EAPOL_PING_RESPONSE: The interface Gi1/0/36 has an 802.1x capable client with MAC 28d2.4492.bc6f
#


#sh run | i system-auth
dot1x system-auth-control
#

#sh run | sec radius server
radius server <redacted>
 address ipv4 <redacted> auth-port 1812 acct-port 1813
 automate-tester username isetest
 key 7 <redacted>
#sh run | sec aaa          
aaa new-model
aaa group server radius ISE
 server name <redacted>
aaa authentication enable default enable
aaa authentication dot1x default group ISE
aaa authorization network default group ISE 
aaa accounting dot1x default start-stop group ISE
aaa server radius dynamic-author
 client <redacted> server-key 7 <redacted>
aaa session-id common
#
#sh run int gi1/0/36
Current configuration : 636 bytes
!
interface GigabitEthernet1/0/36
 description ISE Test - Jack #B7 in Workroom
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 53
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
end
6 Replies

jan.nielsen
Level 7

Seems fine to me, did you try a simple debug aaa authentication/authorization? or debug radius if that gives you no output?

Thanks Jan - I think I figured it out. I was turning it over in my head on the drive home.

This particular customer has a lot of ports in VLAN 1 (yes I know - not a best practice but it's a brownfield and I'm not at liberty to change everything just yet). So those ports (including the one I was testing with) did not have

switchport access vlan 1

...as they default to VLAN 1

Lack of that command causes the RADIUS authentication sequence to never kick off - which is why I saw nothing at all when I had turned on the debugs. (I tried both aaa auth and radius debugs.)

I went in remotely just now and put the same commands I was using on my test port plus I hard set the VLAN 1 on a port that had a printer connected. I checked the authentication session for that port (and the radius debug) and - voila - we have a session.

It's a hard habit to break to set "switchport access vlan 1"; but I guess the couple hours I spent banging my head on this one will reinforce the lesson. :)

Weekend - time for a break!
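A config audit for the gap Marvin describes, added here as an example and not part of the thread: it parses an IOS-style running-config (a constructed sample, not the poster's switch) and lists ports that enforce 802.1X/MAB with "authentication port-control auto" but carry no explicit "switchport access vlan" line.

```python
import re

# Constructed sample running-config excerpt, modelled on the port in the thread:
# one authenticating port without an explicit access VLAN, one with it set,
# and one plain access port with no authentication at all.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/36
 description ISE Test - Jack #B7 in Workroom
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/37
 switchport mode access
 switchport access vlan 1
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/38
 switchport mode access
!
"""

def parse_interfaces(config):
    """Split an IOS running-config into {interface_name: [sub-commands]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces

def ports_missing_access_vlan(config):
    """Return authenticating ports that lack an explicit 'switchport access vlan N'."""
    flagged = []
    for name, lines in parse_interfaces(config).items():
        enforces_auth = any(l.startswith("authentication port-control auto") for l in lines)
        has_vlan = any(re.match(r"switchport access vlan \d+$", l) for l in lines)
        if enforces_auth and not has_vlan:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    for port in ports_missing_access_vlan(SAMPLE_CONFIG):
        print(f"{port}: authentication enabled but no explicit access VLAN")
```

Feed it the output of "show running-config" to find every port that may sit silently in the state this thread describes.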


I was going to suggest something similar.

Had a customer whose switch was doing something similar. Turned out the 2960 (I don't remember which IOS version, 12.2 possibly) needed the switchport command and then authentications were fine.

I missed the fact there was no switchport access vlan command on your snippet!

Hi Marvin,


Could you elaborate why, when the command 'switchport access vlan 1' is missing from a switchport, RADIUS authentication never starts? Why is it required to have a port explicitly in a VLAN?

Thanks for the info.


Br,

Dario

lionwala012
Level 1

Thank you for sharing with us, and we sincerely hope you will continue to update or post other articles.


saadqazi3452837
Level 1

Some of our Windows 10 workstations have been having authentication issues since the 1903 upgrade. Do you know of any more sources of information on this topic? https://support.microsoft.com/en-gb/help/3121002/windows-10-devices-can-t-connect-to-an-802-1x-environment?
