Help with dot1x authentication on access ports.

Hello,

I am trying to configure dot1x authentication for all access ports on our access switches. We currently have dot1x set up for our WLAN with WPA-Enterprise, which uses certificates on the Windows machines to authenticate against a Cisco ISE server. That works and has been working for a long time. Now I'm trying to have the same thing, but for our physical access ports.

 

I set up an extra switch we had lying around as a test switch and configured RADIUS login authentication with the same ISE server, and I can log in with my normal credentials into this test switch. So I know it can reach our RADIUS (ISE) server. However, I cannot get dot1x to work as expected. No matter what I plug into the configured port, it just connects; no authentication, no dropped packets, nothing, it just works as if the port were configured normally. Below are the important parts of the config and some show commands (with some info redacted, such as an IP address or company names):

aaa new-model
!
!
aaa group server radius RADIUS
server name (ISE_server_name)
!
aaa authentication login default group radius local
aaa authentication enable default none
aaa authentication dot1x default group radius
aaa authorization network default group radius if-authenticated 
aaa authorization auth-proxy default group radius 
aaa accounting identity default start-stop group radius
dot1x system-auth-control
dot1x logging verbose
interface GigabitEthernet1/0/3
 switchport access vlan 222
 switchport mode access
 switchport voice vlan 228
 access-session port-control auto
 dot1x pae authenticator
 spanning-tree portfast edge
 spanning-tree bpduguard enable
radius server (ISE_server_name)
 address ipv4 (ISE_ip_address) auth-port 1812 acct-port 1813
 key 7 (radius_secret)

Here are some show commands:

TEST_SWITCH#sh dot1x
Sysauthcontrol              Enabled
Dot1x Protocol Version            3
TEST_SWITCH#sh dot1x int g1/0/3 details 

Dot1x Info for GigabitEthernet1/0/3
-----------------------------------
PAE                       = AUTHENTICATOR
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30

Dot1x Authenticator Client List Empty
TEST_SWITCH#sh dot1x statistics 
Dot1x Global Statistics for
--------------------------------------------
RxStart = 0     RxLogoff = 0    RxResp = 0      RxRespID = 0
RxReq = 0       RxInvalid = 0   RxLenErr = 0
RxTotal = 0

TxStart = 0     TxLogoff = 0    TxResp = 0
TxReq = 0       ReTxReq = 0     ReTxReqFail = 0
TxReqID = 0     ReTxReqID = 0   ReTxReqIDFail = 0
TxTotal = 0

It seems nothing at all is happening on this port for authentication, because the client list stays empty and the stats never increment. I also see nothing in the ISE from this device except for my VTY logins. But I can see every wireless user going through the policies and all that. I have looked up every tutorial and explanation of dot1x thinking that I have forgotten something, but everything has the same basic config that I have here. Can anyone help? We have Cisco 2960X's for our access switches, and the test switch is also a 2960X. Let me know if I need to provide anything else to help troubleshoot this issue. Thanks in advance!


14 Replies

Jaderson Pessoa (VIP Alumni)

@JacobDerington1018 hello,

Is the RADIUS group name right?

aaa group server radius RADIUS

aaa authentication dot1x default group radius

Try using the same name, in uppercase, in the AAA configuration lines.

Jaderson Pessoa
*** Rate All Helpful Responses ***

It's actually not named that. I changed it to RADIUS because it has our company name in it. But as I understand it, with "aaa authentication dot1x default group radius" it uses all configured RADIUS servers. To be sure and rule anything out, I changed it to "aaa authentication dot1x default group (company_radius_group)" and the behavior didn't change.

You mention the config on the switchport, did you also enable Dot1x on the LAN adapter of the client?

(wireless and wired are configured separately on the client)

I didn't even think to do that. I had to look up how, because I've never had to do that before. Anyway, it wasn't configured for wired LAN, just wireless. I set it to automatic (on my computer) and the switch had the same behavior: immediate network access, no dot1x clients or stats, nothing in the ISE live log. And even if this did work, I still don't want someone that doesn't have this configured to have access. I want the switch to block access to everyone but clients that can authenticate. So it should have been blocking me the entire time.

First, did you shut/no shut the interface after making changes?

Yes, I agree unknown clients should not have access.

You can start by configuring an access VLAN that is isolated (quarantine VLAN) to accomplish this.

The correct VLAN can be assigned by ISE when authenticated.

But you still need to activate the wired dot1x supplicant on the clients that you DO want to authenticate.

We can go through all the switch and ISE config manually, but I would suggest going to Cisco ISE and starting the assessment tool on this switch. This will give you lots of commands present/needed/advised on both global and port level, and you can match this with the config present on the switch.

ISE has a tool internally, but there are also external tools.

Dot1x readiness assessment tool

I didn't know the ISE had such a thing, and I really liked the idea of it. So I gave that a try and it did exactly what you said: checked everything and told me what I had and didn't have. And what I don't have is a lot. The only problem is that some of what the ISE says I should add doesn't work on the switch. It gives me a "command deprecated" message and tells me to use something else. That isn't a problem for some of them, I just have to change a word or so. But there is a set of commands that I am not really sure what to do with. All the interface commands that start with "authentication" are either replaced with "access-session" (which is fine), or say:

Command deprecated (insert_failed_command_here) - use cpl config

I looked this up and it seems to be a completely different way of configuring this. I found a post about these Control Policy configs saying it might be best to downgrade the switch until "all the bugs are worked out". Anyway, it seems this is the answer I needed: it listed a lot of things that I didn't have, and now the issue is just something different. I assume that if I had the correct IOS version then it would have worked perfectly. Thanks for the help, I'll mark your reply as the answer for someone else with a similar issue, because it's probably the best way to find out what you did wrong without needing to bother other people.

Thank you for the points.

Please specify the IOS version and ISE version.

Maybe we need to search for a compatibility matrix?

To check that you do not need to either upgrade ISE or downgrade IOS for things to work.

Maybe you will find some helpful hints to convert the commands in this document, Table 1-2.

IOS version: 15.2(4)E7

ISE version: 2.0.0.306

ISE seems a bit old, but it was supported by the assessment tool.

I found this link which explains how to configure CPL, but it was a little overwhelming to look through. It seems like there are a lot more commands and things to configure to get them to work. I figured I would spend some time reading up on it and try to understand what all these commands do exactly, so I don't just blindly try different things until it works. It's kind of annoying though; everything I have learned about this so far has been the old way, and now it seems I have to throw most of that out the window. I guess I could downgrade the switch, but this is just my test switch and I don't want to have to do that for all our access switches, especially if the config will be going this way eventually anyway. It would be better to upgrade the ISE to help me get the commands right, and that way everything is up to date.

Hello,

looking at the configuration of your switchport, I think you need to add 'authentication port-control auto'. Below is a sample config:

interface GigabitEthernet1/0/3
 switchport access vlan 222
 switchport mode access
 switchport voice vlan 228
 authentication port-control auto
 mab
 dot1x timeout quiet-period 5
 dot1x timeout server-timeout 10
 dot1x timeout tx-period 5
 dot1x max-reauth-req 1
 access-session port-control auto
 dot1x pae authenticator
 spanning-tree portfast edge
 spanning-tree bpduguard enable

I tried that before and this is what it says:

TEST_SWITCH(config-if)#authentication port-control auto
%Command deprecated (authentication port-control auto) - use access-session instead

and as you can see I have access-session port-control auto there. Not sure how I would have both at the same time like in your example.

Hello,

sorry for the misunderstanding, you can indeed not use both. The idea was to test whether it works with the older command (provided the switch lets you configure it)...

Either way, out of curiosity, since you have marked a solution... what was it?

No problem, I am thankful for your help either way! I was ready to pull my hair out over this issue.

The solution isn't very satisfying. Above, pieterh suggested using the ISE tool to evaluate the config and said that it would tell me what I was missing. That was very correct. However, the ISE is telling me that I need to run commands that the switch won't let me use because they are deprecated (just like your suggestion). I'm also missing the new set of commands, but Cisco seems to have completely changed how port access authentication is configured, using Control Policies. So I felt that is the answer and it would have helped a lot, but it seems the ISE needs to be updated, and then it might tell me the correct commands to run. So I marked it answered because my problem now is learning how to configure this cpl config that the switch is demanding of me.

Hi, did someone find a real solution to this case? I've got the same problem. The switch receives authentication attempts from the supplicant, but does not try to relay the authentication to RADIUS. We cannot roll back the version and we must correct this problem.

The best way to solve an issue is to have the right analytical approach

The real solution was that there was config missing on the switch. If you are using Cisco ISE then you can do what's in the accepted solution to get help from the ISE on what commands you need. In my case the ISE was old and was suggesting older commands that I couldn't do on newer switches. So I just had to do a little research on the Cisco docs to find the newer version of that config.
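To make the thread's conclusion concrete, here is an added example (not code from the thread, from Cisco, or from ISE) of the kind of check the readiness assessment performs: it parses running-config text, audits the global and per-port lines a new-style (IBNS 2.0 / "cpl") dot1x port needs, and maps the deprecated `authentication ...` interface commands from the ISE output to their replacements. The required-command lists and the deprecated-command map are this example's own approximations, and the example assumes `access-session closed` is required on the port because new-style ports stay in open mode until it is set; that is an assumption made here, not a conclusion the thread states. The sample config is the one posted in the original question, with the same redacted placeholders.

```python
"""Minimal new-style (IBNS 2.0 / 'cpl') dot1x readiness check for IOS running-config text."""

# Constructed sample: the relevant parts of the config posted in the thread,
# with the same redacted placeholders the poster used.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius RADIUS
 server name (ISE_server_name)
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization network default group radius if-authenticated
aaa accounting identity default start-stop group radius
dot1x system-auth-control
interface GigabitEthernet1/0/3
 switchport access vlan 222
 switchport mode access
 switchport voice vlan 228
 access-session port-control auto
 dot1x pae authenticator
 spanning-tree portfast edge
 spanning-tree bpduguard enable
radius server (ISE_server_name)
 address ipv4 (ISE_ip_address) auth-port 1812 acct-port 1813
 key 7 (radius_secret)
"""

# Command prefixes this check expects. These lists are this example's own
# approximation of what a readiness tool asks for on a new-style switch.
GLOBAL_REQUIRED = [
    "aaa new-model",
    "aaa authentication dot1x default group",
    "aaa authorization network default group",
    "aaa accounting identity default start-stop group",
    "dot1x system-auth-control",
    "policy-map type control subscriber",      # CPL policy replacing 'authentication order/priority/event'
]
INTERFACE_REQUIRED = [
    "switchport mode access",
    "access-session port-control auto",
    "access-session closed",                   # assumption: new-style ports stay open until this is set
    "dot1x pae authenticator",
    "service-policy type control subscriber",  # binds the CPL policy to the port
]

# Deprecated old-style interface commands and their new-style replacements.
# The first entry is exactly what the switch itself advised in the thread.
DEPRECATED = {
    "authentication port-control": "access-session port-control",
    "authentication host-mode": "access-session host-mode",
    "authentication control-direction": "access-session control-direction",
    "authentication order": "policy-map type control subscriber (cpl)",
    "authentication priority": "policy-map type control subscriber (cpl)",
    "authentication event": "policy-map type control subscriber (cpl)",
}


def translate_deprecated(line):
    """Return the new-style equivalent of an old-style line, or None if it is not deprecated."""
    line = line.strip()
    for old, new in DEPRECATED.items():
        if line.startswith(old):
            if new.endswith("(cpl)"):
                return new                   # moved into a control policy, no 1:1 line
            return new + line[len(old):]     # same arguments, new keyword
    return None


def parse_config(text):
    """Split config text into top-level lines and per-interface line lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith(" ") and current is not None:
            interfaces[current].append(line)  # indented line under an interface
            continue
        current = None
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        else:
            global_lines.append(line)
    return global_lines, interfaces


def audit(config_text):
    """Report missing global lines and, per dot1x-intended port, missing interface lines."""
    global_lines, interfaces = parse_config(config_text)
    present = lambda req, lines: any(l.startswith(req) for l in lines)
    report = {"global_missing": [r for r in GLOBAL_REQUIRED if not present(r, global_lines)],
              "interfaces": {}}
    for name, lines in interfaces.items():
        # Only audit ports on which someone has started configuring port authentication.
        if not any(l.startswith(("access-session", "dot1x", "authentication")) for l in lines):
            continue
        report["interfaces"][name] = [r for r in INTERFACE_REQUIRED if not present(r, lines)]
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    print("Missing globally:", result["global_missing"])
    for port, missing in result["interfaces"].items():
        print(f"Missing on {port}:", missing)
```

Run against the posted config, the audit flags the two pieces the thread ends up pointing at: no `policy-map type control subscriber` globally and no `service-policy type control subscriber` on the port (plus `access-session closed`, under this example's assumption). Feeding the deprecated lines from the ISE output through `translate_deprecated` gives the same advice the switch prints, so the check can be extended with whatever additional lines a newer ISE suggests.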
