second device auth problem

My problem is this: when the first device authenticates successfully (dot1x, VLAN 2) and I then swap in a second device on the same port, it should normally authenticate via MAB and be assigned to VLAN 8, but I find that it follows the previous device's VLAN policy and cannot get an IP address.

Below is some information about my problem.

Auth information:

ISETEST#sh auth session int g1/0/7
Interface: GigabitEthernet1/0/7
MAC Address: 0023.5ad5.6b39
IP Address: 192.168.3.59
User-Name: NITEC\Bill
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 2
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-57f6b0d3
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC106401000000210AE40298
Acct Session ID: 0x0000003A
Handle: 0x0A000022

Runnable methods list:
Method State
dot1x Authc Success
mab Not run

----------------------------------------
Interface: GigabitEthernet1/0/7
MAC Address: 3c52.82ce.059b
IP Address: Unknown
User-Name: 3C-52-82-CE-05-9B
Status: Authz Failed
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Vlan Policy: 2
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC106401000000220AE4EA32
Acct Session ID: 0x0000003B
Handle: 0x18000023

Runnable methods list:
Method State
dot1x Failed over
mab Authc Success

----------------------------------------
Interface: GigabitEthernet1/0/7
MAC Address: 000d.6554.8072
IP Address: 192.168.8.18
User-Name: 00-0D-65-54-80-72
Status: Authz Success
Domain: VOICE
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 7
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-57f6b0d3
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC106401000000200AE19C51
Acct Session ID: 0x00000039
Handle: 0x94000021

Runnable methods list:
Method State
dot1x Failed over
mab Authc Success

And this is the port configuration:

interface GigabitEthernet1/0/7
switchport access vlan 2
switchport trunk native vlan 2
switchport mode access
switchport voice vlan 7
ip device tracking maximum 2
authentication event fail action next-method
authentication event server dead action authorize vlan 2
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping trust
end

Finally, is there any way to clear the last authentication session record when a new device connects?

Thanks for your help.

2 Replies

I don't think this is the case. Even if the old session isn't created, dot1x creates a new authentication session per MAC address. From your output I see that authorization is failing for the MAC 3c52.82ce.059b, which is the reason for not getting a MAC address.

Also, make sure that you are using 'authentication host-mode multi-auth' mode.
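As an added example (not from the original post or either reply), the script below parses the `show authentication sessions interface` output quoted above and flags the condition the reply points at: a session whose MAB method reached "Authc Success" while the session Status is "Authz Failed". `SAMPLE` is a constructed copy of the output in the post, trimmed to the fields the checks use; the `clear authentication sessions mac ...` string it builds is the classic IOS syntax for removing one session by MAC and should be confirmed against your platform's command reference before use.

```python
"""Parse Cisco IOS `show authentication sessions interface <if>` output and
flag sessions that authenticated but failed authorization. Added example."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the output quoted in the post above.
SAMPLE = """\
Interface: GigabitEthernet1/0/7
MAC Address: 0023.5ad5.6b39
IP Address: 192.168.3.59
Status: Authz Success
Domain: DATA
Vlan Policy: 2

Runnable methods list:
Method State
dot1x Authc Success
mab Not run

----------------------------------------
Interface: GigabitEthernet1/0/7
MAC Address: 3c52.82ce.059b
IP Address: Unknown
Status: Authz Failed
Domain: DATA
Vlan Policy: 2

Runnable methods list:
Method State
dot1x Failed over
mab Authc Success

----------------------------------------
Interface: GigabitEthernet1/0/7
MAC Address: 000d.6554.8072
IP Address: 192.168.8.18
Status: Authz Success
Domain: VOICE
Vlan Policy: 7

Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
"""

METHOD_RE = re.compile(r"^(dot1x|mab|webauth)\s+(.+)$")
SEPARATOR_RE = re.compile(r"^-{5,}\s*$", re.M)


@dataclass
class Session:
    fields: dict   # "Status", "Vlan Policy", ... exactly as the switch prints them
    methods: dict  # method name -> state from the "Runnable methods list"

    def succeeded_method(self):
        """Name of the method that reached 'Authc Success', or None."""
        return next((m for m, st in self.methods.items() if st == "Authc Success"), None)


def parse_sessions(text):
    """Split the output on the dashed separator and read each per-MAC block."""
    sessions = []
    for block in SEPARATOR_RE.split(text):
        fields, methods, in_methods = {}, {}, False
        for line in block.splitlines():
            line = line.strip()
            if not line:
                continue
            if line.startswith("Runnable methods list"):
                in_methods = True
                continue
            if in_methods:
                m = METHOD_RE.match(line)
                if m:
                    methods[m.group(1)] = m.group(2).strip()
                continue
            if ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if fields.get("MAC Address"):
            sessions.append(Session(fields, methods))
    return sessions


def authc_ok_authz_failed(sessions):
    """Sessions where a method authenticated but Status is 'Authz Failed': the
    switch accepted the credential (MAB here) but could not apply the
    authorization result, so the host ends up with no usable access."""
    return [s for s in sessions
            if s.fields.get("Status") == "Authz Failed" and s.succeeded_method()]


def clear_command(session):
    """Classic IOS command to remove one session by MAC (assumed syntax; check
    your platform's command reference)."""
    return f"clear authentication sessions mac {session.fields['MAC Address']}"


if __name__ == "__main__":
    for s in authc_ok_authz_failed(parse_sessions(SAMPLE)):
        print(f"{s.fields['MAC Address']}: {s.succeeded_method()} authenticated, "
              f"status {s.fields['Status']}, VLAN policy {s.fields.get('Vlan Policy')}")
        print("   ", clear_command(s))
```

Run against the pasted output, the script reports only 3c52.82ce.059b, the session the reply identifies, and prints the clear command for it; the other two sessions are Authz Success and are left alone. Because the port is in multi-auth mode, each MAC already has its own session, so clearing the first device's session is not what makes the second one authorize.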