Troubleshooting 802.1X Issues
This chapter describes how to identify and resolve problems related to 802.1x configuration.
This chapter includes the following sections:
VSM Debugs
The following debug commands can be used on the VSM to enable debugging for the 802.1x module. Table 30-1 lists the VSM debug commands.
Table 30-1 VSM Debug Commands

Command | Description
--- | ---
debug dot1x config-trace | Configures debugging of dot1x configuration trace
debug dot1x demux | Configures debugging of dot1x message demux
debug dot1x deque | Configures debugging of dot1x message deque
debug dot1x errors | Configures debugging of dot1x errors
debug dot1x events | Configures debugging of system events
debug dot1x ha | Configures debugging of dot1x HA
debug dot1x mts | Configures debugging of MTS Tx/Rx packets
debug dot1x packets | Configures debugging of dot1x packets
debug dot1x state-machine | Configures debugging of dot1x FSM and events
debug dot1x trace | Configures debugging of dot1x trace
debug dot1x warnings | Configures debugging of dot1x warnings
debug dot1x all | Configures debugging for all of the above in a single shot
Note: Debugs can be redirected to a file with the debug logfile filename command. The file is stored in the log: directory. Enable the log file before enabling the debug commands; otherwise, the debugs are redirected to the terminal if terminal monitor is enabled.
Note: Optionally, increase the syslog level for the Dot1X process with the config command logging level dot1x <>. Logs can be viewed with the show logging command.
Host and VEM Debugs and Logging
Table 30-2 lists the Host and VEM debug and logging commands.
Table 30-2 Host/VEM Debugs and Logging Commands

Command | Description
--- | ---
echo debug sfdot1x_agent all > /tmp/dpafifo | Enables debug for Dot1X DPA
echo debug sfportagent all > /tmp/dpafifo | Enables debug for Port DPA
echo debug sfcdmagent all > /tmp/dpafifo | Enables debug for CDM DPA
echo debug sfbdagent all > /tmp/dpafifo | Enables debug for Bridge-Domain DPA
vemlog debug sfdot1x all | Enables debugs for Dot1x and Auth processing in the DP
vemlog debug sfdot1x_pod all | Enables debugging for Dot1x internal port opaque data processing in the DP
vemlog debug sfbase all | Enables debugging for base APIs
vemlog debug sfbd all; vemlog debug sfport all; vemlog debug sfporttable all; vemlog debug sfnotify all; vemlog debug sfattachnotify all; vemlog debug sfattach all; vemlog debug sfportnotify all; vemlog debug sfport_orch all | Set of commands to enable debugs for port events, attach/detach notifications, and bridge domain
vemcmd show dot1x | Shows dot1x information for all Dot1x-enabled ports
vemcmd show dot1x ltl <> | Shows detailed dot1x information for the specified LTL
vemcmd show dot1x stats ltl <> | Shows dot1x statistics for the specified LTL
Note: To enable DPA logs, first use echo logfile enable > /tmp/dpafifo. All DPA output is redirected to the /var/log/vemdpa.log file.
Note: To enable DP logs, first use the vemlog start command. Use the vemlog show all command to show all of the output. You can clear old logs with the vemlog clear command and stop logging with the vemlog stop command.
VSM Show and Test Commands
Table 30-3 lists the VSM show and test commands.
Table 30-3 VSM Show and Test Commands

Command | Description
--- | ---
show feature | Displays feature details with status in the system. Helps in checking whether the 'Dot1X' feature is enabled
show dot1x | Displays dot1x global information
show dot1x interface vethernet <> [details\|statistics\|summary] | Displays dot1x information for the specified vEth interface
show dot1x all [details\|statistics\|summary] | Displays dot1x information for all 802.1x-enabled vEth interfaces
show running-config dot1x [all] | Displays the dot1x running configuration
show startup-config dot1x [all] | Displays the dot1x startup configuration
show radius-server [groups\|statistics <IP>] | Displays the RADIUS server details configured in the system for the specified options
show aaa authentication | Displays AAA authentication information
show aaa authorization | Displays AAA authorization information
show aaa accounting | Displays AAA accounting information
show running-config aaa | Displays the AAA running configuration
show running-config radius | Displays the RADIUS running configuration
test aaa group <AAA GROUP> <AAA USERNAME> <AAA PASSWORD> | Test command to check that the AAA user and group authenticate from the VSM
test aaa server radius <DNS or IP addr of Server> <AAA USERNAME> <AAA PASSWORD> | Test command to check that the AAA user and group authenticate from the VSM against the specified RADIUS server
Common Problem Scenarios with 802.1X and Basic Troubleshooting
This section includes symptoms, possible causes, and solutions for the following problems with 802.1X on the Nexus 1000v. Table 30-4 lists basic 802.1X troubleshooting scenarios:
Table 30-4 Basic Troubleshooting Scenarios

Symptom: 802.1x-enabled vEth port is not coming up

Possible cause: Supplicant is not running on the connected VM
Verification and solution: Check whether an 802.1x supplicant is running on the Virtual Machine (VM) interface connected to this vEth. On Linux-based VMs, wpa_supplicant is typically the supplicant application and /etc/wpa_supplicant/wpa_supplicant.conf is its default configuration file; make sure the supplicant process is running. On Windows, enable 802.1X authentication on the corresponding port. Whenever the supplicant configuration file is changed, restart the supplicant process so that the new configuration takes effect.

Possible cause: AAA credentials
Verification and solution: Check that the credentials in the VM supplicant configuration are correct. Also check that the credentials are correct for the particular AAA group and user with the test aaa group <AAA GROUP> <AAA-USERNAME> <AAA-PASSWORD> command. If the test command fails, the problem is in the AAA/RADIUS configuration on the VSM or on the server.

Possible cause: RADIUS server reachability
Verification and solution: Check the syslogs for any error about reachability or about not getting a response from the RADIUS server, such as "%RADIUS-3-RADIUS_ERROR_MESSAGE: RADIUS server <> failed to respond". If the logs show this message, either there is a connectivity problem or the RADIUS server is not responding to the request within the expected time. Check that the RADIUS server is reachable and test the credentials from the VSM with the test aaa server radius <DNS or IP address of Server> <AAA-USERNAME> <AAA-PASSWORD> command. If the test command fails, the problem is in the AAA/RADIUS configuration on the VSM or on the server.

Symptom: Dot1x port status shows UNAUTHORIZED

Possible cause: Credentials and configuration
Verification and solution:
a) Check the details with the show dot1x interface vethernet <> details command.
b) Check that the credentials are correct for the supplicant. You can also check the credentials of the supplicant user(s) with the test aaa command from the VSM.
Recovery:
(1) Try manually re-authenticating the port with the dot1x re-authenticate interface vethernet <> command and check whether the port recovers.
(2) Try manually re-initializing the Dot1X state machine on the port with the dot1x initialize interface vethernet <> command and check whether the port recovers.
(3) Perform a shutdown and no shutdown on the interface.
Refer to the N1000v Configuration Guide and check whether any 802.1X-related configuration is missing from the system. If the port still does not recover, temporarily move the vEthernet port to a non-802.1x port-profile, which comes up without 802.1x, collect the output of the dot1x show commands, and contact the Cisco Support team for assistance.

Symptom: Traffic not passing through 802.1x-enabled port

Possible cause: Port may be in blocking state
Verification and solution:
a) Check that the port is in the UP and AUTHORIZED state on the VSM.
b) Check that the VEM port status is FWD. Log in to the host for the corresponding vEth port and run the vemcmd show port, vemcmd show port vlans, and vemcmd show dot1x commands. Verify that the corresponding vEthernet interface is in the FWD state and authorized.
c) Check that the respective VLAN is active in the system.
If traffic is still not passing, try the recovery methods mentioned in the previous case and contact the Cisco Support team for assistance.
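As an added example that is not part of this guide, the following Python script applies the RADIUS reachability check from Table 30-4 to saved show logging output: it parses the %RADIUS-3-RADIUS_ERROR_MESSAGE lines quoted above, counts timeouts per server, and flags servers whose repeated failures point to a connectivity or availability problem worth confirming with test aaa server radius. The log lines, hostname and server addresses are constructed samples; the 3-timeout threshold is an assumption.

```python
import re
from datetime import datetime

# NX-OS syslog line: "<YYYY Mon DD HH:MM:SS> <hostname> %FACILITY-SEV-MNEMONIC: text".
# The RADIUS message is the one quoted in Table 30-4; the server field is the
# address the VSM prints where the table shows "<>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"%RADIUS-3-RADIUS_ERROR_MESSAGE: RADIUS server (?P<server>\S+) failed to respond"
)
TS_FMT = "%Y %b %d %H:%M:%S"

# Constructed sample of 'show logging' output (not captured from a real VSM).
SAMPLE_LOG = """\
2013 Mar 12 10:01:05 n1kv-vsm %RADIUS-3-RADIUS_ERROR_MESSAGE: RADIUS server 192.0.2.10 failed to respond
2013 Mar 12 10:01:20 n1kv-vsm %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by admin on console0
2013 Mar 12 10:01:35 n1kv-vsm %RADIUS-3-RADIUS_ERROR_MESSAGE: RADIUS server 192.0.2.10 failed to respond
2013 Mar 12 10:02:05 n1kv-vsm %RADIUS-3-RADIUS_ERROR_MESSAGE: RADIUS server 192.0.2.11 failed to respond
2013 Mar 12 10:02:40 n1kv-vsm %RADIUS-3-RADIUS_ERROR_MESSAGE: RADIUS server 192.0.2.10 failed to respond
"""


def radius_timeouts(log_text):
    """Return {server: {"count": n, "first": datetime, "last": datetime}}
    for every RADIUS 'failed to respond' event found in the log text."""
    stats = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line, skip it
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        entry = stats.setdefault(m.group("server"), {"count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return stats


def unreachable_servers(log_text, threshold=3):
    """Servers with at least `threshold` timeouts (assumed cut-off): treat these as
    a connectivity or server-availability problem rather than a one-off, and
    confirm them with 'test aaa server radius ...' from the VSM."""
    stats = radius_timeouts(log_text)
    return sorted(s for s, e in stats.items() if e["count"] >= threshold)


if __name__ == "__main__":
    for server, e in radius_timeouts(SAMPLE_LOG).items():
        span = (e["last"] - e["first"]).total_seconds()
        print(f"{server}: {e['count']} timeouts over {span:.0f}s")
    print("confirm with test aaa server radius:", unreachable_servers(SAMPLE_LOG))
```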