Hi Jeremy,
So are there two issues here? 1. You cannot ping when PC directly attached
to this? 2. When the PC is behind the IP phone, dot1x does not authenticate
for the PC?
1. Multi-auth host mode does not allow dynamic VLAN assignment (I don't know
if the newer code on the switches allows this). This means the client is
placed in VLAN 1 after successful authentication. The SVI has a different
IP address to the client and hence no ping. Configure the client in the
same subnet as the SVI and let us know if it works.
2. Is this a Cisco IP phone? After the session times out, can you disable
and re-enable dot1x under the PC interface? I am hoping the OS you are
using is configured to send out EAPoL Start frames (as not all OSs can do
this). Does that trigger anything on the switch? Can you try this all with
the host-mode configured as multi-domain (and not multi-auth)?
What switch hardware and software are you running?
HTH,
Sadiq
On Thu, Nov 14, 2013 at 1:19 PM, jeremy co <jeremy.cool14_at_gmail.com> wrote:
> I just checked: even when I connect directly and it passes the authentication
> and authorization, I can't ping anywhere.
>
> It's using a static IP.
>
>
>
> SW3#sh authentication sessions int g1/0/5
> Interface: GigabitEthernet1/0/5
> MAC Address: 48f8.b32b.24e7
> IP Address: 169.254.222.218
> User-Name: test-pc
> Status: Authz Success
> Domain: DATA
> Oper host mode: multi-auth
> Oper control dir: both
> Authorized By: Authentication Server
> Vlan Policy: 1
> ACS ACL: xACSACLx-IP-DATA_VLAN_DACL-5284a641
> Session timeout: N/A
> Idle timeout: N/A
> Common Session ID: 64000003000000280025DE50
> Acct Session ID: 0x0000002C
> Handle: 0x6D000029
>
> Runnable methods list:
> Method State
> mab Not run
> dot1x Authc Success
>
> Extended IP access list xACSACLx-IP-DATA_VLAN_DACL-5284a641 (per-user)
> 10 permit ip any any
>
>
>
> *Any idea?*
>
> On Thu, Nov 14, 2013 at 5:00 AM, jeremy co <jeremy.cool14_at_gmail.com> wrote:
>
> > Hi,
> >
> >
> > If I plug the PC directly into the switch it works fine, but if I put it through
> > the IP phone, it doesn't work.
> >
> > The phone authenticates via MAB just fine and then I get the error below.
> > %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for
> > client
> >
> >
> > aaa new-model
> > !
> > !
> > aaa authentication login default local
> > aaa authentication dot1x default group radius
> > aaa authorization network default group radius
> > !
> > !
> > !
> > !
> > !
> > aaa server radius dynamic-author
> > client 100.0.0.10
> > server-key cisco123
> >
> > !
> > !
> > ip device tracking
> >
> > !
> > dot1x system-auth-control
> >
> > !
> > !
> > interface GigabitEthernet1/0/5
> > switchport mode access
> > switchport voice vlan 9
> > logging event spanning-tree
> > authentication host-mode multi-auth
> > authentication order mab dot1x
> > authentication priority dot1x mab
> > authentication port-control auto
> > mab
> > dot1x pae authenticator
> > spanning-tree portfast
> >
> > interface Vlan1
> > ip address 100.0.0.3 255.255.255.0
> > !
> > !
> > ip radius source-interface Vlan1
> > !
> > radius-server attribute 6 on-for-login-auth
> > radius-server attribute 8 include-in-access-req
> > radius-server attribute 25 access-request include
> > radius-server host 100.0.0.10 auth-port 1812 acct-port 1813 key cisco123
> > radius-server vsa send accounting
> > radius-server vsa send authentication
> > !
> >
> > SW1#$ sh authentication sessions int f1/0/5
> > Interface: FastEthernet1/0/5
> > MAC Address: 48f8.b32b.24a3
> > IP Address: Unknown
> > User-Name: 48f8b32b24a3
> > Status: Running
> > Domain: DATA
> > Security Policy: Should Secure
> > Security Status: Unsecure
> > Oper host mode: multi-auth
> > Oper control dir: both
> > Session timeout: N/A
> > Idle timeout: N/A
> > Common Session ID: 640000010000000E01DFBAEC
> > Acct Session ID: 0x00000011
> > Handle: 0x0D00000E
> >
> > Runnable methods list:
> > Method State
> > dot1x Running
> >
> > ----------------------------------------
> > Interface: FastEthernet1/0/5
> > MAC Address: 000f.2340.71cb
> >
> > IP Address: Unknown
> > User-Name: 00-0F-23-40-71-CB
> > Status: Authz Success
> > Domain: VOICE
> > Security Policy: Should Secure
> > Security Status: Unsecure
> > Oper host mode: multi-auth
> > Oper control dir: both
> > Authorized By: Authentication Server
> > ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2
> > Session timeout: N/A
> > Idle timeout: N/A
> > Common Session ID: 640000010000000F01DFD428
> > Acct Session ID: 0x00000012
> > Handle: 0x8C00000F
> >
> > Runnable methods list:
> > Method State
> > dot1x Failed over
> >
> >
> > *Eventually it times out. My suspicion is it never passes 802.1x to the PC.*
> >
> > ----------------------------------------
> > %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for
> > client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
> > 640000010000000E01DFBAEC
> > dot1x-ev(Fa1/0/5): Received Authz fail for the client 0x660000A7
> > (48f8.b32b.24a3)
> > dot1x-ev(Fa1/0/5): Deleting client 0x660000A7 (48f8.b32b.24a3)
> > %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (48f8.b32b.24a3)
> > on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
> > %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client
> > (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
> > 640000010000000E01DFBAEC
> > %AUTHMGR-5-FAIL: Authorization failed for client (48f8.b32b.24a3) on
> > Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
> > dot1x-ev:Delete auth client (0x660000A7) message
> > dot1x-ev:Auth client ctx destroyed
> > dot1x-ev:Aborted posting message to authenticator state machine: Invalid
> > client
> > SW1#$
> >
> > dot1x-ev(Fa1/0/5): Couldn't find the supplicant in the list
> > dot1x-ev(Fa1/0/5): Sending create new context event to EAP for 0xED0000A8
> > (48f8.b32b.24a3)
> > dot1x-ev(Fa1/0/5): Created a client entry (0xED0000A8)
> > dot1x-ev(Fa1/0/5): Dot1x authentication started for 0xED0000A8
> > (48f8.b32b.24a3)
> > %AUTHMGR-5-START: Starting 'dot1x' for client (48f8.b32b.24a3) on
> > Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
> > SW1#$
> >
> > dot1x-ev(Fa1/0/5): Sending EAPOL packet to 48f8.b32b.24a3
> > dot1x-ev(Fa1/0/5): Role determination not required
> > dot1x-ev(Fa1/0/5): Sending out EAPOL packet
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
-- 
CCIEx2 (R&S|Sec) #19963

Received on Thu Nov 14 2013 - 14:03:27 ART
This archive was generated by hypermail 2.2.0 : Wed Jan 01 2014 - 20:26:19 ART
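The two checks Sadiq raises, turned into an added Python triage script (not code from the thread or from Cisco): it parses `show authentication sessions interface` output into per-client sessions and flags a DATA session authorized in multi-auth host mode that carries a Vlan Policy, a learned client address outside the SVI subnet, and a DATA client whose dot1x method is still Running or has Failed over. The sample captures are trimmed from the posts above, the SVI subnet comes from the posted `interface Vlan1` config, and the function and finding names are my own; the flattened `key: value` layout of the quoted posts is assumed, and the column-aligned form the switch really prints parses the same way.

```python
"""Triage for Cisco IOS 'show authentication sessions interface' output.
Added example, not code from the thread: applies Sadiq's two checks
(dynamic VLAN in multi-auth host mode, dot1x client that never responds).
Finding names are invented for this script."""
import ipaddress
import re

# Constructed samples, trimmed from the captures posted in the thread.
PC_BEHIND_PHONE = """\
MAC Address: 48f8.b32b.24a3
IP Address: Unknown
Status: Running
Domain: DATA
Oper host mode: multi-auth
Runnable methods list:
Method State
dot1x Running
----------------------------------------
MAC Address: 000f.2340.71cb
Status: Authz Success
Domain: VOICE
Runnable methods list:
Method State
dot1x Failed over
"""

PC_DIRECT = """\
MAC Address: 48f8.b32b.24e7
IP Address: 169.254.222.218
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Vlan Policy: 1
Runnable methods list:
Method State
mab Not run
dot1x Authc Success
"""

# Subnet of the switch SVI: 'interface Vlan1 / ip address 100.0.0.3
# 255.255.255.0' in the posted config.
SVI_NETWORK = ipaddress.ip_network("100.0.0.0/24")


def parse_sessions(text):
    """Split the output into per-client blocks (separated by a dashed line).
    Key/value lines become dict entries; the 'Runnable methods list' table
    becomes sess['methods'], e.g. {'mab': 'Not run', 'dot1x': 'Authc Success'}."""
    sessions = []
    for block in re.split(r"^-{5,}\s*$", text, flags=re.MULTILINE):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        sess = {"methods": {}}
        in_methods = False
        for line in lines:
            if line.startswith("Runnable methods list"):
                in_methods = True
            elif in_methods:
                if line.startswith("Method"):          # column header
                    continue
                method, _, state = line.partition(" ")
                sess["methods"][method] = " ".join(state.split())
            elif ":" in line:
                key, _, value = line.partition(":")
                sess[key.strip()] = value.strip()
        sessions.append(sess)
    return sessions


def triage(sess, svi_network=SVI_NETWORK):
    """Return the finding names that apply to one parsed session."""
    findings = []
    domain = sess.get("Domain")
    dot1x_state = sess["methods"].get("dot1x", "")
    # Point 1: an authorized DATA client in multi-auth with a Vlan Policy;
    # on older code the dynamic VLAN is not honoured, leaving it in VLAN 1.
    if (domain == "DATA" and sess.get("Status") == "Authz Success"
            and sess.get("Oper host mode") == "multi-auth"
            and "Vlan Policy" in sess):
        findings.append("vlan-policy-in-multi-auth")
    # Point 1 measured directly: learned client address vs. the SVI subnet
    # (169.254.x is link-local, so that client cannot reach 100.0.0.3).
    try:
        addr = ipaddress.ip_address(sess.get("IP Address", ""))
    except ValueError:
        addr = None                 # 'Unknown' until device tracking learns it
    if addr is not None and addr not in svi_network:
        findings.append("client-outside-svi-subnet")
    # Point 2: dot1x never completes for the DATA client (no EAPoL from the
    # PC behind the phone), seen as Running and later 'Failed over'.
    if domain == "DATA" and dot1x_state in ("Running", "Failed over"):
        findings.append("no-supplicant-response")
    return findings


def triage_output(text, svi_network=SVI_NETWORK):
    """Map MAC address -> findings for every session in one capture."""
    return {s.get("MAC Address", "?"): triage(s, svi_network)
            for s in parse_sessions(text)}
```

Run `triage_output(PC_BEHIND_PHONE)` and `triage_output(PC_DIRECT)` to see the two situations from the thread side by side: the PC behind the phone is reported as a supplicant that never responds, while the directly attached PC is reported as an authorized multi-auth session with a Vlan Policy whose address is outside the SVI subnet. Feeding the same function a session from a port reconfigured for multi-domain, with an address inside 100.0.0.0/24, produces no findings.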