1595 Views, 0 Helpful, 20 Replies

ISE 1.4 access point mab

adamgibs7
Level 6

Dears,

I have access points connected to the network through a 4500 switch with power injectors; the access points connected to the 4500 fall into the proper authorization policy. But for the access points connected to a 3560 switch with 15.X IOS, I can see the injector MAC address falling into the authorization policy, the real access point MAC address is not seen anywhere in ISE, and the access point does not register to the WLC.

thanks

20 Replies

jan.nielsen
Level 7

Sounds odd that a power injector would have a MAC address. Why do you think it's the power injector's MAC address? Does it say anything about that on the injector?

Dear Jan,

Yes, it is, because I have other access points without a power injector, and for those only one MAC address is seen on "sh run interface" of the switch, but where a power injector is connected I see two MAC addresses being learned. As I have enabled port-security sticky, I can tell how many MAC addresses are learned on the port.

Any trick to solve this? I'm facing it only on the 3560 switch; on the 4500 switch it is detected properly, falls into the access point endpoint group in ISE and is authorized appropriately.

thanks 

So did you try to use a power adapter with the 4500 switch? Does the same thing happen as on the 3560?

So did you try to use a power adapter with the 4500 switch?

Yes, I use a power injector with the 4500 switch, and it works fine in ISE.

Does the same thing happen as on the 3560?

No, it doesn't work with the 3560 switch.

thanks

Could you show us the interface configuration of the port on the 3560 and the output of "show auth sess int x/x" when the power injector is attached with a device behind it?

Dear Jan,

I have removed the port security. Also, can you share with me the Cisco recommendation that port-security should be disabled on dot1x?

Now I get the attached error on ISE: the DACL is failing.

IOS version is flash:c3560e-universalk9-mz.150-2.SE9.bin.

interface GigabitEthernet0/1
 description "Connected to Access Point"
 switchport access vlan XX
 switchport mode access
 ip access-group ACL-DEFAULT in
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
end

Dears,

Can anybody help me to achieve success?

thanks

I don't think the DACL errors are your problem; they are probably more a symptom of your problem. It looks to me like your AP is using more than one MAC: the two MACs on the port are from the same vendor (Cisco B0:00:B4), and not from your power injector. I have seen that with 2700 APs; you should just let it authenticate with both MACs, and see which one gets the IP address. Right now you are not sending any permit-access ACL to the switch, as far as I can tell. One more thing you could try is using "authentication host-mode multi-auth".

Dear Jan,

What does the above do, which you have advised Adam to use?

thanks

Well, as far as I can tell from the screenshot, you're not actually failing, other than downloading the ACL after you have been authenticated and authorized. Have you checked that your ACL syntax is correct? Could you post the rest of the switch config?

Dear Jan,

Thanks for the reply, but if you see the "show authentication session interface" output, authz is failing.

Here are the attachments, as requested.

The DACL is working fine with the other access points which are connected to the 4500 switch.

Could you show the config of the 4500?

Also try "show ip device tracking int gx/x" when the AP is connected.

I would also remove those empty lines from your ACL, just to be sure that's not a problem for the 3560.

Maybe do some debugging on the switch as well:

"debug dot1x all"

"debug epm all"

"debug aaa authentication"

"debug aaa authorization"

Dear Jan,

Attached as requested. I have also included ip device tracking from the 4500.

Looks like your AP is not getting an IP address, and so the ACL is not being downloaded. You are also missing DHCP snooping on the 3560.

From your 4500:
ip dhcp snooping vlan 1-34,36-4094

Remember to set trusted DHCP ports also.