06-30-2011 05:29 PM - edited 03-12-2019 05:39 PM
I had dot1x working with a guest vlan, data vlan and voice vlan. I have upgraded my IOS and now im having this issue:
1. IP Phone can register with cisco call manager (Great)
2. Plug in a computer on the domain with a certificate into the phone and dot1x allows it on the network (Great).
3. Plug my macbook into the switch port of the IP Phone and it times out and doesnt kick the macbook into the guest vlan (Sucks) It just gets an APIPA ip address
I get these errors:
%DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa6/35 AuditSessionID 0A820C01000004CE1F6FCAE6
%AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa6/35 AuditSessionID 0A820C01000004CE1F6FCAE6
I guess its going off the mac address of the machine when its plugged into the phone is there any way to disable this and have it dump straight into the guest vlan if there is no suppliment or the suppliment fails?
I had this working working perfectly before the IOS upgrade I am running IOS verison cat4500-ipbasek9-mz.150-2.SG.bin I am running the Cisco 4507 with dual supervisor boards
Mod Ports Card Type Model
---+-----+--------------------------------------+------------------+-----------
1 2 Supervisor II+ 1000BaseX (GBIC) WS-X4013+
2 2 Supervisor II+ 1000BaseX (GBIC) WS-X4013+
3 48 10/100/1000BaseT (RJ45) WS-X4548-GB-RJ45
4 48 10/100/1000BaseT (RJ45) WS-X4548-GB-RJ45
5 48 10/100/1000BaseT (RJ45) WS-X4548-GB-RJ45
6 48 10/100BaseTX (RJ45)V, Cisco/IEEE WS-X4248-RJ45V
7 48 10/100BaseTX (RJ45)V, Cisco/IEEE WS-X4248-RJ45V
Here is what I have configured on my testing port:
interface FastEthernet6/35
switchport mode access
switchport voice vlan 50
logging event link-status
authentication event fail retry 5 action authorize vlan 69
authentication event no-response action authorize vlan 69
authentication host-mode multi-host
authentication order dot1x
authentication priority dot1x
authentication port-control auto
authentication timer restart 10800
authentication timer reauthenticate 10800
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout server-timeout 10
dot1x timeout tx-period 5
dot1x max-reauth-req 1
spanning-tree portfast
Now here is the kicker, if I unplug my phone and plug in my macbook pro into the port directly it bumps the port into VLAN 69 which is the guest vlan and what I wanted. So it has something to do with the port not transitioning to the guest vlan while plugged into the IP Phone.
Any clues?
07-01-2011 03:23 AM
Auth fail vlan assignment is only supported on single host mode found here -
See if you can set this port to single host and try again.
Thanks,