04-28-2015 06:02 AM - edited 03-10-2019 10:41 PM
Hello all,
I upgraded one 3750x from version 12.2 55 to 15.0(2)SE7 and I see that some configuration must be changed:
Warning: The CLI will be deprecated soon
'radius-server host xxxxxxxx auth-port 1645 acct-port 1646 test username name key 7 sharedsecret
Please move to 'radius server <name>' CLI.
I tried to adapt the configuration but 802.1x fails:
radius server RADIUS-SRV
 address ipv4 xxxxxxxxxx auth-port 1645 acct-port 1646
 timeout 15
 retransmit 3
 automate-tester username name (username created in global configuration mode)
 key 7 sharedsecret
aaa group server radius RADIUS-SRV
 server-private xxxxxxxxxx key 7 sharedsecret
 ip radius source-interface VlanX
aaa authentication dot1x default group RADIUS-SRV
aaa authorization network default group RADIUS-SRV
Here's the configuration for the interface with an IP phone connected:
authentication event fail action authorize vlan 1
authentication event server dead action authorize vlan 1
authentication event no-response action authorize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation protect
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 5
In the logs, I have the server-dead result (not the message that the switch can't reach the RADIUS server):
Apr 28 12:33:45.075: %AUTHMGR-5-START: Starting 'dot1x' for client (MAC) on Interface Gi1/0/1 AuditSessionID 0A175140000004640014346D
Apr 28 12:34:05.191: %DOT1X-5-FAIL: Authentication failed for client (MAC) on Interface Gi1/0/1 AuditSessionID 0A175140000004640014346D
Apr 28 12:34:05.191: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'dot1x' for client (MAC) on Interface Gi1/0/1 AuditSessionID 0A175140000004640014346D
When I put the old-fashioned config, the IP phone is authenticated without problems; see the capture from the ACS server (attached file 802.1x-OK).
With the new configuration, see attached file 802.1x-NOK; I don't have the same field in the ACS (username field) and I have the message "11036 The Message-Authenticator RADIUS attribute is invalid".
Why doesn't the authentication "come" to the ACS like before with this new configuration? What am I missing?
Thank you
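Added example, not part of the original thread: ACS message 11036 refers to the RADIUS Message-Authenticator attribute (RFC 3579), an HMAC-MD5 over the whole Access-Request keyed with the shared secret, so a receiver that holds a different secret for that client computes a different value and rejects the packet. The function names, secrets and the sample packet below are constructed for illustration.

```python
import hashlib, hmac, os, struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 3579)

def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(secret, ident, username, authenticator=None):
    """Build an 802.1X-style Access-Request signed with `secret` (constructed sample)."""
    authenticator = authenticator or os.urandom(16)
    eap = b"\x02\x01\x00\x0a\x01phone"  # constructed EAP-Response/Identity
    attrs = attr(1, username) + attr(79, eap) + attr(MSG_AUTH, bytes(16))
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs
    # HMAC-MD5 over the whole packet while the attribute value is 16 zero octets
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # Message-Authenticator is the last attribute here

def verify_message_authenticator(secret, pkt):
    """Return True/False for the check, or None if the attribute is absent."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == MSG_AUTH:
            if attr_len != 18:
                raise ValueError("bad Message-Authenticator length")
            # Recompute with the value field zeroed, then compare in constant time
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += attr_len
    return None

if __name__ == "__main__":
    request = build_access_request(b"switch-side-key", 7, b"phone")
    print("same secret on server:", verify_message_authenticator(b"switch-side-key", request))
    print("different secret:     ", verify_message_authenticator(b"server-side-key", request))
```

The same recomputation can be run offline against a captured Access-Request to confirm which of two candidate keys the sender actually used.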
04-29-2015 05:11 AM
Hi avedis,
Can you please check the connectivity between the switch VLAN and the ACS server, and the shared secret key? Please let me know.
Regards
Bikash
04-29-2015 05:42 AM
Hello,
Thank you for your reply. The password is correct on both sides.
Also, when I put the old-fashioned config, dot1x works correctly, so the password is correct.
Regards
05-05-2015 03:44 AM
Hello all,
I modified the configuration and now it's working:
aaa group server radius RADIUS-SRV
 server-private xxxxxxxxxxxx timeout 15 retransmit 3 test username xxxxxxxxx key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 ip radius source-interface xxxxx
!
!
radius server RADIUS-SRV
 address ipv4 xxxxxx auth-port 1645 acct-port 1646
 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
aaa authentication dot1x default group RADIUS-SRV
aaa authorization network default group RADIUS-SRV
Regards
06-10-2015 07:52 AM
Hi,
I see you are using
command.
I did some tests and registered this behaviour.
If a RADIUS server has been marked alive, the switch waits for the configured deadtime interval and then for the
06-10-2015 11:35 AM
Hello,
The timeout is in seconds, not in minutes. When I put "timeout 15 retransmit 3" it says that if the RADIUS service is unavailable it will time out after 15 seconds * 3 times = 45 sec:
sh aaa dead-criteria radius xxxxxxxxxxxxxxxxx
RADIUS: No server group specified. Using radius
RADIUS Server Dead Critieria:
=============================
Server Details:
Address : xxxxxxxxxxxxxxxx
Auth Port : 1645
Acct Port : 1646
Server Group : radius
Dead Criteria Details:
Configured Retransmits : 3
Configured Timeout : 5
Estimated Outstanding Transactions: 0
Dead Detect Time : 15s
Computed Retransmit Tries: 3
Regards