02-11-2019 03:57 PM
Can someone help pointing why the PC DATA authorization failed.
show session auth, interface config and debug dox1x included.
SWITCH#sho authentication sessions
Interface    MACAddress    Method          Domain        Status                     Session ID
Gi1/0/2 c4b9.cdb5.325e    mab             VOICE          Authz Success          0A16640A0000001A002704FF
Gi1/0/3 d4be.d95c.a825   N/A               DATA           Authz Failed               0A16640A00000014001E9424
SWITCH#sh run int g1/0/3
Building configuration...
Current configuration : 408 bytes
!
interface GigabitEthernet1/0/3
 switchport access vlan 120
 switchport mode access
 switchport voice vlan 150
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
end
SWITCH(config-if)#no shut
SWITCH#
 dot1x-ev(Gi1/0/3): Interface state changed to UP
 dot1x_auth Gi1/0/3: initial state auth_initialize has enter
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_initialize_enter called
 dot1x_auth Gi1/0/3: during state auth_initialize, got event 0(cfg_auto)
 @@@ dot1x_auth Gi1/0/3: auth_initialize -> auth_disconnected
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_disconnected_enter called
 dot1x_auth Gi1/0/3: idle during state auth_disconnected
 @@@ dot1x_auth Gi1/0/3: auth_disconnected -> auth_restart
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_restart_enter called
 dot1x-ev(Gi1/0/3): Sending create new context event to EAP for 0x3A000022 (0000.0000.0000)
 dot1x_auth_bend Gi1/0/3: initial state auth_bend_initialize has enter
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_initialize_enter called
 dot1x_auth_bend Gi1/0/3: initial state auth_bend_initialize has idle
 dot1x_auth_bend Gi1/0/3: during state auth_bend_initialize, got event 16383(idle)
 @@@ dot1x_auth_bend Gi1/0/3: auth_bend_initialize -> auth_bend_idle
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_idle_enter called
 dot1x-ev(Gi1/0/3): Created a client entry (0x3A000022)
 dot1x-ev(Gi1/0/3): Dot1x authentication started for 0x3A000022 (0000.0000.0000)
 dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/3
 dot1x-sm(Gi1/0/3): Posting !EAP_RESTART on Client 0x3A000022
 dot1x_auth Gi1/0/3: during state auth_restart, got event 6(no_eapRestart)
 @@@ dot1x_auth Gi1/0/3: auth_restart -> auth_connecting
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_connecting_enter called
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_restart_connecting_action called
 dot1x-sm(Gi1/0/3): Posting RX_REQ on Client 0x3A000022
 dot1x_auth Gi1/0/3: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
 @@@ dot1x_auth Gi1/0/3: auth_connecting -> auth_authenticating
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_authenticating_enter called
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_connecting_authenticating_action called
 dot1x-sm(Gi1/0/3): Posting AUTH_START for 0x3A000022
 dot1x_auth_bend Gi1/0/3: during state auth_bend_idle, got event 4(eapReq_authStart)
 @@@ dot1x_auth_bend Gi1/0/3: auth_bend_idle -> auth_bend_request
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_request_enter called
 dot1x-ev(Gi1/0/3): Sending EAPOL packet to group PAE address
 dot1x-ev(Gi1/0/3): Role determination not required
 dot1x-registry:registry:dot1x_ether_macaddr called
 dot1x-ev(Gi1/0/3): Sending out EAPOL packet
 EAPOL pak dump Tx
 EAPOL Version: 0x3 type: 0x0 length: 0x0005
 EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
 dot1x-packet(Gi1/0/3): EAPOL packet sent to client 0x3A000022 (0000.0000.0000)
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_idle_request_action called
