
789 Views · 0 Helpful · 4 Replies
Thomas P
Beginner

Dot1x with Apple MAC on Cisco 3650

Hello,

I have a customer with only Apple iMacs and MacBook Pros as computers. I have to configure dot1x authentication on 3650 and 3850 switches. Here is the template I use on each port (129: data VLAN, 132: guest VLAN):

 ! access port; VLAN 134 carries the 7841 phones, whose QoS marking is trusted
 switchport mode access
 switchport voice vlan 134
 trust device cisco-phone
 ! RADIUS dead: data devices are authorized into VLAN 129 and voice stays up;
 ! no EAPOL reply: guest VLAN 132; RADIUS back: re-run authentication
 authentication event server dead action authorize vlan 129
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 132
 authentication event server alive action reinitialize
 ! phone and Mac are authenticated separately; MAB runs first, but an 802.1X result
 ! outranks a MAB one; an unexpected extra MAC is dropped and logged, not err-disabled
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 ! enable both methods; retransmit EAPOL-Request/Identity every 8 s (default 30 s)
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 8
 ! QoS and STP edge-port settings
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
 service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
 service-policy output AutoQos-4.0-Output-Policy

The Apple computers are connected behind 7841 IP Phones. This explains why there is MAB authentication configured on the port.

The problem is that sometimes some Apple computers lose their authentication and fail to authenticate again:

%DOT1X-5-FAIL: Authentication failed for client (0c4d.xxxx.xxxx) on Interface Gi1/0/14

Can someone help me to solve this problem, please? Maybe someone has already configured dot1x with Apple computers?

Thank you for your help.

Thomas.

4 REPLIES
rob.drye
Beginner

You shouldn't need any of the MAB authentication for the phones to work. Here's a cut-down of your port config to match the one we use with 802.1X authentication for devices plugged into Cisco VoIP phones:

 switchport mode access
 switchport voice vlan 134

 authentication event server dead action authorize vlan 129
 authentication event no-response action authorize vlan 132

 authentication order dot1x
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 8

You can use the rest of the spanning-tree and QoS stuff as-is.

Hello Rob,

I need the mab commands because my phones are authenticated by MAB (they are created in Active Directory as users with their MAC address as password).

In your template the command "authentication priority dot1x mab" does not appear. It was worse without this command.

Here's a port config from one of my switches:

interface GigabitEthernet1/0/1
 switchport access vlan 192
 switchport mode access
 power inline never
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
end
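The three templates in this thread (Thomas's multi-domain port at the top, and Rob's two cut-down ports) differ in exactly the knobs behind Thomas's observation that things were worse without "authentication priority dot1x mab": method order versus priority, MAB enabled but not ordered, and host mode for a phone plus a data device. The following Python lint is an added example, not code from the thread or from Cisco. It parses IOS port templates of this shape and reports those pitfalls; the IOS semantics it encodes (order and priority both defaulting to "dot1x mab", single-host default host mode, force-authorized default port-control, 60 s default quiet-period) are stated as assumptions in the module header, and the two variants of Thomas's template are constructed, not from the thread.

```python
"""Lint Cisco IOS 802.1X/MAB port templates for the pitfalls in this thread.
Added example, not code from the thread or from Cisco. Assumed IOS semantics:
'authentication order' = which methods run, in which sequence; 'authentication
priority' = which authorized method may be preempted by which; both default to
'dot1x mab'; host-mode defaults to single-host; port-control to force-authorized."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class PortTemplate:
    dot1x: bool = False                          # 'dot1x pae authenticator' seen
    mab: bool = False                            # 'mab' seen
    voice_vlan: str | None = None
    port_control: str = "force-authorized"       # IOS default
    host_mode: str = "single-host"               # IOS default
    order: list[str] | None = None               # None: IOS default dot1x mab
    priority: list[str] | None = None            # None: follows order
    events: dict[str, list[str]] = field(default_factory=dict)


SCALARS = [(r"switchport voice vlan (\d+)", "voice_vlan"),
           (r"authentication port-control (\S+)", "port_control"),
           (r"authentication host-mode (\S+)", "host_mode")]
LISTS = [(r"authentication order (.+)", "order"),
         (r"authentication priority (.+)", "priority")]


def parse_template(text: str) -> PortTemplate:
    """Parse the indented interface commands of one port template."""
    t = PortTemplate()
    for raw in text.splitlines():
        line = raw.strip()
        if line == "mab":
            t.mab = True
        elif line == "dot1x pae authenticator":
            t.dot1x = True
        elif m := re.fullmatch(r"authentication event (.+?) action (.+)", line):
            t.events.setdefault(m.group(1), []).append(m.group(2))
        else:
            for pat, attr in SCALARS + LISTS:
                if m := re.fullmatch(pat, line):
                    setattr(t, attr, m.group(1).split() if (pat, attr) in LISTS else m.group(1))
    return t


def lint(t: PortTemplate) -> list[tuple[str, str]]:
    """Return (level, message) findings: WARN = misconfiguration, INFO = worth knowing."""
    order = t.order or ["dot1x", "mab"]
    prio = t.priority or order

    def rank(method: str) -> int:                # lower value = higher priority
        return prio.index(method) if method in prio else len(prio)

    out: list[tuple[str, str]] = []
    if t.port_control != "auto":
        out.append(("WARN", "port-control is not 'auto': every MAC is authorized unauthenticated"))
    if t.mab and "mab" not in order:
        out.append(("WARN", "'mab' is enabled but not in 'authentication order': MAB never runs"))
    if order[0] == "mab" and "dot1x" in order and rank("dot1x") > rank("mab"):
        out.append(("WARN", "MAB runs first and outranks dot1x, so a MAB-authorized session is not "
                            "preempted by a later supplicant: add 'authentication priority dot1x mab'"))
    if t.voice_vlan and t.mab and t.host_mode not in ("multi-domain", "multi-auth"):
        out.append(("WARN", f"voice VLAN {t.voice_vlan} with host-mode {t.host_mode}: a MAB-authenticated "
                            "phone plus a data device needs 'authentication host-mode multi-domain'"))
    if t.dot1x and "fail" not in t.events:
        out.append(("INFO", "no 'authentication event fail action': a supplicant that fails 802.1X "
                            "(the %DOT1X-5-FAIL case) is held for the quiet-period (default 60 s), then retried"))
    for action in t.events.get("server dead", []):
        out.append(("INFO", f"RADIUS dead: '{action}' is granted without authentication"))
    return out


# Templates from the thread, authentication-relevant lines only (QoS/STP lines dropped).
THOMAS = """
 switchport voice vlan 134
 authentication event server dead action authorize vlan 129
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 132
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
"""
ROB_PHONE_PORT = """
 switchport voice vlan 134
 authentication event server dead action authorize vlan 129
 authentication event no-response action authorize vlan 132
 authentication order dot1x
 authentication port-control auto
 dot1x pae authenticator
"""
# Constructed variants (not from the thread) for the two knobs Thomas's report points at.
NO_PRIORITY = THOMAS.replace(" authentication priority dot1x mab\n", "")
NO_MDA = THOMAS.replace(" authentication host-mode multi-domain\n", "")
SAMPLES = {"thomas": THOMAS, "rob phone port": ROB_PHONE_PORT,
           "no priority": NO_PRIORITY, "no mda": NO_MDA}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, *(f"\n  [{lvl}] {msg}" for lvl, msg in lint(parse_template(text))))
```

Run as a script it prints the findings per sample; Thomas's template as posted yields only INFO findings, the variant without the priority line yields the WARN about MAB outranking dot1x, and the variant without multi-domain yields the host-mode WARN. Rob's phone-port template yields no WARN because it never enables MAB, which is consistent with his statement that he does not authenticate the phones.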

dtjacob
Beginner

Thomas,

Out of curiosity, how did you configure your Macs for dot1x... onboarding using ISE?
