01-17-2015 11:07 PM - edited 03-10-2019 10:21 PM
Hi,
I configured Critical VLAN on my 2960-X switch. Everything works perfectly, as I expected: when the RADIUS (ISE 1.3) goes down, ports are placed in the Critical VLAN. But there is a problem: after the ports are put in the Critical VLAN, the IP and the MAC address in the output of the "sho authe session" command show as UNKNOWN.
Actually, the system gets the IP correctly, and the IP-to-MAC binding is correct in the IP DHCP binding and IP device tracking output, but the output said unknown IP and MAC.
Is there any idea for that?
Thanks
01-18-2015 02:32 PM
Hello Richard-
A couple of questions:
1. Does the device have internet/intranet access during the critical auth?
2. Can you post your Radius and switchport configs?
Thank you for rating helpful posts!
01-18-2015 10:04 PM
Hi neno,
Actually, no, it does not have any access to the Internet or intranet.
Yes, here is my configuration:
interface GigabitEthernet1/0/1
 switchport access vlan 172
 switchport mode access
 authentication event server dead action authorize vlan 501
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x
 authentication priority dot1x
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 20
 dot1x max-reauth-req 10
 spanning-tree portfast

aaa new-model
!
!
aaa group server radius ISE
 server name ISE-15
!
aaa authentication login default local
aaa authentication enable default none
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting update periodic 1
aaa accounting dot1x default start-stop group ISE
aaa accounting system default start-stop group ISE
aaa server radius dynamic-author
 client 172.16.25.15 server-key cisco
!
ip device tracking
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 send nas-port-detail
radius-server attribute 31 remote-id
radius-server vsa send cisco-nas-port
!
radius server ISE-15
 address ipv4 172.16.25.15 auth-port 1812 acct-port 1813
 timeout 10
 retransmit 2
 automate-tester username tester probe-on
 key cisco
01-20-2015 12:18 AM
Hmm, what version of code are you running? Also, can you post the output of the "show authentication session.." command? Last but not least, have you confirmed that the critical VLAN exists in the switch VLAN database and it is allowed on the upstream trunk ports?
Thank you for rating helpful posts!
01-20-2015 01:20 AM
The version running on my 2960-X is the Cisco-suggested IOS: "15.0(2)EX5",
and I also have the same problem with a common 2960.
Yes, all the switching infrastructure works properly. As I said, IP assignment is in place, but there is no report in the show command.
Here is the output of "sho auth sessions":
2960-x-B#sho auth sessions int gi 1/0/1
            Interface:  GigabitEthernet1/0/1
          MAC Address:  Unknown
           IP Address:  Unknown
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-host
     Oper control dir:  both
        Authorized By:  Critical Auth
          Vlan Policy:  501
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  AC10191A0000000F0005481A
      Acct Session ID:  0x00000012
               Handle:  0x8B000010

Runnable methods list:
       Method   State
       dot1x    Authc Failed

Critical Authorization is in effect for domain(s) DATA

#######################

2960-x-B#sho ip device tracking int gi 1/0/1
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
IP Device Tracking Probe Delay Interval = 0
-----------------------------------------------------------------------
  IP Address     MAC Address     Vlan  Interface               STATE
-----------------------------------------------------------------------
  172.50.1.17    1078.d28e.d34a  501   GigabitEthernet1/0/1    ACTIVE
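
Added example, not part of any post in this thread and not Cisco tooling: while critical-auth sessions report Unknown for MAC and IP, the hosts on those ports can still be inventoried by joining the session output with the IP device tracking table on interface and VLAN. The sample strings are constructed from the two outputs quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample input: trimmed copies of the two outputs quoted above.
AUTH_SESSION = """\
Interface: GigabitEthernet1/0/1
MAC Address: Unknown
IP Address: Unknown
Authorized By: Critical Auth
Vlan Policy: 501
"""
DEVICE_TRACKING = """\
IP Address MAC Address Vlan Interface STATE
172.50.1.17 1078.d28e.d34a 501 GigabitEthernet1/0/1 ACTIVE
"""

# One device-tracking row: IPv4, dotted MAC, VLAN, interface, state.
ROW = re.compile(
    r"^(\d+(?:\.\d+){3})\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\d+)\s+(\S+)\s+(\S+)$",
    re.I)

def parse_sessions(text):
    """Collect 'Key: value' lines into one dict per 'Interface:' block."""
    sessions = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            key, value = key.strip(), value.strip()
            if key == "Interface":
                sessions.append({})
            if sessions:
                sessions[-1][key] = value
    return sessions

def parse_tracking(text):
    """Return device-tracking rows as dicts; header and rule lines are skipped."""
    fields = ("ip", "mac", "vlan", "interface", "state")
    matches = (ROW.match(line.strip()) for line in text.splitlines())
    return [dict(zip(fields, m.groups())) for m in matches if m]

def resolve_critical_hosts(auth_text, tracking_text):
    """List ACTIVE tracked hosts on each port that is in Critical Auth."""
    tracking = parse_tracking(tracking_text)
    report = []
    for s in parse_sessions(auth_text):
        if s.get("Authorized By") != "Critical Auth":
            continue  # normally authenticated sessions carry their own MAC/IP
        hosts = [(r["ip"], r["mac"]) for r in tracking if r["state"] == "ACTIVE"
                 and (r["interface"], r["vlan"]) == (s["Interface"], s.get("Vlan Policy"))]
        report.append({"interface": s["Interface"], "vlan": s.get("Vlan Policy"),
                       "session_mac": s.get("MAC Address"), "hosts": hosts})
    return report
```

A critical-auth port whose `hosts` list comes back empty has no tracked endpoint at all, which is worth checking separately from the display issue described in this thread.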
08-17-2015 08:25 AM
Hi Richard,
Sorry for hijacking your thread, but I have the same problem.
Could you find a solution to this?
TIA