11-19-2015 03:19 AM - edited 03-10-2019 11:15 PM
Hi Friends,
We are facing a delay issue with Cisco ISE 1.4 and Avaya phones.
Currently we are running with MDA and have multiple flavors of Avaya phones. We observed that 802.1X authentication happens flawlessly, but MAB authentication for the Avaya phones is delayed.
To be precise, the Avaya phones keep sending DHCP requests and only get DHCP after 60 sec, which is quite long.
Can anyone help with how we can reduce this? On normal ports it takes less than 5 sec.
Current switch port config:
switchport access vlan XX
switchport mode access
switchport voice vlan XX
ip access-group ISE-ALL in
authentication event fail action next-method
authentication event server dead action authorize vlan XX
authentication event server dead action authorize voic XX
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x mac-auth-bypass
dot1x timeout tx-period 10
Thanks in advance
11-19-2015 07:39 AM
Hi Pranav,
The switch starts with dot1x; if that fails, it starts using MAB. You can easily achieve your goal by changing the 'authentication order'. Alternatively, you have to tune the timers.
Regards, Jan-Willem Molenaar
11-19-2015 09:03 AM
Hi jwmolenaar,
Thanks for the reply. We want to achieve dot1x auth first and then MAB; that's why we have set the order to dot1x first, then mab.
Can you tell me how to achieve this by tuning the timers? Currently we observe that even if we set the dot1x timeout to 5 sec, the dot1x-to-MAB failover still happens after 15 sec.
11-19-2015 09:28 AM
Hi Pranav,
Then you already made good progress since the default is 90 seconds :)
Tuning the timers is a combination of 'dot1x timeout tx-period' and 'dot1x max-reauth-req'.
Please have a look at the following url: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html#wp387271
Regards, Jan-Willem
11-25-2015 08:57 PM
Hi Jan-Willem,
Thanks for your support, but now if we change the dot1x timers (tx-period 2 sec and reauth-req 1) and shut/no shut the interface, then my domain machine is hitting 2 sec.
If we keep the timers at default, everything works as expected (first machine auth, then user auth), but Avaya phone registration does not work.
Can you advise on this?
Thanks in advance
11-30-2015 01:59 AM
Hi Pranav,
Tuning the timers is always hard and depends on the environment. Therefore I prefer the order MAB first and Dot1x second. Of course with priority Dot1x first and MAB second.
I'm not 100% sure, but if I am correct dot1x starts immediately if an endpoint sends an EAPoL-Start. Additionally the switch is configured with fallback to Dot1x with a higher priority, so the switch will always initiate an EAP Request-Identity after the MAB timeout.
This is my default approach...
If someone has additions or comments, please feel free.
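The two approaches discussed in this thread, side by side, as an added example that is not part of any participant's post. The interface name is a placeholder and the timer values are illustrative; the fallback arithmetic is the standard IOS behaviour for an endpoint that never answers EAP.

```cisco
! Added example. Interface name is a placeholder; values are illustrative.
!
! Time before the switch gives up on 802.1X and starts MAB for an endpoint
! that does not respond to EAP Request-Identity:
!   (max-reauth-req + 1) x tx-period
!   defaults:             (2 + 1) x 30 = 90 s
!   tx-period 5, retries default: (2 + 1) x 5 = 15 s
!
! Option A: keep 802.1X first and shorten the fallback window
interface GigabitEthernet1/0/1
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 ! MAB starts after (2 + 1) x 10 = 30 s
!
! Option B (alternative to A): MAB first, 802.1X keeps the higher priority
interface GigabitEthernet1/0/1
 authentication order mab dot1x
 authentication priority dot1x mab
 ! Phones are tried with MAB as soon as their MAC is learned.
 ! A supplicant that sends EAPoL-Start still moves to 802.1X because
 ! dot1x is listed first in the priority line.
```

With option B every endpoint's MAC address is sent to ISE before 802.1X is attempted, so the MAB authorization policy must not grant domain machines more access than their 802.1X result would.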
12-05-2015 02:48 AM
Hi jwmolenaar,
Thanks for the reply. Whenever I try to adjust the timers, the machine hits MAB even if the dot1x service is enabled on the machine.
Regards
Pranav