01-29-2019 05:02 AM - edited 03-08-2019 05:11 PM
Hi All,
Recently I replaced a 3750 with a c9300 and dot1x has stopped working.
Below are the outputs:
show authentication sessions
Interface  MAC Address     Method  Domain   Status  Fg  Session ID
------------------------------------------------------------------
Gi1/0/45   685b.35d3.172f  dot1x   UNKNOWN  Auth        0000000000000010E2B0EA6E
Session count = 1
Key to Session Events Blocked Status Flags:
A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker
Jhon
01-30-2019 03:00 AM
Hi @Jhonadms,
I would advise you to check the Authorization profile and make sure you have selected the Advanced attributes, and add the value as follows:
Access Type = ACCESS_ACCEPT
By default, when we select permitany, the attribute is missing and the c9300 will not work until you add the attribute to it.
Hope this helps!
BR
Tayyab
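To make the "Access Type = ACCESS_ACCEPT" point concrete at the wire level, here is an added example (not code from this thread, from Cisco or from ISE) that builds a RADIUS Access-Accept (RFC 2865, Code 2) carrying a Cisco-AVPair, and validates it the way a RADIUS client must: check the Response Authenticator with the shared secret first, then decode attributes. The shared secret, packet identifier, request authenticator, User-Name and the dACL av-pair string are constructed sample values; the av-pair shown is the form ISE uses to name a downloadable ACL, but the specific name is made up for the demo.

```python
"""Minimal RADIUS response builder/validator (RFC 2865). Added example;
all secrets, identifiers and attribute values are constructed samples."""
import hashlib
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2   # what "Access Type = ACCESS_ACCEPT" selects
ACCESS_REJECT = 3

ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9
CISCO_AVPAIR = 1


def attr(type_code: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", type_code, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Wrap a Cisco-AVPair (vendor 9, vendor-type 1) in a Vendor-Specific attribute."""
    inner = attr(CISCO_AVPAIR, text.encode())
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + inner)


def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: ResponseAuth = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def validate_response(packet: bytes, request_auth: bytes, secret: bytes) -> dict:
    """Client (switch) side: verify the authenticator, then parse attributes.

    Raises ValueError on a bad authenticator or malformed TLVs; a real client
    silently discards such a reply, so the request looks unanswered.
    """
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field out of range")
    packet = packet[:length]  # octets beyond Length are padding
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if expected != packet[4:20]:
        raise ValueError("bad Response Authenticator (shared secret mismatch?)")
    decoded, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        t, l = struct.unpack("!BB", attrs[pos:pos + 2])
        if l < 2 or pos + l > len(attrs):
            raise ValueError("malformed attribute length")
        value = attrs[pos + 2:pos + l]
        if (t == ATTR_VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == VENDOR_CISCO
                and value[4] == CISCO_AVPAIR):
            vlen = value[5]
            decoded.append(("cisco-avpair", value[6:4 + vlen].decode()))
        else:
            decoded.append((t, value))
        pos += l
    return {"code": code, "id": ident, "attrs": decoded}


def demo(secret: bytes = b"constructed-secret") -> dict:
    """Round-trip an Access-Accept and show that a wrong secret is rejected."""
    request_auth = bytes(range(16))  # constructed; normally copied from the Access-Request
    attrs = (attr(ATTR_USER_NAME, b"685b35d3172f")
             + cisco_avpair("ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-544f05ed"))
    pkt = build_response(ACCESS_ACCEPT, 0x2A, request_auth, attrs, secret)
    ok = validate_response(pkt, request_auth, secret)
    try:
        validate_response(pkt, request_auth, b"wrong-secret")
        mismatch_rejected = False
    except ValueError:
        mismatch_rejected = True
    return {"code": ok["code"], "attrs": ok["attrs"], "mismatch_rejected": mismatch_rejected}


if __name__ == "__main__":
    print(demo())
```

The authenticator check is the first thing the switch does with a reply; if the `key` under `radius server` on the switch differs from the secret ISE holds for that network device, the reply is discarded before any attribute is parsed. Note also that in the configuration posted further down the servers are defined as `ISE`, `ISE2`, `ISE3`, `ISE4` while the group lists `server name ISE1`; a group entry that names an undefined server contributes nothing to the group.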
01-29-2019 05:25 AM
Hello,
What do you have configured? Post the full config of your 9300.
01-29-2019 09:32 PM
Can you try to obtain the debugs below, along with the authentication report from ISE, and share them here?
debug dot1x all
debug mab all
debug auth error
debug auth events
debug radius
debug epm all
debug aaa authentication
BR
Tayyab
01-30-2019 02:00 AM
Hi,
I am getting the following logs:
2018/09/19 07:56:56.572 [radius] [10049]: UUID: 0, ra: 0, TID: 0 (ERR): RADIUS/DECODE: No response from radius-server; parse response; FAIL
2018/09/19 07:56:56.572 [radius] [10049]: UUID: 0, ra: 0, TID: 0 (ERR): RADIUS/DECODE: No response from radius-server; parse response; FAIL
2018/09/19 07:56:56.572 [radius] [10049]: UUID: 0, ra: 0, TID: 0 (ERR): RADIUS/DECODE: No response from radius-server; parse response; FAIL
01-30-2019 02:07 AM
Let me check the logs. Can you share the RADIUS and interface-level configuration?
BR
Tayyab
01-30-2019 02:08 AM
radius server ISE
address ipv4 10.17.38.1 auth 1812 acc 1813
key C1c$o
radius server ISE2
address ipv4 10.17.38.2 auth 1812 acc 1813
key C1c$o
radius server ISE3
address ipv4 10.17.30.1 auth 1812 acc 1813
key C1c$o
radius server ISE4
address ipv4 10.17.30.2 auth 1812 acc 1813
key C1c$o
!
aaa server radius dynamic-author
client 10.17.38.1 server ISE
client 10.17.38.2 server ISE
client 10.17.30.1 server ISE
client 10.17.30.2 server ISE
aaa group server radius ISE
server name ISE1
server name ISE2
server name ISE3
server name ISE4
!
interface GigabitEthernet x/0/x
description *** Data and VOIP Port ***
switchport access vlan 70
switchport mode access
switchport voice vlan 71
authentication event fail action next-method
authentication event server dead action authorize vlan 70
authentication event server alive action reinitialize
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
01-30-2019 02:22 AM
Hello,
Since you have both data and voice VLANs, you would typically need to configure 'authentication host-mode multi-domain'.
Can you give that a try ?
01-30-2019 02:35 AM
I tried, but it doesn't work. With the same configuration it was working on the 3750.
01-30-2019 02:54 AM
Logs from the access switch:
102834: Oct 4 10:54:14.545: %DOT1X-5-FAIL: Switch 1 R0/0: smd: Authentication failed for client (38C9.8612.865D) on Interface Gi2/0/11 AuditSessionID 0A0B10AC000000963E1637B8
102835: Oct 4 10:54:14.563: %EPM-6-AAA: Switch 1 R0/0: smd: POLICY xACSACLx-IP-Remediation-ACL-56791a76| EVENT DOWNLOAD_REQUEST
102836: Oct 4 10:54:14.584: AUTH-EVENT: [Gi2/0/11] mac seen: 1 authz count[DATA]: 1 authz count[UNKNOWN]: 0 open access: 1 replace open set: 0 notify all: 1 block notification: 0
102837: Oct 4 10:54:14.585: AUTH-EVENT: [Gi2/0/11] mac seen: 1 authz count[DATA]: 1 authz count[UNKNOWN]: 0 open access: 1 replace open set: 0 notify all: 1 block notification: 0
102838: Oct 4 10:54:14.566: %EPM-6-AAA: Switch 2 R0/0: smd: POLICY xACSACLx-IP-Remediation-ACL-56791a76| EVENT DOWNLOAD-SUCCESS
102839: Oct 4 10:54:28.677: %DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port, message type: DHCPDISCOVER, MAC sa: 0012.5f17.cfe1
102840: Oct 4 10:55:46.481: %DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port, message type: DHCPDISCOVER, MAC sa: 0012.5f17.cfe1
102841: Oct 4 10:56:54.263: AUTH-EVENT: [Gi2/0/11] mac seen: 1 authz count[DATA]: 0 authz count[UNKNOWN]: 0 open access: 1 replace open set: 0 notify all: 1 block notification: 0
102842: Oct 4 10:56:54.264: AUTH-EVENT: [Gi2/0/11] mac seen: 1 authz count[DATA]: 0 authz count[UNKNOWN]: 0 open access: 1 replace open set: 0 notify all: 1 block notification: 0
102843: Oct 4 10:56:54.266: AUTH-EVENT: [Gi2/0/11] mac seen: 0 authz count[DATA]: 0 authz count[UNKNOWN]: 0 open access: 1 replace open set: 0 notify all: 1 block notification: 0
102844: Oct 4 10:56:56.520: %DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port, message type: DHCPDISCOVER, MAC sa: 0012.5f17.cfe1
102845: Oct 4 10:56:56.679: AUTH-EVENT: [Gi2/0/11] mac seen: 1 authz count[DATA]: 0 authz count[UNKNOWN]: 0 open access: 1 replace open set: 0 notify all: 1 block notification: 0
102846: Oct 4 10:58:09.487: %DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port, message type: DHCPDISCOVER, MAC sa: 0012.5f17.cfe1
102847: Oct 4 10:58:21.365: %SESSION_MGR-5-FAIL: Switch 1 R0/0: smd: Authorization failed or unapplied for client (38C9.8612.865D) on Interface GigabitEthernet2/0/11 AuditSessionID 0A0B10AC000000983E1F3475
102848: Oct 4 10:58:21.366: %SESSION_MGR-5-FAIL: Switch 1 R0/0: smd: Authorization failed or unapplied for client (38C9.8612.865D) on Interface GigabitEthernet2/0/11 AuditSessionID 0A0B10AC000000983E1F3475
102849: Oct 4 10:58:21.366: %SESSION_MGR-5-FAIL: Switch 1 R0/0: smd: Authorization failed or unapplied for client (38C9.8612.865D) on Interface GigabitEthernet2/0/11 AuditSessionID 0A0B10AC000000983E1F3475
102850: Oct 4 10:58:21.366: %EPM-6-AAA: Switch 1 R0/0: smd: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-544f05ed| EVENT DOWNLOAD_REQUEST
102851: Oct 4 10:58:21.366: %DOT1X-5-RESULT_OVERRIDE: Switch 1 R0/0: smd: Authentication result overridden for client (38C9.8612.865D) on Interface Gi2/0/11 AuditSessionID 0A0B10AC000000983E1F3475
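The log excerpt above mixes four event streams: dot1x/session-manager failures, dACL (EPM) download events, the `authentication open` overrides, and DHCP snooping drops. As an added example (not from the thread or from Cisco), the script below groups the `%DOT1X`, `%SESSION_MGR` and `%EPM` lines by AuditSessionID and flags sessions that failed but were overridden, which with `authentication open` on the port (as in the configuration posted earlier, and consistent with the `open access: 1` in the AUTH-EVENT lines) means the host still has network access. The `SAMPLE_LOG` lines are a subset copied from the post above; the regular expressions assume the IOS-XE message layout seen there.

```python
"""Triage IOS-XE dot1x / session-manager / EPM / DHCP snooping log lines.
Added example; SAMPLE_LOG is copied from the forum post above."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
102834: Oct 4 10:54:14.545: %DOT1X-5-FAIL: Switch 1 R0/0: smd: Authentication failed for client (38C9.8612.865D) on Interface Gi2/0/11 AuditSessionID 0A0B10AC000000963E1637B8
102835: Oct 4 10:54:14.563: %EPM-6-AAA: Switch 1 R0/0: smd: POLICY xACSACLx-IP-Remediation-ACL-56791a76| EVENT DOWNLOAD_REQUEST
102838: Oct 4 10:54:14.566: %EPM-6-AAA: Switch 2 R0/0: smd: POLICY xACSACLx-IP-Remediation-ACL-56791a76| EVENT DOWNLOAD-SUCCESS
102839: Oct 4 10:54:28.677: %DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port, message type: DHCPDISCOVER, MAC sa: 0012.5f17.cfe1
102847: Oct 4 10:58:21.365: %SESSION_MGR-5-FAIL: Switch 1 R0/0: smd: Authorization failed or unapplied for client (38C9.8612.865D) on Interface GigabitEthernet2/0/11 AuditSessionID 0A0B10AC000000983E1F3475
102850: Oct 4 10:58:21.366: %EPM-6-AAA: Switch 1 R0/0: smd: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-544f05ed| EVENT DOWNLOAD_REQUEST
102851: Oct 4 10:58:21.366: %DOT1X-5-RESULT_OVERRIDE: Switch 1 R0/0: smd: Authentication result overridden for client (38C9.8612.865D) on Interface Gi2/0/11 AuditSessionID 0A0B10AC000000983E1F3475
"""

MNEMONIC = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):")
CLIENT = re.compile(r"client \((?P<mac>[0-9A-Fa-f.]+)\) on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-Fa-f]+)")
POLICY = re.compile(r"POLICY (?P<policy>\S+)\| EVENT (?P<event>\S+)")
DHCP_MAC = re.compile(r"MAC sa: (?P<mac>[0-9A-Fa-f.]+)")


def parse_line(line: str):
    """Return a dict of the fields we care about, or None for non-syslog lines."""
    m = MNEMONIC.search(line)
    if not m:
        return None
    rec = {"facility": m.group("facility"), "mnemonic": m.group("mnemonic")}
    c = CLIENT.search(line)
    if c:
        rec.update(mac=c.group("mac").lower(), intf=c.group("intf"), sid=c.group("sid"))
    p = POLICY.search(line)
    if p:
        rec.update(policy=p.group("policy"), event=p.group("event"))
    d = DHCP_MAC.search(line)
    if rec["facility"] == "DHCP_SNOOPING" and d:
        rec["dhcp_mac"] = d.group("mac").lower()
    return rec


def analyze(text: str) -> dict:
    """Group events per AuditSessionID and produce human-readable findings."""
    sessions = defaultdict(lambda: {"mac": None, "intf": None, "failed": False,
                                    "overridden": False, "events": []})
    dacl, dhcp_drops, findings = {}, defaultdict(int), []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if "sid" in rec:
            s = sessions[rec["sid"]]
            s["mac"], s["intf"] = rec["mac"], rec["intf"]
            s["events"].append(f'{rec["facility"]}-{rec["mnemonic"]}')
            if rec["mnemonic"] == "FAIL":              # DOT1X-5-FAIL or SESSION_MGR-5-FAIL
                s["failed"] = True
            elif rec["mnemonic"] == "RESULT_OVERRIDE":  # open mode kept the port open
                s["overridden"] = True
        elif "policy" in rec:
            dacl[rec["policy"]] = rec["event"]          # keep the last EPM event per dACL
        elif "dhcp_mac" in rec:
            dhcp_drops[rec["dhcp_mac"]] += 1
    for sid, s in sessions.items():
        if s["failed"] and s["overridden"]:
            findings.append(f"{sid} {s['mac']} {s['intf']}: auth/authz failed but result "
                            "overridden; host still has open access")
        elif s["failed"]:
            findings.append(f"{sid} {s['mac']} {s['intf']}: auth/authz failed, no override seen")
    for policy, event in dacl.items():
        if event != "DOWNLOAD-SUCCESS":
            findings.append(f"dACL {policy}: last event {event}, download not confirmed")
    for mac, n in dhcp_drops.items():
        findings.append(f"DHCP snooping dropped {n} relayed DISCOVER(s) from {mac} on an untrusted port")
    return {"sessions": dict(sessions), "dacl": dacl,
            "dhcp_drops": dict(dhcp_drops), "findings": findings}


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG)["findings"]:
        print(f)
```

Run it against a `show logging` capture (the AUTH-EVENT debug lines have no AuditSessionID and are skipped). The "failed but overridden" finding is the one worth alerting on in a monitor-mode deployment, since it is exactly the case where a misconfigured ISE profile leaves a host on the network rather than off it.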
01-30-2019 12:22 PM
Thank you very much for your prompt support. After changing the mentioned attribute it started working.
Cheers
Jhon
02-26-2020 02:24 AM
Hi Munir,
I am facing the same error. It is ACCESS_ACCEPT in the authorization profile, but I am still facing this error and authorization is not happening.
Could you please tell, what could be the reason.
Regards,
Garry
01-30-2019 03:21 AM
Hello,
try and change the authentication order to:
authentication order mab dot1x
04-21-2020 08:03 AM
I'm grateful! Fantastic,
the option on the interface with the command:
authentication priority mab dot1x
solved this problem...
The options of the Auth Profiles in Policy Elements were OK.
Obviously, this action is OK where MAB is mandatory.
Thank you very much!
Regards