02-19-2023 09:48 AM
I'm setting up a lab environment and having issue getting my test workstation to authenticate using 802.1x. When I used the native Windows supplicant EAP-TLS., I hit the correct policies and auth profile on the first attempt. However, after some time the authentication on the Ethernet in the Windows settings changes to "authorization failed" and the live logs stop. I recently downloaded AnyConnect to the machine and set it up to use EAP-FAST with certs (I have a Windows server with AD and CA set up and confirmed the workstation has a user and machine cert). Now the machine is not sending any EAP requests to the switch at all and I'm seeing nothing in the live logs. Here is my switch config. Since the native supplicant works initially, the ISE policies and configuration should be correct. The issue could possibly be with the supplicant machine or CA server but I can't find any relevant Windows events that help me troubleshoot. Please let me know if you need any other information.
SW-1#show run aaa
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
aaa accounting update newinfo periodic 2880
username admin password 0 Passw0rd
username radius-test secret 5 $1$JYWP$eXOEEfumPqK0GcKUrENNa/
!
!
!
!
aaa server radius dynamic-author
client ise ip server-key Passw0rd
auth-type any
!
!
radius server ISE-1
address ipv4 ise ip auth-port 1812 acct-port 1813
timeout 3
key Passw0rd
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
!
aaa group server radius ISE
server name ISE-1
ip radius source-interface Vlan1
!
!
!
aaa new-model
aaa session-id common
!
interface GigabitEthernet1/0/35
switchport access vlan 10
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 10
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 3
spanning-tree portfast edge
end
02-19-2023 11:00 AM
i would start with the basic config on the port (build advanced level once all working as expected) - what is the content of ACL-ALLOW ?
Also, enable debug on the switch (if you do not see logs in PC or ISE)
below example help you :
02-19-2023 11:34 AM - edited 02-19-2023 11:46 AM
Extended IP access list ACL-ALLOW
10 permit ip any any
Here is the debug for dot1x and authentication
SW-1#
Feb 19 19:44:00.784: dot1x-ev:AAA auth ready returns Unknown error 0, result = TRUE
Feb 19 19:44:00.784: dot1x_auth Gi1/0/35: initial state auth_initialize has enter
Feb 19 19:44:00.784: dot1x-sm:[00d8.6162.4665, Gi1/0/35] 0x90000104: initialising
Feb 19 19:44:00.784: dot1x_auth Gi1/0/35: during state auth_initialize, got event 0(cfg_auto)
Feb 19 19:44:00.784: @@@ dot1x_auth Gi1/0/35: auth_initialize -> auth_disconnected
Feb 19 19:44:00.784: dot1x-sm:[00d8.6162.4665, Gi1/0/35] 0x90000104: disconnected
Feb 19 19:44:00.784: dot1x_auth Gi1/0/35: idle during state auth_disconnected
Feb 19 19:44:00.784: @@@ dot1x_auth Gi1/0/35: auth_disconnected -> auth_restart
