In previous chapters, you learned about the EoU logging capabilities on the Cisco IOS routers running NAC-L3-IP and Cisco Catalyst switches running NAC-L2-IP. EoU logging still applies when troubleshooting NAC-L3-IP and NAC-L2-IP in large organizations. However, in case of NAC-L2-802.1X, the debug dot1x events is a very useful command when troubleshooting 802.1X-related problems. Example 15-2 shows the output of the debug dot1x events for a quarantined host.
00:55:00: dot1x-ev:auth_initialize_enter:000d.32ac.1234: Current ID=0 00:55:00: dot1x-ev:dot1x_update_port_direction: Updating oper direction for Ge3/8
(admin=Both, current oper=Both) 00:55:00: dot1x-ev:dot1x_update_port_direction: New oper direction for Ge3/8 is Both 00:55:00: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface GigabitEthernet3/8
00:55:00: dot1x-ev:dot1x_update_port_status: Called with host_mode=0 state UNAUTHORIZED
00:55:00: dot1x-ev:dot1x_update_port_status: using mac 000d.32ac.1234 to send port to unauthorized on vlan 15 00:55:00: dot1x-ev:Found a supplicant block for mac 000d.32ac.1234 1E113F0 00:55:00: dot1x-ev:dot1x_port_unauthorized: Host-mode=0 radius/guest vlan=15 on GigabitEthernet3/8
In the shaded lines in Example 15-2, you can see that the client machine has been placed in the UNAUTHORIZED state and is placed in the quarantined VLAN (VLAN 15).
NOTE Use caution when enabling debugs in busy switches because they can impact performance.
Other debug commands mentioned in Chapter 4, "Configuring Layer 2 NAC on Network Access Devices," such as debug aaa authentication and debug radius, are also good for authentication problems in large organizations. However, they need to be enabled with caution.
Cisco Secure ACS provides robust NAC logging capabilities through the Passed Authentications and Failed Attempts log files. You can enable and configure ACS logging from System Configuration > Logging.
NOTE For detailed steps on configuring logging in Cisco Secure ACS, refer to the "Enabling Logging" section in Chapter 8.
ACS log files contain a long list of attributes and other information about the end host and the network access device. This information can be very overwhelming in large environments. Consequently, it is recommended that you use a monitoring tool, such as CS-MARS, to correlate these events. Chapter 17, "Monitoring the NAC Solution Using the Cisco Security Monitoring, Analysis, and Response System," details how to integrate CS-MARS with ACS and each different network access device.
Was this article helpful?