How to capture EAPoL packets

Good morning:

 

We are trying to solve an issue with a vendor; however, for them to move forward they are asking for a PCAP that shows EAPoL occurring. I have taken multiple pcaps and have been unable to find this within the PCAP. I have read other blogs/posts that state using a HUB between the device and switch is probably the best approach, but finding a hub these days is nearly impossible.

 

To give you some insight we are using ISE/Radius for Authentication Server --- WS-C3560CX-8PC-S Switch for the Authenticator and the end point/client. 

 

Here is a snippet of the port config:

 

 switchport access vlan X
 switchport mode access
 switchport voice vlan Y
 no logging event link-status
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication event fail action next-method
 authentication event server dead action authorize vlan X
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 no snmp trap link-status
 mls qos trust cos
 dot1x pae authenticator
 auto qos trust
 spanning-tree portfast edge
 ip dhcp snooping information option allow-untrusted
end

 

Any help / direction is very much appreciated. 

 

Ty,

-Rob


Hi Rob,
Where are you capturing the traffic? EAPOL is sent from the client to the switch; from the switch to the RADIUS server it is encapsulated in a RADIUS packet, so you would not see it there. You can capture this from the access port the computer is plugged into: use a SPAN port and mirror the traffic to your laptop to capture it. You can filter in Wireshark using "eapol".

HTH

TY! I appreciate the reply! 

 

So in this case we are capturing from the supplicant to the authenticator. So (at least in my mind) we would see the EAP success but understandably not see the 4-way handshake. But yes, we are doing exactly what you stated below with regards to capturing on the access port.

Well, in the packet capture you should see an EAPOL Start, Request Identity, Response Identity, etc., and lastly an EAP Success.

Do you have 802.1x enabled globally? - dot1x system-auth-control
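As an added example that is not part of this thread: a small Python decoder for Ethernet frames already captured from the SPAN port (for instance read out of the pcap with a pcap library). It labels each EAPOL frame (EtherType 0x888E, which is what Wireshark's "eapol" filter matches), including frames that arrive with an 802.1Q tag as a phone on the voice VLAN may, and reports which of the steps listed above are missing from the capture. The sample frames, VLAN id, MAC addresses and identity string are constructed here for illustration.

```python
import struct

ETHERTYPE_8021Q, ETHERTYPE_EAPOL = 0x8100, 0x888E  # 0x888E is what Wireshark's "eapol" filter matches
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EXPECTED = ["EAPOL-Start", "EAP Request Identity", "EAP Response Identity", "EAP Success"]

def describe_eapol(frame: bytes):
    """Label an Ethernet frame carrying EAPOL, or None for anything else (including truncated frames).
    One 802.1Q tag is skipped: a SPAN copy of a phone on the voice VLAN may arrive tagged."""
    off, vlan = 12, None
    ethertype = struct.unpack_from("!H", frame, off)[0] if len(frame) >= 14 else None
    if ethertype == ETHERTYPE_8021Q and len(frame) >= 18:
        vlan = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype != ETHERTYPE_EAPOL or len(frame) < off + 6:
        return None
    _version, eapol_type, body_len = struct.unpack_from("!BBH", frame, off + 2)
    body = frame[off + 6: off + 6 + body_len]
    label = EAPOL_TYPES.get(eapol_type, f"EAPOL-type-{eapol_type}")
    if eapol_type == 0 and len(body) >= 4:                # EAP-Packet: decode the EAP header too
        code, _eap_id, eap_len = struct.unpack_from("!BBH", body, 0)
        label = "EAP " + EAP_CODES.get(code, f"code-{code}")
        if code in (1, 2) and len(body) >= 5:             # Request/Response carry an EAP type byte
            label += " Identity" if body[4] == 1 else f" type-{body[4]}"
            if code == 2 and body[4] == 1:                # Response/Identity carries the user name
                label += " (" + body[5:eap_len].decode("ascii", "replace") + ")"
    return label if vlan is None else f"{label} [vlan {vlan}]"

def missing_steps(frames):
    """Steps of the exchange the thread expects that appear nowhere in the capture ([] means complete)."""
    labels = [lab for lab in map(describe_eapol, frames) if lab]
    return [step for step in EXPECTED if not any(lab.startswith(step) for lab in labels)]

def make_frame(payload: bytes, vlan=None) -> bytes:       # constructed sample frame, not from a real capture
    tag = struct.pack("!HH", ETHERTYPE_8021Q, vlan) if vlan is not None else b""
    # destination is the 802.1X PAE group MAC; the source MAC is made up
    return bytes.fromhex("0180c2000003" "aabbccddeeff") + tag + struct.pack("!H", ETHERTYPE_EAPOL) + payload

def make_eap(code, eap_id, eap_type=None, data=b""):     # constructed EAPOL v2 EAP-Packet around one EAP message
    rest = (bytes([eap_type]) if eap_type is not None else b"") + data
    eap = struct.pack("!BBH", code, eap_id, 4 + len(rest)) + rest
    return struct.pack("!BBH", 2, 0, len(eap)) + eap

SAMPLE_CAPTURE = [                                        # constructed; mirrors the sequence in the thread
    make_frame(struct.pack("!BBH", 2, 1, 0), vlan=200),   # EAPOL-Start from the phone
    make_frame(make_eap(1, 1, 1), vlan=200),              # Request/Identity from the switch
    make_frame(make_eap(2, 1, 1, b"phone-0003@example.com"), vlan=200),  # Response/Identity
    make_frame(make_eap(3, 2), vlan=200),                 # EAP Success
]
```

If a capture of a failing phone is fed through `missing_steps`, an empty result with the failure reproduced means the problem is past the EAPOL exchange (for example on the RADIUS side), which is exactly what the vendor asked to be shown.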

I agree with you but we are not seeing that.  And yes, that cmd is enabled globally.

Does the switch even recognise the client is attempting to run dot1x?
What supplicant are you using (e.g. Windows native, AnyConnect)?

When you plug in a device, what is the output of "show authentication session interface x"? It should show at the bottom of the output whether dot1x has actually run.

This is a phone. To make a long story short, we are sometimes seeing the client fail dot1x authentication and we need to show the vendor this happening in real time. They need a pcap showing EAPoL.

 

Yes, and these clients authenticate and succeed dot1x authentication.

 

(For protection I'm going to cover some stuff up.)

 

S-ISE#sho auth sess int gi0/3 details
            Interface:  GigabitEthernet0/3
          MAC Address:  aaaa.bbbb.cccc.dddd
         IPv6 Address:  Unknown
         IPv4 Address:  x.x.x.
            User-Name:  xxxxx
               Status:  Authorized
               Domain:  VOICE
       Oper host mode:  multi-domain
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  172800s (local), Remaining: 102554s
       Session Uptime:  70285s
    Common Session ID:  0AC0015000000239D2A32386
      Acct Session ID:  0x00000D94
               Handle:  0x0200013D
       Current Policy:  POLICY_Gi0/3

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure
      Security Status:  Link Unsecure

Server Policies:

Method status list:
      Method            State

      dot1x              Authc Success

Joel

I would utilize port mirroring, i.e. SPAN. A basic SPAN, such as the one below, relays all packets from the source to the destination, where you would plug in a device running tcpdump or Wireshark.

 

monitor session 1 source interface Gi1/0/1
monitor session 1 destination interface Gi1/0/2

 

Have a read of the below as RSPAN and ERSPAN might be appropriate in addition to SPAN (local).

 

https://community.cisco.com/t5/network-architecture-documents/how-to-configure-port-monitoring-span-on-a-catalyst-2940-2950/ta-p/3132032

 

WOW. We got it and had to use a NON Company Laptop Asset. I wonder if there was some type of filtering unbeknownst to us... AnyConnect?

 

Ha I don't know what prompted my colleague to use his own personal laptop but thank goodness he did.

 

I can clearly see the EAP packets. 

 

We are good to go!

 

Thanks guys!

-Rob

I had the same issue. Once I removed the AnyConnect mobility client from the laptop running Wireshark I was able to see the EAP and EAPoL packets.