Diagnostic Commands and Tools

It is important to become familiar with the diagnostic commands on the switch and to use them when troubleshooting the AAA implementation. The following sections describe how to use the show and debug commands for switch management and for port authentication.

Switch Management
If the switch runs Native IOS and is configured for AAA, the show and debug commands are the same as those used for the IOS router in Chapter 9, "Troubleshooting AAA on IOS Routers," so they are not repeated here. On a hybrid-mode switch, where the Supervisor runs CatOS, show commands are used primarily to verify the configuration. Example 11-1 shows the output of show authentication with local login and enable password authentication turned on. The table lists every method (tacacs, radius, kerberos, local) for each session type, so you can see at a glance which method is primary for console, Telnet and HTTP access and which, if any, would be used as a fallback.

Example 11-1. show authentication Command Output
CAT6509-Hybrid> (enable) show authentication

Login Authentication:     Console Session   Telnet Session    Http Session
---------------------     ----------------  ----------------  ----------------
tacacs                    disabled          disabled          disabled
radius                    disabled          disabled          disabled
kerberos                  disabled          disabled          disabled
!The following line shows that local authentication is turned on for all types of access
!for login authentication
local                     enabled(primary)  enabled(primary)  enabled(primary)
attempt limit             3                 3                 -
lockout timeout (sec)     disabled          disabled          -

Enable Authentication:    Console Session   Telnet Session    Http Session
----------------------    ----------------  ----------------  ----------------
tacacs                    disabled          disabled          disabled
radius                    disabled          disabled          disabled
kerberos                  disabled          disabled          disabled
!The following line shows that enable authentication uses the local method
!for all session types
local                     enabled(primary)  enabled(primary)  enabled(primary)
attempt limit             3                 3                 -
lockout timeout (sec)     disabled          disabled          -
CAT6509-Hybrid> (enable)





The show localusers command verifies that local user accounts exist and shows each account's privilege level, as Example 11-2 illustrates. The first line of its output, Local User Authentication, is a separate setting: until it is turned on with set localuser authentication enable, the accounts are defined but are not consulted, and the local method continues to authenticate against the switch login and enable passwords. Also note that set localuser takes the password in cleartext on the command line, so it appears in the terminal history and in any session log.


Example 11-2. show localusers Command Output
CAT6509-Hybrid> (enable) set localuser user cisco password cisco123 privilege 15
Added local user cisco.
CAT6509-Hybrid> (enable) show localusers
Local User Authentication: disabled
Username        Privilege Level
---------       ---------------
cisco           15
CAT6509-Hybrid> (enable)





To verify the Terminal Access Controller Access Control System Plus (TACACS+) configuration, execute the show tacacs command shown in Example 11-3. Read the whole output, not only the server list: in this example three servers are defined (10.1.1.2 is the primary and is tried first), but the Tacacs key field is blank and the tacacs method is disabled for both console and Telnet login and enable authentication, so the switch is still authenticating purely against the local method. The key must be set and must match the key configured for this switch on the server before TACACS+ authentication can succeed.

Example 11-3. show tacacs Command Output
CAT6509-Hybrid> (enable) show tacacs
Login Authentication:     Console Session   Telnet Session
---------------------     ----------------  ----------------
tacacs                    disabled          disabled
radius                    disabled          disabled
local                     enabled(primary)  enabled(primary)

Enable Authentication:    Console Session   Telnet Session
----------------------    ----------------  ----------------
tacacs                    disabled          disabled
radius                    disabled          disabled
local                     enabled(primary)  enabled(primary)
Tacacs key:
Tacacs login attempts:    3
Tacacs timeout:           5 seconds
Tacacs direct request:    disabled
Tacacs-Server                            Status
---------------------------------------- -------
10.1.1.1
10.1.1.2                                 primary
10.1.1.3
CAT6509-Hybrid> (enable)





Just like show tacacs, show radius displays the RADIUS configuration. Example 11-4 shows the output for a single RADIUS server. The Auth-port column confirms which UDP port the switch uses for authentication (1812 here; some older servers still expect 1645), and a Radius Deadtime of 0 minutes means an unresponsive server is never marked dead, so every attempt waits the full Radius Timeout for each retransmit before the switch gives up on it.

Example 11-4. show radius Command Output
CAT6509-Hybrid> (enable) show radius
Login Authentication:     Console Session   Telnet Session
---------------------     ----------------  ----------------
tacacs                    disabled          disabled
radius                    disabled          disabled
local                     enabled(primary)  enabled(primary)
Enable Authentication:    Console Session   Telnet Session
----------------------    ----------------  ----------------
tacacs                    disabled          disabled
radius                    disabled          disabled
local                     enabled(primary)  enabled(primary)

Radius Deadtime:          0 minutes
Radius Key:
Radius Retransmit:        2
Radius Timeout:           5 seconds

Radius-Server                 Status  Auth-port
----------------------------- ------- ------------
20.1.1.1                      primary 1812
CAT6509-Hybrid> (enable)





show authorization verifies the TACACS+ authorization configuration, as Example 11-5 illustrates. For each session type it lists the primary method and the fallback for exec, enable and command authorization. In this example the fallback is deny for both Telnet and console, so if no TACACS+ server can be reached, exec and enable authorization fail and even console access is denied; if that is not what you want for recovery access, set the console fallback deliberately. Note also that command authorization is configured for config commands only (all shows -), so other privileged commands are not checked against the server.

Example 11-5. show authorization Command Output
CAT6509-Hybrid> (enable) show authorization
Telnet:
-------
                 Primary   Fallback
                 -------   --------
exec:            tacacs+   deny
enable:          tacacs+   deny
commands:
  config:        tacacs+   deny
  all:           -         -

Console:
--------
                 Primary   Fallback
                 -------   --------
exec:            tacacs+   deny
enable:          tacacs+   deny
commands:
  config:        tacacs+   deny
  all:           -         -
CAT6509-Hybrid> (enable)
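Reading these CatOS tables by eye is error-prone when you have many switches to check, and the conditions worth catching in Examples 11-3 and 11-5 (servers defined but the method disabled, a blank shared key, a deny fallback that locks out the console, command authorization that covers only configuration commands) are all mechanical. The following Python script is an added example, not code from the book; it parses constructed output modelled on the show tacacs and show authorization examples (not captured from a live switch), assumes the field layout shown on this page, and the finding codes are my own names:

```python
import re
# Constructed sample output modelled on the show tacacs and show authorization
# examples in this section (not captured from a live switch).
SHOW_TACACS = """\
Login Authentication: Console Session Telnet Session
--------------------- ---------------- ----------------
tacacs disabled disabled
local enabled(primary) enabled(primary)
Tacacs key:
Tacacs timeout: 5 seconds
Tacacs-Server Status
---------------------------------------- -------
10.1.1.1
10.1.1.2 primary
10.1.1.3
"""

SHOW_AUTHORIZATION = """\
Console:
--------
Primary Fallback
------- --------
exec: tacacs+ deny
enable: tacacs+ deny
commands:
config: tacacs+ deny
all: - -
"""

METHODS = ("tacacs", "radius", "kerberos", "local")

def parse_method_table(text, heading):
    """{method: [state per session column]} for the table under `heading`."""
    lines = text.splitlines()
    start = next((i for i, ln in enumerate(lines) if ln.startswith(heading)), None)
    table = {}
    for line in lines[start + 1:] if start is not None else []:
        parts = line.split()
        if not parts or (table and parts[0] not in METHODS):   # table has ended
            break
        if parts[0] in METHODS:
            table[parts[0]] = parts[1:]
    return table

def parse_setting(text, label):
    """Value after 'label:' (e.g. 'Tacacs key'), or '' when blank or absent."""
    m = re.search(r"^" + re.escape(label) + r":[ \t]*(.*)$", text, re.M)
    return m.group(1).strip() if m else ""

def parse_servers(text, header):
    """[(ip, is_primary)] from the server table whose heading starts with `header`."""
    lines = text.splitlines()
    start = next((i for i, ln in enumerate(lines) if ln.startswith(header)), None)
    servers = []
    for line in lines[start + 2:] if start is not None else []:   # skip heading + rule
        parts = line.split()
        if not parts or not re.fullmatch(r"\d+\.\d+\.\d+\.\d+", parts[0]):
            break
        servers.append((parts[0], "primary" in parts[1:]))
    return servers

def audit_tacacs(text):
    """(code, explanation) findings for a show tacacs capture."""
    findings = []
    servers = parse_servers(text, "Tacacs-Server")
    if servers and not parse_setting(text, "Tacacs key"):
        findings.append(("no-key", "servers defined but shared key blank: it cannot match the server's key"))
    states = parse_method_table(text, "Login Authentication:").get("tacacs", [])
    if servers and states and all(s == "disabled" for s in states):
        findings.append(("tacacs-disabled", "servers defined but the tacacs login method is disabled everywhere"))
    return findings

def parse_authorization(text):
    """{session: {event: (primary, fallback)}} from show authorization."""
    result, session = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.endswith(":") and " " not in line:   # 'Console:', 'Telnet:', 'commands:'
            if line != "commands:":
                session = line[:-1]
                result[session] = {}
            continue
        m = re.fullmatch(r"(\w+):\s+(\S+)\s+(\S+)", line)
        if m and session:
            result[session][m.group(1)] = (m.group(2), m.group(3))
    return result

def audit_authorization(text):
    """Flag fallback deny (lockout when no server answers) and config-only command authorization."""
    findings = []
    for session, ev in parse_authorization(text).items():
        for event in ("exec", "enable", "config"):
            primary, fallback = ev.get(event, ("-", "-"))
            if primary != "-" and fallback == "deny":
                findings.append(("fallback-deny", f"{session} {event}: denied whenever no TACACS+ server answers"))
        if ev.get("config", ("-", "-"))[0] != "-" and ev.get("all", ("-", "-"))[0] == "-":
            findings.append(("config-only-cmd-authz", f"{session}: only configuration commands are authorized"))
    return findings
```

Run `audit_tacacs(SHOW_TACACS)` and `audit_authorization(SHOW_AUTHORIZATION)` against the sample and the three conditions discussed above come back as findings; feed it real captures (one string per command) to audit a fleet. The parser deliberately keys on the method names and the dashed rule rather than on column positions, because the whitespace in captured output varies with terminal width.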





show accounting verifies the accounting configuration and, below it, shows the accounting records the switch has generated, as Example 11-6 illustrates. Here exec, connect, system and all command events are sent to TACACS+ in stop-only mode, so a record is generated only when a session or command ends and nothing is sent at start. Command accounting is configured under all rather than config, so every command, not only configuration commands, produces a record. The counters under Overall Accounting Traffic (one system start, no stops yet) are the quickest way to tell whether records are being generated at all; if they stay at zero while administrators log in and out, accounting is not being applied to those events.

Example 11-6. show accounting Command Output
CAT6509-Hybrid> (enable) show accounting
Event            Method    Mode
-----            -------   ----
exec:            tacacs+   stop-only
connect:         tacacs+   stop-only
system:          tacacs+   stop-only
commands:
  config:        -         -
  all:           tacacs+   stop-only
TACACS+ Suppress for no username: enabled
Update Frequency: periodic, Interval = 120

Accounting information:
-----------------------
Active Accounted actions on tty0, User (null) Priv 0
Active Accounted actions on tty288091924, User (null) Priv 0
Overall Accounting Traffic:
          Starts   Stops   Active
          ------   -----   ------
Exec      0        0       0
Connect   0        0       0
Command   0        0       0
System    1        0       0
CAT6509-Hybrid> (enable)





As shown so far, the show commands are used primarily to verify the configuration. The set trace command on the CatOS switch is the counterpart of the router's debug commands and is very useful in troubleshooting AAA-related issues. Before enabling tracing on the Catalyst, however, look at the AAA server logs (failed attempts, unknown client address, key mismatch) for the reason for the failure; that is easier and far less disruptive than debugging on a production switch. Level 4 turns on full tracing for the chosen protocol, and the output can be heavy on a busy switch, so capture it to a session log and return to level 0 as soon as you have what you need. The general form of the command on the switch is:

set trace {tacacs | radius | kerberos} 4



To turn off debugging, you need to execute the following command:

set trace {tacacs | radius | kerberos} 0



Identity-Based Networking Services (IBNS)
The show commands in the preceding section should be used together with the 802.1x-specific show commands in this section to troubleshoot port authentication issues. On Native IOS, to display 802.1x status and statistics, use the following command:

show dot1x [all] | [interface interface-id] | [statistics [interface interface-id]]
[ | {begin | exclude | include} expression]



To display the 802.1x administrative and operational status for the switch, use the show dot1x all privileged EXEC command (see Example 11-7). To display the status for a specific interface, use the show dot1x interface interface-id privileged EXEC command (see Example 11-8). Plain show dot1x, also in Example 11-7, reveals whether 802.1x is globally enabled (Sysauthcontrol); when it is Disabled, the per-port dot1x configuration is not enforced and every port forwards as if authentication had succeeded, which is the first thing to check when "unauthenticated" hosts still get access.


Example 11-7. show dot1x all Command Output
Switch# show dot1x
! Shows that authentication control is enabled.
Sysauthcontrol = Enabled
Dot1x Protocol Version = 1
Dot1x Oper Controlled Directions = Both
Dot1x Admin Controlled Directions = Both

Switch# show dot1x all
Dot1x Info for interface FastEthernet0/3
----------------------------------------------------
Supplicant MAC 00d0.b71b.35de
AuthSM State = CONNECTING
BendSM State = IDLE
! Following line indicates that Supplicant is not authenticated yet
PortStatus = UNAUTHORIZED
MaxReq = 2
HostMode = Single
Port Control = Auto
QuietPeriod = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod = 3600 Seconds
ServerTimeout = 30 Seconds
SuppTimeout = 30 Seconds
TxPeriod = 30 Seconds
Guest-Vlan = 0
Dot1x Info for interface FastEthernet0/7
----------------------------------------------------
!Following line indicates that Supplicant is not authenticated yet
PortStatus = UNAUTHORIZED
MaxReq = 2
!The following line indicates that the port is configured for multihost mode, so it is not
!locked to a single MAC after a successful authentication: once one supplicant authenticates,
!every MAC seen on the port is allowed. This is one way to cope with a hub where several
!hosts share the port, at the cost of admitting unauthenticated hosts alongside the one
!that authenticated.
HostMode = Multi
Port Control = Auto
QuietPeriod = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod = 3600 Seconds
ServerTimeout = 30 Seconds
SuppTimeout = 30 Seconds
TxPeriod = 30 Seconds
Guest-Vlan = 0
Switch#





Example 11-8. show dot1x interface fastethernet0/3 Command Output
Switch# show dot1x interface fastethernet 0/3
Supplicant MAC 00d0.b71b.35de
AuthSM State = AUTHENTICATED
BendSM State = IDLE
!This indicates that the authentication is successful
PortStatus = AUTHORIZED
MaxReq = 2
!The host mode is Single, which means only the authenticated MAC address is allowed on this
!port. Frames from any other MAC address (another machine behind a hub, or an IP phone) are
!treated as a security violation.
HostMode = Single
Port Control = Auto
!Following are various times relating to dot1x operations
QuietPeriod = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod = 3600 Seconds
ServerTimeout = 30 Seconds
SuppTimeout = 30 Seconds
TxPeriod = 30 Seconds
Guest-Vlan = 0
Switch#





To display 802.1x statistics for all interfaces, you can use the show dot1x all statistics privileged EXEC command. To display 802.1x statistics for a specific interface, use the show dot1x statistics interface interface-id privileged EXEC command, as Example 11-9 shows.

Example 11-9. show dot1x statistics interface fastethernet 0/3 Command Output
Switch# show dot1x statistics interface fastethernet 0/3
PortStatistics Parameters for Dot1x
--------------------------------------------
TxReqId = 15 TxReq = 0 TxTotal = 15
RxStart = 4 RxLogoff = 0 RxRespId = 1 RxResp = 1
RxInvalid = 0 RxLenErr = 0 RxTotal= 6
RxVersion = 1 LastRxSrcMac 00d0.b71b.35de
Switch#
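The per-port status in Example 11-7 and the EAPOL counters in Example 11-9 are most useful read together: the combination of PortStatus with which counters are moving tells you at which stage the exchange stops. The following Python script is an added example, not code from the book; it parses constructed output modelled on the show dot1x all and show dot1x statistics examples (not captured from a live switch), assumes the field layout shown on this page, and the triage codes and thresholds are my own heuristics, not an IOS feature:

```python
import re

# Constructed sample output modelled on the show dot1x all and show dot1x
# statistics examples in this section (not captured from a live switch).
SHOW_DOT1X_ALL = """\
Dot1x Info for interface FastEthernet0/3
----------------------------------------------------
Supplicant MAC 00d0.b71b.35de
AuthSM State = CONNECTING
BendSM State = IDLE
PortStatus = UNAUTHORIZED
HostMode = Single
Port Control = Auto
Re-authentication = Disabled
Guest-Vlan = 0
Dot1x Info for interface FastEthernet0/7
----------------------------------------------------
PortStatus = UNAUTHORIZED
HostMode = Multi
Port Control = Auto
Re-authentication = Disabled
Guest-Vlan = 0
"""

# show dot1x statistics interface <x> output per interface (constructed).
STATS = {
    "FastEthernet0/3": """\
TxReqId = 15 TxReq = 0 TxTotal = 15
RxStart = 4 RxLogoff = 0 RxRespId = 1 RxResp = 1
RxInvalid = 0 RxLenErr = 0 RxTotal= 6
RxVersion = 1 LastRxSrcMac 00d0.b71b.35de
""",
    "FastEthernet0/7": """\
TxReqId = 12 TxReq = 0 TxTotal = 12
RxStart = 0 RxLogoff = 0 RxRespId = 0 RxResp = 0
RxInvalid = 0 RxLenErr = 0 RxTotal= 0
RxVersion = 0 LastRxSrcMac 0000.0000.0000
""",
}

def parse_dot1x_all(text):
    """{interface: {field: value}} from show dot1x all output."""
    ports, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Dot1x Info for interface (\S+)", line)
        if m:
            cur = ports.setdefault(m.group(1), {})
        elif cur is not None and " = " in line:
            key, _, value = line.partition(" = ")
            cur[key.strip()] = value.strip()
        elif cur is not None and line.startswith("Supplicant MAC"):
            cur["Supplicant MAC"] = line.split()[-1]
    return ports

def parse_dot1x_stats(text):
    """{counter: int} plus 'LastRxSrcMac' from show dot1x statistics output."""
    stats = {k: int(v) for k, v in re.findall(r"(\w+)\s*=\s*(\d+)", text)}
    m = re.search(r"LastRxSrcMac\s+(\S+)", text)
    if m:
        stats["LastRxSrcMac"] = m.group(1)
    return stats

def triage(info, stats):
    """(code, explanation) for one port, from its status and EAPOL counters."""
    if info.get("PortStatus") == "AUTHORIZED":
        return "ok", "supplicant authenticated"
    if stats.get("TxReqId", 0) > 0 and stats.get("RxRespId", 0) == 0:
        return "no-supplicant", "Request/Identity sent, no Response/Identity: host has no 802.1x supplicant or is silent"
    if stats.get("RxRespId", 0) > 0 and stats.get("RxResp", 0) == 0:
        return "stalled-after-identity", "identity received, then nothing: EAP method mismatch or supplicant timeout"
    if stats.get("RxRespId", 0) > 0:
        return "server-side", "EAP exchange ran but port stayed UNAUTHORIZED: check the AAA server log for reject/timeout"
    return "idle", "no EAPOL traffic either way: check link state and that port-control is auto"

def config_warnings(info, stats):
    """Settings and observations worth flagging on an 802.1x port."""
    warn = []
    if info.get("HostMode") == "Multi":
        warn.append("multi-host: every MAC on the port is admitted once one supplicant authenticates")
    if info.get("Re-authentication") == "Disabled":
        warn.append("re-authentication disabled: an authorized port stays open until link down or EAPOL-Logoff")
    if info.get("Guest-Vlan", "0") != "0":
        warn.append(f"guest VLAN {info['Guest-Vlan']}: hosts without a supplicant are admitted there")
    mac = info.get("Supplicant MAC")
    if mac and stats.get("LastRxSrcMac", mac) != mac:
        warn.append("last EAPOL frame came from a different MAC than the supplicant: another device is on the port")
    return warn

def report(dot1x_all, stats_by_port):
    """{interface: (code, explanation, [warnings])} for every port in show dot1x all."""
    out = {}
    for iface, info in parse_dot1x_all(dot1x_all).items():
        stats = parse_dot1x_stats(stats_by_port.get(iface, ""))
        code, why = triage(info, stats)
        out[iface] = (code, why, config_warnings(info, stats))
    return out
```

Calling `report(SHOW_DOT1X_ALL, STATS)` classifies FastEthernet0/7 as no-supplicant (identity requests go out, nothing comes back) and FastEthernet0/3 as a server-side failure (the supplicant answered both the identity request and at least one method request, yet the port stayed unauthorized), which is the point at which Chapter 9's server-log and debug radius checks take over. The MAC comparison in config_warnings is the counter-side view of the single-host violation described in the comments of Example 11-8.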





Table 11-2 explains all the statistical output shown in Example 11-9.

Table 11-2. show dot1x statistics Field Descriptions

Field         Description
------------  ---------------------------------------------------------------------------
TxReqId       Number of Extensible Authentication Protocol (EAP)-Request/Identity frames that have been sent
TxReq         Number of EAP-Request frames (other than Request/Identity frames) that have been sent
TxTotal       Number of Extensible Authentication Protocol over LAN (EAPOL) frames of any type that have been sent
RxStart       Number of valid EAPOL-Start frames that have been received
RxLogoff      Number of EAPOL-Logoff frames that have been received
RxRespId      Number of EAP-Response/Identity frames that have been received
RxResp        Number of valid EAP-Response frames (other than Response/Identity frames) that have been received
RxInvalid     Number of EAPOL frames that have been received with an unrecognized frame type
RxLenErr      Number of EAPOL frames that have been received in which the packet body length field is invalid
RxTotal       Number of valid EAPOL frames of any type that have been received
RxVersion     802.1x protocol version (1 in Example 11-9) of the EAPOL frames received
LastRxSrcMac  Source MAC address carried in the most recently received EAPOL frame





To check which VLAN the port belongs to (for instance, whether an authenticated port was moved to the VLAN assigned by the AAA server, or whether a port without a supplicant was placed in the guest VLAN), use show vlan brief, as shown in Example 11-10. The VLAN shown here is the operational one; compare it with the access VLAN configured on the interface to tell a dynamic assignment from the static configuration.

Example 11-10. show vlan brief Command Output
switch# show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/21, Fa0/22, Fa0/23, Gi0/1
                                                Gi0/2
2    ACS                              active    Fa0/24
10   Cisco                            active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12
99   Guest                            active    Fa0/20
100  Machine                          active
Switch#