ā04-13-2016 07:26 AM
I've copied and pasted a dot1x and RADIUS config form another switch(WS-C3560-48PS-E) of ours that is known to be working to a new switch(WS-C3750-48PS-E). Both are running 12.2(55)SE7 . The issue seems to be that the AUTH-MGR is not passing the request to RADIUS, since I never see it the request on our RADIUS server. I've verified there is a path from the Authenticator's Loopback to the Authentication Server.
SW-NEW#ping 10.23.0.11 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.23.0.11, timeout is 2 seconds:
Packet sent with a source address of 10.44.1.199
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
Switch Config:
aaa new-model
aaa group server radius RADIUS-DOT1X
server 10.23.0.11 auth-port 1645 acct-port 1646
load-balance method least-outstanding
!
aaa authentication dot1x default group RADIUS-DOT1X
aaa authorization network default group radius
!
authentication mac-move permit
!
dot1x system-auth-control
dot1x guest-vlan supplicant
!
ip radius source-interface Loopback0
!
!
radius-server host 10.23.0.11 auth-port 1645 acct-port 1646 key 7 {omitted}
radius-server vsa send accounting
radius-server vsa send authentication
Interface Config:
interface FastEthernet3/0/31
switchport access vlan 21
switchport mode access
switchport voice vlan 121
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
authentication event fail action next-method
authentication order dot1x
authentication port-control auto
authentication periodic
authentication violation protect
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
end
Terminal logs:
Apr 13 10:10:21.432 EDT: AUTH-EVENT (Fa3/0/31) Client delete *ALL* from platform (2)
Apr 13 10:10:21.432 EDT: AUTH-EVENT (Fa3/0/31) Ignoring delete *ALL* - ctx list empty
Apr 13 10:10:21.440 EDT: AUTH-EVENT (Fa3/0/31) Link DOWN
Apr 13 10:10:21.440 EDT: AUTH-EVENT (Fa3/0/31) Ignoring delete *ALL* - ctx list empty
Apr 13 10:10:22.430 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/0/31, changed state to down
Apr 13 10:10:23.437 EDT: %LINK-3-UPDOWN: Interface FastEthernet3/0/31, changed state to down
Apr 13 10:10:39.250 EDT: AUTH-EVENT (Fa3/0/31) dot1x_pm_mda_port_link_linkcomingup: voice VLAN 121, data VLAN 21
Apr 13 10:10:39.250 EDT: AUTH-EVENT (Fa3/0/31) Enabling dot1x in switch shim
Apr 13 10:10:39.250 EDT: AUTH-EVENT (Fa3/0/31) dot1x_is_mab_interested_in_mac: Still waiting for a MAC on port FastEthernet3/0/31
Apr 13 10:10:39.250 EDT: AUTH-EVENT (Fa3/0/31) Host access set to ask on unauthorized port since featur
Apr 13 10:10:39.258 EDT: AUTH-EVENT (Fa3/0/31) host access set to 1 on FastEthernet3/0/31
Apr 13 10:10:39.258 EDT: AUTH-EVENT (Fa3/0/31) dot1x_is_mab_interested_in_mac: Still waiting for a MAC on port FastEthernet3/0/31
Apr 13 10:10:39.258 EDT: AUTH-EVENT (Fa3/0/31) Host access set to ask on unauthorized port since featur
Apr 13 10:10:39.258 EDT: AUTH-EVENT (Fa3/0/31) host access set to 1 on FastEthernet3/0/31
Apr 13 10:10:39.258 EDT: AUTH-EVENT (Fa3/0/31) dot1x_is_mab_interested_in_mac: Still waiting for a MAC on port FastEthernet3/0/31
Apr 13 10:10:39.258 EDT: AUTH-EVENT (Fa3/0/31) Link UP
Apr 13 10:10:41.238 EDT: %LINK-3-UPDOWN: Interface FastEthernet3/0/31, changed state to up
Apr 13 10:10:42.245 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/0/31, changed state to up
Apr 13 10:11:02.344 EDT: AUTH-EVENT (Fa3/0/31) Client delete *ALL* from platform (2)