 dot1x-ev(Gi1/0/3): Role determination not required
 dot1x-packet(Gi1/0/3): queuing an EAPOL pkt on Auth Q
 dot1x-ev:Enqueued the eapol packet to the global authenticator queue
 dot1x-ev(Gi1/0/3): New client notification from AuthMgr for 0x3A000022 - d4be.d95c.a825
 %AUTHMGR-5-START: Starting 'dot1x' for client (d4be.d95c.a825) on Interface Gi1/0/3 AuditSessionID 0A16640A0000001B002E60B2
 EAPOL pak dump rx
 EAPOL Version: 0x1 type: 0x1 length: 0x0000
 dot1x-ev:dot1x_auth_queue_event: Int Gi1/0/3 CODE= 0,TYPE= 0,LEN= 0
 dot1x-packet(Gi1/0/3): Received an EAPOL frame
 dot1x-ev(Gi1/0/3): Received pkt saddr =d4be.d95c.a825 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
 dot1x-packet(Gi1/0/3): Received an EAPOL-Start packet
 EAPOL pak dump rx
 EAPOL Version: 0x1 type: 0x1 length: 0x0000
 dot1x-sm(Gi1/0/3): Posting EAPOL_START on Client 0x3A000022
 dot1x_auth Gi1/0/3: during state auth_authenticating, got event 4(eapolStart)
 @@@ dot1x_auth Gi1/0/3: auth_authenticating -> auth_aborting
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_authenticating_exit called
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_aborting_enter called
 dot1x-sm(Gi1/0/3): Posting RESTART on Client 0x3A000022
 dot1x_auth Gi1/0/3: during state auth_aborting, got event 13(restart)
 @@@ dot1x_auth Gi1/0/3: auth_aborting -> auth_restart
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_aborting_exit called
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_restart_enter called
 dot1x-ev(Gi1/0/3): Resetting the client 0x3A000022 (d4be.d95c.a825)
 dot1x-ev(Gi1/0/3): Sending create new context event to EAP for 0x3A000022 (d4be.d95c.a825)
 dot1x-sm(Gi1/0/3): Posting !EAP_RESTART on Client 0x3A000022
 dot1x_auth Gi1/0/3: during state auth_restart, got event 6(no_eapRestart)
 @@@ dot1x_auth Gi1/0/3: auth_restart -> auth_connecting
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_connecting_enter called
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_restart_connecting_action called
 dot1x-ev(Gi1/0/3): Role determination not required
 dot1x-packet(Gi1/0/3): Queuing an EAPOL pkt on Authenticator Q
 dot1x-ev:Enqueued the eapol packet to the global authenticator queue
 dot1x-sm(Gi1/0/3): Posting AUTH_ABORT for 0x3A000022
 dot1x_auth_bend Gi1/0/3: during state auth_bend_request, got event 1(authAbort)
 @@@ dot1x_auth_bend Gi1/0/3: auth_bend_request -> auth_bend_initialize
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_initialize_enter called
 dot1x_auth_bend Gi1/0/3: idle during state auth_bend_initialize
 @@@ dot1x_auth_bend Gi1/0/3: auth_bend_initialize -> auth_bend_idle
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_idle_enter called
 %SYS-5-CONFIG_I: Configured from console by console
 EAPOL pak dump rx
 EAPOL Version: 0x1 type: 0x0 length: 0x000C
 dot1x-ev:dot1x_auth_queue_event: Int Gi1/0/3 CODE= 2,TYPE= 1,LEN= 12
 dot1x-packet(Gi1/0/3): Received an EAPOL frame
 dot1x-ev(Gi1/0/3): Received pkt saddr =d4be.d95c.a825 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.000c
 dot1x-packet(Gi1/0/3): Received an EAP packet
 EAPOL pak dump rx
 EAPOL Version: 0x1 type: 0x0 length: 0x000C
 dot1x-packet(Gi1/0/3): Received an EAP packet from d4be.d95c.a825
 dot1x-packet(Gi1/0/3): Received an unexpected EAP packet from d4be.d95c.a825
 dot1x-sm(Gi1/0/3): Posting !AUTH_ABORT on Client 0x3A000022
 dot1x_auth Gi1/0/3: during state auth_connecting, got event 20(no_eapolLogoff_no_authAbort) (ignored)
 dot1x-sm(Gi1/0/3): Posting RX_REQ on Client 0x3A000022
