
Dot1x authentication

user_net
Frequent Visitor

I'm trying to establish dot1x authentication, but I get the following error "%DOT1X-5-FAIL: Authentication failed for client (aabb.cc02.b030) on Interface Et0/3 AuditSessionID 000000000000000D004DBFB8".


Both the authenticator and the supplicant are switches, and the configuration seems to be correct.


Authenticator configuration:

hostname A1
!
boot-start-marker
boot-end-marker
!
!
!
username admin privilege 15 password -
username saad privilege 15 password -
aaa new-model
!
!
aaa authentication dot1x default local
!
!
!
!
!
!
aaa session-id common
clock timezone EET 2 0
!
!
!
!
!
ipv6 multicast rpf use-bgp
no ipv6 cef
cisp enable
!
!
!
!
!
!
!
ip cef
no ip igmp snooping
!
!
dot1x system-auth-control
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 88
 switchport mode trunk
!
interface Ethernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 88
 switchport mode trunk
 authentication port-control auto
 dot1x pae authenticator
!
interface Ethernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 88
 switchport mode trunk
 authentication port-control auto
 dot1x pae authenticator
!
interface Ethernet0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 88
 switchport mode trunk
 authentication port-control auto
 dot1x pae authenticator
!
interface Ethernet1/0
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 88
 switchport mode trunk
 authentication port-control auto
 dot1x pae authenticator
!
interface Ethernet1/1
!
interface Ethernet1/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 88
 switchport mode trunk
!
interface Ethernet1/3
!
interface Vlan88
 ip address 192.168.88.4 255.255.255.0
!
ip default-gateway 192.168.88.1
ip forward-protocol nd
!
no ip http server
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip route 0.0.0.0 0.0.0.0 192.168.88.1
!
!
!
!
!
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
!
!
!
end

Supplicant configuration:

hostname ADMIN
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
!
!
!
!
!
!
aaa session-id common
clock timezone EET 2 0
!
!
!
!
!
ipv6 multicast rpf use-bgp
no ipv6 cef
cisp enable
!
!
!
!
!
!
!
ip cef
no ip igmp snooping
!
!
dot1x credentials switch_access
 username admin
 password -
!
dot1x supplicant force-multicast
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
 switchport access vlan 30
 switchport mode access
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 88
 switchport mode trunk
 dot1x pae supplicant
 dot1x credentials switch_access
!
interface Ethernet1/0
!
interface Ethernet1/1
!
interface Ethernet1/2
!
interface Ethernet1/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 88
 switchport mode trunk
 dot1x pae supplicant
 dot1x credentials switch_access
!
interface Vlan88
 ip address 192.168.88.6 255.255.255.0
!
ip forward-protocol nd
!
no ip http server
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip route 0.0.0.0 0.0.0.0 192.168.88.1
!
!
!
!
!
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
!
!
!
end


5 Replies

Hi @user_net 

You are trying to configure NEAT to authenticate the 2 switches? You appear to be attempting to authenticate using the local database, though I've only ever seen examples using RADIUS (ISE) - so I am not sure it will work as you intend. What reference documentation have you been using?


Reference here:

https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId--100650304


HTH

Is it possible to use windows server 2012 as an authentication server instead of ISE?

However, referring to your first reply: no, I am not trying to authenticate 2 switches. One switch is acting as the authenticator using its local username database, and the other switch is the supplicant. The user credentials are right, as well as the dot1x configuration. However, is it possible that the native VLAN or trunk configuration are causing the issue?

No, but you are sending the switch credentials from one switch to be authenticated by the other switch - this I don't believe is supported, only RADIUS. The supplicant switchport would be a trunk port, whereas the authenticator switch would be an access port - this would dynamically change once it received the correct attribute from the RADIUS server.

I don't see why you cannot use any RADIUS server such as Windows NPS. You'd need to return the RADIUS attribute device-traffic-class=switch as defined in this guide.
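As an added illustration of the RADIUS-backed setup the replies above describe (this is not configuration from the thread or from the linked Cisco guide), the authenticator side would take roughly this shape; the server address, group name and shared secret are placeholders, and the RADIUS server (ISE or NPS) must return the Cisco-AV-Pair device-traffic-class=switch in its Access-Accept for CISP to convert the port to a trunk.

```text
! --- Authenticator (A1): point dot1x at a RADIUS server instead of the local database ---
aaa new-model
!
! Placeholder server: replace the address and the shared secret with your own values
radius server NPS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
aaa group server radius NPS-GROUP
 server name NPS
!
! dot1x authentication goes to RADIUS; network authorization is what lets the switch
! act on the returned Cisco-AV-Pair "device-traffic-class=switch"
aaa authentication dot1x default group NPS-GROUP
aaa authorization network default group NPS-GROUP
!
dot1x system-auth-control
cisp enable
!
! NEAT: the authenticator port starts as an access port and is switched to a trunk
! by CISP only after the supplicant switch authenticates successfully
interface Ethernet0/3
 switchport mode access
 switchport access vlan 88
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
! --- Supplicant (ADMIN): the credentials block and the supplicant-side port ---
dot1x credentials switch_access
 username admin
 password <password>
!
dot1x supplicant force-multicast
!
interface Ethernet0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 88
 switchport mode trunk
 dot1x pae supplicant
 dot1x credentials switch_access
```

On the RADIUS side the username/password in the credentials block must exist as an account, and the policy matched by that account must add the Cisco-AV-Pair attribute; without it the port authenticates but stays an access port.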