10-15-2021 01:42 PM - edited 10-16-2021 04:18 AM
Hello Team,
We are configuring dot1x on ASR1001-x, the configuration is detailed below:
Router(config)# dot1x system-auth-control
Router(config)# aaa new-model
Router(config)# aaa authentication dot1x default group radius
Router(config)# interface GigabitEthernet0/0/2
Router(config-if)# dot1x pae authenticator
Router(config-if)# authentication port-control auto
Even after enabling 802.1x on the port, the ASR1001-x is not detecting the 802.1x client.
Any idea?
10-15-2021 01:53 PM
What is the version of the IOS XE? Do you have the RADIUS server group configured? Enable debug and check (post the debug logs).
Look at the example:
10-19-2021 07:07 AM - edited 10-19-2021 07:22 AM
Set up the server group like this:
radius server RADIUS_SERVER1
 address ipv4 192.168.1.123 auth-port 1812 acct-port 1813
 key 0 myspecialpassword
Might also want to include these on your interface as well:
 authentication event fail action next-method
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication violation restrict
 mab
So a complete version would be:
dot1x system-auth-control
aaa new-model
aaa authentication dot1x default group radius
radius server RADIUS_SERVER1
 address ipv4 192.168.1.123 auth-port 1812 acct-port 1813
 key 0 myspecialpassword
interface GigabitEthernet0/0/2
 dot1x pae authenticator
 authentication port-control auto
 authentication event fail action next-method
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
assuming you will eventually want to add MAB and phones to the mix.
EDIT:
Unless it might be the bizarre "password encryption aes + type 6 RADIUS passwords + FIPS" bug I noticed 18 months ago, where, if you have all those elements together, RADIUS is just ignored. Weirdest part is that you can have all of it on and with type 7 passwords, but if you remove the server group and add it back, they turn into type 6 and then stop working; only turning FIPS off will make them work again as type 6 passwords.
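Added example, not part of any post in this thread: a small Python check that reads an IOS-style configuration and reports which of the 802.1X elements discussed above are absent for a given port, plus any RADIUS key entered as type 0. The function names `parse_sections` and `audit_dot1x` are hypothetical, the sample configs are constructed from the commands in the posts, and only the `radius server` block style shown in the thread is recognized.

```python
# Constructed sample: the commands from the original post (no RADIUS server block).
ORIGINAL_POST = """\
dot1x system-auth-control
aaa new-model
aaa authentication dot1x default group radius
interface GigabitEthernet0/0/2
 dot1x pae authenticator
 authentication port-control auto
"""
# Constructed sample: the same commands plus the server block from the reply.
WITH_SERVER = ORIGINAL_POST + """\
radius server RADIUS_SERVER1
 address ipv4 192.168.1.123 auth-port 1812 acct-port 1813
 key 0 myspecialpassword
"""
GLOBAL_REQUIRED = ("dot1x system-auth-control", "aaa new-model", "aaa authentication dot1x")
PORT_REQUIRED = ("dot1x pae authenticator", "authentication port-control auto")

def parse_sections(config):
    """Return (top-level lines, {top-level line: [indented sub-commands]})."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if raw.strip() in ("", "!"):
            continue  # skip blank lines and IOS "!" separators
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections

def audit_dot1x(config, interface):
    """List the 802.1X elements missing for one interface (empty list = none)."""
    top, sections = parse_sections(config)
    findings = [f"missing global: {c}" for c in GLOBAL_REQUIRED
                if not any(t.startswith(c) for t in top)]
    port = sections.get(f"interface {interface}")
    if port is None:
        findings.append(f"interface {interface} not found")
    else:
        findings += [f"missing on port: {c}" for c in PORT_REQUIRED if c not in port]
    servers = {h: s for h, s in sections.items() if h.startswith("radius server ")}
    if not any(l.startswith("address ipv4 ") for s in servers.values() for l in s):
        findings.append("no radius server block with an address")
    for header, sub in servers.items():
        if any(l.startswith("key 0 ") for l in sub):
            findings.append(f"{header}: key is type 0 (cleartext)")
    return findings
```

Run `audit_dot1x` against the output of `show running-config` saved to a file; an empty list means every element checked here is present, not that authentication will succeed.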