Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass with Cisco switches MAB auth

  • 1.  Clearpass with Cisco switches MAB auth

    Posted Feb 23, 2018 09:40 AM

    Hi all,

    I have a possible client which has a mixed Cisco / HPE switch infrastructure.

    I got 3 Cisco switches from the client, and all Cisco switches fail with ClearPass MAC authentication.

    ClearPass throws a 209 error:

    Error Code: 209
    Error Category: Authentication failure
    Error Message: No password in request
    Alerts for this Request:
    RADIUSMAC_AUTH: No password in request. Not attempting MAC authentication
    Cannot select appropriate authentication method

    Cisco 3750X configuration

    Switch#show running-config
    Building configuration...

    Current configuration : 4281 bytes
    !
    ! Last configuration change at 12:01:50 UTC Fri Feb 23 2018 by admin
    ! NVRAM config last updated at 10:06:05 UTC Fri Feb 23 2018 by admin
    !
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Switch
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$ykzb$3mQhJsjo/dCTptF5AN5j40
    !
    username admin privilege 15 password 0 admin
    !
    !
    aaa new-model
    !
    !
    aaa authentication login testas local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    !
    !
    !
    aaa session-id common
    switch 2 provision ws-c3750x-24
    system mtu routing 1500
    !
    !
    ip domain-lookup source-interface Vlan177
    ip name-server 8.8.8.8
    !
    !
    crypto pki trustpoint TP-self-signed-4086047360
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-4086047360
     revocation-check none
     rsakeypair TP-self-signed-4086047360
    !
    !
    crypto pki certificate chain TP-self-signed-4086047360
     certificate self-signed 01
      3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 34303836 30343733 3630301E 170D3933 30333031 30303031
      32355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30383630
      34373336 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100ADD8 21B767E5 7B4BDB3B F4F6DBE3 E4EF7D22 80F440CF EC6A3412 AE5DC72E
      8AD6CE76 84D8C9DC B19664C6 6D677143 FE1EF96D C544A3AE F29C99F6 E508F11E
      CD1CC649 ED610A15 0CFCEE8F 05B1CE32 1C0EB3B4 18B673F3 A5F08512 89FBBF9E
      5D3FD3D3 CCC19BDA E7D81BBD 520F189B 32471928 9F096AAD A7171EAA A3418E71
      B6770203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
      551D1104 0B300982 07537769 7463682E 301F0603 551D2304 18301680 144DE7D5
      C032F8D6 6D038B0E 26BE1F5B 827C338B 2F301D06 03551D0E 04160414 4DE7D5C0
      32F8D66D 038B0E26 BE1F5B82 7C338B2F 300D0609 2A864886 F70D0101 04050003
      81810009 25834ED0 40D5E759 B7830546 619C7EE3 F2404CA4 95B436DE 2A391A44
      3E9EC6EF DC8A86CB 83EEE40F 562FC198 38669771 972BC08D B4728177 80788EBA
      1878114B FB87B175 E86024B3 FCA46B3F 266E35E3 6DAD1C60 BEE10020 BDDA022A
      951E996C 17C9CA7E A1DFB1ED 7C1BC8C6 46F3F871 603942F5 5C18F03D 7E114819 C4AB86
      quit
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    !
    !
    !
    vlan internal allocation policy ascending
    !
    !
    !
    interface FastEthernet0
     no ip address
     shutdown
    !
    interface GigabitEthernet2/0/1
     switchport mode access
     authentication port-control auto
     dot1x pae authenticator
    !
    interface GigabitEthernet2/0/2
     switchport mode access
     authentication port-control auto
     mab eap
    !
    interface GigabitEthernet2/0/3
    !
    interface GigabitEthernet2/0/4
    !
    interface GigabitEthernet2/0/5
    !
    interface GigabitEthernet2/0/6
    !
    interface GigabitEthernet2/0/7
    !
    interface GigabitEthernet2/0/8
    !
    interface GigabitEthernet2/0/9
    !
    interface GigabitEthernet2/0/10
    !
    interface GigabitEthernet2/0/11
    !
    interface GigabitEthernet2/0/12
    !
    interface GigabitEthernet2/0/13
    !
    interface GigabitEthernet2/0/14
    !
    interface GigabitEthernet2/0/15
    !
    interface GigabitEthernet2/0/16
    !
    interface GigabitEthernet2/0/17
    !
    interface GigabitEthernet2/0/18
    !
    interface GigabitEthernet2/0/19
    !
    interface GigabitEthernet2/0/20
    !
    interface GigabitEthernet2/0/21
    !
    interface GigabitEthernet2/0/22
    !
    interface GigabitEthernet2/0/23
    !
    interface GigabitEthernet2/0/24
     switchport trunk encapsulation dot1q
     switchport mode trunk
     switchport nonegotiate
    !
    interface GigabitEthernet2/1/1
    !
    interface GigabitEthernet2/1/2
    !
    interface GigabitEthernet2/1/3
    !
    interface GigabitEthernet2/1/4
    !
    interface TenGigabitEthernet2/1/1
    !
    interface TenGigabitEthernet2/1/2
    !
    interface Vlan1
     no ip address
     shutdown
    !
    interface Vlan177
     ip address 192.168.77.94 255.255.255.0
    !
    ip default-gateway 192.168.77.1
    ip classless
    ip http server
    ip http secure-server
    !
    snmp-server community testas RW
    radius-server host 192.168.77.80 auth-port 1812 acct-port 1813 key testas
    !
    !
    line con 0
    line vty 0 4
     login authentication testas
     transport input telnet
     transport output telnet
    line vty 5 15
    !
    ntp clock-period 36027705
    ntp server 91.207.136.55
    end

     

    ClearPass configuration

    Maybe anyone has some ideas how to resolve this? Maybe my Cisco switch configuration is bad, or does the ClearPass configuration need any additional configuration?

    Maybe the MAB request format should be changed?

    Please help, it's possibly a large deal for me :)

    If someone has any ideas I can add the full ClearPass configuration.

    Attachment(s): DashboardDetails.zip (6 KB)
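Added example (editor's code, not part of the thread and not from any Aruba or Cisco document): a small Python model of the RADIUS exchange behind error 209. It builds the Access-Request a Cisco IOS port sends for MAB in its two modes, plain `mab` (PAP: the MAC is sent as User-Name and again as a hidden User-Password) and `mab eap` as configured on Gi2/0/2 above (the first packet carries an EAP-Message and a Message-Authenticator and no User-Password at all), and runs each through a checker that makes the same decision the Access Tracker reports ("No password in request. Not attempting MAC authentication"). The shared secret `testas` and the NAS address 192.168.77.94 are taken from the posted config; the MAC 0050.56b7.1a2b, the Calling-Station-Id format and the fixed Request Authenticator are constructed sample values; attribute encodings follow RFC 2865 and RFC 2869.

```python
# Added example, not code from the thread: a model of the RADIUS Access-Request a
# Cisco IOS port sends for MAB, and the check behind ClearPass error 209.
# Constructed values: secret "testas" and NAS 192.168.77.94 (from the posted
# config), MAC 0050.56b7.1a2b, Calling-Station-Id format, Request Authenticator.
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
CALLING_STATION_ID, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 31, 79, 80
SERVICE_TYPE_CALL_CHECK = 10          # Cisco marks MAB requests with this value
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def cisco_mab_username(mac: str) -> str:
    """Default Cisco MAB User-Name: the MAC as 12 lowercase hex digits, no separators."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: pad to 16-byte blocks and XOR each block
    with MD5(secret + previous cipher block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; anyone holding the shared secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def access_request(attrs, authenticator: bytes, identifier: int = 1) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse(packet: bytes):
    """Return (code, authenticator, {type: [values]}) for a RADIUS packet."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, authenticator, attrs


def _common_attrs(mac: str):
    digits = cisco_mab_username(mac)
    dashed = "-".join(digits[i:i + 2] for i in range(0, 12, 2))  # assumed Calling-Station-Id format
    return [attribute(USER_NAME, digits.encode()),
            attribute(NAS_IP_ADDRESS, bytes([192, 168, 77, 94])),
            attribute(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)),
            attribute(CALLING_STATION_ID, dashed.encode())]


def mab_request_pap(mac: str, secret: bytes, authenticator: bytes) -> bytes:
    """Plain `mab`: User-Password carries the MAC, hidden with the shared secret."""
    hidden = hide_password(cisco_mab_username(mac).encode(), secret, authenticator)
    return access_request(_common_attrs(mac) + [attribute(USER_PASSWORD, hidden)], authenticator)


def mab_request_eap(mac: str, secret: bytes, authenticator: bytes) -> bytes:
    """`mab eap`: the first packet is an EAP-Response/Identity plus Message-Authenticator,
    with no User-Password at all (the MAC would only be proven later inside EAP-MD5)."""
    identity = cisco_mab_username(mac).encode()
    eap = struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + len(identity), EAP_TYPE_IDENTITY) + identity
    attrs = _common_attrs(mac) + [attribute(EAP_MESSAGE, eap), attribute(MESSAGE_AUTHENTICATOR, bytes(16))]
    packet = access_request(attrs, authenticator)
    # RFC 2869 s5.14: HMAC-MD5 over the whole packet with the Message-Authenticator zeroed.
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def mac_auth_decision(packet: bytes, secret: bytes):
    """The decision behind "RADIUSMAC_AUTH: No password in request": MAC auth needs a
    User-Password that decrypts to the User-Name. Returns (accepted, reason)."""
    code, authenticator, attrs = parse(packet)
    if code != ACCESS_REQUEST or USER_NAME not in attrs:
        return False, "Not an Access-Request carrying a User-Name"
    username = attrs[USER_NAME][0]
    if USER_PASSWORD not in attrs:
        carried = "EAP-Message" if EAP_MESSAGE in attrs else "no credential"
        return False, f"No password in request ({carried} only). Not attempting MAC authentication"
    if reveal_password(attrs[USER_PASSWORD][0], secret, authenticator) != username:
        return False, "User-Password does not decrypt to User-Name (wrong shared secret or not a MAB client)"
    return True, f"MAC authenticated: {username.decode()}"


if __name__ == "__main__":
    auth, secret = bytes(range(16)), b"testas"
    for mode, build in (("mab", mab_request_pap), ("mab eap", mab_request_eap)):
        print(f"{mode:8}", mac_auth_decision(build("0050.56b7.1a2b", secret, auth), secret))
```

Run it with `python3` and the two lines show the difference the switch-side keyword makes: the PAP request is accepted, the `mab eap` request is rejected with the same wording as the Access Tracker. On the switch the corresponding change is on the access ports: replace `mab eap` with plain `mab` under Gi2/0/2, and add `mab` under Gi2/0/1 (with `authentication order dot1x mab` and `authentication priority dot1x mab` when both methods are wanted on one port), so ClearPass's [MAC AUTH] method gets the User-Password it needs. Two caveats worth keeping in mind: the User-Password hiding is a reversible MD5/XOR construction, so the RADIUS shared secret is the only thing protecting it (a short dictionary word like the `key testas` in the posted config is weak), and MAB only proves that a client presented a MAC address, so it should be paired with endpoint profiling or a known-endpoints check in ClearPass rather than treated as an identity.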


  • 2.  RE: Clearpass with Cisco switches MAB auth

    EMPLOYEE
    Posted Feb 23, 2018 09:42 AM


  • 3.  RE: Clearpass with Cisco switches MAB auth

    Posted Mar 05, 2018 03:26 AM

    Thank you, this doc solved my problems :)



  • 4.  RE: Clearpass with Cisco switches MAB auth