
802.1x issues...I think

angel-moon
Level 3

Hello everyone,

 

On a network with 802.1x on all switch ports, when I connect a newly configured phone it will not register ("Verify Network Connection" message on the phone) unless I take out the switch command line authentication port-control auto. Once I issue a "no" on that command, the phone can find CUCM and register. If I put it back in after it registers, the phone de-registers. Anyone know what I can do to keep this line in AND have the phone register?

 

 

Thanks in advance!!!

4 Replies

balaji.bandi
Hall of Fame

Can you post the configuration so we can have a look?

 

BB


switchport access vlan 111

switchport mode access

switchport voice vlan 222

srr-queue bandwidth share 1 30 35 5

priority-queue out

 authentication event fail action next-method

authentication event server dead action authorize vlan 111

authentication event server dead action authorize voice

authentication event server alive action reinitialize

 authentication host-mode multi-auth

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

authentication timer inactivity server dynamic

authentication violation restrict

mab     

 mls qos trust device cisco-phone

mls qos trust cos

dot1x pae authenticator

dot1x timeout tx-period 5

auto qos voip cisco-phone

 storm-control broadcast level 10.00

storm-control multicast level 10.00

spanning-tree portfast

spanning-tree bpduguard enable

 

The QoS configuration aside, the port looks to be configured fine for 802.1x. There are other configurations you need to make sure exist on the switch, such as "dot1x system-auth-control" and RADIUS configuration (radius servers, dot1x configuration for aaa, etc.).

 

We are missing quite a few details though. Assuming your configuration is correct outside the specific interface you've pasted, you may want to check if any RADIUS traffic is leaving from your switch and encapsulating EAPOL traffic for the phone port. 

Scott Pedersen
Level 1

The authentication port-control auto command is what controls whether your device must authenticate with your authentication servers, such as Cisco ISE. Depending on your authentication server setup, the device is allowed or denied access to the network. If you want to make sure your device can access the network with that in place, you need to consult with the admin of that authentication server to make sure everything is in place to allow the device access. Without knowing what you are using, it is impossible to get any more detailed than that.