Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6397
Views
5
Helpful
2
Replies

authentication event fail action next-method, does not fail over to next method.

Go to solution
Jim Araujo
Level 1
Level 1

‎07-12-2016 10:25 AM - edited ‎03-10-2019 11:55 PM

Hello, I am not sure why this is happening. We have a phone and windows PC on port fa0/11. Fa0/11 has dot1x enabled on it with the fail action to go to the next-method. The Windows PC fails MAB (first method) but the switch never moves on ot try dot1x (second method). Am I missing something?

Some debugs (this is the PC):

Jul 12 13:24:13.921 EDT: %AUTHMGR-5-START: Starting 'mab' for client (xxxx.yyyy.5572) on Interface Fa0/11 AuditSessionID 0A0A070B0000008F0E46E0DA
Jul 12 13:24:13.963 EDT: %MAB-5-FAIL: Authentication failed for client (xxxx.yyyy.5572) on Interface Fa0/11 AuditSessionID 0A0A070B0000008F0E46E0DA
Jul 12 13:24:13.963 EDT: %AUTHMGR-5-FAIL: Authorization failed for client (xxxx.yyyy.5572) on Interface Fa0/11 AuditSessionID 0A0A070B0000008F0E46E0DA
interface FastEthernet0/11
 switchport access vlan 221
 switchport mode access
 switchport voice vlan 121
 authentication event fail retry 1 action next-method
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize 
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer restart 0
 authentication timer reauthenticate server
 authentication violation protect
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 5
 dot1x timeout server-timeout 5
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 5
 spanning-tree portfast
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jim Araujo
Level 1
Level 1

‎07-12-2016 11:26 AM

Knew it was something simple.

I was  missing the  global config command dot1x system-auth-control

View solution in original post

2 Replies 2

Go to solution
Jim Araujo
Level 1
Level 1

‎07-12-2016 11:26 AM

Knew it was something simple.

I was  missing the  global config command dot1x system-auth-control

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to Jim Araujo

‎07-13-2016 09:54 AM

Good job on resolving your own issue and also thank you for taking the time to come back and update the thread (+5 from me). 

Also, when I run into issues I always take advantage of ISE's Evaluate Configuration Validator located under Operations > Troubleshoot > General Tools. It is not 100% accurate but it definitely helps you complete a quick sanity check on a NAD. 

I hope this helps!

Thank you for rating helpful posts!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents