04-06-2022 10:11 AM
Hello Dear,
I have an issue with Cisco ISE 2.7, Windows 10 20H and Cisco 3850.
I need concurrent dot1x and MAB authentication for AVAYA and Windows 10.
MAB works correctly and dot1x does not.
All Windows 10 machines fall into MAB, and in the live log I cannot see dot1x authentication, only MAB.
On some switches, we have to restart the IP phone, and sometimes dot1x works.
Here is my config:
policy-map type control subscriber DOT1X-DEFAULT
 event session-started match-all
  10 class always do-all
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event violation match-all
  10 class always do-all
   10 restrict
 event agent-found match-all
  10 class always do-all
   10 authenticate using dot1x
 event authentication-failure match-all
  10 class AAA-DOWN do-all
   10 authorize
   20 activate service-template CRITICAL
   30 terminate mab
   40 terminate dot1x
  20 class DOT1X-FAILED do-all
   10 authenticate using mab
aaa authentication login default group tacacs+ local line enable
aaa authentication enable default group tacacs+ line enable
aaa authentication dot1x default group ISE-GROUP
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa authorization network default group ISE-GROUP
aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group ISE-GROUP
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
04-07-2022 01:20 PM
This is a duplicate of the same question asked here. Let's continue the discussion there.
04-06-2022 08:38 PM
04-06-2022 10:43 PM
Hello @Marcelo Morais,
We are using Cisco Meraki for wireless and it is working fine.
It is just for wired that we have issues.
Here it is:
interface GigabitEthernet1/0/31
 description Users-Second-Port(14.X)
 switchport access vlan 14
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 104
 authentication periodic
 authentication timer reauthenticate server
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 service-policy type control subscriber DOT1X-DEFAULT
04-07-2022 01:59 PM
Hi @kbadjoko,
Please take a look at Configuring Identity Control Policies and search for "Example: Configuring Control Policy for Sequential Authentication Methods".
"The following example shows a control policy that is configured to allow sequential authentication methods using 802.1X (dot1x), MAB, and web authentication."
Hope this helps!!!
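Added example, not part of the thread and not Cisco's code: a small Python check that reads a control policy such as the one posted in the question and reports which methods are started at session-started and which are only started from authentication-failure. The "concurrent" versus "sequential" labels are this example's own heuristic, and the embedded policy is an excerpt of the posted one (the violation and agent-found events are left out).

```python
import re

# Excerpt of the policy posted in the question (two events only).
POSTED_POLICY = """\
policy-map type control subscriber DOT1X-DEFAULT
 event session-started match-all
  10 class always do-all
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event authentication-failure match-all
  10 class AAA-DOWN do-all
   10 authorize
   20 activate service-template CRITICAL
   30 terminate mab
   40 terminate dot1x
  20 class DOT1X-FAILED do-all
   10 authenticate using mab
"""

EVENT_RE = re.compile(r"^event\s+(\S+)")
AUTH_RE = re.compile(r"^\d+\s+authenticate using\s+(\S+)")

def methods_by_event(policy_text):
    """Map each event name to the auth methods its actions start, in order."""
    events, current = {}, None
    for raw in policy_text.splitlines():
        line = raw.strip()
        m = EVENT_RE.match(line)
        if m:
            current = m.group(1)
            events[current] = []
            continue
        m = AUTH_RE.match(line)
        if m and current is not None:
            events[current].append(m.group(1))
    return events

def classify(policy_text):
    """Heuristic (assumption of this example): two or more methods started
    at session-started means they run concurrently; one method there plus a
    different one under authentication-failure means sequential fallback."""
    ev = methods_by_event(policy_text)
    started = ev.get("session-started", [])
    fallback = [m for m in ev.get("authentication-failure", []) if m not in started]
    if len(started) > 1:
        return "concurrent", started, fallback
    if len(started) == 1 and fallback:
        return "sequential", started, fallback
    return "single-method", started, fallback
```

Calling `classify(POSTED_POLICY)` labels the posted policy as concurrent, with both dot1x and mab started when the session begins.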