Re: to the dot1x gurus..any input, appreciated !!!

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Thu, 6 May 2010 10:46:05 +0100

Good luck! Seen it work, so keep your head up. ;-)

Yeah, may his gentle soul rest in perfect peace - in Aljanna! Ameen.

Sadiq

On Thu, May 6, 2010 at 1:19 AM, spycharlies <spycharlies_at_gmail.com> wrote:

> You're right Sadiq, my authentication was screwed up. Stupid me! I completely
> forgot Microsoft Active Directory does not support MD5. I changed the network
> card authentication setting to PEAP, and it's working OK now.
>
> Now that the dot1x is working, my goal is to send an AV pair from ACS to
> trigger a smartport macro for my access port; hopefully that goes
> smoothly...
>
> A word or two from you guys is always useful..
>
> Thanks
>
> ============
> R.I.P to our beloved President Yar'Adua (NIGERIA) ... May04,2010
>
> =============
>
> Cheers
>
> On Wed, May 5, 2010 at 5:02 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>
>> Charlie,
>>
>> What EAP method are you doing on the dot1x client? MD5, PEAP or TLS? Have
>> you configured certificates, etc, on client and server?
>>
>> Seems like you don't have a supplicant on the port? See below:
>>
>> May 5 09:18:48.629: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/1
>>
>> All EAP Request Identity frames seem to be getting ignored by the client.
>> This comes down to what you have configured as an EAP method. Are you
>> getting a password prompt on the client?
>>
>> Can we see a full running configuration?
>>
>> Thanks,
>> Sadiq
>>
>> On Wed, May 5, 2010 at 8:36 PM, Jason Aarons (US) <jason.aarons_at_us.didata.com> wrote:
>>
>>> ACS Reporting and Monitoring gives back details as well. However, if the same
>>> setup works over wireless, then post your switch aaa running-config. Check the
>>> dot1x section of the administration guide for your switch model to see what
>>> you missed.
>>>
>>> Sent from my Windows phone.
>>>
>>> ________________________________
>>> From: spycharlies <spycharlies_at_gmail.com>
>>> Sent: Wednesday, May 05, 2010 3:33 PM
>>> To: Jason Aarons (US) <jason.aarons_at_us.didata.com>
>>> Cc: Cisco certification <ccielab_at_groupstudy.com>
>>> Subject: Re: to the dot1x gurus..any input, appreciated !!!
>>>
>>> That's a good idea, I will run Wireshark on the client, to
>>> see if I get any helpful information.
>>>
>>> The dot1x is pointing to the ACS (FYI ACS v5), although using an external
>>> Windows Server 2003 database.
>>>
>>> With regards to my config as earlier posted -- my ports were actually
>>> "auth-port 1645 acct-port 1646", not 1000 & 1001.
>>>
>>> Thanks,
>>>
>>> Charlie
>>>
>>>
>>> On Wed, May 5, 2010 at 12:07 PM, Jason Aarons (US)
>>> <jason.aarons_at_us.didata.com> wrote:
>>>
>>> debug radius
>>>
>>> What are you pointing 802.1x to? ACS, Windows 2003/IAS, or Windows
>>> 2008/NPS?
>>>
>>> On the client run Wireshark with Filter = EAPOL
>>> On the RADIUS server run Wireshark with Filter = RADIUS
>>>
>>> ________________________________________
>>> From: nobody_at_groupstudy.com [nobody_at_groupstudy.com] On Behalf Of
>>> spycharlies [spycharlies_at_gmail.com]
>>> Sent: Wednesday, May 05, 2010 12:46 PM
>>> To: Cisco certification
>>> Subject: to the dot1x gurus..any input, appreciated !!!
>>>
>>> To the dot1x gurus..,
>>>
>>> I have been using dot1x for our wireless network for a while now and it's
>>> been running smoothly. I decided to test dot1x for wired connections.
>>> Unfortunately, it's not working. For 3 days now, I have no idea what I am
>>> doing wrong.
>>>
>>>
>>> Here is a debug
>>>
>>> May 5 09:18:48.629: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/1
>>> May 5 09:18:48.629: dot1x-ev(Fa0/1): Sending event (2) to Auth Mgr for 0000.0000.0000
>>> May 5 09:18:48.629: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/1
>>> May 5 09:18:48.629: dot1x-ev(Fa0/1): Received Authz fail for the client 0x6300001F (0000.0000.0000)
>>> May 5 09:18:48.629: dot1x-ev(Fa0/1): Deleting client 0x6300001F (0000.0000.0000)
>>> May 5 09:18:48.629: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/1
>>> May 5 09:18:48.629: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa0/1
>>> May 5 09:18:48.671: dot1x-sm(Fa0/1): Posting_AUTHZ_FAIL on Client 0x6300001F
>>> May 5 09:18:48.671: dot1x_auth Fa0/1: during state auth_authc_result, got event 22(authzFail)
>>> May 5 09:18:48.671: @@@ dot1x_auth Fa0/1: auth_authc_result -> auth_held
>>> May 5 09:18:48.671: dot1x-ev:Delete auth client (0x6300001F) message
>>>
>>> May 5 09:37:10.738: dot1x-ev(Fa0/1): Dot1x authentication started for 0x3A000020 (0000.0000.0000)
>>>
>>> May 5 09:38:43.397: dot1x-sm(Fa0/1): Posting_AUTHZ_FAIL on Client 0x3A000020
>>> May 5 09:38:43.397: dot1x_auth Fa0/1: during state auth_authc_result, got event 22(authzFail)
>>> May 5 09:38:43.397: @@@ dot1x_auth Fa0/1: auth_authc_result -> auth_held
>>> May 5 09:38:43.397: dot1x-ev:Delete auth client (0x3A000020) message
>>> May 5 09:38:43.397: dot1x-ev:Auth client ctx destroyed
>>> May 5 09:38:43.397: dot1x-ev:Aborted posting message to authenticator state machine: Invalid client
>>> May 5 09:38:43.397: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
>>> May 5 09:38:44.412: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/1
>>>
>>> switch#test aaa group radius cisco cisco123 legacy
>>> Attempting authentication test to server-group radius using radius
>>> User was successfully authenticated.
>>>
>>>
>>> The weirdest thing is, when I log in with my PC to my domain with the
>>> username and password cisco & cisco123, the ACS log does not even see my
>>> username (obviously it seems like the switch is not sending this
>>> information to the ACS).
>>>
>>> ==
>>> my dot1x configs are pretty standard
>>> ==
>>>
>>> dot1x system-auth-control
>>> dot1x guest-vlan supplicant
>>>
>>> aaa authentication login default group radius
>>> aaa authentication dot1x default group radius
>>> aaa authorization network default group radius
>>> aaa accounting dot1x default start-stop group radius
>>> aaa accounting system default start-stop group radius
>>> radius-server host 192.168.2.254 auth-port 1000 acct-port 1001
>>> radius-server host 192.168.2.253 auth-port 1000 acct-port 1001
>>> radius-server key 7 xx
>>> interface FastEthernet0/1
>>>  switchport mode access
>>>  switchport access vlan 5
>>>  authentication event fail retry 1 action authorize vlan 4
>>>  authentication event no-response action authorize vlan 4
>>>  authentication port-control auto
>>>  dot1x pae authenticator
>>>  spanning-tree portfast
>>> end
>>>
>>> ==
>>> #sh vlan | in dot1x
>>>
>>> 5    Staff_dot1xTest      active
>>> 4    Student_dot1xTest    active    Fa0/1
>>>
>>>
>>> Any input, much appreciated!
>>>
>>> Thanks,
>>>
>>> Charlie
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>> -----------------------------------------
>>> Disclaimer:
>>>
>>> This e-mail communication and any attachments may contain confidential and
>>> privileged information and is for use by the designated addressee(s) named
>>> above only. If you are not the intended addressee, you are hereby notified
>>> that you have received this communication in error and that any use or
>>> reproduction of this email or its contents is strictly prohibited and may be
>>> unlawful. If you have received this communication in error, please notify us
>>> immediately by replying to this message and deleting it from your computer.
>>> Thank you.
>>
>>
>> --
>> CCIE #19963
>>
>
>

-- 
CCIE #19963
Received on Thu May 06 2010 - 10:46:05 ART
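An added example, not code from this thread, from Cisco or from the list: a small Python triage script over IOS 802.1X syslog lines in the shape Charlie posted. The point it makes for a defender is the one the debug output above hides. With `authentication event no-response action authorize vlan 4` configured, the final `%AUTHMGR-5-SUCCESS` for `(Unknown MAC)` is the fallback action firing, not a supplicant that authenticated; a monitor that only greps for `AUTHMGR-5-SUCCESS` would count it as a good login. The `THREAD_LOG` sample is the posted output with the e-mail wrapping removed; `HEALTHY_LOG`, the MAC `0011.2233.4455` and port `Fa0/2` are constructed, and the `AUTHMGR-5-START` wording in it is an assumption.

```python
"""Triage of Cisco IOS 802.1X (dot1x / auth-manager) syslog lines.

Added example, not code from the thread or from Cisco. It separates three
outcomes: the supplicant never answered EAP Request-Identity (no-response),
the port was *authorized* anyway through the configured fallback action
(SUCCESS for an Unknown MAC), and a client that really authenticated."""
import re
from collections import defaultdict

# Constructed sample: the lines posted in the thread, with the e-mail line
# wrapping removed. Timestamps, mnemonics and interface are as posted.
THREAD_LOG = """\
May 5 09:18:48.629: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/1
May 5 09:18:48.629: dot1x-ev(Fa0/1): Sending event (2) to Auth Mgr for 0000.0000.0000
May 5 09:18:48.629: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/1
May 5 09:18:48.629: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/1
May 5 09:18:48.629: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa0/1
May 5 09:38:43.397: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
May 5 09:38:44.412: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/1
"""

# Constructed sample of a supplicant that did authenticate (MAC, port and the
# START line wording are invented for the example).
HEALTHY_LOG = """\
May 6 10:02:11.100: %AUTHMGR-5-START: Starting 'dot1x' for client (0011.2233.4455) on Interface Fa0/2
May 6 10:02:12.400: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0011.2233.4455) on Interface Fa0/2
May 6 10:02:12.410: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0011.2233.4455) on Interface Fa0/2
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+\s+[\d:.]+): %(?P<mnemonic>[A-Z0-9]+-\d-[A-Z0-9]+): (?P<msg>.*)$")
CLIENT_RE = re.compile(r"for client \((?P<mac>[^)]+)\) on Interface (?P<intf>\S+)")
RESULT_RE = re.compile(r"Authentication result '(?P<result>[^']+)' from '(?P<method>[^']+)'")


def parse_events(text):
    """Return one dict per %MNEMONIC line; dot1x-ev/dot1x-sm state traces are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line.strip())
        if not m:
            continue
        ev = {"ts": m["ts"], "mnemonic": m["mnemonic"],
              "mac": None, "intf": None, "result": None, "method": None}
        c = CLIENT_RE.search(m["msg"])
        if c:
            ev["mac"], ev["intf"] = c["mac"], c["intf"]
        r = RESULT_RE.search(m["msg"])
        if r:
            ev["result"], ev["method"] = r["result"], r["method"]
        events.append(ev)
    return events


def triage(events):
    """Map interface -> ordered list of finding codes (each reported once)."""
    findings = defaultdict(list)
    exhausted = set()  # interfaces where the auth manager ran out of methods

    def note(intf, code):
        if code not in findings[intf]:
            findings[intf].append(code)

    for ev in events:
        intf = ev["intf"]
        if intf is None:  # e.g. LINEPROTO: no client, nothing to attribute
            continue
        if ev["mnemonic"] == "AUTHMGR-7-RESULT" and ev["result"] == "no-response":
            # EAP Request-Identity went unanswered: no supplicant, or a supplicant
            # whose EAP method could not proceed (the thread's MD5-vs-AD case).
            note(intf, "NO_SUPPLICANT")
        elif ev["mnemonic"] == "AUTHMGR-7-NOMOREMETHODS":
            exhausted.add(intf)
        elif ev["mnemonic"] == "AUTHMGR-5-SUCCESS":
            if ev["mac"] == "Unknown MAC" or intf in exhausted:
                # Authorized, not authenticated: the port fell through to the
                # configured fallback ('authentication event ... authorize vlan').
                note(intf, "FALLBACK_AUTHORIZED")
            else:
                note(intf, "AUTHENTICATED")
    return dict(findings)


if __name__ == "__main__":
    for name, log in (("thread", THREAD_LOG), ("healthy", HEALTHY_LOG)):
        print(name, triage(parse_events(log)))
```

Run on the thread's lines it reports `NO_SUPPLICANT` followed by `FALLBACK_AUTHORIZED` for Fa0/1, which is the state Charlie was actually in: the switch and RADIUS server were fine (`test aaa` passed), the client never started EAP, and the port landed in VLAN 4 through the no-response action. Treating `FALLBACK_AUTHORIZED` as its own alert class keeps fallback-VLAN placements visible in monitoring instead of blending into real authentications.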

This archive was generated by hypermail 2.2.0 : Tue Jun 01 2010 - 07:09:52 ART