https://community.cisco.com/t5/network-access-control/doit1x-monitor-mode/m-p/2157762#M137858 <P>Hi,</P><P></P><P>I have a setup with a were I configured monitor mode on a switch with ISE as RADIUS server. This is for testing before a bigger deployment at a customer site.</P><P></P><P>Im using ISE 1.1.3, C2960 and IOS 15.0(2) and a laptop with Windows 7 Enterprise SP1. </P><P></P><P>The correct configuration with EAP-TLS and machin cert is working like it should but it is when I remove this and make the laptop fail that I get wierd results with monitor mode. I cant get DNS to work in dot1x monitor mode if the client fail authentication. </P><P></P><P>When the client fail dot1x and MAB it gets a IP with DHCP. I can ping but DNS/browsing is not working. If I put the AuthC back and the client authenticates DNS is working, or if I turn of dot1x on the client then DNS work as it should.</P><P></P><P>Anyone has seen this before and/or have some insight on how this should work?</P><P></P><P>I know this probably is a client/supplicant problem.</P><P></P><P><IMG src="https://community.cisco.com/legacyfs/online/legacy/6/9/7/132796-monitor%20mode.png" alt="monitor mode.png" class="jive-image-thumbnail jive-image" onclick="" width="450" /><IMG src="https://community.cisco.com/legacyfs/online/legacy/1/0/8/132801-mm3.png" alt="mm3.png" class="jive-image" /></P><P></P><P><STRONG>Port config:</STRONG></P><P></P><P>interface GigabitEthernet0/2</P><P> description 802.1x port PC lab</P><P> switchport access vlan 8</P><P> switchport mode access</P><P> authentication host-mode multi-auth</P><P> authentication open</P><P> authentication port-control auto</P><P> authentication violation restrict</P><P> mab</P><P> dot1x pae authenticator</P><P></P><P>----------------------------------</P><P>sw#sh auth sess int gi0/2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Interface:&nbsp; GigabitEthernet0/2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; MAC Address:&nbsp; 000d.9d90.c96d</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; IP Address:&nbsp; 192.168.50.30</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; User-Name:&nbsp; 000d9d90c96d</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Status:&nbsp; Authz Failed</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Domain:&nbsp; DATA</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Oper host mode:&nbsp; multi-auth</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Oper control dir:&nbsp; both</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Session timeout:&nbsp; N/A</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Idle timeout:&nbsp; N/A</P><P>&nbsp;&nbsp;&nbsp; Common Session ID:&nbsp; C0A8320900000CF4DC2FDA59</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Acct Session ID:&nbsp; 0x00000D2A</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Handle:&nbsp; 0xA0000CF5</P><P></P><P>Runnable methods list:</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Method&nbsp;&nbsp; State</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dot1x&nbsp;&nbsp;&nbsp; Failed over</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mab&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Failed over</P> Mon, 11 Mar 2019 03:13:41 GMT Mikael Gustafsson 2019-03-11T03:13:41Z https://community.cisco.com/t5/network-access-control/doit1x-monitor-mode/m-p/2157762#M137858 <P>Hi,</P><P></P><P>I have a setup with a were I configured monitor mode on a switch with ISE as RADIUS server. This is for testing before a bigger deployment at a customer site.</P><P></P><P>Im using ISE 1.1.3, C2960 and IOS 15.0(2) and a laptop with Windows 7 Enterprise SP1. </P><P></P><P>The correct configuration with EAP-TLS and machin cert is working like it should but it is when I remove this and make the laptop fail that I get wierd results with monitor mode. I cant get DNS to work in dot1x monitor mode if the client fail authentication. </P><P></P><P>When the client fail dot1x and MAB it gets a IP with DHCP. I can ping but DNS/browsing is not working. If I put the AuthC back and the client authenticates DNS is working, or if I turn of dot1x on the client then DNS work as it should.</P><P></P><P>Anyone has seen this before and/or have some insight on how this should work?</P><P></P><P>I know this probably is a client/supplicant problem.</P><P></P><P><IMG src="https://community.cisco.com/legacyfs/online/legacy/6/9/7/132796-monitor%20mode.png" alt="monitor mode.png" class="jive-image-thumbnail jive-image" onclick="" width="450" /><IMG src="https://community.cisco.com/legacyfs/online/legacy/1/0/8/132801-mm3.png" alt="mm3.png" class="jive-image" /></P><P></P><P><STRONG>Port config:</STRONG></P><P></P><P>interface GigabitEthernet0/2</P><P> description 802.1x port PC lab</P><P> switchport access vlan 8</P><P> switchport mode access</P><P> authentication host-mode multi-auth</P><P> authentication open</P><P> authentication port-control auto</P><P> authentication violation restrict</P><P> mab</P><P> dot1x pae authenticator</P><P></P><P>----------------------------------</P><P>sw#sh auth sess int gi0/2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Interface:&nbsp; GigabitEthernet0/2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; MAC Address:&nbsp; 000d.9d90.c96d</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; IP Address:&nbsp; 192.168.50.30</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; User-Name:&nbsp; 000d9d90c96d</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Status:&nbsp; Authz Failed</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Domain:&nbsp; DATA</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Oper host mode:&nbsp; multi-auth</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Oper control dir:&nbsp; both</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Session timeout:&nbsp; N/A</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Idle timeout:&nbsp; N/A</P><P>&nbsp;&nbsp;&nbsp; Common Session ID:&nbsp; C0A8320900000CF4DC2FDA59</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Acct Session ID:&nbsp; 0x00000D2A</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Handle:&nbsp; 0xA0000CF5</P><P></P><P>Runnable methods list:</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Method&nbsp;&nbsp; State</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dot1x&nbsp;&nbsp;&nbsp; Failed over</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mab&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Failed over</P> Mon, 11 Mar 2019 03:13:41 GMT https://community.cisco.com/t5/network-access-control/doit1x-monitor-mode/m-p/2157762#M137858 Mikael Gustafsson 2019-03-11T03:13:41Z https://community.cisco.com/t5/network-access-control/doit1x-monitor-mode/m-p/2157763#M137881 <HTML><HEAD></HEAD><BODY><P>You need a configured ip access-group with the ACL of permit ip any any hardcoded on the interface.</P></BODY></HTML> Tue, 30 Apr 2013 20:51:32 GMT https://community.cisco.com/t5/network-access-control/doit1x-monitor-mode/m-p/2157763#M137881 gschmitt.ngit 2013-04-30T20:51:32Z https://community.cisco.com/t5/network-access-control/doit1x-monitor-mode/m-p/2157764#M137931 <HTML><HEAD></HEAD><BODY><P>While checking the authenticating the sessions, please also verify all&nbsp; the dACLs which are enforced. This will help obtain more input and&nbsp; narrow down the problem.&nbsp; Please make sure that the Web-auth ACL has no&nbsp; errors</P></BODY></HTML> Tue, 30 Apr 2013 21:51:59 GMT https://community.cisco.com/t5/network-access-control/doit1x-monitor-mode/m-p/2157764#M137931 askhuran 2013-04-30T21:51:59Z https://community.cisco.com/t5/network-access-control/doit1x-monitor-mode/m-p/2157765#M137960 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>Please check if you configured <STRONG>Fallback to unauthorized network access</STRONG> under you Windows NIC dot1x settings.</P><P>If not, you won't get network access when dot1x fails. </P></BODY></HTML> Wed, 01 May 2013 07:49:01 GMT https://community.cisco.com/t5/network-access-control/doit1x-monitor-mode/m-p/2157765#M137960 Octavian Szolga 2013-05-01T07:49:01Z