04-07-2016 06:42 AM - edited 03-10-2019 11:39 PM
I'm getting some odd behaviour with a Catalyst switch and 802.1x. I am using multi-auth, with a PC and Cisco Phone patched in. Both devices authenticate correctly, but only the PC is authorized based on the switch logs.
Apr 7 09:27:37.836 EDT: %AUTHMGR-5-START: Starting 'mab' for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
Apr 7 09:27:37.945 EDT: %MAB-5-SUCCESS: Authentication successful for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
Apr 7 09:27:37.945 EDT: %AUTHMGR-5-VLANASSIGN: VLAN 100 assigned to Interface Fa0/1 AuditSessionID Unassigned
Apr 7 09:27:37.970 EDT: %AUTHMGR-5-FAIL: Authorization failed for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
Apr 7 09:27:39.295 EDT: %AUTHMGR-5-START: Starting 'dot1x' for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
Apr 7 09:27:43.775 EDT: %DOT1X-5-SUCCESS: Authentication successful for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID
Apr 7 09:27:43.783 EDT: %AUTHMGR-5-VLANASSIGN: VLAN 212 assigned to Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
Apr 7 09:27:45.570 EDT: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
aaa authentication dot1x default group RADIUS-DOT1X
aaa authorization network default group radius
ip radius source-interface Loopback0
radius-server vsa send accounting
radius-server vsa send authentication
dot1x system-auth-control
dot1x guest-vlan supplicant
interface FastEthernet0/1
 switchport mode access
 srr-queue bandwidth share 10 10 60 20
 priority-queue out
 authentication event fail action next-method
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 999
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation protect
 mab
 mls qos trust cos
 auto qos voip trust
 dot1x pae authenticator
 no mdix auto
 spanning-tree portfast
and
04-07-2016 06:49 AM
Try configuring a voice VLAN on the port.
switchport voice vlan <vlan-id>
04-07-2016 06:53 AM
That will work...but I'm trying to dynamically assign the VLAN based on RADIUS attributes.
04-12-2016 02:36 AM
Hello Jim,
Try to use host mode multi-domain instead of multi-auth.
Regards,
Poonam Garg
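For troubleshooting a port like the one in this thread, the following added example (not part of any post above, and not Cisco tooling) correlates the AUTHMGR, MAB and DOT1X syslog messages per client and reports clients that authenticated but failed authorization. The function names are this example's own, and the sample input is the log from the opening post.

```python
import re

# Syslog lines as they appear in the opening post of this thread.
SAMPLE_LOG = """\
Apr 7 09:27:37.836 EDT: %AUTHMGR-5-START: Starting 'mab' for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
Apr 7 09:27:37.945 EDT: %MAB-5-SUCCESS: Authentication successful for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
Apr 7 09:27:37.945 EDT: %AUTHMGR-5-VLANASSIGN: VLAN 100 assigned to Interface Fa0/1 AuditSessionID Unassigned
Apr 7 09:27:37.970 EDT: %AUTHMGR-5-FAIL: Authorization failed for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
Apr 7 09:27:39.295 EDT: %AUTHMGR-5-START: Starting 'dot1x' for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
Apr 7 09:27:43.775 EDT: %DOT1X-5-SUCCESS: Authentication successful for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID
Apr 7 09:27:43.783 EDT: %AUTHMGR-5-VLANASSIGN: VLAN 212 assigned to Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
Apr 7 09:27:45.570 EDT: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
"""

LINE = re.compile(r"%(?P<fac>[A-Z0-9]+)-\d-(?P<mnem>[A-Z]+): (?P<msg>.*)")
MAC = re.compile(r"\(([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)")
IFACE = re.compile(r"Interface (\S+)")
SESSION = re.compile(r"AuditSessionID ([0-9A-F]{8,})")  # skips "Unassigned" and empty IDs
VLAN = re.compile(r"VLAN (\d+) assigned")

def correlate(log_text):
    """Build per-client state {mac: {...}} from AUTHMGR/MAB/DOT1X messages."""
    clients, by_session, last_authed = {}, {}, {}
    for m in filter(None, map(LINE.search, log_text.splitlines())):
        fac, mnem, msg = m["fac"], m["mnem"], m["msg"]
        mac, iface, sid = (p.search(msg) for p in (MAC, IFACE, SESSION))
        port = iface[1] if iface else None
        if mac:
            c = clients.setdefault(mac[1], {"method": None, "authenticated": False,
                                            "authorized": None, "vlan": None})
            if sid:
                by_session[sid[1]] = mac[1]
            if fac in ("MAB", "DOT1X") and mnem == "SUCCESS":
                c["method"] = fac.lower()
                c["authenticated"] = True
                last_authed[port] = mac[1]
            elif fac == "AUTHMGR" and mnem in ("SUCCESS", "FAIL"):
                c["authorized"] = (mnem == "SUCCESS")
        elif mnem == "VLANASSIGN":
            # No MAC here: match by session ID, else the last client authenticated on the port.
            owner = by_session.get(sid[1]) if sid else last_authed.get(port)
            if owner:
                clients[owner]["vlan"] = int(VLAN.search(msg)[1])
    return clients

def authenticated_but_unauthorized(clients):
    """MACs whose authentication succeeded but whose authorization failed."""
    return sorted(mac for mac, c in clients.items()
                  if c["authenticated"] and c["authorized"] is False)
```
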