10-31-2022 03:28 AM
Hi Team,
I have configured NAC in my network with no luck. We are using PacketFence (open source) as the NAC server, and below is the configuration from the Cisco switch, model: WS-C2960S-48FPS-L, software version: 12.2(55)SE5.
Switch Configuration:
dot1x system-auth-control
aaa group server radius GR_PACKETFENCE
 server 10.0.1.119 auth-port 1812 acct-port 1813
aaa authentication dot1x default group GR_PACKETFENCE
aaa authorization network default group GR_PACKETFENCE
radius-server vsa send authentication
radius-server host 10.0.1.119 auth-port 1812 acct-port 1813 key 7 052550210C4D6D220102451C261C0576530
Interface configuration:
switchport mode access
switchport voice vlan 10
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 10800
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast
Error:
show authentication session interface Gi1/0/15
Interface: GigabitEthernet1/0/15
MAC Address: a029.196d.0111
IP Address: Unknown
User-Name: host/BGL4L7GDN3.actuant.pri
Status: Authz Failed
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0AC133FE00000A208AD3A5D8
Acct Session ID: 0x00000DCD
Handle: 0xBC000A20
Runnable methods list:
Method State
dot1x AUTHC Failed
MAB Failed over
sh dot1x all summary
Interface PAE Client Status
--------------------------------------------------------
Gi1/0/15 AUTH a029.196d.0111 UNAUTHORIZED
Debug from the Cisco Switch:
Oct 31 07:26:36: @@@ dot1x_auth_bend Gi1/0/15: auth_bend_fail -> auth_bend_idle
Oct 31 07:26:36: dot1x-sm(Gi1/0/15): 0xBB000A4C:auth_bend_idle_enter called
Oct 31 07:26:36: dot1x-sm(Gi1/0/15): Posting AUTH_FAIL on Client 0xBB000A4C
Oct 31 07:26:36: dot1x_auth Gi1/0/15: during state auth_authenticating, got event 15(authFail)
Oct 31 07:26:36: @@@ dot1x_auth Gi1/0/15: auth_authenticating -> auth_authc_result
Oct 31 07:26:36: dot1x-sm(Gi1/0/15): 0xBB000A4C:auth_authenticating_exit called
Oct 31 07:26:36: dot1x-sm(Gi1/0/15): 0xBB000A4C:auth_authc_result_enter called
Oct 31 07:26:36: %DOT1X-5-FAIL: Authentication failed for client (a029.196d.0111) on Interface Gi1/0/15 AuditSessionID
Oct 31 07:26:36: dot1x-ev(Gi1/0/15): Sending event (2) to Auth Mgr for a029.196d.0111
Oct 31 07:26:36: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (a029.196d.0111) on Interface Gi1/0/15 AuditSessionID 0AC133FE00000A2B9A514A7C
Oct 31 07:26:36: %AUTHMGR-5-FAIL: Authorization failed for client (a029.196d.0111) on Interface Gi1/0/15 AuditSessionID 0AC133FE00000A2B9A514A7C
Oct 31 07:26:36: dot1x-redundancy: State for client a029.196d.0111 successfully retrieved
eld, got event 4(eapolStart) (ignored)eceived Authz fail for the client 0xBB000A4C (a029.196d.0111)
Oct 31 07:26:36: dot1x-sm(Gi1/0/15): Posting_AUTHZ_FAIL on Client 0xBB000A4C
Oct 31 07:26:36: dot1x_auth Gi1/0/15: during state auth_authc_result, got event 22(authzFail)
Oct 31 07:26:36: @@@ dot1x_auth Gi1/0/15: auth_authc_result -> auth_held
Oct 31 07:26:36: dot1x-sm(Gi1/0/15): 0xBB000A4C:auth_held_enter called
Oct 31 07:26:36: dot1x-ev(Gi1/0/15): Sending EAPOL packet to group PAE address
Oct 31 07:26:36: dot1x-ev(Gi1/0/15): Role determination not required
Oct 31 07:26:36: dot1x-registry:registry:dot1x_ether_macaddr called
Oct 31 07:26:36: dot1x-ev(Gi1/0/15): Sending out EAPOL packet
Oct 31 07:26:36: EAPOL pak dump Tx
Oct 31 07:26:36: EAPOL Version: 0x3 type: 0x0 length: 0x0004
Oct 31 07:26:36: EAP code: 0x4 id: 0x9 length: 0x0004
Oct 31 07:26:36: dot1x-packet(Gi1/0/15): EAPOL packet sent to client 0xBB000A4C (a029.196d.0111)
Oct 31 07:26:36: EAP-EVENT: Received free context (0x13000EA9) from LL (Dot1x-Authenticator)
Oct 31 07:26:36: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_DELETE' on handle 0x13000EA9
Oct 31 07:26:36: EAP-AUTH-EVENT: Freed EAP auth context
Oct 31 07:26:36: EAP-EVENT: Freed EAP context
Oct 31 07:26:37: dot1x-ev(Gi1/0/15): Role determination not required
Oct 31 07:26:37: dot1x-packet(Gi1/0/15): queuing an EAPOL pkt on Auth Q
Oct 31 07:26:37: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Oct 31 07:26:37: EAPOL pak dump rx
Oct 31 07:26:37: EAPOL Version: 0x1 type: 0x1 length: 0x0000
Oct 31 07:26:37: dot1x-ev:
dot1x_auth_queue_event: Int Gi1/0/15 CODE= 0,TYPE= 0,LEN= 0
Oct 31 07:26:37: dot1x-packet(Gi1/0/15): Received an EAPOL frame
Oct 31 07:26:37: dot1x-ev(Gi1/0/15): Received pkt saddr =a029.196d.0111 , daddr = 0180.c200.0003,
pae-ether-type = 888e.0101.0000
Oct 31 07:26:37: dot1x-packet(Gi1/0/15): Received an EAPOL-Start packet
Oct 31 07:26:37: EAPOL pak dump rx
Oct 31 07:26:37: EAPOL Version: 0x1 type: 0x1 length: 0x0000
Oct 31 07:26:37: dot1x-sm(Gi1/0/15): Posting EAPOL_START on Client 0xBB000A4C
Oct 31 07:26:37: dot1x_auth Gi1/0/15: during state auth_held, got event 4(eapolStart) (ignored)
Oct 31 07:26:42: dot1x-ev(Gi1/0/15): Role determination not required
Oct 31 07:26:42: dot1x-packet(Gi1/0/15): queuing an EAPOL pkt on Auth Q
Oct 31 07:26:42: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Oct 31 07:26:42: EAPOL pak dump rx
Oct 31 07:26:42: EAPOL Version: 0x1 type: 0x1 length: 0x0000
Oct 31 07:26:42: dot1x-ev:
dot1x_auth_queue_event: Int Gi1/0/15 CODE= 0,TYPE= 0,LEN= 0
Oct 31 07:26:42: dot1x-packet(Gi1/0/15): Received an EAPOL frame
Oct 31 07:26:42: dot1x-ev(Gi1/0/15): Received pkt saddr =a029.196d.0111 , daddr = 0180.c200.0003,
pae-ether-type = 888e.0101.0000
Oct 31 07:26:42: dot1x-packet(Gi1/0/15):
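Added example, not part of the original post: a small Python parser for the debug lines quoted above that reports, per port and MAC, whether a session failed at an authentication method or only at authorization, decodes the logged EAP code (RFC 3748), and lists events the state machine ignored. The function names and the `SAMPLE` excerpt are assumptions of this example; the log lines are taken from the post.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748
RESULT = re.compile(r"%AUTHMGR-7-RESULT: Authentication result '(\w+)' from '(\w+)' "
                    r"for client \(([0-9a-f.]+)\) on Interface (\S+)", re.I)
AUTHZ_FAIL = re.compile(r"%AUTHMGR-5-FAIL: Authorization failed for client "
                        r"\(([0-9a-f.]+)\) on Interface (\S+)", re.I)
IGNORED = re.compile(r"dot1x_auth (\S+): during state (\w+), "
                     r"got event \d+\((\w+)\) \(ignored\)", re.I)
EAP_CODE = re.compile(r"EAP code: (0x[0-9a-f]+)", re.I)

# Excerpt of the debug output quoted in the post (sample input for this example).
SAMPLE = """\
Oct 31 07:26:36: @@@ dot1x_auth Gi1/0/15: auth_authenticating -> auth_authc_result
Oct 31 07:26:36: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (a029.196d.0111) on Interface Gi1/0/15 AuditSessionID 0AC133FE00000A2B9A514A7C
Oct 31 07:26:36: %AUTHMGR-5-FAIL: Authorization failed for client (a029.196d.0111) on Interface Gi1/0/15 AuditSessionID 0AC133FE00000A2B9A514A7C
Oct 31 07:26:36: @@@ dot1x_auth Gi1/0/15: auth_authc_result -> auth_held
Oct 31 07:26:36: EAP code: 0x4 id: 0x9 length: 0x0004
Oct 31 07:26:37: dot1x_auth Gi1/0/15: during state auth_held, got event 4(eapolStart) (ignored)
"""

def summarize(log):
    """Return (clients, eap_codes, ignored_events) parsed from IOS dot1x debug text."""
    clients, eap_codes, ignored = {}, [], []
    for line in log.splitlines():
        if m := RESULT.search(line):
            result, method, mac, iface = m.groups()
            entry = clients.setdefault((iface, mac), {"methods": {}, "authz_failed": False})
            entry["methods"][method.lower()] = result.lower()
        elif m := AUTHZ_FAIL.search(line):
            mac, iface = m.groups()
            entry = clients.setdefault((iface, mac), {"methods": {}, "authz_failed": False})
            entry["authz_failed"] = True
        elif m := IGNORED.search(line):
            ignored.append((m[1], m[2].lower(), m[3]))
        elif m := EAP_CODE.search(line):
            eap_codes.append(EAP_CODES.get(int(m[1], 16), "Unknown"))
    return clients, eap_codes, ignored

def failing_stage(client):
    """Name the first stage that failed: an authentication method, or authorization only."""
    failed = sorted(m for m, r in client["methods"].items() if r == "fail")
    if failed:
        return "authentication (" + ", ".join(failed) + ")"
    return "authorization" if client["authz_failed"] else "none"

if __name__ == "__main__":
    clients, eap_codes, ignored = summarize(SAMPLE)
    for (iface, mac), client in clients.items():
        print(iface, mac, "failed at:", failing_stage(client))
    print("EAP codes logged:", eap_codes, "| ignored events:", ignored)
```

On the excerpt, the dot1x method itself reports 'fail' before the authorization message is logged, and the client's later EAPOL-Start is ignored while the port is in the held state.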
10-31-2022 04:12 AM
Are you only having the issue with this model 2960 switch? Do you have any other switch in the network working as expected?
First, I would check the PacketFence documentation: they mention having some issue with the IOS code you are running, so upgrade to the suggested version and test it. (Check whether that affects your environment.)
https://www.packetfence.org/documentation/pod/pf/Switch/Cisco/Catalyst_2960.html