dot1x Monitor Mode

03-22-2013 03:54 AM - edited 03-10-2019 08:13 PM
Hi,
I have a setup where I configured monitor mode on a switch with ISE as the RADIUS server. This is for testing before a bigger deployment at a customer site.
I'm using ISE 1.1.3, a C2960 with IOS 15.0(2) and a laptop with Windows 7 Enterprise SP1.
The correct configuration with EAP-TLS and a machine cert is working like it should, but it is when I remove this and make the laptop fail that I get weird results with monitor mode. I can't get DNS to work in dot1x monitor mode if the client fails authentication.
When the client fails dot1x and MAB it gets an IP with DHCP. I can ping but DNS/browsing is not working. If I put the AuthC back and the client authenticates, DNS is working, or if I turn off dot1x on the client then DNS works as it should.
Has anyone seen this before and/or have some insight into how this should work?
I know this is probably a client/supplicant problem.
Port config:
interface GigabitEthernet0/2
 description 802.1x port PC lab
 switchport access vlan 8
 switchport mode access
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
----------------------------------
sw#sh auth sess int gi0/2
Interface: GigabitEthernet0/2
MAC Address: 000d.9d90.c96d
IP Address: 192.168.50.30
User-Name: 000d9d90c96d
Status: Authz Failed
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A8320900000CF4DC2FDA59
Acct Session ID: 0x00000D2A
Handle: 0xA0000CF5
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Failed over

04-30-2013 01:51 PM
You need a configured ip access-group, with an ACL of permit ip any any, hardcoded on the interface.
04-30-2013 02:51 PM
While checking the authenticated sessions, please also verify all the dACLs which are enforced. This will help obtain more input and narrow down the problem. Please make sure that the web-auth ACL has no errors.
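Added example (not from any reply in this thread, and not the original poster's configuration): this is what the two suggestions above look like when applied to the port from the first post, i.e. a static permit-all port ACL so that monitor mode passes traffic even when both methods fail, plus the show commands to verify which ACL is actually enforced on the session. The ACL name ACL-ALLOW is an assumption; the ip device tracking line is included because on Catalyst switches a downloadable ACL from ISE is applied per client IP and needs device tracking to learn that IP, which is a general IOS requirement rather than something stated in this thread.

```cisco
! --- Added example, not the OP's running config ---
! Device tracking: required so that a dACL returned by ISE can be bound
! to the client's IP (192.168.50.30 in the OP's session output).
ip device tracking
!
! Static pre-authentication port ACL (name ACL-ALLOW is an assumption).
! In monitor mode this must be wide open; a dACL from ISE, if any,
! overrides it per session. Without any ip access-group on the port,
! a dACL cannot be applied and the session can end up in Authz Failed.
ip access-list extended ACL-ALLOW
 permit ip any any
!
interface GigabitEthernet0/2
 description 802.1x port PC lab
 switchport access vlan 8
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
!
! --- Verification (run from enable mode) ---
! Which ACL is enforced right now on this port, static or downloaded:
!   show ip access-lists interface GigabitEthernet0/2 in
! Session state and, if a dACL was pushed, its name under "ACS ACL":
!   show authentication sessions interface GigabitEthernet0/2
! Confirm the switch learned the client IP for the dACL binding:
!   show ip device tracking all
```

If show ip access-lists interface shows only ACL-ALLOW while the session is Authz Failed, the switch is already forwarding everything it receives, so a DNS-only failure at that point is on the client side rather than the port ACL, which matches the later reply about the Windows supplicant fallback setting.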

05-01-2013 12:49 AM
Hi,
Please check if you configured Fallback to unauthorized network access under your Windows NIC dot1x settings.
If not, you won't get network access when dot1x fails.