 dot1x_auth Gi1/0/3: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
 @@@ dot1x_auth Gi1/0/3: auth_connecting -> auth_authenticating
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_authenticating_enter called
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_connecting_authenticating_action called
 dot1x-sm(Gi1/0/3): Posting AUTH_START for 0x3A000022
 dot1x_auth_bend Gi1/0/3: during state auth_bend_idle, got event 4(eapReq_authStart)
 @@@ dot1x_auth_bend Gi1/0/3: auth_bend_idle -> auth_bend_request
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_request_enter called
 dot1x-ev(Gi1/0/3): Sending EAPOL packet to d4be.d95c.a825
 dot1x-ev(Gi1/0/3): Role determination not required
 dot1x-registry:registry:dot1x_ether_macaddr called
 dot1x-ev(Gi1/0/3): Sending out EAPOL packet
 EAPOL pak dump Tx
 EAPOL Version: 0x3 type: 0x0 length: 0x0005
 EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
 dot1x-packet(Gi1/0/3): EAPOL packet sent to client 0x3A000022 (d4be.d95c.a825)
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_idle_request_action called
 dot1x-ev(Gi1/0/3): Role determination notrequired
 dot1x-packet(Gi1/0/3): Queuing an EAPOL pkt on Authenticator Q
 dot1x-ev:Enqueued the eapol packet to the global authenticator queue
 EAPOL pak dump rx
 EAPOL Version: 0x1 type: 0x0 length: 0x000C
 dot1x-ev:dot1x_auth_queue_event: Int Gi1/0/3 CODE= 2,TYPE= 1,LEN= 12
 dot1x-packet(Gi1/0/3): Received an EAPOL frame
 dot1x-ev(Gi1/0/3): Received pkt saddr =d4be.d95c.a825 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.000c
 dot1x-packet(Gi1/0/3): Received an EAP packet
 EAPOL pak dump rx
 EAPOL Version: 0x1 type: 0x0 length: 0x000C
 dot1x-packet(Gi1/0/3): Received an EAP packet from d4be.d95c.a825
 dot1x-sm(Gi1/0/3): Posting EAPOL_EAP for 0x3A000022
 dot1x_auth_bend Gi1/0/3: during state auth_bend_request, got event 6(eapolEap)
 @@@ dot1x_auth_bend Gi1/0/3: auth_bend_request -> auth_bend_response
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_response_enter called
 dot1x-ev(Gi1/0/3): dot1x_sendRespToServer: Response sent to the server from 0x3A000022 (d4be.d95c.a825)
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_request_response_action called
 dot1x-ev(Gi1/0/3): Received an EAP Fail
 dot1x-sm(Gi1/0/3): Posting EAP_FAIL for 0x3A000022
 dot1x_auth_bend Gi1/0/3: during state auth_bend_response, got event 10(eapFail)
 @@@ dot1x_auth_bend Gi1/0/3: auth_bend_response -> auth_bend_fail
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_response_exit called
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_fail_enter called
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_response_fail_action called
 dot1x_auth_bend Gi1/0/3: idle during state auth_bend_fail
 @@@ dot1x_auth_bend Gi1/0/3: auth_bend_fail -> auth_bend_idle
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_idle_enter called
 dot1x-sm(Gi1/0/3): Posting AUTH_FAIL on Client 0x3A000022
 dot1x_auth Gi1/0/3: during state auth_authenticating, got event 15(authFail)
 @@@ dot1x_auth Gi1/0/3: auth_authenticating -> auth_authc_result
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_authenticating_exit called
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_authc_result_enter called
 %DOT1X-5-FAIL: Authentication failed for client (d4be.d95c.a825) on Interface Gi1/0/3 AuditSessionID 0A16640A0000001B002E60B2
 dot1x-ev(Gi1/0/3): Sending event (2) to Auth Mgr for d4be.d95c.a825
 %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (d4be.d95c.a825) on Interface Gi1/0/3 AuditSessionID 0A16640A0000001B002E60B2
