Cisco ISE: DOT1X-5-FAIL: Authentication failed after the first success authentication

Hi all,

I have a problem with Cisco ISE trying to authenticate an Active Directory user. The first time, everything seems to run successfully, but the user doesn't get the specified VLAN and after a moment the dot1x fails. This is the port's config:

-------------------------------------------------------------------------------
Building configuration...

Current configuration : 463 bytes
!
interface FastEthernet0/17
 switchport mode access
 authentication event fail action next-method
 authentication event server dead action authorize vlan 40
 authentication event no-response action authorize vlan 40
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
end

Switch#
----------------------------------------------------------------------------------------

And here are the switch logs:

3d07h: %AUTHMGR-5-START: Starting 'dot1x' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %LINK-3-UPDOWN: Interface FastEthernet0/17, changed state to up
3d07h: %DOT1X-5-SUCCESS: Authentication successful for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-5-FAIL: Authorization failed for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/17, changed state to up
3d07h: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %DOT1X-5-FAIL: Authentication failed for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %DOT1X-5-FAIL: Authentication failed for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-5-START: Starting 'dot1x' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %DOT1X-5-FAIL: Authentication failed for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-5-START: Starting 'mab' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %MAB-5-SUCCESS: Authentication successful for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %IP_SNMP-4-NOTRAPIP: SNMP trap source FastEthernet0/24 has no ip address
3d07h: %AUTHMGR-5-FAIL: Authorization failed for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-5-START: Starting 'dot1x' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %DOT1X-5-FAIL: Authentication failed for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-5-START: Starting 'mab' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %MAB-5-SUCCESS: Authentication successful for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %IP_SNMP-4-NOTRAPIP: SNMP trap source FastEthernet0/24 has no ip address
3d07h: %AUTHMGR-5-FAIL: Authorization failed for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001a.4dd8.bb74) on Interface Fa0/17

Any ideas...

Please, I need help.
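As an added example (not part of this thread), here is a small Python parser for IOS auth-manager syslog lines of the shape shown above that flags, per client and interface, the "dot1x success followed by authorization failure" pattern together with the later dot1x timeouts and method failovers, so the cycle can be spotted in bulk logs. The sample lines are constructed from the first cycle of the original post with the wrapped lines re-joined.

```python
import re
from collections import defaultdict

# Shape of the IOS auth-manager syslog lines in the thread (mnemonic, free text, client MAC, interface).
LINE_RE = re.compile(r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z_]+): (?P<text>.*?)"
                     r"client \((?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\) on Interface (?P<intf>\S+)")
RESULT_RE = re.compile(r"result '(?P<result>[a-z-]+)' from '(?P<method>\w+)'")

# Constructed sample: the first cycle from the original post, with the wrapped lines re-joined.
SAMPLE_LOG = """\
3d07h: %AUTHMGR-5-START: Starting 'dot1x' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %LINK-3-UPDOWN: Interface FastEthernet0/17, changed state to up
3d07h: %DOT1X-5-SUCCESS: Authentication successful for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-5-FAIL: Authorization failed for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (001a.4dd8.bb74) on Interface Fa0/17
3d07h: %MAB-5-SUCCESS: Authentication successful for client (001a.4dd8.bb74) on Interface Fa0/17
"""

def parse_events(lines):
    """Yield (mac, intf, mnemonic, result, method) per client-bearing line; others are skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:  # LINK/LINEPROTO/IP_SNMP lines carry no client MAC
            continue
        r = RESULT_RE.search(m.group("text"))
        result, method = (r.group("result"), r.group("method")) if r else (None, None)
        yield m.group("mac"), m.group("intf"), m.group("mnemonic"), result, method

def find_authz_gaps(lines):
    """Per (mac, interface): flag an authorization failure right after a dot1x success
    (the thread's symptom), plus subsequent dot1x timeouts and method failovers."""
    findings = defaultdict(list)
    awaiting_authz = set()  # sessions that passed dot1x but have no authorization verdict yet
    for mac, intf, mnemonic, result, method in parse_events(lines):
        key = (mac, intf)
        if mnemonic == "DOT1X-5-SUCCESS":
            awaiting_authz.add(key)
        elif mnemonic == "AUTHMGR-5-FAIL" and key in awaiting_authz:
            awaiting_authz.discard(key)
            findings[key].append("authz-failed-after-dot1x-success")
        elif mnemonic == "AUTHMGR-5-SUCCESS":
            awaiting_authz.discard(key)
        elif mnemonic == "AUTHMGR-7-RESULT" and method == "dot1x" and result in ("timeout", "no-response"):
            findings[key].append(f"dot1x-{result}")
        elif mnemonic == "AUTHMGR-7-FAILOVER":
            findings[key].append("failover-to-next-method")
    return dict(findings)
```

Run `find_authz_gaps(SAMPLE_LOG.splitlines())` to get the per-session flag list; feeding it the full `show logging` output works the same way once the wrapped lines are joined.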

6 Replies

dynamitec1
Level 1

I'm using Cisco ACS for 802.1X with MAB, and I'm having the same issue. I can't even move to another port as it fails to authenticate. My logs look similar to yours.

Sent from Cisco Technical Support iPhone App

Jatin Katyal
Cisco Employee

While running into the above issue, could you please get the following outputs:

show auth session interface fa0/17

show mac address-table int fa0/17

show dot1x interface fa0/17

mac address of phone and PC

I don't see a data and voice VLAN configured on the interface. Are you pushing dynamic VLANs from the RADIUS server? Please let me know how you have configured dynamic VLANs on RADIUS (a screenshot would work).

Can you show the aaa config using:

show run | in aaa

Jatin Katyal
- Do rate helpful posts -

~Jatin

With a SINGLE RADIUS-SERVER GROUP configured, the dot1x computer authenticates only once (if lucky), and then a switch reload is needed.

global config:

dot1x system-auth-control

aaa authentication dot1x default group radius

aaa authentication network default group radius

aaa accounting network default start-stop group radius

radius-server host 192.168.128.123 auth-port 1812 acct-port 1646 key radkey

radius-server host 192.168.128.121 auth-port 1645 acct-port 1646 key radkey

radius-server vsa send cisco-nas-port

radius-server vsa send accounting

radius-server vsa send authentication

interface config:

sw mode access

sw access vlan ID

sw voice vlan ID

auth host-mode multi-domain

authentication order mab dot1x

authentication priority mab dot1x

authentication port-control auto

authentication periodic

mab

dot1x pae authenticator

dot1x timeout tx-period 3

span portfast

span bpduguard enable

I reconfigured the switch with TWO RADIUS SERVER GROUPS; now port-security is triggered.

global config for TWO radius server-group:

aaa group server radius RADIUS-PRI

server 192.168.128.123 auth-port 1812 acct-port 1646

aaa group server radius RADIUS-SEC

server 192.168.128.121

aaa authentication dot1x default group RADIUS-PRI group RADIUS-SEC

aaa authorization network default group RADIUS-PRI group RADIUS-SEC

aaa accounting dot1x default start-start group RADIUS-PRI group RADIUS-SEC

Thank you,

A

Message was edited by: Adam Andersen, logs uploaded.

Hi,

I've got the same issue. Non-Cisco phone with a connected Windows PC. After reloading the switch, the PC gets authenticated first. Then for about 10 minutes the phone gets no access. Suddenly it is authenticated and in the VOICE domain.

.Jun 21 10:41:26.711 CEST: %AUTHMGR-5-START: Starting 'dot1x' for client (0080.9f79.1de9) on Interface Fa0/1

.Jun 21 10:41:47.288 CEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f79.1de9) on Interface Fa0/1

.Jun 21 10:41:47.288 CEST: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0080.9f79.1de9) on Interface Fa0/1

.Jun 21 10:41:47.288 CEST: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0080.9f79.1de9) on Interface Fa0/1

.Jun 21 10:41:47.288 CEST: %AUTHMGR-5-START: Starting 'mab' for client (0080.9f79.1de9) on Interface Fa0/1

.Jun 21 10:41:47.297 CEST: %MAB-5-SUCCESS: Authentication successful for client (0080.9f79.1de9) on Interface Fa0/1

.Jun 21 10:41:47.297 CEST: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0080.9f79.1de9) on Interface Fa0/1

.Jun 21 10:41:47.297 CEST: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Fa0/1, new MAC address (0080.9f79.1de9) is seen.

Jun 21 10:51:46.192 CEST: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0080.9f79.1de9) on Interface Fa0/1

Interface  MAC Address     Method   Domain   Status         Session ID

Fa0/1      60eb.699e.4299  mab      DATA     Authz Success  0A871ECC0000000400019E27

Fa0/1      0080.9f79.1de9  dot1x    VOICE    Authz Success  0A871ECC0000000C000B8793

switchport mode access

switchport voice vlan 24                                  

authentication event fail action next-method

authentication host-mode multi-domain

authentication order dot1x mab

authentication port-control auto

authentication violation restrict                                   <-- so the interface does not get error-disabled

mab

dot1x pae authenticator

dot1x timeout tx-period 1

dot1x max-reauth-req 1

spanning-tree portfast

end

Maybe this brings us a bit closer to a solution.

Salamo Alaykom,

I was able to pass the authentication by avoiding the DACL Allow_All_Traffic, even though it contains only 'permit any any' (strange problem). Now Active Directory users are authenticated by dot1x (and stay authenticated) and get the specified VLAN.

Here is a snapshot of the authentication session:

And here the aaa config:

!

aaa authentication login default group radius local

aaa authentication dot1x default group radius

aaa authorization exec default group radius if-authenticated

aaa authorization network default group radius

aaa authorization auth-proxy default group radius

aaa accounting update periodic 5

aaa accounting auth-proxy default start-stop group radius

aaa accounting dot1x default start-stop group radius

!

I remember I succeeded with MAB on an IP phone and PC on the same link (I'm not in the lab to test this now), and I configure the VLAN from Policy > Authorization > Policy Elements > Results and the specified authorization.

Hope this will help!

Alfredo Cozzino
Level 1

Currently it seems this is an ISE 1.1.x bug. As a workaround, you can use in ALL the dot1x authorization profiles (Compliant and Not Compliant as well) this magic Cisco AV-Pair:

termination-action-modifier=1

This forces ISE to use the last authentication, dot1x, while keeping the original port authentication order syntax:

authentication order mab dot1x

authentication priority dot1x mab

which worked flawlessly before Cisco 1.1.x. It does not work now.

This is (not very) well documented at this URL, in the last note at the bottom of the page:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/application_note_c27-573287_ps6638_Products_White_Paper.html#wp9000028

Hope this will help ALL.

This "feature" wasted about 2 days (and this night) of my life.
