Hi,
my Customer has some strange behaviors on his Switches with some clients.
First the config (Closed Mode):
aaa group server radius ISE
server name cisco-nac01
server name cisco-nac02
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting update newinfo periodic 2880
aaa accounting dot1x default start-stop group ISE
aaa accounting network default start-stop group ISE
aaa server radius dynamic-author
client 10.30.1.16 server-key 7 <removed>
client 10.30.1.17 server-key 7 <removed>
authentication mac-move permit
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
radius server cisco-nac01
address ipv4 X.X.X.X auth-port 1812 acct-port 1813
automate-tester username switch_ise_check idle-time 10
key 7 <removed>
!
radius server cisco-nac02
address ipv4 X.X.X.X auth-port 1812 acct-port 1813
automate-tester username switch_ise_check idle-time 10
key 7 <removed>
interface GigabitEthernet1/0/X
switchport access vlan 332 (Guest VLAN with Captive portal)
switchport mode access
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 5
dot1x max-reauth-req 1
spanning-tree portfast edge
spanning-tree bpduguard enable
They have 2960X with Release 15.2.7E0a (we already tested with newer Releases but i didnt work. we also can not use newer releases cause we ran into some bugs.)
Ok now to the actual problem:
First, with this config mostly everything works fine. But there are about 5 Clients (500 Clients overall) that have strang behaviors. when i configure the interfaces with the config above, the misbehaving client doesnt get a session:
Switch#sho authentication sess int g1/0/12 details
No sessions match supplied criteria.
then i add this to the port:
authentication open
then the clients gets a session with dhcp IP etc. :
Switchr#sho authentication sess int g1/0/12 details
Interface: GigabitEthernet1/0/12
MAC Address: XXXX.XXXX.XXXX
IPv6 Address: Unknown
IPv4 Address: 10.X.X.X
User-Name: 00-03-05-18-04-22
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: 3600s (server), Remaining: 3220s
Timeout action: Reauthenticate
Restart timeout: N/A
Periodic Acct timeout: 172800s (local), Remaining: 172421s
Session Uptime: 392s
Common Session ID: 0A1E3206000031B4614F1C82
Acct Session ID: 0x00003168
Handle: 0xDD000D77
Current Policy: POLICY_Gi1/0/12
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Server Policies:
Vlan Group: Vlan: 250
Method status list:
Method State
dot1x Stopped
mab Authc SuccessBut the client doenst work. i can not ping or get to its http interface, although it got the correct adresse from the dynamic vlan 250.
i have to add
switchport access vlan 250
Now it works...
Other Clients in the same Policy Set etc. with MAB and dynamic vlan 250 are working perfect! just these **** 5 Clients..
Anything i dont see?
