topic Re: dot1X and multi-domain in Network Access Control

dot1X and multi-domain

MAGNUS SVENSSON — Mon, 11 Mar 2019 00:27:05 GMT

I have an C4506 with a WS-X4548-GB-RJ45V module. I am running version Version 12.2(54)SG, I have implementet 802.1X on the access-ports but I can´t get multi-domain configuration to work.

Mostly the PC-client is connected to the phone and the phone is connected to the switchport. In the ACS5.1 loggs the client and telephone are authenticated correctly, The client runns EAP-TLS and the phone does MAB. The PC gets an IP address but it can´t reach anything, not even his default gateway.

When I switch to multi-host it works and the client , and phone is able to communicate, but then I have security issues and timeout problems.

DOES ANY ONE OUT THERE HAVE THE SAME PROBLEM ??

Below is my portconfiguration.

interface GigabitEthernet6/40
description 802.1X enablad port ANC70101D03
switchport mode access
switchport voice vlan 94
qos trust device cisco-phone
authentication event fail action authorize vlan 229
authentication event server dead action authorize vlan 229
authentication event no-response action authorize vlan 229
authentication host-mode multi-domain
authentication order dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout tx-period 5
spanning-tree portfast
service-policy input voice-services
end

Re: dot1X and multi-domain

Yudong Wu — Thu, 30 Sep 2010 21:25:57 GMT

Could you please collect "sh dot1x int Gx/y details" in both multi-host and multi-domain mode after the authentication?

By the way, are you using vlan 1 as data vlan?

Re: dot1X and multi-domain

MAGNUS SVENSSON — Fri, 01 Oct 2010 07:40:56 GMT

Hi , It has to be a bug, I have logged a case with TAC " CaseID:615560039. The thing is that if I run multi-host mode everythning works , but then you have security issues, if I run multi-domain the client and phone gets an IP address but are not able to communicate (ex ping there default GW). The output of the commands you requested looks okej, in multi-domain you have one voice and one data , and in multi-host you have one data....

/Magnus

Re: dot1X and multi-domain

MAGNUS SVENSSON — Mon, 18 Oct 2010 13:39:34 GMT

Now Cisco TAC has find out that there is a bug in the 12.2 (54) SG release regarding multi-domain and C4506. I have now downgraded the IOS to 12.2 (53) SG3. And now it works.

Bug ID is: CSCtj56811 (It was just posted).

/Magnus

Re: dot1X and multi-domain

Yudong Wu — Mon, 18 Oct 2010 15:01:31 GMT

Thanks a lot Magnus for keeping us posted.