04-30-2018 08:10 AM - edited 02-21-2020 10:54 AM
I am attempting to deploy 802.1x to my VPN sites, my NPS has the ports allowed on both inbound and outbound rules.
I am using 1812 for Authentication and 1813 for accounting (although 1645 and 1646 are also allowed on the NPS ports).
On a Cisco 3850-48P (139.139.210.18) on interface G1/0/21 I have a machine and a phone.
If I configure 802.1x here at my campus (a network which is directly connected to RADIUS) I can authenticate with no problems. So it is not a server issue.
The phone is only authenticating since I have the "trust device cisco-phone" command enabled.
Interface info:
description USER_DOT1X
switchport access vlan 120
switchport mode access
switchport voice vlan 3120
trust device cisco-phone
authentication control-direction in
authentication event fail retry 3 action authorize vlan 65
authentication event server dead action authorize vlan 120
authentication event no-response action authorize vlan 67
authentication host-mode multi-domain
authentication order mab dot1x
authentication port-control auto
authentication timer restart 65535
authentication violation restrict
mab
no snmp trap link-status
dot1x pae authenticator
spanning-tree portfast
I can ping my server (147.36.34.164), and I quadruple checked that the shared-secrets were identical.
Once 802.1x is enabled, the debugging capture authenticates the phone due to it being a "trusted device" but still says "Check network"; the machine does not authenticate. Here is my output: **I have omitted irrelevant lines**
See attached for the full notepad log and other commands.
05-01-2018 12:52 AM
Your switch logs say access-reject received from RADIUS server; what do the logs in your RADIUS server say?
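The reply above draws the key distinction: an Access-Reject that the switch can verify means the RADIUS server really evaluated the request and its policy refused the client, so the answer is in the server's log; an unverifiable reply (or no reply at all) points at transport or shared-secret problems instead. The following is an added example, not code from the original thread, that builds a RADIUS Access-Reject the way RFC 2865 section 3 defines the Response Authenticator (MD5 over Code + ID + Length + RequestAuthenticator + Attributes + Secret) and checks a received reply against it. Every value in it (the secret, the request authenticator, the username, the packet identifier) is constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes from RFC 2865 section 3
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}


def attribute(atype, value):
    """Encode one RADIUS attribute: Type (1 byte), Length (1 byte, includes header), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_packet(code, identifier, authenticator, attributes=b""):
    """Serialize a RADIUS packet: 4-byte header, 16-byte Authenticator, then attributes."""
    length = 20 + len(attributes)
    return struct.pack("!BBH", code, identifier, length) + authenticator + attributes


def response_authenticator(code, identifier, attributes, request_authenticator, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def build_response(code, identifier, request_authenticator, secret, attributes=b""):
    """Build an Accept/Reject/Challenge the way a RADIUS server (e.g. NPS) would."""
    auth = response_authenticator(code, identifier, attributes, request_authenticator, secret)
    return build_packet(code, identifier, auth, attributes)


def parse_packet(data):
    """Split a packet into (code, identifier, authenticator, attributes)."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    return code, identifier, data[4:20], data[20:length]


def verify_response(response, request_authenticator, secret):
    """True if the reply's Response Authenticator matches our request and shared secret."""
    code, identifier, authenticator, attributes = parse_packet(response)
    expected = response_authenticator(code, identifier, attributes, request_authenticator, secret)
    return hmac.compare_digest(authenticator, expected)


def classify_response(response, request_authenticator, secret):
    """Verdict a NAS (the switch) would reach about a reply it received."""
    code, _, _, _ = parse_packet(response)
    name = CODES.get(code, "code %d" % code)
    if not verify_response(response, request_authenticator, secret):
        return "%s with bad Response Authenticator: shared secret mismatch or spoofed reply" % name
    return "authentic %s" % name


def demo():
    """Constructed exchange: one Access-Request, then the server's Access-Reject for it."""
    secret = b"constructed-shared-secret"          # constructed, not a real secret
    request_auth = bytes(range(16))                # a real NAS picks 16 random bytes per request
    request = build_packet(1, 7, request_auth, attribute(1, b"constructed-user"))
    reject = build_response(3, 7, request_auth, secret, attribute(18, b"Check network"))
    return {
        "request_code": CODES[parse_packet(request)[0]],
        "right_secret": classify_response(reject, request_auth, secret),
        "wrong_secret": classify_response(reject, request_auth, b"some-other-secret"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Run as a script it prints that the same Access-Reject verifies under the configured secret and fails under a different one. In practice a mismatched secret often shows up one step earlier, as the server silently discarding the request, so "no reply at all" and "reply fails the authenticator check" are both transport-side symptoms, whereas a reply that verifies and still says Access-Reject is a policy decision to read out of the server's own log.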