RADIUS MAC authentication host-mode multi-auth with dynamic ACL (2960s)

WesKerT · ‎11-25-2018

Hello All,

May I ask when a port configured to host-mode multi-auth as there is another switch plugged into that port and have number of end devices.

Does the dACL be valid in this situation to each end client?

Port configuration like this for reference:

!

interface gi1/0/1

authentication host-mode multi-auth

authentication port-control auto

authentication event server dead action authorize
authentication order mab
authentication priority mab

mab

!

As I tried some testing when using default single-host mode, dACL works well.

But when configure as multi-auth mode, I can see the authentication sessions are success and different ACL are apply to each of client.

But the end client unable to go outside to any network.

Here is the partial result of show command:

Show authentication session int gi1/0/1

Interface :Gi1/0/1

MAC address: aaaa.aaaa.aaaa

Status: Authz Success

Domain:DATA

Per-User ACL: deny ip any 192.168.51.0 0.0.0.255

Per-User ACL: permit ip any any

Interface :Gi1/0/1

MAC address: bbbb.bbbb.bbbb

Status: Authz Success

Domain:DATA

Per-User ACL: deny ip any 192.168.52.0 0.0.0.255

Per-User ACL: permit ip any any

Is there any configuration I missed?

Thank you in advanced.

hslai · ‎12-22-2018

In case of LAN Lite, it supports very limited features for ISE and TrustSec. Older IOS trains might have issues, such as CSCtz92782 and CSCtz92782. Also, check whether IP device tracking are working for all the endpoints from the other switch.

NB: End-of-Sale and End-of-Life Announcement for the Cisco Catalyst 2960-S Series and 2960-SF Series Switches shows the platform has reached the end-of-sale and the end of SW maintenance; the last date of support is Nov-30, 2020.