Hello,
I have a customer with only Apple iMac and MacBook Pro as computers. I have to configure dot1x authentication on 3650 and 3850 switches. Here is the template I use on each port (129: data VLAN, 132: guest VLAN):
switchport mode access
switchport voice vlan 134
trust device cisco-phone
authentication event server dead action authorize vlan 129
authentication event server dead action authorize voice
authentication event no-response action authorize vlan 132
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 8
auto qos voip cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
The Apple computers are connected behind 7841 IP Phones. This explains why there is mab authentication configuration on the port.
The problem is that sometimes some Apple computers lose their authentication and fail to authenticate again:
%DOT1X-5-FAIL: Authentication failed for client (0c4d.xxxx.xxxx) on Interface Gi1/0/14
Can someone help me to solve this problem please? Maybe someone has already configured dot1x with Apple computers?
Thank you for your help.
Thomas.
You shouldn't need any of the mab authentication for the phones to work. Here's a cut-down version of your port config to match the one we use with 802.1X authentication for devices plugged into Cisco VoIP phones:
switchport mode access
switchport voice vlan 134
authentication event server dead action authorize vlan 129
authentication event no-response action authorize vlan 132
authentication order dot1x
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 8
You can use the rest of the spanning tree and QOS stuff as-is.
Hello Rob,
I need the mab commands because my phones are authenticated by mab (they are created in Active Directory as users with their MAC address as password).
In your template the command "authentication priority dot1x mab" does not appear. It was worse without this command.
Here's a port config from one of my switches:
interface GigabitEthernet1/0/1
switchport access vlan 192
switchport mode access
power inline never
authentication order dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
end
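The two port templates in this thread differ in whether MAB is enabled, whether multi-domain host mode is set, and whether a guest VLAN is authorized on no-response. The following added script (not from this thread or from Cisco) parses IOS-style interface stanzas and flags those inconsistencies; the sample config, interface names and VLAN numbers are constructed for the demo.

```python
import re
from typing import Dict, List

# Constructed running-config excerpt: one port close to the original template,
# one port with MAB referenced but not enabled and no host-mode set.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/14
 switchport mode access
 switchport voice vlan 134
 authentication event no-response action authorize vlan 132
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/15
 switchport mode access
 switchport voice vlan 134
 authentication order mab dot1x
 authentication port-control auto
 dot1x pae authenticator
!
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [stripped stanza lines]}."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            stanzas[current] = []
        elif line == "!":
            current = None          # '!' terminates the stanza
        elif current is not None and line:
            stanzas[current].append(line)
    return stanzas

def lint_port(lines: List[str]) -> List[str]:
    """Return findings for one access port's 802.1X/MAB configuration."""
    def has(prefix: str) -> bool:
        return any(l.startswith(prefix) for l in lines)
    findings: List[str] = []
    if not has("authentication port-control auto"):
        return findings             # port does not enforce authentication
    methods = set()
    for l in lines:                 # methods named in 'order' or 'priority'
        m = re.match(r"authentication (?:order|priority) (.+)", l)
        if m:
            methods.update(m.group(1).split())
    if "mab" in methods and "mab" not in lines:
        findings.append("mab listed in order/priority but 'mab' is not enabled")
    if "dot1x" in methods and not has("dot1x pae authenticator"):
        findings.append("dot1x listed but 'dot1x pae authenticator' is missing")
    if has("switchport voice vlan") and not has("authentication host-mode multi-"):
        findings.append("voice VLAN with single-host mode; phone plus PC needs multi-domain")
    if has("authentication event no-response action authorize vlan"):
        findings.append("note: silent clients are placed in the guest VLAN without credentials")
    return findings

def lint_config(config: str) -> Dict[str, List[str]]:
    return {name: lint_port(lines) for name, lines in parse_interfaces(config).items()}
```

Run `lint_config(SAMPLE_CONFIG)` against a real `show running-config` dump; the guest VLAN line is reported as a note so that a port that authorizes silent hosts is visible in a review, not flagged as an error.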
Thomas,
Out of curiosity, how did you configure your Macs for dot1x... onboarding using ISE?