From: Kevin (trung@vnsystem.net)
Date: Wed Oct 12 2005 - 06:11:50 GMT-3
Well Ryan,
I have checked the link you listed several times before and I believe I didn't miss any configuration. Unfortunately, I can't make it work :(.
Also, in my first post I specified that the client PC is running WinXP SP2 with dot1x enabled (md5-challenge).
Hi Alek,
The cat2950 is running IOS ver 12.1(22)EA1, pls see below.
I tried another sw, the cat3550, with IOS ver 12.2(25) Enhanced Image, but still have no luck :(
SW2950-1#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA2, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Sun 07-Nov-04 23:14 by antonino
Image text-base: 0x80010000, data-base: 0x8055E000
ROM: Bootstrap program is C2950 boot loader
SW2950-1 uptime is 7 hours, 22 minutes
System returned to ROM by power-on
System image file is "flash:/c2950-i6q4l2-mz.121-22.EA2.bin"
------------
SW3550-1#sh ver
Cisco IOS Software, C3550 Software (C3550-I5Q3L2-M), Version 12.2(25)SEA, RELEASE SOFTWARE (fc)
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Tue 25-Jan-05 18:57 by antonino
ROM: Bootstrap program is C3550 boot loader
SW3550-1 uptime is 7 hours, 25 minutes
System returned to ROM by power-on
System image file is "flash:/c3550-i5q3l2-mz.122-25.SEA.bin"
-----Original Message-----
From: The Great Ryan [mailto:pv.ryan@gmail.com]
Sent: Wednesday, October 12, 2005 2:06 PM
To: Kevin
Subject: Re: Unable to authenticate with dot1x
Ok. Your switch configuration seems to be ok.
Besides, there are some special settings for Dot1x in the Radius server. I have set up Dot1x authentication using an ACS server only. Try the following link:
http://www.cisco.com/en/US/partner/products/hw/switches/ps700/products_tech_note09186a00801d11a4.shtml
Finally, there are some requirements on the client side. For example, you must use Windows XP (not Windows 98) for Dot1x authentication and need to enable the Dot1x feature on your PC.
Ryan
2005/10/12, Kevin <trung@vnsystem.net>:
> Thanks Ryan,
> Yes, I did configure the IP address on my sw; as I described in the previous post, I have successful connectivity & authentication between the sw & radius server. I've tested the radius server with the login method and it worked fine, but it was not ok with dot1x.
> I see this in debug but I don't actually understand what it means?
>
> > 02:19:35: dot1x-ev:dot1x_post_message_to_auth_sm:0000.0000.0000: Sending TX_FAIL
>
> Kevin.
>
>
> -----Original Message-----
> From: The Great Ryan [mailto:pv.ryan@gmail.com]
> Sent: Wednesday, October 12, 2005 11:38 AM
> To: Kevin
> Cc: ccielab@groupstudy.com
> Subject: Re: Unable to authenticate with dot1x
>
> Your switch should have a management IP such that there is IP reachability
> between your switch and the Radius server. This is because the switch will send
> the dot1x request, on behalf of your dot1x client connecting to your
> switch, to the Radius server for authentication.
>
>
> Ryan
>
> 2005/10/12, Kevin <trung@vnsystem.net>:
> > Hi group,
> >
> > I was doing port authentication with dot1x on catalyst 2950 but I never made it work. I've successfully tested connectivity between SW & radius server (Login using radius is ok).
> >
> > I've tried many times on cat2950, 3550, changed radius server (steel-belted, WinRadius), used different desktops (winxp-sp2), and still have the same result - "Authentication failed". I paste my config & some debug lines here and I hope someone in this group can help me out.
> >
> > Many thanks.
> >
> > Kevin.
> >
> > P/s: I'm using an IBM ThinkPad T23 with WINXP-sp2 for the client. Authentication method is MD5.
> >
> > SW2950-1#sh run
> > Building configuration...
> > !
> > aaa new-model
> > aaa authentication login default group radius
> > aaa authentication dot1x default group radius
> > !
> > dot1x system-auth-control
> > !
> > interface FastEthernet0/1
> > switchport mode access
> > dot1x port-control auto
> > !
> > ..
> > !
> > radius-server host 192.168.1.154 auth-port 1812 acct-port 1813
> > radius-server retransmit 3
> > radius-server key cisco
> > !
> >
> > SW2950-1#sh dot1x int fa0/1
> > Supplicant MAC <Not Applicable>
> > AuthSM State = CONNECTING
> > BendSM State = IDLE
> > PortStatus = UNAUTHORIZED
> > MaxReq = 2
> > HostMode = Single
> > Port Control = Auto
> > QuietPeriod = 60 Seconds
> > Re-authentication = Disabled
> > ReAuthPeriod = 3600 Seconds
> > ServerTimeout = 30 Seconds
> > SuppTimeout = 30 Seconds
> > TxPeriod = 30 Seconds
> > Guest-Vlan = 0
> >
> > SW2950-1#debug dot1x
> > 02:19:05: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0000.0000.0000
> > 02:19:05: dot1x-ev:dot1x_tx_eap: EAP Ptk
> > 02:19:05: dot1x-ev:EAP-code=REQUEST
> > 02:19:05: dot1x-ev:EAP Type= IDENTITY
> > 02:19:05: dot1x-ev:ID=4
> > 02:19:35: dot1x-ev:Default and only instance. evaluation for guest vlan move
> > 02:19:35: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEthernet0/1
> > 02:19:35: dot1x-ev:dot1x_update_port_status: Called with host_mode=0 state UNAUTHORIZED
> > 02:19:35: dot1x-ev:dot1x_update_port_status: using mac 0000.0000.0000 to send port to unauthorized on vlan 0
> > 02:19:35: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80CA2C10
> > 02:19:35: dot1x-ev:dot1x_port_unauthorized: Host-mode=0 radius/guest vlan=0
> > 02:19:35: dot1x-ev: GuestVlan configured=0
> > 02:19:35: dot1x-ev:supplicant 0000.0000.0000 is default
> > 02:19:35: dot1x-ev:supplicant 0000.0000.0000 is last
> > 02:19:35: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEthernet0/1
> > 02:19:35: dot1x-ev:Enter function dot1x_aaa_acct_end
> > 02:19:35: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80CA2C10
> > 02:19:35: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80CA2C10
> > 02:19:35: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface FastEthernet0/1
> > 02:19:35: dot1x-ev:dot1x_post_message_to_auth_sm:0000.0000.0000: Sending TX_FAIL
> > 02:19:35: dot1x-ev:dot1x_post_message_to_auth_sm:0000.0000.0000: Current ID=5
> > 02:19:35: dot1x-ev:dot1x_tx_eap: EAP Ptk
> > 02:19:35: dot1x-ev:EAP-code=FAILURE
> > 02:19:35: dot1x-ev:EAP Type= IDENTITY
> > 02:19:35: dot1x-ev:ID=4
> > 02:19:35: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface FastEthernet0/1
> > 02:19:35: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0000.0000.0000
> > 02:19:35: dot1x-ev:dot1x_tx_eap: EAP Ptk
> > 02:19:35: dot1x-ev:EAP-code=REQUEST
> > 02:19:35: dot1x-ev:EAP Type= IDENTITY
> > 02:19:35: dot1x-ev:ID=5
> >
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
This archive was generated by hypermail 2.1.4 : Sun Nov 06 2005 - 22:00:50 GMT-3
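As an added illustration (not part of the thread), a small Python reader for the `debug dot1x` lines quoted above: it extracts the EAP codes and supplicant MAC and distinguishes a port that timed out because no EAP-Response/Identity ever reached the switch from one where the supplicant answered and the failure came later. The sample lines are a constructed subset of the debug output in the thread, and the 30-second threshold is the TxPeriod shown by `sh dot1x`.

```python
import re

# Constructed sample: a condensed subset of the `debug dot1x` lines quoted in the thread.
SAMPLE_DEBUG = """\
02:19:05: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0000.0000.0000
02:19:05: dot1x-ev:dot1x_tx_eap: EAP Ptk
02:19:05: dot1x-ev:EAP-code=REQUEST
02:19:05: dot1x-ev:EAP Type= IDENTITY
02:19:05: dot1x-ev:ID=4
02:19:35: dot1x-ev:dot1x_post_message_to_auth_sm:0000.0000.0000: Sending TX_FAIL
02:19:35: dot1x-ev:dot1x_tx_eap: EAP Ptk
02:19:35: dot1x-ev:EAP-code=FAILURE
02:19:35: dot1x-ev:EAP Type= IDENTITY
02:19:35: dot1x-ev:ID=4
"""

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d): dot1x-ev:\s*(.*)$")
MAC_RE = re.compile(r"\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b")


def parse_events(text):
    """Return [(seconds since midnight, message)] for every dot1x-ev line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            h, mi, s, msg = m.groups()
            events.append((int(h) * 3600 + int(mi) * 60 + int(s), msg))
    return events


def diagnose(text, tx_period=30):
    """Classify why the port ended UNAUTHORIZED, from the EAP codes the switch logged."""
    events = parse_events(text)
    macs = {mac for _, msg in events for mac in MAC_RE.findall(msg)}
    codes = [(t, msg.split("=", 1)[1].strip()) for t, msg in events
             if msg.startswith("EAP-code=")]
    first_request = next((t for t, code in codes if code == "REQUEST"), None)
    tx_fail = next((t for t, msg in events if "Sending TX_FAIL" in msg), None)
    # Any RESPONSE means a supplicant frame reached the switch and the exchange
    # progressed beyond Request/Identity, so the problem lies further along.
    if any(code == "RESPONSE" for _, code in codes):
        return "supplicant answered: look at the RADIUS exchange or the EAP method"
    # All-zero MAC, no RESPONSE, and TX_FAIL one TxPeriod after the Request: the
    # switch timed out waiting for EAP-Response/Identity and never had a reason
    # to contact RADIUS, so the fault is on the client-to-switch path.
    if (macs <= {"0000.0000.0000"} and first_request is not None
            and tx_fail is not None and tx_fail - first_request >= tx_period):
        return "supplicant silent: Request/Identity timed out after %ds" % (tx_fail - first_request)
    return "inconclusive"
```

Feed it the full `debug dot1x` capture from a switch; a "supplicant silent" verdict points at the PC-side 802.1X service or the cable path rather than at the RADIUS configuration.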