10-15-2020 03:19 AM
We are using EAP-TLS with MIC certificates for IP phones to be authenticated on wired dot1x, and have configured MAB as a fallback mechanism, with dot1x having the higher priority/order. Below is a snip from the interface config.
However, we have encountered a peculiar scenario where old IP phones are getting stuck in dot1x authentication, not failing over to MAB if they have an expired MIC. What we see from ISE is that it is not sending an "Access-Reject" after the EAP-TLS authentication failure caused by MIC expiry; rather, it is sending an "Access-Challenge".
ISE: v2.4 patch11
Switch: 3750 with 15.2.4.E8
Phone: Cisco 7962, 7965
10-15-2020 04:08 AM
Hello
If you have a continuous Running state for dot1x in the output of "sho authe sess int N d", I'd advise calling TAC.
10-15-2020 04:20 AM
I think what is happening here is that ISE sends the access-challenge messages and waits for the responses, but it looks like the old phones do not support them. In this case, the access-challenge messages will be treated as access-reject; hence, the phones will be denied access to the network and will not try to fail over to the next authc method.
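The Access-Challenge versus Access-Reject distinction discussed in the thread, as an added example that is not part of the original posts and is not Cisco ISE or IOS code: a small Python parser that reads a RADIUS reply, joins any split EAP-Message attributes, and reports whether the supplicant was given an EAP-Request (Access-Challenge, the conversation continues) or an EAP-Failure (Access-Reject, the switch can move to the next method). The sample packets are constructed inline, not captured traffic, and the assumption that the challenge carries an EAP-TLS request with a TLS certificate_expired alert is mine; the thread only says that a challenge was sent, not what it contained.

```python
"""Classify RADIUS replies by code and by the EAP payload they carry.

Added example, not from the thread and not ISE/IOS code. Parses the RADIUS
header, concatenates split EAP-Message attributes, and reports the EAP
code/type and, for an EAP-TLS request, any TLS alert record inside it.
"""
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13              # RFC 5216
ATTR_EAP_MESSAGE = 79          # RFC 2869
ATTR_MESSAGE_AUTHENTICATOR = 80
TLS_RECORD_ALERT = 21
TLS_ALERT_DESCRIPTIONS = {42: "bad_certificate", 44: "certificate_revoked",
                          45: "certificate_expired", 46: "certificate_unknown",
                          48: "unknown_ca"}


def parse_radius(pkt: bytes):
    """Return (code, identifier, [(attr_type, value), ...]) or raise ValueError."""
    if len(pkt) < 20:
        raise ValueError("RADIUS packet shorter than header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def eap_message(attrs):
    """EAP-Message may be split over several 253-byte attributes; join them in order."""
    return b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)


def describe(pkt: bytes) -> dict:
    """Summarise what a RADIUS reply tells the supplicant."""
    code, _ident, attrs = parse_radius(pkt)
    out = {"radius": RADIUS_CODES.get(code, f"code {code}"),
           "eap": None, "eap_type": None, "tls_alert": None}
    eap = eap_message(attrs)
    if len(eap) < 4:
        return out
    ecode, _eid, elen = struct.unpack("!BBH", eap[:4])
    out["eap"] = EAP_CODES.get(ecode, f"code {ecode}")
    if ecode in (1, 2) and elen > 4:
        out["eap_type"] = eap[4]
        if eap[4] == EAP_TYPE_TLS and elen > 5:
            flags, data = eap[5], eap[6:elen]
            if flags & 0x80:       # L bit set: a 4-byte TLS message length precedes the data
                data = data[4:]
            # TLS alert record layout: type(1) version(2) length(2) level(1) description(1)
            if len(data) >= 7 and data[0] == TLS_RECORD_ALERT:
                out["tls_alert"] = TLS_ALERT_DESCRIPTIONS.get(data[6], f"alert {data[6]}")
    return out


# ---- constructed sample packets (not captured traffic) ----

def build_eap(code, ident, payload=b""):
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def build_radius(code, ident, attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    # Authenticator field zeroed here; real packets carry an MD5-derived value.
    return struct.pack("!BBH", code, ident, 20 + len(body)) + b"\x00" * 16 + body


def split_eap_message(eap, chunk=253):
    """Split an EAP packet into EAP-Message attribute values as a RADIUS server would."""
    return [(ATTR_EAP_MESSAGE, eap[i:i + chunk]) for i in range(0, len(eap), chunk)]


# Assumed challenge content: EAP-TLS request carrying a fatal certificate_expired
# alert (record type 21, TLS 1.2, length 2, level fatal=2, description 45).
TLS_ALERT_EXPIRED = bytes([TLS_RECORD_ALERT, 0x03, 0x03, 0x00, 0x02, 0x02, 45])
CHALLENGE = build_radius(11, 5, split_eap_message(
    build_eap(1, 7, bytes([EAP_TYPE_TLS, 0x00]) + TLS_ALERT_EXPIRED))
    + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
REJECT = build_radius(3, 6, split_eap_message(build_eap(4, 7)))

if __name__ == "__main__":
    for name, pkt in (("challenge", CHALLENGE), ("reject", REJECT)):
        print(name, describe(pkt))
```

Pointing `describe()` at the RADIUS payloads from a packet capture of the switch-to-ISE traffic shows whether the last reply for a stuck phone was a challenge (so the session is still waiting on the supplicant) or a reject (so dot1x has actually failed and the fallback to MAB should be expected).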