RE: to the dot1x gurus..any input, appreciated !!!

From: Jason Aarons (US) <jason.aarons_at_us.didata.com>
Date: Wed, 5 May 2010 15:36:55 -0400

ACS Reporting and Monitoring gives back details as well. However, if the same setup
works wireless then post your switch aaa running-config. Check the dot1x
section for your model switch administration guide to see what you missed.
Sent from my Windows phone.

________________________________
From: spycharlies <spycharlies_at_gmail.com>
Sent: Wednesday, May 05, 2010 3:33 PM
To: Jason Aarons (US) <jason.aarons_at_us.didata.com>
Cc: Cisco certification <ccielab_at_groupstudy.com>
Subject: Re: to the dot1x gurus..any input, appreciated !!!

That's a good idea, I will run Wireshark on the client to see if I get any helpful information.

The dot1x is pointing to the ACS (FYI ACS v5), although using an external Windows 2003 database.

With regards to my config as earlier posted: my ports were actually "auth-port 1645 acct-port 1646", not 1000 & 1001.

Thanks,

Charlie

On Wed, May 5, 2010 at 12:07 PM, Jason Aarons (US) <jason.aarons_at_us.didata.com> wrote:
debug radius

What are you pointing 802.1x to? ACS or Windows 2003/IAS or Windows 2008/NPS?

On client run Wireshark with Filter = EAPOL
On Radius server run Wireshark with Filter = RADIUS

________________________________________
From: nobody_at_groupstudy.com [nobody_at_groupstudy.com] On Behalf Of spycharlies [spycharlies_at_gmail.com]
Sent: Wednesday, May 05, 2010 12:46 PM
To: Cisco certification
Subject: to the dot1x gurus..any input, appreciated !!!

To the dot1x gurus..,

I have been using dot1x for our wireless network for a while now and it's been running smoothly. I decided to test dot1x for wired connections. Unfortunately, it's not working. For 3 days now, I have had no idea what I am doing wrong.

Here is a debug

May 5 09:18:48.629: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/1
May 5 09:18:48.629: dot1x-ev(Fa0/1): Sending event (2) to Auth Mgr for 0000.0000.0000
May 5 09:18:48.629: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/1
May 5 09:18:48.629: dot1x-ev(Fa0/1): Received Authz fail for the client 0x6300001F (0000.0000.0000)
May 5 09:18:48.629: dot1x-ev(Fa0/1): Deleting client 0x6300001F (0000.0000.0000)
May 5 09:18:48.629: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/1
May 5 09:18:48.629: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa0/1
May 5 09:18:48.671: dot1x-sm(Fa0/1): Posting_AUTHZ_FAIL on Client 0x6300001F
May 5 09:18:48.671: dot1x_auth Fa0/1: during state auth_authc_result, got event 22(authzFail)
May 5 09:18:48.671: @@@ dot1x_auth Fa0/1: auth_authc_result -> auth_held
May 5 09:18:48.671: dot1x-ev:Delete auth client (0x6300001F) message

May 5 09:37:10.738: dot1x-ev(Fa0/1): Dot1x authentication started for 0x3A000020 (0000.0000.0000)

May 5 09:38:43.397: dot1x-sm(Fa0/1): Posting_AUTHZ_FAIL on Client 0x3A000020
May 5 09:38:43.397: dot1x_auth Fa0/1: during state auth_authc_result, got event 22(authzFail)
May 5 09:38:43.397: @@@ dot1x_auth Fa0/1: auth_authc_result -> auth_held
May 5 09:38:43.397: dot1x-ev:Delete auth client (0x3A000020) message
May 5 09:38:43.397: dot1x-ev:Auth client ctx destroyed
May 5 09:38:43.397: dot1x-ev:Aborted posting message to authenticator state machine: Invalid client
May 5 09:38:43.397: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
May 5 09:38:44.412: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/1

switch#test aaa group radius cisco cisco123 legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated.

The weirdest thing is, when I log in with my PC to my domain with the username and password cisco & cisco123, the ACS log does not even see my username (obviously it seems like the switch is not sending this information to the ACS).

==
my dot1x configs are pretty standard
==

dot1x system-auth-control
dot1x guest-vlan supplicant

aaa authentication login default group radius
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
radius-server host 192.168.2.254 auth-port 1000 acct-port 1001
radius-server host 192.168.2.253 auth-port 1000 acct-port 1001
radius-server key 7 xx
interface FastEthernet0/1
 switchport mode access 5
 authentication event fail retry 1 action authorize vlan 4
 authentication event no-response action authorize vlan 4
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
end

==
#sh vlan | in dot1x

5 Staff_dot1xTest active
4 Student_dot1xTest active Fa0/1

Any input, much appreciated!

Thanks,

Charlie
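As an added example (not part of the thread), a small Python triage script over the AUTHMGR lines from Charlie's debug: it pulls the per-interface dot1x result, explains what 'no-response' implies, and flags the later "Authorization succeeded" that follows a failover as the configured no-response/auth-fail VLAN rather than a RADIUS accept. The sample lines are copied from the debug above; the HINTS wording and the triage() helper are my own, not IOS or ACS output.

```python
import re
from collections import defaultdict

# Constructed sample: the AUTHMGR lines quoted in Charlie's debug, one message per line.
SAMPLE_DEBUG = """\
May 5 09:18:48.629: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/1
May 5 09:18:48.629: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/1
May 5 09:18:48.629: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/1
May 5 09:18:48.629: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa0/1
May 5 09:38:44.412: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/1
"""

SYSLOG_RE = re.compile(r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)")
RESULT_RE = re.compile(r"result '(?P<result>[^']+)' from '(?P<method>[^']+)'")
IFACE_RE = re.compile(r"on Interface (?P<iface>\S+)")

# Reading guide for the result string (my own wording, not an IOS table).
HINTS = {
    "no-response": "EAP-Request/Identity went out, no EAPOL came back: "
                   "supplicant not running or EAPOL not reaching the port",
    "fail": "supplicant answered but the RADIUS server rejected it: "
            "check credentials and the ACS/NPS log",
}

def triage(debug_text):
    """Per interface: dot1x result, a hint, and whether a later
    'Authorization succeeded' followed a failover (i.e. the configured
    no-response / auth-fail VLAN, not a RADIUS Access-Accept)."""
    st = defaultdict(lambda: {"result": None, "failed_over": False, "success": False})
    for line in debug_text.splitlines():
        m = SYSLOG_RE.search(line)
        if not m:
            continue  # dot1x-ev / dot1x-sm lines carry no %MNEMONIC, skip them
        im = IFACE_RE.search(m["msg"])
        s = st[im["iface"] if im else "?"]
        mnem = m["mnemonic"]
        if mnem == "AUTHMGR-7-RESULT":
            r = RESULT_RE.search(m["msg"])
            if r:
                s["result"] = r["result"]
        elif mnem in ("AUTHMGR-7-FAILOVER", "AUTHMGR-7-NOMOREMETHODS"):
            s["failed_over"] = True
        elif mnem == "AUTHMGR-5-SUCCESS":
            s["success"] = True
    return {i: {"result": s["result"],
                "hint": HINTS.get(s["result"], "unrecognised result; read the full debug"),
                "fallback_vlan_only": s["success"] and s["failed_over"]}
            for i, s in st.items()}
```

Run triage(SAMPLE_DEBUG) and Fa0/1 comes back as 'no-response' with fallback_vlan_only set, which matches the sh vlan output showing Fa0/1 parked in VLAN 4: the port was never authenticated by RADIUS, so ACS never saw the username.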

Received on Wed May 05 2010 - 15:36:55 ART

This archive was generated by hypermail 2.2.0 : Tue Jun 01 2010 - 07:09:52 ART