Wired Device not authenticating

estadlercisco
Level 1

This is a device that I am just trying to MAB into an endpoint group. As soon as I put the MAB/dot1x port configuration on the interface I can't reach the device, and show auth sess doesn't have a session for the interface. If I debug RADIUS authentication I get no output for that device either. As soon as I default the interface and put it into the data VLAN the device is reachable.

I've tried adding authentication open and removing dot1x pae authenticator to the port.

Is there something else I could do to get the device to authenticate?

Here's the standard port configuration I'm using.

interface GigabitEthernet2/0/8
 switchport access vlan 1049
 switchport mode access
 switchport voice vlan 2049
 authentication event fail action next-method
 authentication event server dead action authorize vlan 1049
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 1049
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server dynamic
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 3
 dot1x max-reauth-req 3
 spanning-tree portfast
 spanning-tree bpduguard enable

3 Replies

thomas
Cisco Employee

Please follow our best practice configuration guidance and troubleshooting steps in the ISE Wired Access Deployment Guide.

 

You have not included the ISE LiveLog status/details to know how ISE is authorizing the endpoint.

 

paul
Level 10

I don't think this is your problem, but you cannot use this command when doing multiauth:

 

authentication event server dead action authorize vlan 1049

 

So your fail open will not work.  In multiauth, you should be using:

 

authentication event server dead action reinitialize vlan 1049

 

That may have changed but I don't think so.  If you are in open mode then those commands aren't needed.
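
Added example, not part of any reply in this thread and not Cisco tooling: a small Python check that scans IOS interface stanzas for the combination flagged in the reply above (multi-auth host mode together with "server dead action authorize vlan") and proposes the "reinitialize vlan" form. The function names and the second sample port are hypothetical; the rule itself is taken from the reply as stated.

```python
import re

# Constructed sample: lines from the port in the original post, plus a
# second, hypothetical port that already uses the "reinitialize vlan" form.
SAMPLE_CONFIG = """\
interface GigabitEthernet2/0/8
 switchport access vlan 1049
 authentication event server dead action authorize vlan 1049
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication port-control auto
 mab
interface GigabitEthernet2/0/9
 authentication event server dead action reinitialize vlan 1049
 authentication host-mode multi-auth
 mab
"""

DEAD_AUTHORIZE = re.compile(
    r"^authentication event server dead action authorize vlan (\d+)$")

def parse_interfaces(config):
    """Split IOS config text into {interface name: [sub-commands]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.lower().startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
    return interfaces

def audit_dead_server_action(config):
    """Return (interface, offending line, suggested line) for multi-auth ports."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "authentication host-mode multi-auth" not in cmds:
            continue  # the rule in the reply applies to multi-auth only
        for cmd in cmds:
            m = DEAD_AUTHORIZE.match(cmd)
            if m:
                fix = ("authentication event server dead action "
                       f"reinitialize vlan {m.group(1)}")
                findings.append((name, cmd, fix))
    return findings

if __name__ == "__main__":
    for name, bad, fix in audit_dead_server_action(SAMPLE_CONFIG):
        print(f"{name}: replace '{bad}' with '{fix}'")
```

The parser works on both indented running-config output and the flat form pasted in the original post, since it only keys on lines starting with "interface".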

 

 

 

 

 

hslai
Cisco Employee

If the switch is one of the classic 3K models and running an older IOS release (e.g. 12.2(55)SE10), then you may try this ISE tool "Evaluate Configuration Validator".
