If you've been at this for a while, ISE is likely auto-blocking the AP's 802.1x authentication attempts.
Go to Administration --> System --> Settings --> Protocols --> Radius --> Uncheck the "Reject Requests After Detection" box. This is a default setting that can hurt during implementations and/or lab testing. Good to disable it during these scenarios.

From: [email protected] [mailto:[email protected]] On Behalf Of jeremy co
Sent: Friday, November 15, 2013 7:31 PM
To: Cisco certification; [email protected]; Jay McMickle; Piotr Kaluzny
Subject: [OSL | CCIE_Security] Freaking stuck on AP (itself) dot1x authentication with Radius server, please help

All,

I'm trying to authenticate the AP with dot1x (NOT MAB) to ISE. My understanding is the WLC pushes the 802.1x auth user/pass to the AP, then the AP tries to respond to the switch's EAP. The switch uses open authentication, so it passes the user/pass to ISE. I think in my case the switch never received the user/pass from the AP to pass it on to ISE. Can anyone shed some light on this?

AP--SW-WLC and ISE

On WLC: I enabled user/pass on 802.1x in the global config. Registered the AP with the WLC without the dot1x config on the switch port, and once it registered put the dot1x config on the switch.

On ISE: I've got the authen/author profile and username/pass set up for the AP.
On Sw:

interface GigabitEthernet0/3
 description Access Point
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 40
 ip access-group ACL-DEFAULT in
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 spanning-tree portfast

3k-access#test aaa gr radius apuser Cisco123 new-code
User successfully authenticated

On AP:

AP5475.d063.f8aa#sh dot1x
Sysauthcontrol Disabled
Dot1x Protocol Version 2

Debug on the switch:

*Mar 1 01:33:54.870: dot1x-ev(Gi0/3): Received pkt saddr =5475.d063.f8aa , daddr = 5475.d0e3.1403, pae-ether-type = 888e.0200.003b
*Mar 1 01:33:54.870: dot1x-ev(Gi0/3): dot1x_sendRespToServer: Response sent to the server from 0xFF000015 (5475.d063.f8aa)
*Mar 1 01:33:54.895: dot1x-ev(Gi0/3): Sending EAPOL packet to 5475.d063.f8aa
*Mar 1 01:33:54.895: dot1x-ev(Gi0/3): Role determination not required
*Mar 1 01:33:54.895: dot1x-ev(Gi0/3): Sending out EAPOL packet
*Mar 1 01:33:54.911: dot1x-ev(Gi0/3): Role determination not required
*Mar 1 01:33:54.911: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar 1 01:33:54.911: EAPOL pak dump rx
*Mar 1 01:33:54.911: EAPOL Version: 0x2 type: 0x0 length: 0x006B
*Mar 1 01:33:54.911: dot1x-ev: dot1x_auth_queue_event: Int Gi0/3 CODE= 2,TYPE= 43,LEN= 107
*Mar 1 01:33:54.911: dot1x-ev(Gi0/3): Received pkt saddr =5475.d063.f8aa , daddr = 5475.d0e3.1403, pae-ether-type = 888e.0200.006b
*Mar 1 01:33:54.911: dot1x-ev(Gi0/3): dot1x_sendRespToServer: Response sent to the server from 0xFF000015 (5475.d063.f8aa)
*Mar 1 01:33:54.920: dot1x-ev(Gi0/3): Sending EAPOL packet to 5475.d063.f8aa
*Mar 1 01:33:54.920: dot1x-ev(Gi0/3): Role determination not required
*Mar 1 01:33:54.920: dot1x-ev(Gi0/3): Sending out EAPOL packet
*Mar 1 01:33:54.937: dot1x-ev(Gi0/3): Role determination not required
*Mar 1 01:33:54.937: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar 1 01:33:54.937: EAPOL pak dump rx
*Mar 1 01:33:54.937: EAPOL Version: 0x2 type: 0x0 length: 0x002B
*Mar 1 01:33:54.937: dot1x-ev: dot1x_auth_queue_event: Int Gi0/3 CODE= 2,TYPE= 43,LEN= 43
*Mar 1 01:33:54.937: dot1x-ev(Gi0/3): Received pkt saddr =5475.d063.f8aa , daddr = 5475.d0e3.1403, pae-ether-type = 888e.0200.002b
*Mar 1 01:33:54.937: dot1x-ev(Gi0/3): dot1x_sendRespToServer: Response sent to the server from 0xFF000015 (5475.d063.f8aa)
*Mar 1 01:33:54.945: dot1x-ev(Gi0/3): Received an EAP Fail
*Mar 1 01:33:54.945: %DOT1X-5-FAIL: Authentication failed for client (5475.d063.f8aa) on Interface Gi0/3 AuditSessionID
*Mar 1 01:33:54.945: dot1x-ev(Gi0/3): Sending event (2) to Auth Mgr for 5475.d063.f8aa
*Mar 1 01:33:54.945: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (5475.d063.f8aa) on Interface Gi0/3 AuditSessionID 0A01FA020000001300550D51
*Mar 1 01:33:54.945: %AUTHMGR-5-FAIL: Authorization failed for client (5475.d063.f8aa) on Interface Gi0/3 AuditSessionID 0A01FA020000001300550D51ogg
3k-access(config)#no epm logging
3k-access(config)#
*Mar 1 01:33:54.945: dot1x-ev(Gi0/3): Received Authz fail for the client 0xFF000015 (5475.d063.f8aa)
*Mar 1 01:33:54.953: dot1x-ev(Gi0/3): Sending EAPOL packet to 5475.d063.f8aa
*Mar 1 01:33:54.953: dot1x-ev(Gi0/3): Role determination not required
*Mar 1 01:33:54.953: dot1x-ev(Gi0/3): Sending out EAPOL packet

---------------------------------------------------------------------------------------------------------------------

On AP console:

*Mar 1 00:06:41.325: dot1x-packet:Received an EAP packet on the GigabitEthernet0 from mac 5475.d0e3.1403
*Mar 1 00:06:41.325: dot1x-ev: dot1x_post_message_to_supp_bend_sm:5475.d0e3.1403: Received EAP_PKT
*Mar 1 00:06:41.325: dot1x_supp_bend Gi0: during state supp_bend_receive, got event 7(eapolEap)
*Mar 1 00:06:41.325: @@@ dot1x_supp_bend Gi0: supp_bend_receive -> supp_bend_request
*Mar 1 00:06:41.325: dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_receive_exit called
*Mar 1 00:06:41.325: dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_request_enter called
*Mar 1 00:06:41.325: dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_receive_request_action called
*Mar 1 00:06:41.325: dot1x-packet:Received an EAP response packet from EAP for mac 5475.d0e3.1403
*Mar 1 00:06:41.325: dot1x-ev: dot1x_post_message_to_supp_bend_sm:5475.d0e3.1403: Sending EAP_RESPONSE
*Mar 1 00:06:41.325: dot1x_supp_bend Gi0: during state supp_bend_request, got event 2(eapResp)
*Mar 1 00:06:41.325: @@@ dot1x_supp_bend Gi0: supp_bend_request -> supp_bend_response
*Mar 1 00:06:41.325: dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_response_enter called
*Mar 1 00:06:41.325: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x2 id: 0x5A length: 0x002B type: 0x2B data:
*Mar 1 00:06:41.325: dot1x-ev:GigabitEthernet0:Sending EAPOL packet to 5475.d0e3.1403
*Mar 1 00:06:41.325: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on GigabitEthernet0.
*Mar 1 00:06:41.325: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on GigabitEthernet0
*Mar 1 00:06:41.325: EAPOL pak dump Tx
*Mar 1 00:06:41.325: EAPOL Version: 0x2 type: 0x0 length: 0x002B
*Mar 1 00:06:41.325: EAP code: 0x2 id: 0x5A length: 0x002B type: 0x2B
*Mar 1 00:06:41.325: dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_request_response_action called
*Mar 1 00:06:41.325: dot1x_supp_bend Gi0: idle during state supp_bend_response
*Mar 1 00:06:41.325: @@@ dot1x_supp_bend Gi0: supp_bend_response -> supp_bend_receive
*Mar 1 00:06:41.325: dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_receive_enter called
*Mar 1 00:06:41.338: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on GigabitEthernet0.
*Mar 1 00:06:41.338: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Supplicant Q
*Mar 1 00:06:41.338: dot1x-ev:Enqueued the eapol packet to the global supplicant queue
*Mar 1 00:06:41.338: dot1x-packet:Received an EAPOL frame on interface GigabitEthernet0
*Mar 1 00:06:41.338: dot1x-ev:Received pkt saddr =5475.d0e3.1403 , daddr = 5475.d063.f8aa, pae-ether-type = 888e.0300.0004
*Mar 1 00 Translating "CISCO-CAPWAP-CONTROLLER.demo.local"...domain server (10.1.100.10) :06:41.338: dot1x-err:Protocol version != 2 :version of received eapol = 3 on interface GigabitEthernet0
*Mar 1 00:06:41.338: dot1x-ev:Found an authenticator for mac 5475.d0e3.1403 2AE3AF0
*Mar 1 00:06:41.338: dot1x-packet:Received an EAP packet on interface GigabitEthernet0
*Mar 1 00:06:41.338: EAPOL pak dump rx
*Mar 1 00:06:41.338: EAPOL Version: 0x3 type: 0x0 length: 0x0004
*Mar 1 00:06:41.338: dot1x-packet:Received an EAP packet on the GigabitEthernet0 from mac 5475.d0e3.1403
*Mar 1 00:06:41.338: dot1x-ev: dot1x_post_message_to_supp_bend_sm:5475.d0e3.1403: Received EAP_PKT
*Mar 1 00:06:41.338: dot1x_supp_bend Gi0: during state supp_bend_receive, got event 7(eapolEap)
*Mar 1 00:06:41.338: @@@ dot1x_supp_bend Gi0: supp_bend_receive -> supp_bend_request
*Mar 1 00:06:41.338: dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_receive_exit called
*Mar 1 00:06:41.338: dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_request_enter called
*Mar 1 00:06:41.338: dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_receive_request_action called
*Mar 1 00:06:41.338: dot1x-packet:Received an EAP Fail packet on the GigabitEthernet0 for mac 5475.d0e3.1403
*Mar 1 00:06:41.338: dot1x-ev: dot1x_post_message_to_supp_bend_sm:5475.d0e3.1403: Received EAP_FAIL
_______________________________________________ Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos :: iPexpert on YouTube: www.youtube.com/ipexpertinc
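As an added example (not part of the thread, not Cisco's or ISE's code), here is a small Python parser over the switch-side dot1x debug quoted above. It reconstructs what the authenticator did: which EAP method the AP answered with (EAP type 43 is EAP-FAST per RFC 4851), how many responses were relayed to RADIUS, and whether the EAP-Fail came back from the server. The embedded log lines are copied from the thread; the verdict strings and the "nothing relayed" branch are this example's own assumptions about how to read such a trace.

```python
import re

# Switch-side debug lines copied from the thread above (abbreviated to the decisive ones).
SWITCH_DEBUG = """\
*Mar 1 01:33:54.911: EAPOL Version: 0x2 type: 0x0 length: 0x006B
*Mar 1 01:33:54.911: dot1x-ev: dot1x_auth_queue_event: Int Gi0/3 CODE= 2,TYPE= 43,LEN= 107
*Mar 1 01:33:54.911: dot1x-ev(Gi0/3): dot1x_sendRespToServer: Response sent to the server from 0xFF000015 (5475.d063.f8aa)
*Mar 1 01:33:54.937: dot1x-ev: dot1x_auth_queue_event: Int Gi0/3 CODE= 2,TYPE= 43,LEN= 43
*Mar 1 01:33:54.937: dot1x-ev(Gi0/3): dot1x_sendRespToServer: Response sent to the server from 0xFF000015 (5475.d063.f8aa)
*Mar 1 01:33:54.945: dot1x-ev(Gi0/3): Received an EAP Fail
*Mar 1 01:33:54.945: %DOT1X-5-FAIL: Authentication failed for client (5475.d063.f8aa) on Interface Gi0/3 AuditSessionID
"""

# EAP codes and method types from RFC 3748 (Identity, Nak, PEAP) and RFC 4851 (EAP-FAST = 43).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 25: "PEAP", 43: "EAP-FAST"}

QUEUE_RE = re.compile(r"CODE= (\d+),TYPE= (\d+),LEN= (\d+)")
RELAY_RE = re.compile(r"dot1x_sendRespToServer: Response sent to the server .*\(([0-9a-f.]+)\)")
FAIL_RE = re.compile(r"%DOT1X-5-FAIL: Authentication failed for client \(([0-9a-f.]+)\) on Interface (\S+)")


def summarize_dot1x_debug(text: str) -> dict:
    """Reconstruct what the authenticator (switch) did with the supplicant's EAP traffic:
    method used, responses relayed to RADIUS, and whether the server issued the failure."""
    summary = {"methods": set(), "relayed_to_server": 0, "eap_fail_from_server": False,
               "failed_clients": [], "verdict": "undetermined"}
    for line in text.splitlines():
        m = QUEUE_RE.search(line)
        if m and EAP_CODES.get(int(m.group(1))) == "Response":
            summary["methods"].add(EAP_TYPES.get(int(m.group(2)), "type-" + m.group(2)))
        if RELAY_RE.search(line):
            summary["relayed_to_server"] += 1
        if "Received an EAP Fail" in line:
            summary["eap_fail_from_server"] = True
        m = FAIL_RE.search(line)
        if m:
            summary["failed_clients"].append((m.group(1), m.group(2)))
    # The question in the thread is whether the switch ever forwarded the AP's credentials.
    if summary["relayed_to_server"] == 0:
        summary["verdict"] = "nothing relayed: look between supplicant and switch"
    elif summary["eap_fail_from_server"]:
        summary["verdict"] = "responses reached RADIUS; the reject was issued by the server"
    return summary


if __name__ == "__main__":
    for key, value in summarize_dot1x_debug(SWITCH_DEBUG).items():
        print(f"{key}: {value}")
```

Run against the thread's trace it reports two EAP-FAST responses relayed and an EAP-Fail returned, which points at the RADIUS side (such as the ISE setting named in the reply) rather than at the AP-to-switch hop.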
