Dot1x Configuration on 2960G

fdharmawan
Level 4

Hi Guys,

I'm trying to configure dot1x on my 2960G and here is the scenario. I want users' laptops to be authenticated using a certificate when connecting via LAN. I'm using ISE as my authentication server. My 2960G's IOS is 12.2(55)SE12 and my ISE's is 2.3.

I am able to do the dot1x authentication on my 3850XU using 16.3.5b, but somehow I am unable to replicate that on my 2960G. Maybe I'm missing something.

Here is my 2960G config.

Global:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius

dot1x system-auth-control

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server host myserver1 auth-port 1812 acct-port 1813 key 7 mykey
radius-server host myserver2 auth-port 1812 acct-port 1813 key 7 mykey
radius-server retransmit 1
radius-server timeout 2


Interface:

interface GigabitEthernet0/1
switchport access vlan 38
switchport mode access
authentication host-mode multi-host
authentication open
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end

With the config above, based on the log from ISE, my laptop is authenticated and in session. But somehow the evidence from the laptop and the switch's log says otherwise. My LAN NIC says authentication failed. And here is the switch log:
Oct 2 10:41:43.187: %AUTHMGR-5-START: Starting 'dot1x' for client (My MAC) on Interface Gi0/1 AuditSessionID 0A98200A000000070014C786
Oct 2 10:41:43.464: %DOT1X-5-SUCCESS: Authentication successful for client (My MAC) on Interface Gi0/1 AuditSessionID
Oct 2 10:41:43.464: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (My MAC) on Interface Gi0/1 AuditSessionID 0A98200A000000070014C786
Oct 2 10:41:43.498: %AUTHMGR-5-FAIL: Authorization failed for client (My MAC) on Interface Gi0/1 AuditSessionID 0A98200A000000070014C786
Oct 2 10:41:43.515: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (My MAC) on Interface Gi0/1 AuditSessionID 0A98200A000000070014C786
Oct 2 10:41:44.177: %AUTHMGR-5-START: Starting 'dot1x' for client (My MAC) on Interface Gi0/1 AuditSessionID 0A98200A000000080014CA1C
Oct 2 10:41:45.075: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up


Any idea why? Thank you.
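As an added example (not part of the thread), the script below correlates switch syslog lines like the ones quoted above by AuditSessionID and flags sessions where dot1x authentication succeeded but authorization then failed, which is exactly the pattern the log shows. The sample lines are constructed from the quoted messages; the Gi0/2 client and the extra session IDs are made up.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log quoted above; the Gi0/2 client and the extra session IDs are made up.
SAMPLE_LOG = """\
Oct 2 10:41:43.187: %AUTHMGR-5-START: Starting 'dot1x' for client (54e1.adcc.5614) on Interface Gi0/1 AuditSessionID 0A98200A000000070014C786
Oct 2 10:41:43.464: %DOT1X-5-SUCCESS: Authentication successful for client (54e1.adcc.5614) on Interface Gi0/1 AuditSessionID 0A98200A000000070014C786
Oct 2 10:41:43.498: %AUTHMGR-5-FAIL: Authorization failed for client (54e1.adcc.5614) on Interface Gi0/1 AuditSessionID 0A98200A000000070014C786
Oct 2 10:41:43.515: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (54e1.adcc.5614) on Interface Gi0/1 AuditSessionID 0A98200A000000070014C786
Oct 2 10:41:44.177: %AUTHMGR-5-START: Starting 'dot1x' for client (54e1.adcc.5614) on Interface Gi0/1 AuditSessionID 0A98200A000000080014CA1C
Oct 2 10:41:45.075: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
Oct 2 10:42:01.010: %AUTHMGR-5-START: Starting 'dot1x' for client (0011.2233.4455) on Interface Gi0/2 AuditSessionID 0A98200A000000090014CB00
Oct 2 10:42:01.300: %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi0/2 AuditSessionID 0A98200A000000090014CB00
Oct 2 10:42:01.320: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0011.2233.4455) on Interface Gi0/2 AuditSessionID 0A98200A000000090014CB00
"""

# Each auth-manager / dot1x message carries MAC, port and AuditSessionID (the correlation key).
LINE_RE = re.compile(
    r"%(?P<mnemonic>[A-Z0-9]+-\d-[A-Z_]+): .*?client \((?P<mac>[^)]+)\) "
    r"on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)"
)

def parse_sessions(log_text):
    """Group mnemonics by AuditSessionID; lines without one (LINK etc.) are skipped."""
    sessions = defaultdict(lambda: {"mac": None, "intf": None, "events": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            s = sessions[m["sid"]]
            s["mac"], s["intf"] = m["mac"], m["intf"]
            s["events"].append(m["mnemonic"])
    return dict(sessions)

def classify(events):
    """Outcome of one session from its mnemonics."""
    if "AUTHMGR-5-SUCCESS" in events:
        return "authorized"
    if "DOT1X-5-SUCCESS" in events and "AUTHMGR-5-FAIL" in events:
        # EAP succeeded against RADIUS, but the switch could not apply the
        # authorization result, so RESULT_OVERRIDE discards the success.
        return "authn-ok-authz-failed"
    return "in-progress"

def find_authz_failures(log_text):
    """(session id, mac, port) for clients that authenticated but failed authorization."""
    return [(sid, s["mac"], s["intf"])
            for sid, s in parse_sessions(log_text).items()
            if classify(s["events"]) == "authn-ok-authz-failed"]
```

Feed it the output of `show logging` to list every port where ISE accepted the client but the switch could not apply what ISE returned, which is the case to investigate on the ISE side first.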

10 Replies

Deepak Kumar
VIP Alumni

Hi,

I am not sure whether the authentication success and failure are happening for the same MAC address or not. At the same time:

More a command "authentication periodic" and test it.

and share the output of "show authentication".


Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hi Deepak,

The success and the failed authentication happen on the same MAC address. That's weird, right?

I already deployed "authentication periodic" and it still happens.

Below is the output of show authentication:

Switch#show authentication int gi0/1

Client list:
  Interface  MAC Address     Method  Domain  Status        Session ID
  Gi0/1      54e1.adcc.5614  dot1x   DATA    Authz Failed  0A98200A0000003A03BF290A

Available methods list:
  Handle  Priority  Name
    3        0      dot1x
Runnable methods list:
  Handle  Priority  Name
    3        0      dot1x

Switch#show authentication registrations
Auth Methods registered with the Auth Manager:
  Handle  Priority  Name
    3        0      dot1x
    2        1      mab
    1        2      webauth

ID-JKTASW0101#show authentication sessions

Interface  MAC Address     Method  Domain  Status        Session ID
Gi0/1      My MAC          dot1x   DATA    Authz Failed  0A98200A0000003803BA3C29

Thanks.

Hi,

Have you checked the RADIUS event logs?

Regards,

Deepak Kumar

Hi Deepak,

Yes I did, but I don't know how to read the information properly.

But the good news is I just got my dot1x working. I used the trial-and-error method. My final config looks like this:

Global config:

aaa new-model

aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius

dot1x system-auth-control
dot1x critical eapol

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3

radius-server retransmit 1
radius-server timeout 2
radius-server vsa send accounting
radius-server vsa send authentication

ip radius source-interface VlanXX


Interface:

interface GigabitEthernet0/1
switchport access vlan XX
switchport mode access
ip access-group ACL-DEFAULT in
authentication host-mode multi-host
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end


ACL:

Extended IP access list ACL-DEFAULT
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit icmp any any
40 permit udp any any eq tftp
50 permit tcp any host myserver1
60 permit tcp any host myserver2
70 deny ip any any log


Basically just follow the instructions at this link with some adjustments: https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_0100001.html#reference_98C6814C4A01421CAD6774C76568CAD4

Cheers.

Hi,

In your interface configuration I saw a MAC Authentication Bypass configuration; are you using the same?

Regards,

Deepak Kumar

Hi Deepak,

Should it be in place? The tutorial stated that, so I put in the line. Any advice?

Cheers.

Hi,

The radius-server vsa command is required to send RADIUS requests.

Also, I would like to mention that the 2960G is not mentioned in the compatibility matrix of ISE 2.3.

Please refer to the compatibility matrix: https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/compatibility/ise_sdt.html

-Aravind

Hi Aravind,

Well, that's kind of weird since the config works on my switch. Those laptops that have a certificate installed are authenticated and those that don't cannot access the network.

But anyway I'm grateful the config works as I wanted it to :)

Cheers.

Nidhi
Cisco Employee

I see you are missing the command 'dot1x port-control auto'.

Can you run the test again and collect the RADIUS logs from ISE as well?

Thanks,

Nidhi

Hi Nidhi,

I could not find "dot1x port-control auto", so I put "authentication port-control auto" on the interface config.

Cheers.
