08-26-2013 04:50 AM - edited 03-10-2019 08:49 PM
Dears,
I have a strange issue with dot1x: when I configured the port as multi-domain, it works if an IP phone is connected.
If the IP phone is removed and a PC is connected directly to the switch port, the PC can't work properly although it is authenticated, authorized and has the proper IP address.
When I changed to single-host, it works properly.
Thanks,
Ibrahim
08-27-2013 09:20 PM
Hello Ibrahim
This is really a strange issue. However, please review the few steps given below:
Enable Multi-Auth host mode. Multi-Auth is essentially a superset of Multi-Domain Authentication (MDA). MDA only allows a single endpoint in the data domain. When multi-auth is configured, a single authenticated phone is allowed in the voice domain (as with MDA) but an unlimited number of data devices can be authenticated in the data domain.
! Allow voice + multiple endpoints on same physical access port
authentication host-mode multi-auth
• Ensure that the RADIUS probe is enabled in Cisco ISE.
• Ensure that network access devices support an IOS sensor for collecting DHCP, CDP, and LLDP information.
• Ensure that network access devices run the following CDP and LLDP commands to capture CDP and LLDP information from endpoints:
cdp enable
lldp run
• Ensure that session accounting is enabled separately, by using the standard AAA and RADIUS commands.
For example, use the following commands:
aaa new-model
aaa accounting dot1x default start-stop group radius
radius-server host
radius-server vsa send accounting
Thanks:
Muhammad Munir
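An added example, not part of any post in this thread: a small audit of a saved switch configuration that reports the 802.1X host mode in effect on each authenticating port and which of the global commands from the checklist above are absent. The sample configuration, port names and the audit function are constructed for illustration; a port with no host-mode line is reported as single-host, the IOS default.

```python
import re

# Constructed sample config (not from the thread); port names and VLAN are made up.
SAMPLE_CONFIG = """\
aaa new-model
aaa accounting dot1x default start-stop group radius
radius-server vsa send accounting
lldp run
interface GigabitEthernet1/0/1
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
interface GigabitEthernet1/0/2
 authentication host-mode multi-auth
 authentication port-control auto
interface GigabitEthernet1/0/3
 authentication port-control auto
interface GigabitEthernet1/0/4
 switchport mode access
"""

# Global commands named in the reply's checklist.
REQUIRED_GLOBALS = ["aaa new-model",
    "aaa accounting dot1x default start-stop group radius",
    "radius-server vsa send accounting", "lldp run"]

def audit(config):
    """Return ({port: host_mode}, [missing global commands])."""
    seen, ports, current = set(), {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split()[1]
            ports[current] = []
        elif raw.startswith(" ") and current:
            ports[current].append(raw.strip())
        else:
            current = None
            seen.add(raw.strip())
    modes = {}
    for name, lines in ports.items():
        if "authentication port-control auto" not in lines:
            continue  # port does not enforce authentication
        mode = "single-host"  # IOS default when no host-mode line is present
        for line in lines:
            m = re.fullmatch(r"authentication host-mode (\S+)", line)
            if m:
                mode = m.group(1)
        modes[name] = mode
    return modes, [g for g in REQUIRED_GLOBALS if g not in seen]
```

Ports reported as multi-auth are the ones where the number of authenticated data devices is not capped, so they are worth reviewing against the intended access policy.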
09-05-2013 08:10 AM
Specify the settings here to ensure the switch is able to appropriately handle RADIUS Change of Authorization behavior supporting Posture functions from Cisco ISE.
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_sw_cnfg.pdf