02-25-2021 01:44 AM - edited 02-25-2021 01:44 AM
Hi,
my Customer has some strange behaviors on his Switches with some clients.
First the config (Closed Mode):
aaa group server radius ISE server name cisco-nac01 server name cisco-nac02 ! aaa authentication dot1x default group ISE aaa authorization network default group ISE aaa accounting update newinfo periodic 2880 aaa accounting dot1x default start-stop group ISE aaa accounting network default start-stop group ISE aaa server radius dynamic-author client 10.30.1.16 server-key 7 <removed> client 10.30.1.17 server-key 7 <removed> authentication mac-move permit radius-server attribute 6 on-for-login-auth radius-server attribute 8 include-in-access-req radius-server attribute 25 access-request include radius-server dead-criteria time 10 tries 3 radius-server deadtime 15 ! radius server cisco-nac01 address ipv4 X.X.X.X auth-port 1812 acct-port 1813 automate-tester username switch_ise_check idle-time 10 key 7 <removed> ! radius server cisco-nac02 address ipv4 X.X.X.X auth-port 1812 acct-port 1813 automate-tester username switch_ise_check idle-time 10 key 7 <removed> interface GigabitEthernet1/0/X switchport access vlan 332 (Guest VLAN with Captive portal) switchport mode access authentication event server alive action reinitialize authentication host-mode multi-auth authentication port-control auto authentication periodic authentication timer reauthenticate server authentication violation restrict mab dot1x pae authenticator dot1x timeout tx-period 5 dot1x max-reauth-req 1 spanning-tree portfast edge spanning-tree bpduguard enable
They have 2960X with Release 15.2.7E0a (we already tested with newer Releases but i didnt work. we also can not use newer releases cause we ran into some bugs.)
Ok now to the actual problem:
First, with this config mostly everything works fine. But there are about 5 Clients (500 Clients overall) that have strang behaviors. when i configure the interfaces with the config above, the misbehaving client doesnt get a session:
Switch#sho authentication sess int g1/0/12 details No sessions match supplied criteria.
then i add this to the port:
authentication open
then the clients gets a session with dhcp IP etc. :
Switchr#sho authentication sess int g1/0/12 details Interface: GigabitEthernet1/0/12 MAC Address: XXXX.XXXX.XXXX IPv6 Address: Unknown IPv4 Address: 10.X.X.X User-Name: 00-03-05-18-04-22 Status: Authorized Domain: DATA Oper host mode: multi-auth Oper control dir: both Session timeout: 3600s (server), Remaining: 3220s Timeout action: Reauthenticate Restart timeout: N/A Periodic Acct timeout: 172800s (local), Remaining: 172421s Session Uptime: 392s Common Session ID: 0A1E3206000031B4614F1C82 Acct Session ID: 0x00003168 Handle: 0xDD000D77 Current Policy: POLICY_Gi1/0/12 Local Policies: Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150) Server Policies: Vlan Group: Vlan: 250 Method status list: Method State dot1x Stopped mab Authc Success
But the client doenst work. i can not ping or get to its http interface, although it got the correct adresse from the dynamic vlan 250.
i have to add
switchport access vlan 250
Now it works...
Other Clients in the same Policy Set etc. with MAB and dynamic vlan 250 are working perfect! just these **** 5 Clients..
Anything i dont see?
Solved! Go to Solution.
02-25-2021 03:38 AM
Hi @fabian.kaltenschnee ,
try the following show/debugs to clarify the case:
show mac address table interface <interface>
debug dot1x all
debug mab all
debug mac-notification
Hope this helps !!!
02-25-2021 03:38 AM
Hi @fabian.kaltenschnee ,
try the following show/debugs to clarify the case:
show mac address table interface <interface>
debug dot1x all
debug mab all
debug mac-notification
Hope this helps !!!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide