I'm trying to configure MAC Auth against ACS. All documentation I found says it works; however, EAPOL must be disabled so the switch considers the host an agentless host and initiates the MAC authentication bypass process.
However, I can't seem to be able to disable EAPOL on WinXP, therefore I can't get MAC bypass to work.
dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet1/0/34
EAPOL pak dump Tx
EAPOL Version: 0x2 type: 0x0 length: 0x0004
EAP code: 0x3 id: 0x1 length: 0x0004
dot1x-packet:dot1x_auth_txCannedSuccess: EAPOL packet sent out for the default authenticator
I'm using a different PC and it doesn't even have the Auth tab...
I also disabled the Wireless Zero Configuration service... and nothing. The PC is still sending EAPOL packets and it doesn't even talk to ACS at all...
SH DOT1X DEBUG:
14:05:21: dot1x-registry:dot1x_switch_port_linkcomingup invoked on interface Fa1/0/34
14:05:21: dot1x-ev:dot1x_mgr_if_state_change: FastEthernet1/0/34 has changed to UP
14:05:21: dot1x_auth Fa1: initial state auth_initialize has enter
14:05:21: dot1x-sm:Fa1/0/34:0000.0000.0000:auth_initialize_enter called
14:05:21: dot1x_auth Fa1: during state auth_initialize, got event 1(cfg_force_auth)
14:05:21: @@@ dot1x_auth Fa1: auth_initialize -> auth_force_auth
14:05:21: dot1x-sm:Fa1/0/34:0000.0000.0000:auth_force_auth_enter called
14:05:21: dot1x-ev:Couldn't find a supplicant with mac 0000.0000.0000
14:05:21: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x3 id: 0x1 length: 0x0004 type: 0x0 data:
14:05:21: dot1x-ev:FastEthernet1/0/34:Sending EAPOL packet to group PAE address
14:05:21: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet1/0/34.
14:05:21: dot1x-registry:registry:dot1x_ether_macaddr called
14:05:21: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet1/0/34
14:05:21: EAPOL pak dump Tx
14:05:21: EAPOL Version: 0x2 type: 0x0 length: 0x0004
14:05:21: EAP code: 0x3 id: 0x1 length: 0x0004
14:05:21: dot1x-packet:dot1x_auth_txCannedSuccess: EAPOL packet sent out for the default authenticator
14:05:21: dot1x_auth_bend Fa1: initial state auth_bend_initialize has enter
14:05:21: dot1x-sm:Fa1/0/34:0000.0000.0000:auth_bend_initialize_enter called
14:05:21: dot1x_auth_bend Fa1: initial state auth_bend_initialize has idle
14:05:21: dot1x_auth_bend Fa1: during state auth_bend_initialize, got event 16383(idle)
14:05:21: @@@ dot1x_auth_bend Fa1: auth_bend_initialize -> auth_bend_idle
14:05:21: dot1x-sm:Fa1/0/34:0000.0000.0000:auth_bend_idle_enter called
14:05:21: dot1x-ev:Created a client entry for the supplicant 0000.0000.0000
14:05:21: dot1x-ev:Created a default authenticator instance on FastEthernet1/0/34
14:05:21: dot1x-registry:** dot1x_switch_vp_statechange:
14:05:21: dot1x-ev:vlan 1 vp is added on the interface FastEthernet1/0/34
14:05:21: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa1/0/34
14:05:23: %LINK-3-UPDOWN: Interface FastEthernet1/0/34, changed state to up
14:05:24: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/34, changed state to up
aaa authentication dot1x dot1x group radius
switchport mode access
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
radius-server host 10.10.10.20 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key cisco
I see no evidence of 1X on the PC from the debug. Actually, you're enabled for 1X, but also in a force-authorized mode. You'll need to add "dot1x port-control auto" for it to work correctly, and deny access until you authenticate.
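The diagnosis above can be checked mechanically. The following added Python script (not from the thread or from Cisco) reads an excerpt of the posted "debug dot1x" output and the posted port configuration, flags the force-authorized transition and the canned EAP-Success, and reports whether "dot1x port-control auto" is present. The constructed excerpts below are copied from the thread; the RADIUS check is a simple heuristic on the debug text.

```python
import re

# Constructed excerpt of the switch-side "debug dot1x" output quoted in the thread.
DEBUG_OUTPUT = """\
14:05:21: dot1x_auth Fa1: during state auth_initialize, got event 1(cfg_force_auth)
14:05:21: @@@ dot1x_auth Fa1: auth_initialize -> auth_force_auth
14:05:21: dot1x-ev:Couldn't find a supplicant with mac 0000.0000.0000
14:05:21: dot1x-packet:dot1x_auth_txCannedSuccess: EAPOL packet sent out for the default authenticator
"""

# Constructed port configuration matching the lines posted in the thread.
PORT_CONFIG = """\
switchport mode access
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
"""

# Matches the authenticator state-machine transitions, e.g. "auth_initialize -> auth_force_auth".
TRANSITION = re.compile(r"@@@ dot1x_auth \S+: (\w+) -> (\w+)")


def diagnose(debug_text, port_config):
    """Summarise what the authenticator did and whether this port can ever send a host to ACS."""
    transitions = TRANSITION.findall(debug_text)
    cfg_lines = {line.strip() for line in port_config.splitlines()}
    report = {
        # auth_initialize -> auth_force_auth: the port is force-authorized, so the
        # switch authorizes any host unconditionally and never queries RADIUS.
        "force_authorized": any(new == "auth_force_auth" for _, new in transitions),
        # txCannedSuccess: the switch fabricated the EAP-Success itself.
        "canned_success": "txCannedSuccess" in debug_text,
        # Heuristic: any line mentioning RADIUS would show the AAA server was consulted.
        "radius_contacted": any("radius" in line.lower() for line in debug_text.splitlines()),
        # The knob the reply points at: without it neither 802.1X nor MAB actually runs.
        "port_control_auto": "dot1x port-control auto" in cfg_lines,
    }
    report["mab_can_engage"] = report["port_control_auto"] and not report["force_authorized"]
    return report


def corrected_config(port_config):
    """Return the port configuration with 'dot1x port-control auto' appended if it is absent."""
    lines = [line.rstrip() for line in port_config.splitlines() if line.strip()]
    if "dot1x port-control auto" not in lines:
        lines.append("dot1x port-control auto")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for key, value in diagnose(DEBUG_OUTPUT, PORT_CONFIG).items():
        print(f"{key:20} {value}")
    print(corrected_config(PORT_CONFIG))
```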
Which service pack do you have installed?
Have you checked the following registry keys?
AuthMode has the following values:
0 - Computer authentication mode. If computer authentication is successful, no user authentication is attempted. If the user logon is successful before computer authentication, user authentication is performed. This is the default setting for Windows XP (prior to Service Pack 1).
1 - Computer authentication with re-authentication. If computer authentication is successful, a subsequent user logon results in a re-authentication with user credentials. The user logon has to complete in 60 seconds or the existing network connectivity is terminated. The user credentials are used for subsequent authentication or re-authentication. Computer authentication is not attempted again until the user logs off the computer. This is the default setting for Windows XP Service Pack 1 (SP1) and Windows Server 2003.
2 - Computer authentication only. When a user logs on, it has no effect on the connection. Only computer authentication is performed. The exception to this behavior is when a user successfully logs on, and then roams between wireless APs. In that case, user authentication is performed. For changes to this setting to take effect, restart the Wireless Zero Configuration service for Windows XP or Windows Server 2003.
SupplicantMode has the following values:
1 - Do not transmit. Specifies that EAPOL-Start messages are not sent.
2 - Transmit. Determines when to send EAPOL-Start messages and, if needed, sends an EAPOL-Start message.
3 - Transmit per 802.1x. Sends an EAPOL-Start message upon association to initiate the 802.1X authentication process.