10-18-2016 06:14 AM - edited 03-11-2019 12:09 AM
Hello,
Before setting up 802.1x with ISE, users logged on with a script that mapped the network drive.
We deployed 802.1x with the IP phone and PC successfully; however, the logon script is not working now.
Is there any required step to make the logon script work?
ISE: 2.1
Switch: 3750 with 12.2(55)SE10
PC: Win7 (connected to the IP phone)
IP phone: 6921 (connected to switch Fa1/0/4)
Switch config is shown below:
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service linenumber
service sequence-numbers
!
hostname ISESW01
!
boot-start-marker
boot-end-marker
!
enable password 7 xxxxxxxxxxxxxxxxxxxxxx
!
username xxxxxxxxxxx password 7 xxxxxxxxxxxxxxxxxxxx
!
!
aaa new-model
!
!
aaa group server radius ISE
server 10.202.152.91 auth-port 1645 acct-port 1646
server 10.202.152.92 auth-port 1645 acct-port 1646
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization auth-proxy default group ISE
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group ISE
aaa accounting system default start-stop group ISE
!
!
aaa server radius dynamic-author
client 10.202.152.91
client 10.202.152.92
!
aaa session-id common
switch 1 provision ws-c3750v2-48ps
system mtu routing 1500
vtp mode transparent
ip dhcp excluded-address 10.202.21.1 10.202.21.10
ip dhcp excluded-address 10.202.121.196
!
ip dhcp pool testingdhcp
network 10.202.19.0 255.255.255.0
default-router 10.202.19.1
dns-server 10.202.152.21
!
!
ip device tracking
!
mls qos map policed-dscp 0 10 18 24 46 to 8
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 70 30
mls qos srr-queue input threshold 1 80 90
mls qos srr-queue input priority-queue 2 bandwidth 30
mls qos srr-queue input cos-map queue 1 threshold 2 3
mls qos srr-queue input cos-map queue 1 threshold 3 6 7
mls qos srr-queue input cos-map queue 2 threshold 1 4
mls qos srr-queue input dscp-map queue 1 threshold 2 24
mls qos srr-queue input dscp-map queue 1 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue input dscp-map queue 1 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue input dscp-map queue 2 threshold 3 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos queue-set output 1 threshold 1 100 100 50 200
mls qos queue-set output 1 threshold 2 125 125 100 400
mls qos queue-set output 1 threshold 3 100 100 100 400
mls qos queue-set output 1 threshold 4 60 150 50 200
mls qos queue-set output 1 buffers 15 25 40 20
mls qos
!
crypto pki trustpoint TP-self-signed-1210376576
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1210376576
revocation-check none
rsakeypair TP-self-signed-1210376576
!
!
crypto pki certificate chain TP-self-signed-1210376576
certificate self-signed 01
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
quit
auto qos srnd4
dot1x system-auth-control
dot1x critical eapol
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 819 priority 61440
!
vlan internal allocation policy ascending
!
vlan 121
name Voice_Vlan
!
vlan 819
name 19F_VLAN
!
vlan 888,899
!
!
class-map match-all AUTOQOS_VOIP_DATA_CLASS
match ip dscp ef
class-map match-all AUTOQOS_DEFAULT_CLASS
match access-group name AUTOQOS-ACL-DEFAULT
class-map match-all AUTOQOS_VOIP_SIGNAL_CLASS
match ip dscp cs3
class-map match-all AutoQoS-VoIP-RTP-Trust
match ip dscp ef
class-map match-all AutoQoS-VoIP-Control-Trust
match ip dscp cs3 af31
!
!
policy-map AUTOQOS-SRND4-CISCOPHONE-POLICY
class AUTOQOS_VOIP_DATA_CLASS
set dscp ef
police 128000 8000 exceed-action policed-dscp-transmit
class AUTOQOS_VOIP_SIGNAL_CLASS
set dscp cs3
police 32000 8000 exceed-action policed-dscp-transmit
class AUTOQOS_DEFAULT_CLASS
set dscp default
police 10000000 8000 exceed-action policed-dscp-transmit
policy-map AutoQoS-Police-CiscoPhone
class AutoQoS-VoIP-RTP-Trust
set dscp ef
police 320000 8000 exceed-action policed-dscp-transmit
class AutoQoS-VoIP-Control-Trust
set dscp cs3
police 32000 8000 exceed-action policed-dscp-transmit
!
!
!
!
interface FastEthernet1/0/4
switchport access vlan 819
switchport mode access
switchport voice vlan 121
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event no-response action authorize vlan 889
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x
authentication port-control auto
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
!
interface Vlan1
no ip address
!
interface Vlan819
ip address 10.202.19.11 255.255.255.0
!
ip default-gateway 10.202.19.1
ip classless
ip http server
ip http secure-server
!
!
ip access-list extended AUTOQOS-ACL-DEFAULT
permit ip any any
ip access-list extended Redirect
deny udp any eq bootpc any eq bootps
deny udp any any eq bootps
deny udp any any eq domain
deny ip any host 10.202.154.192
permit ip any any
!
!
snmp-server community Cisco123 RO
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server host 10.202.152.91 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxxxxxxx
radius-server host 10.202.152.92 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxxxxxx
radius-server vsa send accounting
radius-server vsa send authentication
11-01-2016 08:18 AM
I had a similar problem when the workstations were set to 'computer or user authentication' within the PEAP settings. What was happening is that the DACL that was used when the computer account was authenticated restricted access to just the DCs etc., but did not include the locations required for the login script. It appears that in Windows 7 the user login script runs before dot1x presents the user credentials to the switch.
So in our case we modified the DACL that is in place for the computer account to permit access to the locations required for the login script (i.e. the network shares servers), and all is working.
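The answer above describes a machine-authentication dACL that reached only the DCs and therefore dropped the SMB traffic to the share server the logon script maps. The following Python is an added example, not code from the original post, from Cisco ISE or from IOS: it dry-runs a dACL written in the IOS extended-ACL syntax that ISE pushes against the flows a Windows 7 logon script needs before the user's credentials are presented, once in the "DCs only" shape and once with the share server added. 10.202.152.21 is the dns-server from the posted switch config; the client (10.202.19.50), DC (10.202.152.30) and file server (10.202.152.40) addresses and the exact ACEs are assumptions for the example.

```python
"""Dry-run a machine-auth dACL against the flows a Windows logon script needs.

Added example for this thread, not code from the original post, ISE or IOS. It
matches a subset of IOS extended-ACL syntax, enough for typical ISE dACL lines:
'permit|deny ip|tcp|udp SRC [eq PORT] DST [eq PORT]', SRC/DST being 'any',
'host A.B.C.D' or 'A.B.C.D WILDCARD'. First match wins; implicit deny at end.
"""
import ipaddress
from typing import List, NamedTuple, Optional

# IOS port keywords seen in the thread's ACLs; numeric ports pass through.
PORT_KEYWORDS = {"bootps": 67, "bootpc": 68, "domain": 53}


class Flow(NamedTuple):
    name: str
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int      # source port is ephemeral, so never equals an 'eq' on SRC


class Ace(NamedTuple):
    action: str     # "permit" or "deny"
    proto: str      # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _port(tok: str) -> int:
    return PORT_KEYWORDS[tok] if tok in PORT_KEYWORDS else int(tok)


def _parse_addr(t: List[str], i: int):
    """Consume one address spec at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    # 'A.B.C.D WILDCARD': the IOS wildcard is an inverse mask. Invert it into a
    # netmask first, because ipaddress would read a 0.0.0.0 wildcard as /0.
    wildcard = int(ipaddress.IPv4Address(t[i + 1]))
    netmask = str(ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF))
    return ipaddress.IPv4Network((t[i], netmask), strict=False), i + 2


def parse_dacl(text: str) -> List[Ace]:
    aces = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("remark"):
            continue
        t = line.split()
        if t[0] not in ("permit", "deny") or t[1] not in ("ip", "tcp", "udp"):
            raise ValueError(f"unsupported ACE: {line}")
        src, i = _parse_addr(t, 2)
        sport, i = (_port(t[i + 1]), i + 2) if i < len(t) and t[i] == "eq" else (None, i)
        dst, i = _parse_addr(t, i)
        dport, i = (_port(t[i + 1]), i + 2) if i < len(t) and t[i] == "eq" else (None, i)
        if i != len(t):
            raise ValueError(f"trailing tokens in ACE: {line}")
        aces.append(Ace(t[0], t[1], src, sport, dst, dport))
    return aces


def evaluate(aces: List[Ace], f: Flow) -> str:
    """First matching ACE decides; IOS appends an implicit 'deny ip any any'."""
    for a in aces:
        if (a.proto in ("ip", f.proto) and a.sport is None
                and ipaddress.IPv4Address(f.src) in a.src
                and ipaddress.IPv4Address(f.dst) in a.dst
                and a.dport in (None, f.dport)):
            return a.action
    return "deny"


def blocked_flows(dacl_text: str, flows: List[Flow]) -> List[str]:
    aces = parse_dacl(dacl_text)
    return [f.name for f in flows if evaluate(aces, f) == "deny"]


# Constructed addresses: DNS is the dns-server from the posted config and the
# client sits in VLAN 819 (10.202.19.0/24); DC and file server are assumed.
CLIENT, DNS = "10.202.19.50", "10.202.152.21"
DC, FILE_SERVER = "10.202.152.30", "10.202.152.40"

# What a drive-mapping logon script needs before the user authenticates to the
# port: DNS, the DC (Kerberos, LDAP, the script on NETLOGON) and the share.
LOGON_SCRIPT_FLOWS = [
    Flow("DNS", "udp", CLIENT, DNS, 53),
    Flow("Kerberos to DC", "tcp", CLIENT, DC, 88),
    Flow("LDAP to DC", "tcp", CLIENT, DC, 389),
    Flow("SMB to DC (NETLOGON share)", "tcp", CLIENT, DC, 445),
    Flow("SMB to file server (mapped drive)", "tcp", CLIENT, FILE_SERVER, 445),
]

# Machine-auth dACL in the shape the answer describes: DHCP, DNS and the DC only.
MACHINE_DACL_BEFORE = """
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit ip any host 10.202.152.30
deny ip any any
"""
# The fix from the answer: also permit the share server the script touches.
MACHINE_DACL_AFTER = MACHINE_DACL_BEFORE.replace(
    "deny ip any any", "permit tcp any host 10.202.152.40 eq 445\ndeny ip any any")
```

Running `blocked_flows(MACHINE_DACL_BEFORE, LOGON_SCRIPT_FLOWS)` names the flow the "DCs only" dACL drops, the SMB session to the file server, and the same call with `MACHINE_DACL_AFTER` returns nothing. The practical point is that whatever ISE authorizes for the machine session has to cover everything that runs before the user's EAP identity is presented; when widening that dACL, add only the share servers and ports the script actually uses, because this policy applies while no user has authenticated yet.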
11-01-2016 10:32 PM
I used the same solution here to solve my problem. However, we allow the PC to reach AD to get the logon script in the pre-auth stage.
11-01-2016 10:46 AM
Use machine-only authentication in Windows, or use Cisco AnyConnect NAM with EAP Chaining; this solves the issue you are most likely having.