You're right, Sadiq, my authentication was screwed up. Stupid me! I completely
forgot Microsoft Active Directory does not support MD5. I changed the network
card authentication setting to PEAP, and it's working ok now.
Now that the dot1x is working, my goal is to send an AV pair from ACS to
trigger a smartport macro for my access port; hopefully that goes
smoothly...
A word or two from you guys is always useful.
Thanks
============
R.I.P to our beloved President Yar'Adua (NIGERIA) ... May04,2010
=============
Cheers
On Wed, May 5, 2010 at 5:02 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
> Charlie,
>
> What EAP method are you doing on the dot1x client? MD5, PEAP or TLS? Have
> you configured certificates, etc, on client and server?
>
> Seems to me like you don't have a supplicant on the port? See below:
>
>
> May 5 09:18:48.629: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/1
>
> All EAP Request Identity frames seem to be getting ignored by the client.
> This comes down to what you have configured as an EAP method. Are you
> getting a password prompt on the client?
>
> Can we see a full running configuration?
>
> Thanks,
> Sadiq
>
> On Wed, May 5, 2010 at 8:36 PM, Jason Aarons (US) <jason.aarons_at_us.didata.com> wrote:
>
>> ACS Reporting and Monitoring gives back details as well. However, if the same
>> setup works wireless then post your switch aaa running-config. Check the dot1x
>> section for your model switch administration guide to see what you missed.
>> Sent from my Windows phone.
>>
>> ________________________________
>> From: spycharlies <spycharlies_at_gmail.com>
>> Sent: Wednesday, May 05, 2010 3:33 PM
>> To: Jason Aarons (US) <jason.aarons_at_us.didata.com>
>> Cc: Cisco certification <ccielab_at_groupstudy.com>
>> Subject: Re: to the dot1x gurus..any input, appreciated !!!
>>
>> That's a good idea, I will run Wireshark on the client to see if I get any
>> helpful information.
>>
>> The dot1x is pointing to the ACS (fyi ACS v5), although using an external
>> Windows 2003 database.
>>
>> With regards to my config as earlier posted -- my ports were actually
>> "auth-port 1645 acct-port 1646", not 1000 & 1001.
>>
>> Thanks,
>>
>> Charlie
>>
>>
>> On Wed, May 5, 2010 at 12:07 PM, Jason Aarons (US)
>> <jason.aarons_at_us.didata.com> wrote:
>> debug radius
>>
>> What are you pointing 802.1x to? ACS or Windows 2003/IAS or Windows
>> 2008/NPS?
>>
>> On client run Wireshark with Filter = EAPOL
>> On Radius server run Wireshark with Filter = RADIUS
>>
>> ________________________________________
>> From: nobody_at_groupstudy.com [nobody_at_groupstudy.com] On Behalf Of
>> spycharlies [spycharlies_at_gmail.com]
>> Sent: Wednesday, May 05, 2010 12:46 PM
>> To: Cisco certification
>> Subject: to the dot1x gurus..any input, appreciated !!!
>>
>> To the dot1x gurus..,
>>
>> I have been using dot1x for our wireless network for a while now and it's
>> been running smooth. I decided to test dot1x for wired connections.
>> Unfortunately, it's not working. For 3 days now, I have no idea what I am
>> doing wrong.
>>
>>
>> Here is a debug
>>
>> May 5 09:18:48.629: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/1
>> May 5 09:18:48.629: dot1x-ev(Fa0/1): Sending event (2) to Auth Mgr for 0000.0000.0000
>> May 5 09:18:48.629: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/1
>> May 5 09:18:48.629: dot1x-ev(Fa0/1): Received Authz fail for the client 0x6300001F (0000.0000.0000)
>> May 5 09:18:48.629: dot1x-ev(Fa0/1): Deleting client 0x6300001F (0000.0000.0000)
>> May 5 09:18:48.629: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/1
>> May 5 09:18:48.629: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa0/1
>> May 5 09:18:48.671: dot1x-sm(Fa0/1): Posting_AUTHZ_FAIL on Client 0x6300001F
>> May 5 09:18:48.671: dot1x_auth Fa0/1: during state auth_authc_result, got event 22(authzFail)
>> May 5 09:18:48.671: @@@ dot1x_auth Fa0/1: auth_authc_result -> auth_held
>> May 5 09:18:48.671: dot1x-ev:Delete auth client (0x6300001F) message
>>
>> May 5 09:37:10.738: dot1x-ev(Fa0/1): Dot1x authentication started for 0x3A000020 (0000.0000.0000)
>>
>> May 5 09:38:43.397: dot1x-sm(Fa0/1): Posting_AUTHZ_FAIL on Client 0x3A000020
>> May 5 09:38:43.397: dot1x_auth Fa0/1: during state auth_authc_result, got event 22(authzFail)
>> May 5 09:38:43.397: @@@ dot1x_auth Fa0/1: auth_authc_result -> auth_held
>> May 5 09:38:43.397: dot1x-ev:Delete auth client (0x3A000020) message
>> May 5 09:38:43.397: dot1x-ev:Auth client ctx destroyed
>> May 5 09:38:43.397: dot1x-ev:Aborted posting message to authenticator state machine: Invalid client
>> May 5 09:38:43.397: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
>> May 5 09:38:44.412: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/1
>>
>>
>>
>> switch#test aaa group radius cisco cisco123 legacy
>> Attempting authentication test to server-group radius using radius
>> User was successfully authenticated.
>>
>>
>> The weirdest thing is, when I log in with my PC to my domain with the
>> username and password, cisco & cisco123, the ACS log does not even see my
>> username (obviously it seems like the switch is not sending this
>> information to the ACS).
>>
>> ==
>> my dot1x configs are pretty standard
>> ==
>>
>> dot1x system-auth-control
>> dot1x guest-vlan supplicant
>>
>> aaa authentication login default group radius
>> aaa authentication dot1x default group radius
>> aaa authorization network default group radius
>> aaa accounting dot1x default start-stop group radius
>> aaa accounting system default start-stop group radius
>> radius-server host 192.168.2.254 auth-port 1000 acct-port 1001
>> radius-server host 192.168.2.253 auth-port 1000 acct-port 1001
>> radius-server key 7 xx
>> interface FastEthernet0/1
>> switchport mode access 5
>> authentication event fail retry 1 action authorize vlan 4
>> authentication event no-response action authorize vlan 4
>> authentication port-control auto
>> dot1x pae authenticator
>> spanning-tree portfast
>> end
>>
>> ==
>> #sh vlan | in dot1x
>>
>> 5 Staff_dot1xTest active
>> 4 Student_dot1xTest active Fa0/1
>>
>>
>> Any input, much appreciated!
>>
>> Thanks,
>>
>> Charlie
>>
>>
>> Blogs and organic groups
>> at http://www.ccie.net
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>> -----------------------------------------
>> Disclaimer:
>>
>> This e-mail communication and any attachments may contain confidential and
>> privileged information and is for use by the designated addressee(s) named
>> above only. If you are not the intended addressee, you are hereby notified
>> that you have received this communication in error and that any use or
>> reproduction of this email or its contents is strictly prohibited and may be
>> unlawful. If you have received this communication in error, please notify us
>> immediately by replying to this message and deleting it from your computer.
>> Thank you.
>
>
> --
> CCIE #19963
Blogs and organic groups at http://www.ccie.net
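The debug burst quoted in this thread is a good teaching case for what the switch's authentication manager actually reports: a `no-response` result from dot1x means the EAP-Request/Identity frames went unanswered, and the later "Authorization succeeded" for an unknown MAC is the fallback action from `authentication event no-response action authorize vlan 4`, not a user the RADIUS server ever saw. The following Python script is an added example written for this archive page, not code from any of the posters or from Cisco; it parses the `%FACILITY-SEVERITY-MNEMONIC` lines, skips the `dot1x-ev` state-machine chatter, and tells the two outcomes apart. The sample lines are the ones Charlie posted; the function names and the interpretation strings are my own.

```python
import re
from collections import defaultdict

# Cisco IOS syslog-style debug line, e.g.
#   May 5 09:18:48.629: %AUTHMGR-7-RESULT: Authentication result 'no-response' ...
# Lines such as "dot1x-ev(Fa0/1): ..." carry no %FACILITY-SEV-MNEMONIC and are skipped.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\.\d{3}):\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s+"
    r"(?P<msg>.*)$"
)
IFACE_RE = re.compile(r"on Interface (?P<iface>[A-Za-z]+\d+(?:/\d+)*)")
CLIENT_RE = re.compile(r"for client \((?P<client>[^)]+)\)")
RESULT_RE = re.compile(r"Authentication result '(?P<result>[^']+)' from '(?P<method>[^']+)'")

# Sample input: the debug lines posted in the thread (copied, not constructed).
SAMPLE_DEBUG = [
    "May 5 09:18:48.629: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/1",
    "May 5 09:18:48.629: dot1x-ev(Fa0/1): Sending event (2) to Auth Mgr for 0000.0000.0000",
    "May 5 09:18:48.629: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/1",
    "May 5 09:18:48.629: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/1",
    "May 5 09:18:48.629: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa0/1",
    "May 5 09:38:43.397: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up",
    "May 5 09:38:44.412: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/1",
]


def parse_line(line):
    """Return a dict for a %FACILITY-SEV-MNEMONIC line, or None for other debug output."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["severity"] = int(ev["severity"])
    msg = ev["msg"]
    im, cm, rm = IFACE_RE.search(msg), CLIENT_RE.search(msg), RESULT_RE.search(msg)
    ev["iface"] = im.group("iface") if im else None
    ev["client"] = cm.group("client") if cm else None
    ev["method"] = rm.group("method") if rm else None
    ev["result"] = rm.group("result") if rm else None
    return ev


def _new_port():
    return {"results": [], "failover": False, "exhausted": False,
            "success_client": None, "fallback_authorized": False}


def analyze(lines):
    """Walk the AUTHMGR/DOT1X events per interface and record how the port ended up authorized."""
    ports = defaultdict(_new_port)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["iface"] is None or ev["facility"] not in ("AUTHMGR", "DOT1X"):
            continue
        port = ports[ev["iface"]]
        key = (ev["facility"], ev["mnemonic"])
        if key == ("AUTHMGR", "RESULT") and ev["result"]:
            port["results"].append((ev["method"], ev["result"]))
        elif key == ("AUTHMGR", "FAILOVER"):
            port["failover"] = True
        elif key == ("AUTHMGR", "NOMOREMETHODS"):
            port["exhausted"] = True
        elif key == ("AUTHMGR", "SUCCESS"):
            port["success_client"] = ev["client"]
            # "Authorization succeeded" for an unknown MAC after every method was
            # exhausted is the configured fallback action (e.g. the no-response
            # VLAN), not a client that proved its identity to RADIUS.
            if port["exhausted"] and ev["client"] == "Unknown MAC":
                port["fallback_authorized"] = True
    return dict(ports)


def explain(port):
    """Human-readable findings for one interface's summary from analyze()."""
    notes = []
    if ("dot1x", "no-response") in port["results"]:
        notes.append("dot1x 'no-response': the client never answered EAP-Request/Identity "
                     "(no supplicant on the port, or its EAP method is not set up)")
    if port["exhausted"]:
        notes.append("every authentication method was exhausted")
    if port["fallback_authorized"]:
        notes.append("port was then authorized for an unknown MAC: access came from the "
                     "fallback action, not from credentials the RADIUS server saw")
    return notes


if __name__ == "__main__":
    for iface, port in analyze(SAMPLE_DEBUG).items():
        print(iface)
        for note in explain(port):
            print("  -", note)
```

Run it against a pasted `debug dot1x` / `debug authentication` capture to see, per interface, whether a "success" was a real 802.1X result or the guest/no-response VLAN being handed out; the latter is the condition to alert on when a port that should carry a supplicant-equipped host keeps landing in the fallback VLAN.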
Received on Wed May 05 2010 - 18:19:32 ART
This archive was generated by hypermail 2.2.0 : Tue Jun 01 2010 - 07:09:52 ART