05-10-2021 12:14 AM
Hi,
I prepared a switch 2960 version 15.0(2) SE6 and a phone 7940 connected to this switch, and all works fine with MAB. After that I connect a Win 10 PC to the phone using 802.1x and the switch complains about a security violation and automatically shuts down the port.
If I connect the PC directly to the port, no problem.
I'm looking for discrepancies between ISE and 2960 versions, but nothing for the moment.
Any help will be appreciated.
Thanks
05-11-2021 02:52 AM - edited 05-11-2021 02:54 AM
You are using a RADIUS group:
aaa group server radius dot1x_auth
 server name ISE1
!
then this may need to change:
aaa authentication dot1x default group dot1x_auth
aaa authorization network default group dot1x_auth
aaa accounting dot1x default start-stop group dot1x_auth
I try below config:
interface FastEthernet0/13
 description Pruebas_ISE
 switchport access vlan 320
 switchport mode access
 switchport voice vlan 411
 authentication control-direction in
 authentication event fail action next-method
 ! if you want you can use multi-auth instead (I have explained at the bottom)
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
end
05-10-2021 01:56 AM
- Show the running-config of the particular port(s); you may also find some hints in this thread:
M.
05-10-2021 02:03 PM
Can you post the switch configuration?
05-11-2021 01:43 AM
Hi,
Thanks for your replies.
@marce1000 I tried the hints in the link you posted but no chance.
@balaji.bandi I attach the conf with the essential conf, the test port is 0/13 and vlan 320 is for Data (for pc behind phone in 802.1x) and vlan 411 is for voice (MAB).
Thanks
05-11-2021 02:06 AM
>...and the switch complain about security violation and automatically shutdown the port
- What is the exact message as seen in the logs when this happens?
M.
05-11-2021 02:08 AM
The configuration you posted shows the interface host-mode configured as multi-host. Multi-host mode authenticates the first MAC address and then allows an unlimited number of other MAC addresses. As per the IP Telephony for 802.1X Design Guide document, multi-host mode is not recommended for IP Telephony. I would recommend using either Multi-Domain or Multi-Auth mode.
One of the most common issues that results in a violation is if the phone is not authorised correctly for the VOICE domain. If the phone is authorised in the DATA domain and you connect a PC that is also authorised in the DATA domain, it can result in a violation unless you are using Multi-Auth mode.
I would suggest having a look at the 'show auth session interface fa0/13' output to see if the phone is in the DATA or VOICE domain. You should also review the ISE Secure Wired Access Prescriptive Deployment Guide to compare your configurations.
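Added example, not part of the reply above or of any Cisco tooling: a small Python check that reads session output for one port and reports when a domain holds more MAC addresses than the host mode allows, which is the phone-in-DATA case described above. The sample text is constructed (field layout assumed to match `show authentication sessions interface`, MAC addresses made up), and `LIMITS`, `parse_sessions` and `check_port` are hypothetical names.

```python
import re

# Constructed sample in the key/value layout of
# "show authentication sessions interface"; MAC addresses are made up.
SAMPLE = """\
            Interface:  FastEthernet0/13
          MAC Address:  0011.2233.4455
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain

            Interface:  FastEthernet0/13
          MAC Address:  00aa.bbcc.ddee
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
"""

# Assumed per-domain limits for the host modes in the reply (None = no per-MAC limit).
LIMITS = {
    "multi-domain": {"DATA": 1, "VOICE": 1},
    "multi-auth": {"DATA": None, "VOICE": 1},
    "multi-host": {"DATA": None, "VOICE": None},
}

def parse_sessions(text):
    """Return one dict of fields per session block (blank-line separated)."""
    sessions = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = re.findall(r"^[ \t]*([^:\n]+):[ \t]+(.*)$", block, re.M)
        fields = {k.strip(): v.strip() for k, v in pairs}
        if "MAC Address" in fields:
            sessions.append(fields)
    return sessions

def check_port(text, host_mode=None):
    """List domains holding more MACs than the host mode allows."""
    sessions = parse_sessions(text)
    if not sessions:
        return []
    mode = host_mode or sessions[0].get("Oper host mode", "unknown")
    if mode not in LIMITS:
        return [f"host mode {mode!r} not modelled"]
    by_domain = {}
    for s in sessions:
        by_domain.setdefault(s.get("Domain", "UNKNOWN"), []).append(s["MAC Address"])
    return [f"{d}: {len(m)} MACs, {mode} allows {LIMITS[mode][d]}"
            for d, m in by_domain.items()
            if LIMITS[mode].get(d) is not None and len(m) > LIMITS[mode][d]]
```

Passing `host_mode="multi-auth"` to `check_port` shows the same two DATA sessions no longer exceed the limit.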