Basic dot1x troubleshooting via CLI

Troubleshooting dot1x can be done via the Cisco ISE GUI (generally simpler), but there are cases where switch show commands are more useful and faster.

My two preferred commands are:

show authentication sessions

It shows, for every session on the switch, information such as:

  • Authentication method (dot1x, mab, …)
  • Domain type: DATA or VOICE
  • Authentication status: Unauth or Auth

Ciscozine-sw#sh authentication sessions 
 Interface    Identifier     Method  Domain  Status Fg Session ID
 Gi1/0/15     98e7.f4be.ebcb dot1x   DATA    Auth      0A000A0B000002B91FBE82F2
 Gi1/0/17     583a.7952.a3fd mab     DATA    Auth      0A000A0B000004E53472885B
 Gi1/0/18     9cab.ef0c.13f2 dot1x   DATA    Auth      0A000A0B000005B146FEBCE8
 Gi1/0/7      2ca1.38a0.9310 dot1x   DATA    Auth      0A000A0B000005AE44E2BFE9
 Gi1/0/34     3812.e2f0.ae65 mab     DATA    Auth      0A000A0B0000000E0001A1C0
 Gi1/0/2      d026.5000.14e0 N/A     UNKNOWN Auth      0A000A0B0000000B00019F39
 Gi1/0/42     e447.49a4.8300 mab     DATA    Auth      0A000A0B000006664D636353
 Gi1/0/24     0040.9fe2.f70d mab     VOICE   Auth      0A000A0B0000055343313F91
 Gi1/0/43     80ec.2c04.1c65 dot1x   DATA    Auth      0A000A0B000005A543E85D13
 Gi1/0/8      8d2a.fd77.6dd5 mab     DATA    Auth      0A000A0B000004FB41CCFEB0
 Session count = 10
 Key to Session Events Blocked Status Flags:
 A - Applying Policy (multi-line status for details)
   D - Awaiting Deletion
   F - Final Removal in progress
   I - Awaiting IIF ID allocation
   N - Waiting for AAA to come up
   P - Pushed Session
   R - Removing User Profile (multi-line status for details)
   U - Applying User Profile (multi-line status for details)
   X - Unknown Blocker
 Ciscozine-sw#

show authentication sessions interface <interface> details

It gives more information than the previous command:

  • IP address.
  • The username used by the authentication process; in this case the username is the PC hostname, because EAP-TLS authentication is used.
  • Status of the authentication.
  • Domain type.
  • The session timeout. The word “server” means that the RADIUS server (for instance Cisco ISE) sent this value to the authenticator (the switch).
  • Accounting timeout; it can be defined only via the switch configuration (shown as “local”).
  • Common Session ID; useful to find the same session in Cisco ISE.
  • Method status list; it shows which authentication methods were tried and the result of each one.

Example of Dot1X authorization (notice the “Method status list”):

Ciscozine-sw#show authentication sessions interface gigabitEthernet 1/0/43 details 
             Interface:  GigabitEthernet1/0/43
           MAC Address:  010e8.2cd4.1ca5
          IPv6 Address:  Unknown
          IPv4 Address:  10.0.50.10
             User-Name:  Fabio-PC.ciscozine.local
                Status:  Authorized
                Domain:  DATA
        Oper host mode:  multi-auth
      Oper control dir:  in
       Session timeout:  3600s (server), Remaining: 693s
        Timeout action:  Reauthenticate
       Restart timeout:  N/A
 Periodic Acct timeout:  172800s (local), Remaining: 166225s
        Session Uptime:  2914s
     Common Session ID:  0A000A0B000005A543E85D13
       Acct Session ID:  0x00000086
                Handle:  0xE1000588
        Current Policy:  POLICY_Gi1/0/43
 Local Policies:
         Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
 Server Policies:
          Idle timeout:  1800 sec
            Vlan Group:  Vlan: 2020
 Method status list: 
       Method            State 
   dot1x              Authc Success
 Ciscozine-sw#

Example of MAB authorization (notice the “Method status list”):

Ciscozine-sw#sh authentication sessions interface  gigabitEthernet 1/0/8 details 
            Interface:  GigabitEthernet1/0/8
          MAC Address:  5838.794d.8b41
         IPv6 Address:  Unknown
         IPv4 Address:  10.0.60.37
            User-Name:  58-38-79-4D-8B-41
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  in
      Session timeout:  1800s (server), Remaining: 1798s
       Timeout action:  Reauthenticate
      Restart timeout:  N/A
Periodic Acct timeout:  172800s (local), Remaining: 172798s
       Session Uptime:  31s
    Common Session ID:  0A000A0A00001BD79D0A4D2E
      Acct Session ID:  0x00001791
               Handle:  0xDE000AD8
       Current Policy:  POLICY_Gi1/0/8

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
           Vlan Group:  Vlan: 2060

Method status list: 
      Method            State 

      dot1x              Stopped
      mab                Authc Success

Ciscozine-sw#

And what happens if the RADIUS server goes down?

If the RADIUS server is down and a device is connected to the network afterwards, two things happen:

  • If the command “authentication event server dead action authorize voice” is present in the interface configuration, the voice VLAN is authorized (in the example below, VLAN 2070).
  • If the command “authentication event server dead action authorize vlan” is present in the interface configuration, the device is placed in the “critical VLAN” (in the example below, VLAN 2029).

Ciscozine-sw#show authentication sessions int gigabitEthernet 1/0/19 details 
            Interface:  GigabitEthernet1/0/19
          MAC Address:  487a.5517.0a78
         IPv6 Address:  Unknown
         IPv4 Address:  10.0.70.26
               Status:  Authorized
               Domain:  UNKNOWN
       Oper host mode:  multi-auth
     Oper control dir:  in
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  172800s (local), Remaining: 172713s
       Session Uptime:  117s
    Common Session ID:  0A000A26000001BD08B4F85E
      Acct Session ID:  0x00000065
               Handle:  0xAB0001AA
       Current Policy:  POLICY_Gi1/0/19

Local Policies:
        Service Template: CRITICAL_AUTH_VLAN_Gi1/0/19 (priority 150)
           Vlan Group:  Vlan: 2029
        Service Template: DEFAULT_CRITICAL_VOICE_TEMPLATE (priority 150)
           Voice Vlan:  2070

Method status list: 
      Method            State 

      dot1x              Stopped
      mab                Authc Failed

----------------------------------------
            Interface:  GigabitEthernet1/0/19
          MAC Address:  9c7b.ef53.0c6a
         IPv6 Address:  Unknown
         IPv4 Address:  10.0.29.53
               Status:  Authorized
               Domain:  UNKNOWN
       Oper host mode:  multi-auth
     Oper control dir:  in
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  172800s (local), Remaining: 172684s
       Session Uptime:  117s
    Common Session ID:  0A000A26000001BC08B4F697
      Acct Session ID:  0x00000063
               Handle:  0x670001A9
       Current Policy:  POLICY_Gi1/0/19

Local Policies:
        Service Template: CRITICAL_AUTH_VLAN_Gi1/0/19 (priority 150)
           Vlan Group:  Vlan: 2029
        Service Template: DEFAULT_CRITICAL_VOICE_TEMPLATE (priority 150)
           Voice Vlan:  2070

Method status list: 
      Method            State 

      dot1x              Authc Failed

Ciscozine-sw#

Note: If a device is in the critical VLAN and the RADIUS server comes back up, the device is reauthenticated.
Note: If a device is already authorized and the RADIUS server goes down later, the device remains authorized until the session timeout expires.
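Sessions opened through the critical VLAN look “Authorized” in the summary table, so they are easy to miss on a switch with many ports. The following is an added example (not code from the original post) that parses the “details” output shown above and flags sessions that are Authorized although every method is Stopped or Authc Failed and a CRITICAL service template is applied. The SAMPLE text is constructed and abridged from the format above; the function names are my own.

```python
import re

# Constructed, abridged sample in the format shown above: two sessions,
# separated by the dashed line the switch prints between sessions.
SAMPLE = """\
            Interface:  GigabitEthernet1/0/19
          MAC Address:  487a.5517.0a78
               Status:  Authorized
               Domain:  UNKNOWN
Local Policies:
        Service Template: CRITICAL_AUTH_VLAN_Gi1/0/19 (priority 150)
           Vlan Group:  Vlan: 2029
Method status list:
      dot1x              Stopped
      mab                Authc Failed
----------------------------------------
            Interface:  GigabitEthernet1/0/8
          MAC Address:  5838.794d.8b41
               Status:  Authorized
               Domain:  DATA
Method status list:
      dot1x              Stopped
      mab                Authc Success
"""

def parse_sessions(text):
    """Return one dict per session: key/value fields, plus 'methods'
    (method -> state) and 'templates' (applied Service Templates).
    Lines without a value (headers such as 'Local Policies:') are skipped."""
    sessions = []
    for chunk in re.split(r"^-{10,}\s*$", text, flags=re.M):
        s = {"methods": {}, "templates": []}
        for line in chunk.splitlines():
            if m := re.match(r"^\s*(dot1x|mab)\s+(\S.*?)\s*$", line):
                s["methods"][m.group(1)] = m.group(2)
            elif m := re.match(r"^\s*([A-Za-z][\w -]*?):\s+(\S.*?)\s*$", line):
                key, value = m.groups()
                if key == "Service Template":
                    s["templates"].append(value)
                else:
                    s[key] = value
        if "Interface" in s:
            sessions.append(s)
    return sessions

def critical_auth_sessions(sessions):
    """Authorized, yet no method reached 'Authc Success' and a CRITICAL
    template is applied: the 'server dead action authorize' fallback fired."""
    return [s for s in sessions
            if s.get("Status") == "Authorized"
            and not any(v.startswith("Authc Success") for v in s["methods"].values())
            and any("CRITICAL" in t for t in s["templates"])]
```

Feed it the output of the command for each interface (or of “show authentication sessions details” on platforms that accept it) and review the flagged MAC addresses once the RADIUS server is back.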

How can you reset an authentication session?

  • shut/no shut the interface
  • clear authentication sessions (if you want to clear all authenticated sessions).
    If you want to clear a single device/user by MAC address or by interface, use the commands:
    • clear authentication sessions interface <interface>
    • clear authentication sessions mac <mac-address>
