11-27-2018 10:38 AM
Hi,
Here is my Scenario:
3750/2960/3850 --> PHONE -> Desktop Switch (Linksys or dump switch) -> Workstation
ISE 2.3 P4
The PHONE gets profiled/authenticated just fine and added as part of the VOICE VLAN, BUT the Workstation fails. (NOTE: if the workstation plugs directly into the 3750/2960/3850, it works fine.)
Interface config switch:
interface FastEthernet4/0/2
 switchport access vlan 8
 switchport mode access
 switchport voice vlan 9
 srr-queue bandwidth share 1 70 25 5
 srr-queue bandwidth shape 3 0 0 0
 priority-queue out
 authentication control-direction in
 authentication event server dead action reinitialize vlan 8
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 authentication violation restrict
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 7
 no cdp enable
 spanning-tree portfast
 service-policy input access-port-policy
It appears these devices do not like the 0180:c200:0003 bridging frame that is referenced in the EAPOL or EAP response packets. Has anyone run into this? Anything that can be added to the port to overcome this issue?
Thanks for the advice!
11-27-2018 11:59 AM
1stly,
Sorry, I have never tested this and I am also not sure about the Linksys switch model you are using, but by default (Force Authorized port authentication is disabled) the switch should pass through the EAP packets. Maybe factory-default the Linksys switch and try it once.
2nd,
Authentication order & priority don't match up. Can you keep them the same?
authentication order mab dot1x
authentication priority dot1x mab
11-27-2018 05:29 PM
Actually, it looks like ANY switch, including Cisco's 300 series. I'm wondering if this is even a supported scenario or not.
11-28-2018 12:07 AM
This is not a supported scenario as such, but I do not see why it should not work as well.
If the supplicant sends an EAPoL-Start packet, then the traffic would be unicast and these frames to the multicast MAC address do not even come into the picture. The switch by default does not send EAPoL packets in the case of a data device connected behind a phone.
You can configure your supplicant to transmit EAPoL-Start messages as follows via group policy.
When you create a connection profile, you can find these settings under the 'Advanced' button.
Computer settings -> Policies -> Windows Settings -> Security Settings -> Wired Network (802.3) Policies
Make sure that EAPoL-Start Message is set to "Transmit" instead of "Transmit per IEEE 802.1X" and see if this helps.
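To make the group-address versus unicast distinction from the reply above concrete, here is an added example (not from any poster in this thread): it builds the two EAPOL frames involved, parses them, and models a bridge that honours the IEEE 802.1D reserved address range 01:80:C2:00:00:00..0F, under which an EAPOL-Start to the PAE group address 01:80:C2:00:00:03 is never forwarded while a unicast EAP-Request/Identity to the workstation passes. The switch and PC MAC addresses are constructed sample values.

```python
import struct

PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # 01:80:C2:00:00:03, 802.1X PAE group address
RESERVED_PREFIX = bytes.fromhex("0180c20000")    # 802.1D reserved range 01:80:C2:00:00:00..0F
ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

# Constructed sample MACs (hypothetical, not taken from the thread)
SWITCH_MAC = bytes.fromhex("001122334455")
PC_MAC = bytes.fromhex("66778899aabb")


def build_eapol(dst, src, eapol_type, body=b""):
    """Build an Ethernet II frame carrying an EAPOL v2 packet of the given type."""
    header = dst + src + struct.pack("!H", ETHERTYPE_EAPOL)
    return header + struct.pack("!BBH", 2, eapol_type, len(body)) + body


def parse_eapol(frame):
    """Return (dst, src, type_name, body) for an EAPOL frame, or None if it is not EAPOL."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    _version, etype, length = struct.unpack("!BBH", frame[14:18])
    return frame[:6], frame[6:12], EAPOL_TYPES.get(etype, f"unknown({etype})"), frame[18:18 + length]


def is_bridge_reserved(dst):
    """True for 01:80:C2:00:00:00..0F, which an 802.1D bridge must not forward to other ports."""
    return dst[:5] == RESERVED_PREFIX and dst[5] <= 0x0F


def reserved_filtering_switch_forwards(frame):
    """Model a desktop switch that honours the reserved range: group-address EAPOL is
    dropped at the ingress port, unicast EAPOL is forwarded like any other frame."""
    return not is_bridge_reserved(frame[:6])


def classify(frame):
    """(EAPOL type, 'group' or 'unicast', would the modelled switch forward it?)"""
    parsed = parse_eapol(frame)
    if parsed is None:
        return None
    dst, _src, name, _body = parsed
    return name, "group" if dst == PAE_GROUP_MAC else "unicast", reserved_filtering_switch_forwards(frame)


# Supplicant EAPOL-Start: always addressed to the PAE group address
start = build_eapol(PAE_GROUP_MAC, PC_MAC, 1)
# Authenticator EAP-Request/Identity, unicast to the workstation:
# EAP header = code 1 (Request), identifier 1, length 5, type 1 (Identity)
req_identity = build_eapol(PC_MAC, SWITCH_MAC, 0, struct.pack("!BBHB", 1, 1, 5, 1))

if __name__ == "__main__":
    for f in (start, req_identity):
        print(classify(f))
```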