 %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (d4be.d95c.a825) on Interface Gi1/0/3 AuditSessionID 0A16640A0000001B002E60B2
 dot1x-redundancy: State for client d4be.d95c.a825 successfully retrieved
 dot1x-ev(Gi1/0/3): Received Authz fail for the client 0x3A000022 (d4be.d95c.a825)
 dot1x-sm(Gi1/0/3): Posting_AUTHZ_FAIL on Client0x3A000022
 dot1x_auth Gi1/0/3: during state auth_authc_result, got event 22(authzFail)
 @@@ dot1x_auth Gi1/0/3: auth_authc_result -> auth_held
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_held_enter called
 dot1x-ev(Gi1/0/3): Sending EAPOL packet to d4be.d95c.a825
 dot1x-ev(Gi1/0/3): Role determination not required
 dot1x-registry:registry:dot1x_ether_macaddr called
 dot1x-ev(Gi1/0/3): Sending out EAPOL packet
 EAPOL pak dump Tx
 EAPOL Version: 0x3 type: 0x0 length: 0x0004
 EAP code: 0x4 id: 0x1 length: 0x0004
 dot1x-packet(Gi1/0/3): EAPOL packet sent to client 0x3A000022 (d4be.d95c.a825)
 dot1x-ev(Gi1/0/3): Role determination not required
 dot1x-packet(Gi1/0/3): queuing an EAPOL pkt on Auth Q
 dot1x-ev:Enqueued the eapol packet to the global authenticator queue
 EAPOL pak dump rx
 EAPOL Version: 0x1 type: 0x1 length: 0x0000
 dot1x-ev:dot1x_auth_queue_event: Int Gi1/0/3 CODE= 0,TYPE= 0,LEN= 0
 dot1x-packet(Gi1/0/3): Received an EAPOL frame
 dot1x-ev(Gi1/0/3): Received pkt saddr =d4be.d95c.a825 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
 dot1x-packet(Gi1/0/3): Received an EAPOL-Start packet
 EAPOL pak dump rx
 EAPOL Version: 0x1 type: 0x1 length: 0x0000
 dot1x-sm(Gi1/0/3): Posting EAPOL_START on Client 0x3A000022
 dot1x_auth Gi1/0/3: during state auth_held, got event 4(eapolStart) (ignored)
 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to up
 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to up
 dot1x-ev(Gi1/0/3): Role determination not required
 dot1x-packet(Gi1/0/3): queuing an EAPOL pkt on Auth Q
 dot1x-ev:Enqueued the eapol packet to the global authenticator queue
 EAPOL pak dump rx
 EAPOL Version: 0x1 type: 0x1 length: 0x0000
 dot1x-ev:dot1x_auth_queue_event: Int Gi1/0/3 CODE= 0,TYPE= 0,LEN= 0
 dot1x-packet(Gi1/0/3): Received an EAPOL frame
 dot1x-ev(Gi1/0/3): Received pkt saddr =d4be.d95c.a825 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
 dot1x-packet(Gi1/0/3): Received an EAPOL-Start packet
 EAPOL pak dump rx
 EAPOL Version: 0x1 type: 0x1 length: 0x0000
 dot1x-sm(Gi1/0/3): Posting EAPOL_START on Client 0x3A000022
 dot1x_auth Gi1/0/3: during state auth_held, got event 4(eapolStart) (ignored)
 dot1x-ev(Gi1/0/3): Role determination not required
 dot1x-packet(Gi1/0/3): queuing an EAPOL pkt on Auth Q
 dot1x-ev:Enqueued the eapol packet to the global authenticator queue
 EAPOL pak dump rx
 EAPOL Version: 0x1 type: 0x1 length: 0x0000
 dot1x-ev:dot1x_auth_queue_event: Int Gi1/0/3 CODE= 0,TYPE= 0,LEN= 0
 dot1x-packet(Gi1/0/3): Received an EAPOL frame
 dot1x-ev(Gi1/0/3): Received pkt saddr =d4be.d95c.a825 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
 dot1x-packet(Gi1/0/3): Received an EAPOL-Start packet
 EAPOL pak dump rx
 EAPOL Version: 0x1 type: 0x1 length: 0x0000
 dot1x-sm(Gi1/0/3): Posting EAPOL_START on Client 0x3A000022
 dot1x_auth Gi1/0/3: during state auth_he
SWITCH#ld, got event 4(eapolStart) (ignored)
Solved! Go to Solution.
02-12-2019 10:00 AM
Sometimes small details in the config can taking away from the actual problem. I redid the config on my switch and found out that I was missing one command. Radius-server dead-criteria time 10 tries 3 :-)
Thanks to all who tries to help.
Bigk
02-11-2019 04:54 PM
02-11-2019 07:27 PM
Please see attached live log
 
