11-25-2018 08:49 AM
Hi Guys
Please help me to overcome one general issue from the ISE side. When we put the 'authentication open' command in the port configuration, all the endpoints are getting full access to the network for a certain period.
But when we remove this command from the port, then Cisco IP phones are not getting an IP. We confirmed IP phones are getting authenticated and authorized in ISE.
12-03-2018 08:24 AM
Hi Team,
I got a solution to overcome this issue.
I had removed the 'authentication open' command from the port and added 'dot1x critical eapol' in the global configuration.
With these changes, initial access was denied and also IP phones are getting an IP.
Thanks for your support
11-25-2018 09:01 AM
Authentication open command will allow unrestricted Layer 2 access to the network even before any authentication has succeeded.
If ISE is authenticating and authorizing properly, then you need to check on the switch. Check the output of "show authentication session interface <>"
Have you configured dynamic authorization on switch?
11-26-2018 04:41 AM
Hi Pan,
Thanks for your reply. Yes, we had configured dynamic authorization on the switch.
Please find the session details from the switch and the port configuration:
ACCESS-SW-01#sh authentication sessions interface GigabitEthernet2/0/43
Interface: GigabitEthernet2/0/43
MAC Address: 0021.55d4.xxxx
IP Address: 192.18.69.39
User-Name: 00-21-55-D4-xx-xx
Status: Authz Success
Domain: VOICE
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-57452910
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC12FA6500005BD3671A05BC
Acct Session ID: 0x000063B8
Handle: 0xED0005DE
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
interface GigabitEthernet2/0/43
description *****Connected to Users*****
switchport access vlan 107
switchport mode access
switchport voice vlan 269
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 10.00
storm-control multicast level 20.00
storm-control action shutdown
storm-control action trap
spanning-tree portfast
end
Looking forward to your response.
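A small parser for the "sh authentication sessions interface" output posted above, added here as an example and not part of the original thread. It takes the session block exactly as the switch prints it (the sample is a constructed copy of the output above, MAC octets masked as in the post), splits the header fields from the "Runnable methods list" table, and reports which method actually admitted the endpoint plus the points a defender would want to confirm: that 802.1X failed over to MAB (so the endpoint is admitted on its MAC address alone), whether the downloadable ACL is permit-all, whether the session is MACsec-protected, and whether an IP address was learned. The field names are the ones visible in the posted output; the checks are my own.

```python
# Constructed sample: same field layout as the "sh authentication sessions
# interface GigabitEthernet2/0/43" output in the thread (MAC masked as posted).
SAMPLE_SESSION = """\
Interface: GigabitEthernet2/0/43
MAC Address: 0021.55d4.xxxx
IP Address: 192.18.69.39
User-Name: 00-21-55-D4-xx-xx
Status: Authz Success
Domain: VOICE
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-57452910
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC12FA6500005BD3671A05BC
Acct Session ID: 0x000063B8
Handle: 0xED0005DE
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
"""


def parse_session(text):
    """Split the show output into header fields and the per-method state table."""
    fields, methods = {}, {}
    in_methods = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Runnable methods list"):
            in_methods = True
            continue
        if in_methods:
            if line.startswith("Method"):  # column header row of the table
                continue
            name, _, state = line.partition(" ")  # e.g. "mab Authc Success"
            methods[name] = state.strip()
        else:
            key, sep, value = line.partition(":")  # "Key: value" header lines
            if sep:
                fields[key.strip()] = value.strip()
    return fields, methods


def assess_session(text):
    """Summarise how the endpoint was admitted and list what to verify."""
    fields, methods = parse_session(text)
    # The method whose state is "Authc Success" is the one that admitted the host.
    winner = next((m for m, s in methods.items() if s == "Authc Success"), None)
    dacl = fields.get("ACS ACL", "")
    notes = []
    if methods.get("dot1x") == "Failed over" and winner == "mab":
        notes.append("802.1X timed out; endpoint admitted by MAB, i.e. on MAC address alone")
    if "PERMIT_ALL" in dacl.upper():
        notes.append("downloadable ACL is permit-all; confirm ISE intends that for this domain")
    if fields.get("Security Status") == "Unsecure":
        notes.append("session is not MACsec-protected")
    if fields.get("Status") == "Authz Success" and not fields.get("IP Address"):
        notes.append("authorized but no IP learned; compare DHCP timing with the dot1x/MAB fallback")
    return {
        "authorized": fields.get("Status") == "Authz Success",
        "method": winner,
        "domain": fields.get("Domain"),
        "ip": fields.get("IP Address"),
        "dacl": dacl,
        "notes": notes,
    }


if __name__ == "__main__":
    for key, value in assess_session(SAMPLE_SESSION).items():
        print(f"{key}: {value}")
```

Run against the posted session it reports the phone as authorized in the VOICE domain by MAB after dot1x failed over, with a permit-all dACL; the same function can be pointed at a pasted session from any other port to get the same summary.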
11-26-2018 04:52 AM
Change the order from "authentication order dot1x mab" to "authentication order mab dot1x", then do shut / no shut.
Then search for the MAC address of the IP phone in the live logs and check if there is anything failing there.
Share the output of "sh authentication sessions interface GigabitEthernet2/0/43" again.
What have you configured in "ip access-group ACL-ALLOW in"? Remove it and check.
11-26-2018 05:01 AM - edited 11-26-2018 05:13 AM
Hi
You are using dot1x and then MAB with a tx-period of 10 seconds. This will require 30 seconds before MAB occurs. How long is the DHCP timeout on the phones? There are two alternatives to test/correct the issue: lower the tx-period or reverse the dot1x/MAB sequence. To start I would lower the tx-period to 6 seconds, which is a setting that is working out in several different environments.
interface GigabitEthernet2/0/43
dot1x timeout tx-period 6
//Martin
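A timing model for the fallback Martin describes, added here as an example and not part of the original thread. With order "dot1x mab", the switch sends an EAP Request-Identity at link-up, retransmits it max-reauth-req times, waits one more tx-period, and only then falls through to MAB; the 30 seconds quoted above is tx-period 10 with the IOS default max-reauth-req of 2, which the model assumes (the posted config does not set it). The functions compute the EAPOL send times, the delay before MAB, and the time until an endpoint that never answers EAP (like the phone above, whose dot1x state is "Failed over") is authorized, for each of the two alternatives named in the thread. The DHCP timeout and the MAB RADIUS round-trip are parameters you supply; the values in compare_options are constructed for illustration, not phone measurements.

```python
# Assumed IOS defaults, not taken from the thread: tx-period 30 s, max-reauth-req 2.
DEFAULT_TX_PERIOD = 30
DEFAULT_MAX_REAUTH_REQ = 2


def eapol_request_times(tx_period, max_reauth_req=DEFAULT_MAX_REAUTH_REQ):
    """Seconds after link-up at which each EAP Request-Identity is sent."""
    return [i * tx_period for i in range(max_reauth_req + 1)]


def seconds_until_mab(tx_period, max_reauth_req=DEFAULT_MAX_REAUTH_REQ):
    """Delay before the switch gives up on 802.1X and falls through to MAB."""
    # Initial request + max_reauth_req retransmits, each followed by a tx_period wait.
    return tx_period * (max_reauth_req + 1)


def first_access_delay(order, tx_period, max_reauth_req=DEFAULT_MAX_REAUTH_REQ, mab_rtt=1):
    """Seconds until an endpoint that never answers EAP is authorized by MAB.

    order is the 'authentication order' tuple, e.g. ("dot1x", "mab").
    mab_rtt is the assumed MAB RADIUS round-trip in seconds.
    """
    if order[0] == "mab":
        return mab_rtt  # MAB runs first; no 802.1X timeout to wait out
    return seconds_until_mab(tx_period, max_reauth_req) + mab_rtt


def dhcp_survives(order, tx_period, dhcp_timeout,
                  max_reauth_req=DEFAULT_MAX_REAUTH_REQ, mab_rtt=1):
    """True if the port is authorized before the client's DHCP attempt gives up."""
    return first_access_delay(order, tx_period, max_reauth_req, mab_rtt) < dhcp_timeout


def compare_options(dhcp_timeout, max_reauth_req=DEFAULT_MAX_REAUTH_REQ, mab_rtt=1):
    """Side-by-side result for the posted config and the two fixes proposed above."""
    options = {
        "as posted (dot1x mab, tx 10)": (("dot1x", "mab"), 10),
        "lower tx-period (dot1x mab, tx 6)": (("dot1x", "mab"), 6),
        "reverse order (mab dot1x, tx 10)": (("mab", "dot1x"), 10),
    }
    return {
        name: {
            "authorized_after_s": first_access_delay(order, tx, max_reauth_req, mab_rtt),
            "dhcp_ok": dhcp_survives(order, tx, dhcp_timeout, max_reauth_req, mab_rtt),
        }
        for name, (order, tx) in options.items()
    }


if __name__ == "__main__":
    # Constructed value: a client that abandons DHCP after 25 s.
    for name, result in compare_options(dhcp_timeout=25).items():
        print(f"{name}: {result}")
```

Lowering tx-period shrinks the whole window (3 x 6 = 18 s before MAB instead of 30 s) without changing which method is tried first, which is why it is the safer first step; reversing the order removes the wait entirely but, as the next reply notes, makes 802.1X depend on the endpoint initiating it.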
11-26-2018 05:10 AM
I agree with Martin in trying to lower the tx-period first. In all my closed mode installs I have never had to reverse the order to "mab dot1x". There are ramifications to reversing the order. If you do order "mab dot1x" first you are requiring the OS to initiate Dot1x. Some OS versions (Macs are an example) are only responders to Dot1x.
11-26-2018 08:58 AM
Sure, I will do these changes and update you.