
802.1x Cisco with NPS - How to Block Computer outside Domain

ricardo.pedrosa
Level 1

Hello guys, I am having trouble configuring 802.1x at my job.

The project scope is blocking computers outside the company domain using a Cisco switch and NPS (maybe).

How can I do this?

Below is the configuration that I put on the Cisco 2960 switch.

aaa new-model

aaa authentication dot1x default group radius

Interface

interface FastEthernet0/1
switchport access vlan 216
switchport mode access
authentication port-control auto
authentication periodic
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 3

radius-server host x.x.x.x key TESTE
radius-server host x.x.x.x auth-port 1812 acct-port 1813 key TESTE
radius-server key TESTE


Attached are the NPS topology and screenshots.

Please help me.

1 Reply

ricardo.pedrosa
Level 1

SWBHEJPA55#sh authentication sessions interface fastEthernet 0/1
Interface: FastEthernet0/1
MAC Address: 5cff.3508.f16d
IP Address: Unknown
User-Name: UNRESPONSIVE
Status: Authz Failed
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC1D00370000008606628B5C
Acct Session ID: 0x000000A2
Handle: 0xA5000087

Runnable methods list:
Method State
dot1x Failed over

SWBHEJPA55#
Aug 17 17:59:07 BRA: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
Aug 17 17:59:08 BRA: %SYS-5-CONFIG_I: Configured from console by TESTE on vty0 (172.29.2.4)
1d05h: dot1x-ev(Fa0/1): Interface state changed to UP
1d05h: dot1x_auth Fa0/1: initial state auth_initialize has enter
1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_initialize_enter called
1d05h: dot1x_auth Fa0/1: during state auth_initialize, got event 0(cfg_auto)
1d05h: @@@ dot1x_auth Fa0/1: auth_initialize -> auth_disconnected
1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_disconnected_enter called
1d05h: dot1x_auth Fa0/1: idle during state auth_disconnected
1d05h: @@@ dot1x_auth Fa0/1: auth_disconnected -> auth_restart
1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_restart_enter called
1d05h: dot1x-ev(Fa0/1): Sending create new context event to EAP for 0x65000152 (0000.0000.0000)
1d05h: dot1x_auth_bend Fa0/1: initial state auth_bend_initialize has enter
1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_bend_initialize_enter called
1d05h: dot1x_auth_bend Fa0/1: initial state auth_bend_initialize has idle
1d05h: dot1x_auth_bend Fa0/1: during state auth_bend_initialize, got event 16383(idle)
1d05h: @@@ dot1x_auth_bend Fa0/1: auth_bend_initialize -> auth_bend_idle
1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_bend_idle_enter called
1d05h: dot1x-ev(Fa0/1): Created a client entry (0x65000152)
1d05h: dot1x-ev(Fa0/1): Dot1x authentication started for 0x65000152 (0000.0000.0000)
1d05h: dot1x-ev:DOT1X Supplicant not enabled on FastEthernet0/1
1d05h: dot1x-sm(Fa0/1): Posting !EAP_RESTART on Client 0x65000152
1d05h: dot1x_auth Fa0/1: during state auth_restart, got event 6(no_eapRestart)
1d05h: @@@ dot1x_auth Fa0/1: auth_restart -> auth_connecting
1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_connecting_enter called
1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_restart_connecting_action called
1d05h: dot1x-sm(Fa0/1): Posting RX_REQ on Client 0x65000152
1d05h: dot1x_auth Fa0/1: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
1d05h: @@@ dot1x_auth Fa0/1: auth_connecting -> auth_authenticating
1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_authenticating_enter called
1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_connecting_authenticating_action called
1d05h: dot1x-sm(Fa0/1): Posting AUTH_START for 0x65000152
1d05h: dot1x_auth_bend Fa0/1: during state auth_bend_idle, got event 4(eapReq_authStart)
1d05h: @@@ dot1x_auth_bend Fa0/1: auth_bend_idle -> auth_bend_request
1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_bend_request_enter called
1d05h: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
1d05h: dot1x-ev(Fa0/1): Role determination not required
1d05h: dot1x-registry:registry:dot1x_ether_macaddr called
1d05h: dot1x-ev(Fa0/1): Sending out EAPOL packet
1d05h: EAPOL pak dump Tx
1d05h: EAPOL Version: 0x3 type: 0x0 length: 0x0005
1d05h: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
1d05h: dot1x-packet(Fa0/1): EAPOL packet sent to client 0x65000152 (0000.0000.0000)
1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_bend_idle_request_action called
1d05h: dot1x-ev(Fa0/1): New client notification from AuthMgr for 0x65000152 - 5cff.3508.f16d
Aug 17 17:59:09 BRA: %AUTHMGR-5-START: Starting 'dot1x' for client (5cff.3508.f16d) on Interface Fa0/1 AuditSessionID AC1D003700000089066797ED
1d05h: dot1x-sm(Fa0/1): Posting RESTART on Client 0x65000152
1d05h: dot1x_auth Fa0/1: during state auth_authenticating, got event 13(restart)
1d05h: @@@ dot1x_auth Fa0/1: auth_authenticating -> auth_aborting
1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_authenticating_exit called
1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_aborting_enter called
1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_authenticating_aborting_action called
1d05h: dot1x-sm(Fa0/1): Posting AUTH_ABORT for 0x65000152
1d05h: dot1x_auth_bend Fa0/1: during state auth_bend_request, got event 1(authAbort)
1d05h: @@@ dot1x_auth_bend Fa0/1: auth_bend_request -> auth_bend_initialize
1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_bend_initialize_enter called
1d05h: dot1x_auth_bend Fa0/1: idle during state auth_bend_initialize
1d05h: @@@ dot1x_auth_bend Fa0/1: auth_bend_initialize -> auth_bend_idle
1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_bend_idle_enter called
1d05h: dot1x-sm(Fa0/1): Posting !AUTH_ABORT on Client 0x65000152
1d05h: dot1x_auth Fa0/1: during state auth_aborting, got event 20(no_eapolLogoff_no_authAbort)
1d05h: @@@ dot1x_auth Fa0/1: auth_aborting -> auth_restart
1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_aborting_exit called
1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_restart_enter called
1d05h: dot1x-ev(Fa0/1): Resetting the client 0x65000152 (5cff.3508.f16d)
1d05h: dot1x-ev(Fa0/1): Sending create new context event to EAP for 0x65000152 (5cff.3508.f16d)
1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_aborting_restart_action called
1d05h: dot1x-sm(Fa0/1): Posting !EAP_RESTART on Client 0x65000152
1d05h: dot1x_auth Fa0/1: during state auth_restart, got event 6(no_eapRestart)
1d05h: @@@ dot1x_auth Fa0/1: auth_restart -> auth_connecting
1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_connecting_enter called
1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_restart_connecting_action called
1d05h: dot1x-sm(Fa0/1): Posting RX_REQ on Client 0x65000152
1d05h: dot1x_auth Fa0/1: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
1d05h: @@@ dot1x_auth Fa0/1: auth_connecting -> auth_authenticating
1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_authenticating_enter called
1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_connecting_authenticating_action called
1d05h: dot1x-sm(Fa0/1): Posting AUTH_START for 0x65000152
1d05h: dot1x_auth_bend Fa0/1: during state auth_bend_idle, got event 4(eapReq_authStart)
1d05h: @@@ dot1x_auth_bend Fa0/1: auth_bend_idle -> auth_bend_request
1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_bend_request_enter called
1d05h: dot1x-ev(Fa0/1): Sending EAPOL packet to 5cff.3508.f16d
1d05h: dot1x-ev(Fa0/1): Role determination not required
1d05h: dot1x-registry:registry:dot1x_ether_macaddr called
1d05h: dot1x-ev(Fa0/1): Sending out EAPOL packet
1d05h: EAPOL pak dump Tx
1d05h: EAPOL Version: 0x3 type: 0x0 length: 0x0005
1d05h: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
1d05h: dot1x-packet(Fa0/1): EAPOL packet sent to client 0x65000152 (5cff.3508.f16d)
1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_bend_idle_request_action called
Aug 17 17:59:10 BRA: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
1d05h: dot1x-sm(Fa0/1): Posting EAP_REQ for 0x65000152
1d05h: dot1x_auth_bend Fa0/1: during state auth_bend_request, got event 7(eapReq)
1d05h: @@@ dot1x_auth_bend Fa0/1: auth_bend_request -> auth_bend_request
1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_bend_request_request_action called
1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_bend_request_enter called
1d05h: dot1x-ev(Fa0/1): Sending EAPOL packet to 5cff.3508.f16d
1d05h: dot1x-ev(Fa0/1): Role determination not required
1d05h: dot1x-registry:registry:dot1x_ether_macaddr called
1d05h: dot1x-ev(Fa0/1): Sending out EAPOL packet
1d05h: EAPOL pak dump Tx
1d05h: EAPOL Version: 0x3 type: 0x0 length: 0x0005
1d05h: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
1d05h: dot1x-packet(Fa0/1): EAPOL packet sent to client 0x65000152 (5cff.3508.f16d)
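
An added example, not part of the original post: a small Python triage script for `debug dot1x` output of the kind shown above. It decodes the EAP dumps and compares retransmitted requests with received responses; the sample lines are constructed in the post's format, and the way received frames are labelled (any direction word other than `Tx`) is an assumption.

```python
import re

# Constructed sample in the format of the debug output above (not a new capture).
SAMPLE = """\
1d05h: @@@ dot1x_auth_bend Fa0/1: auth_bend_idle -> auth_bend_request
1d05h: EAPOL pak dump Tx
1d05h: EAPOL Version: 0x3 type: 0x0 length: 0x0005
1d05h: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
1d05h: @@@ dot1x_auth_bend Fa0/1: auth_bend_request -> auth_bend_request
1d05h: EAPOL pak dump Tx
1d05h: EAPOL Version: 0x3 type: 0x0 length: 0x0005
1d05h: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "EAP-TLS", 25: "PEAP"}

TRANSITION = re.compile(r"@@@ (dot1x_auth(?:_bend)?) (\S+): (\w+) -> (\w+)")
# Assumption: received frames are dumped with a direction word other than "Tx".
DUMP = re.compile(r"EAPOL pak dump (\w+)", re.I)
EAP = re.compile(r"EAP code: (0x[0-9a-f]+) id: (0x[0-9a-f]+) length: \S+(?: type: (0x[0-9a-f]+))?", re.I)

def parse(log):
    """Return (state transitions, decoded EAP packets) from debug dot1x text."""
    transitions, packets, direction = [], [], None
    for line in log.splitlines():
        if m := TRANSITION.search(line):
            transitions.append(m.groups())
        elif m := DUMP.search(line):
            direction = m[1].lower()
        elif direction and (m := EAP.search(line)):
            code, ident = int(m[1], 16), int(m[2], 16)
            etype = EAP_TYPES.get(int(m[3], 16), m[3]) if m[3] else None
            packets.append((direction, EAP_CODES.get(code, code), ident, etype))
            direction = None
    return transitions, packets

def triage(log):
    """Summarise whether the supplicant ever answered the authenticator."""
    transitions, packets = parse(log)
    sent = [p for p in packets if p[0] == "tx" and p[1] == "Request"]
    received = [p for p in packets if p[0] != "tx"]
    # RFC 3748: a retransmitted Request reuses the same Identifier.
    retransmits = len(sent) - len({(p[2], p[3]) for p in sent})
    verdict = ("supplicant unresponsive" if sent and not received
               else "supplicant responding" if received else "no EAP traffic")
    return {"requests": len(sent), "responses": len(received),
            "retransmits": retransmits, "transitions": len(transitions), "verdict": verdict}
```

In the log posted above, every dump is a `Tx` EAP-Request/Identity with id `0x1`, which is consistent with the `User-Name: UNRESPONSIVE` entry in the session output.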