authentication host-mode

ibrahim_hassan · ‎08-26-2013

Dears,

i have strange issue with dot1x , when i configured the port as multi-domain it is working if IP phone connected.

if IP phone removed and PC connected directly to the switch port the PC can't work properly although it authentciated ,autorized and have the proper IP address.

when i changed to single-host it is working properly.

Thanks,

Ibrahim

Muhammad Munir · ‎08-27-2013

Hello Ibrahim

This is really a strange issue. However please review the few steps which are given below:

Enable Multi-Auth host mode. Multi-Auth is essentially a superset of Multi-Domain Authentication

(MDA). MDA only allows a single endpoint in the data domain. When multi-auth is configured, a single

authenticated phone is allowed in the voice domain (as with MDA) but an unlimited number of data

devices can be authenticated in the data domain.

! Allow voice + multiple endpoints on same physical access port

authentication host-mode multi-auth

• Ensure that the RADIUS probe is enabled in Cisco ISE.

• Ensure that network access devices support an IOS sensor for collecting DHCP, CDP, and LLDP

information.

• Ensure that network access devices run the following CDP and LLDP commands to capture CDP

and LLDP information from endpoints:

cdp enable

lldp run

• Ensure that session accounting is enabled separately, by using the standard AAA and RADIUS

commands.

For example, use the following commands:

aaa new-model

aaa accounting dot1x default start-stop group radius

radius-server host auth-port acct-port key

radius-server vsa send accounting

Thanks:

Muhammad Munir

aqjaved · ‎09-05-2013

Specify the settings here to ensure the switch is able to appropriately handle RADIUS Change of Authorization behavior supporting Posture functions from Cisco ISE.

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_sw_cnfg.pdf