
DOT1X-5-FAIL: Authentication failed for client (Unknown MAC)

samna50042702
Level 1

Hi,

I configured dot1x but I received this log message:

Switch(config)#
*Mar  1 01:10:10.326: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A86403000000100030CD18
*Mar  1 01:10:10.326: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A86403000000100030CD18
*Mar  1 01:10:10.326: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A86403000000100030CD18
*Mar  1 01:10:10.326: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa0/3 
 
The client doesn't authenticate, but when I disable and re-enable the client's NIC, authentication succeeds.
Please help me.
 
3 Replies

Mike.Cifelli
VIP Alumni
Please share your interface configs. Also, are you using a native supplicant or Anyconnect?

I am using the native supplicant.

aaa authentication login default group radius local
aaa authentication dot1x default group radius local
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 com1 group tacacs+ local if-authenticated
aaa authorization commands 15 com15 group tacacs+ local if-authenticated
aaa authorization network default group radius local
aaa accounting dot1x default start-stop group radius
aaa accounting exec exec start-stop group tacacs+
aaa accounting commands 1 com1 start-stop group tacacs+
aaa accounting commands 15 com15 start-stop group tacacs+
!
aaa session-id common
system mtu routing 1500
authentication mac-move permit
!
no ip domain-lookup
!
dot1x system-auth-control
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 mab
 dot1x timeout tx-period 5
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 192.168.100.3 255.255.255.0
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
ip http server
ip http secure-server
ip radius source-interface Vlan10
radius-server host 192.168.100.4 key 1234
!
line con 0
line vty 0 4
 authorization commands 1 com1
 authorization commands 15 com15
 authorization exec exec
 accounting commands 1 com1
 accounting commands 15 com15
 accounting exec exec
 transport input telnet
line vty 5 15
 authorization commands 1 com1
 authorization commands 15 com15
 authorization exec exec
 accounting commands 1 com1
 accounting commands 15 com15
 accounting exec exec
 transport input telnet

So based on this comment: don't authenticate but when disable enable NIC's client authentication is success

When you trigger it via the NIC bounce, does the node actually authenticate via 802.1X? What is used as the identity? Can you share what the ISE live log says on a failed and a successful attempt?

I am a little confused based on your comment. Have you attempted this:
authentication order dot1x mab
authentication priority dot1x mab

Also, is your end goal to authenticate nodes via mac address? If so, test with the commands above and maybe re-order them so mab is tried first.
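
One way to triage the messages from the original post, as an added example that is not part of the thread: the script groups DOT1X/AUTHMGR syslog lines per interface and separates a dot1x 'no-response' (the client did not answer the switch's EAPOL requests) from other failures. The function name and the cause labels are this example's own; the sample input is the four log lines quoted in the first post.

```python
import re
from collections import defaultdict

# The four syslog lines quoted in the original post, embedded as sample input.
SAMPLE_LOG = """\
*Mar  1 01:10:10.326: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A86403000000100030CD18
*Mar  1 01:10:10.326: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A86403000000100030CD18
*Mar  1 01:10:10.326: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A86403000000100030CD18
*Mar  1 01:10:10.326: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa0/3
"""

# %FACILITY-SEV-MNEMONIC: text for client (X) on Interface Y [AuditSessionID Z]
LINE_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*?)"
    r" for client \((?P<client>[^)]+)\) on Interface (?P<intf>\S+)"
    r"(?: AuditSessionID (?P<session>\w+))?\s*$")
RESULT_RE = re.compile(r"Authentication result '([^']+)' from '([^']+)'")

def triage(log_text):
    """Return {interface: finding} for ports where every auth method was exhausted."""
    ports = defaultdict(lambda: {"results": [], "exhausted": False, "clients": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        port = ports[m["intf"]]  # NOMOREMETHODS carries no session ID, so key on the port
        port["clients"].add(m["client"])
        r = RESULT_RE.search(m["text"])
        if r:
            port["results"].append((r.group(2), r.group(1)))  # (method, result)
        if m["mnemonic"] == "NOMOREMETHODS":
            port["exhausted"] = True
    findings = {}
    for intf, p in ports.items():
        if not p["exhausted"]:
            continue
        # 'no-response': the timeout is between switch and supplicant (no EAPOL reply);
        # any other result (e.g. 'fail') is grouped under a separate label.
        silent = ("dot1x", "no-response") in p["results"]
        findings[intf] = {
            "cause": "supplicant-silent" if silent else "rejected-or-other",
            "methods_tried": [method for method, _ in p["results"]],
            "mac_learned": p["clients"] != {"Unknown MAC"},
        }
    return findings

if __name__ == "__main__":
    for intf, finding in triage(SAMPLE_LOG).items():
        print(intf, finding)
```

For the posted log, the finding shows that only dot1x produced a result before the methods were exhausted and that the switch had not learned a client MAC on Fa0/3.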