01-24-2024 09:44 PM
Hi All,
I have configured wired dot1x between my switch and Cisco ISE, and on the other hand ISE is integrated with Windows AD for domain user and PC authentication. I have noticed an issue with some users. The issue is that they have an IP phone and a PC, so they have a voice VLAN and an access VLAN configured on their endpoint (both are different VLANs). The issue is that after a couple of hours of inactivity, their network becomes unidentified and they are cut off from the network. On the switch, I can see that the voice VLAN (static) MAC address is there, but the access VLAN entry for the endpoint is dropped and I keep getting the log "DOT1X authentication failed for client".
When I do show authentication session interface detail, I get this:
show authentication sessions interface gigabitEthernet 2/0/6
Interface MAC Address Method Domain Status Fg Session ID
----------------------------------------------------------------------
Gi2/0/6 xxxx.xxxx.f429 N/A UNKNOWN Unauth -
But again, this MAC address xxxx.xxxx.f429 is dropped from the MAC table.
The issue fixes if the interface physically restarts.
This is my DOT1x config:
switchport access vlan x
switchport mode access
switchport voice vlan xx
power inline auto max 15400
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
dot1x pae authenticator
spanning-tree portfast
end
On ISE, I do not see any live logs for this activity, which means that no authentication request is reaching ISE from the endpoint. I hope my question is clear, thanks.
01-25-2024 01:20 AM
This is not the full config.
Can I see
Show authentication sessions
MHM
01-25-2024 01:59 PM
@muhammadtalha - your config needs to handle inactivity - UNAUTH means that the session was authenticated, and then went inactive - but it's still there. What's going to clear it?
In IBNS 2.0 this is handled very nicely. I responded to another post today where I described this in some detail. Have a look and see if you can find equivalent commands in IBNS 1.0 - I can't find a switch old enough to test IBNS 1.0. But perhaps there is an "authentication session" style command to do the same thing.
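A check for the state described in this thread (a session left in Unauth while the endpoint's MAC is gone from the MAC address table), as an added example that is not part of any post above: it parses `show authentication sessions` and `show mac address-table` text and lists the stuck sessions. The sample outputs, MAC addresses and function names are constructed for illustration, and it assumes both commands print the same short interface names.

```python
import re

# Constructed sample outputs (not captured from a real switch). The session
# columns follow the "show authentication sessions" output quoted in the thread.
AUTH_SESSIONS = """\
Interface  MAC Address     Method  Domain   Status  Fg  Session ID
----------------------------------------------------------------------
Gi2/0/6    0000.5e00.5301  N/A     UNKNOWN  Unauth      -
Gi2/0/7    0000.5e00.5303  dot1x   DATA     Auth        0A0000010000002B
Gi2/0/8    0000.5e00.5304  N/A     UNKNOWN  Unauth      -
"""
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0000.5e00.5302    STATIC      Gi2/0/6
  10    0000.5e00.5303    STATIC      Gi2/0/7
  10    0000.5e00.5304    DYNAMIC     Gi2/0/8
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
# interface, MAC, method, domain, status; Fg and Session ID are ignored
SESSION_ROW = re.compile(
    rf"^(\S+)[ \t]+({MAC})[ \t]+(\S+)[ \t]+(\S+)[ \t]+(\S+)", re.I | re.M)
# vlan, MAC, type, port
MAC_ROW = re.compile(
    rf"^[ \t]*\d+[ \t]+({MAC})[ \t]+\S+[ \t]+(\S+)[ \t]*$", re.I | re.M)
FIELDS = ("interface", "mac", "method", "domain", "status")


def parse_sessions(text):
    """Return one dict per session row; header and separator lines do not match."""
    return [dict(zip(FIELDS, m.groups())) for m in SESSION_ROW.finditer(text)]


def learned_macs(text):
    """Return the set of (port, mac) pairs present in the MAC address table."""
    return {(port, mac.lower()) for mac, port in MAC_ROW.findall(text)}


def stale_unauth_sessions(sessions_text, mac_table_text):
    """Sessions in Unauth whose MAC is no longer learned on that port."""
    learned = learned_macs(mac_table_text)
    return [s for s in parse_sessions(sessions_text)
            if s["status"].lower() == "unauth"
            and (s["interface"], s["mac"].lower()) not in learned]


if __name__ == "__main__":
    for s in stale_unauth_sessions(AUTH_SESSIONS, MAC_TABLE):
        print(f"{s['interface']}: {s['mac']} is Unauth and absent from the MAC table")
```

In the constructed data, Gi2/0/8 is also Unauth but its MAC is still learned, so it is not reported as stuck.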