need help with 802.1x debugging

Hello Gurus,

I am trying to implement 802.1x port authentication for a small company. Here is the test setup:

Client : Windows 2000 Prof SP4
Switch : Cisco 2950
Authenticator : Microsoft IAS

I have read the documentation for setting up the IAS and the Windows 2000 supplicant. No matter what type of authentication I use, PEAP or MD5, I am unable to authenticate the port. I have synchronised the IAS server with Active Directory. After checking the debug logs on the switch, here is what I found. I have marked the debug event which I think could be the reason. I have also tried checking the IAS logs but they don't help, and neither does the event log for Windows. I am not sure if this is the right group but I decided to post it.

006645: 9w2d: dot1x-ev:EAP-code=REQUEST
006646: 9w2d: dot1x-ev:EAP Type= IDENTITY
006647: 9w2d: dot1x-ev:ID=0
006648: 9w2d: dot1x-registry:registry:dot1x_ether_macaddr called
006649: 9w2d: dot1x-packet:Received an EAPOL frame on interface FastEthernet0/16
006650: 9w2d: dot1x-ev:Received pkt saddr =xxxx.xxxx.xxxx, daddr = xxxx.xxxx.xxxx,pae-ether-type = 34958
006651: 9w2d: dot1x-ev:Found a supplicant block for mac 0010.a4e4.f1e3 80D86C64
006652: 9w2d: dot1x-packet:Received an EAP packet on interface FastEthernet0/16
006653: 9w2d: dot1x_auth Fa0/16: during state auth_connecting, got event 6(rxRespId)
006654: 9w2d: @@@ dot1x_auth Fa0/16: auth_connecting -> auth_authenticating
006655: 9w2d: dot1x-sm:Fa0/16:xxxx.xxxx.xxxx:auth_connecting_exit alled
006656: 9w2d: dot1x-sm:Fa0/16:xxxx.xxxx.xxxx:auth_authenticating_enter called
006657: 9w2d: dot1x-ev:sending AUTH_START to BEND for supp_info=80D86C64
006658: 9w2d: dot1x-sm:Fa0/16:xxxx.xxxx.xxxx:auth_connecting_authenticating_action called
006659: 9w2d: dot1x-ev:Received AuthStart from Authenticator for supp_info=80D86C64
006660: 9w2d: dot1x_bend Fa0/16: during state dot1x_bend_idle, got event 1(auth_start)
006661: 9w2d: @@@ dot1x_bend Fa0/16: dot1x_bend_idle -> dot1x_bend_response
006662: 9w2d: dot1x-sm:Dot1x Response State Entered for supp_info=80D86C64 hwidb =807B1B18, swidb=807B2E6C on intf=Fa0/16
006663: 9w2d: dot1x-ev:Managed Timer in sub-block attached as leaf to master
006664: 9w2d: dot1x-sm:Started the ServerTimeout Timer
006665: 9w2d: dot1x-ev:Going to Send Request to AAA Client on RP for id = 0 and length = 19
006666: 9w2d: dot1x-ev:Got a Request from SP to send it to Radius with id 116
006667: 9w2d: dot1x-ev:Couldn't Find a process thats already handling the request for this id 0
006668: 9w2d: dot1x-ev:Inserted the request on to list of pending requests
006669: 9w2d: dot1x-ev:Found a free slot at slot 0
006670: 9w2d: dot1x-ev:Found a free slot at slot 0
006671: 9w2d: dot1x-ev:Request id = 116 and length = 19
006672: 9w2d: dot1x-ev:The Interface on which we got this AAA Request is FastEthernet0/16
006673: 9w2d: dot1x-ev:Username is domain\\username
006674: 9w2d: dot1x-ev:MAC Address is xxxx.xxxx.xxxx
006675: 9w2d: dot1x-ev:RemAddr is xxxx.xxxx.xxxx/xxxx.xxxx.xxxx
**************************************************
The authentication information is being recvd by the switch, I can't understand this error.
006676: 9w2d: dot1x-err:EAP packet not recvd
**************************************************
006677: 9w2d: dot1x-ev:going to send to backend on SP, length = 4
006678: 9w2d: dot1x-ev:Received VLAN is No Vlan
006679: 9w2d: dot1x-ev:Enqueued the response to BackEnd
006680: 9w2d: dot1x-ev:Received QUEUE EVENT in response to AAA Request
006681: 9w2d: dot1x-ev:Dot1x matching request-response found
006682: 9w2d: dot1x-ev:Length of recv eap packet from radius = 4
006683: 9w2d: dot1x-ev:Received VLAN Id -1
006684: 9w2d: dot1x_bend Fa0/16: during state dot1x_bend_response, got event 3(afail)
006685: 9w2d: @@@ dot1x_bend Fa0/16: dot1x_bend_response -> dot1x_bend_fail
006686: 9w2d: dot1x-sm:Dot1x Failure State Entered
006687: 9w2d: dot1x-ev:dot1x_bend_fail_enter:xxxx.xxxx.xxxx: Current ID=0
006688: 9w2d: dot1x-ev:dot1x_bend: Sending Radius Response to Supplicant of length 4
006689: 9w2d: dot1x-ev:dot1x_tx_eap: EAP Ptk
006690: 9w2d: dot1x-ev:EAP-code=FAILURE
006691: 9w2d: dot1x-ev:EAP Type= Unknown
006692: 9w2d: dot1x-ev:ID=0
006693: 9w2d: dot1x-registry:registry:dot1x_ether_macaddr called
006694: 9w2d: dot1x_bend Fa0/16: idle during state dot1x_bend_fail
006695: 9w2d: @@@ dot1x_bend Fa0/16: dot1x_bend_fail -> dot1x_bend_idle
006696: 9w2d: dot1x-sm:Dot1x Idle State Entered
006697: 9w2d: dot1x_auth Fa0/16: during state auth_authenticating, got event 8(authFail)
006698: 9w2d: @@@ dot1x_auth Fa0/16: auth_authenticating -> auth_held
006699: 9w2d: dot1x-sm:Fa0/16xxxx.xxxx.xxxx:auth_held_enter called
006700: 9w2d: dot1x-sm: dot1x_update_port_status called with port_status = DOT1X_PORT_STATUS_UNAUTHORIZED
006701: 9w2d: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEthernet0/16
006702: 9w2d: dot1x-ev:dot1x_update_port_status: Called with host_mode=0 state UNAUTHORIZED

Thanks,
Ankit

Reply to
apsolar
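Added example, not part of the original post: a small Python parser for dot1x debug output of the kind shown above. It follows the `@@@` state-transition lines and records which state each state machine was in when a `dot1x-err` entry was logged. The names `analyze` and `SAMPLE` are hypothetical, and the sample is constructed from entries in the post.

```python
import re

# Constructed sample: entries copied from the debug output in the post above,
# one per line, with terminal-wrapped words rejoined.
SAMPLE = """\
006653: 9w2d: dot1x_auth Fa0/16: during state auth_connecting, got event 6(rxRespId)
006654: 9w2d: @@@ dot1x_auth Fa0/16: auth_connecting -> auth_authenticating
006661: 9w2d: @@@ dot1x_bend Fa0/16: dot1x_bend_idle -> dot1x_bend_response
006665: 9w2d: dot1x-ev:Going to Send Request to AAA Client on RP for id = 0 and length = 19
006676: 9w2d: dot1x-err:EAP packet not recvd
006682: 9w2d: dot1x-ev:Length of recv eap packet from radius = 4
006685: 9w2d: @@@ dot1x_bend Fa0/16: dot1x_bend_response -> dot1x_bend_fail
006690: 9w2d: dot1x-ev:EAP-code=FAILURE
006695: 9w2d: @@@ dot1x_bend Fa0/16: dot1x_bend_fail -> dot1x_bend_idle
006698: 9w2d: @@@ dot1x_auth Fa0/16: auth_authenticating -> auth_held
"""

ENTRY = re.compile(r"^(\d+): \S+: (.*)$")
TRANSITION = re.compile(r"^@@@ (\S+) (\S+): (\S+) -> (\S+)$")


def analyze(text):
    """Track each dot1x state machine and snapshot the states at every dot1x-err."""
    state = {}    # (machine, port) -> current state
    errors = []   # (sequence number, message, copy of `state` at that moment)
    for line in text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue  # blank lines, the poster's comments, asterisk rows
        seq, msg = int(entry.group(1)), entry.group(2)
        move = TRANSITION.match(msg)
        if move:
            machine, port, _src, dst = move.groups()
            state[(machine, port)] = dst
        elif msg.startswith("dot1x-err:"):
            errors.append((seq, msg.split(":", 1)[1], dict(state)))
    return errors, state


if __name__ == "__main__":
    errors, final = analyze(SAMPLE)
    for seq, msg, snapshot in errors:
        print(f"{seq:06d} error: {msg}")
        for (machine, port), st in sorted(snapshot.items()):
            print(f"    {machine} {port} was in {st}")
    for (machine, port), st in sorted(final.items()):
        print(f"final: {machine} {port} -> {st}")
```
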

IAS logs don't help, and neither does Windows - what is actually logged in the System log? Any trail of the incoming authentication request? Any events from IAS at all?

I also suggest using an IAS log analyser, like the one at [formatting link], for advanced troubleshooting.

Reply to
S. Pidgorny

Hello Svyatoslav,

The IAS viewer just shows the IAS log files in a table format. I had checked those logs and the system logs too. There are no incoming authentication requests. As I have mentioned, the problem is with the Windows 2000 supplicant. It isn't sending the EAP packet to the switch, which gets forwarded to the IAS server to initiate authentication.

What could be wrong here?

Ankit

Reply to
apsolar

The supplicant itself? As an elimination step in troubleshooting, try a Windows XP client - I did have 802.1x going with a Cisco 2950. Or try another supplicant.

Frankly, I didn't know that Windows 2000 supports 802.1x for wired networks.

Reply to
S. Pidgorny

Windows XP is not an option. I read on the Microsoft website about 802.1x being supported on Windows 2000. I have also tried third-party supplicants but the result's the same. I get the same debug log and the same dot1x error event.

This is proving to be a nightmare. Can somebody who has successfully tested 802.1x authentication with Windows 2000 help me?

Ankit

Reply to
apsolar

You need to try XP to conclusively prove that the issue you're experiencing is client-related. What third-party supplicants did you try?

Reply to
S. Pidgorny

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.