Hello Pavit,

Check the log on the switch to see what’s going on. Elevate the debug logs.

Thanks,

Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

> On Mar 12, 2021, at 7:32 AM, Pavit Maddy <pavitgulat...@gmail.com> wrote:
> 
> Hey Ludovic
> The issue still persists.
> What else can be done ?
> 
> On Wed, Mar 10, 2021, 18:24 Ludovic Zammit <lzam...@inverse.ca> wrote:
> Ok, try that:
> 
> conf t
> default int GigabitEthernet1/0/28
> int GigabitEthernet1/0/28
> 
> switchport mode access
> switchport voice vlan 999
> authentication host-mode multi-domain
> authentication order dot1x mab
> authentication priority dot1x mab
> authentication port-control auto
> authentication periodic
> authentication timer restart 10800
> authentication timer reauthenticate 10800
> authentication violation replace
> mab
> no snmp trap link-status
> dot1x pae authenticator
> dot1x timeout quiet-period 2
> dot1x timeout tx-period 3
> 
> shut
> no shut
> 
> end
> 
> Check if PF receives the radius request:
> 
> test aaa group radius bob bob legacy
> 
> Check in your radius logs or the Auditing tab in PF if you see the user bob
> being rejected / fails
> 
> Thanks,
> 
> Ludovic Zammit
> 
>> On Mar 8, 2021, at 11:26 PM, Pavit Maddy <pavitgulat...@gmail.com> wrote:
>> 
>> Thanxx for your reply Ludovic
>> 
>> Here is my configuration
>> 
>> Version Details
>> 
>> Switch Ports Model              SW Version        SW Image              Mode
>> ------ ----- -----              ----------        ----------            ----
>> *    1 29    C9300L-24P-4X      16.12.4           CAT9K_IOSXE           INSTALL
>> 
>> 
>> 
>> Global Commands
>> 
>> aaa group server radius packetfence
>>  server name pfnac
>> aaa authentication dot1x default group packetfence
>> aaa authorization network default group packetfence
>> aaa accounting dot1x default start-stop group packetfence
>> aaa accounting update periodic 1
>> dot1x system-auth-control
>> radius-server vsa send authentication
>> aaa server radius dynamic-author
>>  client X.X.X.X server-key 7 **************
>>  port 3799
>> radius server pfnac
>>  address ipv4 X.X.X.X auth-port 1812 acct-port 1813
>>  key 7 ***************
>> snmp-server community abcd RW
>> snmp-server community abc RO
>> 
>> 
>> Interface Commands
>> 
>> switchport mode access
>>  switchport voice vlan 999
>>  ip flow monitor SMC-flow-monitor input
>>  authentication host-mode multi-auth
>>  authentication order dot1x mab
>>  authentication priority dot1x mab
>>  authentication port-control auto
>>  authentication periodic
>>  authentication timer reauthenticate server
>>  authentication timer restart 10800
>>  authentication violation replace
>>  mab
>>  no snmp trap link-status
>>  dot1x pae authenticator
>>  dot1x timeout quiet-period 2
>>  dot1x timeout tx-period 3
>>  spanning-tree portfast
>>  spanning-tree bpduguard enable
>> 
>> Thanks
>> 
>> On Tue, Mar 9, 2021 at 1:31 AM Ludovic Zammit <lzam...@inverse.ca> wrote:
>> Hello Pavit,
>> 
>> Which IOS are you running on the Cisco Catalyst 9300?
>> 
>> Show me the config and I will check it out.
>> 
>> Thanks,
>> 
>> Ludovic Zammit
>> 
>>> On Mar 8, 2021, at 9:36 AM, Pavit Maddy <pavitgulat...@gmail.com> wrote:
>>> 
>>> Greetings to all
>>> 
>>> We have added new cisco9300 catalyst switches in our environment for dot1x 
>>> authentication using Packetfence. These new switches have been configured 
>>> in the same way as we configured cisco2960-x Switch.
>>> But when debugging dot1x events, we came across a message 
>>> 
>>> %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or 
>>> unapplied for client (XXXX.XXXX.XXXX) on Interface GigabitEthernet1/0/28 
>>> AuditSessionID 1180FC0A00000047DE238CC2. Failure reason: Authc fail.
>>> 
>>> What does this event indicate ?
>>> 
>>> Regards
>> 
> 

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
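
An added example, not part of the original thread or of PacketFence: a small parser for the `%SESSION_MGR-5-FAIL` message quoted above, pulling out the client MAC, interface and AuditSessionID so each switch-side failure can be looked up in the RADIUS audit log. The sample log lines, MAC addresses and session IDs are constructed, and the colon-separated lowercase MAC form is an assumption about how the address is searched on the RADIUS side.

```python
import re
from collections import Counter

# Pattern follows the layout of the %SESSION_MGR-5-FAIL line quoted in the thread.
FAIL_RE = re.compile(
    r"%SESSION_MGR-5-FAIL:.*?for client \((?P<mac>(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4})\) "
    r"on Interface (?P<interface>\S+) "
    r"AuditSessionID (?P<session>[0-9A-Fa-f]+)\. "
    r"Failure reason: (?P<reason>.+?)\.?\s*$"
)

def normalize_mac(cisco_mac):
    """Convert Cisco dotted notation (aabb.ccdd.eeff) to aa:bb:cc:dd:ee:ff."""
    digits = cisco_mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_failures(lines):
    """Return one dict per session-manager failure; other syslog lines are skipped."""
    events = []
    for line in lines:
        m = FAIL_RE.search(line)
        if m is None:
            continue
        events.append({
            "mac": normalize_mac(m.group("mac")),
            "interface": m.group("interface"),
            "session": m.group("session").upper(),
            "reason": m.group("reason"),
        })
    return events

def failures_per_client(events):
    """Count failures per (interface, MAC) to show which clients to look up first."""
    return Counter((e["interface"], e["mac"]) for e in events)

# Constructed sample input: same message layout as the thread, made-up values.
_PREFIX = "%SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client "
SAMPLE_LOG = [
    "Mar  8 09:30:01: " + _PREFIX + "(0011.2233.4455) on Interface GigabitEthernet1/0/28 "
    "AuditSessionID 00000000000000470000AAAA. Failure reason: Authc fail.",
    "Mar  8 09:30:02: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/28, changed state to up",
    "Mar  8 09:30:14: " + _PREFIX + "(0011.2233.4455) on Interface GigabitEthernet1/0/28 "
    "AuditSessionID 00000000000000480000BBBB. Failure reason: Authc fail.",
    "Mar  8 09:31:40: " + _PREFIX + "(AABB.CCDD.EEFF) on Interface GigabitEthernet1/0/12 "
    "AuditSessionID 00000000000000490000cccc. Failure reason: Authc fail.",
]

if __name__ == "__main__":
    for (interface, mac), count in failures_per_client(parse_failures(SAMPLE_LOG)).items():
        print(f"{interface} {mac}: {count} failure(s)")
```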
