802.1x failing but radius authentication succeeded
‎02-02-2018 10:29 AM
Hello,
I'm testing 802.1x authentication on Extreme XOS. I'm running XOS 16.2.4.5 patch1-5 on an x440-8t switch. I've completed the setup based on the documentation provided by Extreme. The problem is that I'm receiving "Authentication failed for Network Login 802.1x user host/xxxxxx Mac xxxxxxx port x", although if I run Wireshark on my RADIUS server, I see authentication successful for host/xxxxxx. I'm wondering why the switch is considering it as failed. My RADIUS server is a Microsoft 2008R2 NPS server.
Thanks
Mario
13 REPLIES 13
‎02-05-2018 08:25 AM
Hi Stefan,
X440-8t.8 # sh netlogin port 1
Port : 1
Port Restart : Disabled
Allow Egress : None
Vlan : nt_login
Authentication : 802.1x
Port State : Enabled
Auth Failure Vlan : Disabled
Auth Service-Unavailable Vlan : Disabled
------------------------------------------------
802.1x Port Configuration
------------------------------------------------
Quiet Period : 60
Supplicant Response Timeout : 30
Re-authentication : On
Re-authentication period : 3600
Max Re-authentications : 3
RADIUS server timeout : 30
Guest Vlan : Disabled
------------------------------------------------
Netlogin Clients
------------------------------------------------
MAC IP address Authenticated Type ReAuth-Timer User
00:24:e8:d9:5d:ec 0.0.0.0 No 802.1x 0
-----------------------------------------------
(B) - Client entry Blackholed in FDB
Number of Clients Authenticated : 0
‎02-02-2018 06:34 PM
Also, the output of sh netlogin port XX would be useful, where XX is the port where netlogin is enabled and "successful".
‎02-02-2018 03:37 PM
Hi Jason,
X440-8t.7 # sh radius
Radius Default State: disabled
Radius Default Timeout: 3 seconds
Radius Algorithm: standard
Radius Retries: 20
Switch Management Radius: disabled
Switch Management Radius server connect time out: 120 seconds
Switch Management Radius Accounting: disabled
Switch Management Radius Accounting server connect time out: 3 seconds
Netlogin Radius: enabled
Netlogin Radius server connect time out: 120 seconds
Netlogin Radius Accounting: disabled
Netlogin Radius Accounting server connect time out: 3 seconds
Primary Netlogin Radius server: Status is Active
host name :
IP address : 172.21.192.162
Server IP Port: 1812
Client address: 172.21.192.222 (VR-Default)
Retries : 20 *
Timeout : 120 *
shared secret : (encrypted secret)
Access Requests : 0 Access Accepts : 0
Access Rejects : 0 Access Challenges : 0
Access Retransmits: 0 Client timeouts : 0
Bad authenticators: 0 Unknown types : 0
Round Trip Time : 0
Legend: An asterisk (*) indicates a global value is in use.
X440-8t.8 #
X440-8t.8 #
X440-8t.8 # restart ports 1
X440-8t.9 # sh radius
Radius Default State: disabled
Radius Default Timeout: 3 seconds
Radius Algorithm: standard
Radius Retries: 20
Switch Management Radius: disabled
Switch Management Radius server connect time out: 120 seconds
Switch Management Radius Accounting: disabled
Switch Management Radius Accounting server connect time out: 3 seconds
Netlogin Radius: enabled
Netlogin Radius server connect time out: 120 seconds
Netlogin Radius Accounting: disabled
Netlogin Radius Accounting server connect time out: 3 seconds
Primary Netlogin Radius server: Status is Active
host name :
IP address : 172.21.192.162
Server IP Port: 1812
Client address: 172.21.192.222 (VR-Default)
Retries : 20 *
Timeout : 120 *
shared secret : (encrypted secret)
Access Requests : 1 Access Accepts : 1
Access Rejects : 0 Access Challenges : 3
Access Retransmits: 0 Client timeouts : 0
Bad authenticators: 0 Unknown types : 0
Round Trip Time : 0
Legend: An asterisk (*) indicates a global value is in use.
X440-8t.11 # show conf eaps
#
# Module eaps configuration.
#
X440-8t.12 # show config aaa
#
# Module aaa configuration.
#
configure radius netlogin primary server 172.21.192.162 1812 client-ip 172.21.192.222 vr VR-Default
configure radius netlogin primary shared-secret encrypted "(encrypted secret)"
enable radius netlogin
configure radius mgmt-access timeout 120
configure radius netlogin timeout 120
configure radius retries 20
X440-8t.13 # show config | include radius
configure radius netlogin primary server 172.21.192.162 1812 client-ip 172.21.192.222 vr VR-Default
configure radius netlogin primary shared-secret encrypted "(encrypted secret)"
enable radius netlogin
configure radius mgmt-access timeout 120
configure radius netlogin timeout 120
configure radius retries 20
X440-8t.14 #
---
Edited by CM to remove the shared secret
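An added example, not part of the original post or of Extreme's tooling: a small Python parser that diffs the two `sh radius` counter captures above and combines the result with the Authenticated column of the `sh netlogin port 1` row posted earlier in the thread, to place the failure relative to the RADIUS exchange. The sample text is copied from the thread; the function names, the verdict strings, and the assumption that a positive Authenticated value starts with "Yes" belong to this example.

```python
import re

# Counter lines copied from the two `sh radius` captures in the post above
# (before and after `restart ports 1`).
BEFORE = """\
Access Requests : 0 Access Accepts : 0
Access Rejects : 0 Access Challenges : 0
Access Retransmits: 0 Client timeouts : 0
Bad authenticators: 0 Unknown types : 0
"""
AFTER = """\
Access Requests : 1 Access Accepts : 1
Access Rejects : 0 Access Challenges : 3
Access Retransmits: 0 Client timeouts : 0
Bad authenticators: 0 Unknown types : 0
"""
# Client row copied from the `sh netlogin port 1` output earlier in the thread.
NETLOGIN_ROW = "00:24:e8:d9:5d:ec 0.0.0.0 No 802.1x 0"

# Each output line holds two "name : value" pairs.
COUNTER = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)")

def parse_counters(text):
    """Return {counter name: int value} for one `sh radius` capture."""
    return {name.strip(): int(val) for name, val in COUNTER.findall(text)}

def delta(before, after):
    """Per-counter change between two captures."""
    b, a = parse_counters(before), parse_counters(after)
    return {k: a[k] - b.get(k, 0) for k in a}

def client_authenticated(row):
    """Third column is the Authenticated flag; assumes 'Yes...' means authenticated."""
    return row.split()[2].lower().startswith("yes")

def diagnose(before, after, row):
    """Place the failure: before RADIUS, in transit, at the server, or on the switch."""
    d = delta(before, after)
    if d["Access Requests"] == 0:
        return "no Access-Request sent: check netlogin and RADIUS configuration"
    if d["Client timeouts"] or d["Bad authenticators"]:
        return "timeouts or bad authenticators: check reachability and shared secret"
    if d["Access Rejects"]:
        return "Access-Reject received: check the server-side policy"
    if d["Access Accepts"] == 0:
        return "exchange did not finish: no Accept or Reject counted"
    if not client_authenticated(row):
        return "Access-Accept received but client not authenticated: failure is on the switch"
    return "accepted and authenticated"
```

For the captures in this thread, `diagnose(BEFORE, AFTER, NETLOGIN_ROW)` reports that the Accept arrived and the client is still unauthenticated, which matches what Mario sees in Wireshark and in the switch log.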
‎02-02-2018 03:32 PM
Mario,
A show radius screenshot may help, as well as:
show conf eaps
show config aaa
show config | include radius