Apr 13 10:11:02.344 EDT: AUTH-EVENT (Fa3/0/31) Ignoring delete *ALL* - ctx list empty
Apr 13 10:11:02.344 EDT: AUTH-EVENT (Fa3/0/31) Link DOWN
Apr 13 10:11:02.344 EDT: AUTH-EVENT (Fa3/0/31) Ignoring delete *ALL* - ctx list empty
Apr 13 10:11:03.342 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/0/31, changed state to down
Apr 13 10:11:04.341 EDT: %LINK-3-UPDOWN: Interface FastEthernet3/0/31, changed state to down
Apr 13 10:11:04.550 EDT: AUTH-EVENT (Fa3/0/31) dot1x_pm_mda_port_link_linkcomingup: voice VLAN 121, data VLAN 21
Apr 13 10:11:04.559 EDT: AUTH-EVENT (Fa3/0/31) Enabling dot1x in switch shim
Apr 13 10:11:04.559 EDT: AUTH-EVENT (Fa3/0/31) dot1x_is_mab_interested_in_mac: Still waiting for a MAC on port FastEthernet3/0/31
Apr 13 10:11:04.559 EDT: AUTH-EVENT (Fa3/0/31) Host access set to ask on unauthorized port since featur
Apr 13 10:11:04.559 EDT: AUTH-EVENT (Fa3/0/31) host access set to 1 on FastEthernet3/0/31
Apr 13 10:11:04.559 EDT: AUTH-EVENT (Fa3/0/31) dot1x_is_mab_interested_in_mac: Still waiting for a MAC on port FastEthernet3/0/31
Apr 13 10:11:04.559 EDT: AUTH-EVENT (Fa3/0/31) Host access set to ask on unauthorized port since featur
Apr 13 10:11:04.559 EDT: AUTH-EVENT (Fa3/0/31) host access set to 1 on FastEthernet3/0/31
Apr 13 10:11:04.559 EDT: AUTH-EVENT (Fa3/0/31) dot1x_is_mab_interested_in_mac: Still waiting for a MAC on port FastEthernet3/0/31
Apr 13 10:11:04.559 EDT: AUTH-EVENT (Fa3/0/31) Link UP
Apr 13 10:11:06.522 EDT: %LINK-3-UPDOWN: Interface FastEthernet3/0/31, changed state to up
Apr 13 10:11:07.528 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/0/31, changed state to up
Apr 13 10:11:31.092 EDT: dot1x-ev(Fa3/0/31): Role determination not required
Apr 13 10:11:31.092 EDT: dot1x-packet(Fa3/0/31): queuing an EAPOL pkt on Auth Q
Apr 13 10:11:31.092 EDT: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 13 10:11:31.092 EDT: EAPOL pak dump rx
Apr 13 10:11:31.092 EDT: EAPOL Version: 0x1 type: 0x1 length: 0x0000
Apr 13 10:11:31.092 EDT: dot1x-ev:
dot1x_auth_queue_event: Int Fa3/0/31 CODE= 0,TYPE= 0,LEN= 0
Apr 13 10:11:31.092 EDT: dot1x-packet(Fa3/0/31): Received an EAPOL frame
Apr 13 10:11:31.092 EDT: dot1x-ev(Fa3/0/31): Received pkt saddr =6cf3.7fc0.3311 , daddr = 0180.c200.0003,
pae-ether-type = 888e.0101.0000
Apr 13 10:11:31.092 EDT: dot1x-ev(Fa3/0/31): New client detected, issuing Start Request to AuthMgr
Apr 13 10:11:31.092 EDT: AUTH-EVENT (Fa3/0/31) Received START_REQUEST from dot1x (handle 0x00000003)
Apr 13 10:11:31.092 EDT: AUTH-EVENT (Fa3/0/31) Start request by method "dot1x" for 6cf3.7fc0.3311
Apr 13 10:12:01.149 EDT: dot1x-ev(Fa3/0/31): Role determination not required
Apr 13 10:12:01.149 EDT: dot1x-packet(Fa3/0/31): queuing an EAPOL pkt on Auth Q
Apr 13 10:12:01.149 EDT: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 13 10:12:01.158 EDT: EAPOL pak dump rx
Apr 13 10:12:01.158 EDT: EAPOL Version: 0x1 type: 0x1 length: 0x0000
Apr 13 10:12:01.158 EDT: dot1x-ev:
dot1x_auth_queue_event: Int Fa3/0/31 CODE= 0,TYPE= 0,LEN= 0
Apr 13 10:12:01.158 EDT: dot1x-packet(Fa3/0/31): Received an EAPOL frame
Apr 13 10:12:01.158 EDT: dot1x-ev(Fa3/0/31): Received pkt saddr =6cf3.7fc0.3311 , daddr = 0180.c200.0003,
pae-ether-type = 888e.0101.0000
Apr 13 10:12:01.158 EDT: dot1x-ev(Fa3/0/31): New client detected, issuing Start Request to AuthMgr
Apr 13 10:12:01.158 EDT: AUTH-EVENT (Fa3/0/31) Received START_REQUEST from dot1x (handle 0x00000003)
