Solution
Verify that you have already applied the correct configuration. Below is an example of what I have done in my lab (truncated with only the RADIUS part)
authentication
auth-order dot1x mac-auth
auth-default-vlan 20
dot1x enable
dot1x enable all
dot1x port-control auto all
aaa authentication dot1x default radius
aaa authorization commands 0 default none
aaa accounting dot1x default start-stop radius
aaa accounting system default start-stop radius
radius-server host 172.17.18.90 auth-port 1812 acct-port 1813 default key $demokey$ dot1xVerify that the RADIUS server had been configured
ICX-Switch# show radius servers
---------------------------------------------------------------------------------------------------
Server Type Opens Closes Timeouts Status
---------------------------------------------------------------------------------------------------
172.17.18.90 any 212 216 4 active
Auth Servers: available
Acct Servers: availableVerify the authentication status
ICX-Switch# show dot1x sessions all ----------------------------------------------------------------------------------- Port MAC IP User Vlan Auth ACL Age PAE Addr Addr Name State State ------------------------------------------------------------------------------------ 1/1/1 xxxx.xxxx.xxxx 172.17.18.1 User1 100 permit Yes Ena AUTHENTICATED.xxxx.xxxx 172.17.18.18 User4 200 permit Yes Ena AUTHENTICATED
1/1/3 xxxx.xxxx.xxxx 172.17.18.3 User2 100 permit Yes Ena AUTHENTICATED
1/1/5 xxxx.xxxx.xxxx 172.17.18.12 User3 200 permit Yes Ena AUTHENTICATED
1/1/8 xxxx
Use ptrace aaa command to debug the authentication. Verify that access request and access accept packet can be seen from the output.
ICX-Switch#Debug: Jan 31 17:06:23 Tracing the outgoing Radius Authentication packet..
Debug: Jan 31 17:06:23 UDP packet source IP=172.17.18.1, port=1406, destination IP=172.17.18.90, port=1812
Debug: Jan 31 17:06:23 Radius Header : ACCESS-REQ Identifier =21 Length = 120
Authenticator (HEX):7A8126F7249CE1F76EBE21DA50942C0F
Attribute Type (Length) = User-Name ( 14) Value(ASCII) =
Attribute Type (Length) = User-Password ( 18) Value(HEX) = 360F3831B87534EBEEED6650B4FCE1F2
Attribute Type (Length) = Service-Type ( 6) Value(ASCII) = Callcheck (Dot1x)
Attribute Type (Length) = Framed-MTU ( 6) Value(ASCII) = 1500
Attribute Type (Length) = NAS-IP-Address ( 6) Value(ASCII) = 10.176.166.142
Attribute Type (Length) = NAS-Port-Type ( 6) Value(ASCII) = Ethernet (FlexAuth)
Attribute Type (Length) = NAS-Port ( 6) Value(ASCII) = 1/1/1
Attribute Type (Length) = NAS-Port-Id ( 7) Value(ASCII) = 1/1/1
Attribute Type (Length) = NAS-Identifier ( 12) Value(ASCII) = ICX-Switch
Attribute Type (Length) = Calling-Station-Id ( 19) Value(ASCII) = XX-XX-XX-XX-XX-XX
Debug: Jan 31 17:06:23 Tracing the received Radius packet..
Debug: Jan 31 17:06:23 Radius Header : ACCESS-ACPT Identifier =21 Length = 237
Authenticator (HEX):
Attribute Type (Length) = Session-Timeout ( 6) Value(ASCII) = 3020399
Attribute Type (Length) = Reply-Message (131) Value(ASCII) = type=MacRegistration, mac=XX:XX:XX:XX:XX:XX, registrationDb=IP Phone, registrationPk=361, enrollmentPk=986, registrationDbIndex=0
Attribute Type (Length) = User-Name ( 22) Value(ASCII) = Khairulanam Hassan
Attribute Type (Length) = Tunnel-Type ( 6) Value(ASCII) = 13
Attribute Type (Length) = Tunnel-Medium-Type ( 6) Value(ASCII) = 6
Attribute Type (Length) = Tunnel-group-ID ( 8) Value(ASCII) = T:3000
Attribute Type (Length) = Fdry-Voice-Phone-Cfg ( 20) Value(ASCII) = dscp:46;priority:4
Attribute Type (Length) = Filter-ID ( 12) Value(ASCII) = ip.acl1.in
Additional commands
#show log >> See the process of the dot1x authentication