cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
2257
Views
0
Helpful
3
Replies

802.1x port never passes request to RADIUS

Jim Araujo
Level 1
Level 1

I've copied and pasted a dot1x and RADIUS config form another switch(WS-C3560-48PS-E) of ours that is known to be working to a new switch(WS-C3750-48PS-E). Both are running  12.2(55)SE7 . The issue seems to be that the AUTH-MGR is not passing the request to RADIUS, since I never see it the request on our RADIUS server. I've verified there is a path from the Authenticator's Loopback to the Authentication Server.

SW-NEW#ping 10.23.0.11 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.23.0.11, timeout is 2 seconds:
Packet sent with a source address of 10.44.1.199
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms

Switch Config:

aaa new-model
aaa group server radius RADIUS-DOT1X
 server 10.23.0.11 auth-port 1645 acct-port 1646
 load-balance method least-outstanding
!
aaa authentication dot1x default group RADIUS-DOT1X
aaa authorization network default group radius
!
authentication mac-move permit
!
dot1x system-auth-control
dot1x guest-vlan supplicant
!
ip radius source-interface Loopback0
!
!
radius-server host 10.23.0.11 auth-port 1645 acct-port 1646 key 7 {omitted}
radius-server vsa send accounting
radius-server vsa send authentication

Interface Config:

interface FastEthernet3/0/31
 switchport access vlan 21
 switchport mode access
 switchport voice vlan 121
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 authentication event fail action next-method
 authentication order dot1x
 authentication port-control auto
 authentication periodic
 authentication violation protect
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 spanning-tree portfast
end

Terminal logs:

Apr 13 10:10:21.432 EDT: AUTH-EVENT (Fa3/0/31) Client delete *ALL* from platform (2)
Apr 13 10:10:21.432 EDT: AUTH-EVENT (Fa3/0/31) Ignoring delete *ALL* - ctx list empty
Apr 13 10:10:21.440 EDT: AUTH-EVENT (Fa3/0/31) Link DOWN
Apr 13 10:10:21.440 EDT: AUTH-EVENT (Fa3/0/31) Ignoring delete *ALL* - ctx list empty
Apr 13 10:10:22.430 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/0/31, changed state to down
Apr 13 10:10:23.437 EDT: %LINK-3-UPDOWN: Interface FastEthernet3/0/31, changed state to down
Apr 13 10:10:39.250 EDT: AUTH-EVENT (Fa3/0/31) dot1x_pm_mda_port_link_linkcomingup: voice VLAN 121, data VLAN 21
Apr 13 10:10:39.250 EDT: AUTH-EVENT (Fa3/0/31) Enabling dot1x in switch shim
Apr 13 10:10:39.250 EDT: AUTH-EVENT (Fa3/0/31) dot1x_is_mab_interested_in_mac: Still waiting for a MAC on port FastEthernet3/0/31
Apr 13 10:10:39.250 EDT: AUTH-EVENT (Fa3/0/31) Host access set to ask on unauthorized port since featur
Apr 13 10:10:39.258 EDT: AUTH-EVENT (Fa3/0/31)  host access set to 1 on FastEthernet3/0/31
Apr 13 10:10:39.258 EDT: AUTH-EVENT (Fa3/0/31) dot1x_is_mab_interested_in_mac: Still waiting for a MAC on port FastEthernet3/0/31
Apr 13 10:10:39.258 EDT: AUTH-EVENT (Fa3/0/31) Host access set to ask on unauthorized port since featur
Apr 13 10:10:39.258 EDT: AUTH-EVENT (Fa3/0/31)  host access set to 1 on FastEthernet3/0/31
Apr 13 10:10:39.258 EDT: AUTH-EVENT (Fa3/0/31) dot1x_is_mab_interested_in_mac: Still waiting for a MAC on port FastEthernet3/0/31
Apr 13 10:10:39.258 EDT: AUTH-EVENT (Fa3/0/31) Link UP
Apr 13 10:10:41.238 EDT: %LINK-3-UPDOWN: Interface FastEthernet3/0/31, changed state to up
Apr 13 10:10:42.245 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/0/31, changed state to up
Apr 13 10:11:02.344 EDT: AUTH-EVENT (Fa3/0/31) Client delete *ALL* from platform (2)
Apr 13 10:11:02.344 EDT: AUTH-EVENT (Fa3/0/31) Ignoring delete *ALL* - ctx list empty
Apr 13 10:11:02.344 EDT: AUTH-EVENT (Fa3/0/31) Link DOWN
Apr 13 10:11:02.344 EDT: AUTH-EVENT (Fa3/0/31) Ignoring delete *ALL* - ctx list empty
Apr 13 10:11:03.342 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/0/31, changed state to down
Apr 13 10:11:04.341 EDT: %LINK-3-UPDOWN: Interface FastEthernet3/0/31, changed state to down
Apr 13 10:11:04.550 EDT: AUTH-EVENT (Fa3/0/31) dot1x_pm_mda_port_link_linkcomingup: voice VLAN 121, data VLAN 21
Apr 13 10:11:04.559 EDT: AUTH-EVENT (Fa3/0/31) Enabling dot1x in switch shim
Apr 13 10:11:04.559 EDT: AUTH-EVENT (Fa3/0/31) dot1x_is_mab_interested_in_mac: Still waiting for a MAC on port FastEthernet3/0/31
Apr 13 10:11:04.559 EDT: AUTH-EVENT (Fa3/0/31) Host access set to ask on unauthorized port since featur
Apr 13 10:11:04.559 EDT: AUTH-EVENT (Fa3/0/31)  host access set to 1 on FastEthernet3/0/31
Apr 13 10:11:04.559 EDT: AUTH-EVENT (Fa3/0/31) dot1x_is_mab_interested_in_mac: Still waiting for a MAC on port FastEthernet3/0/31
Apr 13 10:11:04.559 EDT: AUTH-EVENT (Fa3/0/31) Host access set to ask on unauthorized port since featur
Apr 13 10:11:04.559 EDT: AUTH-EVENT (Fa3/0/31)  host access set to 1 on FastEthernet3/0/31
Apr 13 10:11:04.559 EDT: AUTH-EVENT (Fa3/0/31) dot1x_is_mab_interested_in_mac: Still waiting for a MAC on port FastEthernet3/0/31
Apr 13 10:11:04.559 EDT: AUTH-EVENT (Fa3/0/31) Link UP
Apr 13 10:11:06.522 EDT: %LINK-3-UPDOWN: Interface FastEthernet3/0/31, changed state to up
Apr 13 10:11:07.528 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/0/31, changed state to up
Apr 13 10:11:31.092 EDT: dot1x-ev(Fa3/0/31): Role determination not required
Apr 13 10:11:31.092 EDT: dot1x-packet(Fa3/0/31): queuing an EAPOL pkt on Auth Q
Apr 13 10:11:31.092 EDT: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 13 10:11:31.092 EDT: EAPOL pak dump rx
Apr 13 10:11:31.092 EDT: EAPOL Version: 0x1  type: 0x1  length: 0x0000
Apr 13 10:11:31.092 EDT: dot1x-ev:
dot1x_auth_queue_event: Int Fa3/0/31 CODE= 0,TYPE= 0,LEN= 0