Apr 13 10:12:01.158 EDT: AUTH-EVENT (Fa3/0/31) Start request by method "dot1x" for 6cf3.7fc0.3311
Apr 13 10:13:39.071 EDT: AUTH-EVENT (Fa3/0/31) Client delete *ALL* from platform (2)
Apr 13 10:13:39.071 EDT: AUTH-EVENT (Fa3/0/31) Ignoring delete *ALL* - ctx list empty
Apr 13 10:13:39.071 EDT: AUTH-EVENT (Fa3/0/31) Link DOWN
Apr 13 10:13:39.071 EDT: AUTH-EVENT (Fa3/0/31) Ignoring delete *ALL* - ctx list empty
Apr 13 10:13:40.061 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/0/31, changed state to down
Apr 13 10:13:41.068 EDT: %LINK-3-UPDOWN: Interface FastEthernet3/0/31, changed state to down
Apr 13 10:13:56.839 EDT: AUTH-EVENT (Fa3/0/31) dot1x_pm_mda_port_link_linkcomingup: voice VLAN 121, data VLAN 21
Apr 13 10:13:56.839 EDT: AUTH-EVENT (Fa3/0/31) Enabling dot1x in switch shim
Apr 13 10:13:56.839 EDT: AUTH-EVENT (Fa3/0/31) dot1x_is_mab_interested_in_mac: Still waiting for a MAC on port FastEthernet3/0/31
Apr 13 10:13:56.847 EDT: AUTH-EVENT (Fa3/0/31) Host access set to ask on unauthorized port since featur
Apr 13 10:13:56.847 EDT: AUTH-EVENT (Fa3/0/31) host access set to 1 on FastEthernet3/0/31
Apr 13 10:13:56.847 EDT: AUTH-EVENT (Fa3/0/31) dot1x_is_mab_interested_in_mac: Still waiting for a MAC on port FastEthernet3/0/31
Apr 13 10:13:56.847 EDT: AUTH-EVENT (Fa3/0/31) Host access set to ask on unauthorized port since featur
Apr 13 10:13:56.847 EDT: AUTH-EVENT (Fa3/0/31) host access set to 1 on FastEthernet3/0/31
Apr 13 10:13:56.847 EDT: AUTH-EVENT (Fa3/0/31) dot1x_is_mab_interested_in_mac: Still waiting for a MAC on port FastEthernet3/0/31
Apr 13 10:13:56.847 EDT: AUTH-EVENT (Fa3/0/31) Link UP
Apr 13 10:13:58.827 EDT: %LINK-3-UPDOWN: Interface FastEthernet3/0/31, changed state to up
Apr 13 10:13:59.834 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/0/31, changed state to up
Apr 13 10:14:19.967 EDT: AUTH-EVENT (Fa3/0/31) Client delete *ALL* from platform (2)
Apr 13 10:14:19.967 EDT: AUTH-EVENT (Fa3/0/31) Ignoring delete *ALL* - ctx list empty
Apr 13 10:14:19.984 EDT: AUTH-EVENT (Fa3/0/31) Link DOWN
Apr 13 10:14:19.984 EDT: AUTH-EVENT (Fa3/0/31) Ignoring delete *ALL* - ctx list empty
Apr 13 10:14:20.965 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/0/31, changed state to down
Apr 13 10:14:21.972 EDT: %LINK-3-UPDOWN: Interface FastEthernet3/0/31, changed state to down
Apr 13 10:14:22.299 EDT: AUTH-EVENT (Fa3/0/31) dot1x_pm_mda_port_link_linkcomingup: voice VLAN 121, data VLAN 21
Apr 13 10:14:22.299 EDT: AUTH-EVENT (Fa3/0/31) Enabling dot1x in switch shim
Apr 13 10:14:22.299 EDT: AUTH-EVENT (Fa3/0/31) dot1x_is_mab_interested_in_mac: Still waiting for a MAC on port FastEthernet3/0/31
Apr 13 10:14:22.299 EDT: AUTH-EVENT (Fa3/0/31) Host access set to ask on unauthorized port since featur
Apr 13 10:14:22.299 EDT: AUTH-EVENT (Fa3/0/31) host access set to 1 on FastEthernet3/0/31
Apr 13 10:14:22.299 EDT: AUTH-EVENT (Fa3/0/31) dot1x_is_mab_interested_in_mac: Still waiting for a MAC on port FastEthernet3/0/31
Apr 13 10:14:22.299 EDT: AUTH-EVENT (Fa3/0/31) Host access set to ask on unauthorized port since featur
Apr 13 10:14:22.299 EDT: AUTH-EVENT (Fa3/0/31) host access set to 1 on FastEthernet3/0/31
Apr 13 10:14:22.299 EDT: AUTH-EVENT (Fa3/0/31) dot1x_is_mab_interested_in_mac: Still waiting for a MAC on port FastEthernet3/0/31
Apr 13 10:14:22.307 EDT: AUTH-EVENT (Fa3/0/31) Link UP
Apr 13 10:14:48.740 EDT: dot1x-ev(Fa3/0/31): Role determination not required
