Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
966
Views
0
Helpful
5
Replies

802.1x supplicant on 819 router not working

Bryce Palmer
Level 1
Level 1

‎03-10-2017 12:09 PM - edited ‎03-05-2019 08:10 AM

The switch port that I am connecting the router to has the config

interface FastEthernet1/8
  switchport mode access
  authentication event fail action authorize vlan 6
  authentication event server dead action authorize vlan 15
  authentication event no-response action authorize vlan 15
  authentication host-mode multi-auth
  authentication port-control auto
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 2

I am able to authorize a PC against that that port using 802.1x and it successfully authorizes

The router has the following config on it

dot1x system-auth-control
dot1x credentials mycredentials
username myusername
password 0 mypassword
!
dot1x supplicant force-multicast

eap profile EAP
  method mschapv2

interface GigabitEthernet0
  ip address dhcp
  duplex auto
  speed auto
  dot1x pae supplicant
  dot1x credentials pasonrig
  dot1x supplicant eap profile EAP
!

The router fails to authenticate with 802.1x and ends up falling through to mab (which works fine).

The dot1x log on the router looks like this when I bounce the port on the switch.

*Mar 10 17:45:10.855: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
*Mar 10 17:45:11.855: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to down
*Mar 10 17:45:13.291: dot1x-ev(Gi0): Role determination not required
*Mar 10 17:45:13.291: dot1x-packet(Gi0): Queuing an EAPOL pkt on Supplicant Q
*Mar 10 17:45:13.291: dot1x-ev:Enqueued the eapol packet to the global supplicant queue

*Mar 10 17:45:13.291: dot1x-packet:Received an EAPOL frame on interface GigabitEthernet0
*Mar 10 17:45:13.291: dot1x-ev:Received pkt saddr =10f3.11c3.a40a , daddr = 0057.d27d.79bf,
pae-ether-type = 888e.0300.0005
*Mar 10 17:45:13.291: dot1x-ev:Interface down - cannot start supplicant
*Mar 10 17:45:13.291: dot1x-ev:Interface down - cannot start supplicant
*Mar 10 17:45:13.291: dot1x-err:Unable to create an entry for the authenticator on interface GigabitEthernet0 for mac 10f3.11c3.a40a

*Mar 10 17:45:15.355: dot1x-ev(Gi0): Role determination not required
*Mar 10 17:45:15.355: dot1x-packet(Gi0): Queuing an EAPOL pkt on Supplicant Q
*Mar 10 17:45:15.355: dot1x-ev:Enqueued the eapol packet to the global supplicant queue

*Mar 10 17:45:15.355: dot1x-packet:Received an EAPOL frame on interface GigabitEthernet0
*Mar 10 17:45:15.355: dot1x-ev:Received pkt saddr =10f3.11c3.a40a , daddr = 0057.d27d.79bf,
pae-ether-type = 888e.0300.0005
*Mar 10 17:45:15.355: dot1x-ev:Interface down - cannot start supplicant
*Mar 10 17:45:15.355: dot1x-ev:Interface down - cannot start supplicant
*Mar 10 17:45:15.355: dot1x-err:Unable to create an entry for the authenticator on interface GigabitEthernet0 for mac 10f3.11c3.a40a

*Mar 10 17:45:17.355: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar 10 17:45:17.407: dot1x-ev(Gi0): Role determination not required
*Mar 10 17:45:17.407: dot1x-packet(Gi0): Queuing an EAPOL pkt on Supplicant Q
*Mar 10 17:45:17.407: dot1x-ev:Enqueued the eapol packet to the global supplicant queue

*Mar 10 17:45:17.407: dot1x-packet:Received an EAPOL frame on interface GigabitEthernet0
*Mar 10 17:45:17.411: dot1x-ev:Received pkt saddr =10f3.11c3.a40a , daddr = 0057.d27d.79bf,
pae-ether-type = 888e.0300.0005
*Mar 10 17:45:17.411: dot1x-ev:Interface down - cannot start supplicant
*Mar 10 17:45:17.411: dot1x-ev:Interface down - cannot start supplicant
*Mar 10 17:45:17.411: dot1x-err:Unable to create an entry for the authenticator on interface GigabitEthernet0 for mac 10f3.11c3.a40a

*Mar 10 17:45:18.355: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Mar 10 17:45:29.647: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 10.100.15.59, mask 255.255.255.0, hostname myhostname

3 people had this problem
Labels:
0 Helpful
5 Replies 5

Georg Pauwen
VIP
VIP

‎03-10-2017 11:31 PM

Bryce,

which IOS version is the 819 running ? This could be a bug.

0 Helpful

Bryce Palmer
Level 1
Level 1
In response to Georg Pauwen

‎03-11-2017 07:00 AM

I was using 15.4(3)M3 and then I tried upgrading to 15.6(3)M1 even though the release notes didn't indicate any sort of 802.1x fix.  The result was the same.

0 Helpful

paul driver
VIP
VIP

‎03-11-2017 06:02 AM

Hello

Is this supplicant dot1x compatible? Also you seem to have a quite a short timeout period for client response 

have you tried increasing this?

Int x/x

dot1x timeout to period 60

res

paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Bryce Palmer
Level 1
Level 1
In response to paul driver

‎03-11-2017 07:01 AM

I had tried increasing the timeout but the result was the same.  From my understanding the 819 should have no problem authenticating against this switch.

0 Helpful

rgoode214
Level 1
Level 1
In response to Bryce Palmer

‎09-05-2017 01:26 PM

did you ever fix this? im having the same problem and cant figure out why it thinks the interface is down.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card