01-30-2019 01:46 PM
I enabled Dot1x and plugged the PC into the IP phone. My phone is registered with CM and my PC got an IP address. The issue that I am having is Domain = unknown - status = Unauth - Method = N/A.
Any help is appreciated.
SW-lab#sho authentication sessions interface g1/0/2
Interface    MAC Address     Method  Domain   Status  Fg  Session ID
--------------------------------------------------------------------------------------------
Gi1/0/2      0016.46a8.a523  N/A     UNKNOWN  Unauth      0A16640A00000032A0A896C4
Gi1/0/2      d4be.d95c.a825  N/A     UNKNOWN  Unauth      0A16640A00000033A0A8B9C7
SW-lab#sho run int g1/0/2
interface GigabitEthernet1/0/2
 switchport access vlan 120
 switchport mode access
 switchport voice vlan 150
 device-tracking
 authentication timer reauthenticate server
 access-session host-mode multi-domain
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
end
Thanks
01-31-2019 02:09 AM
What does ISE Live Log and the detail of the failed Authentication/Authorization look like?
01-31-2019 06:15 AM
There is nothing in ISE live logs.
I already have that configured. I have a radius server already configured and belongs to the radius group.
aaa authentication login default enable local
aaa authentication dot1x default group LAB-RADIUS
aaa authorization network default group LAB-RADIUS
aaa accounting identity default start-stop group LAB-RADIUS
01-31-2019 08:50 AM
Are you pushing your vlan from ISE or relying on fallback of the switch access vlan on your interface command? Is vlan 120 in your vlan db?
There is nothing in ISE live logs.
Are you reaching ISE? Are ports 1812/1813 (radius default for authentication/accounting) blocked anywhere along the path? Are you sourcing radius traffic from the correct management interface? Any of these could present a problem.
01-31-2019 05:40 AM
Please ensure that you have your AAA statements properly setup. Depending on your configuration it should look something along these lines:
aaa authentication dot1x default group radius
aaa authorization network default group radius
Also, add the command authentication port-control auto. Then force a re-auth. Hope this helps.
01-31-2019 06:09 AM
Also, to add: make sure you have these commands
radius-server vsa send authentication
radius-server vsa send accounting
01-31-2019 06:35 AM
I entered these commands, but they don't show under running config. I am running IOS Version 16.6.5 - SW 3850
SW-lab(config)#radius-server vsa send authentication
SW-lab(config)#radius-server vsa send accounting
SW-lab# sho run
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
01-31-2019 06:39 AM
They don't show up unless you do show run all.
!
Could you also make sure you have epm logging and dot1x logging ver configured?
!
Then shut the interface down and no shut.
!
And also share the logs that you see.
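The configuration prerequisites raised in the replies above, collected into one offline check (an added example, not code from any poster or from Cisco). The sample config is constructed from lines quoted in the thread; the server name ISE-1 and the helper names are hypothetical.

```python
import re

# Constructed sample from lines quoted in the thread; server name ISE-1 is made up.
SAMPLE = """\
aaa authentication dot1x default group LAB-RADIUS
aaa authorization network default group LAB-RADIUS
aaa group server radius LAB-RADIUS
 server name ISE-1
interface GigabitEthernet1/0/2
 access-session port-control auto
 mab
 dot1x pae authenticator
"""

def interface_block(config, name):
    """Return the indented sub-commands under 'interface <name>'."""
    block, inside = [], False
    for line in config.splitlines():
        if line.startswith("interface "):
            inside = line.split(None, 1)[1].strip() == name
        elif inside and line.startswith(" "):
            block.append(line.strip())
        elif inside:
            inside = False
    return block

def audit(config, iface):
    """List the thread's prerequisites that are absent from config."""
    missing = []
    for method in ("authentication dot1x", "authorization network"):
        m = re.search(rf"^aaa {method} default group (\S+)", config, re.M)
        if not m:
            missing.append(f"aaa {method} default group <name>")
        elif m.group(1) != "radius" and not re.search(
                rf"^aaa group server radius {re.escape(m.group(1))}$", config, re.M):
            missing.append(f"aaa group server radius {m.group(1)}")
    port = interface_block(config, iface)
    # Legacy and new-style syntax for the same port-control setting.
    if not {"authentication port-control auto",
            "access-session port-control auto"} & set(port):
        missing.append("port-control auto")
    for cmd in ("mab", "dot1x pae authenticator"):
        if cmd not in port:
            missing.append(cmd)
    # Only conclusive against 'show run all': these lines are hidden otherwise.
    for kind in ("authentication", "accounting"):
        if f"radius-server vsa send {kind}" not in config:
            missing.append(f"radius-server vsa send {kind} (check show run all)")
    return missing
```

Run against plain `show run` output, the two vsa findings are expected; feed it `show run all` to settle them.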
01-31-2019 06:59 AM - edited 01-31-2019 07:00 AM
I configured epm logging and dot1x logging ver and shut no shut, no changes. Also, I am not seeing any logs.
Thanks!
01-31-2019 07:04 AM
Can you display the ISE logs that you see there?
01-31-2019 07:10 AM - edited 01-31-2019 07:11 AM
SW-lab#sho mab interface g1/0/2 details
MAB details for GigabitEthernet1/0/2
-------------------------------------
Mac-Auth-Bypass = Enabled
MAB Client List Is Empty
SW-lab#sho mab interface g1/0/3 details
MAB details for GigabitEthernet1/0/3
-------------------------------------
Mac-Auth-Bypass = Enabled
MAB Client List Is Empty
The logs are from yesterday. Nothing for today.
01-31-2019 07:12 AM
This makes sense, as you are hitting the default authorization rule, which is deny. Have you configured any authorization rule for this?
01-31-2019 07:34 AM - edited 01-31-2019 07:40 AM
01-31-2019 07:52 AM
01-31-2019 08:01 AM