Apr 13 10:11:31.092 EDT: dot1x-packet(Fa3/0/31): Received an EAPOL frame
Apr 13 10:11:31.092 EDT: dot1x-ev(Fa3/0/31): Received pkt saddr =6cf3.7fc0.3311 , daddr = 0180.c200.0003,
                    pae-ether-type = 888e.0101.0000
Apr 13 10:11:31.092 EDT: dot1x-ev(Fa3/0/31): New client detected, issuing Start Request to AuthMgr
Apr 13 10:11:31.092 EDT: AUTH-EVENT (Fa3/0/31) Received START_REQUEST from dot1x (handle 0x00000003)
Apr 13 10:11:31.092 EDT: AUTH-EVENT (Fa3/0/31) Start request by method "dot1x" for 6cf3.7fc0.3311
Apr 13 10:12:01.149 EDT: dot1x-ev(Fa3/0/31): Role determination not required
Apr 13 10:12:01.149 EDT: dot1x-packet(Fa3/0/31): queuing an EAPOL pkt on Auth Q
Apr 13 10:12:01.149 EDT: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 13 10:12:01.158 EDT: EAPOL pak dump rx
Apr 13 10:12:01.158 EDT: EAPOL Version: 0x1  type: 0x1  length: 0x0000
Apr 13 10:12:01.158 EDT: dot1x-ev:
dot1x_auth_queue_event: Int Fa3/0/31 CODE= 0,TYPE= 0,LEN= 0

