04-04-2012 06:31 AM - edited 03-10-2019 06:58 PM
Hi,
I'm currently setting up a lab in order to test the NEAT feature. The supplicant switch (sSW) is able to authenticate to the authenticator switch (aSW).
sSW#sh cisp summary
CISP is running on the following interface(s):
----------------------------------------------
Fa0/8 (supplicant)
When I connect a PC with X.509 certificate to the sSW, I see the EAPOL request coming from the PC to the sSW on Fa0/1:
*Mar 6 23:25:12.600: dot1x-ev(Fa0/1): Role determination not required
*Mar 6 23:25:12.600: dot1x-ev(Fa0/1): New client detected, issuing Start Request to AuthMgr
But the sSW does not forward the packet to the aSW.
sSW#sh cisp interface fastEthernet 0/1
CISP not enabled on specified interface
Do I need additional configuration on the port toward the PC?
Why is CISP not enabled on Fa0/1?
Topology and config are below:
Topology:
PC-------------0/1|sSW|0/8--------------4/10|aSW|
Configuration:
-----------------------------------------
aSW: WS-C4510R-E
System image file is "bootflash:cat4500e-entservicesk9-mz.150-2.SG3.bin"
interface GigabitEthernet4/10
 description toward sSW
 switchport trunk native vlan 332
 switchport mode trunk
 switchport voice vlan 335
 logging event link-status
 authentication host-mode multi-domain
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast trunk
----------------------------------------------
sSW> 2960
"flash:c2960-lanbasek9-mz.150-1.SE2.bin"
dot1x credentials cisco
 username cisco
 password 0 cisco
!
cisp enable
dot1x supplicant force-multicast
interface FastEthernet0/8
 description toward 4/10-aSW
 switchport trunk native vlan 332
 switchport mode trunk
 duplex full
 dot1x pae supplicant
 dot1x credentials cisco
interface FastEthernet0/1
 description toward PC
 switchport access vlan 332
 switchport mode access
 speed 100
 duplex full
 spanning-tree portfast
sh cisp interface fastEthernet 0/1
CISP not enabled on specified interface
*Mar 6 23:25:12.600: dot1x-ev(Fa0/1): Role determination not required
*Mar 6 23:25:12.600: dot1x-ev(Fa0/1): New client detected, issuing Start Request to AuthMgr
sSW#sh cisp summary
CISP is running on the following interface(s):
----------------------------------------------
Fa0/8 (supplicant)
sSW#sh cisp clients
Supplicant Client Table:
------------------------
MAC Address VLAN Interface
---------------------------------
0000.0c07.ac01 332 Fa0/8
0024.14af.3e09 1 Fa0/8
8cb6.4fab.c7c1 332 Vl332
0022.9031.53ff 332 Fa0/8
0024.14af.3e09 332 Fa0/8
8cb6.4fab.c7c0 1 Vl1
sSW#sh cisp interface fastEthernet 0/1
CISP not enabled on specified interface
12-19-2012 03:07 PM
Hi Amin,
Please have a look at the brief on CISP:
http://tools.cisco.com/ITDIT/CFN/Dispatch?act=featdesc&task=display&featureId=9434
In my understanding, CISP only works on the switch-to-switch port.
----------
Which can win the race: increasing bandwidth with new technologies VS QoS?
12-20-2012 07:14 PM
Hi,
When using NEAT, the switch authenticates itself to the upstream switch so that the link becomes a trunking port. The switch that the client is connecting to must have the RADIUS configuration to support dot1x, much like your other switches. The switch that authenticates itself must have its IP address added to the RADIUS server database so it can authenticate.
Let me know if that helps point you in the right direction.
Tarik Admani
*Please rate helpful posts*
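As an added example (not part of the thread and not Cisco tooling), the Python script below checks the sSW configuration from the original post for the 802.1X authenticator settings the last reply refers to. The lists of required commands are an assumption based on the usual IOS authenticator setup, and the sample config is an excerpt of the posted one with indentation restored.

```python
import re
# Constructed input: excerpt of the sSW config posted in the thread, re-indented.
SSW_CONFIG = """\
cisp enable
dot1x supplicant force-multicast
interface FastEthernet0/8
 switchport mode trunk
 dot1x pae supplicant
 dot1x credentials cisco
interface FastEthernet0/1
 switchport access vlan 332
 switchport mode access
 spanning-tree portfast
"""

# Assumption: the usual IOS prerequisites for an 802.1X authenticator port.
GLOBAL_REQUIRED = ["aaa new-model", "aaa authentication dot1x",
                   "dot1x system-auth-control", "radius"]
PORT_REQUIRED = ["dot1x pae authenticator", "authentication port-control auto"]

def parse(config):
    """Split an IOS config into global lines and per-interface line lists."""
    globals_, ports, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), [])
        elif line in ("", "!"):
            current = None
        elif current is not None and raw[:1].isspace():
            current.append(line)
        else:
            current = None
            globals_.append(line)
    return globals_, ports

def missing(required, present):
    # Required command prefixes that no configured line starts with.
    return [r for r in required if not any(p.startswith(r) for p in present)]

def audit(config):
    """Report missing 802.1X authenticator commands, globally and per access port."""
    globals_, ports = parse(config)
    report = {"global": missing(GLOBAL_REQUIRED, globals_)}
    for name, lines in ports.items():
        if "switchport mode access" in lines:  # client-facing ports only
            report[name] = missing(PORT_REQUIRED, lines)
    return report
```

On the posted excerpt, `audit(SSW_CONFIG)` lists every global prerequisite and both port commands as missing for FastEthernet0/1; the trunk port Fa0/8 is skipped because it is the supplicant side of the link.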