Beginner

802.1x Domain = unknown - status = Unauth - Method = N/A

I enabled Dot1x and plugged the PC into the IP phone. My phone is registered with CM and my PC got an IP address. The issue that I am having is Domain = unknown - status = Unauth - Method = N/A.

 

Any help is appreciated. 

 

SW-lab#sho authentication sessions interface g1/0/2
Interface  MAC Address     Method  Domain   Status  Fg  Session ID
--------------------------------------------------------------------------------------------
Gi1/0/2    0016.46a8.a523  N/A     UNKNOWN  Unauth      0A16640A00000032A0A896C4
Gi1/0/2    d4be.d95c.a825  N/A     UNKNOWN  Unauth      0A16640A00000033A0A8B9C7

 

 

SW-lab#sho run int g1/0/2

interface GigabitEthernet1/0/2
 switchport access vlan 120
 switchport mode access
 switchport voice vlan 150
 device-tracking
 authentication timer reauthenticate server
 access-session host-mode multi-domain
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
end

 

Thanks
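Added example, not part of the original post: a small Python parser for the `show authentication sessions` table above that groups every session not in `Auth` status by port and separates rows where the switch lists no method (`N/A`, as in this thread) from rows where a named method is listed. The first two sample rows are from the post; the Gi1/0/3 rows, the function names and the reason labels are constructed for illustration.

```python
import re
from collections import defaultdict

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)

# First two rows are from the post; the Gi1/0/3 rows are constructed for contrast.
SAMPLE = """\
SW-lab#sho authentication sessions
Interface MAC Address Method Domain Status Fg Session ID
--------------------------------------------------------
Gi1/0/2 0016.46a8.a523 N/A UNKNOWN Unauth 0A16640A00000032A0A896C4
Gi1/0/2 d4be.d95c.a825 N/A UNKNOWN Unauth 0A16640A00000033A0A8B9C7
Gi1/0/3 0000.5e00.5301 mab VOICE Auth 0A16640A0000003400000001
Gi1/0/3 0000.5e00.5302 dot1x DATA Unauth 0A16640A0000003500000002
"""

def parse_sessions(text):
    """Parse session rows; prompt, header and rule lines are skipped."""
    sessions = []
    for line in text.splitlines():
        tok = line.split()
        # A row has 6 fields, or 7 when the Fg (flags) column is populated.
        if len(tok) not in (6, 7) or not MAC_RE.match(tok[1]):
            continue
        sessions.append({
            "interface": tok[0], "mac": tok[1].lower(), "method": tok[2],
            "domain": tok[3], "status": tok[4],
            "flags": tok[5] if len(tok) == 7 else "", "session_id": tok[-1],
        })
    return sessions

def triage(sessions):
    """Group sessions that are not in Auth status by interface, with a reason."""
    report = defaultdict(list)
    for s in sessions:
        if s["status"] == "Auth":
            continue
        # "N/A" means the table lists no method for this session at all.
        reason = "no-method" if s["method"] == "N/A" else "method-" + s["method"]
        report[s["interface"]].append((s["mac"], reason))
    return dict(report)

if __name__ == "__main__":
    for port, items in triage(parse_sessions(SAMPLE)).items():
        for mac, reason in items:
            print(f"{port} {mac} {reason}")
```
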

 

22 REPLIES
VIP Collaborator

Re: 802.1x Domain = unknown - status = Unauth - Method = N/A

What does ISE Live Log and the detail of the failed Authentication/Authorization look like?

Beginner

Re: 802.1x Domain = unknown - status = Unauth - Method = N/A

@Arne Bier 

 

There is nothing in ISE live logs. 

@Mike.Cifelli 

I already have that configured. I have a radius server already configured and belongs to the radius group.

 

aaa authentication login default enable local
aaa authentication dot1x default group LAB-RADIUS
aaa authorization network default group LAB-RADIUS
aaa accounting identity default start-stop group LAB-RADIUS

Beginner

Re: 802.1x Domain = unknown - status = Unauth - Method = N/A

Are you pushing your vlan from ISE or relying on fallback of the switch access vlan on your interface command? Is vlan 120 in your vlan db?

 

There is nothing in ISE live logs. 

 

Are you reaching ISE?  Are ports 1812/1813 (radius default for authentication/accounting) blocked anywhere along the path?  Are you sourcing radius traffic from the correct management interface?  Any of these could present a problem.

Beginner

Re: 802.1x Domain = unknown - status = Unauth - Method = N/A

Please ensure that you have your AAA statements properly setup.  Depending on your configuration it should look something along these lines:

 

aaa authentication dot1x default group radius
aaa authorization network default group radius

 

Also, add the command authentication port-control auto.  Then force a re-auth.  Hope this helps.

Rising star

Re: 802.1x Domain = unknown - status = Unauth - Method = N/A

Also, to add: make sure you have these commands

 

radius-server vsa send authentication

radius-server vsa send accounting

please do not forget to rate.
Beginner

Re: 802.1x Domain = unknown - status = Unauth - Method = N/A

@Sheraz.Salim

 

I entered these commands, but they don't show under running config. I am running IOS Version 16.6.5 - SW 3850


SW-lab(config)#radius-server vsa send authentication
SW-lab(config)#radius-server vsa send accounting

 

 

SW-lab# sho run
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3

 

 

 

 

Rising star

Re: 802.1x Domain = unknown - status = Unauth - Method = N/A

They don't show up unless you do show run all.

!

Could you also make sure you have epm logging and dot1x logging ver configured?

!

Then shut the interface down and no shut.

!

And also share the logs you see.

please do not forget to rate.
Beginner

Re: 802.1x Domain = unknown - status = Unauth - Method = N/A

@Sheraz.Salim

 

 

I configured epm logging and dot1x logging ver and shut no shut, no changes. Also I am not seeing any logs.

 

Thanks!

Rising star

Re: 802.1x Domain = unknown - status = Unauth - Method = N/A

Can you display the ISE logs you see there?

please do not forget to rate.
Beginner

Re: 802.1x Domain = unknown - status = Unauth - Method = N/A

@Sheraz.Salim


SW-lab#sho mab interface g1/0/2 details
MAB details for GigabitEthernet1/0/2
-------------------------------------
Mac-Auth-Bypass = Enabled

MAB Client List Is Empty

 

SW-lab#sho mab interface g1/0/3 details
MAB details for GigabitEthernet1/0/3
-------------------------------------
Mac-Auth-Bypass = Enabled

MAB Client List Is Empty

 

 The logs are from yesterday. Nothing for today 

Rising star

Re: 802.1x Domain = unknown - status = Unauth - Method = N/A

This makes sense, as you are hitting the default authorization rule, which is deny. Have you configured any authorization rule for this?

please do not forget to rate.
Beginner

Re: 802.1x Domain = unknown - status = Unauth - Method = N/A

@Sheraz.Salim

The default Authorization shows permit. Please see attachment.

 

Thanks!

VIP Rising star

Re: 802.1x Domain = unknown - status = Unauth - Method = N/A

The hit counters on those rules are 0. This could just be a display issue, but it is worth asking if you have more than one policy set configured?

The default authorization rule in the screenshot you attached is Deny as Sheraz pulled from the live logs earlier. What are the configured conditions in the "Network_access_authentication_passed" library?
Beginner

Re: 802.1x Domain = unknown - status = Unauth - Method = N/A

@Damien Miller 

 

I hope I am answering your question. Please find attachment

 
