dot1x Monitor Mode

Hi,

I have a setup where I configured monitor mode on a switch with ISE as the RADIUS server. This is for testing before a bigger deployment at a customer site.

I'm using ISE 1.1.3, a C2960 with IOS 15.0(2), and a laptop with Windows 7 Enterprise SP1.

The correct configuration with EAP-TLS and a machine cert is working like it should, but when I remove this and make the laptop fail, I get weird results with monitor mode. I can't get DNS to work in dot1x monitor mode if the client fails authentication.

When the client fails dot1x and MAB it gets an IP via DHCP. I can ping, but DNS/browsing is not working. If I put the AuthC back and the client authenticates, DNS is working, or if I turn off dot1x on the client then DNS works as it should.

Has anyone seen this before and/or have some insight on how this should work?

I know this probably is a client/supplicant problem.


Port config:

interface GigabitEthernet0/2
 description 802.1x port PC lab
 switchport access vlan 8
 switchport mode access
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator

----------------------------------

sw#sh auth sess int gi0/2
            Interface:  GigabitEthernet0/2
          MAC Address:  000d.9d90.c96d
           IP Address:  192.168.50.30
            User-Name:  000d9d90c96d
               Status:  Authz Failed
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  C0A8320900000CF4DC2FDA59
      Acct Session ID:  0x00000D2A
               Handle:  0xA0000CF5

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Failed over
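The session output above is exactly what monitor mode is meant to surface: endpoints that currently have access only because of "authentication open" and would be cut off once enforcement is turned on. As an added example (not from the original post or from Cisco), here is a small parser for that output that lists such endpoints; the second session block in the sample is constructed, and only the first copies the thread's values.

```python
import re

# Constructed sample in the layout of "show authentication sessions interface":
# the first block copies the thread's failed session, the second is made up.
SAMPLE_OUTPUT = """\
            Interface:  GigabitEthernet0/2
          MAC Address:  000d.9d90.c96d
           IP Address:  192.168.50.30
            User-Name:  000d9d90c96d
               Status:  Authz Failed
Runnable methods list:
       dot1x    Failed over
       mab      Failed over
            Interface:  GigabitEthernet0/3
          MAC Address:  0011.2233.4455
           IP Address:  192.168.50.31
            User-Name:  host/lab-pc.example.test
               Status:  Authz Success
Runnable methods list:
       dot1x    Authc Success
       mab      Not run
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z -]+?):\s*(.*)$")      # "Key:  value" lines
METHOD_RE = re.compile(r"^\s*(dot1x|mab|webauth)\s+(.+?)\s*$")  # method state lines

def parse_sessions(text):
    """Split the output into one dict per session (fields plus a 'methods' map)."""
    sessions, current = [], None
    for line in text.splitlines():
        m = METHOD_RE.match(line)
        if m and current is not None:
            current["methods"][m.group(1)] = m.group(2)
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Interface":  # each session block starts with this field
            current = {"methods": {}}
            sessions.append(current)
        if current is not None:
            current[key] = value
    return sessions

def monitor_mode_report(text):
    """Endpoints that only have access because 'authentication open' is set."""
    return [(s["Interface"], s["MAC Address"], s["methods"])
            for s in parse_sessions(text) if s.get("Status") != "Authz Success"]
```

Run it against the saved output of the same show command from every access switch to get the list of hosts to fix (supplicant settings, certificates, MAB entries in ISE) before removing "authentication open".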


gschmitt.ngit
Level 1

You need a configured ip access-group with the ACL of permit ip any any hardcoded on the interface.

askhuran
Level 1

While checking the authentication sessions, please also verify all the dACLs which are enforced. This will help obtain more input and narrow down the problem. Please make sure that the Web-auth ACL has no errors.

Octavian Szolga
Level 4

Hi,

Please check if you configured Fallback to unauthorized network access under your Windows NIC dot1x settings.

If not, you won't get network access when dot1x fails.
