Cisco ISE 1.4 with Avaya Phone(MDA)

Pranav Gade

Hi Friends,

 

We are facing a delay issue with Cisco ISE 1.4 and Avaya Phone.

Currently we are running with MDA and have multiple flavors of Avaya phones. We observed that 802.1x authentication happens flawlessly, but MAB authentication is delayed for the Avaya phones.

To be precise, the Avaya phones keep sending DHCP requests and get DHCP only after 60 sec, which is quite a lot.

Can anyone help us reduce this? On normal ports it takes less than 5 sec.

 

Current switch port config

 

switchport access vlan XX
switchport mode access
switchport voice vlan XX
ip access-group ISE-ALL in
authentication event fail action next-method
authentication event server dead action authorize vlan XX
authentication event server dead action authorize voic XX
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x mac-auth-bypass
dot1x timeout tx-period 10 

 

Thanks in advance


jwmolenaar

Hi Pranav,

The switch starts with dot1x; if that fails it starts using MAB. You can easily achieve your goal by changing the 'authentication order'. Alternatively, you have to tune the timers.

Regards, Jan-Willem Molenaar

Hi jwmolenaar,

Thanks for the reply. We want to achieve dot1x auth first and then MAB; that's why we have set the order to dot1x first, then mab.

Can you tell me how to achieve this by tuning the timers? Currently we observe that even if we set the dot1x timeout to 5 sec, the dot1x to MAB failover still happens after 15 sec.

Hi Pranav,

Then you already made good progress, since the default is 90 seconds :)
Tuning the timers is a combination of 'dot1x timeout tx-period' and 'dot1x max-reauth-req'.

Please have a look at the following url: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html#wp387271

Regards, Jan-Willem
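How the two commands named in the reply above combine, as an added example that is not part of the original thread: with dot1x first in the order, a silent endpoint reaches MAB after (max-reauth-req + 1) × tx-period seconds. The defaults of 30 and 2 and the default order are assumptions (they give the 90 seconds quoted above), the function names are hypothetical, and the sample config is constructed from the lines posted in the question.

```python
import re

# Assumed IOS defaults: tx-period 30 s and max-reauth-req 2 give the
# 90 s default mentioned in the thread; order defaults to dot1x, then mab.
DEFAULT_TX_PERIOD = 30
DEFAULT_MAX_REAUTH_REQ = 2
DEFAULT_ORDER = ["dot1x", "mab"]

# Constructed excerpt of the interface config posted in the question.
THREAD_CONFIG = """
authentication order dot1x mab
authentication priority dot1x mab
mab
dot1x pae authenticator
dot1x timeout tx-period 10
"""

def parse_dot1x_timers(config):
    """Pull tx-period, max-reauth-req and method order out of interface config."""
    t = {"tx_period": DEFAULT_TX_PERIOD,
         "max_reauth_req": DEFAULT_MAX_REAUTH_REQ,
         "order": list(DEFAULT_ORDER)}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"dot1x timeout tx-period (\d+)", line):
            t["tx_period"] = int(m.group(1))
        elif m := re.fullmatch(r"dot1x max-reauth-req (\d+)", line):
            t["max_reauth_req"] = int(m.group(1))
        elif m := re.fullmatch(r"authentication order (.+)", line):
            t["order"] = m.group(1).split()
    return t

def mab_fallback_seconds(config):
    """Seconds a device without a supplicant waits on 802.1X before MAB starts."""
    t = parse_dot1x_timers(config)
    if "mab" not in t["order"]:
        raise ValueError("MAB is not in the authentication order")
    if t["order"][0] == "mab":
        return 0  # MAB is tried first, so there is no 802.1X timeout to wait out
    # One initial EAP Request-Identity plus max-reauth-req retries,
    # each waiting tx-period seconds for a response.
    return (t["max_reauth_req"] + 1) * t["tx_period"]

if __name__ == "__main__":
    print("posted config:", mab_fallback_seconds(THREAD_CONFIG), "s")
    print("tx-period 5:  ", mab_fallback_seconds("dot1x timeout tx-period 5"), "s")
```

With tx-period 5 and the default retry count this gives 15 seconds, which matches the failover time reported in the question above.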

Hi Jan-Willem,

Thanks for your support, but now if we change the dot1x timers (tx-period - 2 sec and reauth-req - 1) and try to shut/no shut the interface, then my domain machine is hitting to 2 sec.

If we keep the timers at default, all is working as expected, first machine auth then user auth, but Avaya phone registration is not working.

Can you suggest something on the same?

Thanks in advance

Hi Pranav,

Tuning the timers is always hard and depends on the environment. Therefore I prefer the order MAB and second Dot1x. Of course with prio Dot1x and second MAB.

I'm not 100% sure, but if I am correct dot1x starts immediately if an endpoint sends an EAPoL start. Additionally the switch is configured with fallback of Dot1x including a higher prio, so the switch will always initiate an EAP Request-Identity after MAB timeout.

This is my default approach...

If someone has additions or comments, please feel free.

Hi jwmolenaar,


Thanks for the reply. Whenever I try to tackle the timers, it is hitting MAB for the machine even if the dot1x service is enabled on the machine.


Regards

Pranav
