Still no network connection after successful MAC-based authentication?

jkholding
Level 1

Hello,

 

We use MAC-based authentication on all workgroup switches. Everything works fine here.

Now we got a new core switch and we enabled MAC-based authentication there too.

 

Here, only our table phones are not connected to the network. I can see in the logs of the RADIUS server that the authentication is successful.

The MAC address and IP address are found in the ARP table.

show auth brief shows that the port, on which the phone is connected, looks good (AuthC=m:OK, AuthZ=AZ: SA-)

If I re-configure the port without MAC-based authentication, the phone works fine.

 

This is how the port is configured:

 

switchport access vlan 11
switchport mode access
switchport nonegotiate
switchport voice vlan 15
authentication host-mode multi-host
authentication order mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 7200
authentication timer restart 300
mab
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast

 

What could I do next to narrow down the source of the problem?

4 Replies

Mike.Cifelli
VIP Alumni
What does your authorization profile result look like? (AuthZ=AZ: SA-)

@Mike.Cifelli wrote:
What does your authorization profile result look like? (AuthZ=AZ: SA-)

That's what I already wrote:


AuthC=m:OK, AuthZ=AZ: SA-

 

 

I meant can you share how those are configured in ISE? Can you share your detailed logs as well?

First, it's not ISE, it's a free RADIUS server running on Linux.

There's a default radiusd.conf in /etc/raddb and a clients.conf enabling the network range of the switches to access the RADIUS server.

All authentication attempts are logged to /var/log/radius/.

The successful attempts are shown as the following:

(28978) Tue Apr 2 08:00:03 2019 : Auth: Login OK: [aabbccddeeff] (from client 192.168.4.0/24 port 50104 cli AA-BB-CC-DD-EE-FF)

 

Authentication on the switch shows as:

Gi4/0/41 aabb.ccdd.eeff m:OK AZ: SA- X 693s

 

Everything seems to work fine except for the fact that the device is not reachable.

 

I need a clue to narrow down the issue.
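
An added example, not part of the thread and not any poster's code: the RADIUS log line and the switch session line quoted above write the same MAC in three notations, so this sketch normalizes them and reports, per switch session, what the RADIUS log last recorded for that endpoint. The function names and the second and third sample lines are constructed for illustration.

```python
import re

# Constructed sample input in the two line formats quoted in the thread.
RADIUS_LOG = """\
(28978) Tue Apr 2 08:00:03 2019 : Auth: Login OK: [aabbccddeeff] (from client 192.168.4.0/24 port 50104 cli AA-BB-CC-DD-EE-FF)
(28979) Tue Apr 2 08:00:09 2019 : Auth: Login incorrect: [001122334455] (from client 192.168.4.0/24 port 50105 cli 00-11-22-33-44-55)
"""
SWITCH_SESSIONS = """\
Gi4/0/41 aabb.ccdd.eeff m:OK AZ: SA- X 693s
Gi4/0/42 0011.2233.4455 m:OK AZ: SA- X 120s
Gi4/0/43 0a0b.0c0d.0e0f m:OK AZ: SA- X 45s
"""

RADIUS_RE = re.compile(
    r"Auth: Login (OK|incorrect)[^\[]*\[([^\]]*)\] "
    r"\(from client (\S+) port (\d+) cli ([^\s)]+)\)"
)
SESSION_RE = re.compile(
    r"^(\S+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\S+)\s+AZ:\s*(\S+)", re.I
)

def norm_mac(text):
    """Reduce dotted, dashed or colon MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", text.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def radius_results(log):
    """Map normalized Calling-Station-Id ('cli') to the last logged result."""
    results = {}
    for line in log.splitlines():
        m = RADIUS_RE.search(line)
        if m and (mac := norm_mac(m.group(5))):
            results[mac] = m.group(1)
    return results

def correlate(sessions, log):
    """Return (port, mac, authc, authz, radius_result) for each session line."""
    radius = radius_results(log)
    rows = []
    for line in sessions.splitlines():
        m = SESSION_RE.match(line.strip())
        if not m:
            continue
        port, mac, authc, authz = m.groups()
        mac = norm_mac(mac)
        rows.append((port, mac, authc, authz, radius.get(mac, "no record")))
    return rows

if __name__ == "__main__":
    for row in correlate(SWITCH_SESSIONS, RADIUS_LOG):
        print(*row)
```

A session that shows m:OK on the switch while the RADIUS log says "incorrect" or has no record for that MAC is the mismatch to look into first.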