[ScreenOS] How to interpret the output of debug dot1x all logs

  [KB20903]


Summary:
This article provides information on how to interpret the output of 'debug dot1x all' logs.
Symptoms:
This article identifies the messages to look for when debugging 802.1X authentication issues.

Environment:

A customer has configured 802.1X for authentication, which passes EAP-TLS messages in Ethernet frames. The customer is using a RADIUS server to authenticate users.

set auth-server "RADIUS" radius port 1812
set auth-server "RADIUS" radius secret <secret>
set auth radius accounting port 1646
set auth-server "RADIUS" account-type xauth 802.1X
set interface ethernet0/2 dot1x
set interface ethernet0/2 dot1x control-mode interface
set interface ethernet0/2 dot1x max-user 1
set interface ethernet0/2 dot1x reauth-period 10
set interface ethernet0/2 dot1x auth-server RADIUS

Solution:
Below is the output of 'debug dot1x all' and 'debug auth radius'. The text after each '-->' is an explanatory annotation, not part of the device output.
## 2011-04-07 21:53:41 : [1X] eap signal enqueue success. type 1
## 2011-04-07 21:53:41 : [1X] eap low layer event trigger
## 2011-04-07 21:53:41 : [1X] eap signal dequeue success. type 1
## 2011-04-07 21:53:41 : [1X|PAK] rx eap packet, code 2 id 7 len 1492 type 13 --> EAP packet being received
## 2011-04-07 21:53:41 : [1X|SESS] search if ethernet0/2 host 0016d4ee17e1 nsrp_id 0 in db --> searching for the dot1x session
## 2011-04-07 21:53:41 : [1X|FSM] state IDLE2->RECEIVED2, eap_sess 1 host 0016d4ee17e1 if ethernet0/2
## 2011-04-07 21:53:41 : [1X|FSM] state RECEIVED2->AAA_REQUEST, eap_sess 1 host 0016d4ee17e1 if ethernet0/2 --> request for authentication being received from the client
## 2011-04-07 21:53:41 : [1x|AS] aaa client tx q enqueue, eap_sess 1
## 2011-04-07 21:53:41 : [1X|AS] aaac tx event trigger
## 2011-04-07 21:53:41 : [1X|AS] start to build radius packet, eap_sess 1 --> authentication module is triggered

[1X|PAK] Radius packet built
code 1 id 7 length 1663
## 2011-04-07 21:53:41 : [1X|AS] radius packet sent to 10.10.10.122:1812 --> request sent to RADIUS
## 2011-04-07 21:53:41 : [1X|AS] radius client send to 10.10.10.122:1812. sock 91 ret 0
## 2011-04-07 21:53:41 : [1X|AS] recv radius packet from 10.10.10.122, len 69
## 2011-04-07 21:53:41 : [1X|PAK] radius recv a packet, len 69 type ACCESS_CHALLENGE --> receiving response from the server
04306c10: 0b 07 00 45 1a 38 20 a4 6f db 7f db 18 55 d2 8b ...E.8.. o....U..
04306c20: 1b 54 4e 1d 18 11 53 42 52 2d 43 48 20 31 33 31 .TN...SB R-CH.131
04306c30: 34 37 7c 37 00 4f 08 01 08 00 06 0d 00 1b 06 00 47|7.O.. ........
04306c40: 00 00 1e 50 12 e1 d5 93 ad 9e 31 b2 11 d7 4e 69 ...P.... ..1...Ni
04306c50: 00 b6 11 1a 52 ....R
## 2011-04-07 21:53:41 : [1X|AV] rc_avpair_gen: received attribute 24
## 2011-04-07 21:53:41 : [1X|AV] rc_avpair_gen: received attribute 79
+++++++++++++++++++++++++++
RADIUS packet recv attributes:
State:(SBR-CH 13147|7\00)
EAP-Message:(\01\08\00\06\0D\00)
Session-Timeout:(30)
Message-Authenticator:(\E1\D5\93\AD\9E\31\B2\11\D7\4E\69\00\B6\11\1A\52)
+++++++++++++++++++++++++++
## 2011-04-07 21:53:41 : [1X|FSM] state AAA_IDLE->AAA_RESPONSE, eap_sess 1 host 0016d4ee17e1 if ethernet0/2 --> sending response to the client
## 2011-04-07 21:53:41 : [1X|FSM] state AAA_RESPONSE->SEND_REQUEST2, eap_sess 1 host 0016d4ee17e1 if ethernet0/2
## 2011-04-07 21:53:41 : [1X|FSM] state SEND_REQUEST2->IDLE2, eap_sess 1 host 0016d4ee17e1 if ethernet0/2
## 2011-04-07 21:53:41 : [1X|PAK] Rx EAPOL packet, ver 1 type 0 len 253
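
The ACCESS_CHALLENGE hex dump above can be decoded by hand to confirm the attributes the device prints (State, EAP-Message, Session-Timeout, Message-Authenticator). The following Python sketch is an added example, not part of the original article or of ScreenOS; the function names are hypothetical, and the packet bytes are copied from the dump above.

```python
import struct

# Bytes copied from the ACCESS_CHALLENGE hex dump above (address/ASCII columns dropped).
DUMP_HEX = """
0b 07 00 45 1a 38 20 a4 6f db 7f db 18 55 d2 8b
1b 54 4e 1d 18 11 53 42 52 2d 43 48 20 31 33 31
34 37 7c 37 00 4f 08 01 08 00 06 0d 00 1b 06 00
00 00 1e 50 12 e1 d5 93 ad 9e 31 b2 11 d7 4e 69
00 b6 11 1a 52
"""
CODES = {1: "ACCESS_REQUEST", 2: "ACCESS_ACCEPT", 3: "ACCESS_REJECT", 11: "ACCESS_CHALLENGE"}
ATTRS = {24: "State", 27: "Session-Timeout", 79: "EAP-Message",
         80: "Message-Authenticator"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_radius(raw):
    """Decode the RADIUS header and attribute TLVs; reject bad lengths."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if not 20 <= length <= len(raw):
        raise ValueError("header length does not match the received data")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or raw[pos + 1] < 2 or pos + raw[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = raw[pos], raw[pos + 1]
        attrs.append((ATTRS.get(atype, str(atype)), raw[pos + 2:pos + alen]))
        pos += alen
    return {"code": CODES.get(code, str(code)), "id": ident,
            "length": length, "attrs": attrs}

def parse_eap(attrs):
    """Join the EAP-Message attributes and decode the EAP header."""
    msg = b"".join(v for name, v in attrs if name == "EAP-Message")
    if len(msg) < 4:
        raise ValueError("no complete EAP header present")
    code, ident, length = struct.unpack("!BBH", msg[:4])
    eap = {"code": EAP_CODES.get(code, str(code)), "id": ident, "length": length}
    if code in (1, 2) and len(msg) >= 5:
        eap["type"] = msg[4]  # 13 is EAP-TLS, the "type 13" seen in the log
    return eap

PACKET = parse_radius(bytes.fromhex("".join(DUMP_HEX.split())))
EAP = parse_eap(PACKET["attrs"])

if __name__ == "__main__":
    print(PACKET, EAP)
```

The decoded EAP-Message is a Request of type 13 (EAP-TLS) with id 8, a flags byte of 0 and no TLS data, which is consistent with the server acknowledging the 1492-byte EAP-TLS fragment received from the client (RFC 5216 fragment ACK).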