dot1X port authentication doesn't work with catalyst 3850

saleh.alsalamah
Level 1

I am having some trouble figuring out what is going on here.

We have applied the same configuration with switch WS-C3750X-24P-S Version 12.2(58)SE2 and it's working fine.

Now we are applying the same with switch WS-C3850-48P Version 03.06.08.E, but the switch doesn't allow clients to get an IP from DHCP, and from the logs I can see the switch is rejecting the client authentication.

We are using Aruba ClearPass for AAA.

We have communicated with the Aruba team; they informed us to delete the default ACLs which are defined in the switch, but we couldn't!

Below is the AAA configuration:

aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
!
!
!
!
aaa server radius dynamic-author
client 10.1.80.61 server-key aruba123
port 3799
auth-type all

dot1x system-auth-control

ip access-list extended cppm  ///// this ACL is for Aruba AAA authentication 
deny ip any host 10.1.80.61
deny ip any host 10.1.80.62
deny ip any host 192.168.142.17
deny ip any host 10.1.80.60
permit tcp any any eq 6658
permit tcp any host 10.1.80.63 eq 6658
permit tcp any any eq www
permit tcp any any eq 443
!

ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.20.20.1

!

tacacs-server host 10.1.80.61 key aruba123
radius-server host 10.1.80.61 key aruba123

!

interface GigabitEthernet1/0/41
switchport access vlan 2020
switchport mode access
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout server-timeout 10
dot1x timeout tx-period 5
dot1x max-req 1
dot1x max-reauth-req 5
spanning-tree portfast

!

ACLs defined in the switch are as below:

COMP-GF-C09-AS3#show access-lists
Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
100 deny udp any any eq domain
101 deny tcp any any eq domain
102 deny udp any eq bootps any
103 deny udp any any eq bootpc
104 deny udp any eq bootpc any
105 permit tcp any any eq www
Extended IP access list cppm
10 deny ip any host 10.1.80.61
20 deny ip any host 10.1.80.62
30 deny ip any host 192.168.142.17
40 deny ip any host 10.1.80.60
50 permit tcp any any eq 6658
60 permit tcp any host 10.1.80.63 eq 6658
70 permit tcp any any eq www
80 permit tcp any any eq 443
Extended IP access list implicit_deny_acl
10 deny ip any any
Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
IPv6 access list preauth_ipv6_acl (per-user)
permit udp any any eq domain sequence 10
permit tcp any any eq domain sequence 20
permit icmp any any nd-ns sequence 30
permit icmp any any nd-na sequence 40
permit icmp any any router-solicitation sequence 50
permit icmp any any router-advertisement sequence 60
permit icmp any any redirect sequence 70
permit udp any eq 547 any eq 546 sequence 80
permit udp any eq 546 any eq 547 sequence 90
deny ipv6 any any sequence 100

Below is the log after connecting a client machine to interface Gi1/0/41:

*May 13 02:30:01.286: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
*May 13 02:30:01.286: dot1x-packet: length: 0x032A
*May 13 02:30:01.286: dot1x-packet:EAP code: 0x1 id: 0x6 length: 0x032A
*May 13 02:30:01.287: dot1x-packet: type: 0x19
*May 13 02:30:01.287: dot1x-packet:[588a.5a07.dfe8, Gi1/0/41] EAPOL packet sent to client 0x30000007
*May 13 02:30:01.287: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:response request action
*May 13 02:30:01.299: dot1x-packet:[588a.5a07.dfe8, Gi1/0/41] Queuing an EAPOL pkt on Authenticator Q
*May 13 02:30:01.299: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
*May 13 02:30:01.299: dot1x-packet: length: 0x0088
*May 13 02:30:01.299: dot1x-ev:[Gi1/0/41] Dequeued pkt: Int Gi1/0/41 CODE= 2,TYPE= 25,LEN= 136
*May 13 02:30:01.299: dot1x-ev:[Gi1/0/41] Received pkt saddr =588a.5a07.dfe8 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.0088
*May 13 02:30:01.299: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
*May 13 02:30:01.299: dot1x-packet: length: 0x0088
*May 13 02:30:01.299: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] Posting EAPOL_EAP for 0x30000007
*May 13 02:30:01.299: dot1x_auth_bend Gi1/0/41: during state auth_bend_request, got event 6(eapolEap)
*May 13 02:30:01.299: @@@ dot1x_auth_bend Gi1/0/41: auth_bend_request -> auth_bend_response
*May 13 02:30:01.300: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:entering response state
*May 13 02:30:01.300: dot1x-ev:[588a.5a07.dfe8, Gi1/0/41] Response sent to the server from 0x30000007
*May 13 02:30:01.300: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:request response action
*May 13 02:30:01.305: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] Posting EAP_REQ for 0x30000007
*May 13 02:30:01.305: dot1x_auth_bend Gi1/0/41: during state auth_bend_response, got event 7(eapReq)
*May 13 02:30:01.305: @@@ dot1x_auth_bend Gi1/0/41: auth_bend_response -> auth_bend_request
*May 13 02:30:01.305: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:exiting response state
*May 13 02:30:01.305: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:entering request state
*May 13 02:30:01.305: dot1x-ev:[588a.5a07.dfe8, Gi1/0/41] Sending EAPOL packet
*May 13 02:30:01.305: dot1x-registry:registry:dot1x_ether_macaddr called
*May 13 02:30:01.306: dot1x-ev:[588a.5a07.dfe8, Gi1/0/41] Sending out EAPOL packet
*May 13 02:30:01.306: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
*May 13 02:30:01.306: dot1x-packet: length: 0x0039
*May 13 02:30:01.306: dot1x-packet:EAP code: 0x1 id: 0x7 length: 0x0039
*May 13 02:30:01.306: dot1x-packet: type: 0x19
*May 13 02:30:01.306: dot1x-packet:[588a.5a07.dfe8, Gi1/0/41] EAPOL packet sent to client 0x30000007
*May 13 02:30:01.306: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:response request action
*May 13 02:30:01.314: dot1x-packet:[588a.5a07.dfe8, Gi1/0/41] Queuing an EAPOL pkt on Authenticator Q
*May 13 02:30:01.314: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
*May 13 02:30:01.314: dot1x-packet: length: 0x0006
*May 13 02:30:01.314: dot1x-ev:[Gi1/0/41] Dequeued pkt: Int Gi1/0/41 CODE= 2,TYPE= 25,LEN= 6
*May 13 02:30:01.314: dot1x-ev:[Gi1/0/41] Received pkt saddr =588a.5a07.dfe8 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.0006
*May 13 02:30:01.314: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
*May 13 02:30:01.314: dot1x-packet: length: 0x0006
*May 13 02:30:01.315: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] Posting EAPOL_EAP for 0x30000007
*May 13 02:30:01.315: dot1x_auth_bend Gi1/0/41: during state auth_bend_request, got event 6(eapolEap)
*May 13 02:30:01.315: @@@ dot1x_auth_bend Gi1/0/41: auth_bend_request -> auth_bend_response
*May 13 02:30:01.315: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:entering response state
*May 13 02:30:01.315: dot1x-ev:[588a.5a07.dfe8, Gi1/0/41] Response sent to the server from 0x30000007
*May 13 02:30:01.315: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:request response action
*May 13 02:30:01.320: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] Posting EAP_REQ for 0x30000007
*May 13 02:30:01.320: dot1x_auth_bend Gi1/0/41: during state auth_bend_response, got event 7(eapReq)
*May 13 02:30:01.320: @@@ dot1x_auth_bend Gi1/0/41: auth_bend_response -> auth_bend_request
*May 13 02:30:01.320: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:exiting response state
*May 13 02:30:01.320: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:entering request state
*May 13 02:30:01.320: dot1x-ev:[588a.5a07.dfe8, Gi1/0/41] Sending EAPOL packet
*May 13 02:30:01.320: dot1x-registry:registry:dot1x_ether_macaddr called
*May 13 02:30:01.320: dot1x-ev:[588a.5a07.dfe8, Gi1/0/41] Sending out EAPOL packet
*May 13 02:30:01.320: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
*May 13 02:30:01.320: dot1x-packet: length: 0x0028
*May 13 02:30:01.320: dot1x-packet:EAP code: 0x1 id: 0x8 length: 0x0028
*May 13 02:30:01.320: dot1x-packet: type: 0x19
*May 13 02:30:01.321: dot1x-packet:[588a.5a07.dfe8, Gi1/0/41] EAPOL packet sent to client 0x30000007
*May 13 02:30:01.321: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:response request action
*May 13 02:30:01.324: dot1x-packet:[588a.5a07.dfe8, Gi1/0/41] Queuing an EAPOL pkt on Authenticator Q
*May 13 02:30:01.324: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
*May 13 02:30:01.324: dot1x-packet: length: 0x002F
*May 13 02:30:01.324: dot1x-ev:[Gi1/0/41] Dequeued pkt: Int Gi1/0/41 CODE= 2,TYPE= 25,LEN= 47
*May 13 02:30:01.324: dot1x-ev:[Gi1/0/41] Received pkt saddr =588a.5a07.dfe8 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.002f
*May 13 02:30:01.324: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
*May 13 02:30:01.324: dot1x-packet: length: 0x002F
*May 13 02:30:01.325: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] Posting EAPOL_EAP for 0x30000007
*May 13 02:30:01.325: dot1x_auth_bend Gi1/0/41: during state auth_bend_request, got event 6(eapolEap)
*May 13 02:30:01.325: @@@ dot1x_auth_bend Gi1/0/41: auth_bend_request -> auth_bend_response
*May 13 02:30:01.325: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:entering response state
*May 13 02:30:01.325: dot1x-ev:[588a.5a07.dfe8, Gi1/0/41] Response sent to the server from 0x30000007
*May 13 02:30:01.325: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:request response action
*May 13 02:30:01.330: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] Posting EAP_REQ for 0x30000007
*May 13 02:30:01.330: dot1x_auth_bend Gi1/0/41: during state auth_bend_response, got event 7(eapReq)
*May 13 02:30:01.330: @@@ dot1x_auth_bend Gi1/0/41: auth_bend_response -> auth_bend_request
*May 13 02:30:01.330: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:exiting response state
*May 13 02:30:01.330: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:entering request state
*May 13 02:30:01.330: dot1x-ev:[588a.5a07.dfe8, Gi1/0/41] Sending EAPOL packet
*May 13 02:30:01.331: dot1x-registry:registry:dot1x_ether_macaddr called
*May 13 02:30:01.331: dot1x-ev:[588a.5a07.dfe8, Gi1/0/41] Sending out EAPOL packet
*May 13 02:30:01.331: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
*May 13 02:30:01.331: dot1x-packet: length: 0x0044
*May 13 02:30:01.331: dot1x-packet:EAP code: 0x1 id: 0x9 length: 0x0044
*May 13 02:30:01.331: dot1x-packet: type: 0x19
*May 13 02:30:01.331: dot1x-packet:[588a.5a07.dfe8, Gi1/0/41] EAPOL packet sent to client 0x30000007
*May 13 02:30:01.331: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:response request action
*May 13 02:30:01.339: dot1x-packet:[588a.5a07.dfe8, Gi1/0/41] Queuing an EAPOL pkt on Authenticator Q
*May 13 02:30:01.339: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
*May 13 02:30:01.339: dot1x-packet: length: 0x0065
*May 13 02:30:01.339: dot1x-ev:[Gi1/0/41] Dequeued pkt: Int Gi1/0/41 CODE= 2,TYPE= 25,LEN= 101
*May 13 02:30:01.339: dot1x-ev:[Gi1/0/41] Received pkt saddr =588a.5a07.dfe8 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.0065
*May 13 02:30:01.339: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
*May 13 02:30:01.339: dot1x-packet: length: 0x0065
*May 13 02:30:01.340: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] Posting EAPOL_EAP for 0x30000007
*May 13 02:30:01.340: dot1x_auth_bend Gi1/0/41: during state auth_bend_request, got event 6(eapolEap)
*May 13 02:30:01.340: @@@ dot1x_auth_bend Gi1/0/41: auth_bend_request -> auth_bend_response
*May 13 02:30:01.340: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:entering response state
*May 13 02:30:01.340: dot1x-ev:[588a.5a07.dfe8, Gi1/0/41] Response sent to the server from 0x30000007
*May 13 02:30:01.340: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:request response action
*May 13 02:30:01.354: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] Posting EAP_REQ for 0x30000007
*May 13 02:30:01.354: dot1x_auth_bend Gi1/0/41: during state auth_bend_response, got event 7(eapReq)
*May 13 02:30:01.354: @@@ dot1x_auth_bend Gi1/0/41: auth_bend_response -> auth_bend_request
*May 13 02:30:01.354: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:exiting response state
*May 13 02:30:01.354: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:entering request state
*May 13 02:30:01.354: dot1x-ev:[588a.5a07.dfe8, Gi1/0/41] Sending EAPOL packet
*May 13 02:30:01.355: dot1x-registry:registry:dot1x_ether_macaddr called
*May 13 02:30:01.355: dot1x-ev:[588a.5a07.dfe8, Gi1/0/41] Sending out EAPOL packet
*May 13 02:30:01.355: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
*May 13 02:30:01.355: dot1x-packet: length: 0x0052
*May 13 02:30:01.355: dot1x-packet:EAP code: 0x1 id: 0xA length: 0x0052
*May 13 02:30:01.355: dot1x-packet: type: 0x19
*May 13 02:30:01.355: dot1x-packet:[588a.5a07.dfe8, Gi1/0/41] EAPOL packet sent to client 0x30000007
*May 13 02:30:01.355: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:response request action
*May 13 02:30:01.360: dot1x-packet:[588a.5a07.dfe8, Gi1/0/41] Queuing an EAPOL pkt on Authenticator Q
*May 13 02:30:01.360: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
*May 13 02:30:01.360: dot1x-packet: length: 0x0025
*May 13 02:30:01.360: dot1x-ev:[Gi1/0/41] Dequeued pkt: Int Gi1/0/41 CODE= 2,TYPE= 25,LEN= 37
*May 13 02:30:01.360: dot1x-ev:[Gi1/0/41] Received pkt saddr =588a.5a07.dfe8 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.0025
*May 13 02:30:01.360: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
*May 13 02:30:01.360: dot1x-packet: length: 0x0025
*May 13 02:30:01.361: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] Posting EAPOL_EAP for 0x30000007
*May 13 02:30:01.361: dot1x_auth_bend Gi1/0/41: during state auth_bend_request, got event 6(eapolEap)
*May 13 02:30:01.361: @@@ dot1x_auth_bend Gi1/0/41: auth_bend_request -> auth_bend_response
*May 13 02:30:01.361: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:entering response state
*May 13 02:30:01.361: dot1x-ev:[588a.5a07.dfe8, Gi1/0/41] Response sent to the server from 0x30000007
*May 13 02:30:01.361: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:request response action
*May 13 02:30:01.408: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] Posting EAP_REQ for 0x30000007
*May 13 02:30:01.408: dot1x_auth_bend Gi1/0/41: during state auth_bend_response, got event 7(eapReq)
*May 13 02:30:01.408: @@@ dot1x_auth_bend Gi1/0/41: auth_bend_response -> auth_bend_request
*May 13 02:30:01.408: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:exiting response state
*May 13 02:30:01.408: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:entering request state
*May 13 02:30:01.408: dot1x-ev:[588a.5a07.dfe8, Gi1/0/41] Sending EAPOL packet
*May 13 02:30:01.408: dot1x-registry:registry:dot1x_ether_macaddr called
*May 13 02:30:01.408: dot1x-ev:[588a.5a07.dfe8, Gi1/0/41] Sending out EAPOL packet
*May 13 02:30:01.408: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
*May 13 02:30:01.408: dot1x-packet: length: 0x002E
*May 13 02:30:01.408: dot1x-packet:EAP code: 0x1 id: 0xB length: 0x002E
*May 13 02:30:01.409: dot1x-packet: type: 0x19
*May 13 02:30:01.409: dot1x-packet:[588a.5a07.dfe8, Gi1/0/41] EAPOL packet sent to client 0x30000007
*May 13 02:30:01.409: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:response request action
*May 13 02:30:01.414: dot1x-packet:[588a.5a07.dfe8, Gi1/0/41] Queuing an EAPOL pkt on Authenticator Q
*May 13 02:30:01.415: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
*May 13 02:30:01.415: dot1x-packet: length: 0x002E
*May 13 02:30:01.415: dot1x-ev:[Gi1/0/41] Dequeued pkt: Int Gi1/0/41 CODE= 2,TYPE= 25,LEN= 46
*May 13 02:30:01.415: dot1x-ev:[Gi1/0/41] Received pkt saddr =588a.5a07.dfe8 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.002e
*May 13 02:30:01.415: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
*May 13 02:30:01.415: dot1x-packet: length: 0x002E
*May 13 02:30:01.415: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] Posting EAPOL_EAP for 0x30000007
*May 13 02:30:01.415: dot1x_auth_bend Gi1/0/41: during state auth_bend_request, got event 6(eapolEap)
*May 13 02:30:01.415: @@@ dot1x_auth_bend Gi1/0/41: auth_bend_request -> auth_bend_response
*May 13 02:30:01.415: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:entering response state
*May 13 02:30:01.415: dot1x-ev:[588a.5a07.dfe8, Gi1/0/41] Response sent to the server from 0x30000007
*May 13 02:30:01.416: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:request response action
*May 13 02:30:01.420: dot1x-packet:[588a.5a07.dfe8, Gi1/0/41] Received an EAP Success
*May 13 02:30:01.421: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] Posting EAP_SUCCESS for 0x30000007
*May 13 02:30:01.421: dot1x_auth_bend Gi1/0/41: during state auth_bend_response, got event 11(eapSuccess)
*May 13 02:30:01.421: @@@ dot1x_auth_bend Gi1/0/41: auth_bend_response -> auth_bend_success
*May 13 02:30:01.421: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:exiting response state
*May 13 02:30:01.421: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:entering success state
*May 13 02:30:01.421: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:response success action
*May 13 02:30:01.421: dot1x_auth_bend Gi1/0/41: idle during state auth_bend_success
*May 13 02:30:01.421: @@@ dot1x_auth_bend Gi1/0/41: auth_bend_success -> auth_bend_idle
*May 13 02:30:01.421: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:entering idle state
*May 13 02:30:01.421: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] Posting AUTH_SUCCESS on Client 0x30000007
*May 13 02:30:01.421: dot1x_auth Gi1/0/41: during state auth_authenticating, got event 12(authSuccess_portValid)
*May 13 02:30:01.421: @@@ dot1x_auth Gi1/0/41: auth_authenticating -> auth_authc_result
*May 13 02:30:01.421: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:exiting authenticating state
*May 13 02:30:01.422: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:entering authc result state
*May 13 02:30:01.422: dot1x-packet:[588a.5a07.dfe8, Gi1/0/41] EAP Key data detected adding to attribute list
*May 13 02:30:01.428: dot1x-ev:[588a.5a07.dfe8, Gi1/0/41] Received Authz Success for the client 0x30000007 (588a.5a07.dfe8)
*May 13 02:30:01.429: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] Posting AUTHZ_SUCCESS on Client 0x30000007
*May 13 02:30:01.429: dot1x_auth Gi1/0/41: during state auth_authc_result, got event 23(authzSuccess)
*May 13 02:30:01.429: @@@ dot1x_auth Gi1/0/41: auth_authc_result -> auth_authenticated
*May 13 02:30:01.429: dot1x-sm:[588a.5a07.dfe8, Gi1/0/41] 0x30000007:entering authenticated state
*May 13 02:30:01.429: dot1x-ev:[588a.5a07.dfe8, Gi1/0/41] Sending EAPOL packet
*May 13 02:30:01.429: dot1x-registry:registry:dot1x_ether_macaddr called
*May 13 02:30:01.429: dot1x-ev:[588a.5a07.dfe8, Gi1/0/41] Sending out EAPOL packet
*May 13 02:30:01.430: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
*May 13 02:30:01.430: dot1x-packet: length: 0x0004
*May 13 02:30:01.430: dot1x-packet:EAP code: 0x3 id: 0xB length: 0x0004
*May 13 02:30:01.430: dot1x-packet:[588a.5a07.dfe8, Gi1/0/41] EAPOL packet sent to client 0x30000007
*May 13 02:32:04.336: dot1x-ev:[Gi1/0/41] Interface state changed to DOWN
*May 13 02:32:04.338: dot1x-ev:[Gi1/0/41] Clearing all supplicant instances
*May 13 02:32:04.362: dot1x-ev:[588a.5a07.dfe8, Gi1/0/41] Processing client delete for hdl 0x30000007 sent by Auth Mgr
*May 13 02:32:04.362: dot1x-ev:[588a.5a07.dfe8, Gi1/0/41] Deleting client 0x30000007 (588a.5a07.dfe8)
*May 13 02:32:04.362: dot1x-ev:[588a.5a07.dfe8, Gi1/0/41] Delete auth client (0x30000007) message
*May 13 02:32:04.362: dot1x-ev:Auth client ctx destroyed
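An added example, not part of the original post: a small Python parser for the 'debug dot1x' format shown above that reduces the stream to one outcome record per port (EAP exchange counts, EAP Success, Authz Success, the port-level state machine's final state, and how long after success the link dropped). The sample lines are a constructed condensation of the log above; the function names are this example's own.

```python
import re
from datetime import datetime

# Constructed sample, condensed from the 'debug dot1x' output in the post above:
# one supplicant (588a.5a07.dfe8) on Gi1/0/41, a short EAP exchange, EAP Success,
# Authz Success, and the link going down about two minutes later.
SAMPLE_LOG = """\
*May 13 02:30:01.286: dot1x-ev:[588a.5a07.dfe8, Gi1/0/41] Sending out EAPOL packet
*May 13 02:30:01.286: dot1x-packet:EAP code: 0x1 id: 0x6 length: 0x032A
*May 13 02:30:01.299: dot1x-ev:[Gi1/0/41] Dequeued pkt: Int Gi1/0/41 CODE= 2,TYPE= 25,LEN= 136
*May 13 02:30:01.299: @@@ dot1x_auth_bend Gi1/0/41: auth_bend_request -> auth_bend_response
*May 13 02:30:01.306: dot1x-packet:EAP code: 0x1 id: 0x7 length: 0x0039
*May 13 02:30:01.420: dot1x-packet:[588a.5a07.dfe8, Gi1/0/41] Received an EAP Success
*May 13 02:30:01.421: @@@ dot1x_auth Gi1/0/41: auth_authenticating -> auth_authc_result
*May 13 02:30:01.428: dot1x-ev:[588a.5a07.dfe8, Gi1/0/41] Received Authz Success for the client 0x30000007 (588a.5a07.dfe8)
*May 13 02:30:01.429: @@@ dot1x_auth Gi1/0/41: auth_authc_result -> auth_authenticated
*May 13 02:30:01.430: dot1x-packet:EAP code: 0x3 id: 0xB length: 0x0004
*May 13 02:32:04.336: dot1x-ev:[Gi1/0/41] Interface state changed to DOWN
"""

TS_RE = re.compile(r"^\*(\w{3} +\d+ \d{2}:\d{2}:\d{2}\.\d+): (.*)$")
CLIENT_RE = re.compile(r"\[([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}), (\S+)\]")  # [mac, port]
PORT_RE = re.compile(r"\[([A-Za-z]{2,3}\d[\d/]*)\]")                           # [port] only
TRANS_RE = re.compile(r"@@@ (dot1x_auth(?:_bend)?) (\S+): (\S+) -> (\S+)")    # state change
EAP_TX_RE = re.compile(r"EAP code: 0x([0-9A-Fa-f]+)")       # switch -> supplicant, hex code
EAP_RX_RE = re.compile(r"Dequeued pkt: .*CODE= (\d+)")      # supplicant -> switch, decimal
EAP_CODES = {1: "request", 2: "response", 3: "success", 4: "failure"}  # RFC 3748 codes

def _new_summary():
    return {"mac": None, "eap": dict.fromkeys(EAP_CODES.values(), 0),
            "eap_success": False, "authz_success": False, "auth_state": None,
            "success_at": None, "link_down_at": None}

def _verdict(s):
    if s["authz_success"] and s["auth_state"] == "auth_authenticated":
        v = "authenticated and authorized"
    elif s["eap"]["failure"]:
        v = "rejected by the RADIUS server (EAP Failure)"
    else:
        v = "no final outcome in the captured window"
    if s["link_down_at"] is not None:
        v += "; link went down afterwards"
    return v

def summarize_dot1x(log_text):
    """Reduce 'debug dot1x' lines to one outcome record per port."""
    ports, last_port = {}, None
    for raw in log_text.splitlines():
        m = TS_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f")  # no year; deltas still valid
        msg = m.group(2)
        cm, tr, pm = CLIENT_RE.search(msg), TRANS_RE.search(msg), PORT_RE.search(msg)
        port = cm.group(2) if cm else tr.group(2) if tr else pm.group(1) if pm else last_port
        if port is None:
            continue  # packet-level line before any port context; nothing to attribute it to
        last_port = port
        s = ports.setdefault(port, _new_summary())
        if cm and s["mac"] is None:
            s["mac"] = cm.group(1)
        tx, rx = EAP_TX_RE.search(msg), EAP_RX_RE.search(msg)
        code = int(tx.group(1), 16) if tx else int(rx.group(1)) if rx else None
        if code is not None:
            name = EAP_CODES.get(code, "other")
            s["eap"][name] = s["eap"].get(name, 0) + 1
        if "Received an EAP Success" in msg:
            s["eap_success"], s["success_at"] = True, ts
        if "Received Authz Success" in msg:
            s["authz_success"] = True
        if tr and tr.group(1) == "dot1x_auth":   # port-level machine, not the backend one
            s["auth_state"] = tr.group(4)
        if "Interface state changed to DOWN" in msg:
            s["link_down_at"] = ts
    for s in ports.values():
        s["link_down_after_success_s"] = ((s["link_down_at"] - s["success_at"]).total_seconds()
                                          if s["success_at"] and s["link_down_at"] else None)
        s["verdict"] = _verdict(s)
    return ports

if __name__ == "__main__":
    for port, s in summarize_dot1x(SAMPLE_LOG).items():
        print(port, s["mac"], s["eap"], s["verdict"], s["link_down_after_success_s"])
```

On the condensed sample the record for Gi1/0/41 reports "authenticated and authorized; link went down afterwards" with the drop 122.916 s after EAP Success, i.e. the debug shows the switch accepted the client rather than rejecting it.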

7 Replies

Hello,

post the full configuration of the switch, not just snippets. Which access list can't you delete?

Hi Georg,

Thanks for your reply.

If I delete the below ACLs, then save and reload the switch, those ACLs appear in the configuration again!

Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
100 deny udp any any eq domain
101 deny tcp any any eq domain
102 deny udp any eq bootps any
103 deny udp any any eq bootpc
104 deny udp any eq bootpc any
105 permit tcp any any eq www
Extended IP access list implicit_deny_acl
10 deny ip any any
IPv6 access list preauth_ipv6_acl (per-user)
permit udp any any eq domain sequence 10
permit tcp any any eq domain sequence 20
permit icmp any any nd-ns sequence 30
permit icmp any any nd-na sequence 40
permit icmp any any router-solicitation sequence 50
permit icmp any any router-advertisement sequence 60
permit icmp any any redirect sequence 70
permit udp any eq 547 any eq 546 sequence 80
permit udp any eq 546 any eq 547 sequence 90
deny ipv6 any any sequence 100

This ACL can't be deleted: preauth_ipv4_acl (per-user)

COMP-GF-C09-AS3(config)#no ip access-list extended preauth_ipv4_acl ext
COMP-GF-C09-AS3(config)#no ip access-list extended preauth_ipv4_acl (per-user)
^
% Invalid input detected at '^' marker.

COMP-GF-C09-AS3(config)#exit
COMP-GF-C09-AS3#sho
COMP-GF-C09-AS3#show ip acc
COMP-GF-C09-AS3#show ip acce
COMP-GF-C09-AS3#show ip access-lists
Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
100 deny udp any any eq domain
101 deny tcp any any eq domain
102 deny udp any eq bootps any
103 deny udp any any eq bootpc
104 deny udp any eq bootpc any
105 permit tcp any any eq www
Extended IP access list cppm
10 deny ip any host 10.1.80.61
20 deny ip any host 10.1.80.62
30 deny ip any host 192.168.142.17
40 deny ip any host 10.1.80.60
50 permit tcp any any eq 6658
60 permit tcp any host 10.1.80.63 eq 6658
70 permit tcp any any eq www
80 permit tcp any any eq 443
Extended IP access list implicit_deny_acl
10 deny ip any any
Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
COMP-GF-C09-AS3#

Configuration file attached.

Hello,

the access list comes from Cisco Web Authentication. I am not really sure which part of your config is responsible; try and remove the line 'aaa authorization network default group radius'.

Smart Install might also be causing this; unless you are using Smart Install, disable it by configuring 'no vstack' globally...

Disabled Smart Install and removed the aaa authorization, but still can't delete the ACL:

COMP-GF-C09-AS3(config)#no vstack
COMP-GF-C09-AS3(config)#no aaa authorization network default group radius
COMP-GF-C09-AS3(config)#no ip acce
COMP-GF-C09-AS3(config)#no ip access-list ex
COMP-GF-C09-AS3(config)#no ip access-list extended preauth_ipv4_acl
COMP-GF-C09-AS3(config)#do sh ip access-lists
Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
100 deny udp any any eq domain
101 deny tcp any any eq domain
102 deny udp any eq bootps any
103 deny udp any any eq bootpc
104 deny udp any eq bootpc any
105 permit tcp any any eq www
Extended IP access list cppm
10 deny ip any host 10.1.80.61
20 deny ip any host 10.1.80.62
30 deny ip any host 192.168.142.17
40 deny ip any host 10.1.80.60
50 permit tcp any any eq 6658
60 permit tcp any host 10.1.80.63 eq 6658
70 permit tcp any any eq www
80 permit tcp any any eq 443
Extended IP access list implicit_deny_acl
10 deny ip any any
Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any

Hi,

Did Aruba give a reason to delete this default ACL?

You said your issue is the client fails to get a DHCP address and the switch is rejecting the client authentication, correct? When using 802.1X a client would only receive a DHCP address after successful authentication/authorization. I'd look at why authentication is failing... unless Aruba believes there is a bug regarding that ACL.

What errors/messages are in the ClearPass logs for those authentication attempts?

Perhaps you could take a packet capture to/from CPPM and post it here?

Did Aruba give a reason to delete this default ACL?

They said the issue is due to the other ACL; with other switches we did remove the ACL and the client is now able to get DHCP and authenticate successfully.

What errors/messages are in the ClearPass logs for those authentication attempts?

In ClearPass we don't see any error messages; it's showing the client accepted/authenticated successfully. Anyhow, we will communicate with the Aruba team again to see if we can get any other logs from CPPM.

Hello,

I am looking for a solution to delete these (default and built-in) access lists; honestly, I am not sure you can...

In the meantime, try and enter a 'permit ip any any' to the access lists with a lower sequence number, so that the permit ip any any appears at the top and effectively makes the access list obsolete. I think you can still edit the access lists:
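The sequence-number workaround suggested above, as an added example that is not part of this thread or of Cisco IOS: a small first-match evaluator over the preauth_ipv4_acl listed earlier, run as listed and again with 'permit ip any any' inserted at sequence 5. The evaluator handles only the 'any' / 'host' address forms and 'eq' ports the thread's ACLs use, and the client and gateway addresses in the sample packets are constructed.

```python
import ipaddress

# Hypothetical first-match evaluator for the extended IP ACL syntax quoted in this
# thread. It is not Cisco code; it models the first-match, implicit-deny behaviour.

PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "www": 80}

# preauth_ipv4_acl exactly as listed by 'show access-lists' in the thread.
PREAUTH_IPV4_ACL = """\
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
"""

def _addr(toks, i):
    """Consume 'any' or 'host X' at toks[i]; return (network, next index)."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    raise ValueError(f"unsupported address form: {' '.join(toks[i:])}")

def _port(toks, i):
    """Consume an optional 'eq <name|number>' at toks[i]; return (port or None, next index)."""
    if i < len(toks) and toks[i] == "eq":
        p = toks[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()
        seq, action, proto = int(toks[0]), toks[1], toks[2]
        src, i = _addr(toks, 3)
        sport, i = _port(toks, i)
        dst, i = _addr(toks, i)
        dport, i = _port(toks, i)
        rules.append({"seq": seq, "action": action, "proto": proto,
                      "src": src, "sport": sport, "dst": dst, "dport": dport})
    return sorted(rules, key=lambda r: r["seq"])   # entries are evaluated in sequence order

def evaluate(rules, proto, src, sport, dst, dport):
    """First matching entry decides; no match means the implicit deny (seq None)."""
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in r["src"] or ipaddress.ip_address(dst) not in r["dst"]:
            continue
        if r["sport"] not in (None, sport) or r["dport"] not in (None, dport):
            continue
        return r["action"], r["seq"]
    return "deny", None

def preauth_decisions(acl_text):
    """Decisions for three constructed packets an unauthenticated client might send."""
    rules = parse_acl(acl_text)
    return {
        "dhcp_discover": evaluate(rules, "udp", "0.0.0.0", 68, "255.255.255.255", 67),
        "dns_query": evaluate(rules, "udp", "10.20.20.50", 51000, "10.20.20.1", 53),
        "http_to_cppm": evaluate(rules, "tcp", "10.20.20.50", 40000, "10.1.80.61", 80),
    }

def with_permit_any_first(acl_text, seq=5):
    """The reply's workaround: a 'permit ip any any' at a lower sequence number.
    Every packet then matches it first, so the pre-auth restrictions no longer apply."""
    return f"{seq} permit ip any any\n" + acl_text

if __name__ == "__main__":
    print("as listed:", preauth_decisions(PREAUTH_IPV4_ACL))
    print("with seq 5:", preauth_decisions(with_permit_any_first(PREAUTH_IPV4_ACL)))
```

As listed, the ACL already permits the DHCP and DNS packets and denies only the HTTP one; with the entry at sequence 5 every pre-auth packet is permitted, so the port is unrestricted until authorization applies its own policy, which makes this a diagnostic step rather than a configuration to leave in place.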