Diagnostic Commands and Tools


It is important to become familiar with and use the diagnostic commands on the switch to troubleshoot the AAA implementation on the switch. The following sections describe how to utilize the show and debug commands for switch management and port authentication.

Switch Management

If a switch runs Native IOS and is configured for AAA, the show and debug commands are the same as those for AAA on an IOS router, covered in Chapter 9, "Troubleshooting AAA on IOS Routers," so they are not repeated here. In hybrid mode, where the switch runs CatOS, show commands are used primarily to verify the configuration. Example 11-1 shows the output of show authentication with local login and enable authentication turned on.

Example 11-1. show authentication Command Output

CAT6509-Hybrid> (enable) show authentication
Login Authentication:  Console Session   Telnet Session    Http Session
---------------------  ----------------  ----------------  ----------------
tacacs                 disabled          disabled          disabled
radius                 disabled          disabled          disabled
kerberos               disabled          disabled          disabled
!The following line shows that local authentication is turned on for all types of access
!for login authentication
local                  enabled(primary)  enabled(primary)  enabled(primary)
attempt limit          3                 3                 -
lockout timeout (sec)  disabled          disabled          -

Enable Authentication: Console Session   Telnet Session    Http Session
---------------------- ----------------- ----------------  ----------------
tacacs                 disabled          disabled          disabled
radius                 disabled          disabled          disabled
kerberos               disabled          disabled          disabled
!The following line shows that enable authentication is turned on to use the local user
!database for all access methods
local                  enabled(primary)  enabled(primary)  enabled(primary)
attempt limit          3                 3                 -
lockout timeout (sec)  disabled          disabled          -
CAT6509-Hybrid> (enable)

The show localusers command verifies that local user accounts were created and shows each account's privilege level, as Example 11-2 illustrates. Note the Local User Authentication: disabled line in the output: the accounts exist but are not consulted for login until local user authentication is switched on (set localuser authentication enable); until then the switch keeps using the shared login and enable passwords.

Example 11-2. show localusers Command Output

CAT6509-Hybrid> (enable) set localuser user cisco password cisco123 privilege 15
Added local user cisco.
CAT6509-Hybrid> (enable) show localusers
Local User Authentication: disabled
Username                        Privilege Level
---------                       ---------------
cisco                           15
CAT6509-Hybrid> (enable)

To verify the TACACS+ (Terminal Access Controller Access-Control System Plus) configuration, execute the command shown in Example 11-3. Check three things in the output: that the tacacs method is actually enabled for the session types you expect (here it is disabled everywhere and local is primary, so the servers are never consulted), that the Tacacs key line is not blank (here it is, so a server configured with a shared secret rejects the requests), and that exactly one server is marked primary.

Example 11-3. show tacacs Command Output

CAT6509-Hybrid> (enable) show tacacs
Login Authentication:  Console Session   Telnet Session
---------------------  ----------------  ----------------
tacacs                 disabled          disabled
radius                 disabled          disabled
local                  enabled(primary)  enabled(primary)

Enable Authentication: Console Session   Telnet Session
---------------------- ----------------- ----------------
tacacs                 disabled          disabled
radius                 disabled          disabled
local                  enabled(primary)  enabled(primary)

Tacacs key:
Tacacs login attempts: 3
Tacacs timeout: 5 seconds
Tacacs direct request: disabled

Tacacs-Server                              Status
----------------------------------------   -------
10.1.1.1
10.1.1.2                                   primary
10.1.1.3
CAT6509-Hybrid> (enable)

Just like show tacacs, show radius displays the RADIUS configuration. Example 11-4 shows the output. The same checks apply (method enabled, key present, a primary server), plus the Auth-port column, which must match the port the RADIUS server listens on: 1812 here, although older servers still use 1645.

Example 11-4. show radius Command Output

CAT6509-Hybrid> (enable) show radius
Login Authentication:  Console Session   Telnet Session
---------------------  ----------------  ----------------
tacacs                 disabled          disabled
radius                 disabled          disabled
local                  enabled(primary)  enabled(primary)

Enable Authentication: Console Session   Telnet Session
---------------------- ----------------- ----------------
tacacs                 disabled          disabled
radius                 disabled          disabled
local                  enabled(primary)  enabled(primary)

Radius Deadtime:              0 minutes
Radius Key:
Radius Retransmit:            2
Radius Timeout:               5 seconds

Radius-Server                 Status     Auth-port
----------------------------- -------    ------------
20.1.1.1                      primary    1812
CAT6509-Hybrid> (enable)
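The checks described for Examples 11-3 and 11-4 are easy to apply by eye on one switch and tedious on fifty. The following Python script is an added example, not from the book and not a Cisco tool: it parses CatOS show tacacs / show radius output and reports the states that stop server-based authentication before any packet leaves the switch (method disabled for every session type, blank key, no server, no primary server). SHOW_TACACS is transcribed from Example 11-3; SHOW_TACACS_OK is a constructed variant assumed to be what the same switch shows after the key, primary server and login/enable methods are set. The field layout is taken from the two examples above; other CatOS releases may label lines differently.

```python
import re

# Constructed sample inputs (added example).  SHOW_TACACS is the body of Example 11-3
# with the prompt lines removed.  SHOW_TACACS_OK is assumed to be the same switch after
# "set tacacs key s3cret", "set tacacs server 10.1.1.2 primary",
# "set authentication login tacacs enable" and "set authentication enable tacacs enable".
SHOW_TACACS = """\
Login Authentication:  Console Session   Telnet Session
---------------------  ----------------  ----------------
tacacs                 disabled          disabled
radius                 disabled          disabled
local                  enabled(primary)  enabled(primary)
Enable Authentication: Console Session   Telnet Session
---------------------- ----------------- ----------------
tacacs                 disabled          disabled
radius                 disabled          disabled
local                  enabled(primary)  enabled(primary)
Tacacs key:
Tacacs login attempts: 3
Tacacs timeout: 5 seconds
Tacacs direct request: disabled
Tacacs-Server                              Status
----------------------------------------   -------
10.1.1.1
10.1.1.2                                   primary
10.1.1.3
"""

SHOW_TACACS_OK = """\
Login Authentication:  Console Session   Telnet Session
---------------------  ----------------  ----------------
tacacs                 enabled(primary)  enabled(primary)
local                  enabled           enabled
Enable Authentication: Console Session   Telnet Session
---------------------- ----------------- ----------------
tacacs                 enabled(primary)  enabled(primary)
local                  enabled           enabled
Tacacs key: s3cret
Tacacs timeout: 5 seconds
Tacacs-Server                              Status
----------------------------------------   -------
10.1.1.2                                   primary
"""

METHODS = ("tacacs", "radius", "kerberos", "local")


def parse_aaa_show(text):
    """Parse CatOS 'show tacacs' / 'show radius' output into:
    auth    -> {"login": {method: [state per session column]}, "enable": {...}}
    key     -> key as displayed ("" when the key line is blank, None when absent)
    servers -> [(ip, status)] in listed order; status is "primary" or "" """
    auth, section, key, servers, in_servers = {"login": {}, "enable": {}}, None, None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            continue                                  # blank line or dashed separator
        low = line.lower()
        if low.startswith("login authentication"):
            section, in_servers = "login", False
        elif low.startswith("enable authentication"):
            section, in_servers = "enable", False
        elif re.match(r"(tacacs|radius)\s+key:", low):
            key, section = line.split(":", 1)[1].strip(), None
        elif low.startswith(("tacacs-server", "radius-server")):
            in_servers, section = True, None
        elif in_servers:
            m = re.match(r"(\d+\.\d+\.\d+\.\d+)\s*(\S*)", line)
            if m:
                servers.append((m.group(1), m.group(2).lower()))
        elif section:
            fields = line.split()
            # Method rows read "tacacs  disabled  enabled(primary)"; lines such as
            # "Radius Deadtime: 0 minutes" start with a method name but are not rows.
            if fields[0].lower() in METHODS and len(fields) > 1 \
                    and fields[1].lower().startswith(("enabled", "disabled")):
                auth[section][fields[0].lower()] = fields[1:]
    return {"auth": auth, "key": key, "servers": servers}


def audit_aaa(text, proto):
    """Return (parsed, findings) for proto "tacacs" or "radius".  Each finding is a
    state that makes server-based authentication fail, or never be attempted."""
    parsed, findings = parse_aaa_show(text), []
    for phase in ("login", "enable"):
        states = parsed["auth"][phase].get(proto, [])
        if not any(s.lower().startswith("enabled") for s in states):
            findings.append(f"{proto} disabled for {phase} authentication on every "
                            f"session type: the server is never consulted for {phase}")
    if not parsed["key"]:
        findings.append(f"{proto} key is blank: a server configured with a shared "
                        f"secret will reject or silently drop these requests")
    if not parsed["servers"]:
        findings.append(f"no {proto} server configured")
    elif not any(status == "primary" for _, status in parsed["servers"]):
        findings.append(f"no {proto} server is marked primary")
    return parsed, findings


if __name__ == "__main__":
    for name, text in (("Example 11-3", SHOW_TACACS), ("corrected", SHOW_TACACS_OK)):
        print(name, audit_aaa(text, "tacacs")[1] or "no findings")
```

Run against Example 11-3 the audit reports three findings (tacacs disabled for login, disabled for enable, blank key); the constructed corrected output reports none. Feed show radius output with proto="radius" in the same way; the server table there carries an extra Auth-port column that the IP/status regex simply ignores.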

show authorization verifies the TACACS+ authorization configuration, as Example 11-5 illustrates. A Fallback of deny means that when the TACACS+ server cannot be reached, exec, enable and config-command authorization fail closed rather than open; confirm that this is what you want on the console before relying on it, because it is also what locks you out when the server is down.

Example 11-5. show authorization Command Output

CAT6509-Hybrid> (enable) show authorization
Telnet:
-------
            Primary   Fallback
            -------   --------
exec:       tacacs+   deny
enable:     tacacs+   deny
commands:
 config:    tacacs+   deny
 all:       -         -

Console:
--------
            Primary    Fallback
            -------    --------
exec:       tacacs+    deny
enable:     tacacs+    deny
commands:
 config:    tacacs+    deny
 all:       -          -
CAT6509-Hybrid> (enable)

Example 11-6 shows how to verify the accounting configuration with show accounting. Besides the per-event method and mode, the Overall Accounting Traffic counters tell you whether records are actually being produced; in stop-only mode a session generates a single Stop record when it ends, so a server that shows nothing for an active session is not necessarily a fault.

Example 11-6. show accounting Command Output

CAT6509-Hybrid> (enable) show accounting
Event     Method  Mode
-----     ------- ----
exec:     tacacs+ stop-only
connect:  tacacs+ stop-only
system:   tacacs+ stop-only
commands:
config:   -       -
all:      tacacs+ stop-only

TACACS+ Suppress for no username: enabled
Update Frequency: periodic, Interval = 120

Accounting information:
-----------------------
Active Accounted actions on tty0, User (null) Priv 0
Active Accounted actions on tty288091924, User (null) Priv 0

Overall Accounting Traffic:
           Starts   Stops  Active
           -----    -----  ------
Exec           0       0       0
Connect        0       0       0
Command        0       0       0
System         1       0       0
CAT6509-Hybrid> (enable)

As seen so far, the show commands are used primarily for configuration verification. The set trace command on the switch is the equivalent of the debug commands on the router and is very useful for troubleshooting AAA-related issues. However, before enabling tracing on the Catalyst, analyze the AAA server logs to find the reason for the failure; this is easier and less disruptive to the switch. The general form of the trace command on the switch is as follows, where 4 is the trace level used for AAA troubleshooting:

set trace {tacacs | radius | kerberos} 4

To turn tracing off, set the level back to 0:

set trace {tacacs | radius | kerberos} 0


Identity-Based Network Services (IBNS)

The show commands in the preceding section should be used in conjunction with the dot1x-specific show commands discussed in this section to troubleshoot port authentication issues. On Native IOS, use the following command to display 802.1x status and statistics:

show dot1x [all | interface interface-id | statistics [interface interface-id]] [ | {begin | exclude | include} expression]


To display the 802.1x administrative and operational status for the switch, use the show dot1x all privileged EXEC command (see Example 11-7). To display the status for a specific interface, use the show dot1x interface interface-id privileged EXEC command (see Example 11-8). show dot1x by itself, as the top of Example 11-7 shows, reveals whether 802.1x is globally enabled (Sysauthcontrol). If it is Disabled, the per-port dot1x configuration is not enforced and every port stays authorized, so check this line first.

Example 11-7. show dot1x all Command Output

Switch# show dot1x
! Shows that authentication control is enabled globally (dot1x system-auth-control).
Sysauthcontrol                    = Enabled
Dot1x Protocol Version            = 1
Dot1x Oper Controlled Directions  = Both
Dot1x Admin Controlled Directions = Both
Switch# show dot1x all
Dot1x Info for interface FastEthernet0/3
----------------------------------------------------
Supplicant MAC 00d0.b71b.35de
   AuthSM State      = CONNECTING
   BendSM State      = IDLE
! Following line indicates that the supplicant is not authenticated yet
PortStatus        = UNAUTHORIZED
MaxReq            = 2
HostMode          = Single
Port Control      = Auto
QuietPeriod       = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod      = 3600 Seconds
ServerTimeout     = 30 Seconds
SuppTimeout       = 30 Seconds
TxPeriod          = 30 Seconds
Guest-Vlan        = 0
Dot1x Info for interface FastEthernet0/7
----------------------------------------------------
! Following line indicates that the supplicant is not authenticated yet
PortStatus        = UNAUTHORIZED
MaxReq            = 2
! Following line indicates that the port is configured for multihost mode: once one
! supplicant authenticates, the port is authorized for every MAC address behind it, so
! a single MAC is not locked to the port. This is one way to get around a hub
! environment where several hosts may be connected, at the cost that the other hosts
! are never authenticated themselves.
HostMode          = Multi
Port Control      = Auto
QuietPeriod       = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod      = 3600 Seconds
ServerTimeout     = 30 Seconds
SuppTimeout       = 30 Seconds
TxPeriod          = 30 Seconds
Guest-Vlan        = 0
Switch#

Example 11-8. show dot1x interface fastethernet0/3 Command Output

Switch# show dot1x interface fastethernet 0/3
Supplicant MAC 00d0.b71b.35de
   AuthSM State      = AUTHENTICATED
   BendSM State      = IDLE
! This indicates that the authentication is successful
PortStatus        = AUTHORIZED
MaxReq            = 2
! The host mode is set to single, which means only the authenticated MAC address is
! allowed on this port. Other machines connected through a hub or an IP phone are
! treated as a security violation.
HostMode          = Single
Port Control      = Auto
! The following are the various timers relating to dot1x operation
QuietPeriod       = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod      = 3600 Seconds
ServerTimeout     = 30 Seconds
SuppTimeout       = 30 Seconds
TxPeriod          = 30 Seconds
Guest-Vlan        = 0
Switch#

To display 802.1x statistics for all interfaces, use the show dot1x statistics privileged EXEC command. To display 802.1x statistics for a specific interface, use show dot1x statistics interface interface-id, as Example 11-9 shows.

Example 11-9. show dot1x statistics interface fastethernet 0/3 Command Output

Switch# show dot1x statistics interface fastethernet 0/3
PortStatistics Parameters for Dot1x
--------------------------------------------
TxReqId = 15    TxReq = 0       TxTotal = 15
RxStart = 4     RxLogoff = 0    RxRespId = 1    RxResp = 1
RxInvalid = 0   RxLenErr = 0    RxTotal= 6
RxVersion = 1   LastRxSrcMac 00d0.b71b.35de
Switch#

Table 11-2 explains the statistics fields shown in Example 11-9. Read the counters as pairs: TxReqId against RxRespId tells you whether the supplicant answers the switch's identity requests at all, and TxReq against RxResp tells you whether the authentication server's challenges are reaching the port and being answered. In Example 11-9, 15 identity requests drew a single identity response and no server challenge was ever relayed (TxReq = 0), which points at the path between the switch and the server rather than at the supplicant's credentials.

Table 11-2. show dot1x statistics Field Descriptions

Field         Description
------------  --------------------------------------------------------------------------
TxReqId       Number of Extensible Authentication Protocol (EAP)-request/identity frames that have been sent
TxReq         Number of EAP-request frames (other than request/identity frames) that have been sent
TxTotal       Number of Extensible Authentication Protocol over LAN (EAPOL) frames of any type that have been sent
RxStart       Number of valid EAPOL-start frames that have been received
RxLogoff      Number of EAPOL-logoff frames that have been received
RxRespId      Number of EAP-response/identity frames that have been received
RxResp        Number of valid EAP-response frames (other than response/identity frames) that have been received
RxInvalid     Number of EAPOL frames that have been received and have an unrecognized frame type
RxLenErr      Number of EAPOL frames that have been received in which the packet body length field is invalid
RxTotal       Number of valid EAPOL frames of any type that have been received
RxVersion     Number of packets received in the 802.1x version 1 format
LastRxSrcMac  Source MAC address carried in the most recently received EAPOL frame
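The per-interface status of Example 11-8 and the counters of Example 11-9 are usually read together. The following Python script is an added example, not from the book or from Cisco: it parses both listings and turns them into a verdict (authorized, no supplicant answering, server silent, or rejected) plus the caveats a practitioner checks next, such as multi-host mode or a port that is not in Auto control. The counter reasoning is a troubleshooting heuristic based on the field meanings in Table 11-2, not a decode of the 802.1x state machines. Both sample inputs are transcribed from the two examples with the book's inline comments removed; the failure-mode variants in the usage note are constructed from them.

```python
import re

# Constructed sample inputs (added example): Examples 11-8 and 11-9 transcribed without
# the book's inline comments.
DOT1X_IFACE = """\
Supplicant MAC 00d0.b71b.35de
   AuthSM State      = AUTHENTICATED
   BendSM State      = IDLE
PortStatus        = AUTHORIZED
MaxReq            = 2
HostMode          = Single
Port Control      = Auto
QuietPeriod       = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod      = 3600 Seconds
ServerTimeout     = 30 Seconds
SuppTimeout       = 30 Seconds
TxPeriod          = 30 Seconds
Guest-Vlan        = 0
"""

DOT1X_STATS = """\
PortStatistics Parameters for Dot1x
--------------------------------------------
TxReqId = 15    TxReq = 0       TxTotal = 15
RxStart = 4     RxLogoff = 0    RxRespId = 1    RxResp = 1
RxInvalid = 0   RxLenErr = 0    RxTotal= 6
RxVersion = 1   LastRxSrcMac 00d0.b71b.35de
"""


def parse_dot1x_interface(text):
    """'show dot1x interface' output -> {field: value}.  The supplicant MAC may share
    a line with the first 'Key = Value' pair, as some listings print it."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"\s*Supplicant MAC\s+(\S+)\s*(.*)$", line)
        if m:
            info["Supplicant MAC"], line = m.group(1), m.group(2)
        m = re.match(r"\s*([A-Za-z][\w -]*?)\s*=\s*(.+?)\s*$", line)
        if m:
            info[m.group(1)] = m.group(2)
    return info


def parse_dot1x_statistics(text):
    """'show dot1x statistics interface' output -> {counter: int, 'LastRxSrcMac': str}."""
    stats = {k: int(v) for k, v in re.findall(r"(\w+)\s*=\s*(\d+)", text)}
    m = re.search(r"LastRxSrcMac\s+(\S+)", text)
    stats["LastRxSrcMac"] = m.group(1) if m else None
    return stats


def diagnose_dot1x(status_text, stats_text):
    """Combine both listings into a verdict plus notes (heuristic, see lead-in)."""
    info, st, notes = parse_dot1x_interface(status_text), parse_dot1x_statistics(stats_text), []
    if info.get("Port Control", "").lower() != "auto":
        notes.append("Port Control is %s, not Auto: 802.1x is not deciding access on this port"
                     % info.get("Port Control"))
    if st.get("RxInvalid", 0) or st.get("RxLenErr", 0):
        notes.append("malformed EAPOL received (RxInvalid=%d, RxLenErr=%d)"
                     % (st.get("RxInvalid", 0), st.get("RxLenErr", 0)))
    if st.get("RxLogoff", 0):
        notes.append("supplicant sent EAPOL-Logoff %d time(s)" % st["RxLogoff"])
    if info.get("AuthSM State", "").upper() == "HELD":
        notes.append("in quiet period after a failed attempt (QuietPeriod=%s)" % info.get("QuietPeriod"))
    if info.get("PortStatus", "").upper() == "AUTHORIZED":
        verdict = "authorized"
        if info.get("HostMode", "").lower() == "multi":
            notes.append("multi-host mode: every MAC behind this port is allowed on the strength "
                         "of %s's authentication" % info.get("Supplicant MAC"))
    elif st.get("RxRespId", 0) == 0:
        verdict = "no-supplicant"          # identity requests went out, nothing came back
        notes.append("%d EAP-Request/Identity sent, 0 Response/Identity received: no supplicant "
                     "on the port or its 802.1x client is not running" % st.get("TxReqId", 0))
    elif st.get("TxReq", 0) == 0:
        verdict = "server-silent"          # identity arrived, no server challenge was relayed
        notes.append("Response/Identity received but no EAP-Request relayed from the server: "
                     "check RADIUS reachability, shared key and ServerTimeout (%s)"
                     % info.get("ServerTimeout"))
    else:
        verdict = "rejected"               # the exchange ran and did not end in AUTHORIZED
        notes.append("EAP exchange reached the server: check the AAA server's failed-attempts "
                     "log for %s" % st.get("LastRxSrcMac"))
    return {"port_status": info.get("PortStatus"), "auth_state": info.get("AuthSM State"),
            "supplicant": info.get("Supplicant MAC"), "verdict": verdict, "notes": notes}


if __name__ == "__main__":
    for k, v in diagnose_dot1x(DOT1X_IFACE, DOT1X_STATS).items():
        print(k, ":", v)
```

On the transcribed Example 11-8 status the verdict is "authorized" with no notes. Pairing the same counters with the CONNECTING/UNAUTHORIZED status of FastEthernet0/3 in Example 11-7 (constructed by editing the two status lines) yields "server-silent", because RxRespId is 1 but TxReq is 0; zeroing RxRespId instead yields "no-supplicant", and any non-zero TxReq on an unauthorized port yields "rejected". Switching HostMode to Multi on the authorized port adds the multi-host caveat.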


To check which VLAN a port belongs to, use show vlan brief as shown in Example 11-10. This is the place to confirm that a VLAN assigned by the RADIUS server (Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Private-Group-ID = VLAN name or number) actually took effect after authentication, and that a port whose supplicant failed or is absent landed in the configured guest VLAN rather than in its static access VLAN.

Example 11-10. show vlan brief Command Output

switch# show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/21, Fa0/22, Fa0/23, Gi0/1
                                                Gi0/2
2    ACS                              active    Fa0/24
10   Cisco                            active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12
99   Guest                            active    Fa0/20
100  Machine                          active
Switch#



Cisco Network Security Troubleshooting Handbook
ISBN: 1587051893
Year: 2006
Pages: 190
Authors: Mynul Hoda