03-19-2015 05:28 AM - edited 03-10-2019 10:33 PM
Hi
On a Catalyst 2960, I'm trying to allow an IP phone and a computer on the same port, and verify those devices against RADIUS (ISE). Unauthenticated devices should be placed in the guest VLAN. In the event of a RADIUS failure, no device should be placed in guest, but go to the access VLAN.
When authentication fails for a device, it goes to guest VLAN 50, as desired. When RADIUS is down, it should bypass authentication and go to the access VLAN, but it does not. Why?
My port setting and RADIUS setup looks like this:
interface GigabitEthernet1/0/5
switchport access vlan 5
switchport mode access
switchport voice vlan 6
authentication event server dead action authorize vlan 5
authentication event server dead action authorize voice
authentication event no-response action authorize vlan 50
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
mls qos trust dscp
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server dead-criteria time 120
radius-server retry method reorder
radius-server transaction max-tries 3
!
radius server ISE
address ipv4 [omitted by me] auth-port 1812 acct-port 1813
key [omitted by me]
Output from switch when I connect:
%DOT1X-5-FAIL: Authentication failed for client (001e.330c.7871) on Interface Gi1/0/5 AuditSessionID C0A80BDC0000008F013B8CF6
Mar 30 07:12:28.821: AAA/AUTHEN/8021X (00000000): Pick method list 'default'
Mar 30 07:12:28.821: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified
Regards
Kjetil
05-29-2015 08:40 AM
Hi
For me it gets worse... I want it to go to VlanGuest and it won't... ever... I compared my port configuration with yours and it's almost identical...
Config from my port:
interface FastEthernet0/28
switchport access vlan 100
switchport mode access
switchport nonegotiate
switchport voice vlan 113
switchport port-security maximum 2
switchport port-security
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication event fail action authorize vlan 165
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
authentication timer restart 120
authentication timer reauthenticate server
authentication timer inactivity 600
mab
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
dot1x pae authenticator
storm-control broadcast level 20.00
storm-control action trap
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard loop
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
end
Errors from switch when plugging to the port
045739: May 29 16:35:21.045 PT: %AUTHMGR-5-START: Starting 'mab' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF0100001448E5D4800E
045740: May 29 16:35:21.054 PT: %MAB-5-FAIL: Authentication failed for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF0100001448E5D4800E
045741: May 29 16:35:21.054 PT: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF0100001448E5D4800E
045742: May 29 16:35:21.062 PT: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF0100001448E5D4800E
045743: May 29 16:35:21.062 PT: %AUTHMGR-5-START: Starting 'dot1x' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF0100001448E5D4800E
045744: May 29 16:35:22.866 PT: %LINK-3-UPDOWN: Interface FastEthernet0/28, changed state to up
045745: May 29 16:35:23.872 PT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/28, changed state to up
045747: May 29 16:36:53.691 PT: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF0100001448E5D4800E
045748: May 29 16:36:53.691 PT: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF0100001448E5D4800E
045749: May 29 16:36:53.691 PT: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF0100001448E5D4800E
QL-SW1#
045750: May 29 16:36:53.699 PT: %AUTHMGR-5-FAIL: Authorization failed for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF0100001448E5D4800E
05-29-2015 10:11 AM
Hi!!!
Mine is working already... here's my configuration, please check if it works for you!
Here's the input:
interface FastEthernet0/28
switchport access vlan 100
switchport mode access
switchport nonegotiate
switchport voice vlan 113
switchport port-security maximum 2
switchport port-security
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
authentication timer restart 120
authentication timer reauthenticate server
authentication timer inactivity 600
mab
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
dot1x pae authenticator
storm-control broadcast level 20.00
storm-control action trap
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard loop
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
dot1x mac-auth-bypass
dot1x critical recovery action reinitialize
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-host
dot1x control-direction in
dot1x timeout quiet-period 2
dot1x timeout server-timeout 2
dot1x timeout reauth-period server
dot1x timeout tx-period 1
dot1x timeout supp-timeout 2
dot1x max-reauth-req 1
dot1x reauthentication
dot1x guest-vlan 166
dot1x auth-fail vlan 166
The output came out with syntax fixed for the 2960 model:
interface FastEthernet0/28
switchport access vlan 100
switchport mode access
switchport nonegotiate
switchport voice vlan 113
switchport port-security maximum 2
switchport port-security
shutdown
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication control-direction in
authentication event fail action authorize vlan 166
authentication event no-response action authorize vlan 166
authentication event server alive action reinitialize
authentication host-mode multi-host
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
authentication timer restart 120
authentication timer reauthenticate server
authentication timer inactivity 600
mab
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout server-timeout 2
dot1x timeout tx-period 1
dot1x timeout supp-timeout 2
dot1x max-reauth-req 1
storm-control broadcast level 20.00
storm-control action trap
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard loop
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
end
And the Terminal monitor Output is like this :
046200: May 29 18:01:32.251 PT: %AUTHMGR-5-START: Starting 'mab' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF010000146BE62367DB
046201: May 29 18:01:32.268 PT: %MAB-5-FAIL: Authentication failed for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF010000146BE62367DB
046202: May 29 18:01:32.268 PT: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF010000146BE62367DB
046203: May 29 18:01:32.268 PT: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF010000146BE62367DB
046204: May 29 18:01:32.268 PT: %AUTHMGR-5-START: Starting 'dot1x' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF010000146BE62367DB
046205: May 29 18:01:34.097 PT: %LINK-3-UPDOWN: Interface FastEthernet0/28, changed state to up
046206: May 29 18:01:34.332 PT: %DOT1X-5-FAIL: Authentication failed for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID
046207: May 29 18:01:34.332 PT: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF010000146BE62367DB
046208: May 29 18:01:34.332 PT: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF010000146BE62367DB
046209: May 29 18:01:34.332 PT: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF010000146BE62367DB
046210: May 29 18:01:34.332 PT: %AUTHMGR-5-VLANASSIGN: VLAN 166 assigned to Interface Fa0/28 AuditSessionID 0A07FF010000146BE62367DB
046211: May 29 18:01:35.112 PT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/28, changed state to up
046212: May 29 18:01:35.322 PT: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/28 AuditSessionID 0A07FF010000146BE62367DB
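What differs between the two Fa0/28 configurations above is which `authentication event` actions the port carries: the earlier log reports 'no-response' from both mab and dot1x but the port only had an action for 'fail', while the working configuration adds a no-response action (VLAN 166) and the log then shows the VLANASSIGN. The following Python check is added here and is not from the thread or from Cisco; it parses the event lines of an interface config and the %AUTHMGR-7-RESULT lines of a log and lists logged results that have no configured action, using constructed samples trimmed from the configs and logs posted in this thread.

```python
import re
from typing import Dict, List

# "authentication event <event> action <action>" as it appears in an IOS interface config.
EVENT_RE = re.compile(r"^\s*authentication event (fail|no-response|server dead|server alive) action (.+?)\s*$")
# The per-method result the auth manager logs before it fails over to the next method.
RESULT_RE = re.compile(r"%AUTHMGR-7-RESULT: Authentication result '([^']+)' from '(\w+)'")

# Constructed samples, trimmed to the event lines of the configs posted in this thread.
ORIGINAL_PORT = """
 authentication event server dead action authorize vlan 5
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 50
"""
BROKEN_PORT = " authentication event fail action authorize vlan 165\n"  # second post: 'fail' only
FIXED_PORT = """
 authentication event fail action authorize vlan 166
 authentication event no-response action authorize vlan 166
 authentication event server alive action reinitialize
"""
# Constructed log excerpt in the shape of the %AUTHMGR lines shown above.
LOG = """
%AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (d4be.d953.4e2d) on Interface Fa0/28
%AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (d4be.d953.4e2d) on Interface Fa0/28
%AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (d4be.d953.4e2d) on Interface Fa0/28
"""

def parse_event_actions(config: str) -> Dict[str, List[str]]:
    """Return {event: [action, ...]}; one event may carry several actions (data and voice)."""
    actions: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = EVENT_RE.match(line)
        if m:
            actions.setdefault(m.group(1), []).append(m.group(2))
    return actions

def logged_results(log: str) -> List[str]:
    """Distinct auth-manager results ('fail', 'no-response', ...) in the order they were logged."""
    seen: List[str] = []
    for m in RESULT_RE.finditer(log):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def missing_actions(config: str, log: str) -> List[str]:
    """Logged results for which the port configures no event action: that port stays unauthorized."""
    actions = parse_event_actions(config)
    return [r for r in logged_results(log) if r not in actions]
```

Run against the second post's port the check returns ['no-response'], matching the AUTHMGR-5-FAIL with no VLAN assignment; against the fixed port it returns an empty list.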