Discussion in 'Cisco' started by apsolar, Aug 16, 2006.

  1. apsolar

    apsolar Guest

    Hello Gurus,

    I am trying to implement 802.1x port authentication for a small
    company. Here is the test setup:
    Client : Windows 2000 Prof SP4
    Switch : Cisco 2950
    Authenticator : Microsoft IAS

    I have read the documentation for setting up the IAS and the Windows
    2000 supplicant. No matter what type of authentication I use, PEAP or
    MD5, I am unable to authenticate the port. I have synchronised the IAS
    server with Active Directory.
    After checking the debug logs on the switch, here is what I found :
    I have marked the debug event which I think could be the reason.
    I have also tried checking IAS logs but they don't help, neither does
    the event log for Windows.
    I am not sure if this is the right group but I decided to post it,

    006645: 9w2d: dot1x-ev:EAP-code=REQUEST
    006646: 9w2d: dot1x-ev:EAP Type= IDENTITY
    006647: 9w2d: dot1x-ev:ID=0

    006648: 9w2d: dot1x-registry:registry:dot1x_ether_macaddr called
    006649: 9w2d: dot1x-packet:Received an EAPOL frame on interface

    006650: 9w2d: dot1x-ev:Received pkt saddr =xxxx.xxxx.xxxx, daddr =
    xxxx.xxxx.xxxx,pae-ether-type = 34958
    006651: 9w2d: dot1x-ev:Found a supplicant block for mac 0010.a4e4.f1e3

    006652: 9w2d: dot1x-packet:Received an EAP packet on interface
    006653: 9w2d: dot1x_auth Fa0/16: during state auth_connecting, got
    event 6(r
    006654: 9w2d: @@@ dot1x_auth Fa0/16: auth_connecting ->
    006655: 9w2d: dot1x-sm:Fa0/16:xxxx.xxxx.xxxx:auth_connecting_exit alled
    006656: 9w2d: dot1x-sm:Fa0/16:xxxx.xxxx.xxxx:auth_authenticating_enter
    006657: 9w2d: dot1x-ev:sending AUTH_START to BEND for

    006658: 9w2d:
    on called
    006659: 9w2d: dot1x-ev:Received AuthStart from Authenticator for
    006660: 9w2d: dot1x_bend Fa0/16: during state dot1x_bend_idle, got
    event 1(a
    006661: 9w2d: @@@ dot1x_bend Fa0/16: dot1x_bend_idle ->
    006662: 9w2d: dot1x-sm:Dot1x Response State Entered for
    supp_info=80D86C64 hwidb
    =807B1B18, swidb=807B2E6C on intf=Fa0/16

    006663: 9w2d: dot1x-ev:Managed Timer in sub-block attached as leaf to
    006664: 9w2d: dot1x-sm:Started the ServerTimeout Timer
    006665: 9w2d: dot1x-ev:Going to Send Request to AAA Client on RP for id
    = 0 and
    length = 19
    006666: 9w2d: dot1x-ev:Got a Request from SP to send it to Radius with
    id 116
    006667: 9w2d: dot1x-ev:Couldn't Find a process thats already handling
    the reques
    t for this id 0
    006668: 9w2d: dot1x-ev:Inserted the request on to list of pending
    006669: 9w2d: dot1x-ev:Found a free slot at slot 0
    006670: 9w2d: dot1x-ev:Found a free slot at slot 0
    006671: 9w2d: dot1x-ev:Request id = 116 and length = 19
    006672: 9w2d: dot1x-ev:The Interface on which we got this AAA Request
    is FastEth
    006673: 9w2d: dot1x-ev:Username is domain\username
    006674: 9w2d: dot1x-ev:MAC Address is xxxx.xxxx.xxxx
    006675: 9w2d: dot1x-ev:RemAddr is xxxx.xxxx.xxxx/xxxx.xxxx.xxxx
    The authentication information is being received by the switch. I can't
    understand this error.
    006676: 9w2d: dot1x-err:EAP packet not recvd
    006677: 9w2d: dot1x-ev:going to send to backend on SP, length = 4
    006678: 9w2d: dot1x-ev:Received VLAN is No Vlan
    006679: 9w2d: dot1x-ev:Enqueued the response to BackEnd
    006680: 9w2d: dot1x-ev:Received QUEUE EVENT in response to AAA Request
    006681: 9w2d: dot1x-ev:Dot1x matching request-response found
    006682: 9w2d: dot1x-ev:Length of recv eap packet from radius = 4
    006683: 9w2d: dot1x-ev:Received VLAN Id -1
    006684: 9w2d: dot1x_bend Fa0/16: during state dot1x_bend_response,
    got event
    006685: 9w2d: @@@ dot1x_bend Fa0/16: dot1x_bend_response ->
    006686: 9w2d: dot1x-sm:Dot1x Failure State Entered
    006687: 9w2d: dot1x-ev:dot1x_bend_fail_enter:xxxx.xxxx.xxxx: Current

    006688: 9w2d: dot1x-ev:dot1x_bend: Sending Radius Response to
    Supplicant of leng
    th 4
    006689: 9w2d: dot1x-ev:dot1x_tx_eap: EAP Ptk
    006690: 9w2d: dot1x-ev:EAP-code=FAILURE
    006691: 9w2d: dot1x-ev:EAP Type= Unknown
    006692: 9w2d: dot1x-ev:ID=0

    006693: 9w2d: dot1x-registry:registry:dot1x_ether_macaddr called
    006694: 9w2d: dot1x_bend Fa0/16: idle during state dot1x_bend_fail
    006695: 9w2d: @@@ dot1x_bend Fa0/16: dot1x_bend_fail -> dot1x_bend_idle
    006696: 9w2d: dot1x-sm:Dot1x Idle State Entered
    006697: 9w2d: dot1x_auth Fa0/16: during state auth_authenticating,
    got event
    006698: 9w2d: @@@ dot1x_auth Fa0/16: auth_authenticating -> auth_held
    006699: 9w2d: dot1x-sm:Fa0/16xxxx.xxxx.xxxx:auth_held_enter called
    006700: 9w2d: dot1x-sm:
    dot1x_update_port_status called with port_status =
    006701: 9w2d: dot1x-ev:dot1x_port_cleanup_author: cleanup author on
    interface Fa
    006702: 9w2d: dot1x-ev:dot1x_update_port_status: Called with
    host_mode=0 state U

    apsolar, Aug 16, 2006
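An added example, not part of the original post and not Cisco tooling: a Python triage script for switch debug output like the capture above. It rejoins wrapped entries, tolerates transitions cut off after `->`, and flags a 4-byte EAP packet as header-only (code, identifier, length), which is the shape of an EAP Success or Failure. The names `unwrap` and `triage` are this example's own, and `SAMPLE` is a subset of the lines quoted in the post.

```python
import re

# Subset of the debug lines quoted in the post above, kept as captured:
# some transitions are cut off after "->" and one entry is wrapped.
SAMPLE = """\
006654: 9w2d: @@@ dot1x_auth Fa0/16: auth_connecting ->
006661: 9w2d: @@@ dot1x_bend Fa0/16: dot1x_bend_idle ->
006666: 9w2d: dot1x-ev:Got a Request from SP to send it to Radius with
id 116
006676: 9w2d: dot1x-err:EAP packet not recvd
006682: 9w2d: dot1x-ev:Length of recv eap packet from radius = 4
006685: 9w2d: @@@ dot1x_bend Fa0/16: dot1x_bend_response ->
006690: 9w2d: dot1x-ev:EAP-code=FAILURE
006695: 9w2d: @@@ dot1x_bend Fa0/16: dot1x_bend_fail -> dot1x_bend_idle
006698: 9w2d: @@@ dot1x_auth Fa0/16: auth_authenticating -> auth_held
"""

ENTRY = re.compile(r"^\s*(\d{6}): [^:\s]+:\s?(.*)$")
TRANSITION = re.compile(r"@@@ (dot1x_\w+) (\S+): (\w+) ->\s*(\w*)")
EAP_HEADER_LEN = 4  # code (1) + identifier (1) + length (2), RFC 3748

def unwrap(text):
    """Rejoin wrapped entries: a line with no sequence number continues the last one."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif entries and line.strip():
            entries[-1][1] += " " + line.strip()
    return entries

def triage(text):
    """Collect state transitions, errors and the RADIUS/EAP facts of one attempt."""
    r = {"transitions": [], "errors": [], "radius_id": None,
         "radius_eap_len": None, "eap_code": None}
    for seq, msg in unwrap(text):
        if m := TRANSITION.search(msg):
            machine, port, src, dst = m.groups()
            r["transitions"].append((seq, machine, port, src, dst or "?"))
        elif msg.startswith("dot1x-err:"):
            r["errors"].append((seq, msg.split(":", 1)[1]))
        elif m := re.search(r"to Radius with\s+id (\d+)", msg):
            r["radius_id"] = int(m.group(1))
        elif m := re.search(r"eap packet from radius = (\d+)", msg):
            r["radius_eap_len"] = int(m.group(1))
        elif m := re.search(r"EAP-code=(\w+)", msg):
            r["eap_code"] = m.group(1)
    # A header-only EAP packet carries no Type or data (EAP Success/Failure).
    r["header_only_eap"] = r["radius_eap_len"] == EAP_HEADER_LEN
    return r
```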
  2. apsolar

    S. Pidgorny Guest

    IAS logs don't help, and neither does Windows - what is actually logged in the
    System log? Any trail of the incoming authentication request? Any events
    from IAS at all?

    I also suggest using IAS log analyser like one at for advanced troubleshooting.
    S. Pidgorny, Aug 16, 2006
  3. apsolar

    apsolar Guest

    Hello Svyatoslav,

    The IAS viewer just shows the IAS log files in a table format. I
    had checked those logs and the system logs too. There are no incoming
    authentication requests. As I have mentioned, the problem is with
    the Windows 2000 supplicant. It isn't sending the EAP packet to the switch,
    that gets forwarded to the IAS server to initiate authentication.

    What could be wrong here?

    apsolar, Aug 16, 2006
  4. apsolar

    S. Pidgorny Guest

    The supplicant itself? As an elimination step in troubleshooting, try
    Windows XP client - I did have 802.1x going with Cisco 2950. Or try another

    Frankly I didn't know that Windows 2000 supports 802.1x for wired networks.
    S. Pidgorny, Aug 17, 2006
  5. apsolar

    apsolar Guest

    Windows XP is not an option. I read on the Microsoft website about
    802.1x being supported on Windows 2000. I have also tried third-party
    supplicants but the result's the same. I get the same debug log and the
    same dot1x error event.

    This is proving to be a nightmare. Can somebody who has successfully
    tested 802.1x authentication with Windows 2000 help me?

    apsolar, Aug 18, 2006
  6. apsolar

    S. Pidgorny Guest

    You need to try XP to conclusively prove that the issue you're experiencing
    is client-related.
    What third-party supplicants did you try?
    S. Pidgorny, Aug 18, 2006
