01-13-2014 01:49 AM - edited 03-10-2019 09:16 PM
Hi All,
I am configuring MAB authentication for IBMS devices(some buliding infra devices) but MAB was not getting triggered.
I tried using the following solution as well,
https://supportforums.cisco.com/thread/2015988
it says I should changed control-direction to inbound "dot1x control-direction in", that let the MAB work. By applying this interface level command I can see that session is getting authorized but still I can not ping the devices.
Can someone exactly confirm whats the issue over here and how to resolve?
My config on port is as follows,
!
int ten1/1/9
switchport mode access
authentication host-mode single-host
authentication port-control auto
authentication violation restrict
authentication control-direction in
mab
!
Regards,
02-17-2014 07:11 PM
Hi Robert,
I was checking the use of this command and came across with this statement saying
" The caveat to this method is that an SVI must exist on every switch in every VLAN where
Windows clients who run DHCP reside."
and In my setup, mostly edge switches are running on layer 2 purely. SVIs are created on core switches where routing is done. so wondering if this command will still supports and the purpose can be achieved?
Regards,
Hammad
02-17-2014 07:40 PM
Hammad,
The command still applies. I have used this command with "use svi" and built a local svi on the edge switch just for this reason. The ip device tracking uses arp to resolve the ip address. Some device dont respond like others. By using the use svi command you source it directly from the edge switch. I know it's a pain to build an svi for each vlan that is using static IPs but it may be the only way. Try it on one and let us know the outcome.
Sent from Cisco Technical Support Android App
02-20-2014 06:05 AM
The customer use case (detailed below) is essentially MAB for protected devices on specific ports to one server and all other ports would point to a separate server. Is this something that could be accomplished via SANet? This would of course require them to upgrade all affected access switches assuming what Hsing-Tsu mentioned below is true and we're limited to 3650/3850 today.
You can have different RADIUS servers for for dot1x and MAB when you use identity policy (SANet).
You can create two policies doing the same thing (eg MAB) but use different RADIUS servers.
You would then have a different policy attached to the port groups in question.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide