NEAT and CISP not working

desweiler
Level 1

Hello,

I am trying to get NEAT to work. I set up the ISE and switches according to this http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html guide.

The supplicant switch successfully authenticates itself to the ISE. The authenticator switch receives the av-pair and reconfigures the port to a trunk port.

The CISP part does not seem to be working though. I enabled it globally on both switches (there is only one command available "cisp enable").

On Authenticator I see:

CISP Status for interface Gi1/0/2
---------------------------------
  Version:     1
  Mode:        Authenticator
  Peer Mode:   Supplicant
  Auth State:  Idle

But on Supplicant I see that it tries to register, but in the end it shows:

CISP Status for interface Gi0/10
--------------------------------
  Version:     (not negotiated)
  Mode:        Supplicant
  Peer Mode:
  Supp State:  Registration Failed

I can see CISP clients on the supplicant switch but not on the authenticator. IOS is 15.2(1)E on both switches.

Without CISP only the MAC Address of the physical Interface is registered on the authenticator. Because of this the supplicant switch is not reachable anymore because the SVI has a different MAC Address. If I choose host-mode multi-host the switch works again but this is because this way all other MACs are allowed on this port.


desweiler
Level 1

I just found out that it is working if the native vlan of the trunk is the vlan of the supplicant switch SVI.

This way I see the correct CISP status and I see the CISP clients on the Authenticator switch.

I can also use PCs connected to the supplicant switch. They are added to the CISP client list on the authenticator. This only works for PCs that don't use dot1x.

If the switchport on the supplicant is configured for dot1x it is not working at all.

Dot1x doesn't seem to start on the supplicant. With "debug dot1x all" I only see ".Apr 15 10:01:01: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet0/1".

The same port with the same config works if the supplicant switch is connected without NEAT. If I use NEAT, NEAT seems to work but dot1x for clientports on the supplicant switch stops working!

OK, another update: using IOS 12.2(55)EX2 on the supplicant switch (2960CG) it all works directly. 15.2(1)E and even the latest 15.2(1)E2 don't work!

This is clearly a bug!

I'm running two identical 3560-CG's on 15.2(2)E.

Both switches authenticate to ISE correctly; however, only one switch works fine, the other refuses to negotiate CISP.

They both have management IPs in VLAN200, which is allowed on the trunk but is not the native VLAN on the Auth switch port.

The only difference configured is the management IP and the dot1x credentials username.

hdussa
Level 1

Hi,

AUTHENTICATOR

cisp enable
!
interface xxxx
  switchport mode access
  authentication port-control auto
  dot1x pae authenticator

SUPPLICANT

cisp enable
!
dot1x credentials TEST
  username cisco          (needs to be configured as a user in RADIUS)
  password cisco          (needs to be configured as a user in RADIUS)
dot1x supplicant force-multicast
!
interface gixxx           (UPLINK to Authenticator)
  switchport mode trunk
  switchport trunk native vlan xxx
  dot1x pae supplicant
  dot1x credentials TEST

Regards, Horst

Hi, thanks for your answer. This is exactly what I have configured. It is only working correctly however if the native VLAN of the trunk is the VLAN of the supplicant switch management SVI. This is not documented in the Cisco Guide though.

Additionally, using IOS 15.2(1), dot1x clients on the supplicant switch don't work. On 12.2(55)EX2 this is working.

If your management VLAN is not VLAN 1, you always need to configure the appropriate VLAN as the native VLAN on the supplicant. I ran into the same issue.

Horst

I was also told this; however, in testing I've discovered that (perhaps with newer versions) it is no longer true.

I have this working now with the supplicant switch management SVI in VLAN200, yet a default native VLAN on the trunk to the authenticator switch.

What I did discover, however, is that certain STP conditions can prevent it from working. I am using MSTP, and if I removed VLAN1 from the trunk it would fail to work, even though I could see MAC addresses on the trunk of other hosts.
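Added here as an illustration, not code from any participant in this thread: a small Python check that parses the supplicant-side "show cisp interface" output quoted above together with a supplicant running-config excerpt, and flags the two conditions the thread keeps coming back to, a "Registration Failed" supplicant state and a NEAT uplink whose trunk native VLAN is not the VLAN of the management SVI (a rule the last reply says may not hold on newer releases). The sample output and config are constructed; the interface names, IP address and VLAN numbers are assumptions.

```python
import re
# Constructed sample, modelled on the supplicant-side "show cisp interface" output in this thread.
CISP_STATUS = """CISP Status for interface Gi0/10
--------------------------------
  Version:     (not negotiated)
  Peer Mode:
  Supp State:  Registration Failed
"""
# Constructed supplicant running-config excerpt; interface names, IP address and VLANs are assumptions.
SUPPLICANT_CONFIG = """cisp enable
interface Vlan200
 ip address 10.0.200.5 255.255.255.0
interface GigabitEthernet0/10
 switchport mode trunk
 switchport trunk native vlan 1
 dot1x pae supplicant
 dot1x credentials TEST
"""

def parse_cisp_status(text):
    # Collect the "Key:   value" fields of a show cisp interface block (empty values kept).
    matches = (re.match(r"\s*([A-Za-z ]+):\s*(.*)$", line) for line in text.splitlines())
    return {m.group(1).strip(): m.group(2).strip() for m in matches if m}

def parse_config(text):
    # Group config lines under their "interface" stanza; global commands go under "".
    stanzas, current = {"": []}, ""
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        stanzas.setdefault(current, []).append(line.strip())
    return stanzas

def check_supplicant(config_text, status_text):
    # Return the findings a troubleshooter would want flagged; an empty list means nothing found.
    findings = []
    if parse_cisp_status(status_text).get("Supp State") == "Registration Failed":
        findings.append("CISP registration failed on the supplicant uplink")
    stanzas = parse_config(config_text)
    # VLANs that carry an SVI with an IP address, i.e. where the management interface lives.
    svi_vlans = {int(name[4:]) for name, lines in stanzas.items()
                 if name.startswith("Vlan") and any(l.startswith("ip address") for l in lines)}
    for name, lines in stanzas.items():
        if "dot1x pae supplicant" not in lines:
            continue  # only the NEAT uplink (the port running the supplicant) matters here
        m = re.search(r"switchport trunk native vlan (\d+)", "\n".join(lines))
        native = int(m.group(1)) if m else 1  # IOS default native VLAN is 1
        if svi_vlans and native not in svi_vlans:
            findings.append(f"{name}: native VLAN {native} differs from management SVI VLAN(s) {sorted(svi_vlans)}")
    return findings
```

Run it against the real "show cisp interface" output and "show running-config" of the supplicant switch; a "Registration Failed" state plus a native VLAN mismatch points at the fix the first reply found, while a clean config that still fails points at the STP/VLAN1 condition the last reply describes.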