Dot1x Authentication not working on Cisco 9300

Jhonadms (Level 1)

Hi All,

Recently I replaced a 3750 with a C9300 and dot1x stopped working.

Below are the outputs:

show authentication sessions

Interface                MAC Address    Method  Domain  Status Fg  Session ID
--------------------------------------------------------------------------------------------
Gi1/0/45                 685b.35d3.172f dot1x   UNKNOWN Auth        0000000000000010E2B0EA6E

Session count = 1

Key to Session Events Blocked Status Flags:

  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker

 

Jhon

 

Accepted Solution

Hi @Jhonadms,

I would advise you to check the authorization profile and make sure you have selected the Advanced Attributes, and add the value as follows:

Access Type = ACCESS_ACCEPT

[screenshot: Permitany.JPG]

By default, when we select PermitAny the attribute is missing, and the C9300 will not work until you add the attribute to it.

Hope this will help you!

BR
Tayyab

*** Please rate all helpful responses and mark solutions ***
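The accepted fix is on the ISE side of the exchange, but it helps to see what the switch is waiting for on the wire. The following is an added example, not code from the thread, from Cisco or from ISE: it builds a RADIUS Access-Accept carrying a cisco-av-pair that names a downloadable ACL (the ACL name is the one visible in the thread's EPM log; the shared secret, packet ID and Request Authenticator are made-up values), verifies the Response Authenticator against the shared secret as RFC 2865 requires, and checks that the dACL attribute the switch needs to authorize the session is actually present. A reply that fails any of these checks is what a NAS has to discard or treat as unusable.

```python
"""Validate a RADIUS Access-Accept the way a NAS must before acting on it.

Added example, not code from the thread, Cisco or ISE. The shared
secret, packet identifier and Request Authenticator below are made-up
values; the dACL name is the one seen in the thread's EPM log.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1            # vendor type 1 = cisco-av-pair
DACL_PREFIX = "ACS:CiscoSecure-Defined-ACL="


def build_access_accept(ident, request_auth, secret, avpairs):
    """Build an Access-Accept with one Cisco VSA per av-pair (constructed test input)."""
    attrs = b""
    for av in avpairs:
        data = av.encode()
        vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(data)) + data
        attrs += struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(vsa)) + vsa
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # RFC 2865: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_radius(pkt):
    """Split a RADIUS packet into (code, id, authenticator, [(type, value), ...])."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length > 4096:
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, pkt[4:20], attrs


def response_authenticator_ok(pkt, request_auth, secret):
    """True only if the Response Authenticator was computed with our shared secret."""
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def cisco_avpairs(attrs):
    """Extract cisco-av-pair strings from Vendor-Specific (26) attributes with vendor 9."""
    pairs = []
    for atype, value in attrs:
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        pos = 4
        while pos + 2 <= len(value):
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                break                  # malformed sub-attribute: stop, do not trust the rest
            if vtype == CISCO_AVPAIR:
                pairs.append(value[pos + 2:pos + vlen].decode("ascii", "replace"))
            pos += vlen
    return pairs


def check_access_accept(pkt, request_auth, secret):
    """Return (ok, detail): ok only for an authentic Access-Accept that names a dACL."""
    try:
        code, _ident, _auth, attrs = parse_radius(pkt)
    except ValueError as exc:
        return False, f"malformed packet: {exc}"
    if code != ACCESS_ACCEPT:
        return False, f"code {code} is not Access-Accept"
    if not response_authenticator_ok(pkt, request_auth, secret):
        return False, "Response Authenticator mismatch: wrong shared secret or forged reply"
    dacls = [p[len(DACL_PREFIX):] for p in cisco_avpairs(attrs) if p.startswith(DACL_PREFIX)]
    if not dacls:
        return False, "authentic Access-Accept but no dACL av-pair to authorize with"
    return True, dacls[0]


if __name__ == "__main__":
    req_auth = bytes(range(16))              # made-up Request Authenticator
    secret = b"example-shared-secret"        # made-up shared secret
    pkt = build_access_accept(7, req_auth, secret,
                              [DACL_PREFIX + "#ACSACL#-IP-PERMIT_ALL_TRAFFIC-544f05ed"])
    print(check_access_accept(pkt, req_auth, secret))
    print(check_access_accept(pkt, req_auth, b"wrong-secret"))
```

The authenticator check is the only thing that ties the reply to the server that shares the secret; a reply that passes it but carries no usable authorization attribute is exactly the "authentication succeeded, authorization failed or unapplied" situation the later logs in this thread show. The posted configuration uses one short secret on all four servers; that secret is all that prevents a forged Access-Accept from anyone who can reach the switch's RADIUS path.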

16 Replies

Hello,

What do you have configured? Post the full config of your 9300.

@Jhonadms

Can you try to obtain the debugs below, along with the authentication report from ISE, and share them here?

debug dot1x all
debug mab all
debug auth error
debug auth events
debug radius
debug epm all
debug aaa authentication

BR
Tayyab

Hi,

I am getting the following logs:

2018/09/19 07:56:56.572 [radius] [10049]: UUID: 0, ra: 0, TID: 0 (ERR): RADIUS/DECODE: No response from radius-server; parse response; FAIL
2018/09/19 07:56:56.572 [radius] [10049]: UUID: 0, ra: 0, TID: 0 (ERR): RADIUS/DECODE: No response from radius-server; parse response; FAIL
2018/09/19 07:56:56.572 [radius] [10049]: UUID: 0, ra: 0, TID: 0 (ERR): RADIUS/DECODE: No response from radius-server; parse response; FAIL

@Jhonadms

Let me check the logs. Can you share the RADIUS and interface-level configuration?

BR
Tayyab

! Global AAA / dot1x lines assumed to be present on the 9300 (not in the posted
! excerpt; added here only so the fragment is complete)
aaa new-model
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
dot1x system-auth-control
!
! The posted group referenced "server name ISE1" while the first server was
! defined as "radius server ISE"; the definition is renamed ISE1 so the group resolves
radius server ISE1
 address ipv4 10.17.38.1 auth-port 1812 acct-port 1813
 key C1c$o
radius server ISE2
 address ipv4 10.17.38.2 auth-port 1812 acct-port 1813
 key C1c$o
radius server ISE3
 address ipv4 10.17.30.1 auth-port 1812 acct-port 1813
 key C1c$o
radius server ISE4
 address ipv4 10.17.30.2 auth-port 1812 acct-port 1813
 key C1c$o
!
! CoA (dynamic authorization) clients take a shared secret via "server-key",
! not a server name; the posted "server ISE" form is not accepted
aaa server radius dynamic-author
 client 10.17.38.1 server-key C1c$o
 client 10.17.38.2 server-key C1c$o
 client 10.17.30.1 server-key C1c$o
 client 10.17.30.2 server-key C1c$o
!
aaa group server radius ISE
 server name ISE1
 server name ISE2
 server name ISE3
 server name ISE4
!
interface GigabitEthernet x/0/x
 description *** Data and VOIP Port ***
 switchport access vlan 70
 switchport mode access
 switchport voice vlan 71
 authentication event fail action next-method
 authentication event server dead action authorize vlan 70
 authentication event server alive action reinitialize
 ! open (monitor) mode: the port forwards traffic whether or not authentication succeeds
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root

Hello,

Since you have both data and voice VLANs, you would typically need to configure 'authentication host-mode multi-domain'.

Can you give that a try?

I tried, but it doesn't work; with the same configuration it was working on the 3750.

Logs from the access switch:

102834: Oct  4 10:54:14.545: %DOT1X-5-FAIL: Switch 1 R0/0: smd:  Authentication failed for client (38C9.8612.865D) on Interface Gi2/0/11 AuditSessionID 0A0B10AC000000963E1637B8
102835: Oct  4 10:54:14.563: %EPM-6-AAA: Switch 1 R0/0: smd:  POLICY xACSACLx-IP-Remediation-ACL-56791a76| EVENT DOWNLOAD_REQUEST
102836: Oct  4 10:54:14.584: AUTH-EVENT: [Gi2/0/11] mac seen: 1 authz count[DATA]: 1 authz count[UNKNOWN]: 0 open access: 1 replace open set: 0 notify all: 1 block notification: 0
102837: Oct  4 10:54:14.585: AUTH-EVENT: [Gi2/0/11] mac seen: 1 authz count[DATA]: 1 authz count[UNKNOWN]: 0 open access: 1 replace open set: 0 notify all: 1 block notification: 0
102838: Oct  4 10:54:14.566: %EPM-6-AAA: Switch 2 R0/0: smd:  POLICY xACSACLx-IP-Remediation-ACL-56791a76| EVENT DOWNLOAD-SUCCESS
102839: Oct  4 10:54:28.677: %DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port, message type: DHCPDISCOVER, MAC sa: 0012.5f17.cfe1
102840: Oct  4 10:55:46.481: %DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port, message type: DHCPDISCOVER, MAC sa: 0012.5f17.cfe1
102841: Oct  4 10:56:54.263: AUTH-EVENT: [Gi2/0/11] mac seen: 1 authz count[DATA]: 0 authz count[UNKNOWN]: 0 open access: 1 replace open set: 0 notify all: 1 block notification: 0
102842: Oct  4 10:56:54.264: AUTH-EVENT: [Gi2/0/11] mac seen: 1 authz count[DATA]: 0 authz count[UNKNOWN]: 0 open access: 1 replace open set: 0 notify all: 1 block notification: 0
102843: Oct  4 10:56:54.266: AUTH-EVENT: [Gi2/0/11] mac seen: 0 authz count[DATA]: 0 authz count[UNKNOWN]: 0 open access: 1 replace open set: 0 notify all: 1 block notification: 0
102844: Oct  4 10:56:56.520: %DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port, message type: DHCPDISCOVER, MAC sa: 0012.5f17.cfe1
102845: Oct  4 10:56:56.679: AUTH-EVENT: [Gi2/0/11] mac seen: 1 authz count[DATA]: 0 authz count[UNKNOWN]: 0 open access: 1 replace open set: 0 notify all: 1 block notification: 0
102846: Oct  4 10:58:09.487: %DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port, message type: DHCPDISCOVER, MAC sa: 0012.5f17.cfe1
102847: Oct  4 10:58:21.365: %SESSION_MGR-5-FAIL: Switch 1 R0/0: smd:  Authorization failed or unapplied for client (38C9.8612.865D) on Interface GigabitEthernet2/0/11 AuditSessionID 0A0B10AC000000983E1F3475
102848: Oct  4 10:58:21.366: %SESSION_MGR-5-FAIL: Switch 1 R0/0: smd:  Authorization failed or unapplied for client (38C9.8612.865D) on Interface GigabitEthernet2/0/11 AuditSessionID 0A0B10AC000000983E1F3475
102849: Oct  4 10:58:21.366: %SESSION_MGR-5-FAIL: Switch 1 R0/0: smd:  Authorization failed or unapplied for client (38C9.8612.865D) on Interface GigabitEthernet2/0/11 AuditSessionID 0A0B10AC000000983E1F3475
102850: Oct  4 10:58:21.366: %EPM-6-AAA: Switch 1 R0/0: smd:  POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-544f05ed| EVENT DOWNLOAD_REQUEST
102851: Oct  4 10:58:21.366: %DOT1X-5-RESULT_OVERRIDE: Switch 1 R0/0: smd:  Authentication result overridden for client (38C9.8612.865D) on Interface Gi2/0/11 AuditSessionID 0A0B10AC000000983E1F3475
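The log excerpt above mixes RADIUS timeouts, a failed authentication, a failed authorization and a result override for the same client, and the switch even names the same port two ways (Gi2/0/11 and GigabitEthernet2/0/11). The following is an added example, not code from the thread or from Cisco, that triages such an excerpt: it groups records by AuditSessionID, counts the RADIUS/DECODE no-response errors, lists the dACLs the switch tried to download, and flags any session where a FAIL was followed by DOT1X RESULT_OVERRIDE, which is the pattern on this port (configured with authentication open) where the failed result did not end in the host being denied. The sample lines are copied from the logs posted in this thread, trimmed to the relevant records.

```python
"""Triage IOS-XE dot1x / session-manager syslog for a failing port.

Added example, not from the thread or from Cisco. SAMPLE_LOGS is copied
from the log lines posted in this thread (the three RADIUS/DECODE errors
from the earlier debug plus the Gi2/0/11 records), trimmed to the
relevant ones.
"""
import re

SAMPLE_LOGS = """
2018/09/19 07:56:56.572 [radius] [10049]: UUID: 0, ra: 0, TID: 0 (ERR): RADIUS/DECODE: No response from radius-server; parse response; FAIL
2018/09/19 07:56:56.572 [radius] [10049]: UUID: 0, ra: 0, TID: 0 (ERR): RADIUS/DECODE: No response from radius-server; parse response; FAIL
2018/09/19 07:56:56.572 [radius] [10049]: UUID: 0, ra: 0, TID: 0 (ERR): RADIUS/DECODE: No response from radius-server; parse response; FAIL
102834: Oct  4 10:54:14.545: %DOT1X-5-FAIL: Switch 1 R0/0: smd:  Authentication failed for client (38C9.8612.865D) on Interface Gi2/0/11 AuditSessionID 0A0B10AC000000963E1637B8
102835: Oct  4 10:54:14.563: %EPM-6-AAA: Switch 1 R0/0: smd:  POLICY xACSACLx-IP-Remediation-ACL-56791a76| EVENT DOWNLOAD_REQUEST
102847: Oct  4 10:58:21.365: %SESSION_MGR-5-FAIL: Switch 1 R0/0: smd:  Authorization failed or unapplied for client (38C9.8612.865D) on Interface GigabitEthernet2/0/11 AuditSessionID 0A0B10AC000000983E1F3475
102850: Oct  4 10:58:21.366: %EPM-6-AAA: Switch 1 R0/0: smd:  POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-544f05ed| EVENT DOWNLOAD_REQUEST
102851: Oct  4 10:58:21.366: %DOT1X-5-RESULT_OVERRIDE: Switch 1 R0/0: smd:  Authentication result overridden for client (38C9.8612.865D) on Interface Gi2/0/11 AuditSessionID 0A0B10AC000000983E1F3475
""".strip().splitlines()

SYSLOG_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+):\s*(?P<msg>.*)")
MAC_RE = re.compile(r"\(([0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})\)")
INTF_RE = re.compile(r"Interface (\S+)")
SID_RE = re.compile(r"AuditSessionID ([0-9A-Fa-f]+)")
POLICY_RE = re.compile(r"POLICY (\S+?)\|")
RADIUS_NO_RESPONSE = "RADIUS/DECODE: No response from radius-server"
FAILURES = {("DOT1X", "FAIL"), ("SESSION_MGR", "FAIL")}
OVERRIDE = ("DOT1X", "RESULT_OVERRIDE")


def normalize_interface(name):
    """The switch logs the same port as Gi2/0/11 and GigabitEthernet2/0/11."""
    return re.sub(r"^GigabitEthernet", "Gi", name)


def parse_line(line):
    """Return a record dict for a relevant line, or None for anything else."""
    if RADIUS_NO_RESPONSE in line:
        return {"kind": "radius_no_response"}
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    msg = m["msg"]
    mac, intf = MAC_RE.search(msg), INTF_RE.search(msg)
    sid, policy = SID_RE.search(msg), POLICY_RE.search(msg)
    return {
        "kind": "syslog",
        "facility": m["fac"],
        "severity": int(m["sev"]),
        "mnemonic": m["mnem"],
        "mac": mac[1].lower() if mac else None,
        "interface": normalize_interface(intf[1]) if intf else None,
        "session": sid[1] if sid else None,
        "policy": policy[1] if policy else None,
    }


def analyze(lines):
    """Summarise an excerpt: server timeouts, per-session history, dACLs, overridden failures."""
    summary = {"radius_no_response": 0, "sessions": {}, "policies": [], "overridden_failures": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "radius_no_response":
            summary["radius_no_response"] += 1
            continue
        if rec["policy"]:
            summary["policies"].append(rec["policy"])
        if rec["session"]:
            sess = summary["sessions"].setdefault(
                rec["session"], {"mac": None, "interface": None, "events": []})
            sess["mac"] = rec["mac"] or sess["mac"]
            sess["interface"] = rec["interface"] or sess["interface"]
            sess["events"].append((rec["facility"], rec["mnemonic"]))
    for sid, sess in summary["sessions"].items():
        events = sess["events"]
        fails = [i for i, e in enumerate(events) if e in FAILURES]
        # A failure whose result was later overridden means the host was not cut off.
        if fails and OVERRIDE in events[fails[0]:]:
            summary["overridden_failures"].append(sid)
    return summary


if __name__ == "__main__":
    result = analyze(SAMPLE_LOGS)
    print("RADIUS no-response errors:", result["radius_no_response"])
    print("dACL downloads requested:", result["policies"])
    for sid, sess in result["sessions"].items():
        flag = "  <-- failure overridden" if sid in result["overridden_failures"] else ""
        print(sid, sess["mac"], sess["interface"], [e[1] for e in sess["events"]], flag)
```

Feed it the output of `show logging` filtered to the port in question; the AuditSessionID is the key that lets you line the switch-side records up with the matching authentication report in ISE, which is why the earlier reply asked for both. Sessions listed under overridden_failures are the ones to look at first, because they are the hosts that have network access without a successful authorization.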


@MUHAMMAD TAYYAB MUNIR

Thank you very much for your prompt support. After changing the mentioned attribute it started working.

Cheers
Jhon

Hi Munir,

I am facing the same error. The authorization profile has ACCESS_ACCEPT, but I am still facing this error and authorization is not happening.

Could you please tell me what the reason could be?

Regards,
Garry

Hello,

Try and change the authentication order to:

authentication order mab dot1x

I'm grateful! Fantastic,

the option on the interface with the command:

authentication priority mab dot1x

solved this problem...

The options of Auth Profiles in Policy Elements were OK.

Obviously, this action is OK where MAB is mandatory.

Thank you very much!

Regards