Feb 19 19:44:00.784: dot1x-sm:[00d8.6162.4665, Gi1/0/35] 0x90000104: entering restart
Feb 19 19:44:00.784: dot1x-ev:[00d8.6162.4665, Gi1/0/35] Sending create new context event to EAP for 0x90000104 (00d8.6162.4665)
Feb 19 19:44:00.784: dot1x_auth_bend Gi1/0/35: initial state auth_bend_initialize has enter
Feb 19 19:44:00.784: dot1x-sm:[00d8.6162.4665, Gi1/0/35] 0x90000104: entering init state
Feb 19 19:44:00.784: dot1x_auth_bend Gi1/0/35: initial state auth_bend_initialize has idle
Feb 19 19:44:00.784: dot1x_auth_bend Gi1/0/35: during state auth_bend_initialize, got event 16383(idle)
Feb 19 19:44:00.784: @@@ dot1x_auth_bend Gi1/0/35: auth_bend_initialize -> auth_bend_idle
Feb 19 19:44:00.784: dot1x-sm:[00d8.6162.4665, Gi1/0/35] 0x90000104:entering idle state
Feb 19 19:44:00.784: dot1x-ev:[00d8.6162.4665, Gi1/0/35] Created a client entry (0x90000104)
Feb 19 19:44:00.784: dot1x-ev:[00d8.6162.4665, Gi1/0/35] Dot1x authentication started for 0x90000104 (00d8.6162.4665)
Feb 19 19:44:00.784: dot1x-sm:[00d8.6162.4665, Gi1/0/35] Posting !EAP_RESTART on Client 0x90000104
Feb 19 19:44:00.784: dot1x_auth Gi1/0/35: during state auth_restart, got event 6(no_eapRestart)
Feb 19 19:44:00.784: @@@ dot1x_auth Gi1/0/35: auth_restart -> auth_connecting
Feb 19 19:44:00.784: dot1x-sm:[00d8.6162.4665, Gi1/0/35] 0x90000104:enter connecting state
Feb 19 19:44:00.784: dot1x-sm:[00d8.6162.4665, Gi1/0/35] 0x90000104: restart connecting
Feb 19 19:44:00.784: dot1x-sm:[00d8.6162.4665, Gi1/0/35] Posting RX_REQ on Client 0x90000104
Feb 19 19:44:00.792: dot1x_auth Gi1/0/35: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
Feb 19 19:44:00.792: @@@ dot1x_auth Gi1/0/35: auth_connecting -> auth_authenticating
Feb 19 19:44:00.792: dot1x-sm:[00d8.6162.4665, Gi1/0/35] 0x90000104: authenticating state entered
Feb 19 19:44:00.792: dot1x-sm:[00d8.6162.4665, Gi1/0/35] 0x90000104:connecting authenticating action
Feb 19 19:44:00.792: dot1x-sm:[00d8.6162.4665, Gi1/0/35] Posting AUTH_START for 0x90000104
Feb 19 19:44:00.792: dot1x_auth_bend Gi1/0/35: during state auth_bend_idle, got event 4(eapReq_authStart)
Feb 19 19:44:00.792: @@@ dot1x_auth_bend Gi1/0/35: auth_bend_idle -> auth_bend_request
Feb 19 19:44:00.792: dot1x-sm:[00d8.6162.4665, Gi1/0/35] 0x90000104:entering request state
Feb 19 19:44:00.792: dot1x-ev:[00d8.6162.4665, Gi1/0/35] Sending EAPOL packet
Feb 19 19:44:00.792: dot1x-registry:registry:dot1x_ether_macaddr called
Feb 19 19:44:00.792: dot1x-ev:[00d8.6162.4665, Gi1/0/35] Sending out EAPOL packet to MAC 00d8.6162.4665
SW-1#
Feb 19 19:44:00.792: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Feb 19 19:44:00.792: dot1x-packet: length: 0x0005
Feb 19 19:44:00.792: dot1x-packet:EAP code: 0x1 id: 0x1 length: 0x0005
Feb 19 19:44:00.792: dot1x-packet: type: 0x1
Feb 19 19:44:00.792: dot1x-packet:[00d8.6162.4665, Gi1/0/35] EAPOL packet sent to client 0x90000104
Feb 19 19:44:00.792: dot1x-sm:[00d8.6162.4665, Gi1/0/35] 0x90000104:idle request action
