Dot1x Issue

Networker0
Level 1

Hello Team,

 

We are configuring dot1x on ASR1001-x, the configuration is detailed below:

 

Router(config)# dot1x system-auth-control
Router(config)# aaa new-model
Router(config)# aaa authentication dot1x default group radius

Router(config)# interface GigabitEthernet0/0/2
Router(config-if)# dot1x pae authenticator
Router(config-if)# authentication port-control auto

Even after enabling 802.1x on the port, the ASR1001-x is not detecting the 802.1x client.

 

Any idea?

2 Replies

balaji.bandi
Hall of Fame

What is the version of the IOS XE? Do you have the RADIUS server group configured? Enable debug and check (post the debug logs).

 

Look at the example:

 

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/macsec/configuration/xe-16-6/macsec-xe-16-6-book/macsec-xe-16-6-book_chapter_010.html#id_32878

BB


hemmerling
Level 1

Set up the server group like this:

radius server RADIUS_SERVER1
 address ipv4 192.168.1.123 auth-port 1812 acct-port 1813
 key 0 myspecialpassword

Might also want to include these on your interface as well:

 authentication event fail action next-method
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication violation restrict
 mab

So a complete version would be:

dot1x system-auth-control
aaa new-model
aaa authentication dot1x default group radius

radius server RADIUS_SERVER1
 address ipv4 192.168.1.123 auth-port 1812 acct-port 1813
 key 0 myspecialpassword

interface GigabitEthernet0/0/2
 dot1x pae authenticator
 authentication port-control auto
 authentication event fail action next-method
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication violation restrict
 mab

assuming you will eventually want to add MAB and phones to the mix.

 

 

EDIT:

Unless it might be the bizarre "password encryption aes + type 6 RADIUS passwords + FIPS" bug I noticed 18 months ago, where, if you have all those elements together, RADIUS is just ignored. The weirdest part is that you can have all of it on and with type 7 passwords, but if you remove the server group and add it back, they turn into type 6 and then stop working; only turning FIPS off will make them work again as type 6 passwords.
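
As an added example that is not part of the thread or of any Cisco tooling: a small Python check that audits an IOS XE style configuration for the 802.1X pieces discussed above (global commands, port commands, a defined RADIUS server) and flags a RADIUS shared secret stored in cleartext. The sample configurations are constructed from the posts; the function names and the rule that only a `key 6` or `key 7` prefix counts as a non-cleartext secret are assumptions of this sketch.

```python
# Constructed samples: the question's config, then the same plus the reply's server block.
QUESTION_CONFIG = """\
dot1x system-auth-control
aaa new-model
aaa authentication dot1x default group radius
interface GigabitEthernet0/0/2
 dot1x pae authenticator
 authentication port-control auto
"""
REPLY_CONFIG = QUESTION_CONFIG + """\
radius server RADIUS_SERVER1
 address ipv4 192.168.1.123 auth-port 1812 acct-port 1813
 key 0 myspecialpassword
"""
GLOBAL = ("dot1x system-auth-control", "aaa new-model",
          "aaa authentication dot1x default group radius")
PORT = ("dot1x pae authenticator", "authentication port-control auto")

def parse_sections(text):
    """Map each top-level config line to its indented child lines."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and '!' separators
        if not line[0].isspace():
            current = line.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def audit_dot1x(text, interface):
    """Return findings for the 802.1X pieces discussed in the thread."""
    sections = parse_sections(text)
    findings = [f"missing global command: {c}" for c in GLOBAL if c not in sections]
    port = sections.get(f"interface {interface}", [])
    findings += [f"{interface}: missing {c}" for c in PORT if c not in port]
    servers = {k: v for k, v in sections.items() if k.startswith("radius server ")}
    if not servers:
        findings.append("no radius server defined for 'group radius'")
    for name, body in servers.items():
        if not any(l.startswith("address ipv4 ") for l in body):
            findings.append(f"{name}: no address configured")
        key = next((l for l in body if l.startswith("key ")), None)
        if key is None:
            findings.append(f"{name}: no shared secret configured")
        elif key.split()[1] not in ("6", "7"):  # assumption: 6/7 mark a non-cleartext key
            findings.append(f"{name}: shared secret in cleartext")
    return findings
```

Run against the question's configuration it reports only the missing server definition; against the reply's version it reports only the cleartext `key 0` secret.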

 

 
