05-14-2018 08:04 AM - edited 03-08-2019 03:00 PM
Hi
I would like to achieve that a wired client can authenticate via dot1x and receive the defined vlan id from the radius server. The wifi configuration is already working. The client logs in with AD credentials and gets matched with the defined vlan.
Now I am trying to configure wired dot1x on a cisco 3650 switch.
When I connect a device to my test switchport I receive the following error message:
*May 14 18:29:18 CEST: %DOT1X-5-SUCCESS:Switch 1 R0/0: smd: Authentication successful for client (406C.8F1F.9B49) on Interface Gi4/0/19 AuditSessionID 0AFFE7020000008D5F7C187A
*May 14 18:29:18 CEST: %SESSION_MGR-5-FAIL:Switch 1 R0/0: smd: Authorization failed or unapplied for client (406C.8F1F.9B49) on Interface GigabitEthernet4/0/19 AuditSessionID 0AFFE7020000008D5F7C187A
*May 14 18:29:18 CEST: %SESSION_MGR-5-FAIL:Switch 1 R0/0: smd: Authorization failed or unapplied for client (406C.8F1F.9B49) on Interface GigabitEthernet4/0/19 AuditSessionID 0AFFE7020000008D5F7C187A
*May 14 18:29:18 CEST: %DOT1X-5-RESULT_OVERRIDE:Switch 1 R0/0: smd: Authentication result overridden for client (406C.8F1F.9B49) on Interface Gi4/0/19 AuditSessionID 0
My switchport configuration looks like this:
interface GigabitEthernet4/0/19
 subscriber aging inactivity-timer 60 probe
 switchport mode access
 access-session host-mode single-host
 access-session port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 3
 service-policy type control subscriber POLICY_1
end
My service policy looks like this:
POLICY_1
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x
---
I mostly used this manual:
---
I'm using a Microsoft Radius Server (Windows 2008 R2). The radius server receives and grants access, but the switch doesn't grant access and the client never receives a valid ip.
Any idea what's wrong?
Thanks for your help!
Janis
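The log excerpt in the question has a characteristic shape: a DOT1X-5-SUCCESS (the RADIUS server returned Access-Accept) followed by SESSION_MGR-5-FAIL ("Authorization failed or unapplied") for the same AuditSessionID, which means the switch could not apply what the Access-Accept carried. The following is an added example, not from the original post or from Cisco, of how a defender might scan IOS-XE syslog output for exactly that pattern; the log lines are constructed from the ones quoted above, plus one clean session with a made-up MAC for contrast, and the regex is an assumption about the message format shown here.

```python
import re
from collections import defaultdict

# Constructed sample: the three lines quoted in the question (one per line)
# plus a constructed clean session (MAC 0011.2233.4455 is made up) on Gi4/0/20.
SAMPLE_LOG = """\
*May 14 18:29:18 CEST: %DOT1X-5-SUCCESS:Switch 1 R0/0: smd: Authentication successful for client (406C.8F1F.9B49) on Interface Gi4/0/19 AuditSessionID 0AFFE7020000008D5F7C187A
*May 14 18:29:18 CEST: %SESSION_MGR-5-FAIL:Switch 1 R0/0: smd: Authorization failed or unapplied for client (406C.8F1F.9B49) on Interface GigabitEthernet4/0/19 AuditSessionID 0AFFE7020000008D5F7C187A
*May 14 18:29:18 CEST: %DOT1X-5-RESULT_OVERRIDE:Switch 1 R0/0: smd: Authentication result overridden for client (406C.8F1F.9B49) on Interface Gi4/0/19 AuditSessionID 0AFFE7020000008D5F7C187A
*May 14 18:31:02 CEST: %DOT1X-5-SUCCESS:Switch 1 R0/0: smd: Authentication successful for client (0011.2233.4455) on Interface Gi4/0/20 AuditSessionID 0AFFE7020000008E5F7C1900
"""

# Assumed message layout: %FACILITY-SEVERITY-MNEMONIC: ... client (MAC) on Interface X AuditSessionID Y
LINE_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):.*?"
    r"client \((?P<mac>[0-9A-Fa-f.]+)\) on Interface (?P<iface>\S+) AuditSessionID (?P<sid>\w+)"
)


def parse_log(text: str) -> list[dict]:
    """Turn each matching syslog line into a dict of facility, severity, mnemonic, mac, iface, sid."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_unapplied_authorizations(text: str) -> list[dict]:
    """Flag sessions that authenticated but whose authorization was not applied.

    A DOT1X SUCCESS and a SESSION_MGR FAIL on the same AuditSessionID means the
    RADIUS server said Accept, but the switch could not apply the returned
    attributes (in this thread: a VLAN name instead of a numeric VLAN ID).
    """
    by_session: dict[str, list[dict]] = defaultdict(list)
    for ev in parse_log(text):
        by_session[ev["sid"]].append(ev)

    flagged = []
    for sid, evs in by_session.items():
        success = [e for e in evs if e["facility"] == "DOT1X" and e["mnemonic"] == "SUCCESS"]
        fail = [e for e in evs if e["facility"] == "SESSION_MGR" and e["mnemonic"] == "FAIL"]
        if success and fail:
            flagged.append({
                "session": sid,
                "mac": success[0]["mac"],
                "interface": success[0]["iface"],
                "events": [f'{e["facility"]}-{e["sev"]}-{e["mnemonic"]}' for e in evs],
            })
    return flagged


if __name__ == "__main__":
    for hit in find_unapplied_authorizations(SAMPLE_LOG):
        print(f'{hit["interface"]} {hit["mac"]} session {hit["session"]}: {", ".join(hit["events"])}')
```

Grouping by AuditSessionID rather than by MAC is deliberate: the switch names the interface differently in the DOT1X and SESSION_MGR lines (Gi4/0/19 vs GigabitEthernet4/0/19), while the session ID is stable across all messages for one attempt.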
05-22-2018 06:11 AM - edited 05-22-2018 06:13 AM
Found the solution!
I had to change the Vlan ID on my radius server. I had the vlan name set, and not the ID. Our WLC could handle both (Name and ID).
My radius standard attributes now look like this:
Service-Type: Framed
Tunnel-Medium-Type: 802 (includes all 802 media plus Ethernet ...)
Tunnel-Pvt-Group-ID: 94
Tunnel-Type: Virtual LANs (VLAN)
Important: The vlan name (as Tunnel-Pvt-Group-ID) does not work for wired 802.1x!
My interface config looks like this:
interface GigabitEthernet4/0/19
 switchport mode access
 access-session host-mode single-host
 access-session port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 3
 spanning-tree portfast
 service-policy type control subscriber POLICY_1
My aaa config:
aaa authentication login default local group RADIUS-Servers
aaa authentication enable default enable none
aaa authentication dot1x default group RADIUS-Servers
aaa authentication dot1x group group RADIUS-Servers
aaa authorization network default group RADIUS-Servers
---
If dot1x is not already active:
dot1x system-auth-control
Thanks for your support!
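The fix above comes down to the three RFC 2868 tunnel attributes in the Access-Accept: Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6) and Tunnel-Private-Group-ID carrying the VLAN. The following is an added example, not from the original post or from Cisco or Microsoft, that encodes those attributes the way a RADIUS server would put them on the wire and then checks, as a wired switch effectively does, that the group ID is a numeric VLAN ID rather than a VLAN name. The tag value 1 and the hypothetical VLAN name "Clients" are assumptions for illustration.

```python
# RADIUS attribute type codes from RFC 2868 (tunnel attributes)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value "IEEE-802"


def encode_vlan_attributes(group_id: str, tag: int = 1) -> bytes:
    """Build the three tunnel attributes that carry a dynamic VLAN in an Access-Accept.

    Tunnel-Type and Tunnel-Medium-Type are tag byte + 3-byte integer;
    Tunnel-Private-Group-ID is tag byte + string (RFC 2868 section 3).
    group_id is passed as a string so a VLAN name (wrong for wired 802.1x)
    can be encoded just like a numeric ID (right), as the NPS policy allows.
    """
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    value = group_id.encode("ascii")
    if not 1 <= len(value) <= 250:
        raise ValueError("Tunnel-Private-Group-ID must be 1..250 bytes")
    tunnel_type = bytes([TUNNEL_TYPE, 6, tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
    medium = bytes([TUNNEL_MEDIUM_TYPE, 6, tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
    pgid = bytes([TUNNEL_PRIVATE_GROUP_ID, 3 + len(value), tag]) + value
    return tunnel_type + medium + pgid


def decode_attributes(data: bytes) -> list[tuple[int, bytes]]:
    """Split a RADIUS attribute blob into (type, value) pairs; value keeps its tag byte."""
    out = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def check_wired_vlan_assignment(data: bytes) -> tuple[bool, str]:
    """Return (ok, reason): can a wired switch apply the VLAN in these attributes?

    Mirrors the thread's finding: the switch needs a numeric VLAN ID in
    Tunnel-Private-Group-ID, whereas the WLC also accepted a VLAN name.
    """
    attrs = dict(decode_attributes(data))
    for needed in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
        if needed not in attrs:
            return False, f"missing attribute type {needed}"
    if len(attrs[TUNNEL_TYPE]) != 4 or len(attrs[TUNNEL_MEDIUM_TYPE]) != 4:
        return False, "tagged integer attribute has wrong length"
    if int.from_bytes(attrs[TUNNEL_TYPE][1:], "big") != TUNNEL_TYPE_VLAN:
        return False, "Tunnel-Type is not VLAN (13)"
    if int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE][1:], "big") != TUNNEL_MEDIUM_IEEE_802:
        return False, "Tunnel-Medium-Type is not IEEE-802 (6)"
    raw = attrs[TUNNEL_PRIVATE_GROUP_ID]
    # RFC 2868: a leading byte of 0x00..0x1F is a tag; anything larger is string data
    group = raw[1:] if raw and raw[0] <= 0x1F else raw
    text = group.decode("ascii", errors="replace")
    if not text.isdigit():
        return False, f"Tunnel-Private-Group-ID {text!r} is a VLAN name; wired 802.1x needs the numeric ID"
    vlan = int(text)
    if not 1 <= vlan <= 4094:
        return False, f"VLAN ID {vlan} out of range 1..4094"
    return True, f"VLAN {vlan}"


if __name__ == "__main__":
    # "94" is the ID from the thread; "Clients" is a hypothetical VLAN name
    for group_id in ("94", "Clients"):
        print(group_id, "->", check_wired_vlan_assignment(encode_vlan_attributes(group_id)))
```

Running this prints an accept for "94" and a rejection for "Clients", which is the difference between the NPS policy before and after the fix described in this post.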
05-14-2018 08:21 AM
Hi,
Please can you post the output of "show run aaa"?
05-15-2018 01:40 AM
Thanks for your answer!
switch#sh run aaa
!
aaa authentication login default local group RADIUS-Servers
aaa authentication enable default enable none
aaa authentication dot1x default group RADIUS-Servers
aaa authorization network default group RADIUS-Servers
aaa accounting Identity default start-stop group RADIUS-Servers
aaa accounting update newinfo
username *** privilege 15 password 7 ***
username *** privilege 15 secret 9 ***
!
!
!
!
!
!
radius server Radius01.domain.com
 address ipv4 10.9.2.10 auth-port 1812 acct-port 1813
 timeout 10
 retransmit 5
 key 7 ***
!
radius server Radius02.domain.com
 address ipv4 10.9.2.11 auth-port 1812 acct-port 1813
 timeout 10
 retransmit 5
 key 7 ***
!
radius-server load-balance method least-outstanding
!
aaa group server radius RADIUS-Servers
 server name Radius01.domain.com
 server name Radius02.domain.com
!
!
!
aaa new-model
aaa session-id common
!
!
07-08-2018 03:36 AM
Hello,
I have tried setting up with the same config as yours but am not getting an IP for my laptop. Can you help me check my config?
08-20-2018 03:37 AM - edited 08-20-2018 05:36 AM
Have you set your ip helper address on your VLAN interface?
Do you get an ip if you configure an interface without dot1x?