03-30-2020 06:51 AM - edited 03-30-2020 06:56 AM
Hello everyone,
I have a problem, guys.
I use one standalone Cisco ISE v2.4 in the building; 500 to 800 users are working.
"Now, the map authentication side is actively working."
AnyConnect is installed on all computers and the config is ready, and when I activate the ports on the switch, I see that there is authentication on them, so the system is working.
But there is no authentication at all when I restart the computers. The system that was running before restarting the computers does not work after restarting them. Authentication does not work when I restart computers, and for non-authenticated users, the AnyConnect software asks for a username and password.
Meanwhile, I upgraded the patch updates and I made switch firmware updates. There are also switches of different brands in operation: Juniper, Alcatel, Huawei.
I request your support on this matter, friends.
Thanks,
I'm sending the config information in the attachment.
'''
aaa authentication login default group XX_tacacs local
aaa authentication login console local
aaa authentication login CONSOLE none
aaa authentication dot1x default group radius
aaa authorization config-commands
aaa authorization exec default group XX_tacacs local if-authenticated
aaa authorization exec CONSOLE none
aaa authorization commands 1 default group XX_tacacs local if-authenticated
aaa authorization commands 15 default group XX_tacacs local if-authenticated
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group baro_tacacs
aaa accounting commands 1 default start-stop group XX_tacacs
aaa accounting commands 15 default start-stop group XX_tacacs
'''
Port config:
interface GigabitEthernet1/0/3
 switchport mode access
 switchport voice vlan 40
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 power inline port 2x-mode
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 1
 spanning-tree portfast
 spanning-tree bpduguard enable
05-16-2020 05:34 PM - edited 05-16-2020 05:35 PM
It's time to call TAC.
In the future, please provide relevant configurations and errors in the beginning of your post to make it faster and easier for people to provide suggestions. See How to Ask The Community for Help.
03-30-2020 05:35 PM
NEVER use Port Security with 802.1X.
You must disable Port Security if you want to use 802.1X.
'authentication host-mode multi-domain' will ensure you only have 1 endpoint each on the Voice VLAN and Data VLAN.
03-31-2020 04:43 AM
03-30-2020 11:40 PM
Hi,
As you're running multi-domain mode, do your computers attach to the IP Phones, or directly to the switch? Also, you should be removing port-security, as the moment you have authentication configured on the port, port-security is kinda built-in, and based on the host mode, one or multiple MAC addresses are allowed.
What is the OS on your computers, and do you use the native supplicant or AnyConnect NAM module?
Regards,
Cristian Matei.
03-31-2020 04:46 AM
03-31-2020 10:04 AM
Then what is your AnyConnect configuration?
04-01-2020 07:35 AM - edited 04-01-2020 07:37 AM
04-01-2020 07:36 AM
04-18-2020 04:32 PM
04-18-2020 07:36 PM
Can you check the setting below on NAM under Client Policy, and whether the Connection Attempt is selected as "After user login"?
04-19-2020 06:18 AM
Thank you for your answer, buddy.
The settings are this way.
What is it supposed to be?
Can you send me a sample that works smoothly?
Thank you.
04-22-2020 08:50 AM
There are so many CCIEs here, and nobody knows what this problem is.
05-08-2020 02:13 PM
05-12-2020 01:49 PM
Did you disable Port Security on the switchports first then try AnyConnect?
802.1X and Port Security will fight for control of the port.
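An added example, not part of the thread or any poster's code: a Python check that scans IOS-style interface blocks for the combination the replies above warn against, `switchport port-security` on a port that also runs 802.1X/MAB. The sample config is constructed from the port posted in the thread plus a hypothetical second port, the function names are this example's own, and it assumes interface blocks end at `!` or a blank line.

```python
# Constructed sample: the port posted in the thread plus a hypothetical Gi1/0/4.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/3
 switchport mode access
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/4
 authentication port-control auto
 mab
 dot1x pae authenticator
!
"""

AUTH_PREFIXES = ("authentication port-control auto", "dot1x pae authenticator")


def parse_interfaces(config_text):
    """Map interface name -> sub-commands (assumed block end: '!' or blank line)."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()  # stripped, so a paste that lost its indentation still parses
        if line.lower().startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line in ("", "!"):
            current = None
        elif current is not None:
            current.append(line)
    return interfaces


def audit_port_security(config_text):
    """Return {interface: [port-security lines]} for ports that also run 802.1X/MAB."""
    findings = {}
    for name, cmds in parse_interfaces(config_text).items():
        runs_auth = any(c.split()[0] == "mab" or c.startswith(AUTH_PREFIXES) for c in cmds)
        port_sec = [c for c in cmds if c.startswith("switchport port-security")]
        if runs_auth and port_sec:
            findings[name] = port_sec
    return findings


if __name__ == "__main__":
    for iface, cmds in audit_port_security(SAMPLE_CONFIG).items():
        print(f"{iface}: port-security on an 802.1X/MAB port -> {cmds}")
```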
05-14-2020 03:16 AM