NEAT configuration issue

amin.amor — Mon, 11 Mar 2019 01:58:25 GMT

Hi,

I´m currently setting a LAB in order to test NEAT feature. The Supplicant switch (sSW) is able to authenticate toward the Authenticator Switch (aSW).

sSW#sh cisp summary

CISP is running on the following interface(s):

----------------------------------------------

Fa0/8 (supplicant)

When I connect a PC with X.509 certificate to the sSW, I see the EAPOL request coming from the PC to the sSW on Fa0/1:

*Mar 6 23:25:12.600: dot1x-ev(Fa0/1): Role determination not required

*Mar 6 23:25:12.600: dot1x-ev(Fa0/1): New client detected, issuing Start Request to AuthMgr

But the sSW does not forward the packet to the aSW.

sSW#sh cisp interface fastEthernet 0/1

CISP not enabled on specified interface

Do I need additional configuration on the port toward the PC?

Why the CISP is not enabled on the Fa0/1?

Topology and config is below:

Topolgy:

PC-------------0/1|sSW|0/8--------------4/10|aSW|

Configuration:

-----------------------------------------

aSW: WS-C4510R-E

System image file is "bootflash:cat4500e-entservicesk9-mz.150-2.SG3.bin"

interface GigabitEthernet4/10

description toward sSW

switchport trunk native vlan 332

switchport mode trunk

switchport voice vlan 335

logging event link-status

authentication host-mode multi-domain

authentication open

authentication port-control auto

mab

dot1x pae authenticator

spanning-tree portfast trunk

----------------------------------------------

sSW> 2960

"flash:c2960-lanbasek9-mz.150-1.SE2.bin"

dot1x credentials cisco

username cisco

password 0 cisco

cisp enable

dot1x supplicant force-multicast

interface FastEthernet0/8

description toward 4/10-aSW

switchport trunk native vlan 332

switchport mode trunk

duplex full

dot1x pae supplicant

dot1x credentials cisco

interface FastEthernet0/1

description toward PC

switchport access vlan 332

switchport mode access

speed 100

duplex full

spanning-tree portfast

sh cisp interface fastEthernet 0/1

CISP not enabled on specified interface

*Mar 6 23:25:12.600: dot1x-ev(Fa0/1): Role determination not required

*Mar 6 23:25:12.600: dot1x-ev(Fa0/1): New client detected, issuing Start Request to AuthMgr

sSW#sh cisp summary

CISP is running on the following interface(s):

----------------------------------------------

Fa0/8 (supplicant)

sSW#sh cisp clients

Supplicant Client Table:

------------------------

MAC Address VLAN Interface

---------------------------------

0000.0c07.ac01 332 Fa0/8

0024.14af.3e09 1 Fa0/8

8cb6.4fab.c7c1 332 Vl332

0022.9031.53ff 332 Fa0/8

0024.14af.3e09 332 Fa0/8

8cb6.4fab.c7c0 1 Vl1

sSW#sh cisp interface fastEthernet 0/1

CISP not enabled on specified interface

NEAT configuration issue

networkguy13111 — Wed, 19 Dec 2012 23:07:43 GMT

Hi Amin,

Please have a look on the brief of CISP:

http://tools.cisco.com/ITDIT/CFN/Dispatch?act=featdesc&task=display&featureId=9434

In my understanding, the CISP is only working on the switch to switch port.

----------

Which can win the race: increasing bandwidth with new technologies VS QoS?

NEAT configuration issue

Tarik Admani — Fri, 21 Dec 2012 03:14:23 GMT

Hi,

When using neat the switch authenticates itself to the upstream switch so that the link becomes a trunking port. The switch that the client is connecting to must have the radius configuration to support dot1x much like your other switches. That switch that authenticates itself must have its ip address added to the radius server database so it can authenticate.

Let me know if that helps point you in the right direction.

Tarik Admani
*Please rate helpful posts*

topic NEAT configuration issue in Network Access Control

NEAT configuration issue

NEAT configuration issue

NEAT configuration issue