SW-1#
Feb 19 19:44:03.862: dot1x-sm:[00d8.6162.4665, Gi1/0/35] Posting EAP_REQ for 0x90000104
Feb 19 19:44:03.862: dot1x_auth_bend Gi1/0/35: during state auth_bend_request, got event 7(eapReq)
Feb 19 19:44:03.862: @@@ dot1x_auth_bend Gi1/0/35: auth_bend_request -> auth_bend_request
Feb 19 19:44:03.862: dot1x-sm:[00d8.6162.4665, Gi1/0/35] 0x90000104:request request action
Feb 19 19:44:03.862: dot1x-sm:[00d8.6162.4665, Gi1/0/35] 0x90000104:entering request state
Feb 19 19:44:03.862: dot1x-ev:[00d8.6162.4665, Gi1/0/35] Sending EAPOL packet
Feb 19 19:44:03.862: dot1x-registry:registry:dot1x_ether_macaddr called
SW-1#
Feb 19 19:44:03.862: dot1x-ev:[00d8.6162.4665, Gi1/0/35] Sending out EAPOL packet to MAC 00d8.6162.4665
Feb 19 19:44:03.862: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Feb 19 19:44:03.862: dot1x-packet: length: 0x0005
Feb 19 19:44:03.862: dot1x-packet:EAP code: 0x1 id: 0x1 length: 0x0005
Feb 19 19:44:03.862: dot1x-packet: type: 0x1
Feb 19 19:44:03.862: dot1x-packet:[00d8.6162.4665, Gi1/0/35] EAPOL packet sent to client 0x90000104
SW-1#
Feb 19 19:44:06.958: dot1x-sm:[00d8.6162.4665, Gi1/0/35] Posting EAP_REQ for 0x90000104
Feb 19 19:44:06.958: dot1x_auth_bend Gi1/0/35: during state auth_bend_request, got event 7(eapReq)
Feb 19 19:44:06.958: @@@ dot1x_auth_bend Gi1/0/35: auth_bend_request -> auth_bend_request
Feb 19 19:44:06.958: dot1x-sm:[00d8.6162.4665, Gi1/0/35] 0x90000104:request request action
Feb 19 19:44:06.958: dot1x-sm:[00d8.6162.4665, Gi1/0/35] 0x90000104:entering request state
Feb 19 19:44:06.958: dot1x-ev:[00d8.6162.4665, Gi1/0/35] Sending EAPOL packet
Feb 19 19:44:06.958: dot1x-registry:registry:dot1x_ether_macaddr called
SW-1#
Feb 19 19:44:06.958: dot1x-ev:[00d8.6162.4665, Gi1/0/35] Sending out EAPOL packet to MAC 00d8.6162.4665
Feb 19 19:44:06.958: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Feb 19 19:44:06.958: dot1x-packet: length: 0x0005
Feb 19 19:44:06.958: dot1x-packet:EAP code: 0x1 id: 0x1 length: 0x0005
Feb 19 19:44:06.958: dot1x-packet: type: 0x1
Feb 19 19:44:06.958: dot1x-packet:[00d8.6162.4665, Gi1/0/35] EAPOL packet sent to client 0x90000104
SW-1#
Feb 19 19:44:10.044: dot1x-ev:[00d8.6162.4665, Gi1/0/35] Received an EAP Timeout
Feb 19 19:44:10.044: dot1x-sm:[00d8.6162.4665, Gi1/0/35] Posting EAP_TIMEOUT for 0x90000104
Feb 19 19:44:10.044: dot1x_auth_bend Gi1/0/35: during state auth_bend_request, got event 12(eapTimeout)
Feb 19 19:44:10.044: @@@ dot1x_auth_bend Gi1/0/35: auth_bend_request -> auth_bend_timeout
Feb 19 19:44:10.044: dot1x-sm:[00d8.6162.4665, Gi1/0/35] 0x90000104:entering timeout state
Feb 19 19:44:10.044: dot1x-sm:[00d8.6162.4665, Gi1/0/35] 0x90000104:request timeout action
Feb 19 19:44:10.044: dot1x_auth_bend Gi1/0/35: idle during state auth_bend_timeout
Feb 19 19:44:10.044: @@@ dot1x_auth_bend Gi1/0/35: auth_bend_timeout -> auth_bend_idle
