
8021.x authentication problem

Status
Not open for further replies.

selcuks2001

IS-IT--Management
Dec 8, 2001
50
TR
Hello everybody,
I am facing an authentication problem with my 802.1x configuration. Whenever I turn on the dot1x debugging on the switch (Cisco 3550) I am getting the following debug outputs. It seems that the switch cannot talk with the IAS. But I think that I made the configuration correctly. (I just followed the instructions which I've found on the internet.) What can be the cause of the problem?

The 802.1x debug output is as follows:

22:43:14: dot1x-backend(Fa0/5): [64] starting aaa sequence
22:43:14: dot1x-backend(Fa0/5): [64] relaying EAP data from supplicant
22:43:14: dot1x-backend(Fa0/5): [64] starting login
22:43:14: dot1x-backend(Fa0/5): [64] login user ABCDE\Administrator, client ID A0-12-73-46-00-62
22:43:14: dot1x-backend(Fa0/5): [64] start_login returned FAIL
22:43:14: dot1x-backend(Fa0/5): [64] cleaning up AAA context

The configuration of the switch is as follows:

aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.168.1.111 auth-port 1812 acct-port 1813
radius-server retransmit 5
radius-server timeout 6
radius-server key MagawlA

interface FastEthernet0/2
switchport mode access
no ip address
dot1x port-control auto
spanning-tree portfast
spanning-tree guard root

Can somebody put a light on my way?
Regards
b^2-4ac
 
If it's anything like TACACS+:

I don't see

aaa new-model

and add
aaa authentication dot1x default group radius local
aaa authorization network default group radius enable
 
Hi North323,
aaa new-model has been already added to the configuration. The other lines you've typed were also added.

I am getting the following line from the Event Viewer of the IAS:

Access request for user ABCDE\user2 was discarded.
Fully-Qualified-User-Name = ABCDE.gov.tr/Users/user2
NAS-IP-Address = 192.168.2.250
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = 00-0F-EA-BF-5A-67
Client-Friendly-Name = anahtar
Client-IP-Address = 192.168.2.250
NAS-Port-Type = Ethernet
NAS-Port = 50004
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 23
Reason = Unexpected error. Possible error in server or client configuration.

Can it depend on the IOS version of my switch which I am using as the authenticator?



Regards
b^2-4ac
 
No... looks like it's how the username is defined in RADIUS. Is this Active Directory? Have you tried using the FQUN? Is ABCDE.gov.tr/Users/user2 a GPO that is able to access?
Reason = Unexpected error. Possible error in server or client configuration.
 
Hello North323,
Yes, the username "user2" is defined in the Active Directory. What do you mean with "have you tried using the FQUN?" and "Is ABCDE.gov.tr/Users/user2 a GPO that is able to access?"
I am not so experienced in the Windows things. I've just installed a Windows 2003 Server with active directory and IAS on it.


Regards
b^2-4ac
 
Add:
Code:
dot1x system-auth-control
Also, double check your supplicant as well as your RADIUS config.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Hello underico,
I cannot enter that command. The switch doesn't support this command. Do you think that is the problem?


Regards
b^2-4ac
 
You need 'dot1x system-auth-control' to enable dot1x on the switch. You will need to update your IOS.
 
Hello everybody,
Well, after some time the problem seems to be a bit different right now. (Yeah, right. I'm still struggling with that 802.1x thing.) I could get the 802.1x concept to work on my system. But this time my one and only problem is that I cannot achieve dynamic VLAN assignment. I've investigated tons of documents online about this topic. (Dynamic VLAN assignment using IAS.) The dynamic VLAN configurations in the documents which I've found online are almost the same. But I cannot get my IAS to assign the VLAN to the switch ports, though I am doing the same things that those documents say.
I am using a Cisco 3550 switch (WS-C3550-48-SMI). Can the reason maybe be that the Cisco 3550 doesn't support dynamic VLAN assignment? I've downloaded the most updated IOS for the switch (c3550-ipservicesk9-mz.122-50.SE.bin) and also tried some other IOS images. But it didn't work.
Summary:
802.1x works with the following port configuration where I assign the port to VLAN 8 manually: (Easy way)
interface FastEthernet0/34
switchport access vlan 8
switchport mode access
no ip address
dot1x port-control auto
spanning-tree portfast
spanning-tree guard root

But it doesn't work with the following configuration where I want that IAS determines the VLAN number of the port:
interface FastEthernet0/33
switchport mode access
no ip address
dot1x port-control auto
spanning-tree portfast
spanning-tree guard root

I am going nuts!


Regards
b^2-4ac
 
What attributes have you added into your remote access policy in IAS??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Attributes are as follows:
Service-Type : Framed
Tunnel-Medium-Type : 802 (includes all 802 media plus Ethernet canonical format)
Tunnel-Pvt-Group-ID : 0x000008
Tunnel-Type : Virtual LANs (VLAN)

A note: After I listened on the IAS port with Wireshark I noticed an error about the attribute value Tunnel-Pvt-Group-ID which was saying "too short tag" or something like that. I had just entered 8 there as the VLAN number. After I typed it as 008 I didn't see that error message again. I tried too many values for that attribute. (VLAN names, integer numbers, hexadecimal numbers, etc.)

I still think that the IOS of my Cisco switch doesn't have 802.1x dynamic VLAN support. (Well hope so.)



Regards
b^2-4ac
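The attribute list above is the standard RFC 2868 / RFC 3580 triple a RADIUS server returns in Access-Accept to assign a VLAN, and the Wireshark complaint about the Tunnel-Pvt-Group-ID value is about how that attribute is laid out on the wire: type, length, a tag byte, then the VLAN id as a string. The following is an added example, not code from the thread or from IAS or Cisco; it encodes the three attributes the way a RADIUS server would, then parses them back the way a switch or a packet decoder does, including the length check that produces a "too short" error and the RFC 2868 rule that a first byte above 0x1F is string data rather than a tag. All attribute numbers and values are the ones defined in those RFCs; the sample byte strings are constructed.

```python
# Added example (not from the thread): RFC 2868 tunnel attributes that carry a
# RADIUS VLAN assignment, encoded and then parsed back with the RFC's checks.
import struct

TUNNEL_TYPE = 64              # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13         # Tunnel-Type value "VLAN" (RFC 3580)
TUNNEL_MEDIUM_IEEE802 = 6     # Tunnel-Medium-Type value "802"


def encode_tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """Tagged integer attribute: Type, Length=6, Tag, 3-byte big-endian value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    if not 0 <= value < 1 << 24:
        raise ValueError("value does not fit in 3 bytes")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type: int, tag: int, value: str) -> bytes:
    """Tagged string attribute: Type, Length, Tag, then the string bytes."""
    data = value.encode("ascii")
    if not data:
        raise ValueError("empty group id")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    length = 3 + len(data)
    if length > 255:
        raise ValueError("string too long for one attribute")
    return struct.pack("!BBB", attr_type, length, tag) + data


def vlan_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """The three attributes a RADIUS server puts in Access-Accept to assign a VLAN."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def parse_attributes(blob: bytes) -> list:
    """Walk a RADIUS attribute list and return (type, tag, value) triples.

    Tunnel attributes are decoded per RFC 2868; other attributes are kept raw.
    A bad length raises ValueError, which is the condition a decoder such as
    Wireshark reports as a too-short attribute.
    """
    out = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("attribute length %d out of range" % alen)
        payload = blob[i + 2:i + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if alen != 6:
                raise ValueError("tagged integer attribute must be 6 bytes")
            out.append((atype, payload[0], int.from_bytes(payload[1:], "big")))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            if alen < 3:
                raise ValueError("Tunnel-Private-Group-ID too short")
            # RFC 2868 s3.6: a first byte above 0x1F is not a tag but part of the string
            if payload[0] > 0x1F:
                tag, text = 0, payload
            else:
                tag, text = payload[0], payload[1:]
            out.append((atype, tag, text.decode("ascii", errors="replace")))
        else:
            out.append((atype, None, payload))
        i += alen
    return out


def vlan_from_attributes(attrs: list):
    """Return the VLAN id string a switch would apply, or None if the triple is incomplete."""
    groups = {}
    for atype, tag, value in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            groups.setdefault(tag, {})[atype] = value
    for members in groups.values():
        if (members.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and members.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
                and TUNNEL_PRIVATE_GROUP_ID in members):
            return members[TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    accept = vlan_attributes(8)                              # constructed Access-Accept payload
    print(accept.hex())
    print(vlan_from_attributes(parse_attributes(accept)))     # 8
    try:
        parse_attributes(b"\x51\x02")                        # group id attribute with no payload
    except ValueError as err:
        print("rejected:", err)
```

Running it shows that a VLAN id of "8" needs only four bytes on the wire (type 81, length 4, tag 0, "8"), and that a switch applies the VLAN only when all three attributes are present with the VLAN and 802 values under the same tag; a Tunnel-Private-Group-ID sent alone, or with a length below 3, is either ignored or rejected.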
 
What image are you running on the 3550??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
The IOS version is as follows. It is the latest IOS I've found on the Cisco web site:
c3550-ipservicesk9-mz.122.44.SE6.bin

Below is the "show version" output. Maybe it can help also:

SWITCH#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C3550 Software (C3550-I9Q3L2-M), Version 12.1(11)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Wed 28-Aug-02 09:33 by antonino
Image text-base: 0x00003000, data-base: 0x005C6390

ROM: Bootstrap program is C3550 boot loader

BSG_8021X uptime is 1 week, 1 day, 23 hours, 49 minutes
System returned to ROM by power-on
System restarted at 17:21:49 SSS Wed May 6 2009
System image file is "flash:/c3550-i9q3l2-mz.121-11.EA1/c3550-i9q3l2-mz.121-11.EA1.bin"

cisco WS-C3550-48 (PowerPC) processor (revision G0) with 65526K/8192K bytes of memory.
Processor board ID CAT0644X0M7
Last reset from warm-reset
Running Layer2/3 Switching Image

Ethernet-controller 1 has 12 Fast Ethernet/IEEE 802.3 interfaces

Ethernet-controller 2 has 12 Fast Ethernet/IEEE 802.3 interfaces

Ethernet-controller 3 has 12 Fast Ethernet/IEEE 802.3 interfaces

Ethernet-controller 4 has 12 Fast Ethernet/IEEE 802.3 interfaces

Ethernet-controller 5 has 1 Gigabit Ethernet/IEEE 802.3 interface

Ethernet-controller 6 has 1 Gigabit Ethernet/IEEE 802.3 interface

48 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)

The password-recovery mechanism is enabled.
384K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:0B:5F:18:80:00
Motherboard assembly number: 73-5701-07
Power supply part number: 34-0967-01
Motherboard serial number: CAT06440A98
Power supply serial number: DCA06412GCL
Model revision number: G0
Motherboard revision number: A0
Model number: WS-C3550-48-SMI
System serial number: CAT0644X0M7
Configuration register is 0x10F

Regards
b^2-4ac
 
Yeah, I believe you would need at a minimum 12.1(22)EA to support VLAN assignment via RADIUS. Your 3550 looks like it has enough resources to support 12.2(44) like you noted above.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 