RE: Unable to authenticate with dot1x

From: Kevin (trung@vnsystem.net)
Date: Wed Oct 12 2005 - 03:29:40 GMT-3


Thanks Ryan,
Yes, I did configure the IP address on my sw; as I described in the previous
post, I have successful connectivity & authentication between the sw & the
radius server. I've tested the radius server with the login method and it
worked fine, but it was not ok with dot1x.
I see this in debug but I don't actually understand what it means?

> 02:19:35: dot1x-ev:
>
> dot1x_post_message_to_auth_sm:0000.0000.0000: Sending TX_FAIL

Kevin.

-----Original Message-----
From: The Great Ryan [mailto:pv.ryan@gmail.com]
Sent: Wednesday, October 12, 2005 11:38 AM
To: Kevin
Cc: ccielab@groupstudy.com
Subject: Re: Unable to authenticate with dot1x

Your switch should have a management IP so that there is IP reachability
between your switch and the Radius server. This is because the switch will
send the dot1x request, on behalf of the dot1x client connecting to your
switch, to the Radius server for authentication.

Ryan

2005/10/12, Kevin <trung@vnsystem.net>:
> Hi group,
>
> I was doing port authentication with dot1x on a Catalyst 2950 but I never
> made it work. I've successfully tested connectivity between the SW & radius
> server (login using radius is ok).
>
> I've tried many times on cat2950 and 3550, changed the radius server
> (steel-belted, WinRadius), and used a different desktop (winxp-sp2), and
> still have the same result - "Authentication failed". I paste my config &
> some debug lines here and I hope someone in this group can help me out.
>
> Many thanks.
>
> Kevin.
>
> P/s: I'm using the IBM ThinkPad T23 with WINXP-sp2 for the client.
> Authentication method is MD5.
>
> SW2950-1#sh run
> Building configuration...
>
> !
> aaa new-model
> aaa authentication login default group radius
> aaa authentication dot1x default group radius
> !
> dot1x system-auth-control
> !
> !
> !
> interface FastEthernet0/1
> switchport mode access
> dot1x port-control auto
> !
> ..
> !
> radius-server host 192.168.1.154 auth-port 1812 acct-port 1813
> radius-server retransmit 3
> radius-server key cisco
> !
>
> SW2950-1#sh dot1x int fa0/1
> Supplicant MAC <Not Applicable>
> AuthSM State = CONNECTING
> BendSM State = IDLE
> PortStatus = UNAUTHORIZED
> MaxReq = 2
> HostMode = Single
> Port Control = Auto
> QuietPeriod = 60 Seconds
> Re-authentication = Disabled
> ReAuthPeriod = 3600 Seconds
> ServerTimeout = 30 Seconds
> SuppTimeout = 30 Seconds
> TxPeriod = 30 Seconds
> Guest-Vlan = 0
>
> SW2950-1#debug dot1x
>
> 02:19:05: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0000.0000.0000
> 02:19:05: dot1x-ev:dot1x_tx_eap: EAP Ptk
> 02:19:05: dot1x-ev:EAP-code=REQUEST
> 02:19:05: dot1x-ev:EAP Type= IDENTITY
> 02:19:05: dot1x-ev:ID=4
>
> 02:19:35: dot1x-ev:Default and only instance. evaluation for guest vlan move
> 02:19:35: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEthernet0/1
> 02:19:35: dot1x-ev:dot1x_update_port_status: Called with host_mode=0 state UNAUTHORIZED
> 02:19:35: dot1x-ev:dot1x_update_port_status: using mac 0000.0000.0000 to send port to unauthorized on vlan 0
> 02:19:35: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80CA2C10
> 02:19:35: dot1x-ev:dot1x_port_unauthorized: Host-mode=0 radius/guest vlan=0
> 02:19:35: dot1x-ev: GuestVlan configured=0
> 02:19:35: dot1x-ev:supplicant 0000.0000.0000 is default
> 02:19:35: dot1x-ev:supplicant 0000.0000.0000 is last
> 02:19:35: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEthernet0/1
> 02:19:35: dot1x-ev:Enter function dot1x_aaa_acct_end
> 02:19:35: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80CA2C10
> 02:19:35: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80CA2C10
> 02:19:35: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface FastEthernet0/1
> 02:19:35: dot1x-ev:
> dot1x_post_message_to_auth_sm:0000.0000.0000: Sending TX_FAIL
> 02:19:35: dot1x-ev:dot1x_post_message_to_auth_sm:0000.0000.0000: Current ID=5
>
> 02:19:35: dot1x-ev:dot1x_tx_eap: EAP Ptk
> 02:19:35: dot1x-ev:EAP-code=FAILURE
> 02:19:35: dot1x-ev:EAP Type= IDENTITY
> 02:19:35: dot1x-ev:ID=4
>
> 02:19:35: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface FastEthernet0/1
> 02:19:35: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0000.0000.0000
>
> 02:19:35: dot1x-ev:dot1x_tx_eap: EAP Ptk
> 02:19:35: dot1x-ev:EAP-code=REQUEST
> 02:19:35: dot1x-ev:EAP Type= IDENTITY
> 02:19:35: dot1x-ev:ID=5
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
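
An added example, not part of the original thread: a small parser for the `debug dot1x` output quoted above that pairs each Identity request with the next TX_FAIL and compares the gap with the TxPeriod shown by `sh dot1x int fa0/1`. The sample is a subset of the thread's debug lines with wrapped lines rejoined; the function names are hypothetical, and reading a gap equal to TxPeriod with the supplicant MAC still 0000.0000.0000 as "no EAPOL reply was recorded from the client" is an assumption about this IOS output.

```python
import re

# Subset of the debug lines from the thread above (wrapped lines rejoined).
DEBUG = """\
02:19:05: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0000.0000.0000
02:19:05: dot1x-ev:dot1x_tx_eap: EAP Ptk
02:19:05: dot1x-ev:EAP-code=REQUEST
02:19:05: dot1x-ev:EAP Type= IDENTITY
02:19:05: dot1x-ev:ID=4
02:19:35: dot1x-ev:
dot1x_post_message_to_auth_sm:0000.0000.0000: Sending TX_FAIL
02:19:35: dot1x-ev:dot1x_tx_eap: EAP Ptk
02:19:35: dot1x-ev:EAP-code=FAILURE
02:19:35: dot1x-ev:EAP Type= IDENTITY
02:19:35: dot1x-ev:ID=4
"""
TX_PERIOD = 30  # seconds, from "TxPeriod = 30 Seconds" in the thread

STAMP = re.compile(r"^(\d+):(\d\d):(\d\d): dot1x-ev:\s*(.*)$")
MAC = re.compile(r"(?:supplicant |auth_sm:)([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")

def events(text):
    """Return (seconds, message) pairs; a line with no timestamp continues the previous one."""
    out = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            h, mi, s, msg = m.groups()
            out.append([int(h) * 3600 + int(mi) * 60 + int(s), msg])
        elif out and line.strip():
            out[-1][1] += line.strip()
    return [tuple(e) for e in out]

def unanswered_requests(text, tx_period=TX_PERIOD):
    """Return (request_time, fail_time, mac) where TX_FAIL follows a request after >= tx_period."""
    findings, pending, mac = [], None, None
    for t, msg in events(text):
        m = MAC.search(msg)
        if m:
            mac = m.group(1)  # last supplicant MAC seen in the debug stream
        if "Tx for req_id" in msg:
            pending = t  # an EAP-Request/Identity was just sent
        elif "Sending TX_FAIL" in msg and pending is not None:
            if t - pending >= tx_period:
                findings.append((pending, t, mac))
            pending = None
    return findings

if __name__ == "__main__":
    for req, fail, mac in unanswered_requests(DEBUG):
        print(f"request at {req}s, TX_FAIL {fail - req}s later, supplicant MAC {mac}")
```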


