Re: Unable to authenticate with dot1x

From: The Great Ryan (pv.ryan@gmail.com)
Date: Wed Oct 12 2005 - 01:37:42 GMT-3


Your switch should have a management IP so that there is IP reachability
between your switch and the RADIUS server. This is because the switch will send
the dot1x request, on behalf of the dot1x client connecting to your
switch, to the RADIUS server for authentication.

Ryan

2005/10/12, Kevin <trung@vnsystem.net>:
> Hi group,
>
> I was doing port authentication with dot1x on a Catalyst 2950, but I never made
> it work. I've successfully tested connectivity between the SW & RADIUS server
> (login using RADIUS is OK).
>
> I've tried many times on cat2950, 3550, changed the RADIUS server (Steel-Belted,
> WinRadius), used a different desktop (WinXP-SP2), and still have the same
> result - "Authentication failed". I paste my config & some debug lines here
> and I hope someone in this group can help me out.
>
> Many thanks.
>
> Kevin.
>
> P.S.: I'm using the IBM ThinkPad T23 with WinXP-SP2 for the client.
> Authentication method is MD5.
>
> SW2950-1#sh run
> Building configuration...
>
> !
> aaa new-model
> aaa authentication login default group radius
> aaa authentication dot1x default group radius
> !
> dot1x system-auth-control
> !
> !
> !
> interface FastEthernet0/1
> switchport mode access
> dot1x port-control auto
> !
> ..
> !
> radius-server host 192.168.1.154 auth-port 1812 acct-port 1813
> radius-server retransmit 3
> radius-server key cisco
> !
>
> SW2950-1#sh dot1x int fa0/1
> Supplicant MAC <Not Applicable>
> AuthSM State = CONNECTING
> BendSM State = IDLE
> PortStatus = UNAUTHORIZED
> MaxReq = 2
> HostMode = Single
> Port Control = Auto
> QuietPeriod = 60 Seconds
> Re-authentication = Disabled
> ReAuthPeriod = 3600 Seconds
> ServerTimeout = 30 Seconds
> SuppTimeout = 30 Seconds
> TxPeriod = 30 Seconds
> Guest-Vlan = 0
>
> SW2950-1#debug dot1x
>
> 02:19:05: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0000.0000.0000
> 02:19:05: dot1x-ev:dot1x_tx_eap: EAP Ptk
> 02:19:05: dot1x-ev:EAP-code=REQUEST
> 02:19:05: dot1x-ev:EAP Type= IDENTITY
> 02:19:05: dot1x-ev:ID=4
> 02:19:35: dot1x-ev:Default and only instance. evaluation for guest vlan move
> 02:19:35: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEthernet0/1
> 02:19:35: dot1x-ev:dot1x_update_port_status: Called with host_mode=0 state UNAUTHORIZED
> 02:19:35: dot1x-ev:dot1x_update_port_status: using mac 0000.0000.0000 to send port to unauthorized on vlan 0
> 02:19:35: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80CA2C10
> 02:19:35: dot1x-ev:dot1x_port_unauthorized: Host-mode=0 radius/guest vlan=0
> 02:19:35: dot1x-ev: GuestVlan configured=0
> 02:19:35: dot1x-ev:supplicant 0000.0000.0000 is default
> 02:19:35: dot1x-ev:supplicant 0000.0000.0000 is last
> 02:19:35: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEthernet0/1
> 02:19:35: dot1x-ev:Enter function dot1x_aaa_acct_end
> 02:19:35: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80CA2C10
> 02:19:35: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80CA2C10
> 02:19:35: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface FastEthernet0/1
> 02:19:35: dot1x-ev:
> dot1x_post_message_to_auth_sm:0000.0000.0000: Sending TX_FAIL
> 02:19:35: dot1x-ev:dot1x_post_message_to_auth_sm:0000.0000.0000: Current ID=5
> 02:19:35: dot1x-ev:dot1x_tx_eap: EAP Ptk
> 02:19:35: dot1x-ev:EAP-code=FAILURE
> 02:19:35: dot1x-ev:EAP Type= IDENTITY
> 02:19:35: dot1x-ev:ID=4
> 02:19:35: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface FastEthernet0/1
> 02:19:35: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0000.0000.0000
> 02:19:35: dot1x-ev:dot1x_tx_eap: EAP Ptk
> 02:19:35: dot1x-ev:EAP-code=REQUEST
> 02:19:35: dot1x-ev:EAP Type= IDENTITY
> 02:19:35: dot1x-ev:ID=5



This archive was generated by hypermail 2.1.4 : Sun Nov 06 2005 - 22:00:50 GMT-3
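
A triage sketch for the `debug dot1x` output quoted above, added here as an example and not code from either poster: it lists the EAP packets the switch transmitted and checks whether any supplicant MAC other than the all-zero 0000.0000.0000 was ever logged. The function names and the sample (a subset of the quoted lines, rejoined where wrapped) are assumptions of this example.

```python
import re

# Constructed sample: a subset of the debug lines quoted in the post, rejoined where wrapped.
SAMPLE = """\
02:19:05: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0000.0000.0000
02:19:05: dot1x-ev:dot1x_tx_eap: EAP Ptk
02:19:05: dot1x-ev:EAP-code=REQUEST
02:19:05: dot1x-ev:EAP Type= IDENTITY
02:19:05: dot1x-ev:ID=4
02:19:35: dot1x-ev:dot1x_tx_eap: EAP Ptk
02:19:35: dot1x-ev:EAP-code=FAILURE
02:19:35: dot1x-ev:EAP Type= IDENTITY
02:19:35: dot1x-ev:ID=4
02:19:35: dot1x-ev:dot1x_tx_eap: EAP Ptk
02:19:35: dot1x-ev:EAP-code=REQUEST
02:19:35: dot1x-ev:EAP Type= IDENTITY
02:19:35: dot1x-ev:ID=5
"""

LINE = re.compile(r"^(\d\d):(\d\d):(\d\d): dot1x-ev:\s*(.*)$")
MAC = re.compile(r"\b[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\b")
FIELDS = {"EAP-code=": "code", "EAP Type=": "type", "ID=": "id"}

def parse(text):
    """Return (EAP packets the switch transmitted, every MAC that was logged)."""
    packets, macs, cur = [], set(), None
    for raw in text.splitlines():
        m = LINE.match(raw.lstrip("> ").strip())   # tolerate mail quoting
        if not m:
            continue
        macs.update(x.lower() for x in MAC.findall(m[4]))
        if "dot1x_tx_eap" in m[4]:                 # header line of a transmitted packet
            cur = {"t": int(m[1]) * 3600 + int(m[2]) * 60 + int(m[3])}
            packets.append(cur)
        elif cur is not None:
            for prefix, key in FIELDS.items():
                if m[4].startswith(prefix):
                    cur[key] = m[4][len(prefix):].strip()
    return packets, macs

def triage(text):
    """Report whether a non-zero supplicant MAC was logged and which requests ended in failure."""
    packets, macs = parse(text)
    failed = [(int(req["id"]), p["t"] - req["t"])   # (EAP ID, seconds until the Failure)
              for req in packets if req.get("code") == "REQUEST" and "id" in req
              for p in packets
              if p.get("code") == "FAILURE" and p.get("id") == req["id"] and p["t"] >= req["t"]]
    return {"supplicant_seen": bool(macs - {"0000.0000.0000"}), "failed_requests": failed}
print(triage(SAMPLE))
```

On the quoted log it reports no non-zero supplicant MAC and one Request/Identity (ID 4) followed 30 seconds later by a Failure with the same ID, the same 30 seconds shown for TxPeriod and SuppTimeout in the `sh dot1x int fa0/1` output.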