05-16-2014 07:23 AM - edited 03-10-2019 09:43 PM
Hi
We have configured the ISE, and our requirement is that clients which connect behind the IP phone should get dot1x authentication with posturing done, and MAB for phones with no authentication.
The problem we face is that dot1x authentication and posture for the client is working and even the MAB for the IP phone is working, but the IP phone gets an IP address of data VLAN 326, while the authentication policy shows the voice VLAN tag.
Secondly, every time dot1x happens for the client, MAB also occurs for the IP phone.
Please find the configuration and logs:
interface FastEthernet0/5
 switchport access vlan 390
 switchport mode access
 switchport voice vlan 338
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x max-reauth-req 3
 spanning-tree portfast
end
9Floor_2960_3#show authentication sessions interface fastEthernet 0/5
Interface: FastEthernet0/5
MAC Address: c062.6b62.d767
IP Address: 10.22.50.36
User-Name: C0-62-6B-62-D7-67
Status: Authz Success
Domain: VOICE
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 338
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A1666120000020D25E0B591
Acct Session ID: 0x0000042E
Handle: 0xD300020E
Runnable methods list:
 Method   State
 mab      Authc Success
 dot1x    Not run
----------------------------------------
Interface: FastEthernet0/5
MAC Address: e89a.8f13.11fb
IP Address: 10.22.50.35
User-Name: kbank\kge10315
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 326
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-51ef7db1
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A1666120000020E25E0BE51
Acct Session ID: 0x00000430
Handle: 0x1500020F
Runnable methods list:
 Method   State
 mab      Failed over
 dot1x    Authc Success
9Floor_2960_3#show epm session summary
EPM Session Information
-----------------------
Total sessions seen so far : 141
Total active sessions : 2
Interface        IP Address   MAC Address     VLAN  Audit Session Id:
----------------------------------------------------------------------------------
FastEthernet0/5  10.22.50.36  c062.6b62.d767  326   0A1666120000020D25E0B591
FastEthernet0/5  10.22.50.35  e89a.8f13.11fb  326   0A1666120000020E25E0BE51
9Floor_2960_3#show authentication sessions
Interface  MAC Address     Method  Domain  Status         Session ID
Fa0/5      c062.6b62.d767  mab     VOICE   Authz Success  0A1666120000020D25E0B591
Fa0/5      e89a.8f13.11fb  dot1x   DATA    Authz Success  0A1666120000020E25E0BE51
Can anyone come up with a suggestion?
05-26-2014 06:28 AM
The issue got resolved, as CDP was disabled at the port level.
After enabling CDP, the IP phone was able to get a voice VLAN IP address.
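A check for the symptom seen in this thread, as an added example that is not part of the original posts: it compares the "Vlan Policy" value from "show authentication sessions interface" with the VLAN column of "show epm session summary" and reports any session where the two differ, which is what the phone's session showed before CDP was enabled. The function names are hypothetical, and the inputs are trimmed from the output posted above.

```python
import re

# Output excerpts copied from the first post (trimmed to the fields used here).
AUTH_DETAIL = """\
Interface: FastEthernet0/5
MAC Address: c062.6b62.d767
Domain: VOICE
Vlan Policy: 338
----------------------------------------
Interface: FastEthernet0/5
MAC Address: e89a.8f13.11fb
Domain: DATA
Vlan Policy: 326
"""
EPM_SUMMARY = """\
FastEthernet0/5 10.22.50.36 c062.6b62.d767 326 0A1666120000020D25E0B591
FastEthernet0/5 10.22.50.35 e89a.8f13.11fb 326 0A1666120000020E25E0BE51
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

def parse_auth_detail(text):
    """Return {mac: {"domain": str, "policy_vlan": int or None}} per session."""
    sessions = {}
    # Each session record starts with an "Interface:" line.
    for record in re.split(r"(?m)^(?=Interface:)", text):
        fields = dict(re.findall(r"(?m)^\s*([A-Za-z ]+?):\s*(\S.*?)\s*$", record))
        mac = fields.get("MAC Address", "").lower()
        if not re.fullmatch(MAC, mac):
            continue
        vlan = fields.get("Vlan Policy", "")
        sessions[mac] = {"domain": fields.get("Domain"),
                         "policy_vlan": int(vlan) if vlan.isdigit() else None}
    return sessions

def parse_epm_summary(text):
    """Return {mac: vlan} from the rows of 'show epm session summary'."""
    rows = re.findall(rf"(?m)^\S+\s+[\d.]+\s+({MAC})\s+(\d+)\s+\S+\s*$", text, re.I)
    return {mac.lower(): int(vlan) for mac, vlan in rows}

def vlan_mismatches(auth, epm):
    """List sessions whose authorized VLAN differs from the VLAN EPM reports."""
    return [(mac, s["domain"], s["policy_vlan"], epm[mac])
            for mac, s in sorted(auth.items())
            if mac in epm and s["policy_vlan"] is not None
            and s["policy_vlan"] != epm[mac]]

if __name__ == "__main__":
    print(vlan_mismatches(parse_auth_detail(AUTH_DETAIL), parse_epm_summary(EPM_SUMMARY)))
```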
08-06-2014 11:51 AM
I also configured that, but the problem is that the phone authenticates successfully while the wired user tries to authenticate but cannot. The switch configuration is the same as your config. Can you provide me any practice ISE configuration? Before this I had only wired user authentication and it was working normally. When I configured a new authentication and authorization profile for the phone, the phone authenticates normally but the wired user does not.
My email address: educcna@gmail.com
Thanks for your help.