10-08-2020 05:09 AM
Hi all,
I'm trying to configure ports on Catalyst 2960, 2960X and 9200L switches using host-mode multi-auth, but also leaving the fail VLAN in place, because we want to maintain a recovery method that guarantees access to devices also in case MAB and dot1x fail.
We are using MAB and then dot1x as the authentication order (because we have some issues with IP phone certificates, so we need to use MAB as the first attempt).
The problem arises during the first test on a 2960 using devices that are not able to use dot1x and whose MAC addresses are not recognized by the RADIUS system. With multi-auth mode the port remains unauthorized and the MAC address goes into drop state.
I found in some documentation (not in all documentation) that with multi-auth mode the guest VLAN and fail VLAN are not enabled even though I can configure them.
On the Cat9200L the behaviour seems to be different, as I see the device in authorized state, so my question is: have you also tried this type of setup? Is it a platform-dependent behaviour, or is it correct that with multi-authentication mode it is not permitted to use the guest and fail VLAN?
Below is an example
on Cat9200L C9200L-24P-4G 16.12.02:
---------------------------------------
On 2960 WS-C2960-24LT-L 12.2(55)SE12:
-----------------------------------------
10-12-2020 07:34 PM
The way I see it, I never fail a MAB auth. You have to configure ISE MAB Authentication to 'Continue if User not found' (the default is to Reject). Then the user will be put into the access VLAN configured on the switch port. Make that VLAN a guest VLAN and enable profiling so that ISE can CoA that user/device into another VLAN if needed (e.g. ISE profiles the device as a printer, etc.; if a VLAN change is involved then the port should also be bounced via ISE CoA to force the device to perform DHCP again).
10-13-2020 04:38 AM
Auth fail VLAN is only available in single-host mode.