Interesting.. Why are you using the image that supports new dot1x commands? Exam is based on 12.2(44)SE that supports the older command set. Can you downgrade it and then check? There is point in troubleshooting on the new image.
With regards
Kings

On Tue, May 1, 2012 at 11:56 AM, Eugene Pefti <[email protected]> wrote:

> Looks like exactly what you asked, Kings:
>
> ACS NAP has a profile created from a template profile – “Agentless Host for L2 (802.1x fall back)”
>
> In the authentication section for this profile the router’s MAC address is entered into the area “Authenticate MAC with”
>
> ACS creates a record in the Reports -> “Passed Authentications” for this MAC address as successful with the associated shared Radius authorization profile.
>
> The switch AAA config portion is as follows:
>
> aaa new-model
> aaa authentication login default none
> aaa authentication dot1x default group radius
> aaa authorization network default group radius
> aaa accounting dot1x default start-stop group radius
> dot1x system-auth-control
>
> interface FastEthernet0/2 //this is where the router is connected
>  switchport mode access
>  authentication order dot1x mab webauth
>  authentication port-control auto
>  mab
>  dot1x pae authenticator
>  dot1x max-reauth-req 1
>
> radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key CISCO
> radius-server vsa send authentication
>
> Eugene
>
> From: Kingsley Charles [mailto:[email protected]]
> Sent: 30 April 2012 23:08
> To: Eugene Pefti
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] MAB with 802.1x
>
> Is the MAC address configured in the ACS NAP configured for MAB?
>
> Can you paste your AAA config.
>
> With regards
> Kings
>
> On Tue, May 1, 2012 at 7:49 AM, Eugene Pefti <[email protected]> wrote:
>
> Folks,
>
> Anyone can give me a clue why the switch reports the status of the port configured for MAC authentication bypass as “UNAUTHORIZED” ?
>
> Based on the output below the authorization session succeeded but the summary for dot1x says it is unauthorized. Is it expected ?
>
> .May 1 02:25:34.108: %AUTHMGR-5-START: Starting 'mab' for client (0015.f956.e389) on Interface Fa0/2 AuditSessionID 0A000008000000368C2CD8E4
> .May 1 02:25:34.142: %MAB-5-SUCCESS: Authentication successful for client (0015.f956.e389) on Interface Fa0/2 AuditSessionID 0A000008000000368C2CD8E4
> .May 1 02:25:34.142: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0015.f956.e389) on Interface Fa0/2 AuditSessionID 0A000008000000368C2CD8E4
> .May 1 02:25:34.142: %AUTHMGR-5-VLANASSIGN: VLAN 30 assigned to Interface Fa0/2 AuditSessionID 0A000008000000368C2CD8E4
> .May 1 02:25:34.645: %AUTHMGR-5-SUCCESS: *Authorization succeeded for client (0015.f956.e389) on Interface Fa0/2* AuditSessionID 0A000008000000368C2CD8E4
> .May 1 02:25:35.174: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
>
> SW2#sh dot1x all sum
> Interface       PAE     Client          Status
> --------------------------------------------------------
> Fa0/2           AUTH    none            *UNAUTHORIZED*
> Fa0/5           AUTH    001d.72e2.634c  AUTHORIZED
>
> Eugene
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
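Added example, not part of the thread and not code from any poster: a small Python parser that groups the AUTHMGR/MAB syslog lines quoted above by AuditSessionID and reports, per session, the client MAC, interface, the method that returned the successful result, the assigned VLAN and whether authorization succeeded. The sample input is the thread's own log output with the e-mail line wraps and emphasis asterisks removed; the function name `summarize_sessions` is hypothetical.

```python
import re

# Syslog lines quoted in the thread, with the e-mail line wraps undone.
SAMPLE_LOG = """\
.May 1 02:25:34.108: %AUTHMGR-5-START: Starting 'mab' for client (0015.f956.e389) on Interface Fa0/2 AuditSessionID 0A000008000000368C2CD8E4
.May 1 02:25:34.142: %MAB-5-SUCCESS: Authentication successful for client (0015.f956.e389) on Interface Fa0/2 AuditSessionID 0A000008000000368C2CD8E4
.May 1 02:25:34.142: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0015.f956.e389) on Interface Fa0/2 AuditSessionID 0A000008000000368C2CD8E4
.May 1 02:25:34.142: %AUTHMGR-5-VLANASSIGN: VLAN 30 assigned to Interface Fa0/2 AuditSessionID 0A000008000000368C2CD8E4
.May 1 02:25:34.645: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.f956.e389) on Interface Fa0/2 AuditSessionID 0A000008000000368C2CD8E4
.May 1 02:25:35.174: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
"""

TAG = re.compile(r"%([A-Z0-9_]+)-\d-([A-Z_]+): (.*)")   # %FACILITY-SEV-MNEMONIC: text
SID = re.compile(r"AuditSessionID ([0-9A-F]+)")
MAC = re.compile(r"client \(([0-9a-f.]+)\)")
IFACE = re.compile(r"Interface (\S+)")
RESULT = re.compile(r"result '(\w+)' from '(\w+)'")
VLAN = re.compile(r"VLAN (\d+) assigned")


def summarize_sessions(log_text):
    """Group AUTHMGR/MAB messages by AuditSessionID (hypothetical helper)."""
    sessions = {}
    for line in log_text.splitlines():
        tag, sid = TAG.search(line), SID.search(line)
        if not tag or not sid:
            continue  # e.g. LINEPROTO lines carry no session ID
        facility, mnemonic, text = tag.groups()
        s = sessions.setdefault(sid.group(1), {
            "mac": None, "interface": None, "method": None,
            "vlan": None, "authorized": False})
        if (m := MAC.search(text)):
            s["mac"] = m.group(1)
        if (m := IFACE.search(text)):
            s["interface"] = m.group(1)
        if (m := VLAN.search(text)):
            s["vlan"] = int(m.group(1))
        if (m := RESULT.search(text)) and m.group(1) == "success":
            s["method"] = m.group(2)  # method that produced the result
        if facility == "AUTHMGR" and mnemonic == "SUCCESS":
            s["authorized"] = True
    return sessions


if __name__ == "__main__":
    for sid, s in summarize_sessions(SAMPLE_LOG).items():
        print(sid, s)
```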
