
11-06-2019 07:13 AM
Hi,
Currently all ports are running in monitor mode (template OPEN_MODE). I randomly chose Gi1/0/7 in template "closed".
Then I "shut, no shut" the port Gi1/0/7. Traffic is not passing through, like forever. The device has no error during monitor mode, with auth passed and in the ALLOW authorization policy.
If I normalize Gi1/0/7 back to template OPEN_MODE, traffic passes again.
What could be the issue? PLS PLS SOMEONE HELP ME!!!!
template OPEN_MODE
 dot1x pae authenticator
 mab
 access-session control-direction in
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber DOT1X
!
template closed
 dot1x pae authenticator
 mab
 access-session control-direction in
 access-session closed
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber DOT1X
- Labels: Identity Services Engine (ISE)
Accepted Solutions
11-08-2019 08:18 PM - edited 11-11-2019 12:17 PM
I believe you are correct on this. I've seen some mention that 802.1X is not supported on trunk ports. If your intention is to have endpoints on different VLANs on the same switch interfaces and you are using Catalyst 3650, 3850, or 9K series on recent IOS-XE releases, my impression is that this is possible on access ports.
Per MAC per VLAN Assignment (aka MAC based VLANs)
- With Catalyst 2960X, 3850/3650 (or 9000 series) switches: Each session can have individual VLAN assigned
- 2960X -> 15.2(2)E
- 3850/3650 -> 03.03.00SE
802.1X on Trunk Ports
- Authenticate Flex Connect AP over trunk interface and let AP authenticate the wireless clients
- auth host-mode multi-host
- NEAT
- 15.2(1)E / 3.5.0E
11-06-2019 07:26 AM
What does it show in the ISE Live Logs (Operations->Radius->Live Logs)? Is it failing authentication? Is it passing authentication in ISE?
11-06-2019 08:53 AM
Hi,
I think it was caused by the trunk port. I am using a trunk port.
I am not sure why this happens.
I heard access ports have no issue.
I'm still seeking the answers.
01-25-2021 07:07 AM
We are using a WS-C3850-24U with software version 16.6.3 controlled with ISE commands. We are getting request timeouts continuously even if the endpoint is authenticated and authorized.
ISE live logs show a repeated entry for every drop and it is successful too. If we remove the ISE commands it works perfectly without any issue. ISE version is 2.4.
