Configure 802.1x Base MAC for IP Phones or MAB - with NPS Server (Radius)

Gregorio310
Level 1

Hello everybody!

I'm trying to configure my environment with 802.1x for wired machines with certificates, and I got success, but when I try to authenticate IP phones based on MAC it is not working.

I check the configurations and create a new policy to authenticate IP Phones but is now working.

Could anyone help me?

 switchport access vlan 507
 switchport mode access
 switchport voice vlan 607
 no logging event link-status
 authentication host-mode multi-host
 authentication port-control auto
 no snmp trap link-status
 spanning-tree portfast

If I use

 switchport access vlan 507
 switchport mode access
 switchport voice vlan 607
 no logging event link-status
 mab
 no snmp trap link-status
 spanning-tree portfast

The status continues to be not authorized.

I created a user on my AD but it doesn't have a password. How could I resolve this config?

My NPS is a Windows Server 2008 R2.

3 Replies

nspasov
Cisco Employee

Hi there, can you please add the following commands and then try again:

 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication control-direction both
 authentication violation restrict

If it still fails, please provide the output from the following command:

show authentication session interface interface_name_number

Thank you for rating helpful posts!

Hello, it didn't work.

The output follows.

Current configuration : 505 bytes
!
interface GigabitEthernet2/0/1
 description Carlos - Black
 switchport access vlan 507
 switchport mode access
 switchport voice vlan 607
 no logging event link-status
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication violation restrict
 no snmp trap link-status
 mls qos trust dscp
 auto qos trust
 spanning-tree portfast
end

BRMORXS070#sh authe session int GigabitEthernet2/0/1
No sessions match supplied criteria.

Runnable methods list:
  Handle  Priority  Name
    9        5      dot1x
    16       10     mab
    14       15     webauth

Sorry for the delayed reply (busy week). Can you please:

1. Enable "authentication port-control auto"

2. Enable "debug aaa authentication"

3. Enable "debug radius"

4. Wait till the authentication fails and then issue the "show authentication session" command and post the output here.

5. Post the output from the debug sessions

Thank you for rating helpful posts!
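
Added example, not part of the thread and not Cisco tooling: a small Python lint that checks an IOS interface stanza for the commands a MAB session depends on, run over the three port configurations posted above (abridged to the relevant lines). The rule set and finding names are assumptions of this example, and it covers only the switch port, not the NPS policy.

```python
# Finding codes and their meaning (names are this example's own, not IOS output).
FINDINGS = {
    "no-port-control": "'authentication port-control auto' missing: port access control is off, so no 802.1X or MAB session is started",
    "no-mab": "'mab' missing: MAC Authentication Bypass is not enabled on the interface",
    "mab-not-in-order": "'authentication order' is set but does not list mab",
    "multi-host-voice": "host-mode multi-host with a voice VLAN: the first authorized device opens the port for every other MAC",
}

def check_mab_port(stanza):
    """Return the finding codes that apply to one interface stanza."""
    cmds = [" ".join(l.split()) for l in stanza.splitlines() if l.strip()]
    codes = []
    if "authentication port-control auto" not in cmds:
        codes.append("no-port-control")
    if not any(c == "mab" or c.startswith("mab ") for c in cmds):
        codes.append("no-mab")
    order = [c.split()[2:] for c in cmds if c.startswith("authentication order ")]
    if order and "mab" not in order[-1]:
        codes.append("mab-not-in-order")
    mode = [c.split()[-1] for c in cmds if c.startswith("authentication host-mode ")]
    voice = any(c.startswith("switchport voice vlan ") for c in cmds)
    if voice and mode and mode[-1] == "multi-host":
        codes.append("multi-host-voice")
    return codes

# The three port configurations posted in the thread, abridged to the relevant lines.
POSTED = {
    "first attempt": """
 switchport voice vlan 607
 authentication host-mode multi-host
 authentication port-control auto
""",
    "second attempt": """
 switchport voice vlan 607
 mab
""",
    "after first reply": """
 switchport voice vlan 607
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
""",
}

if __name__ == "__main__":
    for name, stanza in POSTED.items():
        for code in check_mab_port(stanza):
            print(f"{name}: {FINDINGS[code]}")
```

None of the three posted stanzas carries both `authentication port-control auto` and `mab`, which is consistent with the "No sessions match supplied criteria" output above.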