Beginner

Dot1x Authentication not working on Cisco 9300

Hi All,

 

Recently I replaced a 3750 with a C9300, and dot1x has stopped working.

 

Below are the outputs:

show authentication sessions

Interface                MAC Address    Method  Domain  Status Fg  Session ID

--------------------------------------------------------------------------------------------

Gi1/0/45                 685b.35d3.172f dot1x   UNKNOWN Auth        0000000000000010E2B0EA6E

 

Session count = 1

 

Key to Session Events Blocked Status Flags:

 

  A - Applying Policy (multi-line status for details)

  D - Awaiting Deletion

  F - Final Removal in progress

  I - Awaiting IIF ID allocation

  P - Pushed Session

  R - Removing User Profile (multi-line status for details)

  U - Applying User Profile (multi-line status for details)

  X - Unknown Blocker

 

Jhon

 

1 ACCEPTED SOLUTION
Beginner

Re: Dot1x Authentication not working on Cisco 9300

HI @Jhonadms,

 

I would advise you to check the Authorization profile, make sure you have selected the Advanced attributes, and add the value as follows:

 

Access Type = ACCESS_ACCEPT

(screenshot: Permitany.JPG)

 

By default, when we select PermitAny the attribute is missing, and the C9300 will not work until you add the attribute to it.

 

Hope this will help you!

 

BR

Tayyab 

*** Please rate all helpful responses and mark solutions***
11 REPLIES
VIP Mentor

Re: Dot1x Authentication not working on Cisco 9300

Hello,

 

What do you have configured? Post the full config of your 9300...

Beginner

Re: Dot1x Authentication not working on Cisco 9300

@Jhonadms

 

Can you try to obtain the debugs below, along with the authentication report from ISE, and share them here?

 

debug dot1x all

debug mab all

debug auth error

debug auth events

debug radius

debug epm all

debug aaa authentication

 

BR

Tayyab

 

*** Please rate all helpful responses and mark solutions***
Beginner

Re: Dot1x Authentication not working on Cisco 9300

Hi,

 

I am getting the following logs:

 

2018/09/19 07:56:56.572 [radius] [10049]: UUID: 0, ra: 0, TID: 0 (ERR): RADIUS/DECODE: No response from radius-server; parse response; FAIL

2018/09/19 07:56:56.572 [radius] [10049]: UUID: 0, ra: 0, TID: 0 (ERR): RADIUS/DECODE: No response from radius-server; parse response; FAIL

2018/09/19 07:56:56.572 [radius] [10049]: UUID: 0, ra: 0, TID: 0 (ERR): RADIUS/DECODE: No response from radius-server; parse response; FAIL

Beginner

Re: Dot1x Authentication not working on Cisco 9300

@Jhonadms

 

Let me check the logs. Can you share the RADIUS and interface-level configuration?

 

BR

Tayyab

*** Please rate all helpful responses and mark solutions***
Beginner

Re: Dot1x Authentication not working on Cisco 9300

radius server ISE
 address ipv4 10.17.38.1 auth 1812 acc 1813
 key C1c$o
radius server ISE2
 address ipv4 10.17.38.2 auth 1812 acc 1813
 key C1c$o
radius server ISE3
 address ipv4 10.17.30.1 auth 1812 acc 1813
 key C1c$o
radius server ISE4
 address ipv4 10.17.30.2 auth 1812 acc 1813
 key C1c$o
!
aaa server radius dynamic-author
 client 10.17.38.1 server ISE
 client 10.17.38.2 server ISE
 client 10.17.30.1 server ISE
 client 10.17.30.2 server ISE
!
aaa group server radius ISE
 server name ISE1
 server name ISE2
 server name ISE3
 server name ISE4
!
interface GigabitEthernet x/0/x
 description *** Data and VOIP Port ***
 switchport access vlan 70
 switchport mode access
 switchport voice vlan 71
 authentication event fail action next-method
 authentication event server dead action authorize vlan 70
 authentication event server alive action reinitialize
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root

VIP Mentor

Re: Dot1x Authentication not working on Cisco 9300

Hello,

 

Since you have both data and voice VLANs, you would typically need to configure 'authentication host-mode multi-domain'.

 

Can you give that a try?
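
Two things in the configuration posted above can be checked mechanically: the group `aaa group server radius ISE` lists `server name ISE1`, but the server is defined as `radius server ISE`, and the port carries a voice VLAN with no `authentication host-mode` line at all (the IOS default is single-host, which is why the multi-domain suggestion matters for a phone with a PC behind it). The script below is an added example written by the editor, not code from the thread or from Cisco. It parses an IOS-style configuration, flags those two mismatches, and reports `authentication open` as an informational finding, because a port in open (monitor) mode forwards traffic whether or not the session authenticates, so a port whose sessions look like they are "failing" may still be giving the host full network access. The corrected variant it builds (server renamed to ISE1, multi-domain added) is the editor's assumption of what was intended; the thread does not confirm that this was the cause of the problem.

```python
"""Sanity checks for an IOS/IOS-XE 802.1X port and RADIUS configuration.

Added example (editor's code, not the thread's or Cisco's). POSTED_CONFIG is the
configuration quoted in the thread, abridged to the blocks the checks read; the
interface name is kept as the poster redacted it.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

POSTED_CONFIG = """\
radius server ISE
address ipv4 10.17.38.1 auth 1812 acc 1813
key C1c$o
radius server ISE2
address ipv4 10.17.38.2 auth 1812 acc 1813
key C1c$o
!
aaa group server radius ISE
server name ISE1
server name ISE2
!
interface GigabitEthernet x/0/x
switchport access vlan 70
switchport voice vlan 71
authentication open
authentication order dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
"""

# Editor's assumption of the intended fix, not something the thread confirms:
# the group lists ISE1, so the first server is renamed to match, and the port
# gets an explicit multi-domain host mode for the phone + PC pair.
CORRECTED_CONFIG = POSTED_CONFIG.replace("radius server ISE\n", "radius server ISE1\n").replace(
    "authentication port-control auto\n",
    "authentication port-control auto\nauthentication host-mode multi-domain\n")


@dataclass
class Finding:
    severity: str  # "error", "warn" or "info"
    scope: str     # the config object the finding belongs to
    message: str


def parse_blocks(config: str):
    """Return (radius server names, AAA group members, interface sub-commands).

    Context is tracked by block header and reset on '!' separators, so the
    parser copes with a paste that lost its indentation, as the one above did.
    """
    servers: Set[str] = set()
    groups: Dict[str, List[str]] = {}
    interfaces: Dict[str, List[str]] = {}
    current = ("", "")  # ("group" | "interface" | "", block name)
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m_srv = re.match(r"radius server (\S+)$", line)
        m_grp = re.match(r"aaa group server radius (\S+)$", line)
        m_int = re.match(r"interface (.+)$", line)
        if line.startswith("!") or m_srv:
            if m_srv:
                servers.add(m_srv.group(1))
            current = ("", "")
        elif m_grp:
            current = ("group", m_grp.group(1))
            groups[m_grp.group(1)] = []
        elif m_int:
            current = ("interface", m_int.group(1).strip())
            interfaces[current[1]] = []
        elif current[0] == "group":
            m = re.match(r"server name (\S+)$", line)
            if m:
                groups[current[1]].append(m.group(1))
        elif current[0] == "interface":
            interfaces[current[1]].append(line)
    return servers, groups, interfaces


def lint(config: str) -> List[Finding]:
    """Run the checks and return findings, most severe first."""
    servers, groups, interfaces = parse_blocks(config)
    findings: List[Finding] = []
    for group, members in groups.items():
        for name in members:
            if name not in servers:
                findings.append(Finding("error", f"aaa group server radius {group}",
                    f"'server name {name}' has no matching 'radius server {name}' definition"))
    for ifname, cmds in interfaces.items():
        def has(prefix: str) -> bool:
            return any(c.startswith(prefix) for c in cmds)
        if has("switchport voice vlan") and has("authentication port-control auto") \
                and not has("authentication host-mode"):
            findings.append(Finding("warn", f"interface {ifname}",
                "voice VLAN configured without 'authentication host-mode'; the default is single-host, "
                "a phone with a PC behind it needs 'authentication host-mode multi-domain'"))
        if has("authentication open"):
            findings.append(Finding("info", f"interface {ifname}",
                "'authentication open' is monitor mode: traffic is forwarded regardless of the "
                "authentication result unless an ACL restricts it, so a failing session still has access"))
    rank = {"error": 0, "warn": 1, "info": 2}
    return sorted(findings, key=lambda f: rank[f.severity])


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(f"== {label} config ==")
        for f in lint(cfg):
            print(f"[{f.severity}] {f.scope}: {f.message}")
```

Run it against the posted text and it reports the ISE/ISE1 mismatch as an error, the missing host-mode as a warning and the open-mode port as info; the corrected variant leaves only the info line, which is deliberate: monitor mode is a policy choice, not a misconfiguration, but it is the reason a failing dot1x port does not block anything.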

Beginner

Re: Dot1x Authentication not working on Cisco 9300

I tried, but it doesn't work, although with the same configuration it was working on the 3750.

 

Beginner

Re: Dot1x Authentication not working on Cisco 9300

 

Logs from the access switch:

 

 

102834: Oct  4 10:54:14.545: %DOT1X-5-FAIL: Switch 1 R0/0: smd:  Authentication failed for client (38C9.8612.865D) on Interface Gi2/0/11 AuditSessionID 0A0B10AC000000963E1637B8

102835: Oct  4 10:54:14.563: %EPM-6-AAA: Switch 1 R0/0: smd:  POLICY xACSACLx-IP-Remediation-ACL-56791a76| EVENT DOWNLOAD_REQUEST

102836: Oct  4 10:54:14.584: AUTH-EVENT: [Gi2/0/11] mac seen: 1 authz count[DATA]: 1 authz count[UNKNOWN]: 0 open access: 1 replace open set: 0 notify all: 1 block notification: 0

102837: Oct  4 10:54:14.585: AUTH-EVENT: [Gi2/0/11] mac seen: 1 authz count[DATA]: 1 authz count[UNKNOWN]: 0 open access: 1 replace open set: 0 notify all: 1 block notification: 0

102838: Oct  4 10:54:14.566: %EPM-6-AAA: Switch 2 R0/0: smd:  POLICY xACSACLx-IP-Remediation-ACL-56791a76| EVENT DOWNLOAD-SUCCESS

102839: Oct  4 10:54:28.677: %DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port, message type: DHCPDISCOVER, MAC sa: 0012.5f17.cfe1

102840: Oct  4 10:55:46.481: %DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port, message type: DHCPDISCOVER, MAC sa: 0012.5f17.cfe1

102841: Oct  4 10:56:54.263: AUTH-EVENT: [Gi2/0/11] mac seen: 1 authz count[DATA]: 0 authz count[UNKNOWN]: 0 open access: 1 replace open set: 0 notify all: 1 block notification: 0

102842: Oct  4 10:56:54.264: AUTH-EVENT: [Gi2/0/11] mac seen: 1 authz count[DATA]: 0 authz count[UNKNOWN]: 0 open access: 1 replace open set: 0 notify all: 1 block notification: 0

102843: Oct  4 10:56:54.266: AUTH-EVENT: [Gi2/0/11] mac seen: 0 authz count[DATA]: 0 authz count[UNKNOWN]: 0 open access: 1 replace open set: 0 notify all: 1 block notification: 0

102844: Oct  4 10:56:56.520: %DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port, message type: DHCPDISCOVER, MAC sa: 0012.5f17.cfe1

102845: Oct  4 10:56:56.679: AUTH-EVENT: [Gi2/0/11] mac seen: 1 authz count[DATA]: 0 authz count[UNKNOWN]: 0 open access: 1 replace open set: 0 notify all: 1 block notification: 0!

102846: Oct  4 10:58:09.487: %DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port, message type: DHCPDISCOVER, MAC sa: 0012.5f17.cfe1

102847: Oct  4 10:58:21.365: %SESSION_MGR-5-FAIL: Switch 1 R0/0: smd:  Authorization failed or unapplied for client (38C9.8612.865D) on Interface GigabitEthernet2/0/11 AuditSessionID 0A0B10AC000000983E1F3475

102848: Oct  4 10:58:21.366: %SESSION_MGR-5-FAIL: Switch 1 R0/0: smd:  Authorization failed or unapplied for client (38C9.8612.865D) on Interface GigabitEthernet2/0/11 AuditSessionID 0A0B10AC000000983E1F3475

102849: Oct  4 10:58:21.366: %SESSION_MGR-5-FAIL: Switch 1 R0/0: smd:  Authorization failed or unapplied for client (38C9.8612.865D) on Interface GigabitEthernet2/0/11 AuditSessionID 0A0B10AC000000983E1F3475

102850: Oct  4 10:58:21.366: %EPM-6-AAA: Switch 1 R0/0: smd:  POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-544f05ed| EVENT DOWNLOAD_REQUEST

102851: Oct  4 10:58:21.366: %DOT1X-5-RESULT_OVERRIDE: Switch 1 R0/0: smd:  Authentication result overridden for client (38C9.8612.865D) on Interface Gi2/0/11 AuditSessionID 0A0B10AC000000983E1F3475
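
The debug list earlier in the thread and the switch log above produce a lot of lines, but the useful signal is a handful of mnemonics keyed by AuditSessionID, the same identifier ISE shows in its live log. The script below is an added example written by the editor, not code from the thread or from Cisco: it parses the lines quoted above, groups them per session, records which ports show `open access: 1`, and prints a short verdict per session. The sample input is copied from the posts above (one of the three identical RADIUS/DECODE lines and a subset of the Oct 4 lines, nothing constructed); the verdict wording is the editor's reading of the standard IOS-XE messages.

```python
"""Triage IOS-XE 802.1X session logs by AuditSessionID.

Added example (editor's code, not from the thread or Cisco). SAMPLE_LOG is
copied from the posts above: one of the three identical RADIUS/DECODE lines and
a subset of the Oct 4 lines; nothing in it is constructed.
"""
import re
from typing import Dict, List

SAMPLE_LOG = """\
2018/09/19 07:56:56.572 [radius] [10049]: UUID: 0, ra: 0, TID: 0 (ERR): RADIUS/DECODE: No response from radius-server; parse response; FAIL
102834: Oct  4 10:54:14.545: %DOT1X-5-FAIL: Switch 1 R0/0: smd:  Authentication failed for client (38C9.8612.865D) on Interface Gi2/0/11 AuditSessionID 0A0B10AC000000963E1637B8
102835: Oct  4 10:54:14.563: %EPM-6-AAA: Switch 1 R0/0: smd:  POLICY xACSACLx-IP-Remediation-ACL-56791a76| EVENT DOWNLOAD_REQUEST
102836: Oct  4 10:54:14.584: AUTH-EVENT: [Gi2/0/11] mac seen: 1 authz count[DATA]: 1 authz count[UNKNOWN]: 0 open access: 1 replace open set: 0 notify all: 1 block notification: 0
102838: Oct  4 10:54:14.566: %EPM-6-AAA: Switch 2 R0/0: smd:  POLICY xACSACLx-IP-Remediation-ACL-56791a76| EVENT DOWNLOAD-SUCCESS
102847: Oct  4 10:58:21.365: %SESSION_MGR-5-FAIL: Switch 1 R0/0: smd:  Authorization failed or unapplied for client (38C9.8612.865D) on Interface GigabitEthernet2/0/11 AuditSessionID 0A0B10AC000000983E1F3475
102850: Oct  4 10:58:21.366: %EPM-6-AAA: Switch 1 R0/0: smd:  POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-544f05ed| EVENT DOWNLOAD_REQUEST
102851: Oct  4 10:58:21.366: %DOT1X-5-RESULT_OVERRIDE: Switch 1 R0/0: smd:  Authentication result overridden for client (38C9.8612.865D) on Interface Gi2/0/11 AuditSessionID 0A0B10AC000000983E1F3475
"""

# Session-scoped syslog messages carry the MAC, the port and the AuditSessionID.
SESSION_RE = re.compile(
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z_]+):.*?client \((?P<mac>[0-9A-Fa-f.]+)\)"
    r" on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)")
# EPM lines show downloadable ACL (dACL) fetches from the RADIUS server.
DACL_RE = re.compile(r"%EPM-6-AAA:.*?POLICY (?P<policy>\S+)\| EVENT (?P<event>[A-Z_-]+)")
# 'debug auth events' output; 'open access: 1' means the port is in open mode.
AUTH_EVENT_RE = re.compile(r"AUTH-EVENT: \[(?P<intf>\S+)\].*?open access: (?P<open>[01])")
RADIUS_NO_RESPONSE_RE = re.compile(r"RADIUS/DECODE: No response from radius-server")


def norm_intf(name: str) -> str:
    """The same port is logged as Gi2/0/11 and GigabitEthernet2/0/11; use the long form."""
    return re.sub(r"^Gi(?=\d)", "GigabitEthernet", name)


def summarize(log: str) -> dict:
    """Group the log into per-session event lists plus port-level facts."""
    sessions: Dict[str, dict] = {}
    summary = {"radius_no_response": 0, "sessions": sessions,
               "dacls": [], "open_access_interfaces": set()}
    for line in log.splitlines():
        if RADIUS_NO_RESPONSE_RE.search(line):
            summary["radius_no_response"] += 1
            continue
        m = SESSION_RE.search(line)
        if m:
            s = sessions.setdefault(m["sid"], {"mac": m["mac"].upper(),
                                               "interface": norm_intf(m["intf"]), "events": []})
            s["events"].append(m["mnemonic"])
            continue
        m = DACL_RE.search(line)
        if m:
            summary["dacls"].append((m["policy"], m["event"]))
            continue
        m = AUTH_EVENT_RE.search(line)
        if m and m["open"] == "1":
            summary["open_access_interfaces"].add(norm_intf(m["intf"]))
    return summary


def verdicts(summary: dict) -> List[str]:
    """One line per problem; the wording is the editor's reading of the standard messages."""
    out: List[str] = []
    n = summary["radius_no_response"]
    if n:
        out.append(f"{n} RADIUS request(s) got no reply: the server is unreachable or silently "
                   "dropped the request (a shared-secret mismatch does that); check reachability, "
                   "the key, and that the switch IP is defined as a network device in ISE")
    for sid, s in summary["sessions"].items():
        where = f"{s['mac']} on {s['interface']}, session {sid}"
        if "SESSION_MGR-5-FAIL" in s["events"] and "DOT1X-5-RESULT_OVERRIDE" in s["events"]:
            msg = f"{where}: authorization failed or was not applied, then the result was overridden"
            if s["interface"] in summary["open_access_interfaces"]:
                msg += "; the port is in open mode, so the host has network access regardless"
            out.append(msg)
        elif "DOT1X-5-FAIL" in s["events"]:
            out.append(f"{where}: 802.1X authentication failed; check the ISE live log "
                       "or the RADIUS debug for the reason")
    return out


if __name__ == "__main__":
    for line in verdicts(summarize(SAMPLE_LOG)):
        print(line)
```

The point of grouping by AuditSessionID is that the second session above shows a RADIUS exchange that completed but whose authorization the switch could not apply, followed by a result override and a dACL download request, which is a different failure from the earlier "No response from radius-server" lines and is where an authorization-profile problem on the ISE side, as in the accepted solution, shows up.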

Beginner

Re: Dot1x Authentication not working on Cisco 9300

@TAYYAB MUNIR

Thank you very much for your prompt support. After changing the mentioned attribute it started working.

 

Cheers

Jhon

VIP Mentor

Re: Dot1x Authentication not working on Cisco 9300

Hello,

 

Try changing the authentication order to:

 

authentication order mab dot1x
