02-07-2018 04:49 AM - edited 03-08-2019 01:44 PM
Hi all
I'm trying to get Dot1x (802.1X wired) working on a test switch.
Configuration wise, I've followed this guide: https://networkjutsu.com/implementing-wired-8021x/
Info about my switch:
Switch Ports Model            SW Version  SW Image
------ ----- -----            ----------  ----------
*    1 12    WS-C2960CX-8PC-L 15.2(6)E    C2960CX-UNIVERSALK9-M
It's using the lanbase image.
I've configured a LAN port for testing:
sh ru int g0/4
Building configuration...

Current configuration : 203 bytes
!
interface GigabitEthernet0/4
 switchport access vlan 204
 switchport mode access
 authentication port-control auto
 dot1x timeout tx-period 10
 dot1x max-reauth-req 1
 spanning-tree portfast edge
end
For testing I'm using a Windows 10 client, which has the service Wired AutoConfig enabled and set to Automatic.
The configured RADIUS server is an ISE 2.3 Patch 2, where I made a very basic configuration.
Now to the weird part: if I plug the client into this port, the switch doesn't send anything to the RADIUS server.
Here is a debug:
2908cx-1011-2#debug dot1x al
All Dot1x debugging is on
2908cx-1011-2#
Feb 7 13:41:41: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/4, changed state to down
Feb 7 13:41:42: %LINK-3-UPDOWN: Interface GigabitEthernet0/4, changed state to down
Feb 7 13:41:47.832: dot1x-packet:[c47d.4618.3fcb, Gi0/4] queuing an EAPOL pkt on Auth Q
Feb 7 13:41:47.832: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x1
Feb 7 13:41:47.832: dot1x-packet: length: 0x0000
Feb 7 13:41:47.832: dot1x-ev:[Gi0/4] Dequeued pkt: Int Gi0/4 CODE= 0,TYPE= 0,LEN= 0
Feb 7 13:41:47.832: dot1x-ev:[Gi0/4] Received pkt saddr =c47d.4618.3fcb , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Feb 7 13:41:47.832: dot1x-ev:[Gi0/4] Couldn't find the supplicant in the list
Feb 7 13:41:47.832: dot1x-ev:[c47d.4618.3fcb, Gi0/4] New client detected, sending session start event for c47d.4618.3fcb
Feb 7 13:41:49: %LINK-3-UPDOWN: Interface GigabitEthernet0/4, changed state to up
Feb 7 13:41:50: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/4, changed state to up
Feb 7 13:41:52.834: dot1x-packet:[c47d.4618.3fcb, Gi0/4] queuing an EAPOL pkt on Auth Q
Feb 7 13:41:52.834: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x1
Feb 7 13:41:52.834: dot1x-packet: length: 0x0000
Feb 7 13:41:52.834: dot1x-ev:[Gi0/4] Dequeued pkt: Int Gi0/4 CODE= 0,TYPE= 0,LEN= 0
Feb 7 13:41:52.834: dot1x-ev:[Gi0/4] Received pkt saddr =c47d.4618.3fcb , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Feb 7 13:41:52.834: dot1x-ev:[Gi0/4] Couldn't find the supplicant in the list
Feb 7 13:41:52.834: dot1x-ev:[c47d.4618.3fcb, Gi0/4] New client detected, sending session start event for c47d.4618.3fcb
Feb 7 13:41:57.836: dot1x-packet:[c47d.4618.3fcb, Gi0/4] queuing an EAPOL pkt on Auth Q
Feb 7 13:41:57.836: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x1
Feb 7 13:41:57.836: dot1x-packet: length: 0x0000
Feb 7 13:41:57.836: dot1x-ev:[Gi0/4] Dequeued pkt: Int Gi0/4 CODE= 0,TYPE= 0,LEN= 0
Feb 7 13:41:57.836: dot1x-ev:[Gi0/4] Received pkt saddr =c47d.4618.3fcb , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Feb 7 13:41:57.836: dot1x-ev:[Gi0/4] Couldn't find the supplicant in the list
Feb 7 13:41:57.836: dot1x-ev:[c47d.4618.3fcb, Gi0/4] New client detected, sending session start event for c47d.4618.3fcb
2908cx-1011-2#
I've even run a packet capture on the ISE (default settings) and there are no RADIUS packets in the capture.
But now to the really weird part: as soon as I add the 'mab' command to the port, the switch communicates with the RADIUS server and tries to do MAB for the client?!?
This is the only time I actually see something on the ISE in its RADIUS Live Log.
2908cx-1011-2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
2908cx-1011-2(config)#int g0/4
2908cx-1011-2(config-if)#mab
2908cx-1011-2(config-if)#end
2908cx-1011-2#
Feb 7 13:44:04.126: dot1x-packet:[c47d.4618.3fcb, Gi0/4] queuing an EAPOL pkt on Auth Q
Feb 7 13:44:04.126: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x1
Feb 7 13:44:04.126: dot1x-packet: length: 0x0000
Feb 7 13:44:04.126: dot1x-ev:[Gi0/4] Dequeued pkt: Int Gi0/4 CODE= 0,TYPE= 0,LEN= 0
Feb 7 13:44:04.126: dot1x-ev:[Gi0/4] Received pkt saddr =c47d.4618.3fcb , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Feb 7 13:44:04.126: dot1x-ev:[Gi0/4] Couldn't find the supplicant in the list
Feb 7 13:44:04.126: dot1x-ev:[c47d.4618.3fcb, Gi0/4] New client detected, sending session start event for c47d.4618.3fcb
Feb 7 13:44:04: %MAB-5-FAIL: Authentication failed for client (c47d.4618.3fcb) on Interface Gi0/4 AuditSessionID C0A800FC00007D624BE7D06B
Feb 7 13:44:05: %LINK-3-UPDOWN: Interface GigabitEthernet0/4, changed state to up
Feb 7 13:44:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/4, changed state to up
Feb 7 13:44:09.121: dot1x-packet:[c47d.4618.3fcb, Gi0/4] queuing an EAPOL pkt on Auth Q
Feb 7 13:44:09.121: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x1
Feb 7 13:44:09.121: dot1x-packet: length: 0x0000
Feb 7 13:44:09.121: dot1x-ev:[Gi0/4] Dequeued pkt: Int Gi0/4 CODE= 0,TYPE= 0,LEN= 0
Feb 7 13:44:09.121: dot1x-ev:[Gi0/4] Received pkt saddr =c47d.4618.3fcb , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Feb 7 13:44:09.121: dot1x-ev:[Gi0/4] Couldn't find the supplicant in the list
Feb 7 13:44:09.121: dot1x-ev:[c47d.4618.3fcb, Gi0/4] New client detected, sending session start event for c47d.4618.3fcb
Feb 7 13:44:14.134: dot1x-packet:[c47d.4618.3fcb, Gi0/4] queuing an EAPOL pkt on Auth Q
Feb 7 13:44:14.134: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x1
Feb 7 13:44:14.134: dot1x-packet: length: 0x0000
Feb 7 13:44:14.134: dot1x-ev:[Gi0/4] Dequeued pkt: Int Gi0/4 CODE= 0,TYPE= 0,LEN= 0
Feb 7 13:44:14.134: dot1x-ev:[Gi0/4] Received pkt saddr =c47d.4618.3fcb , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Feb 7 13:44:14.134: dot1x-ev:[Gi0/4] Couldn't find the supplicant in the list
Feb 7 13:44:14.134: dot1x-ev:[c47d.4618.3fcb, Gi0/4] New client detected, sending session start event for c47d.4618.3fcb
2908cx-1011-2#
Once I remove the 'mab' command, the ISE no longer gets anything from the switch.
Here is the AAA config:
2908cx-1011-2#sh run | inc aaa
aaa new-model
aaa group server radius RAD
aaa group server radius ISE
aaa authentication login RAD group radius local
aaa authentication enable default group radius enable
aaa authentication dot1x default group ISE
aaa authorization console
aaa authorization exec default group radius group radius local
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
aaa accounting exec default start-stop group radius
aaa server radius dynamic-author
aaa session-id common
2908cx-1011-2#sh run | inc dot
aaa authentication dot1x default group ISE
aaa accounting dot1x default start-stop group ISE
dot1x system-auth-control
Any idea where I have to start?
Sadly, all the ISE documentation videos are for 2.2 or older, and 2.3 looks very different. But as I don't get any RADIUS packets on the ISE (unless MAB is enabled on the port), I'm not even sure whether I need to look on the ISE or on the switch.
The client itself logs an 802.1X failure with the reason:
The network does not support authentication and 802.1X is enforced in the profile.
Thanks for any hints.
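As an added example (not part of the post above), this script decodes the `pae-ether-type` field the debug printed into its EAPOL header fields, tallies what each supplicant MAC sent and how often the switch restarted a session, and checks the quoted interface configuration against the two port-level commands Cisco's IOS 15.2(x)E 802.1X configuration guide lists for the authenticator role (`authentication port-control auto` and `dot1x pae authenticator`). The debug and config lines are copied from the post.

```python
# Added example (not from the original post): decode the EAPOL header shown by
# 'debug dot1x all' and check the quoted port config for authenticator commands.
import re

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

# Debug lines copied from the post (two of the repeated 5-second cycles).
DEBUG = """Feb 7 13:41:47.832: dot1x-ev:[Gi0/4] Received pkt saddr =c47d.4618.3fcb , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Feb 7 13:41:47.832: dot1x-ev:[c47d.4618.3fcb, Gi0/4] New client detected, sending session start event for c47d.4618.3fcb
Feb 7 13:41:52.834: dot1x-ev:[Gi0/4] Received pkt saddr =c47d.4618.3fcb , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Feb 7 13:41:52.834: dot1x-ev:[c47d.4618.3fcb, Gi0/4] New client detected, sending session start event for c47d.4618.3fcb"""

# Interface config copied from the post's 'sh run int g0/4'.
PORT_CONFIG = """interface GigabitEthernet0/4
 switchport access vlan 204
 switchport mode access
 authentication port-control auto
 dot1x timeout tx-period 10
 dot1x max-reauth-req 1
 spanning-tree portfast edge"""

# Port-level commands the IOS 15.2(x)E 802.1X configuration guide lists for the authenticator role.
REQUIRED_PORT = ["authentication port-control auto", "dot1x pae authenticator"]


def decode_pae_header(field):
    """Cisco dotted hex '888e.0101.0000' = EtherType, EAPOL version, EAPOL type, body length."""
    raw = bytes.fromhex(field.replace(".", ""))
    return {"ethertype": int.from_bytes(raw[0:2], "big"),  # 0x888e is EAPOL
            "version": raw[2],
            "type": EAPOL_TYPES.get(raw[3], "unknown(%d)" % raw[3]),
            "length": int.from_bytes(raw[4:6], "big")}


def summarize_debug(text):
    """Per supplicant MAC: EAPOL types received and how often the switch restarted a session."""
    clients = {}
    for line in text.splitlines():
        rx = re.search(r"saddr =(\S+) .*pae-ether-type = (\S+)", line)
        if rx:
            c = clients.setdefault(rx.group(1), {"types": [], "session_starts": 0})
            c["types"].append(decode_pae_header(rx.group(2))["type"])
        new = re.search(r"New client detected.*for (\S+)", line)
        if new:
            clients.setdefault(new.group(1), {"types": [], "session_starts": 0})["session_starts"] += 1
    return clients


def missing_port_commands(config):
    """Required authenticator commands that the interface configuration lacks."""
    present = {line.strip() for line in config.splitlines()}
    return [cmd for cmd in REQUIRED_PORT if cmd not in present]
```

A supplicant that only ever sends EAPOL-Start while the switch keeps logging a new session, with no EAP-Request/Identity and no RADIUS traffic, points at the authenticator side rather than at ISE, which is what the missing-command check is for.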