06-10-2013 08:45 AM - edited 02-21-2020 04:54 AM
Hi all,
I have trouble with Cisco ISE trying to authenticate an Active Directory user. At first everything seems to run successfully, but the user doesn't get the specified VLAN and after a moment the dot1x fails. This is the port's config:
-------------------------------------------------------------------------------
Building configuration...
Current configuration : 463 bytes
!
interface FastEthernet0/17
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 40
authentication event no-response action authorize vlan 40
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
Switch#
----------------------------------------------------------------------------------------
And here the switch logs:
3d07h: %AUTHMGR-5-START: Starting 'dot1x' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %LINK-3-UPDOWN: Interface FastEthernet0/17, changed state to up
3d07h: %DOT1X-5-SUCCESS: Authentication successful for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-5-FAIL: Authorization failed for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/17, changed state to up
3d07h: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %DOT1X-5-FAIL: Authentication failed for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %DOT1X-5-FAIL: Authentication failed for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-5-START: Starting 'dot1x' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %DOT1X-5-FAIL: Authentication failed for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-5-START: Starting 'mab' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %MAB-5-SUCCESS: Authentication successful for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %IP_SNMP-4-NOTRAPIP: SNMP trap source FastEthernet0/24 has no ip address
3d07h: %AUTHMGR-5-FAIL: Authorization failed for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-5-START: Starting 'dot1x' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %DOT1X-5-FAIL: Authentication failed for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-5-START: Starting 'mab' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %MAB-5-SUCCESS: Authentication successful for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %IP_SNMP-4-NOTRAPIP: SNMP trap source FastEthernet0/24 has no ip address
3d07h: %AUTHMGR-5-FAIL: Authorization failed for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001a.4dd8.bb74) on Interface Fa0/17
Any ideas...
Please, I need help.
06-13-2013 05:36 PM
I'm using Cisco ACS for 802.1x with MAB, and I'm having the same issue. I can't even move to another port, as it fails to authenticate. My logs look similar to yours.
Sent from Cisco Technical Support iPhone App
06-18-2013 01:33 AM
While running into the above issue, could you please get the following outputs:
show auth session interface fa0/17
show mac address-table int fa0/17
show dot1x interface fa0/17
mac address of phone and PC
I don't see data and voice VLANs configured on the interface. Are you pushing dynamic VLANs from the RADIUS server? Please let me know how you have configured dynamic VLANs on RADIUS (a screenshot would work).
Can you show the aaa config using:
show run | in aaa
Jatin Katyal
- Do rate helpful posts -
06-18-2013 08:30 AM
With a SINGLE RADIUS-SERVER GROUP configured, the dot1x computer authenticates only once (if lucky), and then a switch reload is needed.
global config:
dot1x system-auth-control
aaa authentication dot1x default group radius
aaa authentication network default group radius
aaa accounting network default start-stop group radius
radius-server host 192.168.128.123 auth-port 1812 acct-port 1646 key radkey
radius-server host 192.168.128.121 auth-port 1645 acct-port 1646 key radkey
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication
interface config:
sw mode access
sw access vlan ID
sw voice vlan ID
auth host-mode multi-domain
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
mab
dot1x pae authenticator
dot1x timeout tx-period 3
span portfast
span bpduguard enable
I reconfigured the switch with TWO RADIUS SERVER GROUPS; now port-security is triggered.
global config for TWO radius server-group:
aaa group server radius RADIUS-PRI
server 192.168.128.123 auth-port 1812 acct-port 1646
aaa group server radius RADIUS-SEC
server 192.168.128.121
aaa authentication dot1x default group RADIUS-PRI group RADIUS-SEC
aaa authorization network default group RADIUS-PRI group RADIUS-SEC
aaa accounting dot1x default start-stop group RADIUS-PRI group RADIUS-SEC
Thank you,
A
Message was edited by: Adam Andersen, logs uploaded.
06-21-2013 02:03 AM
Hi,
I've got the same issue: a non-Cisco phone with a Windows PC connected behind it. After reloading the switch, the PC gets authenticated first. Then for about 10 minutes the phone gets no access. Suddenly it is authenticated and in the VOICE domain.
.Jun 21 10:41:26.711 CEST: %AUTHMGR-5-START: Starting 'dot1x' for client (0080.9f79.1de9) on Interface Fa0/1
.Jun 21 10:41:47.288 CEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f79.1de9) on Interface Fa0/1
.Jun 21 10:41:47.288 CEST: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0080.9f79.1de9) on Interface Fa0/1
.Jun 21 10:41:47.288 CEST: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0080.9f79.1de9) on Interface Fa0/1
.Jun 21 10:41:47.288 CEST: %AUTHMGR-5-START: Starting 'mab' for client (0080.9f79.1de9) on Interface Fa0/1
.Jun 21 10:41:47.297 CEST: %MAB-5-SUCCESS: Authentication successful for client (0080.9f79.1de9) on Interface Fa0/1
.Jun 21 10:41:47.297 CEST: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0080.9f79.1de9) on Interface Fa0/1
.Jun 21 10:41:47.297 CEST: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Fa0/1, new MAC address (0080.9f79.1de9) is seen.
Jun 21 10:51:46.192 CEST: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0080.9f79.1de9) on Interface Fa0/1
Interface  MAC Address     Method  Domain  Status         Session ID
Fa0/1      60eb.699e.4299  mab     DATA    Authz Success  0A871ECC0000000400019E27
Fa0/1      0080.9f79.1de9  dot1x   VOICE   Authz Success  0A871ECC0000000C000B8793
switchport mode access
switchport voice vlan 24
authentication event fail action next-method
authentication host-mode multi-domain
authentication order dot1x mab
authentication port-control auto
authentication violation restrict <-- so the interface does not get error-disabled
mab
dot1x pae authenticator
dot1x timeout tx-period 1
dot1x max-reauth-req 1
spanning-tree portfast
end
Maybe this brings us a bit closer to a solution.
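A small parser for the AUTHMGR/DOT1X/MAB syslog lines quoted in the first post and in the post above (added example, not code from the thread or from Cisco): it handles both timestamp styles seen here and tallies, per client MAC, the sequences worth looking at when triaging this kind of problem: an authorization failure right after the server reported success (the switch could not apply the returned VLAN/dACL), dot1x timeouts/no-response from the supplicant, failover to MAB, and security violations. The sample log is constructed from lines in the thread.

```python
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"^\.?(?P<ts>.+?): %(?P<mn>[A-Z0-9_]+-\d-[A-Z_]+): (?P<msg>.*)$")  # "3d07h: %X-5-Y: msg" or ".Jun 21 10:41:47.288 CEST: %X-5-Y: msg"
MAC_RE = re.compile(r"\(([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)")
RESULT_RE = re.compile(r"result '(?P<result>[\w-]+)' from '(?P<method>\w+)'")

def parse_events(text):
    """Yield (mac, mnemonic, result, method) per line; lines without a client MAC are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        mac = MAC_RE.search(m["msg"]) if m else None
        if not mac:  # e.g. the %IP_SNMP-4-NOTRAPIP noise in the first post
            continue
        r = RESULT_RE.search(m["msg"])
        yield mac.group(1), m["mn"], (r["result"] if r else None), (r["method"] if r else None)

def diagnose(text):
    """Per client MAC, count the event sequences that point at a supplicant or RADIUS authz problem."""
    findings = defaultdict(Counter)
    last_ok = {}  # mac -> method whose 'success' result the switch last reported
    for mac, mn, result, method in parse_events(text):
        if mn == "AUTHMGR-7-RESULT" and result == "success":
            last_ok[mac] = method
        elif mn == "AUTHMGR-7-RESULT" and result in ("timeout", "no-response"):
            findings[mac][f"{method}-{result}"] += 1  # supplicant did not answer EAP
        elif mn == "AUTHMGR-5-FAIL" and mac in last_ok:
            # server accepted, but the switch could not apply the returned attributes (VLAN/dACL)
            findings[mac][f"authz-fail-after-{last_ok.pop(mac)}-success"] += 1
        elif mn == "AUTHMGR-7-FAILOVER":
            findings[mac]["failover"] += 1
        elif mn == "AUTHMGR-5-SECURITY_VIOLATION":
            findings[mac]["security-violation"] += 1
    return {mac: dict(c) for mac, c in findings.items()}

# Constructed sample: lines taken from the two logs posted in this thread.
SAMPLE_LOG = """\
3d07h: %AUTHMGR-5-START: Starting 'dot1x' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %DOT1X-5-SUCCESS: Authentication successful for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-5-FAIL: Authorization failed for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %DOT1X-5-FAIL: Authentication failed for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %IP_SNMP-4-NOTRAPIP: SNMP trap source FastEthernet0/24 has no ip address
.Jun 21 10:41:47.288 CEST: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0080.9f79.1de9) on Interface Fa0/1
.Jun 21 10:41:47.297 CEST: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0080.9f79.1de9) on Interface Fa0/1
.Jun 21 10:41:47.297 CEST: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Fa0/1, new MAC address (0080.9f79.1de9) is seen.
"""
```

Run `diagnose(SAMPLE_LOG)` against a full `show logging` capture to see which client is stuck on authorization rather than authentication.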
06-21-2013 03:03 AM
Salamo Alaykom,
I was able to pass the authentication by avoiding the DACL Allow_All_Traffic, even though it contains only 'permit any any' (strange problem). Now Active Directory users are authenticated by dot1x (and stay authenticated) and get the specified VLAN.
Here is a snapshot of the authentication session:
And here the aaa config:
!
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
!
I remember I succeeded with MAB for an IP phone and a PC on the same link (I'm not in the lab to test this now), and I configured the VLAN from Policy > Authorization > Policy Elements > Results and the specified authorization.
Hope this will help!
07-25-2013 04:21 PM
Currently it seems this is an ISE 1.1.x bug; as a workaround you can use, in ALL the dot1x authorization profiles (Compliant and Not Compliant as well), this magic Cisco AV-Pair:
termination-action-modifier=1
This forces ISE to use the last authentication, DOT1X, while keeping the original port authentication order syntax:
authentication order mab dot1x
authentication priority dot1x mab
which worked flawlessly before Cisco 1.1.x. It does not work now.
This is (not very) well documented at this URL, in the last note at the bottom of the page.
Hope this will help ALL.
This "feature" wasted about 2 days (and this night) of my life.