From: Kevin (trung@vnsystem.net)
Date: Wed Oct 12 2005 - 01:30:04 GMT-3
Hi group,
I was doing port authentication with dot1x on a Catalyst 2950 but I could never make
it work. I've successfully tested connectivity between the SW & RADIUS server
(login using RADIUS is OK).
I've tried many times on the Cat2950 and 3550, changed the RADIUS server (Steel-Belted,
WinRadius), and used a different desktop (WinXP SP2), and I still get the same
result: "Authentication failed". I've pasted my config & some debug lines here
and I hope someone in this group can help me out.
Many thanks.
Kevin.
P.S.: I'm using an IBM ThinkPad T23 with WinXP SP2 as the client.
Authentication method is MD5.
SW2950-1#sh run
Building configuration...
!
aaa new-model
aaa authentication login default group radius
aaa authentication dot1x default group radius
!
dot1x system-auth-control
!
!
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
..
!
radius-server host 192.168.1.154 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key cisco
!
SW2950-1#sh dot1x int fa0/1
Supplicant MAC <Not Applicable>
AuthSM State = CONNECTING
BendSM State = IDLE
PortStatus = UNAUTHORIZED
MaxReq = 2
HostMode = Single
Port Control = Auto
QuietPeriod = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod = 3600 Seconds
ServerTimeout = 30 Seconds
SuppTimeout = 30 Seconds
TxPeriod = 30 Seconds
Guest-Vlan = 0
SW2950-1#debug dot1x
02:19:05: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0000.0000.0000
02:19:05: dot1x-ev:dot1x_tx_eap: EAP Ptk
02:19:05: dot1x-ev:EAP-code=REQUEST
02:19:05: dot1x-ev:EAP Type= IDENTITY
02:19:05: dot1x-ev:ID=4
02:19:35: dot1x-ev:Default and only instance. evaluation for guest vlan move
02:19:35: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEthernet0/1
02:19:35: dot1x-ev:dot1x_update_port_status: Called with host_mode=0 state UNAUTHORIZED
02:19:35: dot1x-ev:dot1x_update_port_status: using mac 0000.0000.0000 to send port to unauthorized on vlan 0
02:19:35: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80CA2C10
02:19:35: dot1x-ev:dot1x_port_unauthorized: Host-mode=0 radius/guest vlan=0
02:19:35: dot1x-ev: GuestVlan configured=0
02:19:35: dot1x-ev:supplicant 0000.0000.0000 is default
02:19:35: dot1x-ev:supplicant 0000.0000.0000 is last
02:19:35: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEthernet0/1
02:19:35: dot1x-ev:Enter function dot1x_aaa_acct_end
02:19:35: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80CA2C10
02:19:35: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80CA2C10
02:19:35: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface FastEthernet0/1
02:19:35: dot1x-ev:dot1x_post_message_to_auth_sm:0000.0000.0000: Sending TX_FAIL
02:19:35: dot1x-ev:dot1x_post_message_to_auth_sm:0000.0000.0000: Current ID=5
02:19:35: dot1x-ev:dot1x_tx_eap: EAP Ptk
02:19:35: dot1x-ev:EAP-code=FAILURE
02:19:35: dot1x-ev:EAP Type= IDENTITY
02:19:35: dot1x-ev:ID=4
02:19:35: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface FastEthernet0/1
02:19:35: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0000.0000.0000
02:19:35: dot1x-ev:dot1x_tx_eap: EAP Ptk
02:19:35: dot1x-ev:EAP-code=REQUEST
02:19:35: dot1x-ev:EAP Type= IDENTITY
02:19:35: dot1x-ev:ID=5
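An added example, not part of the original post: a small Python parser for "debug dot1x" event lines like those above. It collects the EAP packets the switch transmits and reports whether Identity requests simply repeat every TxPeriod while only the all-zero placeholder MAC is ever named, which is what an authenticator still waiting for the client's first EAPOL reply looks like. The function names are hypothetical; the sample lines are copied from the post's debug output with wrapped lines joined.

```python
import re

# Lines copied from the debug output in the post (wrapped lines joined).
SAMPLE = """\
02:19:05: dot1x-ev:dot1x_tx_eap: EAP Ptk
02:19:05: dot1x-ev:EAP-code=REQUEST
02:19:05: dot1x-ev:EAP Type= IDENTITY
02:19:05: dot1x-ev:ID=4
02:19:35: dot1x-ev:dot1x_post_message_to_auth_sm:0000.0000.0000: Sending TX_FAIL
02:19:35: dot1x-ev:dot1x_tx_eap: EAP Ptk
02:19:35: dot1x-ev:EAP-code=FAILURE
02:19:35: dot1x-ev:EAP Type= IDENTITY
02:19:35: dot1x-ev:ID=4
02:19:35: dot1x-ev:dot1x_tx_eap: EAP Ptk
02:19:35: dot1x-ev:EAP-code=REQUEST
02:19:35: dot1x-ev:EAP Type= IDENTITY
02:19:35: dot1x-ev:ID=5
"""
LINE = re.compile(r"^(\d+):(\d\d):(\d\d): dot1x-ev:\s*(.*)$")
MAC = re.compile(r"\b(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\b", re.I)
FIELD = re.compile(r"(EAP-code|EAP Type|ID)\s*=\s*(\S+)")

def parse_dot1x_debug(text):
    """Return (EAP packets the switch transmitted, supplicant MACs named)."""
    packets, macs, cur = [], set(), None
    for m in filter(None, (LINE.match(l.strip()) for l in text.splitlines())):
        h, mi, s, body = m.groups()
        macs.update(x.lower() for x in MAC.findall(body))
        if "dot1x_tx_eap" in body:        # header line of a transmitted packet
            cur = {"t": int(h) * 3600 + int(mi) * 60 + int(s)}
            packets.append(cur)
        elif cur is not None and (f := FIELD.match(body)):
            cur[f.group(1)] = f.group(2)
            if f.group(1) == "ID":        # ID is the packet's last field
                cur = None
    return packets, macs

def summarize(text, tx_period=30):
    """Summarize transmitted EAP packets; tx_period is the TxPeriod in seconds."""
    packets, macs = parse_dot1x_debug(text)
    reqs = [p for p in packets if p.get("EAP-code") == "REQUEST"
            and p.get("EAP Type") == "IDENTITY"]
    gaps = [b["t"] - a["t"] for a, b in zip(reqs, reqs[1:])]
    return {
        "identity_request_ids": [int(p["ID"]) for p in reqs],
        "failures_sent": sum(p.get("EAP-code") == "FAILURE" for p in packets),
        "retransmit_on_tx_period": bool(gaps) and all(g == tx_period for g in gaps),
        "real_supplicant_seen": any(m != "0000.0000.0000" for m in macs),
    }
```

Calling summarize(SAMPLE) returns the summary for the lines above; pass tx_period to match the TxPeriod shown by "sh dot1x int" on the port being checked.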