Sunday, February 7, 2021

Troubleshooting DOT1X and Radius in IOS and IOS-XE

    • To verify the status of the RADIUS server from the NAD, use the command show aaa servers

4507#sh aaa servers
RADIUS: id 3, priority 1, host 10.10.22.30, auth-port 1812, acct-port 1813
     State: current UP, duration 10862s, previous duration 0s
     Dead: total time 0s, count 0
     Quarantined: No
     Authen: request 1, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 1, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 16ms
             Transaction: success 1, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Author: request 0, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Account: request 0, timeouts 0, failover 0, retransmission 0
             Request: start 0, interim 0, stop 0
             Response: start 0, interim 0, stop 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Elapsed time since counters last cleared: 3h1m
     Estimated Outstanding Access Transactions: 0
     Estimated Outstanding Accounting Transactions: 0
     Estimated Throttled Access Transactions: 0
     Estimated Throttled Accounting Transactions: 0
     Maximum Throttled Transactions: access 0, accounting 0
     Requests per minute past 24 hours:
             high - 1 hours, 23 minutes ago: 1
             low  - 3 hours, 1 minutes ago: 0
             average: 0
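The counters above tell you quickly whether a failure is a transport problem (server DEAD, timeouts, retransmissions) or a policy problem (server answers, but with Access-Reject). The following script is an added example, not part of the original post: it parses show aaa servers output and flags those conditions for every server listed. The sample text is constructed from the post's output plus a second, hypothetical server; the 10% timeout threshold is an assumption you can tune.

```python
"""Parse 'show aaa servers' output and flag RADIUS server health problems.

Added example, not from the original post. The sample output below is
constructed to mirror the post's format; the thresholds are assumptions.
"""
import re

# Constructed sample: the post's server 10.10.22.30 plus a hypothetical
# second server that has been marked dead and is timing out.
SAMPLE = """\
RADIUS: id 3, priority 1, host 10.10.22.30, auth-port 1812, acct-port 1813
     State: current UP, duration 10862s, previous duration 0s
     Dead: total time 0s, count 0
     Quarantined: No
     Authen: request 1, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 1, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 16ms
             Transaction: success 1, failure 0
RADIUS: id 4, priority 2, host 10.10.22.31, auth-port 1812, acct-port 1813
     State: current DEAD, duration 120s, previous duration 9000s
     Dead: total time 120s, count 2
     Quarantined: No
     Authen: request 40, timeouts 12, failover 12, retransmission 24
             Response: accept 20, reject 3, challenge 5
             Response: unexpected 0, server error 0, incorrect 0, time 300ms
             Transaction: success 28, failure 12
"""

HEADER = re.compile(r"^RADIUS: id (\d+), priority (\d+), host (\S+), "
                    r"auth-port (\d+), acct-port (\d+)")
STATE = re.compile(r"State: current (\w+)")
DEAD = re.compile(r"Dead: total time (\d+)s, count (\d+)")
AUTHEN = re.compile(r"Authen: request (\d+), timeouts (\d+), failover (\d+), "
                    r"retransmission (\d+)")
RESP = re.compile(r"Response: accept (\d+), reject (\d+), challenge (\d+)")


def parse_aaa_servers(text):
    """Return one dict per 'RADIUS: id ...' block with the fields we care about."""
    servers, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"id": int(m.group(1)), "priority": int(m.group(2)),
                   "host": m.group(3), "auth_port": int(m.group(4)),
                   "acct_port": int(m.group(5))}
            servers.append(cur)
            continue
        if cur is None:
            continue
        if m := STATE.search(line):
            cur["state"] = m.group(1)
        elif m := DEAD.search(line):
            cur["dead_time"], cur["dead_count"] = int(m.group(1)), int(m.group(2))
        elif m := AUTHEN.search(line):
            cur["requests"], cur["timeouts"] = int(m.group(1)), int(m.group(2))
            cur["failover"], cur["retransmission"] = int(m.group(3)), int(m.group(4))
        elif (m := RESP.search(line)) and "accept" not in cur:
            # The first accept/reject line after the header is the Authen
            # section; the Author section repeats the same layout later.
            cur["accept"], cur["reject"], cur["challenge"] = (int(x) for x in m.groups())
    return servers


def assess(server, timeout_ratio=0.1):
    """Return human-readable findings; an empty list means the server looks healthy."""
    findings = []
    state = server.get("state")
    if state != "UP":
        findings.append(f"state {state}: the NAD will fail over or fall back to local policy")
    if server.get("dead_count", 0) > 0:
        findings.append(f"marked dead {server['dead_count']} time(s) since counters cleared")
    req = server.get("requests", 0)
    if req and server.get("timeouts", 0) / req > timeout_ratio:
        findings.append(f"{server['timeouts']}/{req} requests timed out: check reachability, "
                        "UDP {}/{}, and the shared secret".format(server["auth_port"],
                                                               server["acct_port"]))
    if server.get("accept", 0) == 0 and server.get("reject", 0) > 0:
        findings.append(f"every answered request was rejected (accept 0, reject "
                        f"{server['reject']}): look at ISE policy and the endpoint identity, "
                        "not at transport")
    return findings


if __name__ == "__main__":
    for srv in parse_aaa_servers(SAMPLE):
        print(f"{srv['host']} (id {srv['id']}):", assess(srv) or ["healthy"])
```

Run it against the pasted output of show aaa servers from the switch; a server that is UP with zero timeouts but only rejects points you at the ISE live logs rather than at the network path.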

 

 

    • The command show authentication sessions interface x/x shows the authentication status of the interface

4507#sh authentication sessions interface g1/27
            Interface:  GigabitEthernet1/27
          MAC Address:  b8ca.3aca.8f8f
           IP Address:  10.11.1.71
            User-Name:  B8-CA-3A-CA-8F-8F
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  3600s (local), Remaining: 2549s
       Timeout action:  Reauthenticate
         Idle timeout:  N/A
    Common Session ID:  0AAA00020001F45660C7C74C
      Acct Session ID:  0x00020413
               Handle:  0x0E000486

Runnable methods list:
       Method   State
       mab      Authc Success
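When you triage many ports, the three fields worth reading together are Status, Authorized By and the runnable methods list: a session can show Authz Success while having been authorized locally (critical or fallback policy) rather than by the server, and a session whose only successful method is mab has been identified by its MAC address alone, with no supplicant credentials validated. The script below is an added example, not from the original post; it parses the session output above (copied here as a constructed sample) into fields and returns those three facts plus the time until reauthentication.

```python
"""Triage 'show authentication sessions interface' output.

Added example, not from the original post. The sample text is a constructed
copy of the post's GigabitEthernet1/27 session.
"""
import re

SESSION_MAB = """\
            Interface:  GigabitEthernet1/27
          MAC Address:  b8ca.3aca.8f8f
           IP Address:  10.11.1.71
            User-Name:  B8-CA-3A-CA-8F-8F
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  3600s (local), Remaining: 2549s
       Timeout action:  Reauthenticate
         Idle timeout:  N/A
    Common Session ID:  0AAA00020001F45660C7C74C
      Acct Session ID:  0x00020413
               Handle:  0x0E000486

Runnable methods list:
       Method   State
       mab      Authc Success
"""


def parse_session(text):
    """Split the output into a dict of 'Key: value' fields and a dict of method states."""
    fields, methods, in_methods = {}, {}, False
    for line in text.splitlines():
        if line.startswith("Runnable methods list"):
            in_methods = True
            continue
        if in_methods:
            # Lines look like "       mab      Authc Success"; skip the column header.
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0] != "Method":
                methods[parts[0]] = parts[1].strip()
            continue
        if ":" in line:
            # Partition on the first colon only: the Session timeout value
            # itself contains "Remaining: 2549s".
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields, methods


def triage(fields, methods):
    """Summarise the security-relevant state of one session."""
    succeeded = [m for m, state in methods.items() if state.startswith("Authc Success")]
    remaining = re.search(r"Remaining: (\d+)s", fields.get("Session timeout", ""))
    return {
        "interface": fields.get("Interface"),
        "mac": fields.get("MAC Address"),
        "authorized": fields.get("Status") == "Authz Success",
        # Anything other than the server means a local fallback authorized the port.
        "authorized_by_server": fields.get("Authorized By") == "Authentication Server",
        "methods_succeeded": succeeded,
        # MAB-only: the identity is the (spoofable) MAC address, nothing stronger.
        "mab_only": succeeded == ["mab"],
        "reauth_in_s": int(remaining.group(1)) if remaining else None,
    }


if __name__ == "__main__":
    print(triage(*parse_session(SESSION_MAB)))
```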

 

    • Since this session was authenticated with MAB, you can check the MAB details using the command show mab interface x/x details

4507#sh mab interface g1/27 details
MAB details for GigabitEthernet1/27
-------------------------------------
Mac-Auth-Bypass           = Enabled

MAB Client List
---------------
Client MAC                = b8ca.3aca.8f8f
Session ID                = 0AAA00020001F45660C7C74C
MAB SM state              = TERMINATE
Authen Status             = SUCCESS

 

    • You can clear the current authentication session with clear authentication session interface x/x, or shut down the interface
    • Navigate to ISE > Operations > RADIUS > Live Logs to see the current logs
    • Navigate to ISE > Operations > RADIUS > Live Sessions to see the currently active sessions
    • Navigate to ISE > Operations > Troubleshoot Diagnostics to check the current logs from the NAD devices (Pass/Fail)
    • Navigate to ISE > Operations > Troubleshoot Diagnostics > Endpoint Debugging
      • Enter the endpoint MAC address and start debugging
      • This generates a log file of all actions ISE took for that endpoint
    • Navigate to ISE > Context Visibility > Endpoints and filter by MAC address to check the status of the endpoint (Connected, Disconnected, Rejected)
      • Be aware that endpoints can sit in the Rejected state because of the Suppression of Failed Requests feature
      • You can release endpoints from the Rejected state
    • You can test RADIUS authentication from the NAD using the command test aaa group radius radtest #radius-key# new-code (the new-code keyword is hidden from the context help but must be entered)
    • To verify dot1x EAP messages, use the command debug dot1x packets

 

Jul 27 14:29:13.268 GST: dot1x-packet:EAPOL pak Tx - Ver: 0x3  type: 0x0
Jul 27 14:29:13.268 GST: dot1x-packet: length: 0x0005
Jul 27 14:29:13.268 GST: dot1x-packet:EAP code: 0x1  id: 0x1  length: 0x0005
Jul 27 14:29:13.268 GST: dot1x-packet: type: 0x1
Jul 27 14:29:13.268 GST: dot1x-packet:[d4be.d974.0d4c, Gi1/0/25] EAPOL packet sent to client 0xBB0001EC
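The debug prints raw header values: in the lines above, EAPOL version 0x3 with type 0x0 is an EAP-Packet, and EAP code 0x1 with type 0x1 is a Request/Identity, i.e. the switch asking the client who it is. Whether an EAP Response ever comes back is what decides between a dot1x success and a fall back to MAB after the tx-period expires. The decoder below is an added example, not from the original post; it turns the debug lines (copied here as a constructed sample) into decoded packets using the IEEE 802.1X EAPOL types and the RFC 3748 EAP codes and common method types, and reports whether any supplicant response was seen.

```python
"""Decode the EAPOL/EAP header fields printed by 'debug dot1x packets'.

Added example, not from the original post. The log lines are a constructed
copy of the post's sample; the code tables are the standard 802.1X and
RFC 3748 values.
"""
import re

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             6: "GTC", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP",
             26: "EAP-MSCHAPv2", 43: "EAP-FAST"}

DEBUG_LINES = """\
Jul 27 14:29:13.268 GST: dot1x-packet:EAPOL pak Tx - Ver: 0x3  type: 0x0
Jul 27 14:29:13.268 GST: dot1x-packet: length: 0x0005
Jul 27 14:29:13.268 GST: dot1x-packet:EAP code: 0x1  id: 0x1  length: 0x0005
Jul 27 14:29:13.268 GST: dot1x-packet: type: 0x1
Jul 27 14:29:13.268 GST: dot1x-packet:[d4be.d974.0d4c, Gi1/0/25] EAPOL packet sent to client 0xBB0001EC
"""

HEX = r"0x([0-9a-fA-F]+)"
PKT = re.compile(rf"EAPOL pak (Tx|Rx) - Ver: {HEX}\s+type: {HEX}")
LEN = re.compile(rf"dot1x-packet: length: {HEX}")
EAP = re.compile(rf"EAP code: {HEX}\s+id: {HEX}\s+length: {HEX}")
TYPE = re.compile(rf"dot1x-packet: type: {HEX}")
CLIENT = re.compile(r"\[([0-9a-f.]+), ([^\]]+)\] EAPOL packet")


def decode_dot1x_debug(text):
    """Group consecutive debug lines into one decoded dict per EAPOL frame."""
    packets, cur = [], None
    for line in text.splitlines():
        if m := PKT.search(line):
            cur = {"direction": m.group(1),
                   "eapol_version": int(m.group(2), 16),
                   "eapol_type": EAPOL_TYPES.get(int(m.group(3), 16), "unknown")}
            packets.append(cur)
        elif cur is None:
            continue
        elif m := LEN.search(line):
            cur["eapol_length"] = int(m.group(1), 16)
        elif m := EAP.search(line):
            cur["eap_code"] = EAP_CODES.get(int(m.group(1), 16), "unknown")
            cur["eap_id"] = int(m.group(2), 16)
            cur["eap_length"] = int(m.group(3), 16)
        elif m := TYPE.search(line):
            # Success/Failure frames carry no type field, so this line is optional.
            t = int(m.group(1), 16)
            cur["eap_type"] = EAP_TYPES.get(t, f"type {t}")
        elif m := CLIENT.search(line):
            cur["mac"], cur["interface"] = m.group(1), m.group(2)
            cur = None  # the client line closes the frame
    return packets


def describe(pkt):
    """One-line summary such as 'Tx EAP-Packet Request/Identity id=1 Gi1/0/25 d4be.d974.0d4c'."""
    eap = pkt.get("eap_code", "")
    if "eap_type" in pkt:
        eap += "/" + pkt["eap_type"]
    return (f"{pkt['direction']} {pkt['eapol_type']} {eap} id={pkt.get('eap_id')} "
            f"{pkt.get('interface')} {pkt.get('mac')}")


def supplicant_responded(packets):
    """True if any frame is an EAP Response received from the client."""
    return any(p["direction"] == "Rx" and p.get("eap_code") == "Response" for p in packets)


if __name__ == "__main__":
    frames = decode_dot1x_debug(DEBUG_LINES)
    for f in frames:
        print(describe(f))
    print("supplicant responded:", supplicant_responded(frames))
```

A capture that shows only repeated Tx Request/Identity frames for a port, with no Rx Response, means there is no supplicant answering; that is the case where the port ends up on MAB, as the Gi1/27 session earlier in the post does.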

 

    • To verify MAB messages, use the command debug mab all
    • For Windows 7 supplicants, you need to install the hotfixes listed at:

https://supportforums.cisco.com/t5/security-blogs/getting-past-intermittent-unexplained-802-1x-problems-on-windows/ba-p/3104109

 

 

In IOS-XE, the debug radius command no longer shows the dot1x and authentication messages. This has changed: they are now seen as traces from the Session Manager process (SMD).

 

request platform software trace rotate all        (rotates the traces held in memory into files in the crashinfo directory)

 

Raise the trace level of the relevant SMD modules from notice (the default) to a more detailed level such as info or verbose (the commands below use verbose):

 

set platform software trace smd switch active R0 aaa verbose
set platform software trace smd switch active R0 dot1x-all verbose
set platform software trace smd switch active R0 radius verbose
set platform software trace smd switch active R0 mab verbose

 

View the traces (you can filter the output with a pipe and a regular expression matching the modules of interest):

 

show platform software trace message smd switch active R0 | i radius|dot1|mab|aaa

 

To reset the trace levels for all modules back to the default, use the command

set platform software trace smd switch active R0 all-modules notice
