ISE General Questions : DOT1x, NAM, NAC etc...

niketan sutar (Level 1)

Hi,

I have two questions. One is an issue I am facing and the second is a possibility I want to check.

Issue: I have a stack of 3 switches, 2 x WS-C3850-48P and 1 x WS-C3850-24P, running IOS-XE 03.03.01SE. Now on some ports, when I try to enter the following commands, I get the output below.

authentication event fail action next-method
                              ^
% Invalid input detected at '^' marker.

GCB2-FF-C1-SW1(config-if)#$tion event server dead action authorize voice
 authentication event server dead action authorize voice
    ^
% Invalid input detected at '^' marker.

GCB2-FF-C1-SW1(config-if)# authentication host-mode multi-auth
                              ^
% Invalid input detected at '^' marker.

GCB2-FF-C1-SW1(config-if)# authentication order dot1x mab
                              ^
% Invalid input detected at '^' marker.

GCB2-FF-C1-SW1(config-if)# authentication priority dot1x mab
                              ^
% Invalid input detected at '^' marker.

GCB2-FF-C1-SW1(config-if)# authentication port-control auto
                              ^
% Invalid input detected at '^' marker.

GCB2-FF-C1-SW1(config-if)# authentication periodic
                              ^
% Invalid input detected at '^' marker.

GCB2-FF-C1-SW1(config-if)# authentication timer reauthenticate server
                              ^
% Invalid input detected at '^' marker.

GCB2-FF-C1-SW1(config-if)# authentication violation restrict
                              ^
% Invalid input detected at '^' marker.

GCB2-FF-C1-SW1(config-if)# mab
                             ^
% Invalid input detected at '^' marker.

GCB2-FF-C1-SW1(config-if)# dot1x pae authenticator
                            ^
% Invalid input detected at '^' marker.

And on the same switch, I have some ports which have accepted these commands. I don't understand the injustice done to one port.

Any help will be appreciated.

Now for the possibility I want to check:

2. Can we have Cisco AnyConnect configured on a Windows machine as a supplicant that supports both PEAP and smartcard at the same time? So if there are multiple users, some of which will be using a smartcard and some a generic username and password on the machine, can both of them co-exist?

Thanks in advance.

Nick...

1 Accepted Solution

jan.nielsen (Level 7)

Did you make sure those ports are actually set as access ports before loading the dot1x config? It will fail on, e.g., routed ports.
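The check Jan's answer implies, written out as an added example (this is not from the thread, and the data VLAN number is an assumed value): look at the interface first, and if it is a routed port (the running config shows "no switchport"), default it and make it a Layer 2 access port before pasting the same 802.1X/MAB template the original post uses. It assumes the global AAA/RADIUS and dot1x configuration is already in place, which the thread implies since other ports on the stack accepted these commands.

```cisco
! Added example, not from the thread. Step 1: see what the port really is.
! A routed port shows "no switchport" here and rejects every
! "authentication ..." / "mab" / "dot1x ..." command.
GCB2-FF-C1-SW1# show running-config interface GigabitEthernet3/0/2
!
! Step 2: wipe the port and make it a Layer 2 access port first.
GCB2-FF-C1-SW1(config)# default interface GigabitEthernet3/0/2
GCB2-FF-C1-SW1(config)# interface GigabitEthernet3/0/2
GCB2-FF-C1-SW1(config-if)# switchport
GCB2-FF-C1-SW1(config-if)# switchport mode access
! VLAN 10 is an assumed data VLAN for the example; 67 is the voice VLAN from the post.
GCB2-FF-C1-SW1(config-if)# switchport access vlan 10
GCB2-FF-C1-SW1(config-if)# switchport voice vlan 67
!
! Step 3: only now do the port-authentication commands parse.
GCB2-FF-C1-SW1(config-if)# authentication event fail action next-method
GCB2-FF-C1-SW1(config-if)# authentication event server dead action authorize voice
GCB2-FF-C1-SW1(config-if)# authentication host-mode multi-auth
GCB2-FF-C1-SW1(config-if)# authentication order dot1x mab
GCB2-FF-C1-SW1(config-if)# authentication priority dot1x mab
GCB2-FF-C1-SW1(config-if)# authentication port-control auto
GCB2-FF-C1-SW1(config-if)# authentication periodic
GCB2-FF-C1-SW1(config-if)# authentication timer reauthenticate server
GCB2-FF-C1-SW1(config-if)# authentication violation restrict
GCB2-FF-C1-SW1(config-if)# mab
GCB2-FF-C1-SW1(config-if)# dot1x pae authenticator
GCB2-FF-C1-SW1(config-if)# spanning-tree portfast
GCB2-FF-C1-SW1(config-if)# spanning-tree bpduguard enable
GCB2-FF-C1-SW1(config-if)# end
!
! Step 4: confirm the port is actually enforcing, not just configured.
GCB2-FF-C1-SW1# show running-config interface GigabitEthernet3/0/2
GCB2-FF-C1-SW1# show authentication sessions interface GigabitEthernet3/0/2
```

The last step matters for more than tidiness: when a template is pasted and the "authentication port-control auto" line is rejected, the port silently stays at the default of force-authorized, i.e. it passes traffic with no 802.1X or MAB at all. Checking "show authentication sessions" on every port the template was pushed to is the quick way to find ports that were left open by a failed paste.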

7 Replies

Yes Jan,

Here is the complete output.

GCB2-FF-C1-SW1(config)#interface GigabitEthernet3/0/2
GCB2-FF-C1-SW1(config-if)# switchport voice vlan 67
GCB2-FF-C1-SW1(config-if)# power inline never
GCB2-FF-C1-SW1(config-if)# authentication event fail action next-method
                              ^
% Invalid input detected at '^' marker.

GCB2-FF-C1-SW1(config-if)#$tion event server dead action authorize voice
 authentication event server dead action authorize voice
    ^
% Invalid input detected at '^' marker.

GCB2-FF-C1-SW1(config-if)# authentication host-mode multi-auth
                              ^
% Invalid input detected at '^' marker.

GCB2-FF-C1-SW1(config-if)# authentication order dot1x mab
                              ^
% Invalid input detected at '^' marker.

GCB2-FF-C1-SW1(config-if)# authentication priority dot1x mab
                              ^
% Invalid input detected at '^' marker.

GCB2-FF-C1-SW1(config-if)# authentication port-control auto
                              ^
% Invalid input detected at '^' marker.

GCB2-FF-C1-SW1(config-if)# authentication periodic
                              ^
% Invalid input detected at '^' marker.

GCB2-FF-C1-SW1(config-if)# authentication timer reauthenticate server
                              ^
% Invalid input detected at '^' marker.

GCB2-FF-C1-SW1(config-if)# authentication violation restrict
                              ^
% Invalid input detected at '^' marker.

GCB2-FF-C1-SW1(config-if)# mab
                             ^
% Invalid input detected at '^' marker.

GCB2-FF-C1-SW1(config-if)# dot1x pae authenticator
                            ^
% Invalid input detected at '^' marker.

GCB2-FF-C1-SW1(config-if)# spanning-tree portfast
GCB2-FF-C1-SW1(config-if)# spanning-tree bpduguard enable

I even tried with a proper access VLAN instead of a voice VLAN... still the same issue is faced.

Can you give us a "show run interface Gi3/0/2"?

I got it resolved. I had to reboot the switch after defaulting the interface. Post reboot, I was able to configure the same.

nspasov (Cisco Employee)

Hi Nick-

For #1 - I would also mirror Jan's comment and ask to make sure that the affected ports are configured as "switchports".

Also, please note that early versions of IOS-XE were very problematic and had tons of issues/bugs related and unrelated to 802.1x. Thus, I would suggest that you upgrade from your current release to a newer and more stable version such as 3.6.4.

For #2 - The AnyConnect profile can be different for each user on the machine. Thus, user-1 can be PEAP-based and user-2 EAP-TLS.

I hope this helps!

Thank you for rating helpful posts!

Hi Neno,

Thanks for the reply.

I wanted to know if I can use both PEAP and EAP-TLS on the same endpoint, i.e. say I have two users accessing the same machine, one uses PEAP and the other EAP-TLS. Can I do an AnyConnect configuration to support them both on that one single machine itself?

Yes, you can have different AnyConnect profiles for the different users that login to that machine. 

Thank you for rating helpful posts!