Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1695
Views
0
Helpful
7
Replies

CBS 350 & 802.1x & Mac based authentication

henrihoffmann
Level 1
Level 1

‎02-26-2023 09:24 AM

Hi,

 

have a CBS 350 stack and issues with the Mac based authentication, 802.1x authentication with our Radius server works fine. According to the trace, the Radius server receives (in case of a Mac) no packet from the switch. Are there any restrictions. No messages, just "unauthorised", that's all.

How to find the root cause?

 

Thanks

 

Henri 

 

 

Labels:
0 Helpful
7 Replies 7

balaji.bandi
Hall of Fame
Hall of Fame

‎02-26-2023 10:16 AM

what Radius server you using ?

What does your 802.1x config look like ?

, just "unauthorised", that's all.  - this message from switch or radius (you may be required to enable debug see more logs )

https://www.cisco.com/c/en/us/td/docs/switches/lan/csbms/CBS_250_350/CLI/cbs-350-cli-/802_1X_Commands.html#wp3646181654

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

henrihoffmann
Level 1
Level 1
In response to balaji.bandi

‎02-26-2023 11:49 PM

Hi balaji,

what Radius server you using ?

LANCOM build in Radius server, as I mentioned, it works fine for 802.1x, but the CISCO Switch sends not Mac Auth. Pakets to that box, so I think we do not check the anything, as long, I get no packet from the switch.

What does your 802.1x config look like ?

sh dot1x detailed

Authentication is enabled
Authenticator Global Configuration:
Authenticating Servers: Radius
MAC-Based Authentication:
Type: Eap
Username Groupsize: 12
Username Separator: -
Username case: Lowercase
Password: MD5 checksum
Unauthenticated VLANs:
Guest VLAN: VLAN 4, timeout: immediately
Authentication failure traps are enabled for 802.1x, mac, web
Authentication success traps are disabled
Authentication quiet traps are disabled
Supplicant Global Configuration:
Supplicant Authentication success traps are disabled
Supplicant Authentication failure traps are enabled

gi3/0/1
Authenticator is enabled
Supplicant is disabled
Authenticator Configuration:
Host mode: multi-host
Authentication methods: mac
Port Administrated Status: auto
Guest VLAN: disabled
VLAN Radius Attribute: disabled
Open access: disabled
Server timeout: 30 sec
Port Operational Status: unauthorized
Reauthentication is enabled
Reauthentication period: 3600 sec
Silence period: 0 sec
Quiet period: 60 sec
Interfaces 802.1X-Based Parameters
Tx period: 30 sec
Supplicant timeout: 30 sec
Max req: 2
Authentication success: 0
Authentication fails: 0
Supplicant Configuration:
retry-max: 2
EAP time period: 30
Supplicant Held Period: 60

 

Thanks

 

Henri

0 Helpful

KJK99
Level 3
Level 3

‎02-27-2023 10:47 AM

@henrihoffmann 

Have you set up the RADIUS client in the switch?

RC.jpg

Kris K
0 Helpful

henrihoffmann
Level 1
Level 1
In response to KJK99

‎02-27-2023 01:26 PM

sure, "802.1x authentication with our Radius server works fine"!

BR

Henri

0 Helpful

KJK99
Level 3
Level 3

‎02-27-2023 05:12 PM

Yeah, I’ve seen that. You haven’t mentioned explicitly the switch it works with so just checking

Can you toggle between Auto and Force Authorized under 802.1X Authentication >Port Authentication>Edit Port Authentication>Administrative Port Control? You should see some messages in your RADIUS server log when you do that. If those messages are not informative, I don’t know what to say.

My RADIUS server is FreeRADIUS. No issues. The only tricky part was to set the proper format of the username for the server.

My port authentication configuration doesn’t really look different than yours.

#sh dot1x detailed

Authentication is enabled
Authenticator Global Configuration:
Authenticating Servers: Radius
MAC-Based Authentication:
  Type: Radius
  Username Groupsize: 12
  Username Separator: :
  Username case: Uppercase
  Password: MD5 checksum [snip]
Unauthenticated VLANs:
Authentication failure traps are enabled for 802.1x, mac
Authentication success traps are enabled for 802.1x, mac
Authentication quiet traps are disabled
Supplicant Global Configuration:
Supplicant Authentication success traps are enabled
Supplicant Authentication failure traps are enabled

gi1
Authenticator is enabled
Supplicant is disabled
Authenticator Configuration:
Host mode: multi-host
Authentication methods: mac
Port Administrated Status: auto
Guest VLAN: disabled
VLAN Radius Attribute: disabled
Open access: disabled
Server timeout: 30 sec
Port Operational Status: authorized
Reauthentication is enabled
Reauthentication period: 3600 sec
Silence period: 0 sec
Quiet period: 60 sec
Interfaces 802.1X-Based Parameters
  Tx period: 30 sec
  Supplicant timeout: 30 sec
  Max req: 2
Authentication success: 5
Authentication fails: 1
Supplicant Configuration:
retry-max: 2
EAP time period: 30
Supplicant Held Period: 60

Kris K
0 Helpful

henrihoffmann
Level 1
Level 1
In response to KJK99

‎02-27-2023 09:19 PM

Hi Kris,

thanks, I do not see such a message in case of Mac Based Auth.. Are there some restriction in conjunction with that, (e.g. Spanning Tree or things like that?).

BR

Henri

0 Helpful

KJK99
Level 3
Level 3

‎02-28-2023 04:45 AM

It works with STP, but I would make sure Smartport is disabled. Check the RAM Memory log of the switch, too. You should see entries like below.

When authorized: MAC [snip] is authorized on port gi1

When unauthorized: MAC [snip] was rejected on port gi1 due to wrong user name or password in Radius server

Kris K
0 Helpful
Customers Also Viewed These Support Documents