					
				
		
02-11-2019 07:30 PM
For testing please remove below setting and check again.
02-11-2019 07:36 PM
I changed the interface to be 1/0/2 still same issue
Interface: GigabitEthernet1/0/2
 MAC Address: d4be.d95c.a825
 IP Address: Unknown
 User-Name: NWADMIN
 Status: Authz Failed
 Domain: DATA
 Security Policy: Should Secure
 Security Status: Unsecure
 Oper host mode: multi-domain
 Oper control dir: both
 Session timeout: N/A
 Idle timeout: N/A
Common Session ID: 0A16640A000000A90108A454
 Acct Session ID: 0x000000B2
 Handle: 0xED0000AA
Runnable methods list:
 Method State
 dot1x Authc Failed
 mab Not run
 
					
				
		
02-11-2019 07:38 PM
Did you change the setting on ISE?
02-11-2019 07:41 PM
I just did -- and then I cleared authentication session. waiting to see what happened
02-11-2019 07:43 PM
sho authentication sessions
Interface MAC Address Method Domain Status Session ID
Gi1/0/2 c4b9.cdb5.325e mab VOICE Authz Success 0A16640A000000B0010E3758
Gi1/0/2 d4be.d95c.a825 dot1x DATA Running 0A16640A000000AE010DDE9C
02-11-2019 07:43 PM
sho authentication sessions
Interface MAC Address Method Domain Status Session ID
Gi1/0/2 c4b9.cdb5.325e mab VOICE Authz Success 0A16640A000000B0010E3758
Gi1/0/2 d4be.d95c.a825 N/A DATA Authz Failed 0A16640A000000AE010DDE9C
 
					
				
		
02-11-2019 09:38 PM
ok so now what error do you see?
 
					
				
		
02-11-2019 06:57 PM
Some failure is received.
dot1x-packet(Gi1/0/3): Received an EAP packet from d4be.d95c.a825
 dot1x-sm(Gi1/0/3): Posting EAPOL_EAP for 0x3A000022
 dot1x_auth_bend Gi1/0/3: during state auth_bend_request, got event 6(eapolEap)
 @@@ dot1x_auth_bend Gi1/0/3: auth_bend_request -> auth_bend_response
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_response_enter called
 dot1x-ev(Gi1/0/3): dot1x_sendRespToServer: Response sent to the server from 0x3A000022 (d4be.d95c.a825)
 dot1x-sm(Gi1/0/3): 0x3A000022:auth_bend_request_response_action called
 dot1x-ev(Gi1/0/3): Received an EAP Fail
Is the MAC address hitting correct rule? What is the reason for failure show on radius server?
share the output of "show authen sess int <> detail"
02-11-2019 07:52 PM
Here is the issue
Event 5400 Authentication failed 
Failure Reason 15039 Rejected per authorization profile 
Resolution Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results. 
Root cause Selected Authorization Profile contains ACCESS_REJECT attribute 
 
					
				
		
02-11-2019 10:35 PM
Ok, Now you need to see why the required authorization rule is not hitting.
What rule are you expecting to hit on ISE? Could you share?
02-12-2019 10:00 AM
Sometimes small details in the config can taking away from the actual problem. I redid the config on my switch and found out that I was missing one command. Radius-server dead-criteria time 10 tries 3 :-)
Thanks to all who tries to help.
Bigk
 
					
				
				
			
		
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide