I have a 3560 running 15.0 code configured for dot1x and mab auth with ISE 1.2. We're having trivial experiences with the auth session starting for a non-dot1x device connected behind a phone that has already passed MAB. There does not appear to be an auth session starting for the device, but it acquires an IP and traffic is subjected to the ACL-DEFAULT on the port, but since there is no auth session, there is no web-auth redirect. ARP shows the device, as does IP Device Tracking. A non-dot1x device connected directly to the port works as expected. A dot1x device behind the phone works fine. Any suggestions would be appreciated.
3560G#sho ip device track all
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
IP Device Tracking Probe Delay Interval = 0
-----------------------------------------------------------------------
IP Address MAC Address Vlan Interface STATE
-----------------------------------------------------------------------
10.1.3.8 d824.bd26.0ee3 103 GigabitEthernet0/3 ACTIVE
10.1.1.39 008c.fa3d.1c78 101 GigabitEthernet0/3 ACTIVE
Total number interfaces enabled: 2
Enabled interfaces:
Gi0/3
3560G#sho auth sess int g0/3
Interface: GigabitEthernet0/3
MAC Address: d824.bd26.0ee3
IP Address: 10.1.3.8
User-Name: D8-24-BD-26-0E-E3
Status: Authz Success
Domain: VOICE
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-4e4d854b
Session timeout: 3600s (local), Remaining: 3528s
Timeout action: Reauthenticate
Idle timeout: N/A
Common Session ID: 0A010003000000520377A661
Acct Session ID: 0x00000057
Handle: 0x28000053
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
3560G#sho run int g0/3
Building configuration...
Current configuration : 669 bytes
!
interface GigabitEthernet0/3
switchport access vlan 101
switchport mode access
switchport voice vlan 103
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 99
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
ip access-list extended ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
remark Ping
permit icmp any any
remark PXE / TFTP
permit udp any any eq tftp
remark traffic to ISE-PSNs
permit ip any host 10.1.0.13
permit ip any host 10.1.0.17
remark Drop all the rest
deny ip any any log
Thanks,
Jason
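A cross-check of the three outputs in the post above, as an added example that is not part of the original post: it lists hosts that IP device tracking sees on the port but that own no authentication session, and returns the configured and operational host mode side by side. The function names are made up for this example, and the embedded text is excerpted from the output quoted above.

```python
import re

# Excerpts of the switch output quoted in the post above (not a live capture).
IPDT = """\
10.1.3.8 d824.bd26.0ee3 103 GigabitEthernet0/3 ACTIVE
10.1.1.39 008c.fa3d.1c78 101 GigabitEthernet0/3 ACTIVE
"""
SESSIONS = """\
Interface: GigabitEthernet0/3
MAC Address: d824.bd26.0ee3
Status: Authz Success
Domain: VOICE
Oper host mode: multi-domain
"""
RUNNING = """\
interface GigabitEthernet0/3
 authentication host-mode multi-auth
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

def tracked_hosts(ipdt, interface):
    """Return {mac: (ip, vlan)} for ACTIVE device-tracking rows on interface."""
    row = re.compile(rf"^(\d+(?:\.\d+){{3}})\s+({MAC})\s+(\d+)\s+(\S+)\s+ACTIVE\s*$",
                     re.M | re.I)
    return {m[2].lower(): (m[1], int(m[3]))
            for m in row.finditer(ipdt) if m[4] == interface}

def session_macs(sessions):
    """Return the set of MACs that own an authentication session."""
    found = re.findall(rf"^\s*MAC Address:\s*({MAC})", sessions, re.M | re.I)
    return {mac.lower() for mac in found}

def hosts_without_session(ipdt, sessions, interface):
    """Tracked hosts that hold an IP but have no auth session on the port."""
    authed = session_macs(sessions)
    return {mac: info for mac, info in tracked_hosts(ipdt, interface).items()
            if mac not in authed}

def host_mode_pair(running, sessions):
    """Return (configured, operational) host mode; None where a line is absent."""
    cfg = re.search(r"^\s*authentication host-mode (\S+)", running, re.M)
    oper = re.search(r"^\s*Oper host mode:\s*(\S+)", sessions, re.M)
    return (cfg and cfg[1], oper and oper[1])

if __name__ == "__main__":
    port = "GigabitEthernet0/3"
    for mac, (ip, vlan) in hosts_without_session(IPDT, SESSIONS, port).items():
        print(f"{mac} {ip} vlan {vlan}: tracked, no auth session")
    print("host mode (configured, operational):", host_mode_pair(RUNNING, SESSIONS))
```

On the posted output this reports 008c.fa3d.1c78 (10.1.1.39, VLAN 101) as tracked without a session, and shows the port configured for multi-auth while the session reports multi-domain.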