Need some help with dot1x please

Mariusz Kuriata
Level 1

Cisco 2950, ACS 5.3

ACS tested, I created a local account on the ACS and enabled authentication on the 2950. All working.

Dot1x - not working

Configuration on the switch:

Switch#sh run | i dot1x
aaa authentication dot1x default group tacacs+
aaa authorization network default group tacacs+
tacacs-server host 172.16.1.175
dot1x system-auth-control

Switch#sh run int f0/2
Building configuration...

Current configuration : 107 b
!
interface FastEthernet0/2
switchport mode access
dot1x port-control auto
spanning-tree portfast

Switch#sh dot1x int f0/2
Supplicant MAC <Not Applicable>
AuthSM State          = CONNECTING
BendSM State          = IDLE
Posture               = N/A
PortStatus            = UNAUTHORIZED
MaxReq                = 2
MaxAuthReq            = 2
HostMode              = Single
Port Control          = Auto
ControlDirection      = Both
QuietPeriod           = 60 Seconds
Re-authentication     = Disabled
ReAuthPeriod          = 3600 Seconds
ServerTimeout         = 30 Seconds
SuppTimeout           = 30 Seconds
TxPeriod              = 30 Seconds
Guest-Vlan            = 0
AuthFail-Vlan         = 0
AuthFail-Max-Attempts = 3

And it stays like that

Debug

01:59:21: dot1x-ev:Received QUEUE EVENT in response to AAA Request
01:59:21: dot1x-ev:Dot1x matching request-response id 4294967283 found
01:59:21: dot1x-ev:Length of recv eap packet from radius = 4
01:59:21: dot1x-ev:Received VLAN Id -1
01:59:22: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up
FastEthernet0/2
02:00:38: dot1x-ev:dot1x_post_message_to_auth_sm: removing supplicant 0015.60c3.8613 SM
02:00:38: dot1x-ev:destroy supplicant block for 0015.60c3.8613
02:00:38: dot1x-ev:Enter function dot1x_aaa_acct_end
02:00:38: dot1x-ev:Couldn't find a supplicant block for mac 0015.60c3.8613
02:00:38: dot1x-ev:Couldn't find a supplicant block for mac 0015.60c3.8613

I would expect my Windows 7 client to ask me for a username/pass (dot1x enabled on my NIC card)

4 Replies

Mariusz Kuriata
Level 1

On ACS I can see

13011 Invalid TACACS+ request packet - possibly mismatched Shared Secrets

Which is not true as I can telnet to this switch using a Tacacs account

I also added a username/pass to my NIC settings. Windows says: 'authentication failed'

You need to configure RADIUS for dot1x.

aaa authentication dot1x default group radius
aaa authorization network default group radius
!
radius-server host x.x.x.x auth-port 1812 acct-port 1813
radius-server timeout 3
radius-server key blabla
!
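As an added illustration (not code from the thread), a small Python audit that reads an IOS config excerpt and flags the mismatch above: a dot1x method list pointing at TACACS+ instead of RADIUS, plus a RADIUS method list with no server or shared key behind it. Both sample configs are constructed; the RADIUS host address and key are placeholders.

```python
import re

# Constructed sample: the original poster's switch config (dot1x method list on TACACS+)
BROKEN_CFG = """\
aaa authentication dot1x default group tacacs+
aaa authorization network default group tacacs+
tacacs-server host 172.16.1.175
dot1x system-auth-control
"""

# Constructed sample: the corrected config from the reply; host and key are placeholders
FIXED_CFG = """\
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813
radius-server timeout 3
radius-server key EXAMPLE-SHARED-SECRET
dot1x system-auth-control
"""

def audit_dot1x(config: str) -> list[str]:
    """Return findings for an IOS running-config excerpt.
    802.1X carries EAP inside RADIUS attributes and TACACS+ has no EAP transport,
    so a dot1x method list naming 'group tacacs+' never authenticates a supplicant."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    if "dot1x system-auth-control" not in lines:
        findings.append("dot1x system-auth-control missing: 802.1X is globally disabled")
    auth = [ln for ln in lines if ln.startswith("aaa authentication dot1x ")]
    if not auth:
        findings.append("no 'aaa authentication dot1x' method list")
    for ln in auth:
        if "group radius" not in ln:
            findings.append(f"dot1x method list does not use RADIUS: '{ln}'")
    if any("group radius" in ln for ln in auth):
        if not any(re.match(r"radius-server host \S+", ln) for ln in lines):
            findings.append("dot1x uses RADIUS but no radius-server host is defined")
        # accept either a global 'radius-server key' or a per-host 'radius-server host ... key ...'
        if not any(re.match(r"radius-server (host \S+.* )?key \S+", ln) for ln in lines):
            findings.append("no RADIUS shared key configured")
    for ln in lines:
        if ln.startswith("aaa authorization network ") and "group radius" not in ln:
            findings.append(f"network authorization (VLAN/ACL push) not via RADIUS: '{ln}'")
    return findings

if __name__ == "__main__":
    for name, cfg in (("as posted", BROKEN_CFG), ("as corrected", FIXED_CFG)):
        print(name, audit_dot1x(cfg) or ["OK"])
```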

Naveen Kumar
Level 4

Please have a look at a very good doc on 802.1x authentication, configuration and verification commands:

http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116506-configure-acs-00.html