The problem areas of an AAA implementation on a switch may be categorized as follows:
Switch management troubleshooting
Identity-based Network Services (IBNSs) troubleshooting
Switch Management Troubleshooting
The TACACS+ protocol is the preferred choice for configuring AAA for switch management, although RADIUS and Kerberos are the other two options available. The local user database is primarily used for console authentication or as a fallback method for Telnet or SSH access to the switch. The primary focus of this section is on configuring and troubleshooting an AAA implementation using TACACS+ together with the local user database.
Table 11-3 shows AAA features introduced on different versions of the switch code.
Table 11-3. AAA Features Available Based on CatOS Release

AAA Method                                     CatOS 2.2-5.1   CatOS 5.1-5.4.1   CatOS 5.4.1-7.5.1   CatOS 7.5.1 and later
TACACS+ Authentication                         Yes             Yes               Yes                 Yes
RADIUS Authentication                          No              Yes               Yes                 Yes
Kerberos Authentication                        No              No                Yes                 Yes
Local Username Authentication/Authorization    No              No                No                  Yes
TACACS+ Command Authorization                  No              No                Yes                 Yes
TACACS+ Exec Authorization                     No              No                Yes                 Yes
RADIUS Exec Authorization                      No              No                Yes                 Yes
Accounting - TACACS+/RADIUS                    No              No                Yes                 Yes
TACACS+ Enable Authorization                   Yes             Yes               Yes                 Yes
RADIUS Enable Authorization                    No              Yes               Yes                 Yes
TACACS+ Enable Authorization                   No              No                Yes                 Yes
Login Authentication
This section steps through the configuration and discusses some of the common issues that you may encounter, and how to troubleshoot them.
Configuration Steps
To configure AAA authentication, perform the following tasks:
Step 1. Create local user database
If you are running CatOS version 7.5.1 or above, configure the local user database as follows:
Example 11-11. Sample Output of Local User Database
Switch> (enable) set localuser user admin password powerpass privilege 15
Switch> (enable) set localuser user basic password nonenable
It is important to note that there are only two privilege levels (0 and 15) for the authentication of local users, as shown in Example 11-11, where admin has privilege level 15 (enable access privilege) but the user basic has privilege level 0, which is exec privilege. So, when admin uses Telnet or the console, it can get to the enable mode, but the user basic stays in user mode. User basic needs to know the enable password to reach the enable mode, which can be configured with the set enable password command. The local user database can be configured as the only user authentication method, or it can be configured as a backup for the external AAA server authentication so that users are not locked out.
Step 2. Turn on and verify the local authentication as a fallback (back door) or only method for authentication, as Example 11-12 shows.
Example 11-12. Turning on Local User Authentication
Switch> (enable) set authentication login local enable
Switch> (enable) show aaa authentication
Switch> (enable)
Step 3. Define the TACACS+ server and shared secret key on the switch.
Configure the communication parameters between the switch and AAA server (TACACS+ or RADIUS) by providing the IP address and the shared secret key (optional) for encryption, as Example 11-13 shows.
Example 11-13. Configuration Required for Communicating with AAA Server
Switch> (enable) set tacacs server 10.1.1.40
Switch> (enable) set tacacs key cisco
Switch> (enable)
Step 4. Define the AAA client on the AAA Server.
Configure the switch as an AAA client on the Cisco Secure ACS by browsing to Network Configuration > Add AAA client > Add Entry (define the switch IP address and shared secret key) > Stop/Restart the service.
Note that the switch IP address and shared secret key entered here must match what is defined on the switch.
Step 5. Create the user database on the Cisco Secure ACS.
After logging in to Cisco Secure ACS, go to User Setup, create a user with a username and password, and map the user to a group on ACS. The group needs no special configuration: no special parameters need to be defined for simple user authentication to the switch.
Step 6. Turn on TACACS+ authentication, as Example 11-14 shows.
Example 11-14. Turning on TACACS+ Authentication on the Switch
Switch> (enable) set authentication login tacacs enable
Switch> (enable)
Troubleshooting Steps
Troubleshooting authentication needs to be done on both the switch and the TACACS+ server side. It is, however, recommended to troubleshoot the AAA issue on the switch together with the CS ACS server itself. You can turn on debugging with the set trace tacacs 4 command on the switch. It is worth examining the debug output of a successful authentication on the switch before you go through some of the common issues that you may encounter. Example 11-15 walks through the debug output on the switch.
Example 11-15. The debug Output for Successful User Authentication with TACACS+ protocol
Switch> (enable) set trace tacacs 4
AAA/AUTHEN: update_user user='' ruser='(null)' port='telnet146' rem_addr='10.1.1.20' authen_type=1 service=LOGIN priv=1
2005 Mar 26 22:10:08.510
AAA/AUTHEN/START (0): port='telnet146' list='(null)' action=LOGIN service=LOGIN
TAC+: send AUTHEN/START packet ver=192 id=224470576
! Opening connection with the TACACS+ server
TAC+: Opening TCP/IP connection to 10.1.1.40
TAC+: ver=192 id=224470576 received AUTHEN status = GETUSER
2005 Mar 26 22:10:09.520
! Getting username input from the user
AAA/AUTHEN (224470576): status = GETUSER
User Access Verification
Username:
2005 Mar 26 22:10:16.590
! Got the username administrator
AAA/AUTHEN: update_user user='administrator' ruser='(null)' port='telnet146' rem_addr='10.1.1.20' authen_type=1 service=LOGIN priv=1
2005 Mar 26 22:10:16.590
AAA/AUTHEN/CONT (224470576): continue_login
2005 Mar 26 22:10:16.590
AAA/AUTHEN (224470576): status = GETUSER
TAC+: send AUTHEN/CONT packet id=224470576
! Here the server asks for the password
TAC+: ver=192 id=224470576 received AUTHEN status = GETPASS
2005 Mar 26 22:10:17.090
AAA/AUTHEN (224470576): status = GETPASSPassword:
2005 Mar 26 22:10:19.980 AAA/AUTHEN/CONT (224470576): continue_login
2005 Mar 26 22:10:19.980 AAA/AUTHEN (224470576): status = GETPASS
TAC+: send AUTHEN/CONT packet id=224470576
! Here the authentication is reported as successful
TAC+: ver=192 id=224470576 received AUTHEN status = PASS
2005 Mar 26 22:10:20.480 AAA/AUTHEN (224470576): status = PASS
Switch> (enable)
Now take a look at some of the common problems you may encounter with the TACACS+ authentication.
TACACS+ Server Is Unreachable or the Shared Secret Key Is Mismatched
If the TACACS+ server is unreachable or the shared secret key is mismatched between the TACACS+ server and the switch, an ERROR status is reported, as in Example 11-16. If an alternate method (for example, the local user database) is configured as a backup method, the switch then tries to authenticate the user with the backup method.
Example 11-16. The ERROR Message When TACACS+ Server Is Unreachable
2005 Mar 29 15:29:22.430
AAA/AUTHEN: update_user user='' ruser='(null)' port='telnet146' rem_addr='10.25.35.229' authen_type=1 service=LOGIN priv=1
2005 Mar 29 15:29:22.430
AAA/AUTHEN/START (0): port='telnet146' list='(null)' action=LOGIN service=LOGIN
TAC+: send AUTHEN/START packet ver=192 id=340001563
TAC+: no tacacs server defined
TACACS: Unable to contact Server
!The following line shows the ERROR message when the TACACS+ server is unreachable
2005 Mar 29 15:29:22.430 AAA/AUTHEN (340001563): status = ERROR
2005 Mar 29 15:29:22.430 AAA/AUTHEN/START (340001563): failed to authenticate
2005 Mar 29 15:29:22.430 %AAA: enable: Internal error.
Trying Local Login Authentication
Bad Username or Password
If the username or password is invalid, authentication fails with a FAIL status. This is different from the ERROR status seen earlier: with a bad username or password, the backup method is not tried. Example 11-17 shows the debug output for an authentication attempt with a bad username or password.
Example 11-17. Debug Output for AAA When Bad Username or Password Is Entered
2005 Mar 29 15:39:14.490 AAA/AUTHEN: update_user user='' ruser='(null)'
port='telnet146' rem_addr='10.1.1.20' authen_type=1 service=LOGIN priv=1
2005 Mar 29 15:39:14.490 AAA/AUTHEN/START (0): port='telnet146' list='(null)'
action=LOGIN service=LOGIN
TAC+: send AUTHEN/START packet ver=192 id=599265646
TAC+: Opening TCP/IP connection to 10.1.1.40
TAC+: ver=192 id=599265646 received AUTHEN status = GETUSER
2005 Mar 29 15:39:15.490 AAA/AUTHEN (599265646): status = GETUSER
User Access Verification
Username:
2005 Mar 29 15:39:17.800 AAA/AUTHEN: update_user user='admin123' ruser='(null)'
port='telnet146' rem_addr='10.25.35.229' authen_type=1 service=LOGIN priv=1
2005 Mar 29 15:39:17.800 AAA/AUTHEN/CONT (599265646): continue_login
2005 Mar 29 15:39:17.800 AAA/AUTHEN (599265646): status = GETUSER
TAC+: send AUTHEN/CONT packet id=599265646
TAC+: ver=192 id=599265646 received AUTHEN status = GETPASS
2005 Mar 29 15:39:18.300 AAA/AUTHEN (599265646): status = GETPASSPassword:
2005 Mar 29 15:39:20.890 AAA/AUTHEN/CONT (599265646): continue_login
2005 Mar 29 15:39:20.890 AAA/AUTHEN (599265646): status = GETPASS
TAC+: send AUTHEN/CONT packet id=599265646
!The FAIL status indicates either a bad username or an invalid password.
TAC+: ver=192 id=599265646 received AUTHEN status = FAIL
2005 Mar 29 15:39:21.400
AAA/AUTHEN (599265646): status = FAIL
% Authentication failed.
2005 Mar 29 15:39:21.400
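The two outcomes just described, an ERROR status that lets the switch fall back to the local user database and a FAIL status that does not, are easy to confuse when reading trace output by eye. The following Python script is an added example, not part of the original chapter and not a Cisco tool. It parses constructed samples of set trace tacacs 4 output modelled on Examples 11-15 through 11-17 and reports the final AAA status, whether the server was reachable, and whether the switch moved on to local login. The sample text, function names and dictionary keys are the example's own.

```python
import re

# Constructed samples modelled on the "set trace tacacs 4" output shown in
# Examples 11-15 through 11-17; they were not captured from a real switch.
TRACE_PASS = """\
AAA/AUTHEN: update_user user='' ruser='(null)' port='telnet146' rem_addr='10.1.1.20' authen_type=1 service=LOGIN priv=1
TAC+: send AUTHEN/START packet ver=192 id=224470576
TAC+: Opening TCP/IP connection to 10.1.1.40
TAC+: ver=192 id=224470576 received AUTHEN status = GETUSER
AAA/AUTHEN (224470576): status = GETUSER
AAA/AUTHEN: update_user user='administrator' ruser='(null)' port='telnet146' rem_addr='10.1.1.20' authen_type=1 service=LOGIN priv=1
TAC+: ver=192 id=224470576 received AUTHEN status = GETPASS
AAA/AUTHEN (224470576): status = GETPASS
TAC+: ver=192 id=224470576 received AUTHEN status = PASS
2005 Mar 26 22:10:20.480 AAA/AUTHEN (224470576): status = PASS
"""

TRACE_FAIL = """\
AAA/AUTHEN: update_user user='admin123' ruser='(null)' port='telnet146' rem_addr='10.25.35.229' authen_type=1 service=LOGIN priv=1
TAC+: send AUTHEN/START packet ver=192 id=599265646
TAC+: Opening TCP/IP connection to 10.1.1.40
TAC+: ver=192 id=599265646 received AUTHEN status = GETUSER
AAA/AUTHEN (599265646): status = GETUSER
TAC+: ver=192 id=599265646 received AUTHEN status = GETPASS
AAA/AUTHEN (599265646): status = GETPASS
TAC+: ver=192 id=599265646 received AUTHEN status = FAIL
AAA/AUTHEN (599265646): status = FAIL
% Authentication failed.
"""

TRACE_ERROR = """\
AAA/AUTHEN: update_user user='' ruser='(null)' port='telnet146' rem_addr='10.25.35.229' authen_type=1 service=LOGIN priv=1
TAC+: send AUTHEN/START packet ver=192 id=340001563
TAC+: no tacacs server defined
TACACS: Unable to contact Server
2005 Mar 29 15:29:22.430 AAA/AUTHEN (340001563): status = ERROR
2005 Mar 29 15:29:22.430 AAA/AUTHEN/START (340001563): failed to authenticate
Trying Local Login Authentication
"""

# Only the switch-side AAA status lines carry the session id in parentheses;
# the "TAC+: ... received AUTHEN status" lines are deliberately not matched.
STATUS_RE = re.compile(r"AAA/AUTHEN \((\d+)\): status = (PASS|FAIL|ERROR|GETUSER|GETPASS)")
USER_RE = re.compile(r"update_user user='([^']*)' .*rem_addr='([^']*)'")


def classify_trace(trace):
    """Summarise one login attempt from the switch's TACACS+ trace output."""
    result = {"session": None, "user": "", "rem_addr": "", "statuses": [],
              "final_status": None, "server_reachable": False, "backup_tried": False}
    for line in trace.splitlines():
        m = USER_RE.search(line)
        if m:
            # update_user is logged at every prompt; keep the last non-empty name
            result["user"] = m.group(1) or result["user"]
            result["rem_addr"] = m.group(2)
        if "Opening TCP/IP connection" in line:
            result["server_reachable"] = True
        if "Unable to contact Server" in line:
            result["server_reachable"] = False
        if "Trying Local Login Authentication" in line:
            result["backup_tried"] = True
        m = STATUS_RE.search(line)
        if m:
            result["session"] = m.group(1)
            result["statuses"].append(m.group(2))
    if result["statuses"]:
        result["final_status"] = result["statuses"][-1]
    return result


def explain(result):
    """Map the final AAA status to what the chapter says happens next."""
    status = result["final_status"]
    if status == "PASS":
        return "authenticated by TACACS+ as '%s'" % result["user"]
    if status == "FAIL":
        # FAIL is a definite answer from the server, so the switch does not
        # try the backup method: a wrong password is never rescued locally.
        return "credentials for '%s' rejected by TACACS+; backup method not tried" % result["user"]
    if status == "ERROR":
        # ERROR means no usable answer (server unreachable or key mismatch);
        # only then does the switch move on to the next configured method.
        nxt = "falling back to local login" if result["backup_tried"] else "no backup method configured"
        return "TACACS+ server error (unreachable or key mismatch); " + nxt
    return "incomplete session (last status %s)" % status


if __name__ == "__main__":
    for name, trace in (("pass", TRACE_PASS), ("fail", TRACE_FAIL), ("error", TRACE_ERROR)):
        print(name, "->", explain(classify_trace(trace)))
```

Run against a saved trace, the script answers the first question a troubleshooter has: did the server refuse the user (fix the user on ACS) or did the switch never get an answer (fix the server definition or the shared key on both sides).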
Enable Password Authentication
To authenticate enable access to the switch after the user logs into the switch, set this up on the switch and on the Cisco Secure ACS Server.
Configuration Steps
The following steps are required on the switch:
Step 1. Turn on enable password authentication with the local user database. This means that the user's enable access will be authenticated with the enable password defined on the switch. If TACACS+ is configured as the primary method for authentication, the enable password will be used in case the TACACS+ server is unreachable. Example 11-18 shows how to turn on enable authentication with the local user database.
Example 11-18. Turning on Enable Authentication with a Local User Database on Switch
Switch> (enable) set authentication enable local enable
Switch (enable) set enable
Enter old password:
Enter new password: cisco
Retype new password: cisco
Password changed.
Switch (enable)
Step 2. Configure Enable parameters for users and groups on CS ACS.
Turn on Advanced TACACS+ Features by browsing to Interface Configuration and selecting TACACS+ (Cisco IOS). Then check Advanced TACACS+ Features under Advanced Configuration Options setting. Click Submit. Under the Enable Options of User/group setup, deselect No Enable Privilege and select the desired enable privilege level either based on AAA client or Network Device Group (NDG).
To authenticate the enable password with a separate password other than the login password, you can go to the TACACS+ Enable Password section of user setup and set up a password that differs from the user's actual login password.
Step 3. Configure TACACS+ for enable password authentication as shown in Example 11-19.
Example 11-19. Configuration to Turn on Enable Authentication
Switch (enable) set authentication enable tacacs enable
Switch (enable)
Troubleshooting Steps
Troubleshooting steps for the Enable password authentication are the same as for login authentication. Following are some of the important points to be aware of when using enable password authentication:
Enable Authentication Is Not Turned On on the Switch
Turn on enable authentication on the switch to use the TACACS+ server. By default, enable authentication with the local enable password is turned on. If the TACACS+ server is down, the enable password is used as a backup, provided enable login with the enable password is enabled.
Enable Password Is Not Defined on the CS ACS
When configuring a user profile, either use the same password as the login or define a separate password for enable access under the "TACACS+ Enable Password" section. You must also define "Max Privilege for any AAA Client" under "Advanced TACACS+ Settings."
Authorization
Authorization comes after successful user authentication. There are two ways to perform authorization. The following sections explain how to perform the configuration and how to troubleshoot.
Configuration Steps
Two types of authorization can be configured on the switch. The first is TACACS+ Exec Authorization:
TACACS+ Exec Authorization
Just as with a router, the switch can send the authorization request for enable access before it lets the user in, so that the user does not need to enter the enable password to get to the enable mode (the user is taken directly to the enable mode). This applies to both console and Telnet sessions. Example 11-20 shows how to turn on exec authorization using the TACACS+ protocol.
Example 11-20. Turning on Exec Authorization
Switch (enable) set authorization exec enable tacacs+ none both
Switch (enable)
You must configure the shell/exec service for the user profile on the TACACS+ server.
This is especially useful when you want to bypass the enable password authentication either locally or via the AAA server. It is also useful if you want to prevent users who have no shell/exec service configured on the server, such as PPP users, from logging into the switch. Such users will get the following message:
Exec mode authorization failed.
In addition to permitting/denying exec mode for users, users can be forced into enable mode when entering by having privilege level 15 assigned on the server. It is important to note that this feature is available on version 5.5(3), 6.1(1), and above.
As stated previously, two types of authorization can be configured on the switch. The second is TACACS+ Command Authorization, which is discussed next.
TACACS+ Command Authorization
Command authorization is also possible on the switch, just as it is with routers. Example 11-21 shows the configuration required for command authorization using TACACS+. The none keyword means that, in the event that the TACACS+ server is down, authorization falls back to the none method. The both keyword signifies that command authorization is turned on for both console and Telnet sessions.
Example 11-21. Configuration Required for Command Authorization
Switch (enable) set authorization commands enable config tacacs none both
Switch (enable)
Once you turn on command authorization on the switch, you must configure the TACACS+ server for command authorization so that the commands users need are permitted, for example set port enable 2/8.
Troubleshooting Steps
Troubleshooting steps for authorization are the same as for authentication. If authorization fails, run the set trace tacacs 4 command to see the debug output on the switch. You also need to analyze the log of the AAA server. This section explains the problems you may encounter specifically with the authorization configured on the switch:
User Is Not Taken Directly to the Enable Mode
On the switch, the authorization exec command must be turned on. Also, you must ensure that the switch version you are running supports downloading the privilege level from the AAA server, so that you can be taken directly to the enable mode after authentication. (See Table 11-3 for the version information of the TACACS+ Exec Authorization feature.) On the CS ACS, you must have Exec turned on for the user/group profile with the privilege level set to greater than 1.
Command Authorization Is Not Working
First, be sure that authorization is turned on either for exec or for commands. Then check the configuration of the CS ACS to see whether the commands are properly configured. Run the trace command to identify the commands that are being sent to and parsed by the CS ACS server. Finally, match the command authorization syntax defined on the CS ACS server.
Accounting
Accounting can be turned on for authentication and for authorization. The section that follows has configuration and troubleshooting steps for accounting.
Configuration Steps
To turn on accounting on the switch with TACACS+ protocol, use the following options:
To collect exec level log (for instance, user getting switch prompt), execute set accounting exec enable start-stop tacacs+.
To collect the information about connection/disconnection information (for example, users' disconnection out of the switch), configure set accounting connect enable start-stop tacacs+.
To capture system-related messages (for instance, a reboot of the switch), turn on set accounting system enable start-stop tacacs+.
To capture which commands users are executing on the switch, issue the following command: set accounting commands enable all start-stop tacacs+.
To remind the server of a task (for example, to update records once every minute to make sure a user is still logged in), configure set accounting update periodic 1.
Troubleshooting Steps
Accounting problems mostly show up as certain attributes not being logged on the CS ACS server. For this, turn on trace to see what accounting information the switch is sending to the CS ACS server. Examining the log on the CS ACS server will reveal whether the problem lies there or not.
Identity-Based Network Services (IBNSs)
Turning on the dot1x protocol on a switch port enables both user authentication and machine authentication in a Microsoft Windows networking environment. You can skip machine authentication, but when using Microsoft AD this is not recommended, as it may break the GPO model for AD.
Here are some important points to note when turning on machine authentication:
The computer must be a member of the domain.
If using TLS, the computer must obtain a certificate, either through auto-enrollment (see the case study) or manually.
If using PEAP or TLS, be sure that the certificate of the certificate authority (CA) is in the local machine store; typically, it is added if the CA is up when the machine is added to the domain. If not, you can force the certificate to be in the local machine store via auto-enrollment (see the "Case Studies" section).
Click the check box for the Authenticate as Computer option.
There are two ways to turn on machine authentication:
Machine Authentication Using PEAP
Uses the computer account created at the time the machine is added to the domain. Hence, the computer must be a member of the domain. If doing mutual authentication, the computer must trust the signing CA of the RADIUS server's certificate.
Machine Authentication Using EAP-TLS
Authenticates the computer using certificates. The computer must have a valid certificate. If doing mutual authentication, the computer must trust the signing CA of the RADIUS server's certificate. The easiest way to implement machine authentication is by using MS-CA and Windows GPOs. This may require a DHCP lease renewal after authentication.
Machine authentication using EAP-TLS is not automatic and must be scripted or done manually.
Configuration Steps
You need to configure several devices for successful PEAP Machine Authentication.
Installation of Certificate
The following are the certificates required for Machine Authentication with PEAP:
On the supplicant, install a machine certificate from Active Directory (AD) (refer to the case study), and the CA Root Certificate as shown in the "Case Studies" section. The CA used is Microsoft Enterprise CA Server.
On the ACS, install ACS Server certificate, and the CA root certificate. The procedures are shown in the "Case Studies" section.
Configuration of Authenticator (Switch)
On the Authenticator (Switch) follow these steps for Hybrid mode (Cat OS):
Step 1. Define Global Commands as shown in Example 11-22.
Example 11-22. Global Commands Required to Turn on dot1x
Switch#
!RADIUS configuration
set radius server
set radius key
!Global 802.1x configuration
set dot1x system-auth-control enable
set dot1x quiet-period 10 (default: 30)
set dot1x tx-period 10 (default: 30)
set dot1x supp-timeout 5 (default: 30)
set dot1x server-timeout 5 (default: 30)
set dot1x max-req 4 (default: 2)
set dot1x re-authperiod
!Global 802.1x Guest VLAN (CatOS 7.6+)
set dot1x guest-vlan
Step 2. Define per-port commands on the switch as shown in Example 11-23.
Example 11-23. Per-Port command to Turn on dot1x
Switch#
!Port Level 802.1x configuration
set port dot1x
set port dot1x
set port dot1x
set port dot1x
!Port Level 802.1x Guest VLAN (CatOS 8.3+)
set port dot1x
The following configuration is needed on the Native IOS:
Step 3. The Global Commands needed are shown in Example 11-24.
Example 11-24. Global Configuration needed with Native IOS
Switch#
!RADIUS configuration
radius-server host
radius-server key
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization config-commands
!802.1x Global Commands
dot1x system-auth-control
dot1x max-req
dot1x timeout quiet-period
dot1x timeout tx-period
dot1x timeout re-authperiod
dot1x re-authentication
Step 4. The per-port commands needed with Native IOS are shown below.
Switch#
!IOS Per-port configuration
dot1x port-control auto
!IOS Per-port Guest VLAN
dot1x guest-vlan
Switch#
Configuration of Supplicant
The following steps are used to configure the supplicant:
Step 1. Open Network Connections.
Step 2. Right-click Local Area Connection and then click Properties.
Step 3. Click Authentication, and then check Enable IEEE 802.1x authentication for this network. For EAP type, select PEAP, check Authenticate as computer when Computer Information is Available.
Step 4. Click PEAP Properties. On the next window under When Connecting, select Validate Server Certificate. Under Trusted Root Certificate Authorities, check the Root CA you have installed on the client. Under Select Authentication Method, choose Secure Password (EAP-MSCHAP v2). Click on Configure and choose Automatically Use my Windows Logon name and password (and domain if any).
Configuration of ACS Server
The following are step-by-step procedures for ACS configuration for the PEAP Authentication:
Step 1. Install the ACS Server Certificate and the CA Server Certificate on the ACS Server (refer to the "Case Studies" section towards the end of this chapter).
Step 2. Log in to ACS, and then browse to Network Configuration. Click Add Entry.
Step 3. Enter a Network Device Group Name and click Submit.
Step 4. Click on the newly created Network Device Group and click on Add Entry.
Step 5. Fill in the switch name, IP address, and key (shared secret you've entered on switch). Also, under Authenticate Using, select RADIUS (Cisco Aironet) which includes RADIUS Internet Engineering Task Force (IETF) attributes.
Step 6. Click on the Submit+ Restart button.
Step 7. Click on External User Database > Database Configuration > Windows Database > Configure.
Step 8. In the "Windows User Database Configuration" page under the Configure Domain List, move Domains from Available Domains to Domain List.
Step 9. On the same page as in Step 8, under the Windows EAP Settings, check the box to indicate whether a password change inside PEAP is allowed. This setting does not apply to PEAP-GTC. Note that you should not change the machine authentication name prefix; currently Microsoft uses host/ to distinguish between user and machine authentication.
Step 10. Click Submit.
Step 11. Click on External User Database > Unknown User Policy. Select the Check the following external user databases option and move Windows Database to the right under Selected Databases.
Step 12. Click Submit.
Step 13. Select Group Setup > Default Group and click on Edit Settings.
Step 14. Scroll down to Radius IETF Attributes and check Attribute 27 (Session Timeout). Set it to 60 seconds.
Step 15. Click on Submit and then Restart.
Step 16. Go to System Configuration> Global Authentication Setup.
Step 17. Select which EAP authentication will be enabled. (for example, PEAP-MS-CHAPv2 is selected.)
Step 18. Click Submit and then Restart.
Authorization
A dynamic VLAN can be assigned to the port after successful user authentication. This is accomplished with IETF RADIUS AV pairs. If the switch is running Native IOS, configure authorization with aaa authorization network default group radius so that the dynamic VLAN downloaded from CS ACS is applied. If you are running Cat OS, you do not have to turn on authorization; authentication is sufficient. Following is the list of AV pairs used in user or group profiles on CS ACS to assign a dynamic VLAN to the port where the supplicant is connected:
[64] Tunnel-Type "VLAN" (13)
[65] Tunnel-Medium-Type "802" (6)
[81] Tunnel-Private-Group-ID
On CS ACS, if you do not see these attributes under user or group profile, then browse to Interface Configuration > RADIUS (IETF) and select the attributes in the previous list for a user or group or for both. Then go under the user or group setup and define the attributes as listed previously. For attribute [81] Tunnel-Private-Group-ID
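To show what the switch actually receives for the three AV pairs listed above, here is an added Python example, not from the chapter and not CS ACS or switch code, that encodes and decodes the tagged tunnel attributes as laid out in RFC 2868; this is the wire form behind the [T1] 13 and [T1] 2 notation that the ACS log in Example 11-26 prints. The decoder only returns a VLAN when all three attributes share the same tag and carry the expected Tunnel-Type (VLAN, 13) and Tunnel-Medium-Type (802, 6) values, so a response with a missing or mismatched attribute yields no assignment. The attribute blob is constructed in the example, and all function and constant names are the example's own.

```python
# RFC 2865/2868 attribute numbers used for dynamic VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13    # shown by ACS as "[064] Tunnel-Type value: [T1] 13"
TUNNEL_MEDIUM_802 = 6    # IEEE 802 medium


def encode_tagged_int(attr_type, tag, value):
    """Tagged integer attribute: Type, Length, Tag (1 byte), Value (3 bytes).

    RFC 2868 requires the tag to be 0x00 (unused) or 0x01..0x1F."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag out of range")
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(body)]) + body


def encode_tagged_string(attr_type, tag, value):
    """Tagged string attribute: Type, Length, Tag (1 byte), String."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag out of range")
    body = bytes([tag]) + value.encode("ascii")
    return bytes([attr_type, 2 + len(body)]) + body


def vlan_assignment_avps(vlan, tag=1):
    """The three AV pairs CS ACS sends in an Access-Accept for a dynamic VLAN."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))


def parse_avps(data):
    """Split a RADIUS attribute blob into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def extract_vlan(data):
    """Return the VLAN (as the Tunnel-Private-Group-ID string) the switch should
    apply, or None if the three attributes are absent or inconsistent."""
    tagged = {}
    for attr_type, value in parse_avps(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                continue
            tag, num = value[0], int.from_bytes(value[1:], "big")
            tagged.setdefault(tag, {})[attr_type] = num
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte above 0x1F is not a tag but part of the string
            if value and value[0] <= 0x1F:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value
            tagged.setdefault(tag, {})[attr_type] = text.decode("ascii", "replace")
    for tag, attrs in sorted(tagged.items()):
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            return attrs[TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    blob = vlan_assignment_avps(2)          # constructed Access-Accept attributes
    print(blob.hex(), "->", extract_vlan(blob))
```

The sorted-by-tag loop mirrors how a switch pairs attributes: the tag is what ties Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID together when a server sends more than one set, so a group ID tagged differently from its Tunnel-Type is ignored rather than applied.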
Troubleshooting Steps
The following troubleshooting steps may help you in isolating problems with a dot1x implementation on the switch.
On the Windows Client
To get the debug level logging, follow these steps on the Windows client:
Step 1. Choose Start > Run, and then type cmd in the text box, which will cause a DOS prompt to display.
Step 2. Enter netsh ras set tracing * enabled to turn on debugging.
Step 3. Run the Authentication test.
Step 4. Analyze the debug messages on the client.
The debug information on the client will go into different directories depending on whether you are using Windows XP or Windows 2000. For Windows XP, the debug information will go into
Step 5. Table 11-4 shows files and what goes into those files.
Table 11-4. Files in the Tracing Directory and Information That Goes into Those Files

File Name         Description
RASTLS.LOG        MS-PEAP phase 1 (TLS)
CISCOEAPPEAP.LOG  Cisco-PEAP phase 1 (TLS)
RASCHAP.LOG       MS-PEAP phase 2 (MS-CHAP)
EAPOL.LOG         Whole EAP communication
Step 6. After you finish with the test, be sure to turn off tracing by using this command: netsh ras set tracing * disable.
Step 7. Analyze the client logs to be sure that the EAP packet is sending the proper credentials to the switch.
Step 8. If an error condition is reported, go through the client settings to ensure that all the authentication types and parameters are set up correctly.
Step 9. Once the client log indicates that everything is set up correctly, and EAP packets are forwarding the information to the Authenticator, the next step is to look at the Authenticator debug.
For more details on how to analyze the client log, refer to: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wifitrbl.mspx
On the Authenticator (Switch) Side
On the switch you can run debug commands to see the EAPOL packet exchange between the client and the switch. The debug command to capture the information on the Catalyst OS is set tracing dot1x <0-15>. Note that 15 is a full debug, including packet dump. Be sure to turn it off once you are finished.
In Native IOS, the command to turn on debugging is debug dot1x.
Example 11-25 shows a successful authenticated debug output on the switch.
Example 11-25. Successful debug Output Session When PEAP or EAP-TLS Is Used
2005 Mar 29 00:52:13 %PAGP-5-PORTTOSTP:Port 2/2 joined bridge port 2/2
! Authentication is starting here..
2005 Mar 29 00:53:05 %SECURITY-7-DOT1X_AUTHENTICATOR_STATE:DOT1X: authenticator state for port 2/2 is AUTHENTICATING
2005 Mar 29 00:53:05 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is RESPONSE
2005 Mar 29 00:53:06 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is REQUEST
2005 Mar 29 00:53:08 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is RESPONSE
2005 Mar 29 00:53:08 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is REQUEST
2005 Mar 29 00:53:09 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is RESPONSE
2005 Mar 29 00:53:09 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is REQUEST
2005 Mar 29 00:53:09 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is RESPONSE
2005 Mar 29 00:53:10 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is REQUEST
2005 Mar 29 00:53:10 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is RESPONSE
2005 Mar 29 00:53:11 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is REQUEST
2005 Mar 29 00:53:11 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is RESPONSE
2005 Mar 29 00:53:12 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is REQUEST
2005 Mar 29 00:53:12 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is RESPONSE
2005 Mar 29 00:53:13 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is SUCCESS
2005 Mar 29 00:53:13 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is FINISHED
2005 Mar 29 00:53:13 %SECURITY-5-DOT1X_AUTHENTICATION_SUCCESS:Authentication successful for port 2/2
!Port is successfully authorized here, which means actual traffic from the supplicant may
!flow now
2005 Mar 29 00:53:14 %SECURITY-5-DOT1X_PORT_AUTHORIZED:DOT1X: port 2/2 authorized
2005 Mar 29 00:53:14 %SECURITY-7-DOT1X_AUTHENTICATOR_STATE:DOT1X: authenticator state for port 2/2 is AUTHENTICATED
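The state sequence in Example 11-25 can be checked mechanically rather than by scanning the REQUEST/RESPONSE pairs by eye. The following Python script is an added example, not from the chapter and not a CatOS or IOS feature. It parses constructed syslog lines modelled on Example 11-25 (some EAP rounds trimmed) plus a second, hypothetical session constructed for illustration in which the backend never reports SUCCESS or FAIL, and reports for a given port whether it was authorized, how many EAP rounds the backend relayed, the last states seen, and where to look next. The sample text and all names are the example's own.

```python
import re

# Constructed sample modelled on the CatOS %SECURITY messages in Example 11-25
# (several EAP rounds trimmed); not captured from a real switch.
DOT1X_SUCCESS = """\
2005 Mar 29 00:53:05 %SECURITY-7-DOT1X_AUTHENTICATOR_STATE:DOT1X: authenticator state for port 2/2 is AUTHENTICATING
2005 Mar 29 00:53:05 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is RESPONSE
2005 Mar 29 00:53:06 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is REQUEST
2005 Mar 29 00:53:08 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is RESPONSE
2005 Mar 29 00:53:13 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is SUCCESS
2005 Mar 29 00:53:13 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is FINISHED
2005 Mar 29 00:53:13 %SECURITY-5-DOT1X_AUTHENTICATION_SUCCESS:Authentication successful for port 2/2
2005 Mar 29 00:53:14 %SECURITY-5-DOT1X_PORT_AUTHORIZED:DOT1X: port 2/2 authorized
2005 Mar 29 00:53:14 %SECURITY-7-DOT1X_AUTHENTICATOR_STATE:DOT1X: authenticator state for port 2/2 is AUTHENTICATED
"""

# Hypothetical, constructed session on another port: the switch keeps relaying
# supplicant responses to the server but no request, SUCCESS or FAIL ever comes back.
DOT1X_STALLED = """\
2005 Mar 29 01:10:00 %SECURITY-7-DOT1X_AUTHENTICATOR_STATE:DOT1X: authenticator state for port 2/3 is AUTHENTICATING
2005 Mar 29 01:10:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/3 is RESPONSE
2005 Mar 29 01:10:05 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/3 is RESPONSE
2005 Mar 29 01:10:10 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/3 is RESPONSE
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d) %SECURITY-\d-(?P<mnemonic>\w+):(?P<msg>.*)$")
STATE_RE = re.compile(r"state for port (?P<port>\S+) is (?P<state>\w+)")
PORT_RE = re.compile(r"port (?P<port>\S+)")


def parse_dot1x(log):
    """Turn the syslog lines into (timestamp, port, event, state) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mnemonic, msg = m.group("mnemonic"), m.group("msg")
        if mnemonic in ("DOT1X_AUTHENTICATOR_STATE", "DOT1X_BACKEND_STATE"):
            s = STATE_RE.search(msg)
            if s:
                kind = "authenticator" if mnemonic == "DOT1X_AUTHENTICATOR_STATE" else "backend"
                events.append((m.group("ts"), s.group("port"), kind, s.group("state")))
        elif mnemonic in ("DOT1X_AUTHENTICATION_SUCCESS", "DOT1X_PORT_AUTHORIZED"):
            p = PORT_RE.search(msg)
            if p:
                events.append((m.group("ts"), p.group("port"), mnemonic.lower(), ""))
    return events


def port_outcome(log, port):
    """Summarise what happened on one port and say where to look next."""
    ev = [e for e in parse_dot1x(log) if e[1] == port]
    backend = [e[3] for e in ev if e[2] == "backend"]
    auth = [e[3] for e in ev if e[2] == "authenticator"]
    out = {
        "port": port,
        "authorized": any(e[2] == "dot1x_port_authorized" for e in ev),
        "eap_requests": backend.count("REQUEST"),    # server-to-supplicant rounds relayed
        "eap_responses": backend.count("RESPONSE"),  # supplicant-to-server rounds relayed
        "last_backend": backend[-1] if backend else None,
        "last_authenticator": auth[-1] if auth else None,
    }
    if out["authorized"]:
        out["verdict"] = "ok: port authorized"
    elif not ev:
        out["verdict"] = "no dot1x activity seen for this port"
    elif out["last_backend"] == "RESPONSE" and out["eap_requests"] == 0:
        # Responses went out but nothing came back: check the RADIUS server
        # definition and key on the switch, then the server's failed-attempts log.
        out["verdict"] = "stalled: no reply from authentication server (check RADIUS server and key)"
    elif out["last_backend"] in ("REQUEST", "RESPONSE"):
        out["verdict"] = "stalled mid-exchange: check supplicant timeouts and the server-side log"
    else:
        out["verdict"] = "not authorized (last backend state %s)" % out["last_backend"]
    return out


if __name__ == "__main__":
    for log, port in ((DOT1X_SUCCESS, "2/2"), (DOT1X_STALLED, "2/3")):
        print(port_outcome(log, port))
```

Counting the relayed REQUEST and RESPONSE states also gives a quick sense of which EAP phase a failing session reached: a PEAP exchange that stops after one or two rounds has usually not got past the TLS handshake, which points at the certificate checks described earlier in this section.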
On the Authentication Server Side
The AAA server, for instance Cisco Secure ACS on Windows, has an extensive logging facility, which allows you to analyze the failure by the server or an external user database. For more details about server-side troubleshooting, refer to Chapter 13, "Troubleshooting Cisco Secure ACS on Windows," in particular the section on "CS ACS with Active Directory Integration." In summary, you need to go under Reports and Activity and then to Failed Attempt. For a more detailed analysis of the log, analyze the auth.log file, which is explained in detail in Chapter 13. Example 11-26 shows the RDS.log file logging output.
Example 11-26. RDS.log for Successful Authentication When PEAP/EAP-TLS Is Used
! Following shows the packets and RADIUS attributes received from the Switch
Request from host 10.1.1.1:1812 code=1, id=245, length=99 on port 2341
[001] User-Name value: eaptls@acs.cisco
[004] NAS-IP-Address value: 10.1.1.1
[012] Framed-MTU value: 1000
[079] EAP-Message value: .....eaptls@acs.cisco
[080] Message-Authenticator
value: 6A 0A E3 64 4C D3 19 F2 AB 66 BB 0E 78 B5 CD 1A
ExtensionPoint: Initiating scan of configured extension points...
ExtensionPoint: Supplier [Cisco Aironet] not associated with vendor [RADIUS (IETF)], skipping...
ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Generic EAP]
ExtensionPoint: [GenericEAP.dll->AuthenticationExtension] returned [11 - challenge]
! EXTRA STUFF REMOVED
Request from host 10.1.1.1:1812 code=1, id=251, length=112 on port 2341
[001] User-Name value: eaptls@acs.cisco
[004] NAS-IP-Address value: 10.1.1.1
[012] Framed-MTU value: 1000
[024] State value: CISCO-EAP-CHALLENGE=0.202.77.6
[079] EAP-Message value: .\Q....
[080] Message-Authenticator
value: 78 7F 6F 6E E2 65 D7 47 87 78 34 C0 3D FB 52 1A
ExtensionPoint: Initiating scan of configured extension points...
ExtensionPoint: Supplier [Cisco Aironet] not associated with vendor [RADIUS (IETF)], skipping...
ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Generic EAP]
ExtensionPoint: [GenericEAP.dll->AuthenticationExtension] returned [4 - accept_continue]
ExtensionPoint: Start of Attribute Set
[079] EAP-Message value: .a..
[026] Vendor-Specific vsa id: 311
[016] MS-MPPE-Send-Key
value: ).5.__~._Lá_2ûQ.à.._.>¢m_Æ_ä_#"....å.T_,__M_...¿_.
[026] Vendor-Specific vsa id: 311
[017] MS-MPPE-Recv-Key
value: #Hï$N=XÄ._..u_ì.Uá_8.Éí ...ñ_..._..__>__xë
ExtensionPoint: End of Attribute Set
AuthorExtensionPoint: Initiating scan of configured extension points...
AuthorExtensionPoint: Supplier [Cisco Aironet] not associated with vendor [RADIUS (IETF)], skipping...
AuthorExtensionPoint: Supplier [Cisco Downloadable ACLs] not associated with vendor [RADIUS (IETF)], skipping...
! The following lines are the RADIUS response packet with AV pair after successful
! authentication
Sending response code 2, id 251 to 10.1.1.1 on port 2341
[064] Tunnel-Type value: [T1] 13
[081] Tunnel-Private-Group-ID value: [T1] 2
[008] Framed-IP-Address value: 255.255.255.255
[079] EAP-Message value: .a..
[026] Vendor-Specific vsa id: 311
[016] MS-MPPE-Send-key
value: ).5.__~._Lá_2ûQ.à.._.>¢m_Æ_ä_#"....å.T_,__M_...¿_.
[026] Vendor-Specific vsa id: 311
[017] MS-MPPE-Recv-Key
value: #Hï$N=XÄ._..u_ì.Uá_8.Éí ...ñ_..._..___(_>__xë