Hi,
On the C9x00 Series, you need to create Policy Maps and assign them to the port. Here is an example of what we have deployed:
policy-map type control subscriber CLEARPASS_POLICY_MAP
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
   20 authenticate using mab priority 20
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  20 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  40 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
Then, in the interface, the configuration looks something like this:
interface GigabitEthernet1/0/1
 description None
 switchport access vlan 999
 switchport mode access
 switchport voice vlan
 XYZdevice-tracking attach-policy policy-og
 authentication periodic
 authentication timer reauthenticate server
 access-session closed
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout server-timeout 30
 dot1x max-req 3
 dot1x max-reauth-req 3
 spanning-tree portfast
 service-policy type control subscriber CLEARPASS_POLICY_MAP
------------------------------
Shpat | MVP 2021 | ACEP | ACMP | ACCP | ACDP |
------------------------------
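One way to audit a switch running-config for the per-port pieces the reply above describes (an `access-session port-control auto` line plus an attached control-subscriber policy, with the old `authentication order/priority/port-control/host-mode` lines gone). This is an added Python example, not code from either post; the sample config, the `REQUIRED` and `LEGACY` command lists and the function names are assumptions, and it checks only the interface lines, not the policy map itself.

```python
# Constructed sample running-config (not from the thread): port 1 is still on the
# legacy "authentication ..." style, port 2 on the policy-map style from the reply.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport mode access
 access-session port-control auto
 mab
 dot1x pae authenticator
 service-policy type control subscriber CLEARPASS_POLICY_MAP
!
"""
# Lines an authenticating port needs in the policy-map (IBNS 2.0) style.
REQUIRED = ("access-session port-control auto",
            "service-policy type control subscriber ")
# Legacy-style commands the policy map / access-session lines replace (assumption:
# 'authentication periodic' and 'authentication timer' stay valid, so not listed).
LEGACY = ("authentication order ", "authentication priority ",
          "authentication port-control ", "authentication host-mode ")
def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} from IOS-style text."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            blocks[current] = []
        elif line == "!":
            current = None
        elif current is not None and line:
            blocks[current].append(line)
    return blocks
def audit_dot1x_ports(config):
    """Map each dot1x/MAB port to the new-style lines it lacks and legacy lines it keeps."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if not any(l in ("dot1x pae authenticator", "mab") for l in lines):
            continue  # not an authenticating port, nothing to check
        missing = [r.strip() for r in REQUIRED if not any(l.startswith(r) for l in lines)]
        legacy = [l for l in lines if l.startswith(LEGACY)]
        if missing or legacy:
            findings[name] = {"missing": missing, "legacy": legacy}
    return findings
```

Run `audit_dot1x_ports(open("running-config.txt").read())` against a saved `show running-config`; only ports that need attention appear in the result.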
Original Message:
Sent: Mar 20, 2022 06:09 PM
From: Michael McNeely
Subject: Clearpass Cisco 9300 Client timeout
Over the last 2 days, I swapped out an older Cisco switch with a new Cisco 9300. I have added the config for dot1x authentication. When I add the config to the switch ports for client auth, I am getting authentication failed due to client timeout, no response from the client.
I have verified the config for the switch on the Clearpass server is correct. I have checked my config on the switch so many times. I deleted the config and re-added with no change. Here is my switch config:
Global config
aaa group server radius RASERV
 server name RASERV-1
 server name RASERV-6
aaa authentication dot1x default group RASERV
aaa authorization network default group RASERV
aaa accounting dot1x default start-stop group RASERV
aaa server radius dynamic-author
 client 10.15.64.218 server-key Aruba123!
 client 10.8.8.84 server-key Aruba123!
 port 3799
 auth-type all
radius server RASERV-1
 address ipv4 10.15.64.218 auth-port 1645 acct-port 1646
 key Aruba123!
radius server RASERV-6
 address ipv4 10.8.8.84 auth-port 1645 acct-port 1646
 key Aruba123!
Port config
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation protect
 mab
 storm-control broadcast level 5.00
 dot1x pae authenticator
 dot1x timeout server-timeout 10
 dot1x timeout tx-period 10
Do any of you smart people have any suggestions? Also, I have searched everything I can and have not found where anyone else has posted the same issue.
Thanks in advance
------------------------------
Michael McNeely
------------------------------