Dot1X AAA issue

abdulwadood · ‎05-20-2024

%DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (0076.861a.2790) with reason (AAA Server Down) on Interface Gi1/0/17 AuditSessionID 099FA8C00000001E973BE640 Username: CP-7821-SEP0076861A2790
May 20 18:21:18.739: %DOT1X-5-RESULT_OVERRIDE: Switch 1 R0/0: sessmgrd: Authentication result overridden for client (0076.861a.2790) on Interface Gi1/0/17 AuditSessionID 099FA8C00000001E973BE640

I have configured clear pass when i configure AAA Configuration on this switch i face an error above details could someone help me on this whats the issue.

MHM Cisco World · ‎05-20-2024

specify the interface use as source to connect to AAA and issue will solved
ip radius source-interface <>

MHM

balaji.bandi · ‎05-20-2024

what is the model of the switch and IOS running, what configuration done on the switch ?

what is the port configuration also on G1/0/17 - what end device connected to that port ?

is this AAA worked before is new setup ?

also check the does the switch can reach you clear pass server.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

abdulwadood · ‎05-21-2024

Please find the configuration

balaji.bandi · ‎05-21-2024

Please find the configuration

we do not see yet or missed to attach the confg here ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

abdulwadood · ‎05-21-2024

This is the issue we face once we connect with Newly Cisco IP PHone

%DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (0076.861a.2790) with reason (AAA Server Down) on Interface Gi1/0/17 AuditSessionID 099FA8C00000001E973BE640 Username: CP-7821-SEP0076861A2790
May 20 18:21:18.739: %DOT1X-5-RESULT_OVERRIDE: Switch 1 R0/0: sessmgrd: Authentication result overridden for client (0076.861a.2790) on Interface Gi1/0/17 AuditSessionID 099FA8C00000001E973BE640

Clearpass receive both authentication MAC as well as 802.1X authentication but we want only mac authentication why this phone send both authentication how do i stop this

MHM Cisco World · ‎05-21-2024

Can you share config

MHM

abdulwadood · ‎05-22-2024

TestSw#sh running-config
Building configuration...

Current configuration : 15982 bytes
!
! Last configuration change at 19:51:36 UTC Mon May 20 2024 by admin
!
version 17.6
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform punt-keepalive disable-kernel-core
!
hostname TestSw
!
!
vrf definition Mgmt-vrf
!
**bleep**-family ipv4
exit-**bleep**-family
!
**bleep**-family ipv6
exit-**bleep**-family
!
enable secret xxxxxxxx
!
aaa new-model
!
!
aaa group server radius GR
server name GR-NAC
!
aaa authentication dot1x default group GR
aaa authorization network default group GR
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group GR
aaa accounting system default start-stop group GR
!
!
!
!
!
aaa server radius dynamic-author
client 192.168.40.21 server-key xxxxxxxx
!
aaa session-id common
switch 1 provision c9300-48p
!
!
!
!
ip routing
!
!
!
!
ip dhcp snooping
login on-success log
!
!
!
!
!
device-sensor accounting
device-sensor notify all-changes
!
crypto pki trustpoint TP-self-signed-1514558421
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1514558421
revocation-check none
rsakeypair TP-self-signed-1514558421
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!

quit
!
dot1x system-auth-control
license boot level network-essentials addon dna-essentials
!
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
memory free low-watermark processor 131688

