Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
877
Views
0
Helpful
6
Replies

ISE and 3850 3.2.2SE - Authenticating Wrong Domain and More

Mark H
Level 1
Level 1

‎09-19-2014 12:35 AM - edited ‎03-12-2019 05:43 PM

Hi everyone,

Have been forced in to accepting the new session aware networking commands and I am running in to a few issues. I finally have a service policy that is authenticating dot1x and MAB (we use EAP-TLS for the desktop and MAB for the phone), however I am experiencing two major issues:

  1. When attempting to authenticate both devices, the port has a port-security issue and moves to an err-disabled state.
  2. When attempting to authenticate just the phone with the service-policy, the phone is authenticated in to the data domain. However, if I use a service-policy that authenticates just MAB the phone will be correctly authenticated in to the voice domain.

Can anyone give me some pointers in the right direction? Attached is the interface configuration and service-policy I'm using.

Thanks,

Mark

Labels:
Preview file
1 KB
Preview file
2 KB
0 Helpful
6 Replies 6

Saurav Lodh
Level 7
Level 7

‎09-19-2014 06:59 PM

Post the below output

 

#show authentication sessions interface XX

0 Helpful

Mark H
Level 1
Level 1
In response to Saurav Lodh

‎09-23-2014 09:56 PM

Hi salodh,

Please find attached the following:

1-Device.txt = The output when only authenticating MAB and one device. As you can see it starts unauthorized and once authorized remains on the data domain despite receiving the correct service template I have configured that allows voice domain access.

2-Devices.txt = This is what occurs when authenticating both dot1x and mab in a sequential manner for two devices. Once the second device is authenticated there is no access session for it, as you can see the port is put in to an err-disabled state.

Thanks,

Mark

Preview file
2 KB
Preview file
4 KB
0 Helpful

nspasov
Cisco Employee
Cisco Employee

‎09-23-2014 10:35 PM

Hi Mark. I have never deployed dot1x in a manner that you have done it (service-policy) so I might need more info to better understand your deployment.

However, I would highly recommend that you upgrade the code of your switch. I have done several deployments with 3850s and I have had all kinds of issues with older code. You should be running 3.3.4 if you can. Perhaps you can upgrade one switch and test it but outside of dot1x there has been tons of other bug fixes related to XE. 

 

Thank you for rating helpful posts!

Thank you for rating helpful posts!
0 Helpful

Mark H
Level 1
Level 1
In response to nspasov

‎09-23-2014 10:40 PM

Thanks Neno, planning to give it a go on 3.6.0 shortly. If that fails I'll roll it back to 3.3.4 and give that a go as well.

0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to Mark H

‎09-23-2014 10:42 PM

I have had a good run with 3.3.4 and it is currently ours and Cisco's recommended version but if you want to try 3.6 then be it :) Nonetheless, please let us know if that fixes the issue. 

 

Thank you for rating helpful posts!

Thank you for rating helpful posts!
0 Helpful

Mark H
Level 1
Level 1
In response to nspasov

‎09-23-2014 10:44 PM

Will do. We have 3.6 on majority of our production switches, we made the jump to it in order to resolve some SNMP temperature reporting issues. Unfortunately it was just before 3.3.4 got released!

0 Helpful
Customers Also Viewed These Support Documents