Thursday, July 25, 2019

Cisco 2960c + ISE 2.4 - 802.1X authentication won't work

Trying to configure a 2960c switch to do port-based 802.1X for wired clients. Switch has the so-called 'lan lite' license.

Global configuration commands include:

aaa new-model
dot1x system-auth-control
radius server CiscoISE24
 address ipv4 10.X.XX.XX auth-port 1812 acct-port 1813
 key 0 XXXXXXXX
aaa group server radius 802.1X_Auth
 server name CiscoISE24
aaa authentication dot1x default group 802.1X_Auth

My ISE instance is configured to deliver a VLAN assignment if authentication succeeds. Test AAA group indicates a successful authentication from 2960c to ISE:

cisco2960c#test aaa group radius vpnuser@int.mydomian.net XXXXX new-code
User successfully authenticated

USER ATTRIBUTES

username             0   "vpnuser@int.mydomain.net"
tunnel-type          1   13 [vlan]
tunnel-medium-type   1   6 [ALL_802]
tunnel-private-group 1   "102"
security-group-tag   0   "0004-00"

And I can see the successful authentications in the ISE RADIUS Live Logs and the proper/desired Policy Set on ISE is triggering.

However, when trying to configure the interface on the 2960c something is going sideways. Here's the config:

interface FastEthernet0/3
 description 802.1XclientAccessToVLAN102
 switchport mode access
 access-session port-control auto
 dot1x pae authenticator

The switch is running SW Version 15.2(7)E. I'm trying to authenticate a macOS client via configuration profile for 'any ethernet' interface on the MacBook testing client.

dot1x all + radius + aaa authentication debugging tells me the following when I connect the cable to the port and then attempt to authenticate:

*Jan 23 13:13:41.832: dot1x-ev:[Fa0/3] Interface state changed to UP
*Jan 23 13:13:41.840: dot1x-ev:DOT1X Supplicant not enabled on FastEthernet0/3
*Jan 23 13:13:43.828: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
*Jan 23 13:13:44.835: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up
*Jan 23 13:13:55.958: dot1x-packet:[d0a6.37e4.9581, Fa0/3] queuing an EAPOL pkt on Auth Q
*Jan 23 13:13:55.958: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x1
*Jan 23 13:13:55.958: dot1x-packet: length: 0x0000
*Jan 23 13:13:55.958: dot1x-ev:[Fa0/3] Dequeued pkt: Int Fa0/3 CODE= 0,TYPE= 0,LEN= 0
*Jan 23 13:13:55.958: dot1x-ev:[Fa0/3] Received pkt saddr =d0a6.37e4.9581 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
*Jan 23 13:13:55.958: dot1x-ev:[Fa0/3] Couldn't find the supplicant in the list
*Jan 23 13:13:55.958: dot1x-ev:[d0a6.37e4.9581, Fa0/3] New client detected, sending session start event for d0a6.37e4.9581
*Jan 23 13:14:00.958: dot1x-packet:[d0a6.37e4.9581, Fa0/3] queuing an EAPOL pkt on Auth Q
*Jan 23 13:14:00.966: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x1
*Jan 23 13:14:00.966: dot1x-packet: length: 0x0000
*Jan 23 13:14:00.966: dot1x-ev:[Fa0/3] Dequeued pkt: Int Fa0/3 CODE= 0,TYPE= 0,LEN= 0
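The debug above shows the supplicant sending EAPOL-Start (type 0x1) twice, five seconds apart, with no EAP exchange following. As an added example that is not part of the original post, the Python below parses those dot1x debug lines, decodes the EAPOL header fields from the pae-ether-type value, and flags clients that keep sending EAPOL-Start without ever progressing to an EAP-Packet. The sample log is constructed from the lines above, and the stall heuristic (two or more Starts, zero EAP-Packets) is an assumption of mine, not a Cisco-documented rule.

```python
import re
from collections import defaultdict

# Constructed sample: EAPOL-related dot1x debug lines from the post, one per line.
DEBUG_LOG = """\
*Jan 23 13:13:55.958: dot1x-packet:[d0a6.37e4.9581, Fa0/3] queuing an EAPOL pkt on Auth Q
*Jan 23 13:13:55.958: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x1
*Jan 23 13:13:55.958: dot1x-ev:[Fa0/3] Received pkt saddr =d0a6.37e4.9581 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
*Jan 23 13:14:00.958: dot1x-packet:[d0a6.37e4.9581, Fa0/3] queuing an EAPOL pkt on Auth Q
*Jan 23 13:14:00.966: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x1
"""

# IEEE 802.1X EAPOL packet types (the byte after the protocol version byte).
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

QUEUE_RE = re.compile(r"dot1x-packet:\[([0-9a-f.]+), (\S+)\] queuing an EAPOL pkt")
RX_RE = re.compile(r"EAPOL pak rx - Ver: 0x([0-9a-fA-F]+) type: 0x([0-9a-fA-F]+)")

def decode_pae_header(field):
    """Split a 'pae-ether-type = 888e.0101.0000' value into its 802.1X wire
    fields: EtherType, EAPOL version, EAPOL type, body length."""
    raw = bytes.fromhex(field.replace(".", ""))
    return {"ethertype": int.from_bytes(raw[0:2], "big"), "version": raw[2],
            "type": raw[3], "length": int.from_bytes(raw[4:6], "big")}

def summarize_eapol(log):
    """Count EAPOL frames the switch received, keyed by (client MAC, port).
    The 'EAPOL pak rx' line names no MAC, so it is attributed to the client in
    the immediately preceding 'queuing an EAPOL pkt' line."""
    counts = defaultdict(lambda: defaultdict(int))
    client = None
    for line in log.splitlines():
        m = QUEUE_RE.search(line)
        if m:
            client = (m.group(1), m.group(2))
            continue
        m = RX_RE.search(line)
        if m and client:
            name = EAPOL_TYPES.get(int(m.group(2), 16), "unknown")
            counts[client][name] += 1
    return {c: dict(t) for c, t in counts.items()}

def stalled_clients(log):
    """Clients that sent EAPOL-Start at least twice but never an EAP-Packet
    (assumed heuristic). A supplicant retries Start when no EAP-Request/Identity
    comes back, so the authenticator side (port config, PAE role, AAA method
    list) is where to look rather than the RADIUS server."""
    return [c for c, t in summarize_eapol(log).items()
            if t.get("EAPOL-Start", 0) >= 2 and t.get("EAP-Packet", 0) == 0]
```

Run `stalled_clients(DEBUG_LOG)` against a longer capture after each config change; once the authenticator replies, the same MAC should start showing EAP-Packet counts and drop out of the list.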

Been scouring all the Cisco forums, trying to figure out the error of my ways. No minor config tweak seems to make a difference.

Q1) Am I limited by the license on the 2960c and therefore unable to do dot1x?

Q2) Or have I just configured the 2960c incorrectly?

Q3) Do I have to do additional config to get the switch to handle the returned VLAN ID from ISE?

I've tried explicitly assigning 'switchport vlan 102' on the interface as well. But the client obtains a DHCP address, can route traffic, and essentially doesn't appear to need the 802.1X authentication.

Thanks for having a look.
