04-10-2017 02:34 PM - edited 03-11-2019 12:37 AM
Hi,
I configured a Windows 2012 NPS RADIUS server and a Cisco 2960-24PC-L,
and I want to use 802.1x multi-auth multiple MAC authentication.
I am using a Grandstream IP telephone, and behind an unmanaged switch there are a lot of printers, notebooks and PCs.
I configured the switch for testing on port f0/19, but I can see only the IP phone authenticating; the other machines do not authenticate.
VLAN 1 for PCs, printers and notebooks
VLAN 2 for IP phones
VLAN 99 for unauthenticated devices.
You can see the attached config and log file. If you want the Windows 2012 NPS server, I can send it.
How can I resolve this problem?
interface FastEthernet0/19
 description BARIS
 switchport mode access
 switchport voice vlan 2
 authentication control-direction in
 authentication event no-response action authorize vlan 99
 authentication host-mode multi-auth
 authentication open
 authentication order mab
 authentication priority mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout quiet-period 1
 dot1x timeout tx-period 5
 dot1x max-req 3
 spanning-tree portfast
 spanning-tree bpduguard enable
end
Ali
04-10-2017 10:48 PM
We would normally expect to see your authentication order and priority commands include dot1x. Is there a reason why you left them off? At least one client appears to have 802.1x set up, as we see the dot1x authentication request in your debug output.
Also, I see the endpoint sending machine credentials:
*Jul 9 07:18:28.568: RADIUS: User-Name [1] 22 "host/DESKTOP-T4BKUJQ"
...but not user credentials. That is a setting in the supplicant.
04-11-2017 05:24 AM
Hi Marvin,
Thanks for the response. My customer wants MAB.
I think the problem is resolved. I removed the MAC user from NPS 2012 and recreated it, and authentication succeeded. You can see the sh authentication sessions output.
But when I run the sh dot1x int f0/19 details command, I cannot see the authentication.
Maybe MAB?
Customer_A_SW#sh authentication sessions
Interface  MAC Address     Method  Domain  Status         Session ID
Fa0/19     000b.8288.470a  mab     DATA    Authz Success  0AFC01FD00004DE7A3A1AE92
Fa0/19     089e.0184.c79c  mab     DATA    Authz Success  0AFC01FD00004DE6A3A1AB29
Fa0/19     180c.acdd.4fe1  mab     DATA    Authz Success  0AFC01FD00004DE9A3A3E529
Fa0/19     ecf4.bb46.31f4  mab     DATA    Authz Success  0AFC01FD00004DE8A3A1BFF8
Customer_A_SW#
Customer_A_SW#sh dot1x int f0/19 details
Dot1x Info for FastEthernet0/19
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = MULTI_AUTH
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 1
MaxReq = 3
TxPeriod = 1
Dot1x Authenticator Client List Empty
Port Status = UNAUTHORIZED
Customer_A_SW#