Apr 13 10:12:01.158 EDT: dot1x-packet(Fa3/0/31): Received an EAPOL frame
Apr 13 10:12:01.158 EDT: dot1x-ev(Fa3/0/31): Received pkt saddr =6cf3.7fc0.3311 , daddr = 0180.c200.0003,
                    pae-ether-type = 888e.0101.0000
Apr 13 10:12:01.158 EDT: dot1x-ev(Fa3/0/31): New client detected, issuing Start Request to AuthMgr
Apr 13 10:12:01.158 EDT: AUTH-EVENT (Fa3/0/31) Received START_REQUEST from dot1x (handle 0x00000003)
Apr 13 10:12:01.158 EDT: AUTH-EVENT (Fa3/0/31) Start request by method "dot1x" for 6cf3.7fc0.3311
Apr 13 10:13:39.071 EDT: AUTH-EVENT (Fa3/0/31) Client delete *ALL* from platform (2)
Apr 13 10:13:39.071 EDT: AUTH-EVENT (Fa3/0/31) Ignoring delete *ALL* - ctx list empty
Apr 13 10:13:39.071 EDT: AUTH-EVENT (Fa3/0/31) Link DOWN
Apr 13 10:13:39.071 EDT: AUTH-EVENT (Fa3/0/31) Ignoring delete *ALL* - ctx list empty
Apr 13 10:13:40.061 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/0/31, changed state to down
Apr 13 10:13:41.068 EDT: %LINK-3-UPDOWN: Interface FastEthernet3/0/31, changed state to down
Apr 13 10:13:56.839 EDT: AUTH-EVENT (Fa3/0/31) dot1x_pm_mda_port_link_linkcomingup: voice VLAN 121, data VLAN 21
Apr 13 10:13:56.839 EDT: AUTH-EVENT (Fa3/0/31) Enabling dot1x in switch shim
Apr 13 10:13:56.839 EDT: AUTH-EVENT (Fa3/0/31) dot1x_is_mab_interested_in_mac: Still waiting for a MAC on port FastEthernet3/0/31
Apr 13 10:13:56.847 EDT: AUTH-EVENT (Fa3/0/31) Host access set to ask on unauthorized port since featur
Apr 13 10:13:56.847 EDT: AUTH-EVENT (Fa3/0/31)  host access set to 1 on FastEthernet3/0/31
Apr 13 10:13:56.847 EDT: AUTH-EVENT (Fa3/0/31) dot1x_is_mab_interested_in_mac: Still waiting for a MAC on port FastEthernet3/0/31
Apr 13 10:13:56.847 EDT: AUTH-EVENT (Fa3/0/31) Host access set to ask on unauthorized port since featur
Apr 13 10:13:56.847 EDT: AUTH-EVENT (Fa3/0/31)  host access set to 1 on FastEthernet3/0/31
Apr 13 10:13:56.847 EDT: AUTH-EVENT (Fa3/0/31) dot1x_is_mab_interested_in_mac: Still waiting for a MAC on port FastEthernet3/0/31
Apr 13 10:13:56.847 EDT: AUTH-EVENT (Fa3/0/31) Link UP
Apr 13 10:13:58.827 EDT: %LINK-3-UPDOWN: Interface FastEthernet3/0/31, changed state to up
Apr 13 10:13:59.834 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/0/31, changed state to up
Apr 13 10:14:19.967 EDT: AUTH-EVENT (Fa3/0/31) Client delete *ALL* from platform (2)
Apr 13 10:14:19.967 EDT: AUTH-EVENT (Fa3/0/31) Ignoring delete *ALL* - ctx list empty
Apr 13 10:14:19.984 EDT: AUTH-EVENT (Fa3/0/31) Link DOWN
Apr 13 10:14:19.984 EDT: AUTH-EVENT (Fa3/0/31) Ignoring delete *ALL* - ctx list empty
Apr 13 10:14:20.965 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/0/31, changed state to down
Apr 13 10:14:21.972 EDT: %LINK-3-UPDOWN: Interface FastEthernet3/0/31, changed state to down
Apr 13 10:14:22.299 EDT: AUTH-EVENT (Fa3/0/31) dot1x_pm_mda_port_link_linkcomingup: voice VLAN 121, data VLAN 21
Apr 13 10:14:22.299 EDT: AUTH-EVENT (Fa3/0/31) Enabling dot1x in switch shim
Apr 13 10:14:22.299 EDT: AUTH-EVENT (Fa3/0/31) dot1x_is_mab_interested_in_mac: Still waiting for a MAC on port FastEthernet3/0/31
Apr 13 10:14:22.299 EDT: AUTH-EVENT (Fa3/0/31) Host access set to ask on unauthorized port since featur
Apr 13 10:14:22.299 EDT: AUTH-EVENT (Fa3/0/31)  host access set to 1 on FastEthernet3/0/31
Apr 13 10:14:22.299 EDT: AUTH-EVENT (Fa3/0/31) dot1x_is_mab_interested_in_mac: Still waiting for a MAC on port FastEthernet3/0/31
Apr 13 10:14:22.299 EDT: AUTH-EVENT (Fa3/0/31) Host access set to ask on unauthorized port since featur
Apr 13 10:14:22.299 EDT: AUTH-EVENT (Fa3/0/31)  host access set to 1 on FastEthernet3/0/31
Apr 13 10:14:22.299 EDT: AUTH-EVENT (Fa3/0/31) dot1x_is_mab_interested_in_mac: Still waiting for a MAC on port FastEthernet3/0/31
Apr 13 10:14:22.307 EDT: AUTH-EVENT (Fa3/0/31) Link UP
Apr 13 10:14:48.740 EDT: dot1x-ev(Fa3/0/31): Role determination not required
Apr 13 10:14:48.740 EDT: dot1x-packet(Fa3/0/31): queuing an EAPOL pkt on Auth Q
Apr 13 10:14:48.740 EDT: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 13 10:14:48.749 EDT: EAPOL pak dump rx
Apr 13 10:14:48.749 EDT: EAPOL Version: 0x1  type: 0x1  length: 0x0000
Apr 13 10:14:48.749 EDT: dot1x-ev:
dot1x_auth_queue_event: Int Fa3/0/31 CODE= 0,TYPE= 0,LEN= 0

