Wired 802.1x Switch doesn't respond with EAP message

wushuming
Level 1

Hi,

I am encountering a problem with wired 802.1x. The setup is PC -- Switch -- NPS.
The switch receives EAPOL packets from a Windows 10 PC, but it never replies with an EAP message, as per my monitor capture.

The switch model is 4507R+E, with IOS "cat4500e-universalk9.SPA.03.08.06.E.152-4.E6.bin".

If I configure the same on a 3560G switch, it works well.

The dot1x configuration of the switch:
=================================================================
(config)# aaa authentication dot1x default group radius
(config)# dot1x system-auth-control

(config)# aaa group server radius RMS01
(config-sg-radius)# server name RMS01
(config-sg-radius)# ip radius source-interface Vlan30

(config)# radius server RMS01
(config-radius-server)# address ipv4 10.x.x.x auth-port 1645 acct-port 1646
(config-radius-server)# key 7 047055512312323434645634

(config-if)# switchport access vlan 10
(config-if)# switchport mode access
(config-if)# access-session port-control auto
(config-if)# dot1x pae authenticator
=================================================================

Debug output:
=================================================================

004347: Jan 22 03:23:23.212: dot1x-ev:[Gi6/5] Interface state changed to UP
004348: Jan 22 03:23:23.221: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet6/5
Switch#
004349: Jan 22 03:23:27.483: dot1x-packet:[2047.47b8.3782, Gi6/5] queuing an EAPOL pkt on Auth Q
004350: Jan 22 03:23:27.483: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x1
004351: Jan 22 03:23:27.483: dot1x-packet: length: 0x0000
004352: Jan 22 03:23:27.483: dot1x-ev:[Gi6/5] Dequeued pkt: Int Gi6/5 CODE= 0,TYPE= 0,LEN= 0

004353: Jan 22 03:23:27.483: dot1x-ev:[Gi6/5] Received pkt saddr =2047.47b8.3782 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
004354: Jan 22 03:23:27.483: dot1x-ev:[Gi6/5] Couldn't find the supplicant in the list
004355: Jan 22 03:23:27.483: dot1x-ev:[2047.47b8.3782, Gi6/5] New client detected, sending session start event for 2047.47b8.3782
Switch#
004356: Jan 22 03:23:32.483: dot1x-packet:[2047.47b8.3782, Gi6/5] queuing an EAPOL pkt on Auth Q
004357: Jan 22 03:23:32.483: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x1
004358: Jan 22 03:23:32.483: dot1x-packet: length: 0x0000
004359: Jan 22 03:23:32.483: dot1x-ev:[Gi6/5] Dequeued pkt: Int Gi6/5 CODE= 0,TYPE= 0,LEN= 0

004360: Jan 22 03:23:32.483: dot1x-ev:[Gi6/5] Received pkt saddr =2047.47b8.3782 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
004361: Jan 22 03:23:32.483: dot1x-ev:[Gi6/5] Couldn't find the supplicant in the list
004362: Jan 22 03:23:32.483: dot1x-ev:[2047.47b8.3782, Gi6/5] New client detected, sending session start event for 2047.47b8.3782

=================================================================

Switch#show dot1x all
Sysauthcontrol Enabled
Dot1x Protocol Version 3

Dot1x Info for GigabitEthernet6/5
-----------------------------------
PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30

Switch#show dot1x statistics
Dot1x Global Statistics for
--------------------------------------------
RxStart = 0 RxLogoff = 0 RxResp = 0 RxRespID = 0
RxReq = 0 RxInvalid = 0 RxLenErr = 0
RxTotal = 535

TxStart = 0 TxLogoff = 0 TxResp = 0
TxReq = 0 ReTxReq = 0 ReTxReqFail = 0
TxReqID = 0 ReTxReqID = 0 ReTxReqIDFail = 0
TxTotal = 0

Please kindly advise. Thanks!
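For the symptom in this post (EAPOL frames arriving on the port, nothing transmitted back), here is an added example that is not part of the thread: it decodes the pae-ether-type field the dot1x debug prints and reads the show dot1x statistics counters to classify what the authenticator is doing. The rules in diagnose() are my own interpretation of the counters, not a Cisco definition.

```python
import re

# EAPOL packet types from IEEE 802.1X (standard values).
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

def decode_pae_field(field):
    """Decode the 'pae-ether-type' value the dot1x debug prints: the EtherType
    followed by the 4-byte EAPOL header (version, type, body length)."""
    raw = bytes.fromhex(field.replace(".", ""))
    if len(raw) < 6:
        raise ValueError("expected EtherType plus a 4-byte EAPOL header")
    return {"ethertype": int.from_bytes(raw[0:2], "big"), "version": raw[2],
            "type": EAPOL_TYPES.get(raw[3], "unknown(%d)" % raw[3]),
            "body_len": int.from_bytes(raw[4:6], "big")}

def decode_debug_line(line):
    """Extract and decode the pae-ether-type field of a 'Received pkt' debug line."""
    m = re.search(r"pae-ether-type = ([0-9a-fA-F.]+)", line)
    return decode_pae_field(m.group(1)) if m else None

def parse_stats(text):
    """Turn the 'Name = value' pairs of 'show dot1x statistics' into a dict."""
    return {k: int(v) for k, v in re.findall(r"(\w+) = (\d+)", text)}

def diagnose(stats):
    """Classify the authenticator's behaviour from the global counters (own heuristic)."""
    if stats.get("RxTotal", 0) == 0:
        return "no EAPOL received: supplicant silent or port not running dot1x"
    if stats.get("TxTotal", 0) == 0:
        return "EAPOL received but nothing transmitted: authenticator not engaged on the port"
    if stats.get("TxReqID", 0) > 0 and stats.get("RxRespID", 0) == 0:
        return "identity requests sent but no response: supplicant not answering"
    return "EAP exchange in progress"

# Sample input taken from the debug output and counters posted above.
DEBUG_LINE = ("004353: Jan 22 03:23:27.483: dot1x-ev:[Gi6/5] Received pkt saddr =2047.47b8.3782 , "
              "daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000")
STATS_4500 = """RxStart = 0 RxLogoff = 0 RxResp = 0 RxRespID = 0
RxReq = 0 RxInvalid = 0 RxLenErr = 0
RxTotal = 535
TxStart = 0 TxLogoff = 0 TxResp = 0
TxReq = 0 ReTxReq = 0 ReTxReqFail = 0
TxReqID = 0 ReTxReqID = 0 ReTxReqIDFail = 0
TxTotal = 0"""

if __name__ == "__main__":
    print(decode_debug_line(DEBUG_LINE))   # EAPOL-Start, version 1, empty body
    print(diagnose(parse_stats(STATS_4500)))
```

The decoded frame is an EAPOL-Start (type 0x1, body length 0), so the supplicant is asking to authenticate and the switch, with TxTotal at 0, is the side that is not answering.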

1 Accepted Solution

Nidhi
Cisco Employee

Please refer to the Secure Wired Access deployment guide for all the necessary configurations.

Thanks,

Nidhi

3 Replies

Your switch port config needs to be configured in this way.

dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet6/5

Also make sure your PC is running EAP (dot1x).

interface gig1/0/x
 switchport mode access
 switchport host
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail next-method
 authentication host-mode multi-auth
 dot1x pae authenticator
 shutdown
 no shutdown

Please do not forget to rate.

Hi Sheraz,

Thanks for the reply.

Yeah, my PC is running 802.1x and it works well with the 3560 switch.

However, I only use 802.1x for authentication, not MAB. If the PC fails 802.1x, it should not gain any access to the network.

And I just realized that I need to use CPL to configure 802.1x on IOS XE.

So I added some configuration and it now looks like this:

============================================================================
(config)# aaa authentication dot1x default group radius
(config)# dot1x system-auth-control

(config)# aaa group server radius RMS01
(config-sg-radius)# server name RMS01
(config-sg-radius)# ip radius source-interface Vlan30

(config)# radius server RMS01
(config-radius-server)# address ipv4 10.x.x.x auth-port 1645 acct-port 1646
(config-radius-server)# key 7 047055512312323434645634

class-map type control subscriber match-any DOT1X
  match session-type wired

policy-map type control subscriber dot1x_TEST
  event session-started match-all
    1 class DOT1X do-all
      1 authenticate using dot1x

(config-if)# switchport access vlan 10
(config-if)# switchport mode access
(config-if)# switchport host
(config-if)# authentication host-mode multi-auth
(config-if)# access-session port-control auto
(config-if)# dot1x pae authenticator
(config-if)# service-policy type control subscriber dot1x_TEST
============================================================================

Now my PC is able to get the identity request from the switch and send back a response message. But now a new problem occurs: as per the debug log, the switch did send a RADIUS request to the server:

dot1x-ev:[ecf4.bb6b.3da6, Gi6/5] Response sent to the server from 0x4B000011

But in the monitor capture, there was no packet sent to the server. The server receives nothing from the switch.

I am new to CPL and not sure if my configuration is correct. I have tried many times to tune the CPL but have not been able to solve this problem.

Do you have any idea on this?

Thanks!
