802.1x Wired

EVGA
Wondering if anyone out there can point me to information on how to set up wired 802.1x with 2k3 IAS without using any kind of certificate. The Cisco device is a 2960, ver 12.55SE, and the client is Windows XP SP3 with the correct services enabled. I have tried a lot of commands on the switch to set this up, but there are some problems I am hitting. For example, I plug the laptop into the port and run a debug on RADIUS events and dot1x, and I get all kinds of information about dot1x, and then the port is blocked. I go into my IAS and there are no hits to the RADIUS server. I cannot tell if the issue is on the switch-to-server side or the switch-to-client side.

I am attempting to configure this with EAP MD5-Challenge.
    NetMan1958

    Can you post a sanitized config from your switch? Maybe also post the debug output.

    EVGA

    Building configuration...

    Current configuration : 5206 bytes
    !
    version 12.2
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    service sequence-numbers
    !
    hostname Bldg-800
    !
    boot-start-marker
    boot-end-marker
    !
    !
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    !
    !
    !
    aaa session-id common
    clock timezone MST -7
    system mtu routing 1500
    authentication mac-move permit
    udld aggressive
    udld message time 7
    ip subnet-zero
    no ip source-route
    !
    !
    !
    crypto pki trustpoint TP-self-signed-481643392
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-481643392
    revocation-check none
    rsakeypair TP-self-signed-481643392
    !
    !
    dot1x system-auth-control
    !
    !
    !
    errdisable recovery cause udld
    errdisable recovery cause bpduguard
    errdisable recovery cause security-violation
    errdisable recovery cause channel-misconfig (STP)
    errdisable recovery cause pagp-flap
    errdisable recovery cause dtp-flap
    errdisable recovery cause link-flap
    errdisable recovery cause sfp-config-mismatch
    errdisable recovery cause gbic-invalid
    errdisable recovery cause psecure-violation
    errdisable recovery cause port-mode-failure
    errdisable recovery cause dhcp-rate-limit
    errdisable recovery cause mac-limit
    errdisable recovery cause vmps
    errdisable recovery cause storm-control
    errdisable recovery cause inline-power
    errdisable recovery cause loopback
    errdisable recovery cause small-frame
    !
    spanning-tree mode pvst
    spanning-tree logging
    spanning-tree etherchannel guard misconfig
    spanning-tree extend system-id
    spanning-tree uplinkfast
    spanning-tree backbonefast
    !
    vlan internal allocation policy ascending
    !
    !
    !
    interface FastEthernet0/1
    switchport access vlan 40
    switchport mode access
    spanning-tree portfast
    !
    interface FastEthernet0/2
    switchport access vlan 40
    switchport mode access
    spanning-tree portfast
    !
    interface FastEthernet0/3
    switchport access vlan 40
    switchport mode access
    spanning-tree portfast
    !
    interface FastEthernet0/4
    switchport access vlan 40
    switchport mode access
    spanning-tree portfast
    !
    interface FastEthernet0/5
    switchport access vlan 40
    switchport mode access
    spanning-tree portfast
    !
    interface FastEthernet0/6
    switchport access vlan 40
    switchport mode access
    spanning-tree portfast
    !
    interface FastEthernet0/7
    switchport access vlan 40
    switchport mode access
    spanning-tree portfast
    !
    interface FastEthernet0/8
    switchport access vlan 40
    switchport mode access
    authentication event no-response action authorize vlan 50
    authentication port-control auto
    spanning-tree portfast
    !
    interface GigabitEthernet0/1
    description Server-3750s 1/0/7
    switchport trunk native vlan 1000
    switchport mode trunk
    logging event spanning-tree
    !
    interface Vlan1
    no ip address
    no ip route-cache
    shutdown
    !
    interface Vlan99
    ip address 172.16.0.8 255.255.255.0
    no ip route-cache
    !
    ip default-gateway 172.16.0.1
    no ip http server
    ip http secure-server
    ip sla enable reaction-alerts
    logging trap debugging
    snmp-server enable traps stpx loop-inconsistency
    radius-server host 192.168.168.8 auth-port 1645 acct-port 1646 key 7 keyhere
    A1713
    banner motd ^C
    ** ---> Unauthorized Access is Strictly Forbidden <--- ** ^C
    !
    line con 0
    line vty 0 4
    logging synchronous
    transport input telnet ssh
    transport output telnet ssh
    line vty 5 15
    logging synchronous
    transport input none
    !
    ntp clock-period 36029381
    ntp server 172.16.0.1
    end


    I cannot provide the debug because I am at a remote location. I can post the debug tomorrow.

    NetMan1958

    is that none of the interfaces are configured for dot1x. For example:
    switch#conf t
    switch(config)#interface FastEthernet0/1
    switch(config-if)#dot1x port-control auto

    Try adding that to one of the ports and see if it helps. If not, post your debug output when you can. Also see this article:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_25_see/configuration/guide/sw8021x.html

    NetMan1958

    Now that I'm not half asleep I see that you have interface FastEthernet0/8 configured with "authentication port-control auto". I'll watch for you to post the output of your debugs and see if that gives me a clue.
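Added example, not part of the thread and not the poster's running config: the port and RADIUS settings a 2960 on 12.2(50)SE or later needs for wired 802.1X with EAP MD5-Challenge, followed by the show/debug commands that separate a switch-to-server problem from a switch-to-client one. Addresses and VLANs are taken from the posted config; the shared secret and the test credentials are placeholders. Two things the posted config lacks: `dot1x pae authenticator` on the port (with the newer `authentication port-control auto` syntax the switch does not run 802.1X on an interface until the PAE role is set, so the supplicant never gets an EAP-Request/Identity and IAS never sees a request), and a pinned RADIUS source address so the Access-Requests leave from 172.16.0.8, the address that must be registered as a RADIUS client in IAS with the same secret; requests from an unregistered address are discarded and show up, if at all, only as an "invalid RADIUS client IP address" event in the System log, which looks exactly like "no hits". On the IAS side, MD5-Challenge needs the account's password stored with reversible encryption and a remote access policy whose EAP type is MD5-Challenge. Only Fa0/8 is shown, as in the post; Fa0/1-7 stay unauthenticated on VLAN 40 until they get the same lines. Caveat on the method itself: EAP-MD5 authenticates only the client, never the server, and derives no keys, so anyone who can capture the EAPOL frames on the wire gets a challenge/response pair to dictionary-attack offline. If the goal is only to avoid client certificates, PEAP with MS-CHAPv2 needs a certificate on the IAS server alone.

```cisco
! Added example (not the poster's config). Placeholders: <secret>,
! testuser/testpass. Addresses and VLANs are the ones from the thread.
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
! Send RADIUS from the Vlan99 address (172.16.0.8). That address, with
! the same secret, must be the RADIUS client entry in IAS; a mismatch
! is dropped before it reaches the IAS log.
ip radius source-interface Vlan99
! IAS listens on 1812/1813 and 1645/1646 by default, so either pair works;
! 1812/1813 are the RFC 2865 values.
radius-server host 192.168.168.8 auth-port 1812 acct-port 1813 key <secret>
!
dot1x system-auth-control
!
interface FastEthernet0/8
 switchport access vlan 40
 switchport mode access
 ! Required on 12.2(50)SE+: without the PAE role the port never sends
 ! EAP-Request/Identity, so no EAP exchange and no Access-Request.
 dot1x pae authenticator
 authentication port-control auto
 ! Guest VLAN: a device that never answers EAP-Request/Identity (no
 ! supplicant at all) is placed in VLAN 50 after the dot1x timeouts.
 ! Anything without a supplicant therefore gets VLAN 50 access.
 authentication event no-response action authorize vlan 50
 spanning-tree portfast
!
! --- Verification, from enable mode ---
!
! 1. Switch-to-server, independent of any client: a reply (even a reject
!    for a bad account) proves IAS accepted a request from this address
!    and secret; a timeout means it was unreachable or discarded.
test aaa group radius testuser testpass new-code
!
! 2. Switch-to-client: confirm 802.1X is actually running on the port
!    (PAE = AUTHENTICATOR, PortControl = AUTO) and watch the session state.
show dot1x interface FastEthernet0/8 details
show authentication sessions interface FastEthernet0/8
!
! 3. Live exchange: debug dot1x shows the EAPOL side, debug radius shows
!    whether an Access-Request ever leaves for 192.168.168.8.
debug dot1x events
debug radius authentication
```

Read the results in order: if `test aaa` times out, fix reachability, the IAS client entry or the secret before touching the port; if it answers but `show dot1x interface` reports no PAE or the port stays UNAUTHORIZED with nothing in `debug radius`, the supplicant side (Wired AutoConfig running, 802.1X enabled on the adapter, EAP type MD5-Challenge) is where to look.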
