802.1x with 6509: authentication passed, authorization failed

Wes Schochet
Level 3

I have some closets with relatively old 6509s that I am trying to configure for 802.1x and MAB.
For my test case, I am using a Cisco AP which is getting profiled by ISE and added to the MAB group.
ISE shows the authentication passing and returns Access-Accept. I am not sure what to add to the ISE response to make this work, or what else I may be missing.

 

The RADIUS debug shows authentication passing but authorization failing:
05:46:20: DOT1X-5-FAIL: Authentication failed for client (acf2.c5a5.357e) on Interface Gi2/12
05:46:20: AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (acf2.c5a5.357e) on Interface Gi2/12
05:46:20: AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (acf2.c5a5.357e) on Interface Gi2/12
05:46:20: AUTHMGR-5-START: Starting 'mab' for client (acf2.c5a5.357e) on Interface Gi2/12
05:46:20: AAA/AUTHEN/8021X (0000000C): Pick method list 'default'
05:46:20: RADIUS/ENCODE(0000000C):Orig. component type = DOT1X
05:46:20: RADIUS: AAA Unsupported Attr: audit-session-id [599] 24
05:46:20: RADIUS: 30 41 36 33 30 35 33 34 30 30 30 30 30 30 30 33 [0A63053400000003]
05:46:20: RADIUS: 30 31 33 37 39 43 [ 01379C]
05:46:20: RADIUS: AAA Unsupported Attr: interface [170] 19
05:46:20: RADIUS: 47 69 67 61 62 69 74 45 74 68 65 72 6E 65 74 32 [GigabitEthernet2]
05:46:20: RADIUS: 2F [ /]
05:46:20: RADIUS(0000000C): Config NAS IP: 10.99.5.52
05:46:20: RADIUS/ENCODE(0000000C): acct_session_id: 12
05:46:20: RADIUS(0000000C): sending
05:46:20: RADIUS(0000000C): Send Access-Request to 10.18.16.77:1812 id 1645/145, len 159
05:46:20: RADIUS: authenticator 6A 32 7F 9D AD 49 2B 27 - 51 64 C6 2A B4 2D 5B C5
05:46:20: RADIUS: User-Name [1] 14 "acf2c5a5357e"
05:46:20: RADIUS: User-Password [2] 18 *
05:46:20: RADIUS: Service-Type [6] 6 Call Check [10]
05:46:20: RADIUS: Framed-MTU [12] 6 1500
05:46:20: RADIUS: Called-Station-Id [30] 19 "00-06-F6-7F-47-DB"
05:46:20: RADIUS: Calling-Station-Id [31] 19 "AC-F2-C5-A5-35-7E"
05:46:20: RADIUS: Message-Authenticato[80] 18
05:46:20: RADIUS: 6F 23 BB DB 1D 0B AE FA 5C FC 85 13 F7 66 D9 8C [ o#\f]
05:46:20: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
05:46:20: RADIUS: NAS-Port [5] 6 50212
05:46:20: RADIUS: NAS-Port-Id [87] 21 "GigabitEthernet2/12"
05:46:20: RADIUS: NAS-IP-Address [4] 6 10.99.5.52
05:46:20: RADIUS(0000000C): Started 3 sec timeout
05:46:20: RADIUS: Received from id 1645/145 10.18.16.77:1812, Access-Accept, len 291
05:46:20: RADIUS: authenticator 0C 5F CE 59 C6 A2 C0 76 - 5B D9 19 46 D7 37 E0 57
05:46:20: RADIUS: User-Name [1] 19 "AC-F2-C5-A5-35-7E"
05:46:20: RADIUS: Class [25] 87
05:46:20: RADIUS: 43 41 43 53 3A 30 61 31 32 31 30 34 64 6F 5A 69 [CACS:0a12104doZi]
05:46:20: RADIUS: 51 35 53 6B 75 4D 4E 76 53 43 4E 56 44 59 5A 69 [Q5SkuMNvSCNVDYZi]
05:46:20: RADIUS: 43 42 77 78 59 2F 35 5A 37 56 62 47 63 6D 64 49 [CBwxY/5Z7VbGcmdI]
05:46:20: RADIUS: 36 31 39 6E 39 4C 69 4D 3A 76 63 70 69 73 65 70 [619n9LiM:vcpisep]
05:46:20: RADIUS: 73 6E 2F 33 35 35 31 32 34 36 32 39 2F 33 30 31 [sn/355124629/301]
05:46:20: RADIUS: 33 39 30 31 36 [ 39016]
05:46:20: RADIUS: Message-Authenticato[80] 18
05:46:20: RADIUS: ED A3 7B 3C 4B B5 D9 A2 45 1B A8 83 94 C9 DA 2E [ {<KE.]
05:46:20: RADIUS: Vendor, Cisco [26] 30
05:46:20: RADIUS: Cisco AVpair [1] 24 "aaa:event=acl-download"
05:46:20: RADIUS: Vendor, Cisco [26] 75
05:46:20: RADIUS: Cisco AVpair [1] 69 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-57f6b0d3"
05:46:20: RADIUS: Vendor, Cisco [26] 42
05:46:20: RADIUS: Cisco AVpair [1] 36 "profile-name=Cisco-AP-Aironet-3600"
05:46:20: RADIUS(0000000C): Received from id 1645/145
05:46:20: RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE
05:46:20: MAB-5-SUCCESS: Authentication successful for client (acf2.c5a5.357e) on Interface Gi2/12
05:46:20: AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (acf2.c5a5.357e) on Interface Gi2/12
05:46:20: RADIUS/ENCODE(00000000):Orig. component type = INVALID
05:46:20: RADIUS(00000000): Config NAS IP: 10.99.5.52
05:46:20: RADIUS: AAA Unsupported Attr: service [333] 12
05:46:20: RADIUS: 69 70 5F 61 64 6D 69 73 73 69 [ ip_admissi]
05:46:20: RADIUS: AAA Unsupported Attr: event [334] 12
05:46:20: RADIUS: 61 63 6C 2D 64 6F 77 6E 6C 6F [ acl-downlo]
05:46:20: RADIUS(00000000): sending
05:46:20: RADIUS(00000000): Send Access-Request to 10.18.16.77:1812 id 1645/146, len 85
05:46:20: RADIUS: authenticator DF 3F E7 86 3D 71 46 0A - 0F 37 F1 2F 04 F9 BF A8
05:46:20: RADIUS: NAS-IP-Address [4] 6 10.99.5.52
05:46:20: RADIUS: User-Name [1] 41 "#ACSACL#-IP-PERMIT_ALL_TRAFFIC-57f6b0d3"
05:46:20: RADIUS: Message-Authenticato[80] 18
05:46:20: RADIUS: DE 98 C0 1F 6C B0 48 27 DF 90 A9 2A F1 2F 10 C1 [ lH'*/]
05:46:20: RADIUS(00000000): Started 3 sec timeout
05:46:20: RADIUS: Received from id 1645/146 10.18.16.77:1812, Access-Reject, len 38
05:46:20: RADIUS: authenticator C8 D2 7F 60 6F 90 37 7A - A3 28 A1 1B ED C7 E6 04
05:46:20: RADIUS: Message-Authenticato[80] 18
05:46:20: RADIUS: F1 17 89 6B DE BC 79 D1 94 2A FF 09 9A 75 CF 3E [ ky*u>]
05:46:20: RADIUS(00000000): Received from id 1645/146
05:46:20: AUTHMGR-5-FAIL: Authorization failed for client (acf2.c5a5.357e) on Interface Gi2/12
 
Thanks!
 
 
2 Replies

Francesco Molino
VIP Alumni
Hi

Can you share the ISE log please, and a screenshot of the authorization policy config?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Sep 23 10:29:40.294 cdt: %AUTHMGR-5-START: Starting 'mab' for client (acf2.c5a5.357e) on Interface Gi2/12
Sep 23 10:29:40.298 cdt: RADIUS/ENCODE(00000025):Orig. component type = DOT1X
Sep 23 10:29:40.298 cdt: RADIUS: AAA Unsupported Attr: audit-session-id [599] 24
Sep 23 10:29:40.298 cdt: RADIUS: 30 41 36 33 31 30 33 32 30 30 30 30 30 30 31 32 [0A63103200000012]
Sep 23 10:29:40.298 cdt: RADIUS: 30 34 42 45 32 36 [ 04BE26]
Sep 23 10:29:40.298 cdt: RADIUS: AAA Unsupported Attr: interface [170] 19
Sep 23 10:29:40.298 cdt: RADIUS: 47 69 67 61 62 69 74 45 74 68 65 72 6E 65 74 32 [GigabitEthernet2]
Sep 23 10:29:40.298 cdt: RADIUS: 2F [ /]
Sep 23 10:29:40.298 cdt: RADIUS(00000025): Config NAS IP: 10.99.5.52
Sep 23 10:29:40.298 cdt: RADIUS/ENCODE(00000025): acct_session_id: 34
Sep 23 10:29:40.298 cdt: RADIUS(00000025): sending
Sep 23 10:29:40.298 cdt: RADIUS(00000025): Send Access-Request to 10.18.16.77:1812 id 1645/131, len 159
Sep 23 10:29:40.298 cdt: RADIUS: authenticator 7C 35 F4 1E 6D 2D 75 81 - 45 B3 9D 80 F9 89 93 BF
Sep 23 10:29:40.298 cdt: RADIUS: User-Name [1] 14 "acf2c5a5357e"
Sep 23 10:29:40.298 cdt: RADIUS: User-Password [2] 18 *
Sep 23 10:29:40.298 cdt: RADIUS: Service-Type [6] 6 Call Check [10]
Sep 23 10:29:40.298 cdt: RADIUS: Framed-MTU [12] 6 1500
Sep 23 10:29:40.298 cdt: RADIUS: Called-Station-Id [30] 19 "00-06-F6-7F-47-DB"
Sep 23 10:29:40.298 cdt: RADIUS: Calling-Station-Id [31] 19 "AC-F2-C5-A5-35-7E"
Sep 23 10:29:40.298 cdt: RADIUS: Message-Authenticato[80] 18
Sep 23 10:29:40.298 cdt: RADIUS: 2E 9B 8D 42 59 46 63 0C 79 67 F6 88 53 92 68 47 [ .BYFcygShG]
Sep 23 10:29:40.298 cdt: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Sep 23 10:29:40.298 cdt: RADIUS: NAS-Port [5] 6 50212
Sep 23 10:29:40.298 cdt: RADIUS: NAS-Port-Id [87] 21 "GigabitEthernet2/12"
Sep 23 10:29:40.302 cdt: RADIUS: NAS-IP-Address [4] 6 10.99.5.52
Sep 23 10:29:40.302 cdt: RADIUS(00000025): Started 3 sec timeout
Sep 23 10:29:40.310 cdt: RADIUS: Received from id 1645/131 10.18.16.77:1812, Access-Accept, len 291
Sep 23 10:29:40.310 cdt: RADIUS: authenticator F7 B8 F1 DC 8C CF AE 32 - 82 78 8D 66 FE CB 21 B7
Sep 23 10:29:40.310 cdt: RADIUS: User-Name [1] 19 "AC-F2-C5-A5-35-7E"
Sep 23 10:29:40.310 cdt: RADIUS: Class [25] 87
Sep 23 10:29:40.310 cdt: RADIUS: 43 41 43 53 3A 30 61 31 32 31 30 34 64 62 47 36 [CACS:0a12104dbG6]
Sep 23 10:29:40.310 cdt: RADIUS: 46 43 5A 47 70 6F 7A 67 65 49 42 45 34 34 4F 73 [FCZGpozgeIBE44Os]
Sep 23 10:29:40.310 cdt: RADIUS: 75 58 68 52 64 77 6D 4F 6B 4A 79 63 6E 72 4F 61 [uXhRdwmOkJycnrOa]
Sep 23 10:29:40.310 cdt: RADIUS: 6C 68 4D 78 57 4D 33 45 3A 76 63 70 69 73 65 70 [lhMxWM3E:vcpisep]
Sep 23 10:29:40.310 cdt: RADIUS: 73 6E 2F 33 35 35 31 32 34 36 32 39 2F 33 32 33 [sn/355124629/323]
Sep 23 10:29:40.310 cdt: RADIUS: 32 30 36 35 37 [ 20657]
Sep 23 10:29:40.310 cdt: RADIUS: Message-Authenticato[80] 18
Sep 23 10:29:40.310 cdt: RADIUS: C6 A9 11 22 E8 6B B2 81 67 EF 9F 3D E7 80 C6 FF [ "kg=]
Sep 23 10:29:40.310 cdt: RADIUS: Vendor, Cisco [26] 30
Sep 23 10:29:40.310 cdt: RADIUS: Cisco AVpair [1] 24 "aaa:event=acl-download"
Sep 23 10:29:40.310 cdt: RADIUS: Vendor, Cisco [26] 75
Sep 23 10:29:40.310 cdt: RADIUS: Cisco AVpair [1] 69 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-57f6b0d3"
Sep 23 10:29:40.314 cdt: RADIUS: Vendor, Cisco [26] 42
Sep 23 10:29:40.314 cdt: RADIUS: Cisco AVpair [1] 36 "profile-name=Cisco-AP-Aironet-3600"
Sep 23 10:29:40.314 cdt: RADIUS(00000025): Received from id 1645/131
Sep 23 10:29:40.314 cdt: AAA/ATTR: invalid attribute prefix: "ACS"
Sep 23 10:29:40.314 cdt: RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE
Sep 23 10:29:40.314 cdt: %MAB-5-SUCCESS: Authentication successful for client (acf2.c5a5.357e) on Interface Gi2/12
Sep 23 10:29:40.314 cdt: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (acf2.c5a5.357e) on Interface Gi2/12
Sep 23 10:29:40.314 cdt: AAA/AUTHOR (0x0): Pick method list 'default'
Sep 23 10:29:40.318 cdt: RADIUS/ENCODE(00000000):Orig. component type = INVALID
Sep 23 10:29:40.318 cdt: RADIUS(00000000): Config NAS IP: 10.99.5.52
Sep 23 10:29:40.318 cdt: RADIUS: AAA Unsupported Attr: service [333] 12
Sep 23 10:29:40.318 cdt: RADIUS: 69 70 5F 61 64 6D 69 73 73 69 [ ip_admissi]
Sep 23 10:29:40.318 cdt: RADIUS: AAA Unsupported Attr: event [334] 12
Sep 23 10:29:40.318 cdt: RADIUS: 61 63 6C 2D 64 6F 77 6E 6C 6F [ acl-downlo]
Sep 23 10:29:40.318 cdt: RADIUS(00000000): sending
Sep 23 10:29:40.318 cdt: RADIUS(00000000): Send Access-Request to 10.18.16.77:1812 id 1645/132, len 85
Sep 23 10:29:40.318 cdt: RADIUS: authenticator 14 02 0D 26 A0 4A 8B 14 - E6 1D 67 E1 CA 5E 80 A9
Sep 23 10:29:40.318 cdt: RADIUS: NAS-IP-Address [4] 6 10.99.5.52
Sep 23 10:29:40.318 cdt: RADIUS: User-Name [1] 41 "#ACSACL#-IP-PERMIT_ALL_TRAFFIC-57f6b0d3"
Sep 23 10:29:40.318 cdt: RADIUS: Message-Authenticato[80] 18
Sep 23 10:29:40.318 cdt: RADIUS: 93 52 8C 5E 8B 0E BF E7 CC D5 2E 8C F5 73 6D 7A [ R^.smz]
Sep 23 10:29:40.322 cdt: RADIUS(00000000): Started 3 sec timeout
Sep 23 10:29:40.326 cdt: RADIUS: Received from id 1645/132 10.18.16.77:1812, Access-Reject, len 38
Sep 23 10:29:40.326 cdt: RADIUS: authenticator 97 96 7E 80 3C 69 23 CF - 27 CA 72 78 6E D9 24 42
Sep 23 10:29:40.326 cdt: RADIUS: Message-Authenticato[80] 18
Sep 23 10:29:40.330 cdt: RADIUS: 1D 76 CF 14 F9 AC 66 C0 B3 2D 38 13 05 80 DB D8 [ vf-8]
Sep 23 10:29:40.334 cdt: RADIUS(00000000): Received from id 1645/132
Sep 23 10:29:40.334 cdt: %AUTHMGR-5-FAIL: Authorization failed for client (acf2.c5a5.357e) on Interface Gi2/12
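Both debugs in this thread (the one in the question and the later one with full timestamps) have the same shape: the MAB Access-Request (id 1645/145, later 1645/131) gets an Access-Accept that names a dACL in the `ACS:CiscoSecure-Defined-ACL` AVpair, then the switch sends a second Access-Request (id 1645/146, later 1645/132) whose User-Name is that dACL name, gets an Access-Reject, and AUTHMGR-5-FAIL follows. Below is an added example, not code from the original post or from Cisco, that parses `debug radius` output of this form and reports which of the two transactions failed. The sample input is a constructed, abridged copy of the debug posted above; the regular expressions are assumptions about the IOS debug format based only on the lines visible on this page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: an abridged copy of the "debug radius" output in
# the thread (hex dumps and most attributes dropped). One MAB Access-Request
# is accepted with a dACL name; the request for that dACL is rejected.
SAMPLE_DEBUG = """\
05:46:20: RADIUS(0000000C): Send Access-Request to 10.18.16.77:1812 id 1645/145, len 159
05:46:20: RADIUS: User-Name [1] 14 "acf2c5a5357e"
05:46:20: RADIUS: Service-Type [6] 6 Call Check [10]
05:46:20: RADIUS: Received from id 1645/145 10.18.16.77:1812, Access-Accept, len 291
05:46:20: RADIUS: User-Name [1] 19 "AC-F2-C5-A5-35-7E"
05:46:20: RADIUS: Cisco AVpair [1] 24 "aaa:event=acl-download"
05:46:20: RADIUS: Cisco AVpair [1] 69 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-57f6b0d3"
05:46:20: MAB-5-SUCCESS: Authentication successful for client (acf2.c5a5.357e) on Interface Gi2/12
05:46:20: RADIUS(00000000): Send Access-Request to 10.18.16.77:1812 id 1645/146, len 85
05:46:20: RADIUS: User-Name [1] 41 "#ACSACL#-IP-PERMIT_ALL_TRAFFIC-57f6b0d3"
05:46:20: RADIUS: Received from id 1645/146 10.18.16.77:1812, Access-Reject, len 38
05:46:20: AUTHMGR-5-FAIL: Authorization failed for client (acf2.c5a5.357e) on Interface Gi2/12
"""

# Patterns are assumptions derived only from the lines visible in the thread.
# Both timestamp styles seen there are handled: "05:46:20: " and "Sep 23 10:29:40.298 cdt: ".
TIMESTAMP = re.compile(r"^(?:\w{3} +\d+ )?\d{2}:\d{2}:\d{2}(?:\.\d+)?(?: \w+)?: ")
SEND = re.compile(r"RADIUS\(\w+\): Send (Access-\w+) to \S+ id (\S+), len \d+")
RECV = re.compile(r"RADIUS: Received from id (\S+) \S+, (Access-\w+), len \d+")
ATTR = re.compile(r'RADIUS: ([A-Za-z][\w -]*?) \[\d+\] \d+(?: (.*))?$')  # decoded attribute line
SYSLOG = re.compile(r"%?([A-Z0-9]+-\d-[A-Z_]+): (.*)")                  # e.g. AUTHMGR-5-FAIL
DACL_PREFIX = "ACS:CiscoSecure-Defined-ACL="


@dataclass
class Transaction:
    packet_id: str                                  # "1645/145" as printed by IOS
    request: List[Tuple[str, str]] = field(default_factory=list)
    response_code: Optional[str] = None             # Access-Accept / Access-Reject / None
    response: List[Tuple[str, str]] = field(default_factory=list)

    def values(self, attr: str, side: str = "request") -> List[str]:
        pairs = self.request if side == "request" else self.response
        return [v for a, v in pairs if a == attr]


def parse_debug(text: str) -> Tuple[List[Transaction], List[Tuple[str, str]]]:
    """Group debug lines into RADIUS transactions keyed by the IOS packet id.

    Attribute lines after a Send belong to that request; attribute lines after
    a Received belong to that response. Syslog lines are returned separately.
    """
    txns: Dict[str, Transaction] = {}
    order: List[str] = []
    events: List[Tuple[str, str]] = []
    current: Optional[Transaction] = None
    side = "request"

    def get(pid: str) -> Transaction:
        if pid not in txns:
            txns[pid] = Transaction(pid)
            order.append(pid)
        return txns[pid]

    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw.strip(), count=1)
        if m := SEND.match(line):
            current, side = get(m.group(2)), "request"
        elif m := RECV.match(line):
            current, side = get(m.group(1)), "response"
            current.response_code = m.group(2)
        elif (m := ATTR.match(line)) and current is not None:
            value = (m.group(2) or "").strip().strip('"')
            (current.request if side == "request" else current.response).append((m.group(1), value))
        elif m := SYSLOG.match(line):
            events.append((m.group(1), m.group(2)))
    return [txns[p] for p in order], events


def diagnose(text: str) -> dict:
    """Tell a rejected MAB authentication apart from a rejected dACL download."""
    txns, events = parse_debug(text)
    report = {"mab": None, "dacl": None, "dacl_download": None,
              "authz_failed": any(tag == "AUTHMGR-5-FAIL" for tag, _ in events),
              "verdict": "no MAB transaction found"}
    # MAB requests carry Service-Type = Call Check; key on that, not on the MAC.
    mab = next((t for t in txns if any(v.startswith("Call Check") for v in t.values("Service-Type"))), None)
    if mab is None:
        return report
    report["mab"] = mab.response_code
    if mab.response_code != "Access-Accept":
        report["verdict"] = "MAB authentication itself was rejected"
        return report
    dacl = next((v[len(DACL_PREFIX):] for v in mab.values("Cisco AVpair", "response")
                 if v.startswith(DACL_PREFIX)), None)
    report["dacl"] = dacl
    if dacl is None:
        report["verdict"] = "MAB accepted; no dACL was returned"
        return report
    # The switch fetches the ACL contents with a second Access-Request whose
    # User-Name is the dACL name; that is the transaction to look at.
    download = next((t for t in txns if dacl in t.values("User-Name")), None)
    if download is None:
        report["verdict"] = "MAB accepted; dACL named but no download request was seen"
        return report
    report["dacl_download"] = download.response_code
    if download.response_code == "Access-Accept":
        report["verdict"] = "MAB accepted and dACL contents downloaded"
    else:
        report["verdict"] = (f"MAB accepted, but the dACL download request for {dacl!r} got "
                             f"{download.response_code}; the switch never received the ACL "
                             "and the session fails authorization")
    return report


if __name__ == "__main__":
    print(diagnose(SAMPLE_DEBUG)["verdict"])
```

Feed the whole `debug radius` capture (either timestamp style) to `diagnose()`. The report separates the case where ISE rejects the MAC itself from the case on this page, where the MAB Access-Request is accepted and it is the separate follow-up request for the dACL contents that gets the Access-Reject; that is the transaction to compare against the ISE live log rather than the MAB authentication that ISE shows as passed.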