07-16-2012 05:41 AM - edited 03-10-2019 07:18 PM
hi,
When the supplicant is missing, vlan500 is open for the port and everything is OK, but when the supplicant has a wrong configuration something happens and the port is always authenticating (every 30s; vlan500 is not assigned to this port with the badly configured supplicant).
and logs show something like that
Jul 10 10:20:12.362: %AUTHMGR-5-START: Starting 'dot1x' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A3545161E4
Jul 10 10:20:44.365: %AUTHMGR-5-START: Starting 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %MAB-5-FAIL: Authentication failed for client (001e.3718.7297) on Interface Ga0/1AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-5-START: Starting 'dot1x' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
version - Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 15.0(1)SE2
port config:
interface GigabitEthernet0/1
switchport access vlan 104
switchport mode access
switchport voice vlan 200
authentication event fail action authorize vlan 500
authentication event no-response action authorize vlan 500
authentication order mab dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation replace
mab eap
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 3
dot1x timeout tx-period 1
dot1x max-req 1
dot1x max-reauth-req 1
dot1x timeout held-period 3
dot1x timeout auth-period 3
spanning-tree portfast
ip dhcp snooping limit rate 20
end
in global config:
dot1x system-auth-control
dot1x guest-vlan supplicant
#sh dot1x inter g0/1 det
Dot1x Info for GigabitEthernet0/1
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
QuietPeriod = 3
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 1
MaxReq = 1
TxPeriod = 1
Dot1x Authenticator Client List
-------------------------------
EAP Method = (0)
Supplicant = 001e.3718.7297
Session ID = 0A0EFF5D0000024C29E03686
Auth SM State = AUTHENTICATING
Auth BEND SM State = REQUEST
Please help.
Sorry for my bad English.
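The restart loop visible in the log above can be picked out of switch syslog with a short parser; this is an added example, not part of the original post and not Cisco tooling. The function name, the threshold, the assumed year (IOS timestamps here carry none) and the last two sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# First six lines: the log from the post. Last two: constructed, a client that succeeds.
SAMPLE = """\
Jul 10 10:20:12.362: %AUTHMGR-5-START: Starting 'dot1x' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A3545161E4
Jul 10 10:20:44.365: %AUTHMGR-5-START: Starting 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %MAB-5-FAIL: Authentication failed for client (001e.3718.7297) on Interface Ga0/1AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-5-START: Starting 'dot1x' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:21:00.000: %AUTHMGR-5-START: Starting 'dot1x' for client (0000.5e00.5301) on Interface Ga0/2 AuditSessionID 0A0EFF5B000004A500000000
Jul 10 10:21:01.500: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0000.5e00.5301) on Interface Ga0/2 AuditSessionID 0A0EFF5B000004A500000000
"""

# \S+?\s* tolerates the missing space before "AuditSessionID" in the MAB-5-FAIL line.
EVENT = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+): %(?P<fac>[A-Z0-9_]+)-\d-(?P<mn>[A-Z_]+): "
    r".*?client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+?)\s*"
    r"AuditSessionID (?P<sid>[0-9A-F]+)")

def find_auth_loops(log_text, min_starts=3, year=2012):
    """Return {(mac, intf): summary} for clients that keep restarting
    authentication methods without reaching a SUCCESS event."""
    clients = defaultdict(lambda: {"starts": 0, "fails": 0, "sessions": set(),
                                   "first": None, "last": None})
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue
        c = clients[(m["mac"], m["intf"])]
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        c["first"] = c["first"] or ts
        c["last"] = ts
        c["sessions"].add(m["sid"])      # a new AuditSessionID means the session restarted
        if m["mn"] == "START":
            c["starts"] += 1
        elif m["mn"] == "FAIL":
            c["fails"] += 1
        elif m["mn"] == "SUCCESS":
            c["starts"] = c["fails"] = 0  # authorized: reset the streak
    return {k: {"starts": v["starts"], "fails": v["fails"], "sessions": len(v["sessions"]),
                "span_s": (v["last"] - v["first"]).total_seconds()}
            for k, v in clients.items() if v["starts"] >= min_starts}

if __name__ == "__main__":
    print(find_auth_loops(SAMPLE))
```
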
07-16-2012 08:24 AM
Lukasz,
Try to remove the command "authentication event no-response action authorize vlan 500"; essentially, if MAB fails they will still get on the correct VLAN anyway.
See if that helps with your situation.
Thanks,
Tarik Admani
*Please rate helpful posts*
07-17-2012 12:13 AM
Thanks for the reply, but ...
...your idea did not help, still the same.
Interface: GigabitEthernet0/1
MAC Address: 001e.3718.7297
IP Address: Unknown
User-Name: host/tymczasowosc.krakow.qumak.pl
Status: Running
Domain: UNKNOWN
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0EFF5D000002BB47691865
Acct Session ID: 0x00000813
Handle: 0x500002BC
Runnable methods list:
Method State
dot1x Running
---------------------------------------------------------------------
interface GigabitEthernet0/1
description DOSTEP_DO_KORPO_214.A
switchport access vlan 104
switchport mode access
switchport voice vlan 200
authentication event fail retry 3 action authorize vlan 500
authentication order dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation replace
mab eap
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 3
dot1x timeout tx-period 1
dot1x max-req 1
dot1x max-reauth-req 1
dot1x timeout held-period 3
dot1x timeout auth-period 3
spanning-tree portfast
ip dhcp snooping limit rate 20
end
After I uninstall the supplicant, the laptop (without supplicant - Odyssey Access Client) should be in guest vlan500, but after I remove "authentication event no-response action authorize vlan 500" it won't work, so I need this command too.
I have no idea what to do next.
07-17-2012 04:57 AM
I wonder if this is an issue with the dot1x version that the new IOS code is using. Can you try uninstalling the Odyssey client and see if the native Windows supplicant works? Also, can you take a pcap of the client with the Odyssey client to see where this is failing?
Thanks,
Tarik Admani
*Please rate helpful posts*