Apr 13 10:14:48.740 EDT: dot1x-packet(Fa3/0/31): queuing an EAPOL pkt on Auth Q
Apr 13 10:14:48.740 EDT: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 13 10:14:48.749 EDT: EAPOL pak dump rx
Apr 13 10:14:48.749 EDT: EAPOL Version: 0x1 type: 0x1 length: 0x0000
Apr 13 10:14:48.749 EDT: dot1x-ev:
dot1x_auth_queue_event: Int Fa3/0/31 CODE= 0,TYPE= 0,LEN= 0
Apr 13 10:14:48.749 EDT: dot1x-packet(Fa3/0/31): Received an EAPOL frame
Apr 13 10:14:48.749 EDT: dot1x-ev(Fa3/0/31): Received pkt saddr =6cf3.7fc0.3311 , daddr = 0180.c200.0003,
pae-ether-type = 888e.0101.0000
Apr 13 10:14:48.749 EDT: dot1x-ev(Fa3/0/31): New client detected, issuing Start Request to AuthMgr
Apr 13 10:14:48.749 EDT: AUTH-EVENT (Fa3/0/31) Received START_REQUEST from dot1x (handle 0x00000003)
Apr 13 10:14:48.749 EDT: AUTH-EVENT (Fa3/0/31) Start request by method "dot1x" for 6cf3.7fc0.3311
Apr 13 10:15:18.806 EDT: dot1x-ev(Fa3/0/31): Role determination not required
Apr 13 10:15:18.806 EDT: dot1x-packet(Fa3/0/31): queuing an EAPOL pkt on Auth Q
Apr 13 10:15:18.806 EDT: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 13 10:15:18.806 EDT: EAPOL pak dump rx
Apr 13 10:15:18.806 EDT: EAPOL Version: 0x1 type: 0x1 length: 0x0000
Apr 13 10:15:18.806 EDT: dot1x-ev:
dot1x_auth_queue_event: Int Fa3/0/31 CODE= 0,TYPE= 0,LEN= 0
Apr 13 10:15:18.806 EDT: dot1x-packet(Fa3/0/31): Received an EAPOL frame
Apr 13 10:15:18.806 EDT: dot1x-ev(Fa3/0/31): Received pkt saddr =6cf3.7fc0.3311 , daddr = 0180.c200.0003,
pae-ether-type = 888e.0101.0000
Apr 13 10:15:18.806 EDT: dot1x-ev(Fa3/0/31): New client detected, issuing Start Request to AuthMgr
Apr 13 10:15:18.806 EDT: AUTH-EVENT (Fa3/0/31) Received START_REQUEST from dot1x (handle 0x00000003)
Apr 13 10:15:18.806 EDT: AUTH-EVENT (Fa3/0/31) Start request by method "dot1x" for 6cf3.7fc0.3311
Solved! Go to Solution.
ā05-10-2016 06:24 AM
Hi Neno,
Thank you for your help. I figured out that I was forgetting to add the dot1x pae authenticator interface command. It must have been cut off when I copied and pasted.
ā04-15-2016 09:21 AM
A couple of questions:
1) What is your RADIUS server
2) Have you confirmed that the RADIUS server has the switch listed as a trusted NAD
3) Confirm that the RADIUS packets are being sourced from the correct IP/Interface
4) What does the switch show from the command "show aaa servers"
5) I see that you have "next-method" listed under the interface but I don't see any other methods defined (For example MAB)
Thank you for rating helpful posts!
ā05-10-2016 06:24 AM
Hi Neno,
Thank you for your help. I figured out that I was forgetting to add the dot1x pae authenticator interface command. It must have been cut off when I copied and pasted.
ā05-10-2016 10:39 AM
Good job on solving your own problem! Also, thank you for taking the time to come back and update the thread! (+5 from me)! There are so many commands assosiated with 802.1x that it is easy to miss one such as the dot1x pae authenticator.
If you are using ISE as your RADIUS server, you can utilize a little tool called "Evaluate Configuration Validator" and can be found under: Diagnostic Tools > General Tools > Evaluate Configuration Validator.
It is not 100% accurate but it helps you check the config and see if you are missing some commands.
Now, since your problem was resolved you should mark the thread as "answered" :)
Thank you for rating helpful posts!
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: