09-17-2018 05:58 AM
Hi,
I am currently testing a simple MAB authentication on a Cisco 2960 with firmware 15.0(2)SE11. The authentication on test port 2 works fine and the client can connect and ping its gateway.
But after an indefinite period (sometimes 10 minutes, sometimes 18 minutes or ~30 minutes) the ping from the Win 10 client to the gateway stops. When the ping has stopped, the switch port is still up, the client still has its IP address, the "show authentication session" command shows Authorized and everything seems to be fine. When the ping stops, the CLI of the switch shows no output (reauthentication or something) and the ISE shows nothing (logical, because the switch performs no authentication).
My switch config:
Building configuration...

Current configuration : 4474 bytes
!
! Last configuration change at 23:31:09 UTC Thu Mar 4 1993 by xxxxxxx
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxx
!
username xxxxxxx secret 5 xxxxxxx
username xxxxxxx secret 5 xxxxxxx
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+ local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
!
!
!
!
!
aaa session-id common
system mtu routing 1500
access-session template monitor
!
!
ip domain-name test.com
!
!
crypto pki trustpoint TP-self-signed-1899961600
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1899961600
 revocation-check none
 rsakeypair TP-self-signed-1899961600
!
!
crypto pki certificate chain TP-self-signed-1899961600
 certificate self-signed 01
  xxxxxxx
dot1x system-auth-control
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
 description dot1x+mab
 switchport mode access
 authentication order mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.126.163 255.255.255.0
!
ip default-gateway 192.168.126.254
ip http server
ip http secure-server
tacacs-server host 192.168.126.162 key xxxxxxx
tacacs-server timeout 1
tacacs-server directed-request
radius-server dead-criteria time 1 tries 1
radius-server host 192.168.126.162 auth-port 1812 acct-port 1813 key xxxxxxx
radius-server deadtime 1
!
!
!
vstack
!
line con 0
line vty 0 4
 transport preferred ssh
 transport input ssh
line vty 5 15
 transport preferred ssh
 transport input ssh
!
end