02-12-2014 07:57 AM - edited 03-10-2019 09:23 PM
Cisco 2950, ACS 5.3
ACS tested, I created a local account on the ACS and enabled authentication on the 2950. All working.
Dot1x - not working
Configuration on the switch:
Switch#sh run | i dot1x
aaa authentication dot1x default group tacacs+
aaa authorization network default group tacacs+
tacacs-server host 172.16.1.175
dot1x system-auth-control
Switch#sh run int f0/2
Building configuration...
Current configuration : 107 b
!
interface FastEthernet0/2
switchport mode access
dot1x port-control auto
spanning-tree portfast
Switch#sh dot1x int f0/2
Supplicant MAC <Not Applicable>
AuthSM State = CONNECTING
BendSM State = IDLE
Posture = N/A
PortStatus = UNAUTHORIZED
MaxReq = 2
MaxAuthReq = 2
HostMode = Single
Port Control = Auto
ControlDirection = Both
QuietPeriod = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod = 3600 Seconds
ServerTimeout = 30 Seconds
SuppTimeout = 30 Seconds
TxPeriod = 30 Seconds
Guest-Vlan = 0
AuthFail-Vlan = 0
AuthFail-Max-Attempts = 3
And it stays like that
Debug
01:59:21: dot1x-ev:Received QUEUE EVENT in response to AAA Request
01:59:21: dot1x-ev:Dot1x matching request-response id 4294967283 found
01:59:21: dot1x-ev:Length of recv eap packet from radius = 4
01:59:21: dot1x-ev:Received VLAN Id -1
01:59:22: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up
FastEthernet0/2
02:00:38: dot1x-ev:dot1x_post_message_to_auth_sm: removing supplicant 0015.60c3.8613 SM
02:00:38: dot1x-ev:destroy supplicant block for 0015.60c3.8613
02:00:38: dot1x-ev:Enter function dot1x_aaa_acct_end
02:00:38: dot1x-ev:Couldn't find a supplicant block for mac 0015.60c3.8613
02:00:38: dot1x-ev:Couldn't find a supplicant block for mac 0015.60c3.8613
I would expect my Windows 7 client to ask me for a username/password (dot1x is enabled on my NIC).
02-12-2014 07:59 AM
On ACS I can see
13011 Invalid TACACS+ request packet - possibly mismatched Shared Secrets
Which is not true, as I can telnet to this switch using a TACACS+ account.
I also added a username/pass to my NIC settings. Windows says: 'authentication failed'
02-13-2014 01:36 AM
You need to configure RADIUS for dot1x.
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
radius-server host x.x.x.x auth-port 1812 acct-port 1813
radius-server timeout 3
radius-server key blabla
!
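The fix above comes down to one point: 802.1X carries EAP inside RADIUS, so a dot1x method list pointing at a TACACS+ group can never work (which is exactly why ACS logs the "13011 Invalid TACACS+ request packet" error). As an added example, not from this thread or from Cisco, here is a small Python check that lints a pasted `show run` snippet for that mistake, using the legacy `radius-server` syntax the 2950 accepts. The host IP and key in the fixed config are placeholders.

```python
import re
from typing import List

# Constructed from the thread: the original (broken) dot1x AAA config ...
BROKEN_CONFIG = """\
aaa authentication dot1x default group tacacs+
aaa authorization network default group tacacs+
tacacs-server host 172.16.1.175
dot1x system-auth-control
"""

# ... and the RADIUS-based config from the reply (placeholder host and key).
FIXED_CONFIG = """\
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813
radius-server timeout 3
radius-server key EXAMPLE-SHARED-SECRET
dot1x system-auth-control
"""


def check_dot1x_aaa(config: str) -> List[str]:
    """Return a list of findings; an empty list means dot1x AAA looks sane."""
    findings = []
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    auth = [l for l in lines if l.startswith("aaa authentication dot1x ")]
    if not auth:
        findings.append("no 'aaa authentication dot1x' method list")
    for l in auth:
        # EAP is transported over RADIUS only; TACACS+ cannot carry it.
        if re.search(r"\bgroup\s+tacacs\+", l):
            findings.append(f"dot1x method list uses TACACS+: '{l}'")
        if not re.search(r"\bgroup\s+radius\b", l):
            findings.append(f"dot1x method list has no RADIUS group: '{l}'")
    if "dot1x system-auth-control" not in lines:
        findings.append("'dot1x system-auth-control' missing (802.1X globally off)")
    if auth:
        # A RADIUS method list is useless without a reachable, keyed server.
        if not any(l.startswith("radius-server host ") for l in lines):
            findings.append("no 'radius-server host' configured")
        if not any(l.startswith("radius-server key ") for l in lines):
            findings.append("no 'radius-server key' configured")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_dot1x_aaa(cfg) or "OK")
```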
02-13-2014 11:52 PM
Please have a look at this very good doc on 802.1x authentication, configuration and verification commands:
http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116506-configure-acs-00.html
02-20-2014 03:14 AM
Please go through the link below; it may help you get this verified.