Apr 13 10:14:48.749 EDT: dot1x-packet(Fa3/0/31): Received an EAPOL frame
Apr 13 10:14:48.749 EDT: dot1x-ev(Fa3/0/31): Received pkt saddr =6cf3.7fc0.3311 , daddr = 0180.c200.0003,
                    pae-ether-type = 888e.0101.0000
Apr 13 10:14:48.749 EDT: dot1x-ev(Fa3/0/31): New client detected, issuing Start Request to AuthMgr
Apr 13 10:14:48.749 EDT: AUTH-EVENT (Fa3/0/31) Received START_REQUEST from dot1x (handle 0x00000003)
Apr 13 10:14:48.749 EDT: AUTH-EVENT (Fa3/0/31) Start request by method "dot1x" for 6cf3.7fc0.3311
Apr 13 10:15:18.806 EDT: dot1x-ev(Fa3/0/31): Role determination not required
Apr 13 10:15:18.806 EDT: dot1x-packet(Fa3/0/31): queuing an EAPOL pkt on Auth Q
Apr 13 10:15:18.806 EDT: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 13 10:15:18.806 EDT: EAPOL pak dump rx
Apr 13 10:15:18.806 EDT: EAPOL Version: 0x1  type: 0x1  length: 0x0000
Apr 13 10:15:18.806 EDT: dot1x-ev:
dot1x_auth_queue_event: Int Fa3/0/31 CODE= 0,TYPE= 0,LEN= 0

Apr 13 10:15:18.806 EDT: dot1x-packet(Fa3/0/31): Received an EAPOL frame
Apr 13 10:15:18.806 EDT: dot1x-ev(Fa3/0/31): Received pkt saddr =6cf3.7fc0.3311 , daddr = 0180.c200.0003,
                    pae-ether-type = 888e.0101.0000
Apr 13 10:15:18.806 EDT: dot1x-ev(Fa3/0/31): New client detected, issuing Start Request to AuthMgr
Apr 13 10:15:18.806 EDT: AUTH-EVENT (Fa3/0/31) Received START_REQUEST from dot1x (handle 0x00000003)
Apr 13 10:15:18.806 EDT: AUTH-EVENT (Fa3/0/31) Start request by method "dot1x" for 6cf3.7fc0.3311
1 Accepted Solution

Accepted Solutions

Hi Neno,

Thank you for your help. I figured out that I was forgetting to add the dot1x pae authenticator interface command. It must have been cut off when I copied and pasted.

View solution in original post

3 Replies 3

nspasov
Cisco Employee
Cisco Employee

A couple of questions:

1) What is your RADIUS server

2) Have you confirmed that the RADIUS server has the switch listed as a trusted NAD

3) Confirm that the RADIUS packets are being sourced from the correct IP/Interface

4) What does the switch show from the command "show aaa servers"

5) I see that you have "next-method" listed under the interface but I don't see any other methods defined (For example MAB)

Thank you for rating helpful posts!

Hi Neno,

Thank you for your help. I figured out that I was forgetting to add the dot1x pae authenticator interface command. It must have been cut off when I copied and pasted.

Good job on solving your own problem! Also, thank you for taking the time to come back and update the thread! (+5 from me)! There are so many commands assosiated with 802.1x that it is easy to miss one such as the  dot1x pae authenticator. 

If you are using ISE as your RADIUS server, you can utilize a little tool called "Evaluate Configuration Validator" and can be found under: Diagnostic Tools > General Tools > Evaluate Configuration Validator. 

It is not 100% accurate but it helps you check the config and see if you are missing some commands. 

Now, since your problem was resolved you should mark the thread as "answered" :)

Thank you for rating helpful posts!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: