08-31-2015 06:57 PM - edited 03-10-2019 11:00 PM
We are going to implement dot1x authentication and I'm doing some tests right now.
I had it working before configuring some other ISE features, but now when I boot up a computer connected to a port, Operations > Authentication in ISE shows the authentication is successful and the DACL is passed down, but then a message stating the session was terminated appears and the computer on the other end says "Network cable unplugged".
If I do a "no dot1x pae authenticator" on the switch on the configured dot1x port, it turns it off and the computer connects to the network and internet without restriction.
If anyone has an idea what it may be, I would really appreciate it!
I'm using ISE 1.2 and Windows 7 workstations.
Below is my switch configuration, since reading up suggests it may be the switch terminating the connection even though the Operations > Authentication page log says it authenticates and receives the DACL.
--------------------------------------
show run
Building configuration...
Current configuration : 5480 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SweetSwitch
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$1yeW$t6lWFNMNwFY0yMdAaBGAB1
!
username tspec privilege 15 secret 5 $1$EG0E$6UhO2qa3Ov7Z6oyRl6wN0/
username cisco privilege 15 secret 5 $1$BJnp$C4HSFMujgw.mmpdI3KBVZ0
!
!
aaa new-model
!
!
aaa group server radius ISE-group
server 192.168.5.211 auth-port 1812 acct-port 1813
!
aaa authentication login default enable
aaa authentication login FREE none
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
!
aaa server radius dynamic-author
client 192.168.5.211 server-key cisco
!
aaa session-id common
clock timezone EST -5
system mtu routing 1500
ip domain-name cucm9.local
!
!
ip device tracking
!
!
crypto pki trustpoint TP-self-signed-425773056
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-425773056
revocation-check none
rsakeypair TP-self-signed-425773056
!
!
crypto pki certificate chain TP-self-signed-425773056
certificate self-signed 01
quit
dot1x system-auth-control
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface FastEthernet0/25
!
interface FastEthernet0/26
!
interface FastEthernet0/27
!
interface FastEthernet0/28
!
interface FastEthernet0/29
!
interface FastEthernet0/30
!
interface FastEthernet0/31
!
interface FastEthernet0/32
switchport mode access
authentication host-mode multi-auth
authentication open
authentication order mab dot1x webauth
authentication priority dot1x mab webauth
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
spanning-tree portfast
!
interface FastEthernet0/33
!
interface FastEthernet0/34
!
interface FastEthernet0/35
!
interface FastEthernet0/36
!
interface FastEthernet0/37
!
interface FastEthernet0/38
!
interface FastEthernet0/39
!
interface FastEthernet0/40
!
interface FastEthernet0/41
!
interface FastEthernet0/42
!
interface FastEthernet0/43
!
interface FastEthernet0/44
!
interface FastEthernet0/45
!
interface FastEthernet0/46
!
interface FastEthernet0/47
!
interface FastEthernet0/48
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface Vlan1
ip address 192.168.5.213 255.255.255.0
!
ip default-gateway 192.168.5.254
ip classless
ip http server
ip http secure-server
!
!
ip access-list extended BLOCK200
deny icmp any host 192.168.5.200
permit ip any any
ip access-list extended DEFAULT_ACL
permit ip any host 192.168.5.211
permit ip any host 192.168.5.200
permit tcp any any eq domain
permit udp any any eq domain
ip access-list extended REDIRECT
permit tcp any any eq www
permit tcp any any eq 443
ip access-list extended TEST
permit ip any any
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server host 192.168.5.211 auth-port 1812 acct-port 1813
radius-server key cisco
radius-server vsa send accounting
radius-server vsa send authentication
!
!
line con 0
line vty 0 4
logging synchronous
line vty 5 15
logging synchronous
!
end
09-01-2015 10:05 AM
Firstly, you are running in open mode, and you have some ACLs defined, but none of those are set on your interface (usually called a pre-auth ACL); why not?
If your switch is running older IOS software (can't remember specifically when this happened), you can't assign an ACL, if there isn't one applied already on the interface.
What does "show auth session int <pc port>" tell you? Try issuing the command before, during and after authentication succeeds. If this doesn't give anything interesting, try "debug aaa authorization" and see what happens.
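An added configuration audit (not code from the original thread) that turns the reply's first point into a check you can run over a saved `show run`: it flags every port in `authentication port-control auto` that has no ingress `ip access-group ... in`, or whose ingress ACL is never defined. The sample config is constructed from the poster's Fa0/32 stanza plus two hypothetical neighbours, one corrected and one referencing a missing ACL.

```python
import re

# Constructed sample modelled on the post's switch config: Fa0/32 is the
# poster's port (open mode, no pre-auth ACL); Fa0/33 is the corrected form;
# Fa0/34 is hypothetical and points at an ACL that does not exist.
SAMPLE_CONFIG = """\
ip access-list extended DEFAULT_ACL
 permit ip any host 192.168.5.211
 permit udp any any eq domain
!
interface FastEthernet0/32
 switchport mode access
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface FastEthernet0/33
 switchport mode access
 ip access-group DEFAULT_ACL in
 authentication open
 authentication port-control auto
 dot1x pae authenticator
!
interface FastEthernet0/34
 switchport mode access
 ip access-group MISSING_ACL in
 authentication port-control auto
 dot1x pae authenticator
!
"""

def parse_config(text):
    """Split an IOS running-config into (defined ACL names, {interface: [lines]})."""
    acls, ifaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"ip access-list (?:extended|standard) (\S+)", line)
        if m:
            acls.add(m.group(1)); current = None; continue
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1); ifaces[current] = []; continue
        if line == "!":
            current = None          # end of the current stanza
        elif current is not None:
            ifaces[current].append(line)
    return acls, ifaces

def audit_preauth_acl(text):
    """Return {interface: finding} for authenticator ports lacking a usable ingress ACL."""
    acls, ifaces = parse_config(text)
    findings = {}
    for name, lines in ifaces.items():
        if "authentication port-control auto" not in lines:
            continue                # not an 802.1X/MAB authenticator port
        acl = next((l.split()[2] for l in lines
                    if l.startswith("ip access-group") and l.endswith(" in")), None)
        if acl is None:
            findings[name] = "no pre-auth ACL: a dACL from ISE may fail to apply on older IOS"
        elif acl not in acls:
            findings[name] = f"ingress ACL {acl} is not defined in this config"
    return findings
```

Run it against the real `show run` output of each access switch before rolling 802.1X out; a port that shows up here is the one to look at first when ISE reports success but the session still terminates.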