12-03-2013 12:42 PM - edited 03-10-2019 09:09 PM
Hi All,
I am testing a lab environment to deploy NAP using Windows Server 2008 with the NAP role enabled and RADIUS referring to a 3560 access switch.
I can get authorized on my port:
interface FastEthernet0/11
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x reauthentication
 spanning-tree portfast
end
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa nas port extended
no radius-server attribute nas-port
radius-server host 10.40.10.10 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key 7 094F471A1A0A3743595F
radius-server vsa send accounting
radius-server vsa send authentication
!
And this is the network policy I have configured on the NPS server:
And for vendor specific:
I am asking what exactly is the value required to be written in this box?
I typed many values (9, 1, Cisco and finally Cisco-NAS-Port).
I am getting these debug messages:
ot1x_vlan_assign_authz_fail on interface FastEthernet
dot1x-ev:dot1x_switch_addr_remove: Did not locate HA entry for MAC
dot1x-ev:dot1x_vlan_assign_authz_fail on interface FastEthernet
dot1x-ev:No reply attributes received from AAA for 001c.2318.7971
Dec 3 22:29:50: dot1x-ev:Sending create new context event to EAP for 001c.2318.7971
.Dec 3 22:29:50: dot1x-ev:FastEthernet0/11:Sending EAPOL packet to group PAE address
.Dec 3 22:29:50: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
.Dec 3 22:29:50: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/11
.Dec 3 22:29:50: dot1x-ev:dot1x_switch_port_unauthorized: Unauthorizing interface FastEthernet0/11
.Dec 3 22:29:50: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/11
.Dec 3 22:29:50: dot1x-ev:dot1x_switch_addr_remove: Did not locate HA entry for MAC 001c.2318.7971 on interface FastEthernet0/11
.Dec 3 22:29:50: dot1x-ev:dot1x_vlan_assign_client_deleted for 001c.2318.7971 on interface FastEthernet0/11
.Dec 3 22:29:50: dot1x-ev:dot1x_vlan_assign_client_deleted: Ignoring client 001c.2318.7971 on FastEthernet0/11, domain is data
.Dec 3 22:29:50: dot1x-ev:Sending create new context event to EAP for 0000.0000.0000
.Dec 3 22:29:50: dot1x-ev:Created a client entry for the supplicant 0000.0000.0000
.Dec 3 22:29:50: dot1x-ev:Created a default authenticator instance on FastEthernet0/11
Actually, I have been working on this task for 6 days and cannot get authenticated. Can anyone guide me through this task?
#show radius st
                                 Auth.      Acct.       Both
Maximum inQ length:                 NA         NA          1
Maximum waitQ length:               NA         NA          2
Maximum doneQ length:               NA         NA          1
Total responses seen:              572          0        572
Packets with responses:            572          0        572
Packets without responses:           2          0          2
Average response delay(ms):         15          0         15
Maximum response delay(ms):       1082          0       1082
Number of Radius timeouts:           8          0          8
Duplicate ID detects:                0          0          0
Buffer Allocation Failures:          0          0          0
Maximum Buffer Size (bytes):       680          0        680
Source Port Range: (2 ports only)
    1645 - 1646
Last used Source Port/Identifier:
    1645/152
    1646/0
aadi1-SW-4-24#show dot1x int fa0/11 d
Dot1x Info for FastEthernet0/11
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Enabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Dot1x Authenticator Client List
-------------------------------
Domain = DATA
Supplicant = 001c.2318.7971
Auth SM State = HELD
Auth BEND SM State = IDLE
Port Status = UNAUTHORIZED
ReAuthPeriod = 3600
ReAuthAction = Reauthenticate
TimeToNextReauth = 0
Authentication Method = Dot1x
BR,
Mahmoud Abd El-Wahed
12-04-2013 01:10 AM
Sorry for not uploading the images:
12-07-2013 06:47 PM
Hi Mahmoud,
These are your VLAN assignment attributes that you have to use.
They are not vendor specific; they can be found as part of the default IETF dictionary.
Regards
Ed
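Added example, not part of the original thread or either poster's configuration: RFC 3580 defines the IETF attributes used for 802.1X VLAN assignment as Tunnel-Type (64) = VLAN (13), Tunnel-Medium-Type (65) = 802 (6) and Tunnel-Private-Group-ID (81) = the VLAN ID or name. The Python below parses the attribute section of a RADIUS reply and checks for those three; the sample bytes, the VLAN "20" and all function names are constructed for illustration.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # values RFC 3580 uses for 802.1X VLAN assignment

def attr(atype, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return bytes([atype, len(value) + 2]) + value

def parse_attributes(data):
    """Split a RADIUS attribute section into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs

def tagged_int(value):
    """Tunnel-Type and Tunnel-Medium-Type carry a tag octet plus a 3-octet integer."""
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 octets")
    return int.from_bytes(value[1:], "big")

def vlan_assignment(attrs):
    """Return (vlan, problems); vlan is None unless all three attributes check out."""
    by_type, problems = dict(attrs), []
    for atype, name, want in ((TUNNEL_TYPE, "Tunnel-Type", VLAN),
                              (TUNNEL_MEDIUM_TYPE, "Tunnel-Medium-Type", IEEE_802)):
        if atype not in by_type:
            problems.append(f"{name} missing")
        elif tagged_int(by_type[atype]) != want:
            problems.append(f"{name} is {tagged_int(by_type[atype])}, expected {want}")
    group = by_type.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group[:1] and group[0] <= 0x1F:  # a leading octet 0x00-0x1F is a tag, not text
        group = group[1:]
    if not group:
        problems.append("Tunnel-Private-Group-ID missing")
    return (None if problems else group.decode("ascii", "replace")), problems

# Constructed samples: attribute sections of two Access-Accept replies.
GOOD = attr(64, b"\x00\x00\x00\x0d") + attr(65, b"\x00\x00\x00\x06") + attr(81, b"20")
VSA_ONLY = attr(26, (9).to_bytes(4, "big") + attr(1, b"Cisco-NAS-Port"))

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("vsa-only", VSA_ONLY)):
        print(label, vlan_assignment(parse_attributes(raw)))
```
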