estadlercisco
Beginner

Wired Device not authenticating

This is a device that I am just trying to MAB into an endpoint group. As soon as I put the MAB/dot1x port configuration on the interface I can't reach the device, and show auth sess doesn't have a session for the interface. If I debug RADIUS authentication I get no output for that device either. As soon as I default the interface and put it into the data VLAN the device is reachable.

I've tried adding authentication open and removing dot1x pae authenticator to the port.

Is there something else I could do to get the device to authenticate?

Here's the standard port configuration I'm using.

interface GigabitEthernet2/0/8
 switchport access vlan 1049
 switchport mode access
 switchport voice vlan 2049
 authentication event fail action next-method
 authentication event server dead action authorize vlan 1049
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 1049
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server dynamic
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 3
 dot1x max-reauth-req 3
 spanning-tree portfast
 spanning-tree bpduguard enable

3 REPLIES 3
thomas
Cisco Employee

Please follow our best practice configuration guidance and troubleshooting steps in the ISE Wired Access Deployment Guide.

You have not included the ISE LiveLog status/details to know how ISE is authorizing the endpoint.

paul
Advocate

I don't think this is your problem, but you cannot use this command when doing multiauth:

authentication event server dead action authorize vlan 1049

So your fail open will not work. In multiauth, you should be using:

authentication event server dead action reinitialize vlan 1049

That may have changed but I don't think so. If you are in open mode then those commands aren't needed.

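The two points in paul's reply above, written as a small config check. This is an added example, not part of any post in this thread and not Cisco tooling; it encodes the rule as paul states it (which he notes may have changed), and the function names plus the Gi2/0/9 and Gi2/0/10 stanzas are constructed for illustration.

```python
import re

DEAD_VLAN = re.compile(r"^authentication event server dead action (authorize|reinitialize) vlan (\d+)$")

# Gi2/0/8 is abbreviated from the original post; Gi2/0/9 and Gi2/0/10 are constructed.
SAMPLE = """\
interface GigabitEthernet2/0/8
authentication event server dead action authorize vlan 1049
authentication event server dead action authorize voice
authentication host-mode multi-auth
interface GigabitEthernet2/0/9
 authentication event server dead action reinitialize vlan 1049
 authentication host-mode multi-auth
interface GigabitEthernet2/0/10
 authentication event server dead action authorize vlan 1049
 authentication host-mode multi-auth
 authentication open
"""

def parse_interfaces(config):
    """Group commands per interface; tolerates flat (unindented) pastes."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if line.startswith("interface "):
            current = ports.setdefault(line.split(" ", 1)[1], [])
        elif line and line != "!" and current is not None:
            current.append(line)
    return ports

def check_port(cmds):
    """Apply the two rules from the reply; only 'server dead ... vlan N' lines are examined."""
    findings = []
    multi_auth = "authentication host-mode multi-auth" in cmds
    open_mode = "authentication open" in cmds
    for cmd in cmds:
        m = DEAD_VLAN.match(cmd)
        if m and open_mode:
            findings.append(f"open mode: '{cmd}' is not needed")
        elif m and multi_auth and m.group(1) == "authorize":
            findings.append(f"multi-auth: use '{cmd.replace(' authorize ', ' reinitialize ')}'")
    return findings

def audit(config):
    """Return {interface: findings} for ports with at least one finding."""
    return {n: f for n, c in parse_interfaces(config).items() if (f := check_port(c))}

if __name__ == "__main__":
    print(audit(SAMPLE))
```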

hslai
Cisco Employee

If the switch is one of the classic 3K models and running an older IOS release (e.g. 12.2(55)SE10), then you may try this ISE tool "Evaluate Configuration Validator"
