dot1x-ev(Gi0/7): Dot1x authentication started for 0xC300005B (0026.55d0.0d56)
%AUTHMGR-5-START: Starting 'dot1x' for client (0026.55d0.0d56) on Interface Gi0/7 AuditSessionID 0A010A070000003100EE1DEA
// you may see more dot1x reties here. It depends on configured tx-period and how quickly you provide username and password to the supplicant.
dot1x-ev(Gi0/7): Sending EAPOL packet to 0026.55d0.0d56 dot1x-ev(Gi0/7): Role determination not required dot1x-ev(Gi0/7): Sending out EAPOL packet
dot1x-ev(Gi0/7): Sending EAPOL packet to 0026.55d0.0d56 dot1x-ev(Gi0/7): Role determination not required dot1x-ev(Gi0/7): Sending out EAPOL packet
dot1x-ev(Gi0/7): Role determination not required
dot1x-ev:Enqueued the eapol packet to the global authenticator queue EAPOL pak dump rx
EAPOL Version: 0x1 type: 0x0 length: 0x000E
dot1x-ev: dot1x_auth_queue_event: Int Gi0/7 CODE= 2,TYPE= 1,LEN= 14
dot1x-ev(Gi0/7): Received pkt saddr =0026.55d0.0d56 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.000e
dot1x-ev(Gi0/7): dot1x_sendRespToServer: Response sent to the server from 0xC300005B (0026.55d0.0d56)
RADIUS/ENCODE(00000036):Orig. component type = DOT1X RADIUS(00000036): Config NAS IP: 10.1.10.7
RADIUS/ENCODE(00000036): acct_session_id: 54 RADIUS(00000036): sending
// RADIUS authentication message is sent. It includes provided username and Service-Type=2 and NAS-Port-Type=15 which should be matched by ISE to the correct authentication rule. Note that the ISE is configured with Allowed Protocols where only PEAP/MS-CHAPv2 is selected. This will trigger another set of RADIUS messages to negotiate and build TLS tunnel and authenticate securely over that tunnel.
RADIUS(00000036): Send Access-Request to 172.31.1.20:1812 id 1645/162, len 204
RADIUS: authenticator 07 CE 7D 37 DF DA B8 D6 - 00 16 97 E8 97 BC 0F 4F RADIUS: User-Name [1] 11 "employee1"
RADIUS: Service-Type [6] 6 Framed [2]
RADIUS: Framed-MTU [12] 6 1500 RADIUS: Called-Station-Id [30] 19 "C4-64-13-6C-E8-07"
RADIUS: Calling-Station-Id [31] 19 "00-26-55-D0-0D-56"
RADIUS: EAP-Message [79] 16
RADIUS: 02 01 00 0E 01 65 6D 70 6C 6F 79 65 65 31 [ employee1]
RADIUS: Message-Authenticato[80] 18
RADIUS: 9C 1F 81 CF 9F 9E 64 34 E5 DA AC 68 D2 57 C1 41 [ d4hWA]
RADIUS: EAP-Key-Name [102] 2 * RADIUS: Vendor, Cisco [26] 49
RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A010A070000003100EE1DEA"
RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
RADIUS: NAS-Port [5] 6 50007 RADIUS: NAS-Port-Id [87] 20 "GigabitEthernet0/7"
RADIUS: NAS-IP-Address [4] 6 10.1.10.7 RADIUS(00000036): Started 5 sec timeout
// RADIUS challenge message is to negotiate PEAP and build TLS tunnel.
RADIUS: Received from id 1645/162 172.31.1.20:1812, Access-Challenge, len 119 RADIUS: authenticator 5B FB D9 3A 4B B5 74 93 - 4C 54 58 C8 BC A1 08 56
RADIUS: Message-Authenticato[80] 18
RADIUS: 48 01 CE 89 9D 3B 52 D4 77 5C 83 63 A8 16 D2 31 [ H;Rw\c1]
RADIUS(00000036): Received from id 1645/162
RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes dot1x-ev(Gi0/7): Sending EAPOL packet to 0026.55d0.0d56 dot1x-ev(Gi0/7): Role determination not required dot1x-ev(Gi0/7): Sending out EAPOL packet
dot1x-ev(Gi0/7): Role determination not required
dot1x-ev:Enqueued the eapol packet to the global authenticator queue EAPOL pak dump rx
EAPOL Version: 0x1 type: 0x0 length: 0x007B
dot1x-ev: dot1x_auth_queue_event: Int Gi0/7 CODE= 2,TYPE= 25,LEN= 123
dot1x-ev(Gi0/7): Received pkt saddr =0026.55d0.0d56 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.007b
dot1x-ev(Gi0/7): dot1x_sendRespToServer: Response sent to the server from 0xC300005B (0026.55d0.0d56)
RADIUS/ENCODE(00000036):Orig. component type = DOT1X RADIUS(00000036): Config NAS IP: 10.1.10.7
RADIUS/ENCODE(00000036): acct_session_id: 54
RADIUS(00000036): sending
// another RADIUS request is sent. Note that RADIUS message does NOT contain any password. There is just username. The username/password will be carried securely by EAP which is sent using RADIUS AVP/79.
