09-02-2015 01:38 AM - edited 03-10-2019 11:01 PM
I am running Cisco ACS (Version: 5.4.0.46.0a) 802.1x with certificate-based authentication for wired connections. The issue is that I found some authentication failed messages on some switch ports. When I troubleshoot in ACS, it shows an error: "22056 Subject not found in the applicable identity store(s). : Authentication failed". But I could not find the MAC address on this port. The authentication failed message should normally disappear after 60 seconds if the device pulls out the cable, but I found the authentication failed session always remains on the switch and in the ACS.
For example:
On the port Gi1/0/15, there is an Avaya phone and a PC that authenticated successfully, but there is another MAC address that failed. It was strange that this port did not connect any other device, so I am confused about this situation. I tried to add one command: "authentication timer inactivity 30", but it seems to be of no use.
switch#show authe se | inc Gi1/0/15
Gi1/0/15 90b1.1c9b.d9c4 dot1x DATA Authz Success 0A19F5820001536935ED8383
Gi1/0/15 24d9.214e.39be dot1x VOICE Authz Success 0A19F5820001452D31ECA0FD
Gi1/0/15 8c70.5a29.39be dot1x DATA Authz Failed 0A19F582000150163568626F
switch#show mac add | inc Gi1/0/15
100 90b1.1c9b.d9c4 STATIC Gi1/0/15
300 24d9.214e.39be STATIC Gi1/0/15
switch#show run int Gi1/0/15
Building configuration...
Current configuration : 540 bytes
!
interface GigabitEthernet1/0/15
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 300
 duplex full
 authentication event server dead action reinitialize vlan 100
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication port-control auto
 authentication timer inactivity 30
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 storm-control broadcast level 5.00
 spanning-tree portfast
 spanning-tree bpduguard enable
switch module: WS-C3750X-48PF-S
switch IOS: c3750e-universalk9-mz.150-2.SE4.bin
09-02-2015 01:36 PM
It must have been the Avaya phone before learning the voice VLAN.
09-02-2015 11:10 PM
Thanks Peter.
You mean the additional MAC belongs to the Avaya phone? But the problem is, why could this failed authentication session not clear automatically? And I could find the MAC address in the MAC address table.
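An added example, not part of the original thread and not a Cisco tool: a short Python script that cross-checks the "show authentication sessions" lines against the "show mac address-table" lines and lists sessions whose MAC address the switch has not learned on that port. The sample input is the output quoted in the first post; the function names and the assumed column layout are this example's own.

```python
import re

# Sample input: the lines quoted in the first post of this thread.
AUTH_SESSIONS = """\
Gi1/0/15 90b1.1c9b.d9c4 dot1x DATA Authz Success 0A19F5820001536935ED8383
Gi1/0/15 24d9.214e.39be dot1x VOICE Authz Success 0A19F5820001452D31ECA0FD
Gi1/0/15 8c70.5a29.39be dot1x DATA Authz Failed 0A19F582000150163568626F
"""
MAC_TABLE = """\
100 90b1.1c9b.d9c4 STATIC Gi1/0/15
300 24d9.214e.39be STATIC Gi1/0/15
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
# Assumed columns: port, MAC, method, domain, status, session ID.
SESSION_RE = re.compile(
    rf"^\s*(?P<port>\S+)\s+(?P<mac>{MAC})\s+(?P<method>\S+)\s+(?P<domain>\S+)\s+"
    rf"(?P<status>Authz \S+|\S+)\s+(?P<sid>[0-9A-F]+)\s*$", re.I)
# Assumed columns: VLAN, MAC, entry type, port.
MAC_RE = re.compile(
    rf"^\s*(?P<vlan>\d+)\s+(?P<mac>{MAC})\s+(?P<type>\S+)\s+(?P<port>\S+)\s*$", re.I)


def parse(regex, text):
    """Return one dict per line that matches; prompts and headers are skipped."""
    return [m.groupdict() for m in map(regex.match, text.splitlines()) if m]


def sessions_without_mac_entry(auth_text, mac_text):
    """Sessions whose (port, MAC) pair is absent from the MAC address table."""
    learned = {(e["port"], e["mac"].lower()) for e in parse(MAC_RE, mac_text)}
    return [s for s in parse(SESSION_RE, auth_text)
            if (s["port"], s["mac"].lower()) not in learned]


if __name__ == "__main__":
    for s in sessions_without_mac_entry(AUTH_SESSIONS, MAC_TABLE):
        print(f'{s["port"]} {s["mac"]} {s["domain"]} {s["status"]} session={s["sid"]}')
```

Run against fresh output collected over time, a session that keeps appearing in this list is one the switch is holding without a matching learned MAC address.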