02-20-2021 12:57 PM - edited 02-20-2021 01:00 PM
Hello, below is the configuration on the 3560 switch and its port for 802.1x. The PC adapter is configured with authentication and IEEE 802.1x enabled, but when the PC is plugged into the switch port, the PC does not get any response or prompt to enter credentials. Can anyone give some suggestions? Thank you
aaa group server radius Name-dot1x_auth
server 10.0.10.21 auth-port 1645 acct-port 1646
!
aaa authentication dot1x default group Name-dot1x_auth
aaa authorization network default group Name-dot1x_auth
aaa accounting update newinfo
aaa accounting dot1x default start-stop group Name-dot1x_auth
!
!
aaa server radius dynamic-author
client 10.0.10.21 server-key Cisco123
!
aaa session-id common
system mtu routing 1500
mab request format attribute 32 vlan access-vlan
!
interface FastEthernet0/3
switchport access vlan 10
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 10
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 3
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf
radius-server dead-criteria tries 2
radius-server host 10.0.10.21 auth-port 1645 acct-port 1646
radius-server key Cisco123
radius-server vsa send accounting
radius-server vsa send authentication
02-20-2021 01:00 PM
The config is missing something here. Look at the ISE Live Logs: what do you see there? On the switch, does the port come up?
02-20-2021 01:15 PM
Thank you for your reply. No log messages over there.
Going to Operations -> RADIUS or TACACS -> Live Logs or Live Sessions
Is this a good way to check?
02-20-2021 01:33 PM
The ISE side is the place to look.
Check the config:
auth-port 1812 acct-port 1813
http://www.network-node.com/blog/2015/12/30/switch-configuration-for-dot1x
02-20-2021 01:33 PM - edited 02-20-2021 02:25 PM
Is it just one user on this switch or all users?
Is the switch defined as a NAD in ISE, and with the correct shared secret? This might explain why you see nothing in the logs.
When you say the computer isn't prompting for credentials, what is your supplicant configuration? (provide screenshots). Normally if the computer was joined to AD, you'd pass through the user/computer credentials so you'd never be prompted.
You can use tcpdump on ISE to determine whether the switch is even attempting to communicate with ISE.
HTH
02-20-2021 02:40 PM - edited 02-20-2021 02:59 PM
switchport access vlan 10
switchport mode access
authentication event fail action next-method <- NO NEED
authentication event server dead action authorize vlan 10
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x <- NO NEED
authentication priority dot1x <- NO NEED
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 3
switchport voice vlan <- need this
This is a misconfig.
There are two different methods:
1. mab, which makes the switch fall back to MAB when there is no EAPoL.
2. mab/802.1x order, when you want to go to the next method when the first method fails.
02-20-2021 03:35 PM - edited 02-20-2021 03:37 PM
Is it just one user on this switch or all users?
----- There is only one user on the switch (lab).
Is the switch defined as a NAD in ISE? and with the correct shared secret? This might explain why you see nothing in the logs
----- The switch is defined as a NAD in ISE.
tcpdump on ISE
----- Did not find the switch IP address in this tcpdump file, and the PC has not joined the domain yet.
When you say the computer isn't prompting for credentials, what is your supplicant configuration?
----- Please see the below:
02-20-2021 03:42 PM
Have you considered doing a pcap on the port and validating you are seeing EAPOL messages?
02-20-2021 03:56 PM - edited 02-20-2021 04:14 PM
Did you make the change as I suggested above?
show auth session interface
Share the output so we can see what we get.
02-20-2021 05:18 PM - edited 02-20-2021 05:18 PM
Switch#sh authentication sessions interface fastEthernet 0/5
No Auth Manager contexts currently exist
Switch#
Switch#sh authentication sessions interface fastEthernet 0/3
No Auth Manager contexts currently exist
Switch#
Switch#sh authentication sessions interface fastEthernet 0/2
No Auth Manager contexts currently exist
------------------
interface FastEthernet0/2
switchport access vlan 10
!
interface FastEthernet0/3
switchport access vlan 10
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 10
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 3
02-20-2021 07:45 PM
dot1x system-auth-control <- this is needed
aaa new-model <- this is needed
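The replies in this thread point at a handful of configuration omissions that silently prevent a port from ever sending EAPOL: the missing global `aaa new-model` and `dot1x system-auth-control`, a multi-domain port with no voice VLAN, and the non-standard RADIUS ports. The script below is an added example, not code posted by anyone in the thread, that audits an IOS running-config for exactly those points. The sample config embedded in it is constructed from the config pasted above (with the two global commands absent, as the last reply notes); the check names and messages are my own.

```python
"""Audit a Cisco IOS 802.1X/MAB configuration for the omissions raised in
this thread.  Added example; the sample config is constructed from the one
pasted in the thread, with 'dot1x system-auth-control' and 'aaa new-model'
absent, which is the gap the last reply points out."""
import re

# Constructed sample: the thread's global and interface config, trimmed.
SAMPLE_CONFIG = """\
aaa group server radius Name-dot1x_auth
 server 10.0.10.21 auth-port 1645 acct-port 1646
!
aaa authentication dot1x default group Name-dot1x_auth
aaa authorization network default group Name-dot1x_auth
aaa accounting dot1x default start-stop group Name-dot1x_auth
!
interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
!
radius-server host 10.0.10.21 auth-port 1645 acct-port 1646
radius-server key Cisco123
"""

# Global commands without which the per-port dot1x config is inert.
GLOBAL_REQUIRED = {
    "aaa new-model": "AAA is off, so the 'aaa authentication dot1x' lines do nothing",
    "dot1x system-auth-control": "802.1X is globally disabled; no EAPOL Request-Identity is ever sent",
    "aaa authentication dot1x default": "no dot1x authentication method list",
}


def parse_config(text):
    """Split an IOS config into global lines and per-interface sub-command lists.

    IOS prints sub-commands with a leading space; a '!' or a non-indented
    line ends the current interface block."""
    globals_, interfaces = [], {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line[0].isspace() and current is not None:
            interfaces[current].append(line.strip())
        else:
            if not line[0].isspace():
                current = None
            globals_.append(line.strip())
    return globals_, interfaces


def audit(text):
    """Return a list of (severity, location, message) findings for the config."""
    globals_, interfaces = parse_config(text)
    findings = []
    for cmd, why in GLOBAL_REQUIRED.items():
        if not any(g.startswith(cmd) for g in globals_):
            findings.append(("ERROR", "global", f"missing '{cmd}': {why}"))
    # 1645/1646 are the legacy RADIUS ports; they only work if the server
    # actually listens on them, so flag anything other than 1812/1813.
    for g in globals_:
        m = re.search(r"auth-port (\d+) acct-port (\d+)", g)
        if m and (m.group(1), m.group(2)) != ("1812", "1813"):
            findings.append(("WARN", "global",
                             f"legacy RADIUS ports {m.group(1)}/{m.group(2)} in '{g}'; "
                             "confirm the server listens on them (standard is 1812/1813)"))
    for name, cmds in interfaces.items():
        if not any(c.startswith("authentication port-control auto") for c in cmds):
            continue  # not an authenticating port
        if "dot1x pae authenticator" not in cmds:
            findings.append(("ERROR", name, "port-control auto without 'dot1x pae authenticator'"))
        if ("authentication host-mode multi-domain" in cmds
                and not any(c.startswith("switchport voice vlan") for c in cmds)):
            findings.append(("WARN", name, "multi-domain host mode but no 'switchport voice vlan'"))
    return findings


if __name__ == "__main__":
    for severity, where, msg in audit(SAMPLE_CONFIG):
        print(f"{severity:5} {where:16} {msg}")
```

Run against the sample, the two ERROR findings are the missing global commands from the last reply; prepending them to the config clears the errors and leaves only the voice-VLAN and RADIUS-port warnings, which is a quick way to confirm the port should now start sending EAPOL before reaching for a packet capture.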