From: Kevin (trung@vnsystem.net)
Date: Thu Oct 13 2005 - 05:45:11 GMT-3
Hi,
The following is debug from the cat3550. Dot1x is configured on port fa0/1.
Radius Service is running on 192.168.1.155.
What I see from this debug is that the authentication request is rejected by
the server? I can't find out the cause.
Thanks in advance,
Kevin
07:29:51: RADIUS: EAP-login: length of radius packet = 125 code = 1
07:29:51: RADIUS(00000000): Send Access-Request to 192.168.1.155:1645 id 1645/8, len 125
SW3550-1(config)#
07:29:51: RADIUS: authenticator 72 8E 3B A7 FA 88 FB 41 - 83 AF F3 84 94 69 39 C0
07:29:51: RADIUS: NAS-IP-Address [4] 6 192.168.1.201
07:29:51: RADIUS: NAS-Port [5] 6 50001
07:29:51: RADIUS: NAS-Port-Type [61] 6 Eth [15]
07:29:51: RADIUS: User-Name [1] 7 "trung"
07:29:51: RADIUS: Called-Station-Id [30] 19 "00-0D-BC-A8-83-81"
07:29:51: RADIUS: Calling-Station-Id [31] 19 "00-03-47-B6-CA-45"
SW3550-1(config)#
07:29:51: RADIUS: Service-Type [6] 6 Framed [2]
07:29:51: RADIUS: Framed-MTU [12] 6 1500
07:29:51: RADIUS: EAP-Message [79] 12
07:29:51: RADIUS: 02 01 00 0A 01 74 72 75 6E 67 [?????trung]
07:29:51: RADIUS: Message-Authenticato[80] 18
07:29:51: RADIUS: 15 69 46 DC 87 7D DF 4D 3F DC AF 14 CE 92 83 6F [?iF??}?M???????o]
07:29:51: RADIUS: Received from id 1645/8 192.168.1.155:1645, Access-Reject, len 44
07:29:51: RADIUS: authenticator F6 31 2D DC 22 CC 2B 5E - BD F9 A4 7F 8E AF 6A D9
07:29:51: RADIUS: EAP-Message [79] 6
07:29:51: RADIUS: 04 02 00 04 [????]
07:29:51: RADIUS: Message-Authenticato[80] 18
07:29:51: RADIUS: C8 1D B5 41 8A A0 DC 7D 1D 8A 66 F1 C3 EB 14 D1 [???A???}??f?????]
07:29:51: RADIUS: EAP-login: length of eap packet = 4
07:29:51: RADIUS: EAP-login: got reject from radius
07:29:51: AAA/AUTHEN (1920283195): status = FAIL
07:29:51: dot1x-err:Dot1x Authentication failed (AAA_AUTHEN_STATUS_FAIL)
==============================
The configuration is as follow:
SW3550-1#sh run
Building configuration...
Current configuration : 2763 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SW3550-1
!
enable password cisco
!
aaa new-model
aaa authentication login default group radius none
aaa authentication dot1x default group radius
!
aaa session-id common
ip subnet-zero
!
interface FastEthernet0/1
switchport mode access
dot1x port-control auto
spanning-tree portfast
!
..........
interface Vlan1
ip address 192.168.1.201 255.255.255.0
no ip route-cache
!
!
radius-server host 192.168.1.155 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key cisco
....
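To read what the two EAP-Message hex dumps in the debug above actually carry, here is an added EAP header decoder (example code written for this page, not part of the original post or of any Cisco tool). The two byte strings are copied from the dump; the diagnosis rules in diagnose() are this example's own assumptions.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}

# Constructed from the two EAP-Message hex dumps in the debug above:
# the switch's Access-Request and the server's Access-Reject.
SWITCH_TO_SERVER = bytes.fromhex("02 01 00 0A 01 74 72 75 6E 67")
SERVER_TO_SWITCH = bytes.fromhex("04 02 00 04")


def parse_eap(pkt: bytes) -> dict:
    """Decode one EAP packet (RFC 3748 section 4): Code, Id, Length, then Type + data."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP Length field {length} != {len(pkt)} bytes received")
    out = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2):  # only Request/Response carry a Type byte and type data
        if length < 5:
            raise ValueError("Request/Response is missing its Type byte")
        out["type"] = EAP_TYPES.get(pkt[4], f"unknown({pkt[4]})")
        out["data"] = pkt[5:]
    return out


def diagnose(sent: bytes, received: bytes) -> list:
    """Explain the server's reply to the supplicant's last EAP message (assumed rules)."""
    req, resp = parse_eap(sent), parse_eap(received)
    findings = []
    if resp["code"] == "Failure" and req.get("type") == "Identity":
        findings.append("Failure straight after Response/Identity: the server never issued an "
                        "MD5-Challenge, so it rejected before any password was checked "
                        "(unknown user, EAP not enabled, or policy on the server side)")
    if resp["code"] in ("Success", "Failure") and resp["id"] != req["id"]:
        findings.append(f"Identifier mismatch: {resp['code']} id={resp['id']} answers Response "
                        f"id={req['id']}; RFC 3748 section 4.2 requires them to match")
    if resp["code"] == "Request" and resp.get("type") == "MD5-Challenge":
        findings.append("Request/MD5-Challenge received: identity accepted, credential round in progress")
    return findings


if __name__ == "__main__":
    print(parse_eap(SWITCH_TO_SERVER))
    print(parse_eap(SERVER_TO_SWITCH))
    for finding in diagnose(SWITCH_TO_SERVER, SERVER_TO_SWITCH):
        print("-", finding)
```

Decoded, the switch sent Response/Identity "trung" and the server answered with a bare EAP Failure, which points at the RADIUS server's user or EAP configuration rather than at the password.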
-----Original Message-----
From: Aleksander Klessa [mailto:aleksander.klessa@atm.com.pl]
Sent: Wednesday, October 12, 2005 5:05 PM
To: Kevin
Subject: Re: Unable to authenticate with dot1x
Hi,
What about the radius-server ports (1645/1646; you are using 1812/1813)? Have
you watched debug radius authen, debug aaa authen?
Best,
Aleksander
Kevin wrote:
> Well Ryan,
> I have checked the link you listed several times before and I believe I
> didn't miss any configuration. Unfortunately, I can't make it work :(.
> Also in my first post, I specified that the client PC is running WinXP-sp2
> with dot1x enabled (md5-challenge).
>
> Hi Alek,
>
> The cat2950 is running IOS ver 12.1(22)EA1, pls see below.
> I tried another sw, the cat3550, with an IOS ver 12.2(25) Enhanced Image, but
> still have no luck :(
>
> SW2950-1#sh ver
> Cisco Internetwork Operating System Software
> IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA2, RELEASE SOFTWARE (fc1)
> Copyright (c) 1986-2004 by cisco Systems, Inc.
> Compiled Sun 07-Nov-04 23:14 by antonino
> Image text-base: 0x80010000, data-base: 0x8055E000
>
> ROM: Bootstrap program is C2950 boot loader
>
> SW2950-1 uptime is 7 hours, 22 minutes
> System returned to ROM by power-on
> System image file is "flash:/c2950-i6q4l2-mz.121-22.EA2.bin"
>
>
> ------------
>
> SW3550-1#sh ver
> Cisco IOS Software, C3550 Software (C3550-I5Q3L2-M), Version 12.2(25)SEA, RELEASE SOFTWARE (fc)
> Copyright (c) 1986-2005 by Cisco Systems, Inc.
> Compiled Tue 25-Jan-05 18:57 by antonino
>
> ROM: Bootstrap program is C3550 boot loader
>
> SW3550-1 uptime is 7 hours, 25 minutes
> System returned to ROM by power-on
> System image file is "flash:/c3550-i5q3l2-mz.122-25.SEA.bin"
>
>
> -----Original Message-----
> From: The Great Ryan [mailto:pv.ryan@gmail.com]
> Sent: Wednesday, October 12, 2005 2:06 PM
> To: Kevin
> Subject: Re: Unable to authenticate with dot1x
>
> Ok. Your switch configuration seems to be ok.
>
> Besides, there are some special settings for Dot1x in the Radius Server. I
> have set up Dot1x Authentication using ACS server only. Try the
> following link:
>
> http://www.cisco.com/en/US/partner/products/hw/switches/ps700/products_tech_note09186a00801d11a4.shtml
>
> Finally, there are some requirements on the client side. For example, you
> must use Windows XP (not Windows 98) for Dot1x authentication and need
> to enable the Dot1x feature on your PC.
>
>
> Ryan
>
>
> 2005/10/12, Kevin <trung@vnsystem.net>:
>
>>Thanks Ryan,
>>Yes, I did configure the IP add on my sw; as I described in the previous
>>post, I have successful connectivity & authentication between the sw &
>>radius server. I've tested the radius server with login method and it worked
>>fine, but it was not ok with dot1x.
>>I see this in debug but I don't actually understand what it means:
>>
>>>02:19:35: dot1x-ev:dot1x_post_message_to_auth_sm:0000.0000.0000: Sending TX_FAIL
>>
>>Kevin.
>>
>>
>>-----Original Message-----
>>From: The Great Ryan [mailto:pv.ryan@gmail.com]
>>Sent: Wednesday, October 12, 2005 11:38 AM
>>To: Kevin
>>Cc: ccielab@groupstudy.com
>>Subject: Re: Unable to authenticate with dot1x
>>
>>Your switch should have a management IP such that there is IP reachability
>>between your switch and the Radius Server. This is because the switch will send
>>the dot1x request, on behalf of the dot1x client connecting to your
>>switch, to the Radius server for authentication.
>>
>>
>>Ryan
>>
>>2005/10/12, Kevin <trung@vnsystem.net>:
>>
>>>Hi group,
>>>
>>>I was doing port authentication with dot1x on catalyst 2950 but I never made
>>>it work. I've successfully tested connectivity between SW & radius server
>>>(Login using radius is ok).
>>>
>>>I've tried many times on cat2950, 3550, changed radius server (steel-belted,
>>>WinRadius), used a different desktop (winxp-sp2), and still have the same
>>>result - "Authentication failed". I paste my config & some debug lines here
>>>and I hope someone in this group can help me out.
>>>
>>>Many thanks.
>>>
>>>Kevin.
>>>
>>>P/s: I'm using the IBM thinkpad T23 with WINXP-sp2 for client.
>>>Authentication method is MD5.
>>>
>>>SW2950-1#sh run
>>>Building configuration...
>>>
>>>!
>>>aaa new-model
>>>aaa authentication login default group radius
>>>aaa authentication dot1x default group radius
>>>!
>>>dot1x system-auth-control
>>>!
>>>!
>>>!
>>>interface FastEthernet0/1
>>> switchport mode access
>>> dot1x port-control auto
>>>!
>>>..
>>>!
>>>radius-server host 192.168.1.154 auth-port 1812 acct-port 1813
>>>radius-server retransmit 3
>>>radius-server key cisco
>>>!
>>>
>>>SW2950-1#sh dot1x int fa0/1
>>>Supplicant MAC <Not Applicable>
>>> AuthSM State = CONNECTING
>>> BendSM State = IDLE
>>>PortStatus = UNAUTHORIZED
>>>MaxReq = 2
>>>HostMode = Single
>>>Port Control = Auto
>>>QuietPeriod = 60 Seconds
>>>Re-authentication = Disabled
>>>ReAuthPeriod = 3600 Seconds
>>>ServerTimeout = 30 Seconds
>>>SuppTimeout = 30 Seconds
>>>TxPeriod = 30 Seconds
>>>Guest-Vlan = 0
>>>
>>>SW2950-1#debug dot1x
>>>
>>>02:19:05: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0000.0000.0000
>>>02:19:05: dot1x-ev:dot1x_tx_eap: EAP Ptk
>>>02:19:05: dot1x-ev:EAP-code=REQUEST
>>>02:19:05: dot1x-ev:EAP Type= IDENTITY
>>>02:19:05: dot1x-ev:ID=4
>>>
>>>02:19:35: dot1x-ev:Default and only instance. evaluation for guest vlan move
>>>02:19:35: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEthernet0/1
>>>02:19:35: dot1x-ev:dot1x_update_port_status: Called with host_mode=0 state UNAUTHORIZED
>>>02:19:35: dot1x-ev:dot1x_update_port_status: using mac 0000.0000.0000 to send port to unauthorized on vlan 0
>>>02:19:35: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80CA2C10
>>>02:19:35: dot1x-ev:dot1x_port_unauthorized: Host-mode=0 radius/guest vlan=0
>>>02:19:35: dot1x-ev: GuestVlan configured=0
>>>02:19:35: dot1x-ev:supplicant 0000.0000.0000 is default
>>>02:19:35: dot1x-ev:supplicant 0000.0000.0000 is last
>>>02:19:35: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEthernet0/1
>>>02:19:35: dot1x-ev:Enter function dot1x_aaa_acct_end
>>>02:19:35: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80CA2C10
>>>02:19:35: dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80CA2C10
>>>02:19:35: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface FastEthernet0/1
>>>02:19:35: dot1x-ev:dot1x_post_message_to_auth_sm:0000.0000.0000: Sending TX_FAIL
>>>02:19:35: dot1x-ev:dot1x_post_message_to_auth_sm:0000.0000.0000: Current ID=5
>>>02:19:35: dot1x-ev:dot1x_tx_eap: EAP Ptk
>>>02:19:35: dot1x-ev:EAP-code=FAILURE
>>>02:19:35: dot1x-ev:EAP Type= IDENTITY
>>>02:19:35: dot1x-ev:ID=4
>>>02:19:35: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface FastEthernet0/1
>>>02:19:35: dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0000.0000.0000
>>>02:19:35: dot1x-ev:dot1x_tx_eap: EAP Ptk
>>>02:19:35: dot1x-ev:EAP-code=REQUEST
>>>02:19:35: dot1x-ev:EAP Type= IDENTITY
>>>02:19:35: dot1x-ev:ID=5
>>>
>>>
>>>_______________________________________________________________________
>>>Subscription information may be found at:
>>>http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sun Nov 06 2005 - 22:00:50 GMT-3