02-11-2022 01:54 AM
Hi folks,
Trying to use RADIUS authentication for MAC addresses.
At first it seems OK: on the first plug-in, the supplicant is correctly authenticated:
10-Feb-2022 16:54:28 %SEC-I-SUPPLICANTAUTHORIZED: MAC 24:5e:be:xx:xx:xx is authorized on port gi2/0/14
But if I unplug it and then plug it back in again, the status stays unauthenticated and I can't see any request to the RADIUS server...
Relevant part of the config:
dot1x system-auth-control
dot1x traps authentication failure 802.1x mac
dot1x traps authentication success 802.1x mac
dot1x supplicant traps authentication failure
dot1x supplicant traps authentication success
dot1x mac-auth radius
encrypted dot1x mac-auth password *removed*
encrypted radius-server host 172.16.32.247 key *removed* usage dot1.x
aaa authentication login SSH local
aaa authentication enable SSH enable
aaa authentication login Console local
aaa accounting dot1x start-stop group radius
interface GigabitEthernet2/0/14
dot1x guest-vlan enable
dot1x reauthentication
dot1x timeout reauth-period 300
dot1x authentication mac
dot1x radius-attributes vlan static
dot1x port-control auto
Firmware is up to date; I'm stuck.
02-11-2022 02:00 AM
- What type or brand is the RADIUS server (model/version)? Can you confirm that in the problem case no data is sent to the RADIUS server (with a packet capture)?
M.
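One way to answer the question above independently of the switch is to send a MAB-style Access-Request to the server from a management host and check what comes back. The following is an added example, not code from the thread or from Cisco: it builds the RFC 2865 Access-Request (User-Name = MAC, User-Password = the configured MAB password, PAP-encrypted), verifies the Response Authenticator of whatever the server answers, and classifies the result. The username format (lowercase, one group of 12 hex digits, no separator) is read off the "show dot1x" output posted later in the thread; the shared secret, the MAB password and the NAS-Identifier value are placeholders, and the 172.16.32.247 address is the server from the thread.

```python
import hashlib
import os
import socket
import struct

# RADIUS codes and attribute types used below (RFC 2865).
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32
ATTR_NAS_PORT_TYPE = 61
NAS_PORT_TYPE_ETHERNET = 15
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def mab_username(mac):
    """Normalise a MAC the way the thread's 'show dot1x' output describes:
    lowercase, one group of 12 hex digits, no separators."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def _pap_blocks(data, secret, authenticator, decrypt):
    """RFC 2865 section 5.2 User-Password transform, block by block: each
    16-byte block is XORed with MD5(secret + previous ciphertext block); the
    first block uses MD5(secret + request authenticator)."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = block if decrypt else result
    return bytes(out)


def encrypt_pap_password(password, secret, authenticator):
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _pap_blocks(padded, secret, authenticator, decrypt=False)


def decrypt_pap_password(ciphertext, secret, authenticator):
    return _pap_blocks(ciphertext, secret, authenticator, decrypt=True).rstrip(b"\x00")


def attribute(attr_type, value):
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, username, password, identifier, authenticator,
                         nas_identifier=b"mab-probe"):
    """Assemble a MAB-style Access-Request (nas_identifier is a made-up value)."""
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD,
                         encrypt_pap_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IDENTIFIER, nas_identifier)
             + attribute(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)))
    head = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return head + authenticator + attrs


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(response, request_authenticator, secret):
    """Return the response code if its authenticator matches our request and
    shared secret, otherwise None (wrong secret, tampering, truncation)."""
    if len(response) < HEADER_LEN:
        return None
    code, _ident, length = struct.unpack("!BBH", response[:4])
    if length < HEADER_LEN or length > len(response):
        return None
    body = response[:length]
    expected = hashlib.md5(body[:4] + request_authenticator + body[HEADER_LEN:] + secret).digest()
    return code if expected == body[4:HEADER_LEN] else None


def probe_server(host, secret, mac, mab_password, port=1812, timeout=3.0):
    """Send one Access-Request over UDP; returns 'accept', 'reject', 'other',
    'timeout' or 'invalid' (authenticator or identifier mismatch)."""
    identifier = os.urandom(1)[0]
    authenticator = os.urandom(16)
    request = build_access_request(secret, mab_username(mac), mab_password, identifier, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            data, _peer = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    code = verify_response(data, authenticator, secret)
    if code is None or data[1] != identifier:
        return "invalid"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "other")


if __name__ == "__main__":
    # Server IP and MAC are taken from the thread; secret and password are placeholders.
    print(probe_server("172.16.32.247", b"SHARED-SECRET-PLACEHOLDER",
                       "24:5e:be:21:05:b0", "MAB-PASSWORD-PLACEHOLDER"))
```

A "timeout" from the management host while the switch also logs nothing points at the path or the NPS client definition; a "reject" or "accept" proves the server is reachable and answering, so the silence on re-plug is on the switch side. The check does not cover the Message-Authenticator attribute, which NPS does not require for PAP.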
02-11-2022 02:19 AM
The RADIUS server (Win 2012R2 NPS, anyway) is behind a VPN and answers correctly on the first connection.
In the firewall (FPR-1010 in ASA mode), I can see a TCP 1812 connection at the first plug-in, but nothing on subsequent plug-in attempts.
Also tried with a purposely wrong MAC address (on a "new" port):
11-Feb-2022 10:06:35 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 24:5e:be:21:05:b1 was rejected on port gi2/0/11 due to wrong user name or password in Radius server
and then plugged in the rightful device:
11-Feb-2022 10:09:29 %LINK-I-Up: Vlan 100
11-Feb-2022 10:09:29 %SEC-I-PORTAUTHORIZED: Port gi2/0/11 is Authorized
11-Feb-2022 10:09:29 %SEC-I-SUPPLICANTAUTHORIZED: MAC 24:5e:be:21:05:b0 is authorized on port gi2/0/11
(VLAN 100 is assigned by RADIUS)
Seems OK, right? Then I unplug it and plug it back in... and it stays unauthorized:
11-Feb-2022 10:11:45 %LINK-W-Down: gi2/0/11
11-Feb-2022 10:11:45 %LINK-W-Down: Vlan 100
11-Feb-2022 10:11:45 %LINK-W-Down: Vlan 500
11-Feb-2022 10:11:53 %LINK-I-Up: gi2/0/11
11-Feb-2022 10:11:53 %LINK-I-Up: Vlan 500
11-Feb-2022 10:11:53 %SEC-W-PORTUNAUTHORIZED: Port gi2/0/11 is unAuthorized
11-Feb-2022 10:11:58 %STP-W-PORTSTATUS: gi2/0/11: STP status Forwarding
sh dot1x int gi 2/0/11
Authentication is enabled
Authenticator Global Configuration:
Authenticating Servers: Radius
MAC-Based Authentication:
Type: Radius
Username Groupsize: 12
Username Separator: -
Username case: Lowercase
Password: MD5 checksum *removed*
Unauthenticated VLANs:
Guest VLAN: VLAN 500, timeout 30 sec
Authentication failure traps are enabled for 802.1x, mac
Authentication success traps are enabled for 802.1x, mac
Authentication quiet traps are disabled
Supplicant Global Configuration:
Supplicant Authentication success traps are enabled
Supplicant Authentication failure traps are enabled
gi2/0/11
Authenticator is enabled
Supplicant is disabled
Authenticator Configuration:
Host mode: multi-host
Authentication methods: mac
Port Administrated Status: auto
Guest VLAN: enabled
VLAN Radius Attribute: enabled, static
Open access: disabled
Server timeout: 30 sec
Port Operational Status: unauthorized
Reauthentication is enabled
Reauthentication period: 300 sec
Silence period: 0 sec
Quiet period: 60 sec
Interfaces 802.1X-Based Parameters
Tx period: 30 sec
Supplicant timeout: 30 sec
Max req: 2
Authentication success: 1
Authentication fails: 3
Supplicant Configuration:
retry-max: 2
EAP time period: 30
Supplicant Held Period: 60
And no connection attempt to the RADIUS server... In case you ask, the 3 failed authentications were done when I purposely started with another device plugged in.
It drives me mad, and I'm pretty sure there's an easy explanation...
02-11-2022 02:31 AM
If I try to plug the same "wrong" device back in again (like I did in the first step):
11-Feb-2022 10:28:06 %LINK-W-Down: gi2/0/11
11-Feb-2022 10:28:06 %LINK-W-Down: Vlan 500
11-Feb-2022 10:28:08 %LINK-I-Up: gi2/0/11
11-Feb-2022 10:28:08 %LINK-I-Up: Vlan 500
11-Feb-2022 10:28:13 %STP-W-PORTSTATUS: gi2/0/11: STP status Forwarding
And that's all; I don't get the reject message either... It's like it won't talk to the RADIUS server again...
02-11-2022 04:13 AM
From the device config:
>...encrypted radius-server host 172.16.32.247 key *removed* usage dot1.x
Have a try with: encrypted radius-server host 172.16.32.247 key *removed* usage all dot1.x
M.
02-11-2022 04:30 AM
Thanks for your answer.
Changed it, same behaviour.
Broke the stack to make it a single switch, idem.
Tried with another (brand new) switch with older firmware (v3.0.0.69), idem.
02-11-2022 04:13 AM
Another test:
I stopped the NPS service. Plugged into 2/0/7 (never plugged anything into it before): there's a normal message for the offline RADIUS. Then plugged back into 2/0/11: no message at all. Then again on a new port, 2/0/13: message for offline RADIUS!
11-Feb-2022 12:02:49 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 24:5e:be:21:05:b0 was rejected on port gi2/0/7 because Radius server does not respond
11-Feb-2022 12:02:58 %LINK-W-Down: gi2/0/7
11-Feb-2022 12:02:58 %LINK-W-Down: Vlan 500
11-Feb-2022 12:03:02 %LINK-I-Up: gi2/0/11
11-Feb-2022 12:03:02 %LINK-I-Up: Vlan 500
11-Feb-2022 12:03:06 %STP-W-PORTSTATUS: gi2/0/11: STP status Forwarding
11-Feb-2022 12:06:53 %LINK-W-Down: Vlan 500
11-Feb-2022 12:07:02 %LINK-I-Up: gi2/0/13
11-Feb-2022 12:07:02 %LINK-I-Up: Vlan 500
11-Feb-2022 12:07:02 %SEC-W-PORTUNAUTHORIZED: Port gi2/0/13 is unAuthorized
11-Feb-2022 12:07:07 %STP-W-PORTSTATUS: gi2/0/13: STP status Forwarding
11-Feb-2022 12:07:18 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 24:5e:be:21:05:b0 was rejected on port gi2/0/13 because Radius server does not respond
Then I suspect the wrong behaviour is: authenticated once, then it won't ask again. At least it doesn't stay authenticated after unplugging, but it (definitely) stays unauthenticated, because it won't try to authenticate again.
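The symptom described above (link comes up, the port is marked unauthorized, and no SUPPLICANTAUTHORIZED or SUPPLICANTUNAUTHORIZED message ever follows) can be picked out of the switch logs automatically, which is useful both for confirming the diagnosis and for alerting when an authenticator silently stops challenging. The following is an added example, not from the original post: a small Python parser over the syslog line format quoted in this thread. The two samples are copied from the thread's posts; the 60 s observation window and the choice of which message ids count as an authentication attempt are my assumptions.

```python
import re
from datetime import datetime, timedelta

# Line shape of the switch syslog quoted in the thread, e.g.
#   11-Feb-2022 10:11:53 %SEC-W-PORTUNAUTHORIZED: Port gi2/0/11 is unAuthorized
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) "
    r"%(?P<msg>[A-Z]+-[A-Z]-[A-Za-z]+): (?P<body>.*)$")
PORT_RE = re.compile(r"\b(gi\d+/\d+/\d+)\b")

# Messages that prove the authenticator actually ran a MAB exchange
# (success, RADIUS reject, or RADIUS timeout).  PORTUNAUTHORIZED is the
# switch's own state change and is deliberately not counted.
AUTH_ATTEMPT = {"SEC-I-SUPPLICANTAUTHORIZED", "SEC-W-SUPPLICANTUNAUTHORIZED"}
LINK_UP = "LINK-I-Up"
LINK_DOWN = "LINK-W-Down"


def parse_line(line):
    """Return (timestamp, message id, port or None), or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    port = PORT_RE.search(m.group("body"))
    return ts, m.group("msg"), port.group(1) if port else None


def find_silent_ports(lines, window=timedelta(seconds=60)):
    """Report access ports whose link came up but never produced a MAB attempt.

    A link-up is cleared by a SUPPLICANT(UN)AUTHORIZED message on the same
    port.  It is reported if the link goes down again first, or if the log
    runs on for at least `window` after it with nothing.  The 60 s default is
    an assumption sized to cover the 30 s server timeout shown in the thread."""
    pending = {}        # port -> time of the link-up still awaiting an attempt
    findings = []
    last_ts = None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg, port = parsed
        last_ts = ts
        if port is None:            # VLAN interface up/down and similar
            continue
        if msg == LINK_UP:
            pending[port] = ts
        elif msg in AUTH_ATTEMPT:
            pending.pop(port, None)
        elif msg == LINK_DOWN:
            up = pending.pop(port, None)
            if up is not None:
                findings.append((port, up, "link went down again with no MAB attempt"))
    for port, up in pending.items():
        if last_ts is not None and last_ts - up >= window:
            findings.append((port, up, "no MAB attempt within %ds of link-up" % window.total_seconds()))
    return sorted(findings, key=lambda f: f[1])


# Sample A: the gi2/0/11 sequence posted in the thread (reject, success,
# re-plug with silence, second re-plug).
SAMPLE_A = """
11-Feb-2022 10:06:35 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 24:5e:be:21:05:b1 was rejected on port gi2/0/11 due to wrong user name or password in Radius server
11-Feb-2022 10:09:29 %LINK-I-Up: Vlan 100
11-Feb-2022 10:09:29 %SEC-I-PORTAUTHORIZED: Port gi2/0/11 is Authorized
11-Feb-2022 10:09:29 %SEC-I-SUPPLICANTAUTHORIZED: MAC 24:5e:be:21:05:b0 is authorized on port gi2/0/11
11-Feb-2022 10:11:45 %LINK-W-Down: gi2/0/11
11-Feb-2022 10:11:45 %LINK-W-Down: Vlan 100
11-Feb-2022 10:11:45 %LINK-W-Down: Vlan 500
11-Feb-2022 10:11:53 %LINK-I-Up: gi2/0/11
11-Feb-2022 10:11:53 %LINK-I-Up: Vlan 500
11-Feb-2022 10:11:53 %SEC-W-PORTUNAUTHORIZED: Port gi2/0/11 is unAuthorized
11-Feb-2022 10:11:58 %STP-W-PORTSTATUS: gi2/0/11: STP status Forwarding
11-Feb-2022 10:28:06 %LINK-W-Down: gi2/0/11
11-Feb-2022 10:28:06 %LINK-W-Down: Vlan 500
11-Feb-2022 10:28:08 %LINK-I-Up: gi2/0/11
11-Feb-2022 10:28:08 %LINK-I-Up: Vlan 500
11-Feb-2022 10:28:13 %STP-W-PORTSTATUS: gi2/0/11: STP status Forwarding
"""

# Sample B: the NPS-stopped test (new ports report a RADIUS timeout,
# the previously authorized port stays silent).
SAMPLE_B = """
11-Feb-2022 12:02:49 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 24:5e:be:21:05:b0 was rejected on port gi2/0/7 because Radius server does not respond
11-Feb-2022 12:02:58 %LINK-W-Down: gi2/0/7
11-Feb-2022 12:02:58 %LINK-W-Down: Vlan 500
11-Feb-2022 12:03:02 %LINK-I-Up: gi2/0/11
11-Feb-2022 12:03:02 %LINK-I-Up: Vlan 500
11-Feb-2022 12:03:06 %STP-W-PORTSTATUS: gi2/0/11: STP status Forwarding
11-Feb-2022 12:06:53 %LINK-W-Down: Vlan 500
11-Feb-2022 12:07:02 %LINK-I-Up: gi2/0/13
11-Feb-2022 12:07:02 %LINK-I-Up: Vlan 500
11-Feb-2022 12:07:02 %SEC-W-PORTUNAUTHORIZED: Port gi2/0/13 is unAuthorized
11-Feb-2022 12:07:07 %STP-W-PORTSTATUS: gi2/0/13: STP status Forwarding
11-Feb-2022 12:07:18 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 24:5e:be:21:05:b0 was rejected on port gi2/0/13 because Radius server does not respond
"""

if __name__ == "__main__":
    for name, sample in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        for port, when, why in find_silent_ports(sample.splitlines()):
            print("sample %s: %s link-up at %s: %s" % (name, port, when, why))
```

Both samples produce exactly one finding, the gi2/0/11 link-up that was never followed by any attempt, while gi2/0/7 and gi2/0/13 are clean because the "Radius server does not respond" reject proves the authenticator did try. Run against a live syslog feed, the same rule separates "RADIUS unreachable" (attempts logged, all timing out) from "authenticator not asking" (no attempt at all).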
02-11-2022 04:33 AM
- It seems like your spanning tree is flapping, which could hamper stable communication with the RADIUS server. What is connected to gi2/0/7 and gi2/0/13?
M.
02-11-2022 04:36 AM
The very same device I use for testing. STP info seems normal after each plug-in (and link-up).
02-11-2022 04:51 AM
- Did you also check out this reply:
From the device config:
>...encrypted radius-server host 172.16.32.247 key *removed* usage dot1.x
Have a try with: encrypted radius-server host 172.16.32.247 key *removed* usage all dot1.x
M.
02-11-2022 04:53 AM
Yes, see my message up there:
Thanks for your answer.
Changed it, same behaviour.
Broke the stack to make it a single switch, idem.
Tried with another (brand new) switch with older firmware (v3.0.0.69), idem.
02-11-2022 05:20 AM
- Consider escalating this problem: https://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
M.
02-11-2022 05:04 AM
Following. I will check the config and come back later tonight.
02-11-2022 06:07 AM
I opened Case Number 693044104; hopefully I'll come back with an answer. Nevertheless, any idea is welcome :)
02-11-2022 06:33 AM
OK, when does the host re-authenticate to the 802.1x switch?
1- Link down <- for a host directly connected to the 802.1x switch.
2- Inactivity <- if the host is connected to a switch/hub rather than directly to the 802.1x switch, OR the host is connected to an IP phone.
3- CDP <- if the host is connected to an IP phone.
So which of the above cases do you have?