NAC not working

KayChan
Level 1

Hi All,

I have deployed the following settings on this switch.

However, the switch log mentions it fails to connect to the NAC.

Does anyone have any ideas?

Thanks,

Kay

----------------------------------------------------------------------------------------

 

aaa new-model
!
!
aaa group server radius NACSvr
 server name HKGNAC0001
!
aaa authentication dot1x default group NACSvr
aaa authorization network default group NACSvr
aaa accounting dot1x default start-stop group NACSvr
aaa accounting system default start-stop group NACSvr
!
!
!
aaa server radius dynamic-author
 client 192.168.97.100 server-key 7 03055908575D72
!
!
!
aaa session-id common

authentication mac-move permit

dot1x system-auth-control

interface GigabitEthernet2/0/11
 description MeetingRm1-D55
 switchport access vlan 150
 switchport mode access
 authentication event fail retry 4 action authorize vlan 300
 authentication event server dead action authorize vlan 150
 authentication event no-response action authorize vlan 300
 authentication order mab
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 mab
 spanning-tree portfast

ip radius source-interface Vlan150

radius server HKGNAC0001
 address ipv4 192.168.97.100 auth-port 1812 acct-port 1813
 key 7 094D4C0A485744

 

 

==================================================================================
LOG
==================================================================================

Log Buffer (4096 bytes):
c 13 02:05:02.618: AUTH-SYNC: [00e0.4cf0.d72f, Gi2/0/11] Added addr attribute data
Dec 13 02:05:02.618: AUTH-SYNC: [Gi2/0/11] Adjust length before sending MPM from 4012 to 44
Dec 13 02:05:02.618: AUTH-SYNC: [00e0.4cf0.d72f, Gi2/0/11] Synced add/update addr for 0xB2000028 (single-value key)
Dec 13 02:05:02.622: AUTH-EVENT: [00e0.4cf0.d72f, Gi2/0/11] Single update event is posted from Session Mgr IPDT Shim
Dec 13 02:05:02.622: AUTH-EVENT: [00e0.4cf0.d72f, Gi2/0/11] Received internal event SINGLE_ID_UPDATE (handle 0xB2000028)
Dec 13 02:05:02.622: AUTH-SYNC: [Gi2/0/11] Add sync event feature 0 tag 14, size 8
Dec 13 02:05:02.622: AUTH-SYNC: [Gi2/0/11] Add sync event feature 0 tag 15, size 8 + 12 (MPM)
Dec 13 02:05:02.622: AUTH-SYNC: [00e0.4cf0.d72f, Gi2/0/11] Added addr attribute data
Dec 13 02:05:02.622: AUTH-SYNC: [Gi2/0/11] Adjust length before sending MPM from 4012 to 44
Dec 13 02:05:02.622: AUTH-SYNC: [00e0.4cf0.d72f, Gi2/0/11] Synced add/update addr for 0xB2000028 (single-value key)
Dec 13 02:05:04.453: RADIUS(00000000): Request timed out!
Dec 13 02:05:04.453: RADIUS: acct-timeout for 1ECAFFA8 now 15, acct-jitter 0, acct-delay-time (at 1ECB009D) now 15
Dec 13 02:05:04.453: RADIUS: Retransmit to (192.168.97.100:1812,1813) for id 1646/243
Dec 13 02:05:04.457: RADIUS(00000000): Started 5 sec timeout
Dec 13 02:05:09.494: RADIUS(00000000): Request timed out!
Dec 13 02:05:09.494: RADIUS: acct-timeout for 1ECAFFA8 now 20, acct-jitter 0, acct-delay-time (at 1ECB009D) now 20
Dec 13 02:05:09.494: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.97.100:1812,1813 is not responding.
Dec 13 02:05:09.494: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.97.100:1812,1813 is being marked alive.
Dec 13 02:05:09.497: RADIUS: No response from (192.168.97.100:1812,1813) for id 1646/243
Dec 13 02:05:09.497: %RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message Start for session 00000037 failed to receive Accounting Response.
Dec 13 02:05:09.497: AUTH-EVENT: Raising ext evt AAA Available (5) on session 0xB2000028, client (unknown) (0), hdl 0x00000000, attr_list 0x00000000
Dec 13 02:05:09.497: AUTH-EVENT: [00e0.4cf0.d72f, Gi2/0/11] Handling external PRE event AAA Available for context 0xB2000028.
Dec 13 02:05:09.501: RADIUS/DECODE: No response from radius-server; parse response; FAIL
Dec 13 02:05:09.501: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
Dec 13 02:05:09.501: AUTH-EVENT: Auth-mgr aaa_acct_reply
Dec 13 02:05:12.416: %SW_MATM-4-MACFLAP_NOTIF: Host 0015.5d96.0702 in vlan 150 is flapping between port Gi1/0/41 and port Gi2/0/44
Dec 13 02:05:14.817: %SW_MATM-4-MACFLAP_NOTIF: Host 0015.5d96.8100 in vlan 150 is flapping between port Gi1/0/41 and port Gi2/0/44
Dec 13 02:05:14.869: %SW_MATM-4-MACFLAP_NOTIF: Host 0015.5d96.8103 in vlan 150 is flapping between port Gi1/0/41 and port Gi2/0/44
Dec 13 02:05:18.333: AAA/AUTHOR: auth_need : user= 'aedas' ruser= 'BJSSTK0001'rem_addr= '192.168.98.82' priv= 15 list= '' AUTHOR-TYPE= 'commands'
Dec 13 02:05:29.025: %SW_MATM-4-MACFLAP_NOTIF: Host 0015.5d96.8100 in vlan 150 is flapping between port Gi1/0/41 and port Gi2/0/44
Dec 13 02:05:29.493: AUTH-EVENT: [00e0.4cf0.d72f, Gi2/0/11] Single update event is posted from Session Mgr IPDT Shim
Dec 13 02:05:29.497: AUTH-EVENT: [00e0.4cf0.d72f, Gi2/0/11] Received internal event SINGLE_ID_UPDATE (handle 0xB2000028)
Dec 13 02:05:29.497: AUTH-SYNC: [Gi2/0/11] Add sync event feature 0 tag 14, size 8
Dec 13 02:05:29.497: AUTH-SYNC: [Gi2/0/11] Add sync event feature 0 tag 15, size 8 + 12 (MPM)
Dec 13 02:05:29.497: AUTH-SYNC: [00e0.4cf0.d72f, Gi2/0/11] Added addr attribute data
Dec 13 02:05:29.497: AUTH-SYNC: [Gi2/0/11] Adjust length before sending MPM from 4012 to 44
Dec 13 02:05:29.497: AUTH-SYNC: [00e0.4cf0.d72f, Gi2/0/11] Synced add/update addr for 0xB2000028 (single-value key)
Dec 13 02:05:32.548: %SW_MATM-4-MACFLAP_NOTIF: Host 0015.5d96.8103 in vlan 150 is flapping between port Gi1/0/41 and port Gi2/0/44
Dec 13 02:05:33.656: %SW_MATM-4-MACFLAP_NOTIF: Host 0015.5d96.0702 in vlan 150 is flapping between port Gi1/0/41 and port Gi2/0/44
BJSSTK0001# ping 192.168.97.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.97.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 45/48/53 ms
BJSSTK0001#

1 Reply

KayChan
Level 1

Dec 13 02:27:57.032: RADIUS(00000000): Config NAS IPv6: ::
Dec 13 02:27:57.032: RADIUS(00000000): sending
Dec 13 02:27:57.032: RADIUS(00000000): Send Access-Request to 192.168.97.100:1812 id 1645/42, len 267
Dec 13 02:27:57.032: RADIUS: authenticator 56 B5 18 F7 DC CC 9E 88 - E8 4D 44 32 D6 D4 74 96
Dec 13 02:27:57.032: RADIUS: User-Name [1] 14 "00e04cf0d72f"
Dec 13 02:27:57.032: RADIUS: User-Password [2] 18 *
Dec 13 02:27:57.032: RADIUS: Service-Type [6] 6 Call Check [10]
Dec 13 02:27:57.032: RADIUS: Vendor, Cisco [26] 31
Dec 13 02:27:57.032: RADIUS: Cisco AVpair [1] 25 "service-type=Call Check"
Dec 13 02:27:57.036: RADIUS: Framed-MTU [12] 6 1500
Dec 13 02:27:57.036: RADIUS: Called-Station-Id [30] 19 "00-56-2B-FE-01-0B"
Dec 13 02:27:57.036: RADIUS: Calling-Station-Id [31] 19 "00-E0-4C-F0-D7-2F"
Dec 13 02:27:57.036: RADIUS: Message-Authenticato[80] 18
Dec 13 02:27:57.036: RADIUS: 45 A9 9B DD 6B D6 55 05 25 87 8D 81 32 BA 2F D5 [ EkU?2/]
Dec 13 02:27:57.036: RADIUS: EAP-Key-Name [102] 2 *
Dec 13 02:27:57.036: RADIUS: Vendor, Cisco [26] 49
Dec 13 02:27:57.036: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A89602000000553B8D5AD9"
Dec 13 02:27:57.036: RADIUS: Vendor, Cisco [26] 18
Dec 13 02:27:57.036: RADIUS: Cisco AVpair [1] 12 "method=mab"
Dec 13 02:27:57.036: RADIUS: Framed-IP-Address [8] 6 192.168.150.151
Dec 13 02:27:57.036: RADIUS: NAS-IP-Address [4] 6 192.168.150.2
Dec 13 02:27:57.036: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet2/0/11"
Dec 13 02:27:57.036: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Dec 13 02:27:57.036: RADIUS: NAS-Port [5] 6 50211
Dec 13 02:27:57.036: RADIUS(00000000): Sending a IPv4 Radius Packet
Dec 13 02:27:57.036: RADIUS(00000000): Started 5 sec timeout
Dec 13 02:27:57.109: RADIUS(00000000): Request timed out!
Dec 13 02:27:57.109: RADIUS: acct-timeout for 1E00978C now 10, acct-jitter 0, acct-delay-time (at 1E0098A5) now 10
Dec 13 02:27:57.109: RADIUS: Retransmit to (192.168.97.100:1812,1813) for id 1646/16
Dec 13 02:27:57.113: RADIUS(00000000): Started 5 sec timeout
Dec 13 02:27:58.815: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/11, changed state to up
Dec 13 02:27:59.815: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/11, changed state to up
Dec 13 02:28:02.076: RADIUS(00000000): Request timed out!
Dec 13 02:28:02.076: RADIUS: Retransmit to (192.168.97.100:1812,1813) for id 1645/42
Dec 13 02:28:02.076: RADIUS(00000000): Started 5 sec timeout
Dec 13 02:28:02.149: RADIUS(00000000): Request timed out!
Dec 13 02:28:02.149: RADIUS: acct-timeout for 1E00978C now 15, acct-jitter 0, acct-delay-time (at 1E0098A5) now 15
Dec 13 02:28:02.149: RADIUS: Retransmit to (192.168.97.100:1812,1813) for id 1646/17
Dec 13 02:28:02.153: RADIUS(00000000): Started 5 sec timeout
Dec 13 02:28:03.750: %SW_MATM-4-MACFLAP_NOTIF: Host 0015.5d96.0702 in vlan 150 is flapping between port Gi2/0/44 and port Gi1/0/41
Dec 13 02:28:07.109: RADIUS(00000000): Request timed out!
Dec 13 02:28:07.109: RADIUS: Retransmit to (192.168.97.100:1812,1813) for id 1645/42
Dec 13 02:28:07.113: RADIUS(00000000): Started 5 sec timeout
Dec 13 02:28:07.190: RADIUS(00000000): Request timed out!
Dec 13 02:28:07.190: RADIUS: acct-timeout for 1E00978C now 20, acct-jitter 0, acct-delay-time (at 1E0098A5) now 20
Dec 13 02:28:07.193: RADIUS: No response from (192.168.97.100:1812,1813) for id 1646/17
Dec 13 02:28:07.193: %RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message Stop for session 00000039 failed to receive Accounting Response.
Dec 13 02:28:07.193: RADIUS/DECODE: No response from radius-server; parse response; FAIL
Dec 13 02:28:07.193: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
Dec 13 02:28:07.193: AUTH-EVENT: Auth-mgr aaa_acct_reply
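
An added example, not part of the original thread: a small triage script that groups `debug radius` lines like the ones posted above by request id, counts retransmits, flags requests that never received a reply, and collects the NAS-IP-Address the switch put in its requests. The function names and the "Received from id" reply pattern are assumptions of this example; no reply line appears in the posted log.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines taken from the debug output posted above.
SAMPLE = """\
Dec 13 02:27:57.032: RADIUS(00000000): Send Access-Request to 192.168.97.100:1812 id 1645/42, len 267
Dec 13 02:27:57.036: RADIUS: NAS-IP-Address [4] 6 192.168.150.2
Dec 13 02:27:57.109: RADIUS: Retransmit to (192.168.97.100:1812,1813) for id 1646/16
Dec 13 02:28:02.076: RADIUS: Retransmit to (192.168.97.100:1812,1813) for id 1645/42
Dec 13 02:28:02.149: RADIUS: Retransmit to (192.168.97.100:1812,1813) for id 1646/17
Dec 13 02:28:07.109: RADIUS: Retransmit to (192.168.97.100:1812,1813) for id 1645/42
Dec 13 02:28:07.193: RADIUS: No response from (192.168.97.100:1812,1813) for id 1646/17
"""

SEND = re.compile(r"Send (\S+) to (\S+?):\d+ id (\d+/\d+)")
RETX = re.compile(r"Retransmit to \((\S+?):[\d,]+\) for id (\d+/\d+)")
NORESP = re.compile(r"No response from \((\S+?):[\d,]+\) for id (\d+/\d+)")
# Assumption: a reply is logged as "Received from id <port>/<id> ..."; none is in the posted log.
RECV = re.compile(r"Received from id (\d+/\d+)")
NAS_IP = re.compile(r"NAS-IP-Address\s+\[4\]\s+\d+\s+(\S+)")

def summarize(log_text):
    """Return ({request id: counters}, {NAS-IP-Address values}) for a debug radius log."""
    tx = defaultdict(lambda: {"sent": 0, "retransmits": 0, "answered": False, "gave_up": False})
    nas_ips = set()
    for line in log_text.splitlines():
        if m := SEND.search(line):
            tx[m.group(3)]["sent"] += 1
        elif m := RETX.search(line):
            tx[m.group(2)]["retransmits"] += 1
        elif m := NORESP.search(line):
            tx[m.group(2)]["gave_up"] = True
        elif m := RECV.search(line):
            tx[m.group(1)]["answered"] = True
        elif m := NAS_IP.search(line):
            nas_ips.add(m.group(1))
    return dict(tx), nas_ips

def unanswered(tx):
    """Request ids for which no reply line was seen."""
    return sorted(rid for rid, t in tx.items() if not t["answered"])

if __name__ == "__main__":
    tx, nas_ips = summarize(SAMPLE)
    print("NAS-IP-Address values:", sorted(nas_ips))
    for rid in unanswered(tx):
        print(rid, tx[rid])
```

Requests that are retransmitted and then abandoned while ICMP to the same address succeeds are consistent with UDP 1812/1813 being filtered on the path, or with the server silently discarding the request, which RFC 2865 requires when the request comes from a client the server holds no shared secret for.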