08-06-2014 11:43 AM - edited 03-10-2019 09:55 PM
Hi dears,
I configured wired users from Cisco ISE. The authentication protocol is EAP-FAST, the external device is DC. The wired users authenticate from ISE normally. I used the labminutes web site for configuration videos.
Now the customer also wants the Cisco phone to authenticate from ISE. The physical connection is this: a cable connects the switch to the phone, and one cable is connected from the phone to the PC (standard physical connection).
I created a new authentication policy using MAB, and a new authorization policy.
The problem is: the phone authenticates normally, but the wired user tries to authenticate and cannot.
Can someone provide me a best-practice configuration on ISE and the switch for phone and wired user authentication, or please tell me the source of the problem?
Thanks.
08-06-2014 06:41 PM
Can you share the switch-side port configuration? Also show the output of
show authentication sessions interface fastEthernet..
08-07-2014 03:36 AM
interface GigabitEthernet1/0/48
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 14
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 20
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
Do you need the ISE configuration?
08-08-2014 05:23 AM
I would use <authentication host-mode multi-auth> with caution. In that state it is possible for a switch or hub to be attached to the phone and multiple devices attached to the hub.
With <authentication host-mode multi-domain> you restrict it to one device per domain: 1 phone and 1 data device. Any more than that and the port is err-disabled.
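Added example, not part of the thread and not Cisco code: a short Python audit that reads IOS interface stanzas and reports which authenticated phone ports use multi-auth instead of multi-domain. The sample configuration is constructed (the thread's port, abridged, plus a hypothetical second port), and the function and key names are assumptions of this example.

```python
import re

# Constructed sample: the thread's port (abridged) plus a hypothetical second
# port that uses multi-domain, so both results are visible.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/48
 switchport voice vlan 14
 authentication host-mode multi-auth
 authentication port-control auto
 authentication violation restrict
!
interface GigabitEthernet1/0/47
 switchport voice vlan 14
 authentication host-mode multi-domain
 authentication port-control auto
"""

def parse_interfaces(text):
    """Return {interface name: [sub-commands]} from IOS running-config text."""
    interfaces, current = {}, None
    for line in text.splitlines():
        match = re.match(r"interface\s+(\S+)", line)
        if match:
            current = interfaces.setdefault(match.group(1), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the stanza
    return interfaces

def setting(cmds, prefix, default):
    """Last word of the first sub-command starting with prefix, else default."""
    return next((c.split()[-1] for c in cmds if c.startswith(prefix)), default)

def audit_host_mode(text):
    """Report host mode per authenticated port and flag multi-auth phone ports."""
    report = {}
    for name, cmds in parse_interfaces(text).items():
        if "authentication port-control auto" not in cmds:
            continue  # port is not doing 802.1X/MAB
        # Defaults below are the IOS defaults when the command is absent.
        mode = setting(cmds, "authentication host-mode ", "single-host")
        violation = setting(cmds, "authentication violation ", "shutdown")
        voice = any(c.startswith("switchport voice vlan") for c in cmds)
        report[name] = {"host_mode": mode, "violation": violation,
                        "multiple_data_hosts_allowed": voice and mode == "multi-auth"}
    return report
```

Calling `audit_host_mode()` on the text of `show running-config` returns one entry per port with `authentication port-control auto`; the `violation` value is the configured action taken when a port exceeds its host-mode limit.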
08-19-2014 10:12 PM
Your switch interface configuration seems to be fine for authenticating a phone with a PC connected behind it. If you can provide a screenshot of the live authentication, then we can find the reason why it's failing.
08-07-2014 04:32 AM
Please provide me any documentation on how to configure an IP phone and the PC behind it from ISE. I did not find any documentation.
08-07-2014 05:20 PM
Can you provide the output from the following command:
show authentication session interface interface_name
Replace interface_name with the interface that the phone/PC are connecting to.
Also, please provide answers to the following questions:
1. What happens if you plug in the PC directly (bypassing the phone)
2. Model and firmware of Cisco Phone
3. PC OS type and supplicant used
4. Make, model and OS version of switch
Thank you for rating helpful posts!
08-07-2014 11:38 PM
Thank you for your help.
When I connect only the PC to that switch port, authentication is OK (working normally). When I connect both of them to the same port, the phone authenticates normally. The PC tries to authenticate but cannot. I think it is an authorization problem. Do you need the ISE configuration?
PC: Windows 7
Sw: Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 12.2(55)SE7,
I can connect to the site remotely. I will send you the other information ASAP.
08-08-2014 01:16 AM
The more info you provide the better :) In addition to what I already requested, please post screenshots from the live authentication screen and then a screenshot from the detailed screen for the MAC address of the PC (when it fails authentication).