RADIUS(00000036): Send Access-Request to 172.31.1.20:1812 id 1645/163, len 386 RADIUS: authenticator F0 57 7F CA 9E 1E DE B0 - 69 9F 41 77 5C 32 EC CE RADIUS: User-Name [1] 11 "employee1"
RADIUS: Service-Type [6] 6 Framed [2]
RADIUS: Framed-MTU [12] 6 1500 RADIUS: Called-Station-Id [30] 19 "C4-64-13-6C-E8-07"
RADIUS: Calling-Station-Id [31] 19 "00-26-55-D0-0D-56"
RADIUS: EAP-Message [79] 125
RADIUS: Message-Authenticato[80] 18
RADIUS: 24 89 84 4A A5 44 1A 9A CC AA 7F 82 07 25 5E 03 [ $JD?^]
RADIUS: EAP-Key-Name [102] 2 * RADIUS: Vendor, Cisco [26] 49
RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A010A070000003100EE1DEA"
RADIUS: NAS-Port-Type [61] 6 Ethernet [15] RADIUS(00000036): Started 5 sec timeout
// This RADIUS challenge message is for ISE authentication. PEAP uses server side authentication using digital certificate. This is why that message is so long – it contains ISE certificate.
RADIUS: Received from id 1645/163 172.31.1.20:1812, Access-Challenge, len 1131 RADIUS: authenticator F0 C8 1D 6C 96 CE 6F 38 - 6D DD 18 94 6A 57 24 5C
RADIUS: 64 01 19 16 05 6C 6F 63 61 6C 31 19 30 17 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 09 6D 69 63 72 6F [dlocal10&,dmicro]
RADIUS: Message-Authenticato[80] 18
RADIUS: A1 DC DF 16 43 95 CA 9C B4 3C 55 31 71 31 41 01 [ C<U1q1A]
RADIUS(00000036): Received from id 1645/163
RADIUS/DECODE: EAP-Message fragments, 253+253+253+253, total 1012 bytes
<snip>
dot1x-ev(Gi0/7): Received pkt saddr =0026.55d0.0d56 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.002b
dot1x-ev(Gi0/7): dot1x_sendRespToServer: Response sent to the server from 0xC300005B (0026.55d0.0d56)
RADIUS/ENCODE(00000036):Orig. component type = DOT1X RADIUS(00000036): Config NAS IP: 10.1.10.7
RADIUS/ENCODE(00000036): acct_session_id: 54 RADIUS(00000036): sending
RADIUS(00000036): Send Access-Request to 172.31.1.20:1812 id 1645/171, len 306 RADIUS: authenticator 3F 59 C2 9B F2 19 B0 62 - 48 B9 7F 62 62 24 C0 46 RADIUS: User-Name [1] 11 "employee1"
RADIUS: Service-Type [6] 6 Framed [2]
RADIUS: Framed-MTU [12] 6 1500 RADIUS: Called-Station-Id [30] 19 "C4-64-13-6C-E8-07"
RADIUS: Calling-Station-Id [31] 19 "00-26-55-D0-0D-56"
RADIUS: EAP-Message [79] 45
RADIUS: 02 4F 00 2B 19 00 17 03 01 00 20 37 07 D7 71 29 9D 4D 7D 5B C6 3D 7C 85 4A 3F 4F 83 2A 08 77 [O+ 7q)M}[=|J?O*w]
RADIUS: 39 7C 4A E6 44 13 12 04 AE C3 16 13 [ 9|JD]
RADIUS: Message-Authenticato[80] 18
RADIUS: 87 6A 31 76 49 99 00 6F 6E 59 EB 04 26 99 F0 F5 [ j1vIonY&]
RADIUS: EAP-Key-Name [102] 2 * RADIUS: Vendor, Cisco [26] 49
RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A010A070000003100EE1DEA"
RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
RADIUS: NAS-Port [5] 6 50007
RADIUS: NAS-Port-Id [87] 20 "GigabitEthernet0/7" RADIUS(00000036): Started 5 sec timeout
// RADIUS Access-Accept message after successful authentication. It contains additional authorization attributes like dACL name.
