C9300 AAA: I do not receive the EAP-Request/Identity response

amalitol81
Level 1

Guys,

I have a domain-managed laptop and I'm deploying Cisco ISE 2.4 on the network. The laptop is connected to a Catalyst 9300 switch. I'm running a Wireshark instance on the laptop.

I noticed the laptop sends the EAPOL-Start packet three times with no response (EAP-Request/Identity from the SW). I've followed steps from different admin guides, which are almost the same, but it doesn't work.

Any suggestions?


#### C9300 Config ####

aaa new-model
!
!
aaa group server radius psns
 server name ccpanpsn1
 server name ccpanpsn2
 ip radius source-interface Vlan201
!
aaa authentication login default local
aaa authentication dot1x default group psns

aaa authorization network default group psns

aaa accounting update newinfo periodic 2880
aaa accounting dot1x default start-stop group radius
!
!
!
!
!
aaa server radius dynamic-author
 client 10.20.202.101 server-key T1ns$ciscoise
 client 10.20.202.102 server-key T1ns$ciscoise
!
aaa session-id common
clock timezone EST 5 0
clock summer-time EDT recurring
switch 1 provision c9300-48p
!
!
...
!...
device-sensor filter-list dhcp list DHCP-LIST
 option name host-name
 option name requested-address
 option name parameter-request-list
 option name class-identifier
 option name client-identifier
!
device-sensor filter-list lldp list LLDP-LIST
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
!
device-sensor filter-list cdp list CDP-LIST
 tlv name device-name
 tlv name address-type
 tlv name capabilities-type
 tlv name version-type
 tlv name platform-type
device-sensor filter-spec dhcp include list DHCP-LIST
device-sensor filter-spec lldp include list LLDP-LIST
device-sensor filter-spec cdp include list CDP-LIST
device-sensor accounting
device-sensor notify all-changes
authentication mac-move permit
access-session acl default passthrough
cpp system-default
device-tracking policy NOTRACKUDP
 no protocol udp
 tracking enable
!
!
...
!
dot1x system-auth-control
dot1x critical eapol
!
username admin privilege 15 secret 5 $1$/iTY$suJbP9rh.8JEnMPZn1apQ.
username test-user password 0 test-pass
!
!
....
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
radius server ccpanpsn1
 address ipv4 10.20.202.101 auth-port 1812 acct-port 1813
 automate-tester username test-user ignore-acct-port probe-on
 key T1ns$ciscoise
!
radius server ccpanpsn2
 address ipv4 10.20.202.102 auth-port 1812 acct-port 1813
 automate-tester username test-user ignore-acct-port probe-on
 key T1ns$ciscoise
!
!




interface GigabitEthernet1/0/2
 description ** dot1x-test-port **
 switchport access vlan 70
 switchport mode access
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server dynamic
 authentication event no-response action authorize vlan 70
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 spanning-tree portfast
!
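To make the missing exchange concrete, here is an added Python example (not code from the original post or from Cisco) that builds the two frames involved, the supplicant's EAPOL-Start and the authenticator's expected EAP-Request/Identity reply, per IEEE 802.1X and RFC 3748, decodes them the way Wireshark does, and classifies a captured sequence as "silent authenticator" or "authenticator answered". The MAC addresses and the two sample captures are constructed; nothing here talks to a switch.

```python
"""Decode 802.1X EAPOL frames and check whether an authenticator answered.

Added example, not from the original thread. Frame layouts follow IEEE 802.1X
(EAPOL) and RFC 3748 (EAP); MAC addresses and captures are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
EAPOL_VERSION = 2

EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAPOL_TYPE_NAMES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1

# Constructed sample addresses (not from the thread).
SUPPLICANT_MAC = bytes.fromhex("001122334455")
SWITCH_PORT_MAC = bytes.fromhex("00aabbccddee")


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass
class EapolFrame:
    src: str
    dst: str
    eapol_type: int
    eap_code: Optional[int] = None
    eap_id: Optional[int] = None
    eap_type: Optional[int] = None

    def summary(self) -> str:
        """One-line description in the style of a capture tool's Info column."""
        name = EAPOL_TYPE_NAMES.get(self.eapol_type, f"type-{self.eapol_type}")
        if self.eapol_type == EAPOL_EAP_PACKET:
            code = EAP_CODE_NAMES.get(self.eap_code, f"code-{self.eap_code}")
            kind = "/Identity" if self.eap_type == EAP_TYPE_IDENTITY else ""
            name = f"EAP-{code}{kind} id={self.eap_id}"
        return f"{self.src} -> {self.dst}: {name}"


def parse_eapol(frame: bytes) -> EapolFrame:
    """Decode Ethernet + EAPOL header (+ EAP header when present); raise on malformed input."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not an EAPOL frame: ethertype 0x{ethertype:04x}")
    _version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) < body_len:
        raise ValueError("EAPOL body truncated")
    decoded = EapolFrame(src=fmt_mac(src), dst=fmt_mac(dst), eapol_type=eapol_type)
    if eapol_type == EAPOL_EAP_PACKET:
        if len(body) < 4:
            raise ValueError("EAP header truncated")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len > len(body):
            raise ValueError("EAP length exceeds EAPOL body")
        decoded.eap_code, decoded.eap_id = code, ident
        # Request/Response carry a Type byte; Success/Failure are the 4-byte header only.
        if code in (EAP_REQUEST, EAP_RESPONSE) and eap_len >= 5:
            decoded.eap_type = body[4]
    return decoded


def build_eapol_start(src: bytes) -> bytes:
    """Supplicant's opening frame: EAPOL-Start to the PAE group address, empty body."""
    return PAE_GROUP_ADDR + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, EAPOL_VERSION, EAPOL_START, 0)


def build_eap_request_identity(src: bytes, dst: bytes, ident: int) -> bytes:
    """The authenticator's expected reply: EAP-Request/Identity inside an EAPOL EAP-Packet."""
    eap = struct.pack("!BBHB", EAP_REQUEST, ident, 5, EAP_TYPE_IDENTITY)
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, EAPOL_VERSION, EAPOL_EAP_PACKET, len(eap)) + eap


def diagnose(frames: List[EapolFrame]) -> str:
    """Classify a captured EAPOL sequence from the supplicant's point of view."""
    starts = sum(1 for f in frames if f.eapol_type == EAPOL_START)
    identity_reqs = sum(1 for f in frames
                        if f.eapol_type == EAPOL_EAP_PACKET
                        and f.eap_code == EAP_REQUEST
                        and f.eap_type == EAP_TYPE_IDENTITY)
    if starts and not identity_reqs:
        return (f"{starts} EAPOL-Start sent, no EAP-Request/Identity received: "
                "the authenticator is silent on this port")
    if identity_reqs:
        return f"authenticator responded with {identity_reqs} EAP-Request/Identity"
    return "no EAPOL-Start seen: supplicant never initiated 802.1X"


def sample_silent_port() -> List[EapolFrame]:
    """Constructed capture: three EAPOL-Starts and nothing back (the symptom in the thread)."""
    return [parse_eapol(build_eapol_start(SUPPLICANT_MAC)) for _ in range(3)]


def sample_working_port() -> List[EapolFrame]:
    """Constructed capture: an EAPOL-Start answered by EAP-Request/Identity."""
    return [parse_eapol(build_eapol_start(SUPPLICANT_MAC)),
            parse_eapol(build_eap_request_identity(SWITCH_PORT_MAC, SUPPLICANT_MAC, ident=1))]


if __name__ == "__main__":
    for scenario in (sample_silent_port, sample_working_port):
        frames = scenario()
        for f in frames:
            print(f.summary())
        print("->", diagnose(frames))
```

Running the block prints both scenarios; on the silent port the decoder reports the same thing Wireshark shows in the thread (EAPOL-Start to 01:80:c2:00:00:03, repeated, never answered), which localises the problem to the authenticator side of the link rather than to the RADIUS path behind it. A reply frame, when it does appear, arrives in an EAPOL EAP-Packet with EAP code 1 (Request) and type 1 (Identity).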

2 Replies

amalitol81
Level 1

I have run the following commands and everything seems to be good.


ccisetest#sh aaa servers
RADIUS: id 1, priority 1, host 10.20.202.101, auth-port 1812, acct-port 1813
     State: current UP, duration 1304s, previous duration 900s
     Dead: total time 900s, count 0
     Platform State from SMD: current UP, duration 2143s, previous duration 60s
     SMD Platform Dead: total time 60s, count 0
     Platform State from WNCD: current UP, duration 0s, previous duration 0s
     Platform Dead: total time 0s, count 0
     Quarantined: No
     Authen: request 2, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 2, challenge 0
.......

ccisetest#test aaa group psns username ****** new-code
User successfully authenticated

USER ATTRIBUTES

username             0   "username"
ccisetest#


I also ran the command:

#dot1x test eapol-capable interface gigabitethernet1/0/2

#

and nothing happens. It seems that 802.1x is not enabled on the interface or it is not supported... but all the commands to enable 802.1x on that interface are running....

