Network Policy Server shows username "UNRESPONSIVE" in dot1x RADIUS request

epancer-fhlbc
Level 1

We're seeing the username "UNRESPONSIVE" sent to the Network Policy Server (which we're using as our RADIUS server). MAB works without issue, and we've configured the WYSE thin clients to use PEAP/EAP-MSCHAPv2. 

Any idea why the RADIUS server would not be receiving the correct username (in this case, it should be "wyseclient")?

Here is the event log from NPS:

<Event>
 <Timestamp data_type="4">04/18/2016 11:11:28.789</Timestamp>
 <Computer-Name data_type="1">DC2</Computer-Name>
 <Event-Source data_type="1">IAS</Event-Source>
 <Acct-Session-Id data_type="1">00000218</Acct-Session-Id>
 <Acct-Authentic data_type="0">2</Acct-Authentic>
 <User-Name data_type="1">UNRESPONSIVE</User-Name>
 <Acct-Status-Type data_type="0">1</Acct-Status-Type>
 <NAS-Port-Type data_type="0">15</NAS-Port-Type>
 <NAS-Port data_type="0">50435</NAS-Port>
 <NAS-Port-Id data_type="1">GigabitEthernet4/35</NAS-Port-Id>
 <Called-Station-Id data_type="1">000F23197212</Called-Station-Id>
 <Service-Type data_type="0">2</Service-Type>
 <NAS-IP-Address data_type="3">10.57.254.33</NAS-IP-Address>
 <Acct-Delay-Time data_type="0">0</Acct-Delay-Time>
 <Client-IP-Address data_type="3">10.57.254.33</Client-IP-Address>
 <Client-Vendor data_type="0">0</Client-Vendor>
 <Client-Friendly-Name data_type="1">FL2-SW1-CO1.SITE</Client-Friendly-Name>
 <Cisco-AV-Pair data_type="1">audit-session-id=0A113FB2000000533B96CFF1</Cisco-AV-Pair>
 <Cisco-AV-Pair data_type="1">connect-progress=Call Up</Cisco-AV-Pair>
 <Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name>
 <Packet-Type data_type="0">4</Packet-Type>
 <Reason-Code data_type="0">0</Reason-Code>
</Event>

The switch is configured as follows...

interface Loopback0
ip address 10.57.254.33 255.255.255.255
!
radius-server host 10.50.137.24 key cisco
radius-server timeout 3
radius-server deadtime 1
!
aaa group server radius RADIUS_SERVERS_B
server 10.50.137.24 auth-port 1645 acct-port 1646
ip radius source-interface Loopback0
!
aaa authentication dot1x default group RADIUS_SERVERS_B
aaa authorization network default group RADIUS_SERVERS_B
aaa accounting dot1x default start-stop group RADIUS_SERVERS_B
aaa accounting network default start-stop group RADIUS_SERVERS_B
!
ip device tracking
dot1x system-auth-control
dot1x guest-vlan supplicant
!
interface GigabitEthernet4/35
description voice+data port requiring authentication
switchport access vlan 112
switchport mode access
authentication control-direction in
authentication event fail action authorize vlan 168
authentication event no-response action authorize vlan 168
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 60
authentication timer reauthenticate 2700
authentication timer inactivity 300
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout quiet-period 10
dot1x timeout tx-period 5
dot1x max-req 1
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
end


jan.nielsen
Level 7

Sounds like your Wyse terminal is not responding to the dot1x packets the switch sends out. Also, don't change dot1x timers unless you are very sure what it solves for you, it can have unforeseen consequences. I usually only mess with tx-period set to 5 as you have done. I realize you have probably done this to get MAB to work faster, but this will also impact your dot1x authentication. Try defaulting a port and only put these commands on it:

interface GigabitEthernet4/35
description voice+data port requiring authentication
switchport access vlan 112
switchport mode access
authentication control-direction in
authentication event fail action authorize vlan 168
authentication event no-response action authorize vlan 168
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 5
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
end
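
An added example, not part of the original thread: a Python script that scans NPS XML log text in the layout posted above for accounting records (Packet-Type 4) whose User-Name is UNRESPONSIVE, and groups their audit-session-id values by switch and port. The function names are hypothetical, and the second and third sample events are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: event 1 is a subset of the event in the post; events 2 and 3
# (timestamps, session ids, port 4/36) are invented for this example.
SAMPLE_LOG = """
<Event><Timestamp data_type="4">04/18/2016 11:11:28.789</Timestamp><User-Name data_type="1">UNRESPONSIVE</User-Name>
 <NAS-Port-Id data_type="1">GigabitEthernet4/35</NAS-Port-Id><Client-Friendly-Name data_type="1">FL2-SW1-CO1.SITE</Client-Friendly-Name>
 <Cisco-AV-Pair data_type="1">audit-session-id=0A113FB2000000533B96CFF1</Cisco-AV-Pair><Packet-Type data_type="0">4</Packet-Type></Event>
<Event><Timestamp data_type="4">04/18/2016 11:12:02.101</Timestamp><User-Name data_type="1">wyseclient</User-Name>
 <NAS-Port-Id data_type="1">GigabitEthernet4/36</NAS-Port-Id><Client-Friendly-Name data_type="1">FL2-SW1-CO1.SITE</Client-Friendly-Name>
 <Cisco-AV-Pair data_type="1">audit-session-id=0A113FB2000000553B96D002</Cisco-AV-Pair><Packet-Type data_type="0">4</Packet-Type></Event>
<Event><Timestamp data_type="4">04/18/2016 11:12:31.455</Timestamp><User-Name data_type="1">UNRESPONSIVE</User-Name>
 <NAS-Port-Id data_type="1">GigabitEthernet4/35</NAS-Port-Id><Client-Friendly-Name data_type="1">FL2-SW1-CO1.SITE</Client-Friendly-Name>
 <Cisco-AV-Pair data_type="1">audit-session-id=0A113FB2000000543B96D001</Cisco-AV-Pair><Packet-Type data_type="0">4</Packet-Type></Event>
"""

PLACEHOLDER = "UNRESPONSIVE"   # username seen in the NPS event in the post
ACCOUNTING_REQUEST = "4"       # RADIUS packet code 4 = Accounting-Request


def parse_events(text):
    """Yield one dict per <Event>; repeated tags (Cisco-AV-Pair) are kept as lists."""
    for block in re.findall(r"<Event>.*?</Event>", text, flags=re.S):
        event = {}
        for child in ET.fromstring(block):
            event.setdefault(child.tag, []).append((child.text or "").strip())
        yield event


def first(event, tag):
    """First value of a tag, or an empty string when the tag is absent."""
    return event.get(tag, [""])[0]


def unresponsive_ports(text):
    """Map (switch, port) -> audit-session-ids of accounting records with the placeholder name."""
    hits = {}
    for ev in parse_events(text):
        if first(ev, "Packet-Type") != ACCOUNTING_REQUEST:
            continue
        if first(ev, "User-Name").upper() != PLACEHOLDER:
            continue
        key = (first(ev, "Client-Friendly-Name"), first(ev, "NAS-Port-Id"))
        ids = [p.split("=", 1)[1] for p in ev.get("Cisco-AV-Pair", [])
               if p.startswith("audit-session-id=")]
        hits.setdefault(key, []).extend(ids)
    return hits


if __name__ == "__main__":
    for (switch, port), ids in unresponsive_ports(SAMPLE_LOG).items():
        print(f"{switch} {port}: {len(ids)} record(s), sessions {', '.join(ids)}")
```
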