Yeah... Bringing the switch down to 12.2.44 code seemed to change the way it reported the port status. But not without a decrease in verbosity. I don't see any output on the console for authentication results with console logging set to debugging. The switch only reports that its port line protocol went up and the port went into an authorized status. No comments again and I'm more and more inclined to think that Cisco has to give a special privilege to those who study for CCIE just for finding bugs and inconsistencies in their documentation.
Eugene

From: Kingsley Charles [mailto:[email protected]]
Sent: Tuesday, May 01, 2012 12:06 AM
To: Eugene Pefti
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] MAB with 802.1x

Interesting... Why are you using the image that supports the new dot1x commands? The exam is based on 12.2(44)SE, which supports the older command set. Can you downgrade it and then check? There is point in troubleshooting on the new image.

With regards
Kings

On Tue, May 1, 2012 at 11:56 AM, Eugene Pefti <[email protected]> wrote:

Looks like exactly what you asked, Kings:

ACS NAP has a profile created from a template profile - "Agentless Host for L2 (802.1x fall back)". In the authentication section for this profile the router's MAC address is entered into the area "Authenticate MAC with". ACS creates a record in Reports -> "Passed Authentications" for this MAC address as successful, with the associated shared RADIUS authorization profile.

The switch AAA config portion is as follows:

aaa new-model
aaa authentication login default none
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
interface FastEthernet0/2
 ! this is where the router is connected
 switchport mode access
 authentication order dot1x mab webauth
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x max-reauth-req 1
!
radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key CISCO
radius-server vsa send authentication

Eugene

From: Kingsley Charles [mailto:[email protected]]
Sent: 30 April 2012 23:08
To: Eugene Pefti
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] MAB with 802.1x

Is the MAC address configured in the ACS NAP configured for MAB? Can you paste your AAA config?
With regards
Kings

On Tue, May 1, 2012 at 7:49 AM, Eugene Pefti <[email protected]> wrote:

Folks,

Can anyone give me a clue why the switch reports the status of the port configured for MAC authentication bypass as "UNAUTHORIZED"? Based on the output below the authorization session succeeded, but the summary for dot1x says it is unauthorized. Is it expected?

.May 1 02:25:34.108: %AUTHMGR-5-START: Starting 'mab' for client (0015.f956.e389) on Interface Fa0/2 AuditSessionID 0A000008000000368C2CD8E4
.May 1 02:25:34.142: %MAB-5-SUCCESS: Authentication successful for client (0015.f956.e389) on Interface Fa0/2 AuditSessionID 0A000008000000368C2CD8E4
.May 1 02:25:34.142: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0015.f956.e389) on Interface Fa0/2 AuditSessionID 0A000008000000368C2CD8E4
.May 1 02:25:34.142: %AUTHMGR-5-VLANASSIGN: VLAN 30 assigned to Interface Fa0/2 AuditSessionID 0A000008000000368C2CD8E4
.May 1 02:25:34.645: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.f956.e389) on Interface Fa0/2 AuditSessionID 0A000008000000368C2CD8E4
.May 1 02:25:35.174: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up

SW2#sh dot1x all sum
Interface  PAE   Client          Status
--------------------------------------------------------
Fa0/2      AUTH  none            UNAUTHORIZED
Fa0/5      AUTH  001d.72e2.634c  AUTHORIZED

Eugene

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
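As an added triage example (not part of the thread, and not Cisco's code), the Python below folds the AUTHMGR/MAB syslog lines Eugene pasted into one record per AuditSessionID and reconciles them with the rows of "show dot1x all summary". It assumes that "show dot1x" reports only the 802.1X authenticator's own state while MAB-authorized sessions are reported by "show authentication sessions", so a MAB-authorized port showing UNAUTHORIZED under dot1x is classified as expected rather than as a mismatch; the verdict strings are this example's own naming.

```python
import re
# Auth-manager syslog lines as pasted in the thread (SW2, Fa0/2, MAB session).
SYSLOG = """\
.May 1 02:25:34.108: %AUTHMGR-5-START: Starting 'mab' for client (0015.f956.e389) on Interface Fa0/2 AuditSessionID 0A000008000000368C2CD8E4
.May 1 02:25:34.142: %MAB-5-SUCCESS: Authentication successful for client (0015.f956.e389) on Interface Fa0/2 AuditSessionID 0A000008000000368C2CD8E4
.May 1 02:25:34.142: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0015.f956.e389) on Interface Fa0/2 AuditSessionID 0A000008000000368C2CD8E4
.May 1 02:25:34.142: %AUTHMGR-5-VLANASSIGN: VLAN 30 assigned to Interface Fa0/2 AuditSessionID 0A000008000000368C2CD8E4
.May 1 02:25:34.645: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.f956.e389) on Interface Fa0/2 AuditSessionID 0A000008000000368C2CD8E4
"""
# Rows of "show dot1x all summary" from the thread: interface -> (client, status).
DOT1X_SUMMARY = {"Fa0/2": ("none", "UNAUTHORIZED"), "Fa0/5": ("001d.72e2.634c", "AUTHORIZED")}
MSG_RE = re.compile(r"%(?P<fac>[A-Z0-9]+)-\d-(?P<mn>[A-Z]+): (?P<text>.*?) "
                    r"(?:on|to) Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)")

def parse_sessions(syslog):
    """Fold AUTHMGR/MAB messages into one record per AuditSessionID."""
    sessions = {}
    for line in syslog.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m["sid"], {"interface": m["intf"], "client": None,
                                           "result": None, "vlan": None, "authorized": False})
        text = m["text"]
        client = re.search(r"client \(([0-9a-f.]+)\)", text)
        if client:
            s["client"] = client.group(1)
        if m["mn"] == "RESULT":                    # (method, outcome) that decided the session
            r = re.search(r"result '(\w+)' from '(\w+)'", text)
            s["result"] = (r.group(2), r.group(1))
        elif m["mn"] == "VLANASSIGN":              # dynamic VLAN pushed by the RADIUS server
            s["vlan"] = int(re.search(r"VLAN (\d+)", text).group(1))
        elif m["fac"] == "AUTHMGR" and m["mn"] == "SUCCESS":   # authorization applied to port
            s["authorized"] = True
    return sessions

def reconcile(sessions, dot1x_summary):
    """Per-interface verdict; '<method>-authorized' with a non-dot1x method explains a dot1x UNAUTHORIZED row."""
    verdicts = {}
    for s in sessions.values():
        status = dot1x_summary.get(s["interface"], ("none", "UNKNOWN"))[1]
        method = s["result"][0] if s["result"] else None
        if not s["authorized"]:
            verdicts[s["interface"]] = "not-authorized"
        elif method == "dot1x" and status != "AUTHORIZED":
            verdicts[s["interface"]] = "mismatch"   # dot1x itself authorized it, summary disagrees
        else:
            verdicts[s["interface"]] = "%s-authorized" % method
    return verdicts
```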
