debug radius
What are you pointing to 802.1x? ACS or Windows 2003/IAS or Windows 2008/NPS?
On client run Wireshark with Filter = EAPOL
On Radius server run Wireshark with Filter = RADIUS
________________________________________
From: nobody_at_groupstudy.com [nobody_at_groupstudy.com] On Behalf Of spycharlies [spycharlies_at_gmail.com]
Sent: Wednesday, May 05, 2010 12:46 PM
To: Cisco certification
Subject: to the dot1x gurus..any input, appreciated !!!
To the dot1x gurus..,
I have been using dot1x for our wireless network for a while now and it's
been running smooth. I decided to test
dot1x for wired connections. Unfortunately, it's not working. For 3 days now,
I have no idea what I am doing wrong.
Here is a debug
May 5 09:18:48.629: %DOT1X-5-FAIL: Authentication failed for client
(Unknown MAC) on Interface Fa0/1
May 5 09:18:48.629: dot1x-ev(Fa0/1): Sending event (2) to Auth Mgr for
0000.0000.0000
May 5 09:18:48.629: %AUTHMGR-7-RESULT: Authentication result 'no-response'
from 'dot1x' for client (Unknown MAC) on Interface Fa0/1
May 5 09:18:48.629: dot1x-ev(Fa0/1): Received Authz fail for the client
0x6300001F (0000.0000.0000)
May 5 09:18:48.629: dot1x-ev(Fa0/1): Deleting client 0x6300001F
(0000.0000.0000)
May 5 09:18:48.629: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for
client (Unknown MAC) on Interface Fa0/1
May 5 09:18:48.629: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication
methods for client (Unknown MAC) on Interface Fa0/1
May 5 09:18:48.671: dot1x-sm(Fa0/1): Posting_AUTHZ_FAIL on Client
0x6300001F
May 5 09:18:48.671: dot1x_auth Fa0/1: during state auth_authc_result,
got event 22(authzFail)
May 5 09:18:48.671: @@@ dot1x_auth Fa0/1: auth_authc_result -> auth_held
May 5 09:18:48.671: dot1x-ev:Delete auth client (0x6300001F) message
May 5 09:37:10.738: dot1x-ev(Fa0/1): Dot1x authentication started for
0x3A000020 (0000.0000.0000)
May 5 09:38:43.397: dot1x-sm(Fa0/1): Posting_AUTHZ_FAIL on Client
0x3A000020
May 5 09:38:43.397: dot1x_auth Fa0/1: during state auth_authc_result,
got event 22(authzFail)
May 5 09:38:43.397: @@@ dot1x_auth Fa0/1: auth_authc_result -> auth_held
May 5 09:38:43.397: dot1x-ev:Delete auth client (0x3A000020) message
May 5 09:38:43.397: dot1x-ev:Auth client ctx destroyed
May 5 09:38:43.397: dot1x-ev:Aborted posting message to authenticator state
machine: Invalid client
May 5 09:38:43.397: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/1, changed state to up
May 5 09:38:44.412: %AUTHMGR-5-SUCCESS: Authorization succeeded for client
(Unknown MAC) on Interface Fa0/1
switch#test aaa group radius cisco cisco123 legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated.
The weirdest thing is, when I log in with my PC to my domain with the
username and password, cisco & cisco123, the ACS log does not
even see my username (obviously it seems like the switch is not sending this
information to the ACS).
==
my dot1x configs are pretty standard
==
dot1x system-auth-control
dot1x guest-vlan supplicant
aaa authentication login default group radius
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
radius-server host 192.168.2.254 auth-port 1000 acct-port 1001
radius-server host 192.168.2.253 auth-port 1000 acct-port 1001
radius-server key 7 xx
interface FastEthernet0/1
 switchport mode access 5
 authentication event fail retry 1 action authorize vlan 4
 authentication event no-response action authorize vlan 4
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
end
==
#sh vlan | in dot1x
5 Staff_dot1xTest active
4 Student_dot1xTest active Fa0/1
Any input, much appreciated!
Thanks,
Charlie
Received on Wed May 05 2010 - 14:07:39 ART
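An added example, not part of the original thread: a small Python triage of the AUTHMGR syslog lines quoted in the post, which rejoins the mail-wrapped lines and flags a port that ends up authorized after 802.1X returned 'no-response'. The function names, and the reading of that sequence as the port's configured no-response action taking effect rather than a RADIUS accept, are assumptions of this example.

```python
import re

# Syslog lines copied from the debug in the post above, still hard-wrapped as mailed.
SAMPLE = """\
May 5 09:18:48.629: %AUTHMGR-7-RESULT: Authentication result 'no-response'
from 'dot1x' for client (Unknown MAC) on Interface Fa0/1
May 5 09:18:48.629: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for
client (Unknown MAC) on Interface Fa0/1
May 5 09:18:48.629: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication
methods for client (Unknown MAC) on Interface Fa0/1
May 5 09:38:44.412: %AUTHMGR-5-SUCCESS: Authorization succeeded for client
(Unknown MAC) on Interface Fa0/1
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+: ")
EVENT = re.compile(r"%AUTHMGR-\d-(\w+): (.*?) on Interface (\S+)$")
RESULT = re.compile(r"result '([^']+)' from '([^']+)'")

def unwrap(text):
    """Rejoin mail-wrapped lines: a line with no timestamp continues the previous one."""
    out = []
    for line in text.splitlines():
        if STAMP.match(line) or not out:
            out.append(line.strip())
        else:
            out[-1] += " " + line.strip()
    return out

def triage(text):
    """Per interface: method results seen, last outcome, and a fallback flag."""
    ports = {}
    for line in unwrap(text):
        m = EVENT.search(line)
        if not m:
            continue
        mnemonic, detail, intf = m.groups()
        p = ports.setdefault(intf, {"results": [], "outcome": None})
        r = RESULT.search(detail)
        if mnemonic == "RESULT" and r:
            p["results"].append((r.group(2), r.group(1)))  # (method, result)
        elif mnemonic in ("SUCCESS", "NOMOREMETHODS"):
            p["outcome"] = mnemonic
    for p in ports.values():
        # Assumed reading: SUCCESS after a dot1x 'no-response' is a fallback authorization.
        p["fallback"] = (p["outcome"] == "SUCCESS"
                         and ("dot1x", "no-response") in p["results"])
    return ports

print(triage(SAMPLE))
```

A port flagged this way was authorized without the supplicant completing an EAP exchange, so no username for it would be expected in the RADIUS server's log.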