Re: ANY ONE ? strange issue :wired 802.1x windows through from jeremy co on 2013-11-14 (Ccielab archives 12/2013)

From: jeremy co <jeremy.cool14_at_gmail.com>
Date: Thu, 14 Nov 2013 05:19:44 -0800

I just check, even when I connect directly and it passes the authentication
and authorization, I cant ping anywhere.

its using static ip.

SW3#sh authentication sessions int g1/0/5
            Interface: GigabitEthernet1/0/5
          MAC Address: 48f8.b32b.24e7
           IP Address: 169.254.222.218
            User-Name: test-pc
               Status: Authz Success
               Domain: DATA
       Oper host mode: multi-auth
     Oper control dir: both
        Authorized By: Authentication Server
          Vlan Policy: 1
              ACS ACL: xACSACLx-IP-DATA_VLAN_DACL-5284a641
      Session timeout: N/A
         Idle timeout: N/A
    Common Session ID: 64000003000000280025DE50
      Acct Session ID: 0x0000002C
               Handle: 0x6D000029

Runnable methods list:
       Method State
       mab Not run
       dot1x Authc Success

Extended IP access list xACSACLx-IP-DATA_VLAN_DACL-5284a641 (per-user)
10 permit ip any any

*any idea ?*

On Thu, Nov 14, 2013 at 5:00 AM, jeremy co <jeremy.cool14_at_gmail.com> wrote:

> Hi,
>
>
> If I plug pc directly to sw it works fine. but if I put it through ipphone
> ,it doesnt work.
>
> phone authenticate via mab just fine and then I get below error.
> %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for
> client
>
>
> aaa new-model
> !
> !
> aaa authentication login default local
> aaa authentication dot1x default group radius
> aaa authorization network default group radius
> !
> !
> !
> !
> !
> aaa server radius dynamic-author
> client 100.0.0.10
> server-key cisco123
>
> !
> !
> ip device tracking
>
> !
> dot1x system-auth-control
>
> !
> !
> interface GigabitEthernet1/0/5
> switchport mode access
> switchport voice vlan 9
> logging event spanning-tree
> authentication host-mode multi-auth
> authentication order mab dot1x
> authentication priority dot1x mab
> authentication port-control auto
> mab
> dot1x pae authenticator
> spanning-tree portfast
>
> interface Vlan1
> ip address 100.0.0.3 255.255.255.0
> !
> !
> ip radius source-interface Vlan1
> !
> radius-server attribute 6 on-for-login-auth
> radius-server attribute 8 include-in-access-req
> radius-server attribute 25 access-request include
> radius-server host 100.0.0.10 auth-port 1812 acct-port 1813 key cisco123
> radius-server vsa send accounting
> radius-server vsa send authentication
> !
>
> SW1#$ sh authentication sessions int
> f1/0/5
> Interface: FastEthernet1/0/5
> MAC Address: 48f8.b32b.24a3
> IP Address: Unknown
> User-Name: 48f8b32b24a3
> Status: Running
> Domain: DATA
> Security Policy: Should Secure
> Security Status: Unsecure
> Oper host mode: multi-auth
> Oper control dir: both
> Session timeout: N/A
> Idle timeout: N/A
> Common Session ID: 640000010000000E01DFBAEC
> Acct Session ID: 0x00000011
> Handle: 0x0D00000E
>
> Runnable methods list:
> Method State
> dot1x Running
>
> ----------------------------------------
> Interface: FastEthernet1/0/5
> MAC Address: 000f.2340.71cb
>
> IP Address: Unknown
> User-Name: 00-0F-23-40-71-CB
> Status: Authz Success
> Domain: VOICE
> Security Policy: Should Secure
> Security Status: Unsecure
> Oper host mode: multi-auth
> Oper control dir: both
> Authorized By: Authentication Server
> ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2
> Session timeout: N/A
> Idle timeout: N/A
> Common Session ID: 640000010000000F01DFD428
> Acct Session ID: 0x00000012
> Handle: 0x8C00000F
>
> Runnable methods list:
> Method State
> dot1x Failed over
>
>
> *eventually it times out. My suspision is it never pass 802.1x to the PC.*
>
> -----------------------------------------------------------------------------------------------------------------
> %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for
> client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
> 640000010000000E01DFBAEC
> dot1x-ev(Fa1/0/5): Received Authz fail for the client 0x660000A7
> (48f8.b32b.24a3)
> dot1x-ev(Fa1/0/5): Deleting client 0x660000A7 (48f8.b32b.24a3)
> %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (48f8.b32b.24a3)
> on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
> %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client
> (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
> 640000010000000E01DFBAEC
> %AUTHMGR-5-FAIL: Authorization failed for client (48f8.b32b.24a3) on
> Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
> dot1x-ev:Delete auth client (0x660000A7) message
> dot1x-ev:Auth client ctx destroyed
> dot1x-ev:Aborted posting message to authenticator state machine: Invalid
> client
> SW1#$
>
> dot1x-ev(Fa1/0/5): Couldn't find the supplicant in the list
> dot1x-ev(Fa1/0/5): Sending create new context event to EAP for 0xED0000A8
> (48f8.b32b.24a3)
> dot1x-ev(Fa1/0/5): Created a client entry (0xED0000A8)
> dot1x-ev(Fa1/0/5): Dot1x authentication started for 0xED0000A8
> (48f8.b32b.24a3)
> %AUTHMGR-5-START: Starting 'dot1x' for client (48f8.b32b.24a3) on
> Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
> SW1#$
>
> dot1x-ev(Fa1/0/5): Sending EAPOL packet to 48f8.b32b.24a3
> dot1x-ev(Fa1/0/5): Role determination not required
> dot1x-ev(Fa1/0/5): Sending out EAPOL packet

Blogs and organic groups at http://www.ccie.net
Received on Thu Nov 14 2013 - 05:19:44 ART

This archive was generated by hypermail 2.2.0 : Wed Jan 01 2014 - 20:26:19 ART