06-19-2013 11:50 AM - edited 03-10-2019 08:33 PM
I'm configuring wired dot1x, and it won't work. My end goal is to use machine/user authentication for this wired profile, but for now, because of issues, I'm just attempting wired user authentication. Below is what I have:
-authorization profile to allow a user based on the default (wired dot1x) and AD memberOf to get the person into the network
-the network card on the computer is set up to use "user authentication" inside of the NIC authentication tab....this is PEAP by the way.
Here is what I am seeing. I do a reboot of the machine, and the login for Windows comes up and I login. Once in Windows I look at the NIC and it says Authentication failed. ISE says that it PASSED and used my authorization profile to pass it and says that it sent my dacl. Doing a show authentication session int gi8/36 says "status authz FAILED".
I get the same thing if I use both machine and user. Machine boot->login->ISE says there was a successful authentication for the machine and sends a dacl->sh auth sess int gi8/36 says status authz failed on the switch, and the NIC shuts due to failed authentication, after which it's obviously not going to pass the user side of my policy. This is driving me nuts. If anyone could help it would be greatly appreciated. Below is config info. Thanks
Windows machines are Win7/64
switch is 6509e with 12.2(33)SXI 11 running on it.
Interface: GigabitEthernet8/36
MAC Address: 10ee.f10c.4820
IP Address: Unknown
User-Name: jcarrabine
Status: Authz Failed
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A800C010000018CF35CA5D8
Acct Session ID: 0x0000077B
Handle: 0x0000018C
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
Dot1x Info for GigabitEthernet8/36
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = MULTI_AUTH
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 10
interface GigabitEthernet8/36
description TEST PORT
switchport
switchport access vlan 52
switchport mode access
switchport voice vlan 143
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer inactivity 10
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
spanning-tree bpduguard enable
end
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
ip radius source-interface Loopback0
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server host 10.128.12.41 auth-port 1812 acct-port 1813 key 7 061106324961273C464640
radius-server host 10.126.12.41 auth-port 1812 acct-port 1813 key 7 120E0C0417242221697A76
radius-server vsa send accounting
radius-server vsa send authentication
06-20-2013 06:44 AM
I fixed this issue. So to the trained eye this should be obvious. The authz ultimately failed not because of my authorization policies, but because I have no default permit ip any any ACL on the port. This is a requirement for the IOS I'm running. The dACLs cannot be applied to the switchport without it, and thus it will throw the port into an authz fail without it.
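A quick config audit for the condition described in this fix, written as an added example (not code from the thread or from Cisco): it walks a pasted IOS running-config and lists every port that has 802.1X enabled but no inbound port ACL, which is what left the port in "Authz Failed" when ISE pushed the dACL. The ACL name PRE-AUTH and the second interface are constructed placeholders.

```python
"""Find 802.1X ports that lack the pre-authentication port ACL a
downloadable ACL (dACL) needs to attach to. Added example, not code
from the thread; PRE-AUTH and GigabitEthernet8/37 are constructed."""
import re

def parse_interfaces(config: str) -> dict:
    """Return {interface name: [config lines]}. Works whether or not the
    paste kept IOS indentation; a block ends at '!', 'end' or the next
    'interface' line."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line in ("!", "end"):
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks

def dot1x_ports_missing_port_acl(config: str) -> list:
    """Interfaces with 'authentication port-control auto' but no
    'ip access-group <name> in': the state that produced the thread's
    'Status: Authz Failed' once ISE tried to apply the dACL."""
    missing = []
    for name, lines in parse_interfaces(config).items():
        is_dot1x = any(l.startswith("authentication port-control auto") for l in lines)
        has_acl = any(re.fullmatch(r"ip access-group \S+ in", l) for l in lines)
        if is_dot1x and not has_acl:
            missing.append(name)
    return missing

# Constructed sample: the thread's port as posted, plus a corrected copy.
SAMPLE_CONFIG = """\
interface GigabitEthernet8/36
 description TEST PORT
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet8/37
 description FIXED PORT
 ip access-group PRE-AUTH in
 authentication port-control auto
 dot1x pae authenticator
!
"""

if __name__ == "__main__":
    print(dot1x_ports_missing_port_acl(SAMPLE_CONFIG))  # ['GigabitEthernet8/36']
```

Feed it the output of show running-config; the port list it prints is the set to fix before re-testing with show authentication session.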
06-20-2013 12:42 PM
Yes, you are right. A default permit ip any any ACL should be there so that dot1x authentication works, because it is mandatory.