Contributor

dot1x Monitor Mode

Hi,

I have a setup where I configured monitor mode on a switch with ISE as the RADIUS server. This is for testing before a bigger deployment at a customer site.

I'm using ISE 1.1.3, a C2960 with IOS 15.0(2) and a laptop with Windows 7 Enterprise SP1.

The correct configuration with EAP-TLS and a machine cert is working like it should, but when I remove this and make the laptop fail, I get weird results with monitor mode. I can't get DNS to work in dot1x monitor mode if the client fails authentication.

When the client fails dot1x and MAB it gets an IP with DHCP. I can ping, but DNS/browsing is not working. If I put the AuthC back and the client authenticates, DNS is working, or if I turn off dot1x on the client then DNS works as it should.

Has anyone seen this before and/or have some insight on how this should work?

I know this probably is a client/supplicant problem.

Port config:

interface GigabitEthernet0/2
 description 802.1x port PC lab
 switchport access vlan 8
 switchport mode access
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator

----------------------------------

sw#sh auth sess int gi0/2
            Interface:  GigabitEthernet0/2
          MAC Address:  000d.9d90.c96d
           IP Address:  192.168.50.30
            User-Name:  000d9d90c96d
               Status:  Authz Failed
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  C0A8320900000CF4DC2FDA59
      Acct Session ID:  0x00000D2A
               Handle:  0xA0000CF5

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Failed over

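As an added check, not code from the original post or any of the replies, this Python snippet parses the session output above and spells out why a session whose methods have all "Failed over" still holds an IP on a port configured with authentication open, which helps separate switch-side enforcement from supplicant behaviour when triaging this. The sample text is constructed from the poster's output, and port_is_open is an assumed flag standing in for the "authentication open" line of the port config.

```python
# Constructed sample modelled on the `show authentication sessions` output in the post.
SAMPLE = """\
            Interface:  GigabitEthernet0/2
          MAC Address:  000d.9d90.c96d
           IP Address:  192.168.50.30
            User-Name:  000d9d90c96d
               Status:  Authz Failed
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Failed over
"""

def parse_session(text):
    """Split the show output into an attribute dict and a per-method state dict."""
    attrs, methods, in_methods = {}, {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Runnable methods list"):
            in_methods = True
            continue
        if in_methods:
            name, _, state = line.partition(" ")
            if name != "Method":            # skip the column header row
                methods[name] = state.strip()
            continue
        key, _, value = line.partition(":")
        attrs[key.strip()] = value.strip()
    return attrs, methods

def assess(attrs, methods, port_is_open):
    """Explain why a failed session still holds an address (port_is_open: 'authentication open')."""
    findings = []
    all_failed = bool(methods) and all(s == "Failed over" for s in methods.values())
    if attrs.get("Status") == "Authz Failed" and all_failed:
        findings.append("all methods failed over: no authorization result was applied")
        if port_is_open and attrs.get("IP Address"):
            findings.append("authentication open: host kept access and got "
                            + attrs["IP Address"] + " despite the failure")
    if attrs.get("User-Name") == attrs.get("MAC Address", "").replace(".", ""):
        findings.append("User-Name is the MAC: last attempt was MAB, not an EAP identity")
    return findings
```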
Beginner

dot1x Monitor Mode

You need a configured ip access-group with the ACL of permit ip any any hardcoded on the interface.

Beginner

dot1x Monitor Mode

While checking the authenticated sessions, please also verify all the dACLs which are enforced. This will help obtain more input and narrow down the problem. Please make sure that the Web-auth ACL has no errors.

Participant

dot1x Monitor Mode

Hi,

Please check if you configured Fallback to unauthorized network access under your Windows NIC dot1x settings.

If not, you won't get network access when dot1x fails.