Can you also send the output of "show run | s lwapp" from the AP?
Regards,
Piotr Kaluzny : Sr Instructor : iPexpert
CCIE # 25665 :: Security

On Sat, Nov 16, 2013 at 1:31 AM, jeremy co <jeremy.coo...@gmail.com> wrote:

> All,
>
> I'm trying to authenticate AP with dot1x (NOT MAB) to ISE. My understanding
> is wlc push 802.1x auth user/pass to AP, then AP tries to respond to
> switch's EAP. Switch use open authentication so pass user/pass to ISE.
>
> I think in my case switch never received user/pass from AP to pass it on to
> ISE.
>
> Can anyone shed some light on this?
>
> AP--SW-WLC and ISE
>
> on WLC: I enabled user/pass on 8021x on global config. Registered ap
> without dot1x config on sw port with wlc and once it registered put the
> dot1x config on the sw.
>
>
> on ISE: I've got authen/author profile and username/pass setup for the ap.
>
> on Sw:
>
> interface GigabitEthernet0/3
>  description Access Point
>  switchport access vlan 10
>  switchport mode access
>  switchport voice vlan 40
>  ip access-group ACL-DEFAULT in
>  authentication host-mode multi-auth
>  authentication open
>  authentication order dot1x mab
>  authentication priority dot1x mab
>  authentication port-control auto
>  authentication periodic
>  authentication timer reauthenticate server
>  mab
>  dot1x pae authenticator
>  spanning-tree portfast
>
> 3k-access#test aaa gr radius apuser Cisco123 new-code
> User successfully authenticated
>
> on AP:
>
> AP5475.d063.f8aa#sh dot1x
> Sysauthcontrol Disabled
> Dot1x Protocol Version 2
>
>
> *Debug on the switch: *
>
>
> *Mar 1 01:33:54.870: dot1x-ev(Gi0/3): Received pkt saddr =5475.d063.f8aa
> , daddr = 5475.d0e3.1403,
> pae-ether-type = 888e.0200.003b
> *Mar 1 01:33:54.870: dot1x-ev(Gi0/3): dot1x_sendRespToServer: Response
> sent to the server from 0xFF000015 (5475.d063.f8aa)
> *Mar 1 01:33:54.895: dot1x-ev(Gi0/3): Sending EAPOL packet to
> 5475.d063.f8aa
> *Mar 1 01:33:54.895: dot1x-ev(Gi0/3): Role determination not required
> *Mar 1 01:33:54.895: dot1x-ev(Gi0/3): Sending out EAPOL packet
> *Mar 1 01:33:54.911: dot1x-ev(Gi0/3): Role determination not required
> *Mar 1 01:33:54.911: dot1x-ev:Enqueued the eapol packet to the global
> authenticator queue
> *Mar 1 01:33:54.911: EAPOL pak dump rx
> *Mar 1 01:33:54.911: EAPOL Version: 0x2 type: 0x0 length: 0x006B
> *Mar 1 01:33:54.911: dot1x-ev:
> dot1x_auth_queue_event: Int Gi0/3 CODE= 2,TYPE= 43,LEN= 107
>
> *Mar 1 01:33:54.911: dot1x-ev(Gi0/3): Received pkt saddr =5475.d063.f8aa
> , daddr = 5475.d0e3.1403,
> pae-ether-type = 888e.0200.006b
> *Mar 1 01:33:54.911: dot1x-ev(Gi0/3): dot1x_sendRespToServer: Response
> sent to the server from 0xFF000015 (5475.d063.f8aa)
> *Mar 1 01:33:54.920: dot1x-ev(Gi0/3): Sending EAPOL packet to
> 5475.d063.f8aa
> *Mar 1 01:33:54.920: dot1x-ev(Gi0/3): Role determination not required
> *Mar 1 01:33:54.920: dot1x-ev(Gi0/3): Sending out EAPOL packet
> *Mar 1 01:33:54.937: dot1x-ev(Gi0/3): Role determination not required
> *Mar 1 01:33:54.937: dot1x-ev:Enqueued the eapol packet to the global
> authenticator queue
> *Mar 1 01:33:54.937: EAPOL pak dump rx
> *Mar 1 01:33:54.937: EAPOL Version: 0x2 type: 0x0 length: 0x002B
> *Mar 1 01:33:54.937: dot1x-ev:
> dot1x_auth_queue_event: Int Gi0/3 CODE= 2,TYPE= 43,LEN= 43
>
> *Mar 1 01:33:54.937: dot1x-ev(Gi0/3): Received pkt saddr =5475.d063.f8aa
> , daddr = 5475.d0e3.1403,
> pae-ether-type = 888e.0200.002b
> *Mar 1 01:33:54.937: dot1x-ev(Gi0/3): dot1x_sendRespToServer: Response
> sent to the server from 0xFF000015 (5475.d063.f8aa)
> *Mar 1 01:33:54.945: dot1x-ev(Gi0/3): Received an EAP Fail
> *Mar 1 01:33:54.945: %DOT1X-5-FAIL: Authentication failed for client
> (5475.d063.f8aa) on Interface Gi0/3 AuditSessionID
> *Mar 1 01:33:54.945: dot1x-ev(Gi0/3): Sending event (2) to Auth Mgr for
> 5475.d063.f8aa
> *Mar 1 01:33:54.945: %AUTHMGR-7-RESULT: Authentication result 'fail' from
> 'dot1x' for client (5475.d063.f8aa) on Interface Gi0/3 AuditSessionID
> 0A01FA020000001300550D51
> *Mar 1 01:33:54.945: %AUTHMGR-5-FAIL: Authorization failed for client
> (5475.d063.f8aa) on Interface Gi0/3 AuditSessionID
> 0A01FA020000001300550D51ogg
> 3k-access(config)#no epm logging
> 3k-access(config)#
> *Mar 1 01:33:54.945: dot1x-ev(Gi0/3): Received Authz fail for the client
> 0xFF000015 (5475.d063.f8aa)
> *Mar 1 01:33:54.953: dot1x-ev(Gi0/3): Sending EAPOL packet to
> 5475.d063.f8aa
> *Mar 1 01:33:54.953: dot1x-ev(Gi0/3): Role determination not required
> *Mar 1 01:33:54.953: dot1x-ev(Gi0/3): Sending out EAPOL packet
>
>
> ----------------------------------------------------------------------
>
> *on AP console :*
>
> *Mar 1 00:06:41.325: dot1x-packet:Received an EAP packet on the
> GigabitEthernet0 from mac 5475.d0e3.1403
> *Mar 1 00:06:41.325: dot1x-ev:
> dot1x_post_message_to_supp_bend_sm:5475.d0e3.1403: Received EAP_PKT
>
> *Mar 1 00:06:41.325: dot1x_supp_bend Gi0: during state
> supp_bend_receive, got event 7(eapolEap)
> *Mar 1 00:06:41.325: @@@ dot1x_supp_bend Gi0: supp_bend_receive ->
> supp_bend_request
> *Mar 1 00:06:41.325: dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_receive_exit
> called
> *Mar 1 00:06:41.325: dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_request_enter
> called
> *Mar 1 00:06:41.325:
> dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_receive_request_action called
> *Mar 1 00:06:41.325: dot1x-packet:Received an EAP response packet from
> EAP for mac 5475.d0e3.1403
> *Mar 1 00:06:41.325: dot1x-ev:
> dot1x_post_message_to_supp_bend_sm:5475.d0e3.1403: Sending EAP_RESPONSE
>
> *Mar 1 00:06:41.325: dot1x_supp_bend Gi0: during state
> supp_bend_request, got event 2(eapResp)
> *Mar 1 00:06:41.325: @@@ dot1x_supp_bend Gi0: supp_bend_request ->
> supp_bend_response
> *Mar 1 00:06:41.325: dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_response_enter
> called
> *Mar 1 00:06:41.325: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x2
> id: 0x5A length: 0x002B type: 0x2B data:
> *Mar 1 00:06:41.325: dot1x-ev:GigabitEthernet0:Sending EAPOL packet to
> 5475.d0e3.1403
> *Mar 1 00:06:41.325: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role
> determination not required on GigabitEthernet0.
> *Mar 1 00:06:41.325: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL
> packet on GigabitEthernet0
> *Mar 1 00:06:41.325: EAPOL pak dump Tx
> *Mar 1 00:06:41.325: EAPOL Version: 0x2 type: 0x0 length: 0x002B
> *Mar 1 00:06:41.325: EAP code: 0x2 id: 0x5A length: 0x002B type: 0x2B
> *Mar 1 00:06:41.325:
> dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_request_response_action called
> *Mar 1 00:06:41.325: dot1x_supp_bend Gi0: idle during state
> supp_bend_response
> *Mar 1 00:06:41.325: @@@ dot1x_supp_bend Gi0: supp_bend_response ->
> supp_bend_receive
> *Mar 1 00:06:41.325: dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_receive_enter
> called
> *Mar 1 00:06:41.338: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role
> determination not required on GigabitEthernet0.
> *Mar 1 00:06:41.338: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an
> EAPOL pkt on Supplicant Q
> *Mar 1 00:06:41.338: dot1x-ev:Enqueued the eapol packet to the global
> supplicant queue
>
> *Mar 1 00:06:41.338: dot1x-packet:Received an EAPOL frame on interface
> GigabitEthernet0
> *Mar 1 00:06:41.338: dot1x-ev:Received pkt saddr =5475.d0e3.1403 , daddr
> = 5475.d063.f8aa,
> pae-ether-type = 888e.0300.0004
> *Mar 1 00
> Translating "CISCO-CAPWAP-CONTROLLER.demo.local"...domain server
> (10.1.100.10)
> :06:41.338: dot1x-err:Protocol version != 2 :version of received eapol = 3
> on interface GigabitEthernet0
> *Mar 1 00:06:41.338: dot1x-ev:Found an authenticator for mac
> 5475.d0e3.1403 2AE3AF0
>
> *Mar 1 00:06:41.338: dot1x-packet:Received an EAP packet on interface
> GigabitEthernet0
> *Mar 1 00:06:41.338: EAPOL pak dump rx
> *Mar 1 00:06:41.338: EAPOL Version: 0x3 type: 0x0 length: 0x0004
> *Mar 1 00:06:41.338: dot1x-packet:Received an EAP packet on the
> GigabitEthernet0 from mac 5475.d0e3.1403
> *Mar 1 00:06:41.338: dot1x-ev:
> dot1x_post_message_to_supp_bend_sm:5475.d0e3.1403: Received EAP_PKT
>
> *Mar 1 00:06:41.338: dot1x_supp_bend Gi0: during state
> supp_bend_receive, got event 7(eapolEap)
> *Mar 1 00:06:41.338: @@@ dot1x_supp_bend Gi0: supp_bend_receive ->
> supp_bend_request
> *Mar 1 00:06:41.338: dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_receive_exit
> called
> *Mar 1 00:06:41.338: dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_request_enter
> called
> *Mar 1 00:06:41.338:
> dot1x-sm:Gi0:5475.d0e3.1403:supp_bend_receive_request_action called
> *Mar 1 00:06:41.338: dot1x-packet:Received an EAP Fail packet on the
> GigabitEthernet0 for mac 5475.d0e3.1403
> *Mar 1 00:06:41.338: dot1x-ev:
> dot1x_post_message_to_supp_bend_sm:5475.d0e3.1403: Received EAP_FAIL
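An added example, not part of the thread or of any Cisco tooling: a small Python parser for the dot1x debug format quoted above that decodes the EAPOL header fields, the EAP method number, the EAPOL version each MAC transmits and the client that failed. The sample lines are taken from the quoted debugs with the e-mail wrapping removed; the type names come from IEEE 802.1X and the IANA EAP registry.

```python
import re

# Names for the numeric fields the debug prints (IEEE 802.1X, IANA EAP registry).
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 43: "EAP-FAST"}

# "pae-ether-type = 888e.VVTT.LLLL" is EtherType, EAPOL version, EAPOL type, body length.
PAE_RE = re.compile(
    r"saddr\s*=\s*([0-9a-f.]+)\s*,\s*daddr\s*=\s*([0-9a-f.]+),\s*"
    r"pae-ether-type\s*=\s*888e\.([0-9a-f]{2})([0-9a-f]{2})\.([0-9a-f]{4})")
EAP_RE = re.compile(r"CODE=\s*(\d+),TYPE=\s*(\d+),LEN=\s*(\d+)")
FAIL_RE = re.compile(r"%DOT1X-5-FAIL: Authentication failed for client\s+\(([0-9a-f.]+)\)")

# Sample input: four entries from the debugs quoted above, with the e-mail
# line wrapping and "> " quote markers removed.
SAMPLE = """\
*Mar 1 01:33:54.911: dot1x-ev(Gi0/3): Received pkt saddr =5475.d063.f8aa , daddr = 5475.d0e3.1403, pae-ether-type = 888e.0200.006b
*Mar 1 01:33:54.911: dot1x-ev: dot1x_auth_queue_event: Int Gi0/3 CODE= 2,TYPE= 43,LEN= 107
*Mar 1 00:06:41.338: dot1x-ev:Received pkt saddr =5475.d0e3.1403 , daddr = 5475.d063.f8aa, pae-ether-type = 888e.0300.0004
*Mar 1 01:33:54.945: %DOT1X-5-FAIL: Authentication failed for client (5475.d063.f8aa) on Interface Gi0/3 AuditSessionID
"""

def summarize(log):
    """Return EAPOL frames, per-sender EAPOL version, EAP methods and failed clients."""
    frames, versions = [], {}
    for src, dst, ver, typ, length in PAE_RE.findall(log):
        versions[src] = int(ver, 16)  # version each MAC puts in its own frames
        frames.append((src, dst, EAPOL_TYPES.get(int(typ, 16), "unknown"), int(length, 16)))
    # TYPE is an EAP method number only in Request (1) and Response (2) packets.
    methods = {EAP_TYPES.get(int(t), "type " + t)
               for code, t, _ in EAP_RE.findall(log) if int(code) in (1, 2)}
    return {
        "frames": frames,
        "versions": versions,
        "version_mismatch": len(set(versions.values())) > 1,
        "methods": methods,
        "failed": sorted(set(FAIL_RE.findall(log))),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, "=", value)
```

On the sample, the AP (5475.d063.f8aa) sends EAPOL version 2 and the switch (5475.d0e3.1403) sends version 3, the same difference the AP debug logs as "Protocol version != 2", and the method number 43 decodes to EAP-FAST.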