02-25-2021 01:44 AM - edited 02-25-2021 01:44 AM
Hi,
my customer has some strange behavior on his switches with some clients.
First the config (Closed Mode):
aaa group server radius ISE
 server name cisco-nac01
 server name cisco-nac02
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting update newinfo periodic 2880
aaa accounting dot1x default start-stop group ISE
aaa accounting network default start-stop group ISE
aaa server radius dynamic-author
 client 10.30.1.16 server-key 7 <removed>
 client 10.30.1.17 server-key 7 <removed>
authentication mac-move permit
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
radius server cisco-nac01
 address ipv4 X.X.X.X auth-port 1812 acct-port 1813
 automate-tester username switch_ise_check idle-time 10
 key 7 <removed>
!
radius server cisco-nac02
 address ipv4 X.X.X.X auth-port 1812 acct-port 1813
 automate-tester username switch_ise_check idle-time 10
 key 7 <removed>
!
interface GigabitEthernet1/0/X
 switchport access vlan 332   (Guest VLAN with Captive portal)
 switchport mode access
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x max-reauth-req 1
 spanning-tree portfast edge
 spanning-tree bpduguard enable
They have 2960X switches with Release 15.2.7E0a (we already tested with newer releases, but it didn't work. We also cannot use newer releases because we ran into some bugs.)
Ok now to the actual problem:
First, with this config mostly everything works fine. But there are about 5 clients (500 clients overall) that have strange behavior. When I configure the interfaces with the config above, the misbehaving client doesn't get a session:
Switch#sho authentication sess int g1/0/12 details
No sessions match supplied criteria.
Then I add this to the port:
authentication open
Then the client gets a session with a DHCP IP etc.:
Switchr#sho authentication sess int g1/0/12 details
Interface: GigabitEthernet1/0/12
MAC Address: XXXX.XXXX.XXXX
IPv6 Address: Unknown
IPv4 Address: 10.X.X.X
User-Name: 00-03-05-18-04-22
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: 3600s (server), Remaining: 3220s
Timeout action: Reauthenticate
Restart timeout: N/A
Periodic Acct timeout: 172800s (local), Remaining: 172421s
Session Uptime: 392s
Common Session ID: 0A1E3206000031B4614F1C82
Acct Session ID: 0x00003168
Handle: 0xDD000D77
Current Policy: POLICY_Gi1/0/12
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Server Policies:
Vlan Group: Vlan: 250
Method status list:
Method State
dot1x Stopped
mab Authc Success
But the client doesn't work. I cannot ping it or get to its HTTP interface, although it got the correct address from the dynamic VLAN 250.
I have to add
switchport access vlan 250
Now it works...
Other clients in the same Policy Set etc. with MAB and dynamic VLAN 250 are working perfectly! Just these **** 5 clients..
Anything I don't see?
02-25-2021 03:38 AM
Hi @fabian.kaltenschnee ,
try the following show/debug commands to clarify the case:
show mac address-table interface <interface>
debug dot1x all
debug mab all
debug mac-notification
Hope this helps !!!
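As an added troubleshooting helper that is not part of this thread, the Python below parses the "show authentication sessions ... details" output in the format quoted above and flags a port whose server-assigned VLAN differs from the configured access VLAN (the mismatch the question describes), or whose MAB/dot1x state is not a success. The sample output is constructed from the thread's format, and the parse_session and check_port names are this example's own.

```python
"""Parse 'show authentication sessions interface ... details' and compare
the session against the port configuration.  Added example; the output
layout follows Cisco IOS, but the helpers here are not Cisco's own."""
import re

# Constructed sample, modelled on the session output quoted in the thread.
SESSION_OUTPUT = """Interface: GigabitEthernet1/0/12
MAC Address: 0003.0518.0422
IPv4 Address: 10.0.0.5
User-Name: 00-03-05-18-04-22
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Server Policies:
Vlan Group: Vlan: 250
Method status list:
Method State
dot1x Stopped
mab Authc Success
"""

def parse_session(text):
    """Return the key fields of one session details block as a dict."""
    info = {}
    for key in ("Interface", "MAC Address", "User-Name", "Status", "Domain"):
        m = re.search(rf"^{re.escape(key)}:\s*(.+)$", text, re.M)
        if m:
            info[key] = m.group(1).strip()
    # Server-assigned VLAN, if the RADIUS server returned one.
    m = re.search(r"Vlan:\s*(\d+)", text)
    info["vlan"] = int(m.group(1)) if m else None
    # Per-method states listed under 'Method State'.
    methods = re.findall(r"^(dot1x|mab)\s+(.+)$", text, re.M)
    info["methods"] = {name: state.strip() for name, state in methods}
    return info

def check_port(session_text, access_vlan, auth_open=False):
    """Return (parsed session, list of findings) for one access port."""
    s = parse_session(session_text)
    findings = []
    if s.get("Status") != "Authorized":
        findings.append("session is not Authorized")
    if not any(st == "Authc Success" for st in s["methods"].values()):
        findings.append("no authentication method reached Authc Success")
    if s["vlan"] is not None and s["vlan"] != access_vlan:
        findings.append(f"server VLAN {s['vlan']} != access VLAN {access_vlan}")
    if auth_open:
        findings.append("authentication open set: pre-auth traffic is allowed")
    return s, findings
```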