07-09-2015 04:49 AM - edited 03-10-2019 10:53 PM
Hello,
I have a customer with only Apple iMac and MacBook Pro as computers. I have to configure dot1x authentication on 3650 and 3850 switches. Here is the template I use on each port (129: vlan data, 132: vlan guest):
switchport mode access
switchport voice vlan 134
trust device cisco-phone
authentication event server dead action authorize vlan 129
authentication event server dead action authorize voice
authentication event no-response action authorize vlan 132
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 8
auto qos voip cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
The Apple computers are connected behind 7841 IP Phones. This explains why there is mab authentication configuration on the port.
The problem is that sometimes some Apple computers lose their authentication and fail to authenticate again:
%DOT1X-5-FAIL: Authentication failed for client (0c4d.xxxx.xxxx) on Interface Gi1/0/14
Can someone help me to solve this problem please? Maybe someone has already configured dot1X with Apple computers?
Thank you for your help.
Thomas.
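A log triage sketch for the symptom described in the post above, added here as an example and not part of the original thread: it separates clients that authenticated and later failed from clients that never passed dot1x on the port. The `%DOT1X-5-SUCCESS` layout is assumed to mirror the `%DOT1X-5-FAIL` line quoted in the post; the function name, MAC addresses and log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Layout taken from the %DOT1X-5-FAIL line in the post; the SUCCESS
# variant is assumed to use the same layout.
EVENT = re.compile(
    r"%DOT1X-5-(?P<result>FAIL|SUCCESS): Authentication "
    r"(?:failed|successful) for client \((?P<mac>[0-9a-fA-F.]+)\) "
    r"on Interface (?P<intf>\S+)"
)

def triage_dot1x(lines):
    """Split dot1x failures into two dicts keyed by (mac, interface):
    lost  -> failures logged after the client had authenticated on that port
    never -> failures for clients with no earlier success on that port
    Lines must be in chronological order, as in a syslog file."""
    authed = set()
    lost = defaultdict(int)
    never = defaultdict(int)
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue  # unrelated syslog message
        key = (m["mac"].lower(), m["intf"])
        if m["result"] == "SUCCESS":
            authed.add(key)
        elif key in authed:
            lost[key] += 1
        else:
            never[key] += 1
    return dict(lost), dict(never)

# Constructed sample log (not from the thread).
SAMPLE_LOG = """\
Jul  9 08:01:10: %DOT1X-5-SUCCESS: Authentication successful for client (0c4d.0000.0001) on Interface Gi1/0/14 AuditSessionID 0A000001
Jul  9 08:01:12: %DOT1X-5-SUCCESS: Authentication successful for client (0c4d.0000.0002) on Interface Gi1/0/15
Jul  9 09:30:44: %DOT1X-5-FAIL: Authentication failed for client (0c4d.0000.0001) on Interface Gi1/0/14
Jul  9 09:31:00: %DOT1X-5-FAIL: Authentication failed for client (0C4D.0000.0001) on Interface Gi1/0/14
Jul  9 09:40:00: %DOT1X-5-FAIL: Authentication failed for client (0c4d.0000.0003) on Interface Gi1/0/16
Jul  9 09:41:00: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/14, changed state to down
"""

if __name__ == "__main__":
    lost, never = triage_dot1x(SAMPLE_LOG.splitlines())
    for (mac, intf), n in sorted(lost.items()):
        print(f"lost session: {mac} on {intf}, {n} failure(s) after success")
    for (mac, intf), n in sorted(never.items()):
        print(f"never authenticated: {mac} on {intf}, {n} failure(s)")
```

Entries in the first dict match the "lose their authentication" pattern and are the ports worth inspecting on the switch and in the RADIUS server logs for the same timestamps.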
07-09-2015 09:33 AM
You shouldn't need any of the mab authentication for the phones to work. Here's a cut down of your port config to match the one we use with 802.1X authentication for devices plugged into Cisco VOIP phones:
switchport mode access
switchport voice vlan 134
authentication event server dead action authorize vlan 129
authentication event no-response action authorize vlan 132
authentication order dot1x
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 8
You can use the rest of the spanning tree and QOS stuff as-is.
07-10-2015 02:50 AM
Hello Rob,
I need the mab commands because my phones are authenticated by mab (they are created in the active directory as users with their MAC address as password).
In your template the command "authentication priority dot1x mab" does not appear. It was worse without this command.
12-01-2015 07:09 AM
Here's a port config from one of my switches:
interface GigabitEthernet1/0/1
switchport access vlan 192
switchport mode access
power inline never
authentication order dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
end
12-01-2015 07:01 AM
Thomas,
Out of curiosity, how did you configure your MACs for dot1x... onboarding using ISE?