2888 Views | 4 Helpful | 4 Replies

Not hitting the Dot1x authentication/policy in ISE

ecejhe-old (Level 1)

I am not able to authenticate a PC using dot1x.

The PC has been configured for dot1x with PEAP.

Switch: 2960-X configuration

interface GigabitEthernet1/0/1
 switchport access vlan 117
 switchport mode access
 switchport voice vlan 114
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 2
 spanning-tree portfast

================================================

Switch log:

TEST-sw#sh authentication  se
TEST-sw#sh authentication  sessions int gi1/0/1
            Interface:  GigabitEthernet1/0/1
          MAC Address:  b86b.2376.211a
           IP Address:  Unknown
            User-Name:  b86b2376211a
               Status:  Authz Failed
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0A75010000001B0058F8F7
      Acct Session ID:  0x00000020
               Handle:  0xE600001C

Runnable methods list:
       Method   State
       mab      Failed over

Mar 25 12:16:53.638: %AUTHMGR-5-START: Starting 'mab' for client (b86b.2376.211a) on Interface Gi1/0/1 AuditSessionID 0A0A75010000002B00E7D9CF
Mar 25 12:16:53.642: %MAB-5-FAIL: Authentication failed for client (b86b.2376.211a) on Interface Gi1/0/1 AuditSessionID 0A0A75010000002B00E7D9CF
Mar 25 12:16:53.645: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (b86b.2376.211a) on Interface Gi1/0/1 AuditSessionID 0A0A75010000002B00E7D9CF
Mar 25 12:16:53.645: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (b86b.2376.211a) on Interface Gi1/0/1 AuditSessionID 0A0A75010000002B00E7D9CF
Mar 25 12:16:53.645: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (b86b.2376.211a) on Interface Gi1/0/1 AuditSessionID 0A0A75010000002B00E7D9CF

===============================================

ISE is configured for MAB and dot1x, but it is always falling to MAB authentication.

The PC is not hitting the dot1x policy in ISE with the default condition of Wired 802.1X.

Is there any problem with my config? Thanks.
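As an added example (not code from the post), the following Python script parses the 'show authentication sessions' output and the %AUTHMGR/%MAB syslog lines quoted above and turns them into findings: which methods actually ran on the port, what result each returned, and whether dot1x ever started. The sample text is constructed from the lines in the post; the function names are my own.

```python
"""Triage helper for 'show authentication sessions' output and %AUTHMGR/%MAB syslog
lines. Added example, not part of the original post; the sample text below is
constructed from the lines the post shows."""
import re

SESSION_OUTPUT = """\
            Interface:  GigabitEthernet1/0/1
          MAC Address:  b86b.2376.211a
            User-Name:  b86b2376211a
               Status:  Authz Failed
               Domain:  DATA
       Oper host mode:  multi-auth
    Common Session ID:  0A0A75010000001B0058F8F7
Runnable methods list:
       Method   State
       mab      Failed over
"""

SYSLOG = """\
Mar 25 12:16:53.638: %AUTHMGR-5-START: Starting 'mab' for client (b86b.2376.211a) on Interface Gi1/0/1 AuditSessionID 0A0A75010000002B00E7D9CF
Mar 25 12:16:53.642: %MAB-5-FAIL: Authentication failed for client (b86b.2376.211a) on Interface Gi1/0/1 AuditSessionID 0A0A75010000002B00E7D9CF
Mar 25 12:16:53.645: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (b86b.2376.211a) on Interface Gi1/0/1 AuditSessionID 0A0A75010000002B00E7D9CF
Mar 25 12:16:53.645: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (b86b.2376.211a) on Interface Gi1/0/1 AuditSessionID 0A0A75010000002B00E7D9CF
Mar 25 12:16:53.645: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (b86b.2376.211a) on Interface Gi1/0/1 AuditSessionID 0A0A75010000002B00E7D9CF
"""

# timestamp: %FACILITY-severity-MNEMONIC: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+): %(?P<fac>[A-Z0-9]+)-(?P<sev>\d)-(?P<mnem>[A-Z]+): (?P<msg>.*)$")


def parse_session(text):
    """Return (fields, methods): the 'Key: value' pairs and the runnable-methods rows."""
    fields, methods, in_methods = {}, [], False
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        if s.startswith("Runnable methods list"):
            in_methods = True
        elif in_methods:
            parts = s.split()
            if parts[0] != "Method":            # skip the column header row
                methods.append((parts[0], " ".join(parts[1:])))
        elif ":" in s:
            key, value = s.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields, methods


def parse_syslog(text):
    """Parse %AUTHMGR/%MAB/%DOT1X lines into dicts carrying method, result and client MAC."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        mm = re.search(r"(?:Starting|from) '([\w-]+)'", e["msg"])
        if mm:
            e["method"] = mm.group(1)
        else:  # %MAB-5-FAIL / %DOT1X-5-FAIL name the method only in the facility
            e["method"] = e["fac"].lower() if e["fac"] in ("MAB", "DOT1X") else None
        rm = re.search(r"result '([\w-]+)'", e["msg"])
        e["result"] = rm.group(1) if rm else None
        cm = re.search(r"client \(([0-9a-f.]+)\)", e["msg"])
        e["client"] = cm.group(1) if cm else None
        events.append(e)
    return events


def triage(session_text, syslog_text):
    """Explain how the port ended up in its current state, as a list of findings."""
    fields, methods = parse_session(session_text)
    events = parse_syslog(syslog_text)
    findings = []
    if fields.get("Status") == "Authz Failed":
        findings.append("session status is Authz Failed")
    seen = {m for m, _ in methods} | {e["method"] for e in events if e["mnem"] == "START"}
    if "dot1x" not in seen:
        findings.append("dot1x never started on this port; only %s was attempted, "
                        "so check that dot1x is enabled globally" % ", ".join(sorted(seen)))
    for e in events:
        if e["mnem"] == "RESULT" and e["result"] == "no-response":
            findings.append("%s returned result 'no-response'" % e["method"])
        if e["mnem"] == "NOMOREMETHODS":
            findings.append("all configured methods exhausted (NOMOREMETHODS)")
    if fields.get("User-Name") == fields.get("MAC Address", "").replace(".", ""):
        findings.append("User-Name is the MAC address: the identity came from MAB, not EAP")
    return findings


if __name__ == "__main__":
    for finding in triage(SESSION_OUTPUT, SYSLOG):
        print("-", finding)
```

Paste your own 'show authentication sessions interface' output and the matching syslog lines into the two constants (or read them from files) and the findings list tells you at a glance whether the switch even tried dot1x before failing over to mab.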

Accepted Solution

hariholla (Cisco Employee)

[Edited] Do you have the dot1x system-auth-control command configured globally on the switch?

Please share the AAA and RADIUS server configurations on the switch too.

~Hari


4 Replies


AAA:

aaa authentication login console local
aaa authentication login vty local
aaa authentication enable default enable
aaa authentication dot1x default group ST-RADIUS
aaa authorization exec default local
aaa authorization exec vty local
aaa authorization network default group ST-RADIUS
aaa authorization auth-proxy default group ST-RADIUS
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group ST-RADIUS
aaa accounting dot1x default start-stop group ST-RADIUS

RADIUS:

radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria tries 3
radius-server deadtime 30
radius-server vsa send accounting
radius-server vsa send authentication
!
radius server ST-ISE
 address ipv4 <ip> auth-port 1812 acct-port 1813
 key C1sc0234
!

Not sure if I already set dot1x system-auth-control globally. Will double check.

No problem with MAB devices (APs, IP phones); they are authenticating.

It's just the domain computers that are not hitting the right policy.

In addition to the dot1x system-auth-control setting referenced by Hari, I would suggest scanning through the following document to verify you have applied all of the recommended configurations to the switch.

Cisco Identity Services Engine Administrator Guide, Release 2.2 - Switch and Wireless LAN Controller Configuration Requ…

Depending on the IOS version, some settings might now be enabled by default so you would need to use the command show run all to verify any default settings.
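To turn Hari's question and the 'show run all' advice above into a repeatable check, here is an added Python lint (not code from the thread or from Cisco) that walks a pasted running-config for the global prerequisites: aaa new-model, dot1x system-auth-control, and the chain from the 'aaa authentication dot1x' method list to the server group to the 'radius server' definition, plus a couple of per-port consistency checks. The sample config is assembled from the interface, AAA and RADIUS lines in the posts; the 'aaa group server radius' block, the 192.0.2.10 address and the key placeholder are assumptions because the posts omit them.

```python
"""Lint an IOS running-config for the global 802.1X prerequisites the thread ends up
checking. Added example, not code from the thread or from Cisco. The sample config is
constructed from the interface, AAA and RADIUS lines the posts show; the server-group
block, the server IP and the key placeholder are assumptions (the posts omit them)."""

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group ST-RADIUS
aaa authorization network default group ST-RADIUS
aaa accounting dot1x default start-stop group ST-RADIUS
!
aaa group server radius ST-RADIUS
 server name ST-ISE
!
radius server ST-ISE
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
!
interface GigabitEthernet1/0/1
 switchport mode access
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 2
"""


def parse_ios(text):
    """Return (global_lines, blocks): IOS indents a block's sub-commands by one space."""
    global_lines, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            global_lines.append(current)
            blocks.setdefault(current, [])
    return global_lines, blocks


def lint(text):
    """Return a list of findings; an empty list means every check passed."""
    g, blocks = parse_ios(text)
    out = []
    if "aaa new-model" not in g:
        out.append("global: 'aaa new-model' missing, so the aaa method lists cannot take effect")
    dot1x_global = "dot1x system-auth-control" in g
    if not dot1x_global:
        out.append("global: 'dot1x system-auth-control' missing, so dot1x is disabled "
                   "on every port and only mab can run")
    # Follow the chain: method list -> server group -> radius server definition.
    lists = [l for l in g if l.startswith("aaa authentication dot1x ")]
    if not lists:
        out.append("global: no 'aaa authentication dot1x' method list")
    for line in lists:
        tok = line.split()
        group = tok[tok.index("group") + 1] if "group" in tok else None
        members = blocks.get("aaa group server radius %s" % group)
        if members is None:
            out.append("global: server group '%s' referenced but not defined" % group)
            continue
        for m in members:
            if m.startswith("server name "):
                name = m.split()[-1]
                srv = blocks.get("radius server %s" % name)
                if srv is None or not any(s.startswith("address ipv4") for s in srv):
                    out.append("global: radius server '%s' undefined or has no address" % name)
                elif not any(s.startswith("key ") for s in srv):
                    out.append("global: radius server '%s' has no key" % name)
    # Per-port checks on every interface that is actually doing port-based authentication.
    for name, sub in blocks.items():
        if not name.startswith("interface ") or "authentication port-control auto" not in sub:
            continue
        if "dot1x pae authenticator" in sub and not dot1x_global:
            out.append("%s: dot1x pae authenticator set but dot1x is off globally" % name)
        order = next((s for s in sub if s.startswith("authentication order")), "")
        if "dot1x pae authenticator" in sub and "dot1x" not in order.split():
            out.append("%s: dot1x configured but not in 'authentication order'" % name)
        if "authentication open" in sub:
            out.append("%s: 'authentication open' is set, so a host is not blocked by the "
                       "port even while its session shows Authz Failed" % name)
    return out


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("-", finding)
```

Feed it the output of 'show run all' rather than 'show run', as suggested above, so that settings a newer IOS enables by default are visible to the checks; the 'authentication open' note is there because in open mode the Authz Failed status in the original post does not by itself stop the host's traffic.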

I added the command globally and now it's hitting my policy!

Thanks Hariprasad Holla! It's now working!

Thank you grgibbs for the additional information!