04-18-2011 05:31 AM - edited 03-10-2019 06:00 PM
Hello,
I am using Cisco ACS 5.1. I would like to authenticate my IP phones with MAB (Avaya phones) and the computers with dot1x.
Everything works fine except that the phones which are successfully authenticated with MAB try to authenticate again
and again and again ... and this fills up the ACS logs. Every authentication is successful and the phone does not hang up. But this fills
up my logs and makes them useless.
switch version: cat4500-ipbasek9-mz.122-53.SG3.bin
port config:
interface FastEthernet2/25
switchport access vlan 107
switchport mode access
switchport voice vlan 502
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no logging event link-status
load-interval 60
speed 100
duplex full
qos vlan-based
authentication event fail action authorize vlan 109
authentication event server dead action authorize vlan 101
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 30
dot1x timeout server-timeout 25
dot1x timeout tx-period 15
dot1x timeout supp-timeout 25
dot1x max-req 3
tx-queue 3
priority high
no cdp enable
spanning-tree portfast
ip dhcp snooping limit rate 10
end
Thanks,
Andras
04-18-2011 07:39 AM
Hi,
If you remove the commands:
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
Do the phones stop authenticating every minute?
Please note that you have set the aging time to 1 minute, which means that if the phone is not sending any traffic, the switch will delete its MAC address from the MAC table; therefore, the dot1x process will kick in.
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
04-19-2011 01:11 AM
Hi,
This was the solution. Removing "switchport port-security aging time 1" from the port-config.
Thanks,
Andras
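A way to audit a saved running-config for the combination diagnosed in this thread (MAB on a port that also ages out secure MAC addresses on inactivity after a very short time). This is an added example, not code from the thread or from Cisco; the function names and the 5-minute threshold are assumptions, and the sample config is constructed from the port config posted above.

```python
import re

# Constructed sample: Fa2/25 is trimmed from the port config posted above;
# Fa2/26 is a made-up port without inactivity aging, for contrast.
SAMPLE_CONFIG = """\
interface FastEthernet2/25
 switchport port-security maximum 3
 switchport port-security
 switchport port-security aging time 1
 switchport port-security aging type inactivity
 authentication order dot1x mab
 authentication port-control auto
 mab
!
interface FastEthernet2/26
 switchport port-security maximum 3
 switchport port-security
 authentication port-control auto
 mab
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line in ("!", "end", ""):
            current = None          # end of the interface block
        elif current is not None:
            current.append(line)
    return blocks

def find_reauth_churn(config, max_minutes=5):
    """Flag MAB ports whose port-security inactivity aging is max_minutes or less.

    max_minutes is an assumed threshold; the thread only establishes 1 minute.
    """
    findings = []
    for name, cmds in parse_interfaces(config).items():
        aging = [int(c.rsplit(None, 1)[1]) for c in cmds
                 if re.fullmatch(r"switchport port-security aging time \d+", c)]
        if ("mab" in cmds and "switchport port-security" in cmds
                and "switchport port-security aging type inactivity" in cmds
                and aging and aging[-1] <= max_minutes):
            findings.append((name, aging[-1]))
    return findings
```

Calling find_reauth_churn() on the text of a saved config returns (interface, aging minutes) pairs for ports likely to produce repeated MAB authentications in the ACS logs.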