From: apsolar on 16 Aug 2006 00:15

Hello Gurus,

I am trying to implement 802.1x port authentication for a small company. Here is the test setup:

Client : Windows 2000 Prof SP4
Switch : Cisco 2950
Authenticator : Microsoft IAS

I have read the documentation for setting up the IAS and the Windows 2000 supplicant. No matter what type of authentication I use, PEAP or MD5, I am unable to authenticate the port. I have synchronised the IAS server with Active Directory.

After checking the debug logs on the switch, here is what I found : I have marked the debug event which I think could be the reason. I have also tried checking IAS logs but they don't help, neither does the event log for Windows.

I am not sure if this is the right group but I decided to post it,

006645: 9w2d: dot1x-ev:EAP-code=REQUEST
006646: 9w2d: dot1x-ev:EAP Type= IDENTITY
006647: 9w2d: dot1x-ev:ID=0
006648: 9w2d: dot1x-registry:registry:dot1x_ether_macaddr called
006649: 9w2d: dot1x-packet:Received an EAPOL frame on interface FastEthernet0/16
006650: 9w2d: dot1x-ev:Received pkt saddr =xxxx.xxxx.xxxx, daddr = xxxx.xxxx.xxxx,pae-ether-type = 34958
006651: 9w2d: dot1x-ev:Found a supplicant block for mac 0010.a4e4.f1e3 80D86C64
006652: 9w2d: dot1x-packet:Received an EAP packet on interface FastEthernet0/16
006653: 9w2d: dot1x_auth Fa0/16: during state auth_connecting, got event 6(rxRespId)
006654: 9w2d: @@@ dot1x_auth Fa0/16: auth_connecting -> auth_authenticating
006655: 9w2d: dot1x-sm:Fa0/16:xxxx.xxxx.xxxx:auth_connecting_exit alled
006656: 9w2d: dot1x-sm:Fa0/16:xxxx.xxxx.xxxx:auth_authenticating_enter called
006657: 9w2d: dot1x-ev:sending AUTH_START to BEND for supp_info=80D86C64
006658: 9w2d: dot1x-sm:Fa0/16:xxxx.xxxx.xxxx:auth_connecting_authenticating_action called
006659: 9w2d: dot1x-ev:Received AuthStart from Authenticator for supp_info=80D86C64
006660: 9w2d: dot1x_bend Fa0/16: during state dot1x_bend_idle, got event 1(auth_start)
006661: 9w2d: @@@ dot1x_bend Fa0/16: dot1x_bend_idle -> dot1x_bend_response
006662: 9w2d: dot1x-sm:Dot1x Response State Entered for supp_info=80D86C64 hwidb=807B1B18, swidb=807B2E6C on intf=Fa0/16
006663: 9w2d: dot1x-ev:Managed Timer in sub-block attached as leaf to master
006664: 9w2d: dot1x-sm:Started the ServerTimeout Timer
006665: 9w2d: dot1x-ev:Going to Send Request to AAA Client on RP for id = 0 and length = 19
006666: 9w2d: dot1x-ev:Got a Request from SP to send it to Radius with id 116
006667: 9w2d: dot1x-ev:Couldn't Find a process thats already handling the request for this id 0
006668: 9w2d: dot1x-ev:Inserted the request on to list of pending requests
006669: 9w2d: dot1x-ev:Found a free slot at slot 0
006670: 9w2d: dot1x-ev:Found a free slot at slot 0
006671: 9w2d: dot1x-ev:Request id = 116 and length = 19
006672: 9w2d: dot1x-ev:The Interface on which we got this AAA Request is FastEthernet0/16
006673: 9w2d: dot1x-ev:Username is domain\username
006674: 9w2d: dot1x-ev:MAC Address is xxxx.xxxx.xxxx
006675: 9w2d: dot1x-ev:RemAddr is xxxx.xxxx.xxxx/xxxx.xxxx.xxxx
*********************************************************************************************************
The authentication information is being recvd by the switch, I can't understand this error.
006676: 9w2d: dot1x-err:EAP packet not recvd
*******************************************************************************************************
006677: 9w2d: dot1x-ev:going to send to backend on SP, length = 4
006678: 9w2d: dot1x-ev:Received VLAN is No Vlan
006679: 9w2d: dot1x-ev:Enqueued the response to BackEnd
006680: 9w2d: dot1x-ev:Received QUEUE EVENT in response to AAA Request
006681: 9w2d: dot1x-ev:Dot1x matching request-response found
006682: 9w2d: dot1x-ev:Length of recv eap packet from radius = 4
006683: 9w2d: dot1x-ev:Received VLAN Id -1
006684: 9w2d: dot1x_bend Fa0/16: during state dot1x_bend_response, got event 3(afail)
006685: 9w2d: @@@ dot1x_bend Fa0/16: dot1x_bend_response -> dot1x_bend_fail
006686: 9w2d: dot1x-sm:Dot1x Failure State Entered
006687: 9w2d: dot1x-ev:dot1x_bend_fail_enter:xxxx.xxxx.xxxx: Current ID=0
006688: 9w2d: dot1x-ev:dot1x_bend: Sending Radius Response to Supplicant of length 4
006689: 9w2d: dot1x-ev:dot1x_tx_eap: EAP Ptk
006690: 9w2d: dot1x-ev:EAP-code=FAILURE
006691: 9w2d: dot1x-ev:EAP Type= Unknown
006692: 9w2d: dot1x-ev:ID=0
006693: 9w2d: dot1x-registry:registry:dot1x_ether_macaddr called
006694: 9w2d: dot1x_bend Fa0/16: idle during state dot1x_bend_fail
006695: 9w2d: @@@ dot1x_bend Fa0/16: dot1x_bend_fail -> dot1x_bend_idle
006696: 9w2d: dot1x-sm:Dot1x Idle State Entered
006697: 9w2d: dot1x_auth Fa0/16: during state auth_authenticating, got event 8(authFail)
006698: 9w2d: @@@ dot1x_auth Fa0/16: auth_authenticating -> auth_held
006699: 9w2d: dot1x-sm:Fa0/16xxxx.xxxx.xxxx:auth_held_enter called
006700: 9w2d: dot1x-sm: dot1x_update_port_status called with port_status = DOT1X_PORT_STATUS_UNAUTHORIZED
006701: 9w2d: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEthernet0/16
006702: 9w2d: dot1x-ev:dot1x_update_port_status: Called with host_mode=0 state UNAUTHORIZED

thanks
Ankit

From: "S. Pidgorny MVP>" on 16 Aug 2006 07:19

IAS logs don't help, so doesn't Windows - what is actually logged in the System log? Any trail of the incoming authentication request? Any events from IAS at all?

I also suggest using IAS log analyser like one at http://deepsoftware.ru/iasviewer/ for advanced troubleshooting.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

<apsolar(a)gmail.com> wrote in message news:1155701741.428225.316860(a)74g2000cwt.googlegroups.com...
> Hello Gurus,
>
> I am trying to implement 802.1x port authentication for a small
> company. Here is the test setup:
> Client : Windows 2000 Prof SP4
> Switch : Cisco 2950
> Authenticator : Microsoft IAS
>
> I have read the documentation for setting up the IAS and the Windows
> 2000 supplicant. No matter what type of authentication I use, PEAP or
> MD5, I am unable to authenticate the port. I have synchronised the IAS
> server with Active Directory.
> After checking the debug logs on the switch, here is what I found :
> I have marked the debug event which I think could be the reason.
> I have also tried checking IAS logs but they don't help, neither does
> the event log for Windows.

From: apsolar on 16 Aug 2006 17:48

Hello Svyatoslav,

The IAS viewer just shows the IAS log files in a table format. I had checked those logs and the system logs too. There are no incoming authentication requests. As I have mentioned, the problem is with the Windows 2000 supplicant. It isn't sending the EAP packet to the switch, that gets forwarded to the IAS server to initiate authentication.

What could be wrong here?

Ankit

From: "S. Pidgorny MVP>" on 17 Aug 2006 05:38

The supplicant itself? As an elimination step in troubleshooting, try Windows XP client - I did have 802.1x going with Cisco 2950. Or try another supplicant. Frankly I didn't know that Windows 2000 supports 802.1x for wired networks.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

<apsolar(a)gmail.com> wrote in message news:1155764908.415979.122820(a)i3g2000cwc.googlegroups.com...
> Hello Svyatoslav,
>
> The IAS viewer just shows the IAS log files in a table format. I
> had checked those logs and the system logs too. There are no incoming
> authentication requests. As I have mentioned, the problem is with the
> Windows 2000 supplicant. It isn't sending the EAP packet to the switch,
> that gets forwarded to the IAS server to initiate authentication.
>
> What could be wrong here?
>
> Ankit

From: apsolar on 17 Aug 2006 19:13

Windows XP is not an option. I read on the Microsoft website about 802.1x being supported on Windows 2000. I have also tried third party supplicants but the result's the same. I get the same debug log and the same dot1x error event. This is proving to be a nightmare.

Can somebody, who has successfully tested 802.1x authentication with Windows 2000, help me?

Ankit
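
Added example, not part of the original thread: a short Python script that rebuilds the dot1x_auth and dot1x_bend state paths from the switch debug output in the first post, lists the dot1x-err lines, and decodes two numeric fields (34958 is 0x888E, the EAPOL EtherType; a 4-byte EAP packet is a bare header of code, identifier and length). SAMPLE is an excerpt of the posted log with terminal line wraps rejoined; `summarize` and the regex names are this example's own.

```python
import re

# Excerpt of the debug output from the first post (line wraps rejoined).
SAMPLE = """\
006650: 9w2d: dot1x-ev:Received pkt saddr =xxxx.xxxx.xxxx, daddr = xxxx.xxxx.xxxx,pae-ether-type = 34958
006654: 9w2d: @@@ dot1x_auth Fa0/16: auth_connecting -> auth_authenticating
006661: 9w2d: @@@ dot1x_bend Fa0/16: dot1x_bend_idle -> dot1x_bend_response
006676: 9w2d: dot1x-err:EAP packet not recvd
006682: 9w2d: dot1x-ev:Length of recv eap packet from radius = 4
006685: 9w2d: @@@ dot1x_bend Fa0/16: dot1x_bend_response -> dot1x_bend_fail
006690: 9w2d: dot1x-ev:EAP-code=FAILURE
006695: 9w2d: @@@ dot1x_bend Fa0/16: dot1x_bend_fail -> dot1x_bend_idle
006698: 9w2d: @@@ dot1x_auth Fa0/16: auth_authenticating -> auth_held
"""

LINE = re.compile(r"^(\d+): \S+: (.*)$")
TRANSITION = re.compile(r"^@@@ (dot1x_\w+) (\S+): (\w+) -> (\w+)$")
ERROR = re.compile(r"^dot1x-err:(.*)$")
ETHERTYPE = re.compile(r"pae-ether-type = (\d+)")
EAP_LEN = re.compile(r"Length of recv eap packet from radius = (\d+)")

def summarize(log_text):
    """Return state paths per (machine, port), errors, and decoded fields."""
    paths, errors, notes = {}, [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or non-debug lines
        seq, msg = int(m.group(1)), m.group(2)
        if t := TRANSITION.match(msg):
            machine, port, src, dst = t.groups()
            path = paths.setdefault((machine, port), [src])
            path.append(dst)
        elif e := ERROR.match(msg):
            errors.append((seq, e.group(1).strip()))
        elif et := ETHERTYPE.search(msg):
            notes.append((seq, "ethertype 0x%04X" % int(et.group(1))))
        elif ln := EAP_LEN.search(msg):
            # 4 bytes is a bare EAP header: code, identifier, 2-byte length
            kind = "header only" if int(ln.group(1)) == 4 else "has type-data"
            notes.append((seq, "EAP from RADIUS: " + kind))
    return paths, errors, notes

if __name__ == "__main__":
    paths, errors, notes = summarize(SAMPLE)
    for key, path in paths.items():
        print(key, " -> ".join(path))
    print(errors, notes)
```

Reading the error sequence number against the transitions shows where in the backend state machine the `dot1x-err` line was logged, which is the ordering the original poster was trying to work out by hand.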