!
redundancy
mode sso
!
!
!
!
crypto engine compliance shield disable
!
!
transceiver type all
monitoring
!
!
class-map match-any system-cpp-police-ewlc-control
description EWLC Control
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, L2 LVX data packets, LOGGING, Transit Traffic
class-map match-any system-cpp-default
description EWLC Data, Inter FED Traffic
class-map match-any system-cpp-police-sys-data
description Openflow, Exception, EGR Exception, NFL Sampled Data, RPF Failed
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
description L2 LVX control packets
class-map match-any system-cpp-police-forus
description Forus **bleep** resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-high-rate-app
description High Rate Applications
class-map match-any system-cpp-police-multicast
description MCAST Data
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
description Stackwise Virtual OOB
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
description DHCP snooping
class-map match-any system-cpp-police-ios-routing
description L2 control, Topology control, Routing control, Low Latency
class-map match-any system-cpp-police-system-critical
description System Critical and Gold Pkt
class-map match-any system-cpp-police-ios-feature
description ICMPGEN,BROADCAST,ICMP,L2LVXCntrl,ProtoSnoop,PuntWebauth,MCASTData,Transit,DOT1XAuth,Swfwd,LOGGING,L2LVXData,ForusTraffic,ForusARP,McastEndStn,Openflow,Exception,EGRExcption,NflSampled,RpfFailed
!
policy-map system-cpp-policy
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip **bleep**
shutdown
negotiation auto
!
interface GigabitEthernet1/0/1
switchport access vlan 150
spanning-tree portfast
!
interface GigabitEthernet1/0/2
switchport access vlan 150
spanning-tree portfast
!
interface GigabitEthernet1/0/3
switchport access vlan 150
switchport trunk native vlan 150
switchport mode access
!
interface GigabitEthernet1/0/4
switchport access vlan 150
!
interface GigabitEthernet1/0/5
switchport access vlan 40
spanning-tree portfast
!
interface GigabitEthernet1/0/6
switchport access vlan 40
switchport voice vlan 65
spanning-tree portfast
!
interface GigabitEthernet1/0/7
switchport access vlan 40
switchport voice vlan 65
spanning-tree portfast
!
interface GigabitEthernet1/0/8
switchport access vlan 40
switchport voice vlan 65
spanning-tree portfast
!
interface GigabitEthernet1/0/9
switchport access vlan 40
switchport voice vlan 65
spanning-tree portfast
!
interface GigabitEthernet1/0/10
switchport access vlan 40
switchport voice vlan 65
spanning-tree portfast
!
interface GigabitEthernet1/0/11
switchport access vlan 40
switchport voice vlan 65
spanning-tree portfast
!
interface GigabitEthernet1/0/12
switchport access vlan 40
switchport voice vlan 65
spanning-tree portfast
!
interface GigabitEthernet1/0/13
switchport access vlan 150
switchport voice vlan 65
spanning-tree portfast
!
interface GigabitEthernet1/0/14
switchport access vlan 40
switchport voice vlan 65
spanning-tree portfast
!
interface GigabitEthernet1/0/15
switchport access vlan 40
switchport voice vlan 65
spanning-tree portfast
!
interface GigabitEthernet1/0/16
switchport access vlan 40
switchport voice vlan 65
spanning-tree portfast
!
interface GigabitEthernet1/0/17
switchport access vlan 40
switchport voice vlan 65
spanning-tree portfast
!
interface GigabitEthernet1/0/18
switchport access vlan 40
switchport voice vlan 65
spanning-tree portfast
!
interface GigabitEthernet1/0/19
switchport access vlan 40
switchport voice vlan 65
spanning-tree portfast
!
interface GigabitEthernet1/0/20
switchport access vlan 40
switchport voice vlan 65
spanning-tree portfast
!
interface GigabitEthernet1/0/21
switchport access vlan 40
switchport voice vlan 65
spanning-tree portfast
!
interface GigabitEthernet1/0/22
switchport access vlan 40
switchport voice vlan 65
spanning-tree portfast
!
interface GigabitEthernet1/0/23
switchport access vlan 40
switchport voice vlan 65
spanning-tree portfast
!
interface GigabitEthernet1/0/24
switchport access vlan 40
switchport voice vlan 65
spanning-tree portfast
!
interface GigabitEthernet1/0/25
switchport access vlan 40
switchport voice vlan dot1p
spanning-tree portfast
!
interface GigabitEthernet1/0/26
switchport access vlan 40
switchport voice vlan dot1p
spanning-tree portfast
!
interface GigabitEthernet1/0/27
switchport access vlan 40
switchport voice vlan dot1p
spanning-tree portfast
!
interface GigabitEthernet1/0/28
switchport access vlan 40
switchport voice vlan dot1p
spanning-tree portfast
!
interface GigabitEthernet1/0/29
switchport access vlan 40
switchport voice vlan dot1p
spanning-tree portfast
!
interface GigabitEthernet1/0/30
switchport access vlan 40
switchport voice vlan dot1p
spanning-tree portfast
!
interface GigabitEthernet1/0/31
switchport access vlan 40
switchport voice vlan dot1p
spanning-tree portfast
!
interface GigabitEthernet1/0/32
switchport access vlan 40
switchport voice vlan dot1p
spanning-tree portfast
!
interface GigabitEthernet1/0/33
switchport access vlan 40
switchport voice vlan dot1p
spanning-tree portfast
!
interface GigabitEthernet1/0/34
switchport access vlan 40
switchport voice vlan dot1p
spanning-tree portfast
!
interface GigabitEthernet1/0/35
switchport access vlan 40
switchport voice vlan dot1p
spanning-tree portfast
!
interface GigabitEthernet1/0/36
switchport access vlan 40
switchport voice vlan dot1p
spanning-tree portfast
!
interface GigabitEthernet1/0/37
!
interface GigabitEthernet1/0/38
!
interface GigabitEthernet1/0/39
!
interface GigabitEthernet1/0/40
!
interface GigabitEthernet1/0/41
!
interface GigabitEthernet1/0/42
!
interface GigabitEthernet1/0/43
!
interface GigabitEthernet1/0/44
!
interface GigabitEthernet1/0/45
!
interface GigabitEthernet1/0/46
!
interface GigabitEthernet1/0/47
switchport mode trunk
!
interface GigabitEthernet1/0/48
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/5
switchport access vlan 10
spanning-tree portfast
!
interface TenGigabitEthernet1/1/6
switchport access vlan 10
spanning-tree portfast
!
interface TenGigabitEthernet1/1/7
switchport access vlan 10
spanning-tree portfast
!
interface TenGigabitEthernet1/1/8
!
interface FortyGigabitEthernet1/1/1
!
interface FortyGigabitEthernet1/1/2
!
interface TwentyFiveGigE1/1/1
!
interface TwentyFiveGigE1/1/2
!
interface AppGigabitEthernet1/0/1
!
interface Vlan1
no ip **bleep**
shutdown
!
interface Vlan10
ip **bleep** 10.10.10.1 255.255.255.0
!
interface Vlan40
ip **bleep** 192.168.40.19 255.255.255.0
!
interface Vlan65
ip **bleep** 192.168.65.19 255.255.255.0
!
interface Vlan150
ip **bleep** 192.168.150.251 255.255.255.0
!
interface Vlan151
ip **bleep** 192.168.151.19 255.255.255.0
!
interface Vlan152
ip **bleep** 192.168.152.19 255.255.255.0
!
interface Vlan160
ip **bleep** 192.168.160.2 255.255.255.0
!
interface Vlan190
ip **bleep** 192.168.190.1 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip radius source-interface Vlan40
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
radius server GR-NAC
**bleep** ipv4 192.168.40.21 auth-port 1812 acct-port 1813
timeout 2
retransmit 3
key xxxxxxxxx
!
!
control-plane
service-policy input system-cpp-policy
!

!
line con 0
transport preferred telnet
stopbits 1
line vty 0 4
transport input all
line vty 5 31
transport input all