Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2559
Views
25
Helpful
4
Replies

dot1x and Mab on a HUB - via Switch port - Wired

Go to solution
laurathaqi
Level 3
Level 3

‎10-19-2021 12:32 AM

Dear community, 

 

I have a switch, and in that switch port, is a HUB connected. The hub then has three computers and one Printers connected to it. The computers need to authenticate via PEAP whilst the Printer via MAB. 

I applied the general configurations in the switch ports, and all of the devices connected to the hub, lost communication. This is a meaning that they do not authenticate nor communicate with the switch anymore. 

 

The devices are remote, so am unable to troubleshoot directly on the devices however, am sure the computers are configured properly with PEAP since I have distributed configurations via GPO in all branches and HQ.  and the HQ Computers are working properly based on the GPO configurations. 

The switchport configuration is as following: 

switchport mode access
dot1x port-control auto
dot1x host-mode multi-host
dot1x timeout tx-period 10
dot1x timeout reauth-period 7200
dot1x guest-vlan 1
dot1x reauthentication
spanning-tree portfast

 

Switch model is Catalyst 2950 and it does not support CoA, just plain authentication via dot1x. And I have managed to configure successfully the directly connected to the switch port PC's. 

 

So my question is: How do I approach the HUB in this case? 

 

Looking forward to hearing from you. 

 

Thank you,

Laura

1 Accepted Solution

Accepted Solutions

Go to solution
laurathaqi
Level 3
Level 3
In response to Mike.Cifelli

‎10-29-2021 08:47 AM

Hi @Mike.Cifelli 

 

Thank you for your feedback. Apologies for the late response. Client went on vacation thus all configurations were put on a pending state.  I found the following link: https://community.cisco.com/t5/network-access-control/hub-behind-a-dot1x-port/td-p/4070418 that explains my doubts and am planning to further proceed with this one.

 

My client returns next week, so I will update you on the results  

 

Thank your for your support and feedback!

 

Best wishes,

Laura

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎10-19-2021 04:45 AM - edited ‎10-19-2021 04:45 AM

A few things to consider:

-Have you considered using multi-auth host mode? This ensures that multiple endpoints are authenticated into the data vlan in a 1 for 1 scenario with each auth being separate.  The command you are using: dot1x host-mode multi-host simply authenticates the first mac and allows all others.

-Try running some switch side debugs:

debug aaa authentication

debug eap all

Go to solution
laurathaqi
Level 3
Level 3
In response to Mike.Cifelli

‎10-20-2021 08:12 AM

Hi @Mike.Cifelli 

 

Thank you for the feedback!

 

The Catalyst 2950 I have does only support the following "dot1x host-mode multi-host" and not also the "authentication host-mode multi-auth". Furthermore, when I configure the Switch port with "dot1x host-mode multi-host",  this port, were the HUB is connected, all the Hub's ports block communication for the devices were they are connected at the Hub. 

To further visualize the connection: 

 

Endpoints -> Hub -> Switch. When Switchport configured with dot1x, the endpoints lose communication.

 

So I would like to know how are the Hubs usually handled when dealing with PEAP authentication via Cisco ISE. Are the Ports were the Hubs connect configured same as the Access Ports were Hosts connect!? 

 

Will apply the debugs during tomorrow and see if I get and further details. 

 

Thank you,

Laura 

0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎10-20-2021 08:22 AM

I apologize for any confusion.  

-I have does only support the following "dot1x host-mode multi-host" and not also the "authentication host-mode multi-auth".

I did not mean to use both.  I meant try testing with authentication host-mode multi-auth only on interface.  Tomorrow when you share debugs, please also share other relevant information such as:

-From switch: #show authentication session interface xxx detail

-From ISE: radius live log failure

Go to solution
laurathaqi
Level 3
Level 3
In response to Mike.Cifelli

‎10-29-2021 08:47 AM

Hi @Mike.Cifelli 

 

Thank you for your feedback. Apologies for the late response. Client went on vacation thus all configurations were put on a pending state.  I found the following link: https://community.cisco.com/t5/network-access-control/hub-behind-a-dot1x-port/td-p/4070418 that explains my doubts and am planning to further proceed with this one.

 

My client returns next week, so I will update you on the results  

 

Thank your for your support and feedback!

 

Best wishes,

Laura

0 Helpful
Customers Also Viewed These Support Documents