RADIUS: Received from id 1645/171 172.31.1.20:1812, Access-Accept, len 409 RADIUS: authenticator 04 9F 01 D2 2B 18 12 C3 - 69 57 CC 9E EB C4 BE 7F
RADIUS: Message-Authenticato[80] 18
RADIUS: E5 83 8E 2B 05 75 3F B9 2F 1B 48 A3 17 A7 A4 FA [ +u?/H]
RADIUS: EAP-Key-Name [102] 67 * RADIUS: Vendor, Cisco [26] 75
RADIUS: Cisco AVpair [1] 69 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-4f57e406"
RADIUS: Vendor, Microsoft [26] 58 RADIUS: MS-MPPE-Send-Key [16] 52 * RADIUS: Vendor, Microsoft [26] 58 RADIUS: MS-MPPE-Recv-Key [17] 52 * RADIUS(00000036): Received from id 1645/171
RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
%DOT1X-5-SUCCESS: Authentication successful for client (0026.55d0.0d56) on Interface Gi0/7 AuditSessionID
dot1x-ev(Gi0/7): Sending event (2) to Auth Mgr for 0026.55d0.0d56
%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0026.55d0.0d56) on Interface Gi0/7 AuditSessionID 0A010A070000003100EE1DEA
%EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.55d0.0d56| AuditSessionID 0A010A070000003100EE1DEA| AUTHTYPE DOT1X| EVENT APPLY
%EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.55d0.0d56| AuditSessionID 0A010A070000003100EE1DEA| AUTHTYPE DOT1X| EVENT IP-WAIT
%AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.55d0.0d56) on Interface Gi0/7 AuditSessionID 0A010A070000003100EE1DEA
// Note that there is no ACL download in this case. This is because the ACL of the same name has been already downloaded in the previous steps (IP Phone authorization).
dot1x-ev(Gi0/7): Received Authz Success for the client 0xC300005B (0026.55d0.0d56) dot1x-ev(Gi0/7): Sending EAPOL packet to 0026.55d0.0d56
dot1x-ev(Gi0/7): Role determination not required dot1x-ev(Gi0/7): Sending out EAPOL packet
RADIUS/ENCODE(00000036):Orig. component type = DOT1X RADIUS(00000036): Config NAS IP: 10.1.10.7
RADIUS(00000036): sending
// RADIUS accounting message is sent
RADIUS(00000036): Send Accounting-Request to 172.31.1.20:1813 id 1646/27, len 282 RADIUS: authenticator 7F 96 5F 1E FA 14 C5 4A - 7F 46 CA 57 CD 62 E1 46
RADIUS: Acct-Session-Id [44] 10 "00000036"
RADIUS: Vendor, Cisco [26] 49
RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A010A070000003100EE1DEA"
RADIUS: User-Name [1] 11 "employee1"
RADIUS: Called-Station-Id [30] 19 "C4-64-13-6C-E8-07"
RADIUS: Calling-Station-Id [31] 19 "00-26-55-D0-0D-56"
RADIUS: Class [25] 50 RADIUS(00000036): Started 5 sec timeout
RADIUS: Received from id 1646/27 172.31.1.20:1813, Accounting-response, len 20 RADIUS: authenticator 10 CE B8 8F 9C 12 10 FA - A5 76 EF 72 17 01 E7 94 RADIUS/ENCODE(00000036):Orig. component type = DOT1X
RADIUS(00000036): Config NAS IP: 10.1.10.7 RADIUS(00000036): sending
%EPM-6-IPEVENT: IP 10.1.10.104| MAC 0026.55d0.0d56| AuditSessionID 0A010A070000003100EE1DEA| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
%EPM-6-POLICY_APP_SUCCESS: IP 10.1.10.104| MAC 0026.55d0.0d56| AuditSessionID
0A010A070000003100EE1DEA| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406| RESULT SUCCESS
%EPM-6-IPEVENT: IP 10.1.10.104| MAC 0026.55d0.0d56| AuditSessionID 0A010A070000003100EE1DEA| AUTHTYPE DOT1X| EVENT IP-RELEASE
%EPM-6-IPEVENT: IP 10.1.10.104| MAC 0026.55d0.0d56| AuditSessionID 0A010A070000003100EE1DEA| AUTHTYPE DOT1X| EVENT IP-WAIT
%EPM-6-IPEVENT: IP 10.1.10.104| MAC 0026.55d0.0d56| AuditSessionID 0A010A070000003100EE1DEA| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
%EPM-6-POLICY_APP_SUCCESS: IP 10.1.10.104| MAC 0026.55d0.0d56| AuditSessionID
0A010A070000003100EE1DEA| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406| RESULT SUCCESS
// check out authentication sessions on the port. You should see two separate domains (VOICE and DATA) each authenticated separately.
SW1#sh auth sess int g0/7
Interface: GigabitEthernet0/7
Common Session ID: 0A010A070000003100EE1DEA Acct Session ID: 0x00000036
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406 Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A010A070000002F00ED9839 Acct Session ID: 0x00000034
Handle: 0x3500002F
Runnable methods list:
Method State dot1x Failed over mab Authc Success