Authentication Vlan and MAC issue

ktan20
Member
Posts: 4
Joined: 23 Sep 2021 02:41

Authentication Vlan and MAC issue

Post by ktan20 »

Hi,

I have a 6850E switch (ver 6.4.3).
I want to configure 802.1x and MAC authentication against the NPS RADIUS server for the workstation connected to it.
The workstation connects to port 1/7.
I attached the configuration file.
Please help me check which part I configured wrong.

This is my first time using an Alcatel switch, so I am not very familiar with it yet.

DEV-SS1-FARM_SW1# show aaa-device all-users

Slot  MAC               User                 Addr IP              Authentication User Network
Port  Address           Name            Vlan Mode Address         Type Result    Profile Name
-----+-----------------+---------------+----+----+---------------+----+----+---------------
1/ 7  80:e8:2c:c9:20:1b --              131  Blk  -               MAC  Fail -


DEV-SS1-FARM_SW1# show 802.1x non-supplicant

Slot  MAC               MAC Authent      Classification      Vlan     Dynamic
Port  Address           Status           Policy              Learned  UNP
-----+-----------------+----------------+-------------------+--------+--------
01/07 80:e8:2c:c9:20:1b Failed           Basic-Blk           131      Disabled


DEV-SS1-FARM_SW1# show 802.1x device classification policies
Device classification policies on 802.1x port 1/7
  Supplicant:
    authentication:
      pass: UNP Radius, default-VLAN
      fail: block
  Non-Supplicant:
    authentication:
      pass: UNP test, default-vlan
      fail: block
  Captive Portal:
    authentication:
      pass: default-vlan (default)
      fail: block (default)
ktan20
Member
Posts: 4
Joined: 23 Sep 2021 02:41

Re: Authentication Vlan and MAC issue

Post by ktan20 »

Please help on my issue ASAP
jaygro
Member
Posts: 10
Joined: 15 Nov 2021 07:24

Re: Authentication Vlan and MAC issue

Post by jaygro »

ktan20 wrote: 07 Oct 2021 21:22
Please help on my issue ASAP

Tips for getting help (especially since this is a forum of random volunteers):

1. If you're in a hurry you should get a consultant :-)
2. You are more likely to get help if you show understanding of the issue
3. Don't just dump an entire config file, narrow it down to relevant bits, e.g. AAA and 802.1x sections:

Code:

! AAA :
aaa radius-server "SS1SECASM3" host 172.23.16.170 key f5dc1cc956c0ee9b5a6d0fb95a26bb76 retransmit 3 timeout 2 auth-port 1812 acct-port 1813 
aaa authentication console "local" 
aaa authentication ssh "local" 
aaa authentication 802.1x SS1SECASM3
aaa authentication mac SS1SECASM3
aaa accounting 802.1x SS1SECASM3
aaa accounting mac SS1SECASM3
user password-size min 6
aaa user-network-profile name "Radius" vlan 131 hic disable
aaa user-network-profile name "test" vlan 131 hic disable
aaa classification-rule mac-address 80:e8:2c:c9:20:1b user-network-profile name test
! 802.1x :
802.1x 1/7 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/7 captive-portal session-limit 12 retry-count 3
802.1x 1/7 supp-polling retry 2 
802.1x 1/7 supplicant policy authentication pass user-network-profile Radius default-vlan fail block
802.1x 1/7 non-supplicant policy authentication pass user-network-profile test default-vlan fail block
802.1x 1/7 captive-portal policy authentication pass default-vlan fail block

You can get sectional output by using

Code:

show configuration snapshot

followed by the section in question, e.g.

Code:

show configuration snapshot aaa

First of all:

AAA looks OK. You have "aaa radius server" and both accounting and authentication for both 802.1x and MAC addresses set up for that server. Why both though? Are you planning on using only 802.1x? Then you should remove the mac lines.

What do the logs say? From the RADIUS server and from the switch? You've put in that the default action if 802.1x fails is to block, and by golly it's not blocking for no reason.

Have you tried test credentials?

Code:

aaa test-radius-server

Also, have you checked the 802.1x section of the manual? For reference, I'm using "os_nt_revF.pdf" as that's what I have lying around. Chapter 41 is essentially what you need.
I'm only used to Cisco yet here I am :-)
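
A static cross-check of the AAA and 802.1x lines quoted in the reply above, as an added example that is not from the thread or from the switch vendor: it confirms that every referenced RADIUS server and user-network-profile is defined and that each port policy has a matching "aaa authentication" line. The audit function, its output shape, the key placeholder and the mapping of non-supplicant policies to "aaa authentication mac" are assumptions of this example.

```python
import re

# Constructed sample: AAA/802.1x lines from the thread, RADIUS key replaced by a placeholder.
CONFIG = """\
aaa radius-server "SS1SECASM3" host 172.23.16.170 key KEY-PLACEHOLDER auth-port 1812 acct-port 1813
aaa authentication 802.1x SS1SECASM3
aaa authentication mac SS1SECASM3
aaa user-network-profile name "Radius" vlan 131 hic disable
aaa user-network-profile name "test" vlan 131 hic disable
aaa classification-rule mac-address 80:e8:2c:c9:20:1b user-network-profile name test
802.1x 1/7 supplicant policy authentication pass user-network-profile Radius default-vlan fail block
802.1x 1/7 non-supplicant policy authentication pass user-network-profile test default-vlan fail block
"""
# Assumption: the "aaa authentication <method>" line each policy type depends on.
METHOD = {"supplicant": "802.1x", "non-supplicant": "mac"}

def audit(config):
    """Return (policies, findings) for the AAA and 802.1x lines in config."""
    servers, auth, unps, policies, findings = set(), {}, {}, [], []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    for ln in lines:  # first pass: collect definitions
        if m := re.match(r'aaa radius-server "?([^"\s]+)', ln):
            servers.add(m[1])
        elif m := re.match(r'aaa authentication (802\.1x|mac) "?([^"\s]+)', ln):
            auth[m[1]] = m[2]
        elif m := re.match(r'aaa user-network-profile name "?([^"\s]+)"? vlan (\d+)', ln):
            unps[m[1]] = int(m[2])
    for method, server in auth.items():
        if server not in servers:
            findings.append(f"aaa authentication {method}: server {server} is not defined")
    for ln in lines:  # second pass: resolve references
        if ln.startswith("aaa user-network-profile"):
            continue
        for name in re.findall(r'user-network-profile (?:name )?"?([^"\s]+)', ln):
            if name not in unps:
                findings.append(f"undefined user-network-profile {name}: {ln}")
        m = re.match(r'802\.1x (\S+) (supplicant|non-supplicant) policy authentication '
                     r'pass (.+?) fail (.+)', ln)
        if m:
            port, kind, on_pass, on_fail = m.groups()
            if METHOD[kind] not in auth:
                findings.append(f"{port} {kind} policy needs 'aaa authentication {METHOD[kind]}'")
            unp = re.search(r'user-network-profile "?([^"\s]+)', on_pass)
            policies.append({"port": port, "kind": kind, "on_fail": on_fail,
                             "pass_vlan": unps.get(unp[1]) if unp else None})
    return policies, findings

if __name__ == "__main__":
    print(*sum(audit(CONFIG), []), sep="\n")
```

An empty findings list for the quoted lines means the references are internally consistent, so the remaining evidence for a "Fail" result has to come from the RADIUS server and switch logs.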