Feb 19 19:44:10.044: dot1x-sm:[00d8.6162.4665, Gi1/0/35] 0x90000104:entering idle state
Feb 19 19:44:10.044: dot1x-sm:[00d8.6162.4665, Gi1/0/35] Posting AUTH_TIMEOUT on Client 0x90000104
Feb 19 19:44:10.044: dot1x_auth Gi1/0/35: during state auth_authenticating, got event 14(authTimeout)
Feb 19 19:44:10.044: @@@ dot1x_auth Gi1/0/35: auth_authenticating -> auth_authc_result
Feb 19 19:44:10.044: dot1x-sm:[00d8.6162.4665, Gi1/0/35] 0x90000104:exiting authenticating state
Feb 19 19:44:10.044: dot1x-sm:[00d8.6162.4665, Gi1/0/35] 0x90000104:entering authc result state
Feb 19 19:44:10.044: %DOT1X-5-FAIL: Authentication failed for client (00d8.6162.4665) on Interface Gi1/0/35 AuditSessionID C0A8010200000021007B0470
Feb 19 19:44:10.044: dot1x-packet:[00d8.6162.4665, Gi1/0/35] Dot1x did not receive any key data
Feb 19 19:44:10.044: dot1x-ev:[00d8.6162.4665, Gi1/0/35] Processing client delete for hdl 0x90000104 sent by Auth Mgr
Feb 19 19:44:10.044: dot1x-ev:[00d8.6162.4665, Gi1/0/35] 00d8.6162.4665: sending canned failure due to method termination
Feb 19 19:44:10.044: dot1x-ev:[00d8.6162.4665, Gi1/0/35] Sending EAPOL packet
Feb 19 19:44:10.044: dot1x-registry:registry:dot1x_ether_macaddr called
Feb 19 19:44:10.044: dot1x-ev:[00d8.6162.4665, Gi1/0/35] Sending out EAPOL packet to MAC 00d8.6162.4665
Feb 19 19:44:10.044: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Feb 19 19:44:10.044: dot1x-packet: length: 0x0004
Feb 19 19:44:10.044: dot1x-packet:EAP code: 0x4 id: 0x1 length: 0x0004
Feb 19 19:44:10.044: dot1x-packet:[00d8.6162.4665, Gi1/0/35] EAPOL canned status packet sent to client 0x90000104
Feb 19 19:44:10.044: dot1x-ev:[00d8.6162.4665, Gi1/0/35] Deleting client 0x90000104 (00d8.6162.4665)
Feb 19 19:44:10.053: dot1x-ev:[00d8.6162.4665, Gi1/0/35] Delete auth client (0x90000104) message
Feb 19 19:44:10.053: dot1x-ev:Auth client ctx destroyed
Feb 19 19:44:10.053: AAA/AUTHEN/8021X (00000000): Pick method list 'default'
Feb 19 19:44:10.053: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified
SW-1#
Feb 19 19:44:10.061: %MAB-5-FAIL: Authentication failed for client (00d8.6162.4665) on Interface Gi1/0/35 AuditSessionID C0A8010200000021007B0470
02-20-2023 01:20 AM
Hi, In the debug EAP is getting timed out and it looks supplicant has incorrect configuration or some other issue. May be you give a try with some other machine.
Feb 19 19:44:06.958: dot1x-packet:[00d8.6162.4665, Gi1/0/35] EAPOL packet sent to client 0x90000104
SW-1#
Feb 19 19:44:10.044: dot1x-ev:[00d8.6162.4665, Gi1/0/35] Received an EAP Timeout
Feb 19 19:44:10.044: dot1x-sm:[00d8.6162.4665, Gi1/0/35] Posting EAP_TIMEOUT for 0x90000104
But what about MAB ? This is defined next method on switchport and also failing. Have you enabled Host lookup in allowed protocols in ISE. Also remember log suppressing while doing troubleshooting which can be reason of not seeing logs.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide