802.1x failing but radius authentication succeeded

Mario_Salhab
New Contributor II
Hello,

I'm testing 802.1x authentication on Extreme XOS. I'm running XOS 16.2.4.5 patch1-5 on an X440-8t switch. I've completed the setup based on the documentation provided by Extreme. The problem is that I'm receiving "Authentication failed for Network Login 802.1x user host/xxxxxx Mac xxxxxxx port x", although if I run Wireshark on my RADIUS server, I see authentication successful for host/xxxxxx. I'm wondering why the switch is considering it as failed. My RADIUS server is a Microsoft 2008R2 NPS server.

Thanks
Mario
13 REPLIES

Mario_Salhab
New Contributor II
Hi Stefan,

X440-8t.8 # sh netlogin port 1
Port : 1
Port Restart : Disabled
Allow Egress : None
Vlan : nt_login
Authentication : 802.1x
Port State : Enabled
Auth Failure Vlan : Disabled
Auth Service-Unavailable Vlan : Disabled
------------------------------------------------
802.1x Port Configuration
------------------------------------------------
Quiet Period : 60
Supplicant Response Timeout : 30
Re-authentication : On
Re-authentication period : 3600
Max Re-authentications : 3
RADIUS server timeout : 30
Guest Vlan : Disabled
------------------------------------------------
Netlogin Clients
------------------------------------------------

MAC IP address Authenticated Type ReAuth-Timer User
00:24:e8:d9:5d:ec 0.0.0.0 No 802.1x 0
-----------------------------------------------
(B) - Client entry Blackholed in FDB

Number of Clients Authenticated : 0

Jaroslav_Stefan
New Contributor II
Also, the output of sh netlogin port XX would be useful, where XX is the port on which netlogin is enabled and "successful".

Mario_Salhab
New Contributor II
Hi Jason,

X440-8t.7 # sh radius
Radius Default State: disabled
Radius Default Timeout: 3 seconds
Radius Algorithm: standard
Radius Retries: 20
Switch Management Radius: disabled
Switch Management Radius server connect time out: 120 seconds
Switch Management Radius Accounting: disabled
Switch Management Radius Accounting server connect time out: 3 seconds
Netlogin Radius: enabled
Netlogin Radius server connect time out: 120 seconds
Netlogin Radius Accounting: disabled
Netlogin Radius Accounting server connect time out: 3 seconds

Primary Netlogin Radius server: Status is Active
host name :
IP address : 172.21.192.162
Server IP Port: 1812
Client address: 172.21.192.222 (VR-Default)
Retries : 20 *
Timeout : 120 *
shared secret : (encrypted secret)
Access Requests : 0 Access Accepts : 0
Access Rejects : 0 Access Challenges : 0
Access Retransmits: 0 Client timeouts : 0
Bad authenticators: 0 Unknown types : 0
Round Trip Time : 0

Legend: An asterisk (*) indicates a global value is in use.
X440-8t.8 #
X440-8t.8 #
X440-8t.8 # restart ports 1
X440-8t.9 # sh radius
Radius Default State: disabled
Radius Default Timeout: 3 seconds
Radius Algorithm: standard
Radius Retries: 20
Switch Management Radius: disabled
Switch Management Radius server connect time out: 120 seconds
Switch Management Radius Accounting: disabled
Switch Management Radius Accounting server connect time out: 3 seconds
Netlogin Radius: enabled
Netlogin Radius server connect time out: 120 seconds
Netlogin Radius Accounting: disabled
Netlogin Radius Accounting server connect time out: 3 seconds

Primary Netlogin Radius server: Status is Active
host name :
IP address : 172.21.192.162
Server IP Port: 1812
Client address: 172.21.192.222 (VR-Default)
Retries : 20 *
Timeout : 120 *
shared secret : (encrypted secret)
Access Requests : 1 Access Accepts : 1
Access Rejects : 0 Access Challenges : 3
Access Retransmits: 0 Client timeouts : 0
Bad authenticators: 0 Unknown types : 0
Round Trip Time : 0

Legend: An asterisk (*) indicates a global value is in use.

X440-8t.11 # show conf eaps
#
# Module eaps configuration.
#
X440-8t.12 # show config aaa
#
# Module aaa configuration.
#
configure radius netlogin primary server 172.21.192.162 1812 client-ip 172.21.192.222 vr VR-Default
configure radius netlogin primary shared-secret encrypted "(encrypted secret)"
enable radius netlogin
configure radius mgmt-access timeout 120
configure radius netlogin timeout 120
configure radius retries 20
X440-8t.13 # show config | include radius
configure radius netlogin primary server 172.21.192.162 1812 client-ip 172.21.192.222 vr VR-Default
configure radius netlogin primary shared-secret encrypted "(encrypted secret)"
enable radius netlogin
configure radius mgmt-access timeout 120
configure radius netlogin timeout 120
configure radius retries 20
X440-8t.14 #

---
Edited by CM to remove the shared secret

Jason_Parker
Contributor
Mario,
A show radius screenshot may help, as well as:
show conf eaps
show config aaa
show config | include radius