Re: to the dot1x gurus..any input, appreciated !!!

From: spycharlies <spycharlies_at_gmail.com>
Date: Wed, 5 May 2010 13:29:38 -0600

That's a good idea, I will run Wireshark on the client to see if I get any
helpful information.

The dot1x is pointing to the ACS (FYI, ACS v5), although it is using an external Windows
Server 2003 database.

With regards to my config as earlier posted, my ports were actually
"auth-port 1645 acct-port 1646", not 1000 & 1001.

Thanks,

Charlie

On Wed, May 5, 2010 at 12:07 PM, Jason Aarons (US) <
jason.aarons_at_us.didata.com> wrote:

> debug radius
>
> What are you pointing 802.1x to? ACS, Windows 2003/IAS or Windows
> 2008/NPS?
>
> On client run Wireshark with Filter = EAPOL
> On Radius server run Wireshark with Filter = RADIUS
>
> ________________________________________
> From: nobody_at_groupstudy.com [nobody_at_groupstudy.com] On Behalf Of
> spycharlies [spycharlies_at_gmail.com]
> Sent: Wednesday, May 05, 2010 12:46 PM
> To: Cisco certification
> Subject: to the dot1x gurus..any input, appreciated !!!
>
> To the dot1x gurus,
>
> I have been using dot1x for our wireless network for a while now and it's
> been running smoothly. I decided to test
> dot1x for wired connections. Unfortunately, it's not working. For 3 days
> now,
> I have had no idea what I am doing wrong.
>
>
> Here is a debug
>
> May 5 09:18:48.629: %DOT1X-5-FAIL: Authentication failed for client
> (Unknown MAC) on Interface Fa0/1
> May 5 09:18:48.629: dot1x-ev(Fa0/1): Sending event (2) to Auth Mgr for
> 0000.0000.0000
> May 5 09:18:48.629: %AUTHMGR-7-RESULT: Authentication result 'no-response'
> from 'dot1x' for client (Unknown MAC) on Interface Fa0/1
> May 5 09:18:48.629: dot1x-ev(Fa0/1): Received Authz fail for the client
> 0x6300001F (0000.0000.0000)
> May 5 09:18:48.629: dot1x-ev(Fa0/1): Deleting client 0x6300001F
> (0000.0000.0000)
> May 5 09:18:48.629: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for
> client (Unknown MAC) on Interface Fa0/1
> May 5 09:18:48.629: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication
> methods for client (Unknown MAC) on Interface Fa0/1
> May 5 09:18:48.671: dot1x-sm(Fa0/1): Posting_AUTHZ_FAIL on Client
> 0x6300001F
> May 5 09:18:48.671: dot1x_auth Fa0/1: during state auth_authc_result,
> got event 22(authzFail)
> May 5 09:18:48.671: @@@ dot1x_auth Fa0/1: auth_authc_result -> auth_held
> May 5 09:18:48.671: dot1x-ev:Delete auth client (0x6300001F) message
>
> May 5 09:37:10.738: dot1x-ev(Fa0/1): Dot1x authentication started for
> 0x3A000020 (0000.0000.0000)
>
> May 5 09:38:43.397: dot1x-sm(Fa0/1): Posting_AUTHZ_FAIL on Client
> 0x3A000020
> May 5 09:38:43.397: dot1x_auth Fa0/1: during state auth_authc_result,
> got event 22(authzFail)
> May 5 09:38:43.397: @@@ dot1x_auth Fa0/1: auth_authc_result -> auth_held
> May 5 09:38:43.397: dot1x-ev:Delete auth client (0x3A000020) message
> May 5 09:38:43.397: dot1x-ev:Auth client ctx destroyed
> May 5 09:38:43.397: dot1x-ev:Aborted posting message to authenticator
> state
> machine: Invalid client
> May 5 09:38:43.397: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> FastEthernet0/1, changed state to up
> May 5 09:38:44.412: %AUTHMGR-5-SUCCESS: Authorization succeeded for client
> (Unknown MAC) on Interface Fa0/1
>
>
>
> switch#test aaa group radius cisco cisco123 legacy
> Attempting authentication test to server-group radius using radius
> User was successfully authenticated.
>
>
> The weirdest thing is, when I log in with my PC to my domain with the
> username and password, cisco & cisco123, the ACS log does not
> even see my username (obviously it seems like the switch is not sending
> this
> information to the ACS).
>
> ==
> my dot1x configs are pretty standard
> ==
>
> dot1x system-auth-control
> dot1x guest-vlan supplicant
>
> aaa authentication login default group radius
> aaa authentication dot1x default group radius
> aaa authorization network default group radius
> aaa accounting dot1x default start-stop group radius
> aaa accounting system default start-stop group radius
>
>
> radius-server host 192.168.2.254 auth-port 1000 acct-port 1001
> radius-server host 192.168.2.253 auth-port 1000 acct-port 1001
> radius-server key 7 xx
>
> interface FastEthernet0/1
> switchport mode access 5
> authentication event fail retry 1 action authorize vlan 4
> authentication event no-response action authorize vlan 4
> authentication port-control auto
> dot1x pae authenticator
> spanning-tree portfast
> end
>
> ==
> #sh vlan | in dot1x
>
> 5 Staff_dot1xTest active
> 4 Student_dot1xTest active Fa0/1
>
>
> Any input, much appreciated!
>
> Thanks,
>
> Charlie
>
>
> Blogs and organic groups at http://www.ccie.net
>

Received on Wed May 05 2010 - 13:29:38 ART
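The debug output quoted in the thread tells the story on its own once the %DOT1X and %AUTHMGR syslog lines are read in order: the client is reported as "Unknown MAC" / 0000.0000.0000, the dot1x result is 'no-response', the Auth Manager exhausts its methods, and the port is then authorized anyway because the interface has "authentication event no-response action authorize vlan 4". In other words the switch never saw an EAPOL frame from the supplicant, so it never built a RADIUS Access-Request, which is exactly why the ACS log shows no username. The following is an added example, not code from the thread or from Cisco: a small Python parser that classifies those syslog lines per interface and labels that sequence. The sample log is constructed from the lines quoted above (the dot1x-ev / dot1x-sm state-machine lines are skipped by the parser); the verdict names are my own.

```python
"""Classify Cisco IOS 802.1X / Auth Manager syslog lines per interface.

Added example (not from the thread). Verdict names are assumptions of
this script, not IOS terminology.
"""
import re
from collections import OrderedDict

# Constructed sample: the %DOT1X / %AUTHMGR lines quoted in the post.
SAMPLE_LOG = """\
May 5 09:18:48.629: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/1
May 5 09:18:48.629: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/1
May 5 09:18:48.629: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/1
May 5 09:18:48.629: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa0/1
May 5 09:38:44.412: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/1
"""

# "Mon D HH:MM:SS.mmm: %FACILITY-SEV-MNEMONIC: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d+): "
    r"%(?P<facility>[A-Z0-9]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<msg>.*)$"
)
CLIENT_RE = re.compile(r"for client \((?P<client>[^)]+)\) on Interface (?P<intf>\S+)")
RESULT_RE = re.compile(r"Authentication result '(?P<result>[^']+)' from '(?P<method>[^']+)'")

# Auth Manager reports these when no frame from a supplicant has been seen.
UNKNOWN_CLIENTS = {"Unknown MAC", "0000.0000.0000"}

EXPLANATIONS = {
    "NO_EAPOL_FALLBACK": "no EAPOL from the supplicant; no RADIUS request was sent; "
                         "port was opened by the no-response/guest fallback policy",
    "NO_EAPOL_HELD": "no EAPOL from the supplicant; port held, no fallback applied",
    "AUTHENTICATED": "supplicant completed EAP and the RADIUS server accepted it",
}


def parse_line(line):
    """Return a dict for a %FACILITY-SEV-MNEMONIC line, or None for anything else."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    c = CLIENT_RE.search(rec["msg"])
    rec["client"] = c.group("client") if c else None
    rec["intf"] = c.group("intf") if c else None
    r = RESULT_RE.search(rec["msg"])
    rec["result"] = r.group("result") if r else None
    rec["method"] = r.group("method") if r else None
    return rec


def _verdict(events):
    """Label the ordered event list for one interface."""
    results = [e["result"] for e in events if e["result"]]
    unknown_client = all(e["client"] in UNKNOWN_CLIENTS for e in events)
    mnemonics = [(e["facility"], e["mnemonic"]) for e in events]
    # Was the port authorized after every method had been exhausted?
    exhausted_at = next((i for i, m in enumerate(mnemonics)
                         if m == ("AUTHMGR", "NOMOREMETHODS")), None)
    authorized_after = exhausted_at is not None and any(
        m == ("AUTHMGR", "SUCCESS") for m in mnemonics[exhausted_at + 1:])
    if "no-response" in results and unknown_client:
        return "NO_EAPOL_FALLBACK" if authorized_after else "NO_EAPOL_HELD"
    if "success" in results:
        return "AUTHENTICATED"
    return "RESULT_" + results[-1].upper() if results else "UNKNOWN"


def diagnose(log_text):
    """Group parsed records by interface and attach a verdict to each group."""
    per_intf = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["intf"] is None:
            continue
        info = per_intf.setdefault(rec["intf"], {"events": [], "results": []})
        info["events"].append(rec)
        if rec["result"]:
            info["results"].append(rec["result"])
    for info in per_intf.values():
        info["verdict"] = _verdict(info["events"])
        info["explanation"] = EXPLANATIONS.get(info["verdict"], "see events")
    return per_intf


if __name__ == "__main__":
    for intf, info in diagnose(SAMPLE_LOG).items():
        print(f"{intf}: {info['verdict']} ({info['explanation']})")
        for e in info["events"]:
            print(f"  {e['ts']} {e['facility']}-{e['sev']}-{e['mnemonic']} "
                  f"client={e['client']} result={e['result']}")
```

The useful part for the original poster is the distinction the verdict makes: a RADIUS reject would show a real client MAC and an Access-Request in the ACS log, whereas "Unknown MAC" plus 'no-response' means the problem sits on the client side of the port (supplicant service not running or the wired adapter not configured for 802.1X), and the later %AUTHMGR-5-SUCCESS is only the fallback VLAN being applied, not an authentication. Running Wireshark on the client with the EAPOL filter, as suggested in the reply, confirms the same thing from the other end.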
