04-11-2017 04:48 AM - edited 03-11-2019 12:37 AM
Hi all,
I am aware that 2960 LAN Lite switches are not compatible with ISE, but I am in a situation where I should make this work. I have a 3850 switch, and the users connected to that switch are able to authenticate via ISE successfully. If I am connecting a 2960LL switch to one of the access ports of the 3850 with multi-host configured, all the traffic from the 2960 will be hitting the 3850's access port and those users should be authenticating with ISE, right? In my case it's not working. Should I make any configuration changes to the 2960 switch? Any help would really be appreciated.
For your reference.
2960 LL ( Port 48 ) ----------- 3850 ( port 15 ) ----- cisco ISE
Port 48
switchport mode access
switchport access vlan 10
port 15
switchport access vlan 10
switchport mode access
authentication control-direction in
authentication host-mode multi-host
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
end
Thanks
04-12-2017 08:39 AM
This should work, but it depends on what type of authentication methods you are using. Switches by standard do not forward EAPoL frames, so these frames would get dropped by the 2960 and never reach the 3850 or the client. So you would need to use MAB for these hosts. Using multi-host will authenticate the first user and allow all the others. If you want to authenticate multiple users you should use multi-auth.
04-13-2017 02:52 AM
I tried using multi-auth in the configuration but the authentication is still unsuccessful. As you said, the switches are dropping the EAP packets (found the EAP timeout messages in the logs). What should I configure to make this work?
Note: I have also configured posturing in ISE.
04-21-2017 08:03 AM
Apologies for the late reply. I am not aware of a way to make an "intelligent" Cisco switch forward EAP frames. I don't think that it is possible, but there might be some interesting workaround.
I faced similar challenges with under-the-desk consumer-grade switches/hubs - some forward EAP frames and dot1x works, some do not, and I ended up temporarily using MAB in such cases, until I could get rid of these devices.
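Added example, not part of the thread: a small frame classifier showing why the replies above say EAPoL is dropped by the intermediate switch while ordinary traffic (which MAB keys on) still reaches the 3850. It relies on the IEEE 802.1X PAE group address 01:80:C2:00:00:03 falling inside the 802.1D reserved block that compliant bridges do not relay; the sample frames and the supplicant MAC are constructed.

```python
import struct

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # IEEE 802.1X PAE group address
RESERVED_PREFIX = bytes.fromhex("0180c20000")   # 01-80-C2-00-00-00 .. -0F block
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}


def bridge_filters(dst: bytes) -> bool:
    """True if a standards-compliant bridge must not relay this destination MAC."""
    return dst[:5] == RESERVED_PREFIX and dst[5] <= 0x0F


def classify(frame: bytes) -> dict:
    """Parse an untagged Ethernet II frame as seen by the intermediate switch."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {
        "src": src.hex(":"),
        "dst": dst.hex(":"),
        "eapol": None,
        # Only relayed frames ever reach the upstream authenticator port.
        "relayed": not bridge_filters(dst),
    }
    if ethertype == EAPOL_ETHERTYPE:
        if len(frame) < 18:
            raise ValueError("truncated EAPOL header")
        _version, ptype, _length = struct.unpack("!BBH", frame[14:18])
        info["eapol"] = EAPOL_TYPES.get(ptype, f"type {ptype}")
    return info


# Constructed sample frames (locally administered supplicant MAC).
SUPPLICANT = bytes.fromhex("020000000a01")
EAPOL_START = PAE_GROUP_MAC + SUPPLICANT + bytes.fromhex("888e01010000")
ARP_REQUEST = b"\xff" * 6 + SUPPLICANT + bytes.fromhex("0806") + bytes(28)

if __name__ == "__main__":
    for name, frame in (("EAPOL-Start", EAPOL_START), ("ARP request", ARP_REQUEST)):
        print(name, classify(frame))
```

The EAPOL-Start frame is filtered at the first bridge, so the upstream port never sees a supplicant; the ARP frame is relayed, and its source MAC is what MAB would submit to the RADIUS server.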