Beginner

CLIENT AUTHENTICATION FAILURE

Hi all,

I have set up ISE on VMware and am using a real switch for authentication configurations and a test PC. The network device is set up in ISE together with the MAC address of the client; however, there is an authentication failure! I have disabled Windows Firewall on the host and test PC but with no success. Kindly advise how I can sort this out. Please find the switch configs attached!

Thanks!

8 REPLIES 8
VIP Engager

Re: CLIENT AUTHENTICATION FAILURE

Can you provide us with the ISE authentication details log? ISE often gives a pretty direct reason for an authentication failure, or we can at least infer quite a bit from it.
Beginner

Re: CLIENT AUTHENTICATION FAILURE

Hi Damien,

Thanks for the quick response! From the ISE side I didn't see much in the Operations > Live Authentication section, just old authentication failures. I hope I am checking the right place. Here is a snapshot attached.

VIP Advisor

Re: CLIENT AUTHENTICATION FAILURE

In addition to the other post.

You need to check RADIUS connectivity on UDP ports 1812 and 1813.

If you type show aaa server on the switch you will see the RADIUS status dead.

Can you also enable debug (to see what is wrong), since if the packet has not reached ISE, ISE would not have any logs in this case:

debug radius
debug authentication all
debug authentication feature all

BB
*** Rate All Helpful Responses ***
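
As an added illustration (not part of the reply above and not Cisco code), the output of these debugs can be triaged offline: the Python script below pairs each Access-Request with its reply by packet id, reports which server and UDP port the switch actually used, and counts the AUTHMGR results per interface. The `triage` function, the sample lines, the addresses and the MAC are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the format of IOS "debug radius" / AUTHMGR output
# (documentation addresses and MAC; not taken from a real device).
SAMPLE = """\
*Jan 2 03:03:18.387: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID 0A00000100000001
*Jan 2 03:04:50.905: RADIUS(00000000): Send Access-Request to 192.0.2.145:1645 id 1645/6, len 58
*Jan 2 03:04:50.972: RADIUS: Received from id 1645/6 192.0.2.145:1645, Access-Accept, len 122
*Jan 2 03:05:32.429: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0000.5e00.5301) on Interface Fa0/3 AuditSessionID 0A00000100000001
*Jan 2 03:06:10.100: RADIUS(00000000): Send Access-Request to 192.0.2.145:1645 id 1645/7, len 58
*Jan 2 03:08:05.068: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (0000.5e00.5301) on Interface Fa0/3 AuditSessionID 0A00000100000001
"""

SEND = re.compile(r"Send Access-Request to (\S+):(\d+) id (\S+),")
RECV = re.compile(r"Received from id (\S+) (\S+):(\d+), (Access-\w+)")
RESULT = re.compile(r"Authentication result '([\w-]+)' from '(\w+)' "
                    r"for client \(([^)]+)\) on Interface (\S+)")

def triage(text):
    """Summarise RADIUS reachability and 802.1X results from switch debugs."""
    pending = {}                      # packet id -> (server, port) awaiting a reply
    sent, replies, results = Counter(), Counter(), Counter()
    for line in text.splitlines():
        if m := SEND.search(line):
            server = (m[1], int(m[2]))
            pending[m[3]] = server
            sent[server] += 1
        elif m := RECV.search(line):
            pending.pop(m[1], None)
            replies[(m[2], int(m[3]), m[4])] += 1
        elif m := RESULT.search(line):
            # key: (interface, method, result), e.g. ('Fa0/3', 'dot1x', 'timeout')
            results[(m[4], m[2], m[1])] += 1
    return {
        "sent": dict(sent),
        "replies": dict(replies),
        # No reply seen: the request or its answer did not get through.
        "unanswered": sorted(pending.values()),
        # 1645/1646 are the legacy RADIUS ports; 1812/1813 are the assigned ones.
        "legacy_port": sorted(s for s in sent if s[1] in (1645, 1646)),
        "results": dict(results),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

Requests listed under `unanswered` point at the network path or server side, while `no-response` or `timeout` results with answered requests point at the supplicant on the access port.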
Beginner

Re: CLIENT AUTHENTICATION FAILURE

Hi Balaji,

Firstly, thanks for the prompt response. I have captured logs from the switch (please find attached). Kindly clarify which device I am checking for ports 1812/1813, and if it's the switch, how will I check this? I have checked from the ISE GUI, Operations > Live Authentication (is this the correct place?), there is much there just old authentication failure.

Just to clarify, f0/1 is connected to my laptop where ISE is running, and f0/3 is connected to the test PC.

I came across these lines in the logs; does it mean dot1x is not enabled on the test PC?

Jan 2 04:47:38.428: AUTH-FEAT-CRITICAL-EVENT (Fa0/3) Critcal authc fail, mac a0d3.c19c.5956, auth_event 2
*Jan 2 04:47:38.428: AUTH-FEAT-CRITICAL-EVENT (Fa0/3) Critical auth not applicable. Feature is not enabled

 

Thanks once more!

Cisco Employee

Re: CLIENT AUTHENTICATION FAILURE

In your snapshot you will see the column "details".

Please click on that and provide a screenshot of those logs.

As well, please provide the authentication policy you have set up.

Beginner

Re: CLIENT AUTHENTICATION FAILURE

Hi Idanny,

Thanks for your response. I have taken snapshots of the detail column. It's a fresh installation and I am just beginning to use ISE, so I didn't set any authentication policy on ISE.

snapshot-section1.PNG, snapshot-section2.PNG, snapshot-section3.PNG, snapshot-section4.PNG

Beginner

Re: CLIENT AUTHENTICATION FAILURE

Hi,

An update on the authentication policy. See attached!

Thanks.

Beginner

Re: CLIENT AUTHENTICATION FAILURE

Hi,

Please find more debugs from today's troubleshooting. Thanks.

SW1#
*Jan 2 03:03:18.387: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
*Jan 2 03:03:18.387: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
*Jan 2 03:03:18.387: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
*Jan 2 03:03:18.387: %AUTHMGR-7-NOM
SW1#OREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
*Jan 2 03:03:18.387: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
SW1#
*Jan 2 03:04:06.999: %AUTHMGR-5-START: Starting 'dot1x' for client (0022.64b3.0b38) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
SW1#test aaa group radisu  us j Joseph @i  Winter2019 ke  legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated.

SW1#
*Jan 2 03:04:50.905: RADIUS: Pick NAS IP for u=0x593D66C tableid=0 cfg_addr=0.0.0.0
*Jan 2 03:04:50.905: RADIUS(00000000): Config NAS IPv6: ::
*Jan 2 03:04:50.905: RADIUS: ustruct sharecount=1
*Jan 2 03:04:50.905: Radius: radius_port_info() success=0 radius_nas_port=1
*Jan 2 03:04:50.905: RADIUS/ENCODE: Best Local IP-Address 192.168.159.2 for Radius-Server 192.168.159.145
*Jan 2 03:04:50.905: RADIUS(00000000): Send Access-Requ
SW1#est to 192.168.159.145:1645 id 1645/6, len 58
*Jan 2 03:04:50.905: RADIUS: authenticator FD 02 72 DE 6F 30 CD 7A - C1 2C 09 6A B0 2D 02 9E
*Jan 2 03:04:50.905: RADIUS: NAS-IP-Address [4] 6 192.168.159.2
*Jan 2 03:04:50.905: RADIUS: NAS-Port-Type [61] 6 Async [0]
*Jan 2 03:04:50.905: RADIUS: User-Name [1] 8 "Joseph"
*Jan 2 03:04:50.905: RADIUS: User-Password [2] 18 *
*Jan 2 03:04:50.905: RADIUS(00000000): Sending a IP
SW1#v4 Radius Packet
*Jan 2 03:04:50.905: RADIUS(00000000): Started 5 sec timeout
*Jan 2 03:04:50.972: RADIUS: Received from id 1645/6 192.168.159.145:1645, Access-Accept, len 122
*Jan 2 03:04:50.972: RADIUS: authenticator F1 D9 34 78 8E DE 1A 14 - 96 23 04 67 EA 4A D3 8A
*Jan 2 03:04:50.972: RADIUS: User-Name [1] 8 "Joseph"
*Jan 2 03:04:50.972: RADIUS: State [24] 40
*Jan 2 03:04:50.972: RADIUS: 52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 63 30 [ReauthSession:c0] SW1#
*Jan 2 03:04:50.972: RADIUS: 61 38 39 66 39 31 30 30 30 30 30 30 30 35 35 43 [a89f91000000055C]
*Jan 2 03:04:50.972: RADIUS: 38 42 42 37 46 32 [ 8BB7F2]
*Jan 2 03:04:50.972: RADIUS: Class [25] 48
*Jan 2 03:04:50.972: RADIUS: 43 41 43 53 3A 63 30 61 38 39 66 39 31 30 30 30 [CACS:c0a89f91000]
*Jan 2 03:04:50.972: RADIUS: 30 30 30 30 35 35 43 38 42 42 37 46 32 3A 49 53 [000055C8BB7F2:IS]
*Jan 2 03:04:50.972: RADIUS: 45 31 2F 33 34 32 30 30 33 38 35 33 2F
SW1#36 [ E1/342003853/6]
*Jan 2 03:04:50.972: RADIUS: Termination-Action [29] 6 1
*Jan 2 03:04:50.980: RADIUS: saved authorization data for user 593D66C at 593AC94
SW1#
*Jan 2 03:05:32.429: %DOT1X-5-FAIL: Authentication failed for client (0022.64b3.0b38) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
*Jan 2 03:05:32.429: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0022.64b3.0b38) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
SW1#
*Jan 2 03:05:32.429: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0022.64b3.0b38) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
SW1#
*Jan 2 03:08:05.068: %DOT1X-5-FAIL: Authentication failed for client (0022.64b3.0b38) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
SW1#
*Jan 2 03:08:05.068: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (0022.64b3.0b38) on Interface Fa0/3 AuditSessionID C0A80A010000002700A1FF8A
SW1#
*Jan 2 03:09:38.005: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:09:38.005: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:09:38.005: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:09:38.005: %AUTHMGR-7-NOM
SW1#OREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:09:38.005: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
SW1#
*Jan 2 03:12:10.661: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:12:10.661: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:12:10.661: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:12:10.661: %AUTHMGR-7-NOM
SW1#OREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:12:10.661: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
SW1#
*Jan 2 03:14:43.988: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:14:43.988: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:14:43.988: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A80A010000002800AC74FB
*Jan 2 03:14:43.988: %AUTHMGR-7-NOM