need help with 802.1x debugging

Discussion in 'Cisco' started by apsolar, Aug 16, 2006.

  1. apsolar

    apsolar Guest

    Hello Gurus,

    I am trying to implement 802.1x port authentication for a small
    company. Here is the test setup:
    Client : Windows 2000 Prof SP4
    Switch : Cisco 2950
    Authenticator : Microsoft IAS



    I have read the documentation for setting up the IAS and the Windows
    2000 supplicant. No matter what type of authentication I use, PEAP or
    MD5, I am unable to authenticate the port. I have synchronised the IAS
    server with Active Directory.
    After checking the debug logs on the switch, here is what I found :
    I have marked the debug event which I think could be the reason.
    I have also tried checking IAS logs but they don't help, neither does
    the event log for Windows.
    I am not sure if this is the right group but I decided to post it.

    006645: 9w2d: dot1x-ev:EAP-code=REQUEST
    006646: 9w2d: dot1x-ev:EAP Type= IDENTITY
    006647: 9w2d: dot1x-ev:ID=0

    006648: 9w2d: dot1x-registry:registry:dot1x_ether_macaddr called
    006649: 9w2d: dot1x-packet:Received an EAPOL frame on interface FastEthernet0/16

    006650: 9w2d: dot1x-ev:Received pkt saddr =xxxx.xxxx.xxxx, daddr = xxxx.xxxx.xxxx,pae-ether-type = 34958
    006651: 9w2d: dot1x-ev:Found a supplicant block for mac 0010.a4e4.f1e3 80D86C64

    006652: 9w2d: dot1x-packet:Received an EAP packet on interface FastEthernet0/16
    006653: 9w2d: dot1x_auth Fa0/16: during state auth_connecting, got event 6(rxRespId)
    006654: 9w2d: @@@ dot1x_auth Fa0/16: auth_connecting -> auth_authenticating
    006655: 9w2d: dot1x-sm:Fa0/16:xxxx.xxxx.xxxx:auth_connecting_exit alled
    006656: 9w2d: dot1x-sm:Fa0/16:xxxx.xxxx.xxxx:auth_authenticating_enter called
    006657: 9w2d: dot1x-ev:sending AUTH_START to BEND for supp_info=80D86C64

    006658: 9w2d: dot1x-sm:Fa0/16:xxxx.xxxx.xxxx:auth_connecting_authenticating_action called
    006659: 9w2d: dot1x-ev:Received AuthStart from Authenticator for supp_info=80D86C64
    006660: 9w2d: dot1x_bend Fa0/16: during state dot1x_bend_idle, got event 1(auth_start)
    006661: 9w2d: @@@ dot1x_bend Fa0/16: dot1x_bend_idle -> dot1x_bend_response
    006662: 9w2d: dot1x-sm:Dot1x Response State Entered for supp_info=80D86C64 hwidb=807B1B18, swidb=807B2E6C on intf=Fa0/16

    006663: 9w2d: dot1x-ev:Managed Timer in sub-block attached as leaf to master
    006664: 9w2d: dot1x-sm:Started the ServerTimeout Timer
    006665: 9w2d: dot1x-ev:Going to Send Request to AAA Client on RP for id = 0 and length = 19
    006666: 9w2d: dot1x-ev:Got a Request from SP to send it to Radius with id 116
    006667: 9w2d: dot1x-ev:Couldn't Find a process thats already handling the request for this id 0
    006668: 9w2d: dot1x-ev:Inserted the request on to list of pending requests
    006669: 9w2d: dot1x-ev:Found a free slot at slot 0
    006670: 9w2d: dot1x-ev:Found a free slot at slot 0
    006671: 9w2d: dot1x-ev:Request id = 116 and length = 19
    006672: 9w2d: dot1x-ev:The Interface on which we got this AAA Request is FastEthernet0/16
    006673: 9w2d: dot1x-ev:Username is domain\username
    006674: 9w2d: dot1x-ev:MAC Address is xxxx.xxxx.xxxx
    006675: 9w2d: dot1x-ev:RemAddr is xxxx.xxxx.xxxx/xxxx.xxxx.xxxx
    *********************************************************************************************************
    The authentication information is being recvd by the switch, I can't
    understand this error.
    006676: 9w2d: dot1x-err:EAP packet not recvd
    *******************************************************************************************************
    006677: 9w2d: dot1x-ev:going to send to backend on SP, length = 4
    006678: 9w2d: dot1x-ev:Received VLAN is No Vlan
    006679: 9w2d: dot1x-ev:Enqueued the response to BackEnd
    006680: 9w2d: dot1x-ev:Received QUEUE EVENT in response to AAA Request
    006681: 9w2d: dot1x-ev:Dot1x matching request-response found
    006682: 9w2d: dot1x-ev:Length of recv eap packet from radius = 4
    006683: 9w2d: dot1x-ev:Received VLAN Id -1
    006684: 9w2d: dot1x_bend Fa0/16: during state dot1x_bend_response, got event 3(afail)
    006685: 9w2d: @@@ dot1x_bend Fa0/16: dot1x_bend_response -> dot1x_bend_fail
    006686: 9w2d: dot1x-sm:Dot1x Failure State Entered
    006687: 9w2d: dot1x-ev:dot1x_bend_fail_enter:xxxx.xxxx.xxxx: Current ID=0

    006688: 9w2d: dot1x-ev:dot1x_bend: Sending Radius Response to Supplicant of length 4
    006689: 9w2d: dot1x-ev:dot1x_tx_eap: EAP Ptk
    006690: 9w2d: dot1x-ev:EAP-code=FAILURE
    006691: 9w2d: dot1x-ev:EAP Type= Unknown
    006692: 9w2d: dot1x-ev:ID=0

    006693: 9w2d: dot1x-registry:registry:dot1x_ether_macaddr called
    006694: 9w2d: dot1x_bend Fa0/16: idle during state dot1x_bend_fail
    006695: 9w2d: @@@ dot1x_bend Fa0/16: dot1x_bend_fail -> dot1x_bend_idle
    006696: 9w2d: dot1x-sm:Dot1x Idle State Entered
    006697: 9w2d: dot1x_auth Fa0/16: during state auth_authenticating, got event 8(authFail)
    006698: 9w2d: @@@ dot1x_auth Fa0/16: auth_authenticating -> auth_held
    006699: 9w2d: dot1x-sm:Fa0/16xxxx.xxxx.xxxx:auth_held_enter called
    006700: 9w2d: dot1x-sm: dot1x_update_port_status called with port_status = DOT1X_PORT_STATUS_UNAUTHORIZED
    006701: 9w2d: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEthernet0/16
    006702: 9w2d: dot1x-ev:dot1x_update_port_status: Called with host_mode=0 state UNAUTHORIZED




    thanks
    Ankit
     
    apsolar, Aug 16, 2006
    #1
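Added example (not part of the original thread or written by any poster): a small Python helper for reading `debug dot1x` output in the format posted above. It rejoins hard-wrapped lines and pulls out the state-machine transitions, the `dot1x-err` lines, and any RADIUS reply whose EAP payload is only a 4-octet header. The function names and the sample excerpt are assumptions of this example.

```python
import re

# Excerpt of the debug output posted above, hard-wrapped the way terminals and
# mail clients break it (sample input for this added example).
SAMPLE = """\
006654: 9w2d: @@@ dot1x_auth Fa0/16: auth_connecting ->
auth_authenticating
006665: 9w2d: dot1x-ev:Going to Send Request to AAA Client on RP for id
= 0 and
length = 19
006676: 9w2d: dot1x-err:EAP packet not recvd
006682: 9w2d: dot1x-ev:Length of recv eap packet from radius = 4
006685: 9w2d: @@@ dot1x_bend Fa0/16: dot1x_bend_response ->
dot1x_bend_fail
006698: 9w2d: @@@ dot1x_auth Fa0/16: auth_authenticating -> auth_held
"""

RECORD = re.compile(r"^(\d{6}): (\S+):\s*(.*)$")  # sequence, uptime, message
TRANSITION = re.compile(r"@@@ (\S+) (\S+): (\S+) -> (\S+)")
RADIUS_LEN = re.compile(r"eap packet from radius = (\d+)")
# An EAP packet of 4 octets is only code + identifier + length: the size of
# EAP Success and Failure packets (RFC 3748), which carry no method data.
EAP_HEADER_LEN = 4

def records(text):
    """Rejoin wrapped lines into (sequence, message) records. Continuations are
    joined with one space, so a token split mid-word by the terminal stays split."""
    out = []
    for line in (l.strip() for l in text.splitlines()):
        m = RECORD.match(line)
        if m:
            out.append([m.group(1), m.group(3)])
        elif line and out:
            out[-1][1] = (out[-1][1] + " " + line).strip()
    return [tuple(r) for r in out]

def summarize(text):
    """Return transitions, dot1x-err lines and header-only RADIUS replies."""
    s = {"transitions": [], "errors": [], "header_only_replies": []}
    for seq, msg in records(text):
        t, r = TRANSITION.search(msg), RADIUS_LEN.search(msg)
        if t:
            s["transitions"].append((seq, t.group(1), t.group(3), t.group(4)))
        elif msg.startswith("dot1x-err:"):
            s["errors"].append((seq, msg[len("dot1x-err:"):]))
        elif r and int(r.group(1)) == EAP_HEADER_LEN:
            s["header_only_replies"].append(seq)
    return s
```

Calling `summarize()` on a saved capture gives a compact view of where the authenticator and backend state machines went and which sequence numbers to read around.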

  2. apsolar

    S. Pidgorny Guest

    IAS logs don't help, and neither does Windows - what is actually logged in the
    System log? Any trail of the incoming authentication request? Any events
    from IAS at all?

    I also suggest using an IAS log analyser like the one at
    http://deepsoftware.ru/iasviewer/ for advanced troubleshooting.
     
    S. Pidgorny, Aug 16, 2006
    #2

  3. apsolar

    apsolar Guest

    Hello Svyatoslav,

    The IAS viewer just shows the IAS log files in a table format. I
    had checked those logs and the system logs too. There are no incoming
    authentication requests. As I have mentioned, the problem is with the
    Windows 2000 supplicant. It isn't sending the EAP packet to the switch,
    that gets forwarded to the IAS server to initiate authentication.

    What could be wrong here?

    Ankit
     
    apsolar, Aug 16, 2006
    #3
  4. apsolar

    S. Pidgorny Guest

    The supplicant itself? As an elimination step in troubleshooting, try a
    Windows XP client - I did have 802.1x going with Cisco 2950. Or try another
    supplicant.

    Frankly I didn't know that Windows 2000 supports 802.1x for wired networks.
     
    S. Pidgorny, Aug 17, 2006
    #4
  5. apsolar

    apsolar Guest

    Windows XP is not an option. I read on the Microsoft website about
    802.1x being supported on Windows 2000. I have also tried third-party
    supplicants but the result's the same. I get the same debug log and the
    same dot1x error event.

    This is proving to be a nightmare. Can somebody who has successfully
    tested 802.1x authentication with Windows 2000 help me?

    Ankit
     
    apsolar, Aug 18, 2006
    #5
  6. apsolar

    S. Pidgorny Guest

    You need to try XP to conclusively prove that the issue you're experiencing
    is client-related.
    What third-party supplicants did you try?
     
    S. Pidgorny, Aug 18, 2006
    #6