04-15-2014 12:06 AM - edited 03-10-2019 09:38 PM
Hello,
I am trying to get NEAT to work. I set up the ISE and switches according to this http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html guide.
The supplicant switch successfully authenticates itself to the ISE. The authenticator switch receives the av-pair and reconfigures the port to a trunk port.
The CISP part does not seem to be working though. I enabled it globally on both switches (there is only one command available, "cisp enable").
On Authenticator I see:
CISP Status for interface Gi1/0/2
---------------------------------
Version: 1
Mode: Authenticator
Peer Mode: Supplicant
Auth State: Idle
But on the supplicant I see that it tries to register, but in the end it shows:
CISP Status for interface Gi0/10
--------------------------------
Version: (not negotiated)
Mode: Supplicant
Peer Mode:
Supp State: Registration Failed
I can see CISP clients on the supplicant switch but not on the authenticator. IOS is 15.2(1)E on both switches.
Without CISP only the MAC Address of the physical Interface is registered on the authenticator. Because of this the supplicant switch is not reachable anymore because the SVI has a different MAC Address. If I choose host-mode multi-host the switch works again but this is because this way all other MACs are allowed on this port.
04-15-2014 01:10 AM
I just found out that it is working if the native vlan of the trunk is the vlan of the supplicant switch SVI.
This way I see the correct CISP status and I see the CISP clients on the authenticator switch.
I can also use PCs connected to the supplicant switch. They are added to the CISP client list on the authenticator. This only works for PCs that don't use dot1x.
If the switchport on the supplicant is configured for dot1x it is not working at all.
Dot1x doesn't seem to start on the supplicant. With "debug dot1x all" I only see ".Apr 15 10:01:01: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet0/1".
The same port with the same config works if the supplicant switch is connected without NEAT. If I use NEAT, NEAT seems to work but dot1x for clientports on the supplicant switch stops working!
04-15-2014 02:14 AM
OK, another update. Using IOS 12.2(55)EX2 on the supplicant switch (2960CG) it all works directly. 15.2(1)E and even the latest 15.2(1)E2 don't work!
This is clearly a bug!
11-10-2014 10:00 PM
I'm running two identical 3560-CG's on 15.2(2)E
Both switches authenticate to ISE correctly however only one switch works fine, the other refuses to negotiate CISP.
They both have management IPs in VLAN200, which is allowed on the trunk but is not the native VLAN on the Auth switch port.
The only difference configured is the management IP and the dot1x credentials username.
04-16-2014 02:56 AM
Hi,
AUTHENTICATOR
cisp enable
interface xxxx
switchport mode access
authentication port-control auto
dot1x pae authenticator
SUPPLICANT
cisp enable
!
dot1x credentials TEST
username cisco (needs to be configured as a User in RADIUS)
password cisco (needs to be configured as a User in RADIUS)
dot1x supplicant force-multicast
!
interface gixxx (UPLINK to Authenticator)
switchport mode trunk
switchport trunk native vlan xxx
dot1x pae supplicant
dot1x credentials TEST
Regards Horst
04-16-2014 04:59 AM
Hi, thanks for your answer. This is exactly what I have configured. It is only working correctly however if the native VLAN of the trunk is the VLAN of the supplicant switch management SVI. This is not documented in the Cisco Guide though.
Additionally, using IOS 15.2(1), dot1x clients on the supplicant switch don't work. On 12.2(55)EX2 this is working.
04-16-2014 06:07 AM
If your management VLAN is not VLAN 1, you always need to configure the appropriate VLAN as NATIVE VLAN on the supplicant. I ran into the same issue.
Horst
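As an added example (not part of the thread, and not Cisco's code), a small checker that reads a supplicant switch config and flags the conditions the posts above found necessary for CISP registration: global "cisp enable", a trunk uplink running "dot1x pae supplicant" with credentials bound, and a native VLAN equal to the management SVI VLAN. The sample config, interface names and addresses are constructed; a later post reports the native VLAN requirement may not hold on newer releases, so treat that finding as a hint rather than a hard rule.

```python
# Constructed sample config for the supplicant switch, in the shape posted above:
# management SVI in VLAN 200, NEAT uplink left on the default native VLAN 1.
SUPPLICANT_CFG = """\
cisp enable
dot1x credentials TEST
 username cisco
 password 0 cisco
interface Vlan200
 ip address 10.0.200.2 255.255.255.0
interface GigabitEthernet0/10
 switchport mode trunk
 dot1x pae supplicant
 dot1x credentials TEST
"""

def parse_interfaces(cfg):
    """Return {interface name: [its indented config lines]}."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split()[1]
            ifaces[cur] = []
        elif line.startswith(" ") and cur is not None:
            ifaces[cur].append(line.strip())
        else:
            cur = None  # a global command ends the interface stanza
    return ifaces

def check_neat_supplicant(cfg):
    """List deviations from the supplicant settings the thread found necessary."""
    findings = []
    if "cisp enable" not in cfg.splitlines():
        findings.append("global 'cisp enable' is missing")
    ifaces = parse_interfaces(cfg)
    mgmt_vlans = {int(n[4:]) for n in ifaces if n.lower().startswith("vlan")}
    for name, lines in ifaces.items():
        if "dot1x pae supplicant" not in lines:
            continue  # not the NEAT uplink
        if "switchport mode trunk" not in lines:
            findings.append(f"{name}: NEAT uplink is not a trunk")
        # IOS defaults the native VLAN to 1 when none is configured on the trunk
        native = next((int(ln.split()[-1]) for ln in lines
                       if ln.startswith("switchport trunk native vlan")), 1)
        if native not in mgmt_vlans:
            findings.append(f"{name}: native VLAN {native} is not the management SVI VLAN")
        if not any(ln.startswith("dot1x credentials") for ln in lines):
            findings.append(f"{name}: no dot1x credentials bound to the uplink")
    return findings
```

Run it against "show running-config" output from the supplicant; an empty list means the uplink matches the settings Horst posted, with the native VLAN set to the management VLAN.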
11-12-2014 03:49 PM
I was also told this however in testing I've discovered that (perhaps with newer versions) it is no longer true.
I have this working now with the supplicant switch management SVI in VLAN200 yet a default native vlan on the trunk to the authenticator switch.
What I did discover, however, is that certain STP conditions can prevent it from working. I am using MSTP, and if I removed VLAN1 from the trunk it would fail to work, even though I could see MAC addresses on the trunk of other hosts.