Solution

Verify that you have already applied the correct configuration. Below is an example from my lab (truncated to show only the RADIUS-related part):

authentication
  auth-order dot1x mac-auth
  auth-default-vlan 20
  dot1x enable
  dot1x enable all
  dot1x port-control auto all
aaa authentication dot1x default radius
aaa authorization commands 0 default none
aaa accounting dot1x default start-stop radius
aaa accounting system default start-stop radius
radius-server host 172.17.18.90 auth-port 1812 acct-port 1813 default key $demokey$ dot1x

Verify that the RADIUS server has been configured:

ICX-Switch# show radius servers
---------------------------------------------------------------------------------------------------
Server                                     Type      Opens     Closes   Timeouts   Status  
---------------------------------------------------------------------------------------------------
172.17.18.90                               any       212        216          4    active  
Auth Servers: available
Acct Servers: available

Verify the authentication status:

ICX-Switch# show dot1x sessions all
------------------------------------------------------------------------------------
Port   MAC             IP            User   Vlan  Auth    ACL  Age  PAE
       Addr            Addr          Name         State             State
------------------------------------------------------------------------------------
1/1/1  xxxx.xxxx.xxxx  172.17.18.1   User1  100   permit  Yes  Ena  AUTHENTICATED
1/1/3  xxxx.xxxx.xxxx  172.17.18.3   User2  100   permit  Yes  Ena  AUTHENTICATED
1/1/5  xxxx.xxxx.xxxx  172.17.18.12  User3  200   permit  Yes  Ena  AUTHENTICATED
1/1/8  xxxx.xxxx.xxxx  172.17.18.18  User4  200   permit  Yes  Ena  AUTHENTICATED

Use the ptrace aaa command to debug the authentication. Verify that the Access-Request and Access-Accept packets can be seen in the output:

ICX-Switch#Debug: Jan 31 17:06:23 Tracing the outgoing Radius Authentication packet..
Debug: Jan 31 17:06:23 UDP packet source IP=172.17.18.1, port=1406, destination IP=172.17.18.90, port=1812
Debug: Jan 31 17:06:23 Radius Header : ACCESS-REQ Identifier =21 Length = 120
Authenticator (HEX):7A8126F7249CE1F76EBE21DA50942C0F
Attribute Type (Length) = User-Name ( 14) Value(ASCII) =
Attribute Type (Length) = User-Password ( 18) Value(HEX) = 360F3831B87534EBEEED6650B4FCE1F2
Attribute Type (Length) = Service-Type ( 6) Value(ASCII) = Callcheck (Dot1x)
Attribute Type (Length) = Framed-MTU ( 6) Value(ASCII) = 1500
Attribute Type (Length) = NAS-IP-Address ( 6) Value(ASCII) = 10.176.166.142
Attribute Type (Length) = NAS-Port-Type ( 6) Value(ASCII) = Ethernet (FlexAuth)
Attribute Type (Length) = NAS-Port ( 6) Value(ASCII) = 1/1/1
Attribute Type (Length) = NAS-Port-Id ( 7) Value(ASCII) = 1/1/1
Attribute Type (Length) = NAS-Identifier ( 12) Value(ASCII) = ICX-Switch
Attribute Type (Length) = Calling-Station-Id ( 19) Value(ASCII) = XX-XX-XX-XX-XX-XX
Debug: Jan 31 17:06:23 Tracing the received Radius packet..
Debug: Jan 31 17:06:23 Radius Header : ACCESS-ACPT Identifier =21 Length = 237
Authenticator (HEX):
Attribute Type (Length) = Session-Timeout ( 6) Value(ASCII) = 3020399
Attribute Type (Length) = Reply-Message (131) Value(ASCII) = type=MacRegistration, mac=XX:XX:XX:XX:XX:XX, registrationDb=IP Phone, registrationPk=361, enrollmentPk=986, registrationDbIndex=0
Attribute Type (Length) = User-Name ( 22) Value(ASCII) = Khairulanam Hassan
Attribute Type (Length) = Tunnel-Type ( 6) Value(ASCII) = 13
Attribute Type (Length) = Tunnel-Medium-Type ( 6) Value(ASCII) = 6
Attribute Type (Length) = Tunnel-group-ID ( 8) Value(ASCII) = T:3000
Attribute Type (Length) = Fdry-Voice-Phone-Cfg ( 20) Value(ASCII) = dscp:46;priority:4
Attribute Type (Length) = Filter-ID ( 12) Value(ASCII) = ip.acl1.in
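
When a capture covers more than one exchange, pairing requests and replies by eye gets tedious. The following added example (not from the original post or from the switch vendor) parses text in the layout shown above, matches each ACCESS-REQ to the reply with the same Identifier, and lists requests that never received one. The sample trace and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of the trace above (all values invented).
SAMPLE = """\
Debug: Jan 31 17:06:23 Radius Header : ACCESS-REQ Identifier =21 Length = 120
Attribute Type (Length) = NAS-Port ( 6) Value(ASCII) = 1/1/1 Attribute Type (Length) = Calling-Station-Id ( 19) Value(ASCII) = 00-00-5E-00-53-01
Debug: Jan 31 17:06:23 Radius Header : ACCESS-ACPT Identifier =21 Length = 60
Attribute Type (Length) = Tunnel-Type ( 6) Value(ASCII) = 13 Attribute Type (Length) = Tunnel-Medium-Type ( 6) Value(ASCII) = 6 Attribute Type (Length) = Tunnel-group-ID ( 8) Value(ASCII) = T:3000 Attribute Type (Length) = Filter-ID ( 12) Value(ASCII) = ip.acl1.in
Debug: Jan 31 17:06:29 Radius Header : ACCESS-REQ Identifier =22 Length = 120
Attribute Type (Length) = NAS-Port ( 6) Value(ASCII) = 1/1/3 Attribute Type (Length) = Calling-Station-Id ( 19) Value(ASCII) = 00-00-5E-00-53-02
"""

HEADER = re.compile(r"Radius Header\s*:\s*(\S+)\s+Identifier\s*=\s*(\d+)")
# Attribute name, then its value up to the next attribute, Debug line or end.
ATTR = re.compile(r"Attribute Type \(Length\) = (\S+)\s*\(\s*\d+\)\s*Value\(\w+\) ="
                  r"[ \t]*(.*?)\s*(?=Attribute Type|Debug:|\Z)", re.S)

def parse_trace(text):
    """Return one dict per RADIUS packet: code, identifier, attributes."""
    heads = list(HEADER.finditer(text))
    ends = [h.start() for h in heads[1:]] + [len(text)]
    return [{"code": h.group(1), "id": int(h.group(2)),
             "attrs": dict(ATTR.findall(text[h.end():e]))}
            for h, e in zip(heads, ends)]

def summarise(req, reply):
    """Describe one exchange; reply is None when nothing answered the request."""
    out = {"port": req["attrs"].get("NAS-Port"), "id": req["id"],
           "reply": reply["code"] if reply else None, "vlan": None, "filter": None}
    if reply and reply["code"] == "ACCESS-ACPT":
        a = reply["attrs"]
        # RFC 3580 dynamic VLAN: Tunnel-Type 13 (VLAN), Tunnel-Medium-Type 6 (802).
        if a.get("Tunnel-Type") == "13" and a.get("Tunnel-Medium-Type") == "6":
            out["vlan"] = a.get("Tunnel-group-ID")  # kept as printed, e.g. T:3000
        out["filter"] = a.get("Filter-ID")
    return out

def pair_exchanges(packets):
    """Match each ACCESS-REQ with the reply that carries the same Identifier."""
    pending, done = {}, []
    for p in packets:
        if p["code"] == "ACCESS-REQ":
            pending[p["id"]] = p
        elif p["id"] in pending:
            done.append(summarise(pending.pop(p["id"]), p))
    return done + [summarise(r, None) for r in pending.values()]

if __name__ == "__main__":
    print(*pair_exchanges(parse_trace(SAMPLE)), sep="\n")
```

A row whose reply is None is a request the capture shows no answer for, which is worth comparing with the Timeouts counter in show radius servers.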

Additional commands

#show log     >> See the process of the dot1x authentication
