Troubleshooting dot1x can be done via the Cisco ISE GUI (generally simpler), but there are cases where switch show commands are more useful and faster.
My two preferred commands are:
show authentication sessions
You can find information like:
- Authentication method (dot1x, mab, …)
- Domain type: Data or Voice
- Authentication status: Unauth or Auth
Ciscozine-sw#sh authentication sessions
Interface  Identifier      Method  Domain   Status  Fg  Session ID
Gi1/0/15   98e7.f4be.ebcb  dot1x   DATA     Auth        0A000A0B000002B91FBE82F2
Gi1/0/17   583a.7952.a3fd  mab     DATA     Auth        0A000A0B000004E53472885B
Gi1/0/18   9cab.ef0c.13f2  dot1x   DATA     Auth        0A000A0B000005B146FEBCE8
Gi1/0/7    2ca1.38a0.9310  dot1x   DATA     Auth        0A000A0B000005AE44E2BFE9
Gi1/0/34   3812.e2f0.ae65  mab     DATA     Auth        0A000A0B0000000E0001A1C0
Gi1/0/2    d026.5000.14e0  N/A     UNKNOWN  Auth        0A000A0B0000000B00019F39
Gi1/0/42   e447.49a4.8300  mab     DATA     Auth        0A000A0B000006664D636353
Gi1/0/24   0040.9fe2.f70d  mab     VOICE    Auth        0A000A0B0000055343313F91
Gi1/0/43   80ec.2c04.1c65  dot1x   DATA     Auth        0A000A0B000005A543E85D13
Gi1/0/8    8d2a.fd77.6dd5  mab     DATA     Auth        0A000A0B000004FB41CCFEB0
Session count = 10

Key to Session Events Blocked Status Flags:
A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
N - Waiting for AAA to come up
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker
Ciscozine-sw#
show authentication sessions interface <interface> details
It gives more information than the previous command:
- IP address.
- The username used by the authentication process; in this case, the username is the PC hostname because EAP-TLS authentication is used.
- Status of authentication.
- Domain type.
- The session timeout. The word “server” means that the RADIUS server (for instance Cisco ISE) sends this value to the authenticator (switch).
- Accounting timeout; it can be defined only via the switch configuration (“local”).
- Common Session ID; useful to find the session in Cisco ISE.
- Method status list; it shows the authentication method(s) used and the result of the authentication process.
Example of Dot1X authorization (notice the “Method status list”):
Ciscozine-sw#show authentication sessions interface gigabitEthernet 1/0/43 details
Interface: GigabitEthernet1/0/43
MAC Address: 010e8.2cd4.1ca5
IPv6 Address: Unknown
IPv4 Address: 10.0.50.10
User-Name: Fabio-PC.ciscozine.local
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Session timeout: 3600s (server), Remaining: 693s
Timeout action: Reauthenticate
Restart timeout: N/A
Periodic Acct timeout: 172800s (local), Remaining: 166225s
Session Uptime: 2914s
Common Session ID: 0A000A0B000005A543E85D13
Acct Session ID: 0x00000086
Handle: 0xE1000588
Current Policy: POLICY_Gi1/0/43
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Server Policies:
Idle timeout: 1800 sec
Vlan Group: Vlan: 2020
Method status list:
Method State
dot1x Authc Success
Ciscozine-sw#
Example of MAB authorization (notice the “Method status list”):
Ciscozine-sw#sh authentication sessions interface gigabitEthernet 1/0/8 details
Interface: GigabitEthernet1/0/8
MAC Address: 5838.794d.8b41
IPv6 Address: Unknown
IPv4 Address: 10.0.60.37
User-Name: 58-38-79-4D-8B-41
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Session timeout: 1800s (server), Remaining: 1798s
Timeout action: Reauthenticate
Restart timeout: N/A
Periodic Acct timeout: 172800s (local), Remaining: 172798s
Session Uptime: 31s
Common Session ID: 0A000A0A00001BD79D0A4D2E
Acct Session ID: 0x00001791
Handle: 0xDE000AD8
Current Policy: POLICY_Gi1/0/8
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Server Policies:
Vlan Group: Vlan: 2060
Method status list:
Method State
dot1x Stopped
mab Authc Success
Ciscozine-sw#
And what happens if the RADIUS server goes down?
If the RADIUS server is down and a device is connected to the network afterwards, two things happen:
- If the command “authentication event server dead action authorize voice” is present in the interface configuration, the voice VLAN is authorized (in the example below, VLAN 2070).
- If the command “authentication event server dead action authorize vlan” is present in the interface configuration, the device is placed in the “critical VLAN” (in the example below, VLAN 2029).
Ciscozine-sw#show authentication sessions int gigabitEthernet 1/0/19 details
Interface: GigabitEthernet1/0/19
MAC Address: 487a.5517.0a78
IPv6 Address: Unknown
IPv4 Address: 10.0.70.26
Status: Authorized
Domain: UNKNOWN
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 172800s (local), Remaining: 172713s
Session Uptime: 117s
Common Session ID: 0A000A26000001BD08B4F85E
Acct Session ID: 0x00000065
Handle: 0xAB0001AA
Current Policy: POLICY_Gi1/0/19
Local Policies:
Service Template: CRITICAL_AUTH_VLAN_Gi1/0/19 (priority 150)
Vlan Group: Vlan: 2029
Service Template: DEFAULT_CRITICAL_VOICE_TEMPLATE (priority 150)
Voice Vlan: 2070
Method status list:
Method State
dot1x Stopped
mab Authc Failed
----------------------------------------
Interface: GigabitEthernet1/0/19
MAC Address: 9c7b.ef53.0c6a
IPv6 Address: Unknown
IPv4 Address: 10.0.29.53
Status: Authorized
Domain: UNKNOWN
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 172800s (local), Remaining: 172684s
Session Uptime: 117s
Common Session ID: 0A000A26000001BC08B4F697
Acct Session ID: 0x00000063
Handle: 0x670001A9
Current Policy: POLICY_Gi1/0/19
Local Policies:
Service Template: CRITICAL_AUTH_VLAN_Gi1/0/19 (priority 150)
Vlan Group: Vlan: 2029
Service Template: DEFAULT_CRITICAL_VOICE_TEMPLATE (priority 150)
Voice Vlan: 2070
Method status list:
Method State
dot1x Authc Failed
Ciscozine-sw#
Note: If a device is in the critical VLAN and the RADIUS server comes back up, the device is reauthenticated.
Note: If a device is already authorized and the RADIUS server goes down later, the device remains authorized until the session timeout expires.
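The “details” output above is easy to parse, and parsing it is the quickest way to spot endpoints that were admitted through the critical VLAN (Status Authorized but no method with Authc Success) so they can be re-checked once RADIUS is back. The following is an added example, not code from the original post or from Cisco; the sample output is constructed to mirror the fields shown above, and the session separator is assumed to be the dashed line seen in the multi-session output.

```python
import re

# Constructed sample in the "details" format (two sessions on one port); not a real capture.
SAMPLE = """Interface: GigabitEthernet1/0/19
MAC Address: 487a.5517.0a78
Status: Authorized
Service Template: CRITICAL_AUTH_VLAN_Gi1/0/19 (priority 150)
Vlan Group: Vlan: 2029
Method status list:
dot1x Stopped
mab Authc Failed
----------------------------------------
Interface: GigabitEthernet1/0/19
MAC Address: 80ec.2c04.1c65
Status: Authorized
Vlan Group: Vlan: 2020
Method status list:
dot1x Authc Success
"""
FIELD_RE = re.compile(r"^([A-Za-z0-9 -]+?):\s*(.*)$")  # "Key: value" lines
METHOD_RE = re.compile(r"^(dot1x|mab)\s+(.+)$")        # rows of the method status list

def parse_sessions(text):
    """Split on the dashed separator; one dict per session, methods/templates collected."""
    sessions = []
    for chunk in re.split(r"^-{10,}\s*$", text, flags=re.M):
        sess = {"methods": {}, "templates": []}
        for line in chunk.strip().splitlines():
            if m := METHOD_RE.match(line):
                sess["methods"][m.group(1)] = m.group(2).strip()
            elif m := FIELD_RE.match(line):
                key, val = m.group(1), m.group(2).strip()
                if key == "Service Template":  # may repeat (data + voice template)
                    sess["templates"].append(val)
                else:
                    sess[key] = val
        if "Interface" in sess:
            sessions.append(sess)
    return sessions

def access_source(sess):
    """'dot1x'/'mab' if a method succeeded; 'critical-vlan' if Authorized without one."""
    if sess.get("Status") != "Authorized":
        return "unauthorized"
    for name in ("dot1x", "mab"):
        if sess["methods"].get(name) == "Authc Success":
            return name
    critical = any(t.startswith("CRITICAL_AUTH_VLAN") for t in sess["templates"])
    return "critical-vlan" if critical else "unknown"
```

Run over the output of a `show authentication sessions details` collected from each access switch, any session reported as `critical-vlan` is a host that never passed dot1x or MAB and deserves a second look.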
How can you reset an authentication session?
- shut/no shut the interface
- clear authentication sessions (if you want to clear all authenticated sessions).
If you want to clear a single device/user by MAC address or by interface, use the commands:
- clear authentication sessions interface <interface>
- clear authentication sessions mac <mac address>