01-18-2017 03:03 AM - edited 03-11-2019 12:22 AM
Hello
I'm testing wired 802.1x with a WS-C3650-48PD 03.06.05E and ISE 2.1. Switch config uses "new" ibns 2.0. 802.1x is working fine and I'm testing it under different scenarios.
The scenario where I am having an issue is when
The only way to get 802.1x working after the reload is to bounce the port.
Port dot1x info is:
PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
Has anyone come across this issue?
Thanks
Andy
01-18-2017 08:10 AM
I think I may have resolved this. I was missing the following aaa command from the switch configuration:
aaa accounting system default start-stop group <ISE-RADIUS-GROUP-NAME>
From Cisco documentation, this command generates a logoff for 802.1x authenticated clients when a switch reloads.
With this command in place
Cheers
Andy
01-18-2017 11:05 AM
You are absolutely correct. The "accounting" commands are a must when deploying dot1x:
802.1x Accounting
The 802.1x standard defines how users are authorized and authenticated for network access but does not keep track of network usage. 802.1x accounting is disabled by default. You can enable 802.1x accounting to monitor this activity on 802.1x-enabled ports:
* User successfully authenticates.
* User logs off.
* Link-down occurs.
* Re-authentication successfully occurs.
* Re-authentication fails.
Good job on solving your own issue! Also, thank you for taking the time to come back and update the thread with a solution!
Now if your issue is resolved, you should mark the thread as "answered" :)
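As an added illustration of the point made in the two posts above (the identity accounting line alone is not enough; "aaa accounting system" is what makes the RADIUS server drop sessions on reload), here is a small audit script that is not part of this thread or of any Cisco tool. It checks an IOS-XE running-config excerpt for both accounting methods, flags the legacy "dot1x" keyword that IBNS 2.0 rewrites to "identity", and verifies that each accounting line references a defined server group; the config text and the group name ISE-GROUP are constructed samples.

```python
import re
from dataclasses import dataclass, field

# Constructed running-config excerpt (not the poster's real config): it has the
# identity accounting line from the thread but is missing "aaa accounting system".
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius ISE-GROUP
 server name ise-psn-1
aaa authentication dot1x default group ISE-GROUP
aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group ISE-GROUP
"""

# Accounting methods a wired 802.1X deployment needs and why each matters.
REQUIRED = {
    "identity": "per-session start/stop records for 802.1X/MAB clients",
    "system": "a system accounting record on reload, so the RADIUS server "
              "drops sessions that no longer exist on the switch",
}

ACCT_RE = re.compile(r"^aaa accounting (identity|dot1x|system) default start-stop group (\S+)")
GROUP_RE = re.compile(r"^aaa group server radius (\S+)")

@dataclass
class AccountingAudit:
    groups: set = field(default_factory=set)     # defined "aaa group server radius" names
    methods: dict = field(default_factory=dict)  # accounting kind -> server group it uses
    findings: list = field(default_factory=list)

def audit_aaa_accounting(config: str) -> AccountingAudit:
    """Report missing or inconsistent aaa accounting lines in an IOS-XE running-config."""
    audit = AccountingAudit()
    for line in config.splitlines():
        g = GROUP_RE.match(line)
        if g:
            audit.groups.add(g.group(1))
            continue
        a = ACCT_RE.match(line)
        if not a:
            continue
        kind, group = a.groups()
        if kind == "dot1x":
            # Legacy keyword; IBNS 2.0 "new style" rewrites it to "identity".
            audit.findings.append("legacy 'aaa accounting dot1x' in use; IBNS 2.0 converts it to 'identity'")
            kind = "identity"
        audit.methods[kind] = group
    for kind, why in REQUIRED.items():
        if kind not in audit.methods:
            audit.findings.append(f"missing 'aaa accounting {kind} default start-stop group <GROUP>': needed for {why}")
    for kind, group in audit.methods.items():
        if group not in audit.groups:
            audit.findings.append(f"'aaa accounting {kind}' references undefined server group {group}")
    return audit
```

Run it against the output of "show running-config | include ^aaa" to confirm the system accounting line is present before relying on reload to clear ISE sessions.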
01-18-2017 11:30 AM
Thanks Neno
prior to enabling the command:
aaa accounting system default start-stop group <ISE-RADIUS-GROUP-NAME>
I already had the following aaa accounting commands:
aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group <ISE-RADIUS-GROUP-NAME>
These worked fine for client accounting but I ran into the issue in the original post when the switch reloaded. Thanks for the reply - I'll mark the thread as resolved.
Cheers
Andy
01-18-2017 03:15 PM
Good deal! I am guessing you also have "aaa accounting dot1x...." ?
01-19-2017 06:19 AM
Yes, I did have "aaa accounting dot1x.." but it got converted to "aaa accounting identity.." when I moved to the ibns 2.0 "new style".
Cheers
Andy