802.1x Authz failing with 3rd party dumb switches and PCs connecting to it.

MS-JK
Level 1

Hi,

Here is my Scenario:

3750/2960/3850 --> PHONE --> Desktop Switch (Linksys or dumb switch) --> Workstation

 

ISE 2.3 P4

 

The PHONE gets profiled/authenticated just fine and is added to the VOICE VLAN, BUT the Workstation fails. (NOTE: IF the workstation plugs directly into the 3750/2960/3850, it works fine.)

 

Interface config switch:

interface FastEthernet4/0/2
 switchport access vlan 8
 switchport mode access
 switchport voice vlan 9
 srr-queue bandwidth share 1 70 25 5
 srr-queue bandwidth shape 3 0 0 0
 priority-queue out
 authentication control-direction in
 authentication event server dead action reinitialize vlan 8
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 authentication violation restrict
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 7
 no cdp enable
 spanning-tree portfast
 service-policy input access-port-policy

 

It appears these devices do not like the 0180:c200:0003 bridging frame that is referenced in the EAPOL or EAP response packets. Has anyone run into this? Is there anything that can be added to the port to overcome this issue?

 

Thanks for any advice!

 

3 Replies

mnagired
Cisco Employee

Firstly,

Sorry, I have never tested this and I am also not sure about the Linksys switch model you are using, but by default (Force Authorized port authentication is disabled) the switch should pass through the EAP packet. Maybe factory default the Linksys switch and try it once.

Secondly,

Authentication order & priority don't match up. Can you keep them the same?

authentication order mab dot1x

authentication priority dot1x mab

 

Actually, it looks like ANY switch, including Cisco's 300 series. I'm wondering if this is even a supported scenario or not.

This is not a supported scenario as such, but I do not see why it should not work as well.

If the supplicant sends an EAPoL-Start packet, then the traffic would be unicast and these frames to the multicast MAC address do not even come into the picture. The switch by default does not send EAPoL packets in the case of a data device connected behind a phone.

 

You can configure your supplicant to transmit EAPoL-Start messages as follows via group policy.

When you create a connection profile, you can find these settings under the 'Advanced' button.

Computer settings -> Policies -> Windows Settings -> Security Settings -> Wired Network (802.3) Policies

 

Make sure that EAPoL-Start Message is set to "Transmit" instead of "Transmit per IEEE 802.1X" and see if this helps.
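The two observations in this thread (the original post's point that the intermediate switch "does not like" frames to 0180:c200:0003, and the reply's point that unicast EAPoL traffic does not hit that problem) come down to destination addressing: 01:80:c2:00:00:03 is the 802.1X PAE group address, which sits in the 01:80:c2:00:00:00 to 01:80:c2:00:00:0f block that an 802.1D-compliant bridge must not relay. The following is an added example, not code from the thread or from Cisco or Microsoft; it decodes EAPOL frames and reports which ones a plain bridge in the path would pass on. All MAC addresses, the EAP payloads and the frames are constructed for illustration, and the unicast EAPOL-Start assumes the supplicant has already learned the authenticator's address.

```python
# Added example (not code from the thread): decode 802.1X EAPOL frames and show
# which ones a standards-compliant unmanaged switch (802.1D bridge) relays.
# Frames addressed to the PAE group address 01:80:c2:00:00:03 fall in the
# 802.1D reserved block that a compliant bridge must not forward, so only
# unicast EAPOL survives the extra hop behind the phone.
# All MAC addresses and frames below are constructed for illustration.
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")      # 802.1X PAE group address
BRIDGE_RESERVED_PREFIX = bytes.fromhex("0180c20000")   # 01:80:c2:00:00:00 .. :0f

EAPOL_TYPES = {
    0: "EAP-Packet",
    1: "EAPOL-Start",
    2: "EAPOL-Logoff",
    3: "EAPOL-Key",
}


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def build_eapol(dst: bytes, src: bytes, eapol_type: int, body: bytes = b"", version: int = 2) -> bytes:
    """Ethernet II header + EAPOL header (version, type, body length) + body."""
    eth = dst + src + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + struct.pack("!BBH", version, eapol_type, len(body)) + body


def parse_eapol(frame: bytes) -> dict:
    """Decode one EAPOL frame; raise ValueError on anything malformed or non-EAPOL."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL body truncated")
    return {
        "dst": mac_str(dst),
        "src": mac_str(src),
        "version": version,
        "type": EAPOL_TYPES.get(eapol_type, f"unknown({eapol_type})"),
        "body": body,
    }


def is_bridge_reserved(dst: bytes) -> bool:
    """True for 01:80:c2:00:00:00 .. 01:80:c2:00:00:0f, which an 802.1D bridge never relays."""
    return dst[:5] == BRIDGE_RESERVED_PREFIX and dst[5] <= 0x0F


def relayed_by_dumb_switch(frame: bytes) -> bool:
    """Would an unmanaged, 802.1D-compliant switch pass this frame to the next hop?"""
    return not is_bridge_reserved(frame[0:6])


def walk(frames) -> list:
    """Return (EAPOL type, relayed?) per frame, as a dumb switch in the path would treat it."""
    return [(parse_eapol(f)["type"], relayed_by_dumb_switch(f)) for f in frames]


# Constructed sample exchange (MACs are made up):
SWITCH_PORT_MAC = bytes.fromhex("001122334455")     # authenticator (the Cisco access port)
WORKSTATION_MAC = bytes.fromhex("66778899aabb")     # supplicant behind the dumb switch
EAP_REQUEST_IDENTITY = bytes([1, 1, 0, 5, 1])               # code=Request, id=1, len=5, type=Identity
EAP_RESPONSE_IDENTITY = bytes([2, 1, 0, 9, 1]) + b"user"    # code=Response, id=1, len=9, identity "user"

SAMPLE_FRAMES = [
    # 1. Authenticator's EAP-Request/Identity to the PAE group address: dropped by the dumb switch
    build_eapol(PAE_GROUP_ADDRESS, SWITCH_PORT_MAC, 0, EAP_REQUEST_IDENTITY),
    # 2. Supplicant EAPOL-Start to the PAE group address: dropped for the same reason
    build_eapol(PAE_GROUP_ADDRESS, WORKSTATION_MAC, 1),
    # 3. Supplicant EAPOL-Start unicast to the learned port MAC (assumption): relayed
    build_eapol(SWITCH_PORT_MAC, WORKSTATION_MAC, 1),
    # 4. Supplicant EAP-Response/Identity unicast to the port MAC: relayed
    build_eapol(SWITCH_PORT_MAC, WORKSTATION_MAC, 0, EAP_RESPONSE_IDENTITY),
]

if __name__ == "__main__":
    for eapol_type, relayed in walk(SAMPLE_FRAMES):
        print(f"{eapol_type:<12} relayed by dumb switch: {relayed}")
```

The classification is only about the destination address, which is the whole point: a plain bridge never looks inside the EAPOL header, so whether the workstation gets authenticated through the extra hop depends on whether the supplicant and authenticator address each other unicast rather than via the PAE group address. Real unmanaged switches vary (some flood the reserved block regardless), so treat the result as what a standards-compliant bridge does, not a guarantee about a specific model.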