03-25-2018 08:13 AM
I am not able to authenticate PC using dot1x.
PC has been configured with dot1x with PEAP.
Switch: 2960-x Configuration
interface GigabitEthernet1/0/1
 switchport access vlan 117
 switchport mode access
 switchport voice vlan 114
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 2
 spanning-tree portfast
================================================
Switch log:
TEST-sw#sh authentication se
TEST-sw#sh authentication sessions int gi1/0/1
Interface: GigabitEthernet1/0/1
MAC Address: b86b.2376.211a
IP Address: Unknown
User-Name: b86b2376211a
Status: Authz Failed
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0A75010000001B0058F8F7
Acct Session ID: 0x00000020
Handle: 0xE600001C
Runnable methods list:
Method State
mab Failed over
Mar 25 12:16:53.638: %AUTHMGR-5-START: Starting 'mab' for client (b86b.2376.211a) on Interface Gi1/0/1 AuditSessionID 0A0A75010000002B00E7D9CF
Mar 25 12:16:53.642: %MAB-5-FAIL: Authentication failed for client (b86b.2376.211a) on Interface Gi1/0/1 AuditSessionID 0A0A75010000002B00E7D9CF
Mar 25 12:16:53.645: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (b86b.2376.211a) on Interface Gi1/0/1 AuditSessionID 0A0A75010000002B00E7D9CF
Mar 25 12:16:53.645: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (b86b.2376.211a) on Interface Gi1/0/1 AuditSessionID 0A0A75010000002B00E7D9CF
Mar 25 12:16:53.645: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (b86b.2376.211a) on Interface Gi1/0/1 AuditSessionID 0A0A75010000002B00E7D9CF
===============================================
ISE is configured for MAB and dot1x but always falling to MAB authentication.
PC not hitting the dot1x policy in ISE with the default condition of Wired 802.11x.
Is there any problem with my config? Thanks
03-25-2018 11:38 AM
[Edited] Do you have the dot1x system-auth-control command configured globally on the switch?
Please share the AAA and RADIUS server configurations on the switch too.
~Hari
03-25-2018 01:24 PM
AAA:
aaa authentication login console local
aaa authentication login vty local
aaa authentication enable default enable
aaa authentication dot1x default group ST-RADIUS
aaa authorization exec default local
aaa authorization exec vty local
aaa authorization network default group ST-RADIUS
aaa authorization auth-proxy default group ST-RADIUS
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group ST-RADIUS
aaa accounting dot1x default start-stop group ST-RADIUS
RADIUS:
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria tries 3
radius-server deadtime 30
radius-server vsa send accounting
radius-server vsa send authentication
!
radius server ST-ISE
 address ipv4 <ip> auth-port 1812 acct-port 1813
 key C1sc0234
!
!
Not sure if I already set dot1x system-authentication control globally. Will double check.
No problem with MAB devices (AP, IP Phones), it's authenticating.
It's just the domain computers are not hitting the right policy.
03-25-2018 03:48 PM
In addition to the dot1x system-auth-control setting referenced by Hari, I would suggest scanning through the following document to verify you have applied all of the recommended configurations to the switch.
Depending on the IOS version, some settings might now be enabled by default so you would need to use the command show run all to verify any default settings.
03-26-2018 01:45 AM
I added the command globally and it is now hitting my policy!
Thanks Hariprasad Holla! It's now working!
Thank you grgibbs for the additional information!
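The failure resolved in this thread (per-port dot1x settings present, global dot1x system-auth-control missing, every client falling through to MAB) can be caught by a configuration check before deployment. The script below is an added example, not part of any post in the thread and not Cisco tooling; the function names and the sample text are constructed here, and only commands that appear in the thread are checked.

```python
import re

# Global commands the thread shows or names; the reasons are this example's wording.
REQUIRED_GLOBAL = {
    "dot1x system-auth-control": "802.1X is not enabled globally",
    "aaa authentication dot1x": "no dot1x authentication method list",
}

def parse_interfaces(config):
    """Map each interface name to the commands configured under it."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"interface\s+(\S+)", raw)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif not raw.startswith(" "):
            current = None  # any unindented line ends the interface block
        elif current is not None:
            current.append(raw.strip())
    return interfaces

def audit_dot1x(config):
    """Return a list of findings for missing 802.1X prerequisites."""
    top = [l for l in config.splitlines() if l and not l.startswith(" ")]
    findings = [f"global: missing '{cmd}' ({why})"
                for cmd, why in REQUIRED_GLOBAL.items()
                if not any(l.startswith(cmd) for l in top)]
    for name, cmds in parse_interfaces(config).items():
        if "authentication port-control auto" not in cmds:
            continue  # port is not doing port-based authentication
        order = next((c.split()[2:] for c in cmds
                      if c.startswith("authentication order")), [])
        if "dot1x" in order and "dot1x pae authenticator" not in cmds:
            findings.append(f"{name}: dot1x is in the order but "
                            "'dot1x pae authenticator' is missing")
    return findings

# Constructed sample: a subset of the configuration posted in the thread.
SAMPLE = """\
aaa authentication dot1x default group ST-RADIUS
!
interface GigabitEthernet1/0/1
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
"""
print("\n".join(audit_dot1x(SAMPLE)) or "no findings")
```

The parser relies on the indentation that show running-config output uses for interface sub-commands. Settings that are on by default in a given IOS version do not appear in that output, so run it against show run all output when checking defaults.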