dot1x is in Unauthorized state on the switch port

Timur A
Level 1

Hi, I have an issue with configuring dot1x.

Switch version is:

Switch Ports Model                     SW Version            SW Image
------ ----- -----                     ----------            ----------
*    1 52    WS-C2960+48PST-S          15.2(7)E6             C2960-LANLITEK9-M

We have the following configuration on the port:

C2960-1#show run int fa 0/32
Building configuration...

Current configuration : 552 bytes
!
interface FastEthernet0/32
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 6
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication timer inactivity server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 storm-control broadcast level 20.00
 storm-control multicast level 30.00
 storm-control action shutdown
 spanning-tree bpduguard enable
end

Here is the radius configuration:

VTDU-C04-C2960-1#show run | sec radius
aaa group server radius ISE
 server name ISE_Main
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
ip radius source-interface Vlan250
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server vsa send cisco-nas-port
radius server ISE_Main
 address ipv4 x.x.x.x auth-port 1812 acct-port 1813
 key 7 152B312E1779130932

We see the session is in Unauthorized state:

C2960-1#show authentication sessions int fa 0/32 details
            Interface:  FastEthernet0/32
          MAC Address:  001b.4f2c.869d
         IPv6 Address:  Unknown
         IPv4 Address:  Unknown
            User-Name:  00-1B-4F-2C-86-9D
               Status:  Unauthorized
               Domain:  VOICE
       Oper host mode:  multi-domain
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  N/A
       Session Uptime:  478s
    Common Session ID:  0A10FAFA000004360C1BC3EF
      Acct Session ID:  Unknown
               Handle:  0x8F000053
       Current Policy:  POLICY_Fa0/32

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Method status list:
      Method            State
      mab                Authc Success

----------------------------------------
            Interface:  FastEthernet0/32
          MAC Address:  5065.f339.a045
         IPv6 Address:  Unknown
         IPv4 Address:  Unknown
            User-Name:  USERNAME
               Status:  Unauthorized
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  N/A
       Session Uptime:  470s
    Common Session ID:  0A10FAFA000004370C1BE0E7
      Acct Session ID:  Unknown
               Handle:  0xAA000054
       Current Policy:  POLICY_Fa0/32

On debug we see that EAPOL is ignored; could someone tell me what I should check:

Dec 27 11:36:18.430 ALM: dot1x-packet:[5065.f339.a045, Fa0/32] queuing an EAPOL pkt on Auth Q
Dec 27 11:36:18.430 ALM: dot1x-packet:EAPOL pak rx - Ver: 0x1  type: 0x1
Dec 27 11:36:18.430 ALM: dot1x-packet: length: 0x0000
Dec 27 11:36:18.430 ALM: dot1x-ev:[Fa0/32] Dequeued pkt: Int Fa0/32 CODE= 0,TYPE= 0,LEN= 0
Dec 27 11:36:18.430 ALM: dot1x-ev:[Fa0/32] Received pkt saddr =5065.f339.a045 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Dec 27 11:36:18.430 ALM: dot1x-packet:[5065.f339.a045, Fa0/32] Received an EAPOL-Start packet
Dec 27 11:36:18.430 ALM: dot1x-packet:EAPOL pak rx - Ver: 0x1  type: 0x1
Dec 27 11:36:18.430 ALM: dot1x-packet: length: 0x000
Dec 27 11:36:18.430 ALM: dot1x-sm:[5065.f339.a045, Fa0/32] Posting EAPOL_START on Client 0xF200002E
Dec 27 11:36:18.430 ALM:     dot1x_auth Fa0/32: during state auth_authc_result, got event 4(eapolStart) (ignored)
Dec 27 11:36:23.455 ALM: dot1x-packet:[5065.f339.a045, Fa0/32] queuing an EAPOL pkt on Auth Q
Dec 27 11:36:23.455 ALM: dot1x-packet:EAPOL pak rx - Ver: 0x1  type: 0x1
Dec 27 11:36:23.464 ALM: dot1x-packet: length: 0x0000
Dec 27 11:36:23.464 ALM: dot1x-ev:[Fa0/32] Dequeued pkt: Int Fa0/32 CODE= 0,TYPE= 0,LEN= 0
Dec 27 11:36:23.464 ALM: dot1x-ev:[Fa0/32] Received pkt saddr =5065.f339.a045 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Dec 27 11:36:23.464 ALM: dot1x-packet:[5065.f339.a045, Fa0/32] Received an EAPOL-Start packet
Dec 27 11:36:23.464 ALM: dot1x-packet:EAPOL pak rx - Ver: 0x1  type: 0x1
Dec 27 11:36:23.464 ALM: dot1x-packet: length: 0x0000
Dec 27 11:36:23.464 ALM: dot1x-sm:[5065.f339.a045, Fa0/32] Posting EAPOL_START on Client 0xF200002E
Dec 27 11:36:23.464 ALM:     dot1x_auth Fa0/32: during state auth_authc_result, got event 4(eapolStart) (ignored)
Dec 27 11:36:28.463 ALM: dot1x-packet:[5065.f339.a045, Fa0/32] queuing an EAPOL pkt on Auth Q
Dec 27 11:36:28.463 ALM: dot1x-packet:EAPOL pak rx - Ver: 0x1  type: 0x1
Dec 27 11:36:28.463 ALM: dot1x-packet: length: 0x0000
Dec 27 11:36:28.463 ALM: dot1x-ev:[Fa0/32] Dequeued pkt: Int Fa0/32 CODE= 0,TYPE= 0,LEN= 0
Dec 27 11:36:28.463 ALM: dot1x-ev:[Fa0/32] Received pkt saddr =5065.f339.a045 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Dec 27 11:36:28.463 ALM: dot1x-packet:[5065.f339.a045, Fa0/32] Received an EAPOL-Start packet
Dec 27 11:36:28.463 ALM: dot1x-packet:EAPOL pak rx - Ver: 0x1  type: 0x1
Dec 27 11:36:28.463 ALM: dot1x-packet: length: 0x0000
Dec 27 11:36:28.463 ALM: dot1x-sm:[5065.f339.a045, Fa0/32] Posting EAPOL_START on Client 0xF200002E
Dec 27 11:36:28.463 ALM:     dot1x_auth Fa0/32: during state auth_authc_result, got event 4(eapolStart) (ignored)

Authentication passes but authorization does not. On the Cisco ISE we see that the server is sending the right policy to the switch port.
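Added example, not part of the original post: a small Python parser for the "show authentication sessions ... details" output quoted above that flags sessions whose method reached Authc Success while Status is still Unauthorized, i.e. where the authorization step rather than authentication is what fails. The sample text is constructed from the fields shown in the thread; the webauth method name is an assumption.

```python
import re
# Constructed sample modelled on the thread's output: VOICE (MAB) and DATA (dot1x) sessions, both Unauthorized.
SAMPLE = """\
            Interface:  FastEthernet0/32
          MAC Address:  001b.4f2c.869d
               Status:  Unauthorized
               Domain:  VOICE
Method status list:
      Method            State
      mab                Authc Success
----------------------------------------
            Interface:  FastEthernet0/32
          MAC Address:  5065.f339.a045
               Status:  Unauthorized
               Domain:  DATA
      dot1x              Authc Success
"""
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 -]*?):\s+(\S.*?)\s*$")  # "Status:  Unauthorized"
METHOD_RE = re.compile(r"^\s+(mab|dot1x|webauth)\s+(\S.*?)\s*$")     # "mab  Authc Success"; webauth assumed
def parse_sessions(text: str) -> list:
    sessions, current = [], None        # each session: {"fields": {...}, "methods": {...}}
    for line in text.splitlines():
        if line.startswith("----"):     # separator between sessions
            current = None
            continue
        kv = KV_RE.match(line)
        if kv:
            key, value = kv.groups()
            if key == "Interface":      # first field of every session
                current = {"fields": {}, "methods": {}}
                sessions.append(current)
            if current is not None:
                current["fields"][key] = value
            continue
        m = METHOD_RE.match(line)
        if m and current is not None:
            current["methods"][m.group(1)] = m.group(2)
    return sessions
def verdict(session: dict) -> str:
    # "ok", "authc-failed", "pending", or "authz-failed" (authenticated, yet Unauthorized)
    if session["fields"].get("Status") == "Authorized":
        return "ok"
    states = session["methods"].values()
    if any(s.startswith("Authc Success") for s in states):
        # Authentication passed, so the hold is in authorization: check what RADIUS returned (VLAN, dACL, template).
        return "authz-failed"
    if any(s.startswith("Authc Failed") for s in states):
        return "authc-failed"
    return "pending"
```

Running verdict() over parse_sessions(SAMPLE) gives "authz-failed" for both the VOICE and the DATA session, which matches the symptom described in the post.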

2 Replies

pieterh
VIP

>>>On the Cisco ISE we see that server is sending right policy to the switch port. <<<
-> What do you mean by this statement?
I believe a policy is not sent to the switch, but executed by ISE, and then an ACL is sent to the switch.

My guess is the ACL sent to the switch is faulty (wrong syntax or not compatible).

authentication order mab dot1x
authentication priority dot1x mab <<<- just try changing the priority setting: put dot1x first
