09-06-2018 07:03 AM - edited 03-10-2019 01:05 AM
Good morning:
We are trying to solve an issue with a vendor; however, for them to move forward they are asking for a PCAP that shows EAPoL occurring. I have taken multiple pcaps and have been unable to find this within the PCAP. I have read other blogs/posts that state using a HUB between the device and switch is probably the best approach, but finding a hub these days is nearly impossible.
To give you some insight: we are using ISE/RADIUS as the Authentication Server, a WS-C3560CX-8PC-S switch as the Authenticator, and the end point/client.
Here is a snippet of the port config:
switchport access vlan X
switchport mode access
switchport voice vlan Y
no logging event link-status
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication event fail action next-method
authentication event server dead action authorize vlan X
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
snmp trap mac-notification change added
no snmp trap link-status
mls qos trust cos
dot1x pae authenticator
auto qos trust
spanning-tree portfast edge
ip dhcp snooping information option allow-untrusted
end
Any help / direction is very much appreciated.
Ty,
-Rob
09-06-2018 09:12 AM
WOW. We got it, and had to use a NON Company Laptop Asset. I wonder if there was some type of filtering unbeknownst to us... AnyConnect?
Ha, I don't know what prompted my colleague to use his own personal laptop, but thank goodness he did.
I can clearly see the EAP packets.
We are good to go!
Thanks guys!
-Rob
09-06-2018 07:27 AM
09-06-2018 07:43 AM
TY! I appreciate the reply!
So in this case we are capturing from the supplicant to the authenticator. So (at least in my mind) we would see the EAP success but understandably not see the 4-way handshake. But yes, we are doing exactly what you stated below with regards to capturing on the access port.
09-06-2018 07:48 AM
09-06-2018 08:04 AM
I agree with you but we are not seeing that. And yes, that cmd is enabled globally.
09-06-2018 08:12 AM
09-06-2018 08:40 AM
This is a phone. To make a long story short, we are sometimes seeing the client fail dot1x authentication and we need to show the vendor it happening in real time. They need a pcap showing EAPoL.
Yes, and these clients authenticate and succeed dot1x authentication.
(For protection I'm going to cover some stuff up.)
S-ISE#sho auth sess int gi0/3 details
Interface: GigabitEthernet0/3
MAC Address: aaaa.bbbb.cccc.dddd
IPv6 Address: Unknown
IPv4 Address: x.x.x.
User-Name: xxxxx
Status: Authorized
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 172800s (local), Remaining: 102554s
Session Uptime: 70285s
Common Session ID: 0AC0015000000239D2A32386
Acct Session ID: 0x00000D94
Handle: 0x0200013D
Current Policy: POLICY_Gi0/3
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure
Server Policies:
Method status list:
Method           State
dot1x            Authc Success
09-06-2018 07:36 AM
I would utilize port mirroring, i.e. SPAN. A basic SPAN, such as the one below, relays all packets from the source to the destination, where you would plug in a device running tcpdump or Wireshark.
monitor session 1 source interface Gi1/0/1
monitor session 1 destination interface Gi1/0/2
Have a read of the below, as RSPAN and ERSPAN might be appropriate in addition to local SPAN.
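An added check, not part of the thread or of any reply in it: once you have a capture from the SPAN destination port, it helps to confirm it actually contains EAPoL (ethertype 0x888e) before sending it to the vendor, rather than scrolling through Wireshark. The script below parses a classic pcap and lists every EAPoL frame with its EAPOL type and, for EAP packets, the EAP code and type; it also copes with an 802.1Q tag, since a SPAN of a port carrying a voice VLAN may deliver tagged frames. The MAC addresses, the VLAN ID and the sample frames are constructed for the example and are not from the original capture.

```python
"""List the EAPoL (IEEE 802.1X) frames in a classic pcap file."""
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key", 4: "EAPOL-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def iter_pcap_frames(data):
    """Yield (timestamp, frame_bytes) from classic pcap bytes with an Ethernet link type.
    pcapng (Wireshark's default save format) is rejected; save as pcap or use tcpdump -w."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != 1:
        raise ValueError("expected LINKTYPE_ETHERNET (1), got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def mac(addr):
    return ":".join("%02x" % b for b in addr)


def parse_eapol(frame):
    """Return a dict describing the frame if it is EAPoL, else None."""
    if len(frame) < 14:
        return None
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload, vlan = frame[14:], None
    if ethertype == 0x8100 and len(frame) >= 18:  # 802.1Q tagged: skip the tag
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, payload = tci & 0x0FFF, frame[18:]
    if ethertype != ETHERTYPE_EAPOL or len(payload) < 4:
        return None
    version, eapol_type, body_len = struct.unpack("!BBH", payload[:4])
    info = {"src": mac(src), "dst": mac(dst), "vlan": vlan, "eapol_version": version,
            "eapol_type": EAPOL_TYPES.get(eapol_type, str(eapol_type))}
    if eapol_type == 0 and body_len >= 4 and len(payload) >= 8:  # EAP-Packet: code, id, length[, type]
        code, ident, length = struct.unpack("!BBH", payload[4:8])
        info["eap_code"], info["eap_id"] = EAP_CODES.get(code, str(code)), ident
        if code in (1, 2) and length >= 5 and len(payload) > 8:
            info["eap_type"] = EAP_TYPES.get(payload[8], str(payload[8]))
    return info


def eapol_summary(pcap_bytes):
    """Return (total_frames, [eapol_info, ...]) for a pcap."""
    total, found = 0, []
    for _ts, frame in iter_pcap_frames(pcap_bytes):
        total += 1
        info = parse_eapol(frame)
        if info:
            info["frame"] = total
            found.append(info)
    return total, found


# --- constructed sample capture (not from the thread) ---
def eth(dst, src, ethertype, payload, vlan=None):
    hdr = bytes.fromhex(dst) + bytes.fromhex(src)
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan)
    return hdr + struct.pack("!H", ethertype) + payload


def eapol(eapol_type, body=b""):  # EAPOL version 2 header + body
    return struct.pack("!BBH", 2, eapol_type, len(body)) + body


def eap(code, ident, type_byte=None, data=b""):
    body = b"" if type_byte is None else bytes([type_byte]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def build_pcap(frames):  # little-endian classic pcap, Ethernet
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1536220800 + i, 0, len(f), len(f)) + f
    return out


SUPPLICANT, SWITCH, PAE_GROUP = "001122334455", "00aabbccddee", "0180c2000003"  # assumed MACs
SAMPLE_PCAP = build_pcap([
    eth(PAE_GROUP, SUPPLICANT, ETHERTYPE_EAPOL, eapol(1)),                       # EAPOL-Start
    eth(SUPPLICANT, SWITCH, ETHERTYPE_EAPOL, eapol(0, eap(1, 1, 1))),            # EAP Request/Identity
    eth("ffffffffffff", SUPPLICANT, 0x0806, b"\x00" * 28),                       # ARP, not EAPoL
    eth(PAE_GROUP, SUPPLICANT, ETHERTYPE_EAPOL, eapol(0, eap(2, 1, 1, b"phone")), vlan=100),  # tagged Response/Identity
    eth(SUPPLICANT, SWITCH, ETHERTYPE_EAPOL, eapol(0, eap(3, 2))),               # EAP Success
])

if __name__ == "__main__":
    total, found = eapol_summary(SAMPLE_PCAP)
    print("%d frames, %d EAPoL" % (total, len(found)))
    for f in found:
        print(f)
    if not found:
        print("No EAPoL seen: check the SPAN source/destination and any filter driver on the capture host")
```

On the capture host, `tcpdump -i <iface> -w eapol.pcap ether proto 0x888e` keeps only EAPoL and writes classic pcap; in Wireshark the display filter is simply `eapol`. If the script reports zero EAPoL frames on a port where the switch shows a dot1x session as Authorized, the frames are being dropped before the capture tool sees them (the thread's eventual finding about the laptop running AnyConnect is one such case), not absent from the wire.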
07-25-2019 12:19 PM
I had the same issue. Once I removed the AnyConnect mobility client from the laptop running Wireshark, I was able to see the EAP and EAPoL packets.