Dot1x issues

sullyjman12
Level 1

I had dot1x working with a guest vlan, data vlan and voice vlan.  I have upgraded my IOS and now I'm having this issue:

1.  IP Phone can register with cisco call manager (Great)

2.  Plug in a computer on the domain with a certificate into the phone and dot1x allows it on the network (Great).

3.  Plug my macbook into the switch port of the IP Phone and it times out and doesn't kick the macbook into the guest vlan (Sucks). It just gets an APIPA IP address.

I get these errors:

%DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa6/35 AuditSessionID 0A820C01000004CE1F6FCAE6

%AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa6/35 AuditSessionID 0A820C01000004CE1F6FCAE6

I guess it's going off the MAC address of the machine when it's plugged into the phone. Is there any way to disable this and have it dump straight into the guest vlan if there is no supplicant or the supplicant fails?

I had this working perfectly before the IOS upgrade. I am running IOS version cat4500-ipbasek9-mz.150-2.SG.bin. I am running the Cisco 4507 with dual supervisor boards:

Mod Ports Card Type                              Model
---+-----+--------------------------------------+------------------+-----------
 1     2  Supervisor II+ 1000BaseX (GBIC)        WS-X4013+
 2     2  Supervisor II+ 1000BaseX (GBIC)        WS-X4013+
 3    48  10/100/1000BaseT (RJ45)                WS-X4548-GB-RJ45
 4    48  10/100/1000BaseT (RJ45)                WS-X4548-GB-RJ45
 5    48  10/100/1000BaseT (RJ45)                WS-X4548-GB-RJ45
 6    48  10/100BaseTX (RJ45)V, Cisco/IEEE       WS-X4248-RJ45V
 7    48  10/100BaseTX (RJ45)V, Cisco/IEEE       WS-X4248-RJ45V

Here is what I have configured on my testing port:

interface FastEthernet6/35
 switchport mode access
 switchport voice vlan 50
 logging event link-status
 authentication event fail retry 5 action authorize vlan 69
 authentication event no-response action authorize vlan 69
 authentication host-mode multi-host
 authentication order dot1x
 authentication priority dot1x
 authentication port-control auto
 authentication timer restart 10800
 authentication timer reauthenticate 10800
 dot1x pae authenticator
 dot1x timeout quiet-period 5
 dot1x timeout server-timeout 10
 dot1x timeout tx-period 5
 dot1x max-reauth-req 1
 spanning-tree portfast

Now here is the kicker: if I unplug my phone and plug my macbook pro into the port directly, it bumps the port into VLAN 69, which is the guest vlan and what I wanted.  So it has something to do with the port not transitioning to the guest vlan while plugged into the IP Phone.

Any clues?

7 Replies

Tarik Admani
VIP Alumni

Auth fail vlan assignment is only supported on single host mode found here -

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/15.02SG/configuration/guide/dot1x.html#wp1198927

See if you can set this port to single host and try again.

Thanks,
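
The restriction cited in the reply above, turned into a configuration check (an added example, not code from the thread or from Cisco). `SAMPLE_CONFIG` abridges the port from the question and adds a constructed Fa6/36 for comparison; the function names are hypothetical, and treating an unset host mode as single-host is an assumption.

```python
import re

# Fa6/35 is the port from the question (abridged); Fa6/36 is a constructed
# port in single-host mode, added for comparison.
SAMPLE_CONFIG = """\
interface FastEthernet6/35
 switchport voice vlan 50
 authentication event fail retry 5 action authorize vlan 69
 authentication event no-response action authorize vlan 69
 authentication host-mode multi-host
 authentication port-control auto
!
interface FastEthernet6/36
 authentication event fail action authorize vlan 69
 authentication host-mode single-host
 authentication port-control auto
!
"""

FAIL_VLAN = re.compile(r"authentication event fail\b.*\baction authorize vlan (\d+)$")
HOST_MODE = re.compile(r"authentication host-mode (\S+)$")

def interface_stanzas(config_text):
    """Map each interface name to its command lines (whitespace-stripped)."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1], [])
        elif line == "!":
            current = None  # "!" closes the stanza in a saved config
        elif line and current is not None:
            current.append(line)
    return stanzas

def auth_fail_vlan_conflicts(config_text):
    """Return (interface, host_mode, vlan) where auth-fail VLAN meets a non-single-host port."""
    findings = []
    for name, lines in interface_stanzas(config_text).items():
        vlan, mode = None, "single-host"  # assumed default when host-mode is unset
        for line in lines:
            if m := FAIL_VLAN.match(line):
                vlan = int(m.group(1))
            elif m := HOST_MODE.match(line):
                mode = m.group(1)
        if vlan is not None and mode != "single-host":
            findings.append((name, mode, vlan))
    return findings

if __name__ == "__main__":
    print(auth_fail_vlan_conflicts(SAMPLE_CONFIG))
```

Run against a saved configuration, this lists every port where an auth-fail VLAN is configured but, per the cited guide, would not be applied.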