All, I'm trying to authenticate an AP with dot1x (NOT MAB) to ISE. My understanding is that the WLC pushes the 802.1x auth user/pass to the AP, then the AP tries to respond to the switch's EAP. The switch uses open authentication, so it passes the user/pass to ISE.
I think in my case the switch never received the user/pass from the AP to pass it on to ISE. Can anyone shed some light on this?

AP--SW-WLC and ISE

On WLC: I enabled user/pass on 802.1x in global config. Registered the AP with the WLC without dot1x config on the switch port, and once it registered, put the dot1x config on the switch.

On ISE: I've got an authen/author profile and username/pass set up for the AP.

On Sw:

interface GigabitEthernet0/3
 description Access Point
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 40
 ip access-group ACL-DEFAULT in
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 spanning-tree portfast

3k-access#test aaa gr radius apuser Cisco123 new-code
User successfully authenticated

On AP:

AP5475.d063.f8aa#sh dot1x
Sysauthcontrol Disabled
Dot1x Protocol Version 2

*Debug on the switch:*

*Mar 1 01:33:54.870: dot1x-ev(Gi0/3): Received pkt saddr =5475.d063.f8aa , daddr = 5475.d0e3.1403, pae-ether-type = 888e.0200.003b
*Mar 1 01:33:54.870: dot1x-ev(Gi0/3): dot1x_sendRespToServer: Response sent to the server from 0xFF000015 (5475.d063.f8aa)
*Mar 1 01:33:54.895: dot1x-ev(Gi0/3): Sending EAPOL packet to 5475.d063.f8aa
*Mar 1 01:33:54.895: dot1x-ev(Gi0/3): Role determination not required
*Mar 1 01:33:54.895: dot1x-ev(Gi0/3): Sending out EAPOL packet
*Mar 1 01:33:54.911: dot1x-ev(Gi0/3): Role determination not required
*Mar 1 01:33:54.911: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar 1 01:33:54.911: EAPOL pak dump rx
*Mar 1 01:33:54.911: EAPOL Version: 0x2 type: 0x0 length: 0x006B
*Mar 1 01:33:54.911: dot1x-ev: dot1x_auth_queue_event: Int Gi0/3 CODE= 2,TYPE= 43,LEN= 107
*Mar 1 01:33:54.911: dot1x-ev(Gi0/3): Received pkt saddr =5475.d063.f8aa , daddr = 5475.d0e3.1403, pae-ether-type = 888e.0200.006b
*Mar 1 01:33:54.911: dot1x-ev(Gi0/3): dot1x_sendRespToServer: Response sent to the server from 0xFF000015 (5475.d063.f8aa)
*Mar 1 01:33:54.920: dot1x-ev(Gi0/3): Sending EAPOL packet to 5475.d063.f8aa
*Mar 1 01:33:54.920: dot1x-ev(Gi0/3): Role determination not required
*Mar 1 01:33:54.920: dot1x-ev(Gi0/3): Sending out EAPOL packet
*Mar 1 01:33:54.937: dot1x-ev(Gi0/3): Role determination not required
*Mar 1 01:33:54.937: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar 1 01:33:54.937: EAPOL pak dump rx
*Mar 1 01:33:54.937: EAPOL Version: 0x2 type: 0x0 length: 0x002B
*Mar 1 01:33:54.937: dot1x-ev: dot1x_auth_queue_event: Int Gi0/3 CODE= 2,TYPE= 43,LEN= 43
*Mar 1 01:33:54.937: dot1x-ev(Gi0/3): Received pkt saddr =5475.d063.f8aa , daddr = 5475.d0e3.1403, pae-ether-type = 888e.0200.002b
*Mar 1 01:33:54.937: dot1x-ev(Gi0/3): dot1x_sendRespToServer: Response sent to the server from 0xFF000015 (5475.d063.f8aa)
*Mar 1 01:33:54.945: dot1x-ev(Gi0/3): Received an EAP Fail
*Mar 1 01:33:54.945: %DOT1X-5-FAIL: Authentication failed for client (5475.d063.f8aa) on Interface Gi0/3 AuditSessionID
*Mar 1 01:33:54.945: dot1x-ev(Gi0/3): Sending event (2) to Auth Mgr for 5475.d063.f8aa
*Mar 1 01:33:54.945: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (5475.d063.f8aa) on Interface Gi0/3 AuditSessionID 0A01FA020000001300550D51
*Mar 1 01:33:54.945: %AUTHMGR-5-FAIL: Authorization failed for client (5475.d063.f8aa) on Interface Gi0/3 AuditSessionID 0A01FA020000001300550D51ogg
3k-access(config)#no epm logging
3k-access(config)#
*Mar 1 01:33:54.945: dot1x-ev(Gi0/3): Received Authz fail for the client 0xFF000015 (5475.d063.f8aa)
*Mar 1 01:33:54.953: dot1x-ev(Gi0/3): Sending EAPOL packet to 5475.d063.f8aa
*Mar 1 01:33:54.953: dot1x-ev(Gi0/3): Role determination not required
*Mar 1 01:33:54.953: dot1x-ev(Gi0/3): Sending out EAPOL packet

---------------------------------------------------------------------------------------------------------------------

*On AP console:*

*Mar 1 00:06:41.325: dot1x-packet:Received an EAP packet on the GigabitEthernet0 from mac 5475.d0e3.1403
*Mar 1 00:06:41.325: dot1x-ev: dot1x_post_message_to_supp_bend_sm:5475.d0e3.1403: Received EAP_PKT
*Mar 1 00:06:41.325: dot1x_supp_bend Gi0: during state supp_bend_receive, got event 7(eapolEap)
*Mar 1 00:06:41.325: @@@ dot1x_supp_bend Gi0: supp_bend_receive -> supp_bend_request
*Mar 1 00:06:41.325: dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_receive_exit called
*Mar 1 00:06:41.325: dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_request_enter called
*Mar 1 00:06:41.325: dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_receive_request_action called
*Mar 1 00:06:41.325: dot1x-packet:Received an EAP response packet from EAP for mac 5475.d0e3.1403
*Mar 1 00:06:41.325: dot1x-ev: dot1x_post_message_to_supp_bend_sm:5475.d0e3.1403: Sending EAP_RESPONSE
*Mar 1 00:06:41.325: dot1x_supp_bend Gi0: during state supp_bend_request, got event 2(eapResp)
*Mar 1 00:06:41.325: @@@ dot1x_supp_bend Gi0: supp_bend_request -> supp_bend_response
*Mar 1 00:06:41.325: dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_response_enter called
*Mar 1 00:06:41.325: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x2 id: 0x5A length: 0x002B type: 0x2B data:
*Mar 1 00:06:41.325: dot1x-ev:GigabitEthernet0:Sending EAPOL packet to 5475.d0e3.1403
*Mar 1 00:06:41.325: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on GigabitEthernet0.
*Mar 1 00:06:41.325: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on GigabitEthernet0
*Mar 1 00:06:41.325: EAPOL pak dump Tx
*Mar 1 00:06:41.325: EAPOL Version: 0x2 type: 0x0 length: 0x002B
*Mar 1 00:06:41.325: EAP code: 0x2 id: 0x5A length: 0x002B type: 0x2B
*Mar 1 00:06:41.325: dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_request_response_action called
*Mar 1 00:06:41.325: dot1x_supp_bend Gi0: idle during state supp_bend_response
*Mar 1 00:06:41.325: @@@ dot1x_supp_bend Gi0: supp_bend_response -> supp_bend_receive
*Mar 1 00:06:41.325: dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_receive_enter called
*Mar 1 00:06:41.338: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on GigabitEthernet0.
*Mar 1 00:06:41.338: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Supplicant Q
*Mar 1 00:06:41.338: dot1x-ev:Enqueued the eapol packet to the global supplicant queue
*Mar 1 00:06:41.338: dot1x-packet:Received an EAPOL frame on interface GigabitEthernet0
*Mar 1 00:06:41.338: dot1x-ev:Received pkt saddr =5475.d0e3.1403 , daddr = 5475.d063.f8aa, pae-ether-type = 888e.0300.0004
*Mar 1 00 Translating "CISCO-CAPWAP-CONTROLLER.demo.local"...domain server (10.1.100.10) :06:41.338: dot1x-err:Protocol version != 2 :version of received eapol = 3 on interface GigabitEthernet0
*Mar 1 00:06:41.338: dot1x-ev:Found an authenticator for mac 5475.d0e3.1403 2AE3AF0
*Mar 1 00:06:41.338: dot1x-packet:Received an EAP packet on interface GigabitEthernet0
*Mar 1 00:06:41.338: EAPOL pak dump rx
*Mar 1 00:06:41.338: EAPOL Version: 0x3 type: 0x0 length: 0x0004
*Mar 1 00:06:41.338: dot1x-packet:Received an EAP packet on the GigabitEthernet0 from mac 5475.d0e3.1403
*Mar 1 00:06:41.338: dot1x-ev: dot1x_post_message_to_supp_bend_sm:5475.d0e3.1403: Received EAP_PKT
*Mar 1 00:06:41.338: dot1x_supp_bend Gi0: during state supp_bend_receive, got event 7(eapolEap)
*Mar 1 00:06:41.338: @@@ dot1x_supp_bend Gi0: supp_bend_receive -> supp_bend_request
*Mar 1 00:06:41.338: dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_receive_exit called
*Mar 1 00:06:41.338: dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_request_enter called
*Mar 1 00:06:41.338: dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_receive_request_action called
*Mar 1 00:06:41.338: dot1x-packet:Received an EAP Fail packet on the GigabitEthernet0 for mac 5475.d0e3.1403
*Mar 1 00:06:41.338: dot1x-ev: dot1x_post_message_to_supp_bend_sm:5475.d0e3.1403: Received EAP_FAIL
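An added triage helper, not part of the original post: it reduces dot1x debug output like the captures above to the EAP frames the switch queued, how many responses it relayed to the RADIUS server, the final result, and any EAPOL version complaint from the AP. The `summarize` function and its field names are assumptions made for this example; the EAP code and type names come from RFC 3748 and the IANA EAP registry.

```python
import re

# EAP codes (RFC 3748) and a few EAP method types from the IANA EAP registry.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 43: "EAP-FAST"}

# Sample input: debug lines copied from the post (first five from the switch,
# the last from the AP console with its interleaved console text left as-is).
SAMPLE = '''\
*Mar 1 01:33:54.911: dot1x-ev: dot1x_auth_queue_event: Int Gi0/3 CODE= 2,TYPE= 43,LEN= 107
*Mar 1 01:33:54.911: dot1x-ev(Gi0/3): dot1x_sendRespToServer: Response sent to the server from 0xFF000015 (5475.d063.f8aa)
*Mar 1 01:33:54.937: dot1x-ev: dot1x_auth_queue_event: Int Gi0/3 CODE= 2,TYPE= 43,LEN= 43
*Mar 1 01:33:54.937: dot1x-ev(Gi0/3): dot1x_sendRespToServer: Response sent to the server from 0xFF000015 (5475.d063.f8aa)
*Mar 1 01:33:54.945: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (5475.d063.f8aa) on Interface Gi0/3 AuditSessionID 0A01FA020000001300550D51
*Mar 1 00 Translating "CISCO-CAPWAP-CONTROLLER.demo.local"...domain server (10.1.100.10) :06:41.338: dot1x-err:Protocol version != 2 :version of received eapol = 3 on interface GigabitEthernet0
'''

FRAME = re.compile(r"CODE=\s*(\d+),TYPE=\s*(\d+),LEN=\s*(\d+)")
RELAY = re.compile(r"dot1x_sendRespToServer")
RESULT = re.compile(r"Authentication result '(\w+)' from '(\w+)'")
VERSION = re.compile(r"Protocol version != (\d+) :version of received eapol = (\d+)")


def summarize(log):
    """Reduce a dot1x debug capture to the facts that matter for triage."""
    out = {"frames": [], "relayed": 0, "result": None, "version_mismatch": None}
    for line in log.splitlines():
        if m := FRAME.search(line):
            code, typ, length = map(int, m.groups())
            # Unknown codes/types are kept numerically instead of being dropped.
            out["frames"].append((EAP_CODES.get(code, f"code {code}"),
                                  EAP_TYPES.get(typ, f"type {typ}"), length))
        elif RELAY.search(line):
            out["relayed"] += 1          # switch forwarded a response to RADIUS
        elif m := RESULT.search(line):
            out["result"] = m.groups()   # (result, method)
        elif m := VERSION.search(line):
            out["version_mismatch"] = tuple(map(int, m.groups()))  # (expected, received)
    return out


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample lines, both queued frames decode as EAP Response with type 43 (EAP-FAST), and each is followed by a relay to the server before the 'fail' result is logged.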