PC user cannot get response from ISE

eigrpy · ‎02-20-2021

Hello, The below is configuration on switch3560 and its port for 802.1x. The PC adapter is configured with authentication and enable IEEE 802.1x, but when the PC plugged into the switch port, the PC cannot get any response to promote to enter any credential . Anyone can give some suggestion? Thank you

aaa group server radius Name-dot1x_auth
server 10.0.10.21 auth-port 1645 acct-port 1646
!
aaa authentication dot1x default group Name-dot1x_auth
aaa authorization network default group Name-dot1x_auth
aaa accounting update newinfo
aaa accounting dot1x default start-stop group Name-dot1x_auth
!
!
aaa server radius dynamic-author
client 10.0.10.21 server-key Cisco123
!
aaa session-id common
system mtu routing 1500
mab request format attribute 32 vlan access-vlan
!

interface FastEthernet0/3
switchport access vlan 10
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 10
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 3

radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf
radius-server dead-criteria tries 2
radius-server host 10.0.10.21 auth-port 1645 acct-port 1646
radius-server key Cisco123
radius-server vsa send accounting
radius-server vsa send authentication

balaji.bandi · ‎02-20-2021

the config is missed here - Look at ISE LiveLogs what you see there ? on the switch, is the Port come up ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

eigrpy · ‎02-20-2021

Thank you for your reply. no logs message over there.

Going to Operations----> Radius or Tacacs -----> Live Logs or Live Sessions

Is this a good way to check?

balaji.bandi · ‎02-20-2021

ISE side that is the place to look -

check the config :

auth-port 1812 acct-port 1813

http://www.network-node.com/blog/2015/12/30/switch-configuration-for-dot1x

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Rob Ingram · ‎02-20-2021

@eigrpy

Is it just one user on this switch or all users?

Is the switch defined as a NAD in ISE? and with the correct shared secret? This might explain why you see nothing in the logs.

When you say the computer isn't prompting for credentials, what is your supplicant configuration? (provide screenshots). Normally if the computer was joined to AD, you'd pass through the user/computer credentials so you'd never be prompted.

You can use tcpdump on ISE to determine whether the switch is even attempting to communicate with ISE.

HTH

MHM Cisco World · ‎02-20-2021

switchport access vlan 10

switchport mode access

authentication event fail action next-method<-NO NEED

authentication event server dead action authorize vlan 10

authentication event server dead action authorize voice

authentication event server alive action reinitialize

authentication host-mode multi-domain

authentication order mab dot1x<- NO NEED

authentication priority dot1x<-NO NEED

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

authentication violation restrict

mab

dot1x pae authenticator

dot1x timeout tx-period 3
switch port voice vlan <-need this

this misconfig
there are two different method
1-mab which is make SW fallback to mac when there is no EAPoL
2-mab 802.1x order when there you want to next method when first method failed.

eigrpy · ‎02-20-2021

@Rob Ingram

Is it just one user on this switch or all users?

----- there is only one users on the switch(lab)

Is the switch defined as a NAD in ISE? and with the correct shared secret? This might explain why you see nothing in the logs

----- the switch is defined as NAD in the ISE

tcpdump on ISE

----- Did not find the switch ip address in this tcpdump file, and the PC have not joined the domain yet

When you say the computer isn't prompting for credentials, what is your supplicant configuration?

----- Please see the below:

Damien Miller · ‎02-20-2021

Have you considered doing a pcap on the port and validating you are seeing EAPOL messages?

MHM Cisco World · ‎02-20-2021

Do you make change as i suggest above

show auth session interface

share the output to see what we get

eigrpy · ‎02-20-2021

Switch#sh authentication sessions interface fastEthernet 0/5
No Auth Manager contexts currently exist
Switch#
Switch#sh authentication sessions interface fastEthernet 0/3
No Auth Manager contexts currently exist
Switch#
Switch#sh authentication sessions interface fastEthernet 0/2
No Auth Manager contexts currently exist

------------------

interface FastEthernet0/2
switchport access vlan 10
!
interface FastEthernet0/3
switchport access vlan 10
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 10
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 3

MHM Cisco World · ‎02-20-2021

dot1x system-auth-control <- this need
aaa new model <- this need