05-07-2016 12:06 AM - edited 03-10-2019 11:44 PM
Dears,
I have access points connected in the network through a 4500 switch with a power injector. The access points connected to the 4500 fall into the proper authorization policy, but for the access points connected to a 3560 switch with 15.X IOS, I can see the injector MAC address falling into the authorization policy, while the real access point MAC address is not seen anywhere in ISE and the access point doesn't register to the WLC.
thanks
05-10-2016 08:43 AM
Sounds odd that a power injector would have a MAC address. Why do you think it's the power injector's MAC address? Does it say anything about that on the injector?
05-10-2016 10:31 AM
Dear Jan,
Yes, it is, because I have other access points without a power injector and they show only one MAC address on the "sh run interface" of the switch, but I see 2 MAC addresses learned where the power injector is connected. As I have enabled port-security sticky, I can tell how many MAC addresses are learned on the port.
Any trick to solve this? I'm facing it only on the 3560 switch; on the 4500 switch it is detected properly, falls into the access point endpoint group in ISE and is authorized appropriately.
thanks
05-10-2016 11:06 AM
So did you try to use a power adapter with the 4500 switch? Does the same thing happen as on the 3560?
05-11-2016 12:25 PM
So did you try to use a power adapter with the 4500 switch?
Yes, I use a power injector with the 4500 switch, and it works fine in ISE.
Does the same thing happen as on the 3560?
No, it doesn't work with the 3560 switch.
thanks
05-11-2016 01:33 PM
Could you show us the interface configuration of the port on the 3560 and the output of "show auth sess int x/x" when the power injector is attached with a device behind it?
05-12-2016 12:01 PM
Dear Jan,
I have removed the port security also. Can you share with me the Cisco recommendation that port-security should be disabled on dot1x?
Now I get the attached error on ISE: the DACL is failing.
IOS version is "flash:c3560e-universalk9-mz.150-2.SE9.bin".
interface GigabitEthernet0/1
description "Connected to Access Point"
switchport access vlan XX
switchport mode access
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
end
05-21-2016 06:22 AM
Dears,
Can anybody help me to achieve success?
thanks
05-21-2016 07:05 AM
I don't think the DACL errors are your problem; they're probably more of a symptom of your problems. It looks to me like your AP is using more than one MAC: the two MACs on the port are from the same vendor (Cisco B0:00:B4), and not from your power injector. I have seen that with 2700 APs; you should just let it authenticate with both MACs and see which one gets the IP address. Right now you are not sending any permit-access and ACL to the switch, as far as I can tell. One more thing you could try is using "authentication host-mode multi-auth".
05-21-2016 12:43 PM
Dear Jan,
What does the above do, which you have advised to Adam?
thanks
05-21-2016 12:43 PM
Well, as far as I can tell from the screenshot, you're not actually failing, other than downloading the ACL after you have been authenticated and authorized. Have you checked that your ACL is syntactically correct? Could you post the rest of the switch config?
05-21-2016 01:11 PM
Could you show the config of the 4500?
Also try doing some "show ip device tracking int gx/x" when the AP is connected.
I would also remove those empty lines from your ACL just to be sure that's not a problem for the 3560.
Maybe also do some debugging on the switch:
"debug dot1x all"
"debug epm all"
"debug aaa authentication"
"debug aaa authorization"
05-21-2016 01:56 PM
05-21-2016 02:05 PM
Looks like your AP is not getting an IP address, and so the ACL is not being downloaded. You are also missing DHCP snooping on the 3560s.
From your 4500:
ip dhcp snooping vlan 1-34,36-4094
Remember to set trusted DHCP ports also.
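An added configuration example, not from this thread and not Jan's or the poster's own config, that puts the two changes discussed above side by side on the 3560 port from the earlier post: multi-auth host mode so both AP MACs can authenticate, and DHCP snooping plus IP device tracking so the switch learns the AP's IP address and can apply the DACL. The uplink interface name and the ACL-DEFAULT contents are assumptions.

```cisco
! Before (as posted): multi-domain allows one data + one voice MAC per port,
! so the AP's second MAC is a violation and, with "restrict", is only logged.
interface GigabitEthernet0/1
 authentication host-mode multi-domain
 authentication violation restrict
!
! After: each MAC on the port authenticates independently.
interface GigabitEthernet0/1
 authentication host-mode multi-auth
 authentication violation restrict
!
! A DACL is applied per host IP, so the switch needs an IP-to-MAC binding.
! It learns one via DHCP snooping and device tracking.
! VLAN list copied from the 4500 post above.
ip dhcp snooping
ip dhcp snooping vlan 1-34,36-4094
ip device tracking
!
! The uplink toward the DHCP server and WLC must be a trusted snooping port
! (GigabitEthernet0/48 is an assumed uplink).
interface GigabitEthernet0/48
 description Uplink to distribution
 ip dhcp snooping trust
!
! The pre-auth ACL must let the AP get an address before the DACL arrives
! (assumed content; the thread's ACL-DEFAULT is not shown).
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny ip any any log
!
! Checks after reconnecting the AP: both MACs should show Authz Success,
! and each should have an IP in the device-tracking table.
!   show authentication sessions interface GigabitEthernet0/1
!   show ip device tracking interface GigabitEthernet0/1
!   show ip dhcp snooping binding
```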