WOW. We got it, and had to use a non-company laptop asset. I wonder if there was some type of filtering unbeknownst to us... AnyConnect?
Ha, I don't know what prompted my colleague to use his own personal laptop, but thank goodness he did.
I can clearly see the EAP packets.
We are good to go!
This is a phone. To make a long story short, we are sometimes seeing the client fail dot1x authentication, and we need to show the vendor this happening in real time. They need a pcap showing EAPoL.
Yes, and these clients authenticate and succeed dot1x authentication.
(For protection, I'm going to cover some stuff up.)
S-ISE#sho auth sess int gi0/3 details
            Interface:  GigabitEthernet0/3
          MAC Address:  aaaa.bbbb.cccc.dddd
         IPv6 Address:  Unknown
         IPv4 Address:  x.x.x.
            User-Name:  xxxxx
               Status:  Authorized
               Domain:  VOICE
       Oper host mode:  multi-domain
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  172800s (local), Remaining: 102554s
       Session Uptime:  70285s
    Common Session ID:  0AC0015000000239D2A32386
      Acct Session ID:  0x00000D94
               Handle:  0x0200013D
       Current Policy:  POLICY_Gi0/3

Local Policies:
     Service Template:  DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure
      Security Status:  Link Unsecure

Method status list:
       Method           State
       dot1x            Authc Success
TY! I appreciate the reply!
So in this case we are capturing from the supplicant to the authenticator. So (at least in my mind) we would see the EAP success but, understandably, not see the 4-way handshake. But yes, we are doing exactly what you stated below with regards to capturing on the access port.
We are trying to solve an issue with a vendor; however, for them to move forward they are asking for a PCAP that shows EAPoL occurring. I have taken multiple pcaps and have been unable to find this within the PCAP. I have read other blogs/posts that state using a hub between the device and the switch is probably the best approach, but finding a hub these days is nearly impossible.
To give you some insight, we are using ISE/RADIUS for the Authentication Server, a WS-C3560CX-8PC-S switch for the Authenticator, and the endpoint/client.
Here is a snippet of the port config:
 switchport access vlan X
 switchport mode access
 switchport voice vlan Y
 no logging event link-status
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication event fail action next-method
 authentication event server dead action authorize vlan X
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 no snmp trap link-status
 mls qos trust cos
 dot1x pae authenticator
 auto qos trust
 spanning-tree portfast edge
 ip dhcp snooping information option allow-untrusted
end
Any help / direction is very much appreciated.
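For anyone else hunting for the same thing in a capture: the frames the vendor wants carry EtherType 0x888E, and both the supplicant and the switch normally send them to the 802.1X PAE group address 01:80:C2:00:00:03, which a switch does not forward beyond that link. They therefore only appear in a capture taken on the access port itself (SPAN of that port, an inline tap or a hub) or on the endpoint; capturing from a different port on the same switch will never show them. The Python below is an added example, not code from anyone in this thread. It decodes the EAPoL header and, for EAP-Packet frames, the EAP header out of raw Ethernet frames, which is the check to run over the frames of the pcap once it has been taken. The MAC addresses, the identity string "phone01" and the sample exchange are constructed for the example; the equivalent capture filters are tcpdump's `ether proto 0x888e` and Wireshark's display filter `eapol`.

```python
"""Decode 802.1X (EAPoL) frames out of raw Ethernet frames.
Added example for this thread, not code from any of the posts. Frames this
returns are what a dot1x capture has to contain. Capture filter equivalents:
tcpdump 'ether proto 0x888e', Wireshark display filter 'eapol'."""
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def parse_eapol(frame: bytes):
    """Return a dict describing an EAPoL frame, or None if the frame is not EAPoL."""
    if len(frame) < 18:  # 14-byte Ethernet header + 4-byte EAPOL header
        return None
    dst, src, (ethertype,) = frame[0:6], frame[6:12], struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        return None
    version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) < body_len:
        raise ValueError("truncated EAPOL body (short snaplen?)")
    rec = {"src": src.hex(":"), "dst": dst.hex(":"), "to_pae_group": dst == PAE_GROUP_ADDR,
           "eapol_version": version,
           "eapol_type": EAPOL_TYPES.get(eapol_type, f"unknown({eapol_type})")}
    if eapol_type == 0 and body_len >= 4:  # EAP header: code, identifier, length
        code, ident, eap_len = struct.unpack("!BBH", body[0:4])
        rec["eap_code"] = EAP_CODES.get(code, f"unknown({code})")
        rec["eap_id"] = ident
        if code in (1, 2) and eap_len >= 5:  # Request/Response carry a type byte
            rec["eap_type"] = EAP_TYPES.get(body[4], f"unknown({body[4]})")
            if code == 2 and body[4] == 1:  # Response/Identity carries the user name
                rec["identity"] = body[5:eap_len].decode("ascii", "replace")
    return rec


def summarize(frames):
    """One line per EAPoL frame, in capture order; non-EAPoL frames are skipped."""
    lines = []
    for rec in filter(None, map(parse_eapol, frames)):
        parts = [rec["src"], "->", rec["dst"], rec["eapol_type"]]
        if "eap_code" in rec:
            parts += ["EAP", rec["eap_code"], f"id={rec['eap_id']}"]
            parts += [rec[k] for k in ("eap_type", "identity") if k in rec]
        lines.append(" ".join(parts))
    return lines


def outcome(frames):
    """'Success', 'Failure' or None, from the last EAP Success/Failure in the capture."""
    codes = [r["eap_code"] for r in filter(None, map(parse_eapol, frames))
             if r.get("eap_code") in ("Success", "Failure")]
    return codes[-1] if codes else None


# --- constructed sample exchange; the MACs and the identity "phone01" are hypothetical ---
SUPPLICANT = bytes.fromhex("001122334455")     # the phone
AUTHENTICATOR = bytes.fromhex("0011223344aa")  # the switch port


def _eth(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def _eapol(eapol_type, body=b""):
    return struct.pack("!BBH", 1, eapol_type, len(body)) + body  # EAPOL version 1


def _eap(code, ident, eap_type=None, data=b""):
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


SAMPLE_FRAMES = [
    _eth(b"\xff" * 6, SUPPLICANT, 0x0806, b"\x00" * 28),                           # ARP: skipped
    _eth(PAE_GROUP_ADDR, SUPPLICANT, ETHERTYPE_EAPOL, _eapol(1)),                  # EAPOL-Start
    _eth(PAE_GROUP_ADDR, AUTHENTICATOR, ETHERTYPE_EAPOL, _eapol(0, _eap(1, 1, 1))),  # Request/Identity
    _eth(PAE_GROUP_ADDR, SUPPLICANT, ETHERTYPE_EAPOL,
         _eapol(0, _eap(2, 1, 1, b"phone01"))),                                    # Response/Identity
    _eth(PAE_GROUP_ADDR, AUTHENTICATOR, ETHERTYPE_EAPOL, _eapol(0, _eap(3, 2))),    # EAP Success
]

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_FRAMES)))
    print("outcome:", outcome(SAMPLE_FRAMES))
```

To use it on a real capture, read the frames out of the pcap with whatever pcap library you have and pass them to summarize(); an empty result on a capture taken while the phone authenticated means the capture point never saw the link (filtered by software on the capturing laptop, or taken on a port the frames are not forwarded to), not that no dot1x happened.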
Good morning experts,
It has reached the point where I have to vent my frustration on the support forums :)
Alright, to make a long story short, we have recently deployed a closed mode policy throughout our enterprise. We have a lot of A/V products such as Crestron scheduling panels and Biamp touch panel devices. After moving towards a closed mode environment, a handful of these devices either lose their layer 2 address or IP address.
So for example when I try to find authentication sessions within the switch I come up empty handed:
Switch1#sho auth sess int gi7/40
No sessions match supplied criteria.
Runnable methods list:
  Handle  Priority  Name
      17         5  dot1x
      18        10  mab
      21        15  webauth
When I look at the interface status we can clearly see the device is connected:
Switch1#sho int gi7/40
GigabitEthernet7/40 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet Port, address is 54a2.7479.76ef (bia 54a2.7479.76ef)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, link type is auto, media type is 10/100/1000-TX
  input flow-control is off, output flow-control is off
  Auto-MDIX on (operational: on)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 4d17h
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: Class-based queueing
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     21229 packets output, 9578713 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
At this point I have to bounce the interface in order for the authentication to re-initialize, at which point I'm able to see an authentication session.
So my question is: why do we have to bounce the port to initialize an authentication session? This is starting to become problematic, as we have to bounce the ports to get these devices back online. Do we know why this is an issue? This was never an issue when our environment was in a low impact/monitor mode environment. This only started to rear its head when we moved our NADs into a closed mode policy.
I will provide our port config for further analysis.
Switch1#sho run int gi7/40
Building configuration...

Current configuration : 874 bytes
!
interface GigabitEthernet7/43
 switchport access vlan 144
 switchport mode access
 switchport voice vlan 143
 ip access-group ACL-ALLOW in
 no logging event link-status
 authentication event fail action next-method
 authentication event server dead action authorize vlan 43
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab webauth
 authentication port-control auto
 authentication timer inactivity 60
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 no snmp trap link-status
 auto qos trust
 dot1x pae authenticator
 service-policy input AutoQos-4.0-Input-Policy
 service-policy output AutoQos-4.0-Output-Policy
 ip dhcp snooping information option allow-untrusted
end