
CRITICAL ISE COMMAND PREVENTING DT IMAGING SOFTWARE FROM RUNNING

jcarrabine1
Level 1

We use an imaging solution called FOG. It is an open source software. Since I placed my switchports in dot1x, FOG won't TFTP on boot anymore. I've tried everything I can think of. I have noticed that as soon as I remove the command MAB from my port configuration, the TFTP takes off. This only happens on our 3750E switches. I have tried 12.2se55 and 15.0.2se4. Same thing on both sets of code.

Anyone?

3 Replies

Leroy Plock
Level 1

Is the problem with FOG only? Can you run successful pings while FOG is in fail state?

Is it possible a DACL is being applied to the interface when MAB authentication happens?

Run a show ip access-list int

It appears to be. If I remove the command MAB while the TFTP is trying to communicate, it takes right off. I have put a port-level ACL that permits all traffic and it does not work, and I don't think dACLs are applied that early in the boot process. Running a show auth sess int shows no applied ACLs.

You can play with

dot1x timeout tx-period x

dot1x max-reauth-req x

spanning-tree portfast

commands.

You can rely on

  • successful MAB
  • pre-auth ACL that permits TFTP (ip access-group in command on port)