15450 Views, 3 Helpful, 10 Replies

Port-Authentication (dot1x) not working

Thomas Schaefer
Community Member

Hello,


Windows sends EAPOL and there is no answer from the switch.

This has worked for a few weeks.
What can I do?


show auth sess int Gi121/1/0/9
Interface: GigabitEthernet121/1/0/9
MAC Address: Unknown
IP Address: Unknown
User-Name: UNRESPONSIVE
Status: Running
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0EXXXXXXXXXXXXXX
Acct Session ID: 0x000XXXXX
Handle: 0x2XXXXX

Runnable methods list:
Method State
dot1x Running

1 Accepted Solution

Accepted Solutions

chrisdale
Level 1

From the information above, it looks like you are missing a key piece of config.

Have you applied this command? It globally turns on dot1x:

dot1x system-auth-control 


10 Replies

nspasov
Cisco Employee

We will need more information before we can help you troubleshoot this issue:

- Switch configs (Ports and Radius)

- Debug output from (debug radius authentication)

- Type of Radius used 

- How is the Windows supplicant configured (EAP-TLS, PEAP, etc)

Thank you for rating helpful posts!

Hi,

MAB is working.

Dot1x doesn't work.


Q- Type of Radius used
A- Windows 2008 R2 NPS


Q- How is the Windows supplicant configured (EAP-TLS, PEAP, etc)
A- EAP-TLS


------------------ Version ------------------

Cisco IOS Software, s2t54 Software (s2t54-ADVENTERPRISEK9-M), Version 15.1(2)SY3, RELEASE SOFTWARE (fc4)

------------------ RADIUS-config ------------------

aaa group server radius rad_admin
 server name nps01
 server name nps02
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
 ip vrf forwarding management
 ip radius source-interface Loopback0
 load-balance method least-outstanding
!
aaa group server radius rad_eap
 server name nps01
 server name nps02
 ip vrf forwarding management
 ip radius source-interface Loopback0
 load-balance method least-outstanding
!
aaa group server radius rad_acct
 server name nps01
 server name nps02
 ip vrf forwarding management
 ip radius source-interface Loopback0
 load-balance method least-outstanding
!
aaa authentication login default cache rad_admin group rad_admin local
aaa authentication dot1x default group rad_eap
aaa authorization exec default cache rad_admin group rad_admin local
aaa authorization network default group rad_eap
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group rad_acct
aaa accounting network default start-stop group rad_acct
aaa cache profile admin_cache
 all
aaa session-id common

radius-server attribute 32 include-in-access-req format %h
radius-server retry method reorder
radius server nps01
 address ipv4 192.168.0.15 auth-port 1645 acct-port 1646
 automate-tester username cs1-vi1 idle-time 5
 key 7 <removed>
radius server nps02
 address ipv4 192.168.0.16 auth-port 1645 acct-port 1646
 automate-tester username cs1-vi1 idle-time 5
 key 7 <removed>


------------------IA6800 Port-config ------------------

!
interface GigabitEthernet121/1/0/9
 switchport
 switchport trunk allowed vlan none
 switchport mode access
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 storm-control broadcast level 0.05
 flowcontrol receive on
!

THX

Can you:

1. Post the debug output from "debug radius authentication". You can use a "condition" for the interface that you are working with so you limit the logs.

2. Add the following commands to the switchport you are working with:

 spanning-tree portfast
 spanning-tree bpduguard enable
 authentication control-direction both
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication order dot1x mab


Hi,

here is the output.

Thanks for the output. I have a few more questions:

- What is the switch make/model? I am guessing Cisco 6500 but just making sure

- Did you try enabling the commands that I suggested above

- Do you happen to have any unmanaged switches/hubs that would sit between the Cisco 6500 switch and the end station


Q - What is the switch make/model? I am guessing Cisco 6500 but just making sure
A - Yes, 6500-E / Sup2T and ia6800.


Q - Did you try enabling the commands that I suggested above
A - Yes, the commands are not working.
      (On a WS-X6848-GE-TX port it works)

Q - Do you happen to have any unmanged switches/hubs that would sit between the Cisco 6500 switch and the end station
A - No

----------------

Extender Model: C6800IA-48FPD

FEX version: 15.0(2)EX6

 

Supervisor Engine 2T

Version 15.1(2)SY3

Hmm, I am out of ideas here. I wonder if you are running into some bug because the commands that I listed are mandatory for some 802.1x functionality. I would suggest you open a case with TAC. Let us know how it goes!


Vern Brinkman
Community Member

Hello,

Glad to see a fresh post; usually they are years old, not hours.

My dot1x isn't working either: it allows access without any authentication with the configs below.

I am running 12.2(33)SXI13.

 

interface GigabitEthernet3/34
 description c-41 cube 239
 switchport
 switchport access vlan 903
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
end

show dot1x all

Dot1x Info for GigabitEthernet3/34
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST

QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30


Vern, please read my previous comments and provide answers to the same questions 🙂

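The check chrisdale's accepted solution points at, applied to both port configurations posted in this thread (Thomas's Gi121/1/0/9 and Vern's Gi3/34), as an added example that is not code from the thread or from Cisco. It parses a running-config the way a practitioner would before opening a TAC case and reports the global lines without which per-port dot1x configuration is inert. The sample config is reconstructed from the two posts with an assumed `aaa new-model` line and a third, non-dot1x interface of my own; the global `dot1x system-auth-control` line is deliberately left out of `BROKEN_CONFIG` so the audit shows what `show authentication sessions` cannot. The per-port warnings reuse the commands nspasov suggested above; all function and constant names are mine. The message the check emits for the missing global line matches the symptom Vern reports on Gi3/34, although nothing in the thread confirms that is his cause.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the two port configs posted in this thread plus an assumed
# 'aaa new-model'; the global 'dot1x system-auth-control' is deliberately absent.
BROKEN_CONFIG = """\
aaa new-model
aaa authentication dot1x default group rad_eap
!
interface GigabitEthernet121/1/0/9
 switchport mode access
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
interface GigabitEthernet3/34
 switchport access vlan 903
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree portfast
!
"""
# Same config with the one global line the accepted solution asks about.
FIXED_CONFIG = "dot1x system-auth-control\n" + BROKEN_CONFIG

@dataclass
class Finding:
    scope: str     # "global" or an interface name
    severity: str  # "error": auth cannot happen; "warning": hardening only
    message: str

# Global lines without which per-port dot1x configuration is inert.
REQUIRED_GLOBAL = {
    "aaa new-model": "AAA is off, so the dot1x method lists are never consulted",
    "dot1x system-auth-control": "802.1X is off globally, so 'authentication "
        "port-control auto' is ignored and the port forwards unauthenticated",
    "aaa authentication dot1x default": "no dot1x method list to relay EAP to RADIUS",
}
# Per-port lines nspasov asked for above (hardening, not the blocker).
RECOMMENDED_PORT = ("spanning-tree portfast", "spanning-tree bpduguard enable",
                    "authentication order dot1x mab",
                    "authentication event fail action next-method")

def parse_ios_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global lines and {interface: [sub-commands]}.
    A '!' line or any non-indented line ends the current interface block."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces

def dot1x_ports(interfaces: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Interfaces that ask for authentication at all."""
    return {n: l for n, l in interfaces.items()
            if "authentication port-control auto" in l or "dot1x pae authenticator" in l}

def audit(text: str) -> List[Finding]:
    """Findings to check before blaming the RADIUS server or the supplicant."""
    global_lines, interfaces = parse_ios_config(text)
    ports = dot1x_ports(interfaces)
    findings: List[Finding] = []
    if not ports:
        return findings  # nothing asks for authentication; nothing to check
    for prefix, why in REQUIRED_GLOBAL.items():
        if not any(g.startswith(prefix) for g in global_lines):
            findings.append(Finding("global", "error", f"missing '{prefix}': {why}"))
    for name, lines in ports.items():
        if "authentication port-control auto" not in lines:
            findings.append(Finding(name, "error",
                "no 'authentication port-control auto'; port stays force-authorized"))
        if "dot1x pae authenticator" not in lines and "mab" not in lines:
            findings.append(Finding(name, "error",
                "port-control auto with neither dot1x nor mab enabled"))
        for cmd in RECOMMENDED_PORT:
            if cmd not in lines:
                findings.append(Finding(name, "warning", f"missing '{cmd}'"))
    return findings

if __name__ == "__main__":
    for label, cfg in (("BROKEN", BROKEN_CONFIG), ("FIXED", FIXED_CONFIG)):
        print(f"== {label} ==")
        for f in audit(cfg):
            print(f"{f.severity:7} {f.scope:26} {f.message}")
```

Run it as a script to print the findings for both configs. The point to notice is that `BROKEN_CONFIG` yields a single global error and `FIXED_CONFIG` yields none, while the portfast/bpduguard/order warnings on both authenticating ports stay the same in either case: they are worth adding, but as the thread shows, they were never what kept the switch from answering EAPOL.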
