ISE Wired DOT1X authorization fails

jcarrabine1
Level 1

I'm configuring wired dot1x, and it won't work. My end goal is to use machine/user authentication for this wired profile, but for now, because of issues, I'm just attempting wired user authentication. Below is what I have:

- authorization profile to allow a user based on the default (wired dot1x) and AD memberOF to get the person into the network

- the network card on the computer is set up to use "user authentication" inside of the NIC authentication tab... this is PEAP, by the way.

Here is what I am seeing. I do a reboot of the machine, and the login for Windows comes up and I log in. Once in Windows I look at the NIC and it says Authentication failed. ISE says that it PASSED and used my authorization profile to pass it and says that it sent my dACL. Doing a show authentication session int gi8/36 says "status authz FAILED".

I get the same thing if I use both machine and user. Machine boot -> login -> ISE says there was a successful authentication for the machine and sends a dACL -> sh auth sess int gi8/36 says status authz failed on the switch, and the NIC shuts down due to failed authentication, after which it's obviously not going to pass the user side of my policy. This is driving me nuts. If anyone could help it would be greatly appreciated. Below is config info. Thanks

Windows machines are Win7/64

switch is 6509e with 12.2(33)SXI 11 running on it.

            Interface:  GigabitEthernet8/36
          MAC Address:  10ee.f10c.4820
           IP Address:  Unknown
            User-Name:  jcarrabine
               Status:  Authz Failed
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A800C010000018CF35CA5D8
      Acct Session ID:  0x0000077B
               Handle:  0x0000018C

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

Dot1x Info for GigabitEthernet8/36
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = MULTI_AUTH
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 10

interface GigabitEthernet8/36
 description TEST PORT
 switchport
 switchport access vlan 52
 switchport mode access
 switchport voice vlan 143
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer inactivity 10
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast edge
 spanning-tree bpduguard enable
end

aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
ip radius source-interface Loopback0
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server host 10.128.12.41 auth-port 1812 acct-port 1813 key 7 061106324961273C464640
radius-server host 10.126.12.41 auth-port 1812 acct-port 1813 key 7 120E0C0417242221697A76
radius-server vsa send accounting
radius-server vsa send authentication

2 Replies

jcarrabine1
Level 1

I fixed this issue. So, to the trained eye, this should be obvious. The authz ultimately failed not because of my authorization policies, but because I have no default permit ip any any ACL on the port. This is a requirement for the IOS I'm running. The dACLs cannot be applied to the switchport without it, and thus it will throw the port into an authz fail without it.
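The symptom/fix pairing from this reply, turned into a small diagnostic check as an added example (not from the original posts or from Cisco): it parses the `show authentication sessions interface` output and the interface stanza of the kind shown above, and reports the case where dot1x authenticated but authorization failed with no inbound port ACL bound. The sample text and the ACL name ACL-DEFAULT are constructed, and it assumes the pre-auth ACL is bound with `ip access-group <name> in`.

```python
import re

# Constructed sample, modelled on the switch output in this thread: dot1x
# authenticated (Authc Success) but the session ended in Authz Failed.
SESSION_OUTPUT = """\
            Interface:  GigabitEthernet8/36
          MAC Address:  10ee.f10c.4820
               Status:  Authz Failed
Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run
"""

# Constructed interface stanza with no port ACL (the situation in the thread) ...
INTF_CONFIG_WITHOUT_ACL = """\
interface GigabitEthernet8/36
 switchport access vlan 52
 authentication open
 authentication port-control auto
 dot1x pae authenticator
"""

# ... and the same stanza with an inbound pre-auth ACL bound (assumed name ACL-DEFAULT).
INTF_CONFIG_WITH_ACL = INTF_CONFIG_WITHOUT_ACL + " ip access-group ACL-DEFAULT in\n"


def parse_session(text):
    """Return (Status value, {method: state}) from 'show authentication sessions interface' output."""
    status = re.search(r"^\s*Status:\s+(.+?)\s*$", text, re.M)
    methods = dict(re.findall(r"^\s+(dot1x|mab|webauth)\s+(.+?)\s*$", text, re.M))
    return (status.group(1) if status else None), methods


def has_port_acl(intf_config):
    """True if the interface stanza binds an inbound port ACL, which a dACL overlays."""
    return re.search(r"^\s*ip access-group \S+ in\s*$", intf_config, re.M) is not None


def diagnose(session_text, intf_config):
    """Classify the session: the thread's failure mode is authc success + authz failed + no port ACL."""
    status, methods = parse_session(session_text)
    if status == "Authz Failed" and methods.get("dot1x") == "Authc Success":
        if not has_port_acl(intf_config):
            return "dACL cannot be applied: no inbound port ACL (e.g. permit ip any any) bound to the interface"
        return "Authz Failed with a port ACL present: the failure lies elsewhere in authorization"
    return f"status={status}, methods={methods}"
```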

Ravi Singh
Level 7

Yes, you are right. A default permit ip any any ACL should be there so that dot1x authentication works, because it is mandatory.
