Unable to authenticate users from 2960LL with ISE

sarathd24
Level 1

Hi all,

I am aware that 2960 LAN Lite switches are not compatible with ISE, but I am in a situation where I should make this work. I have a 3850 switch, and the users connected to that switch are able to authenticate via ISE successfully. If I connect a 2960LL switch to one of the access ports of the 3850 with multi-host configured, all the traffic from the 2960 will be hitting the 3850's access port and those users should be authenticating with ISE, right? In my case it's not working. Should I make any configuration changes to the 2960 switch? Any help would really be appreciated.

For your reference.

2960 LL ( Port 48 ) ----------- 3850 ( port 15 ) ----- cisco ISE

Port 48

switchport mode access
switchport access vlan 10

Port 15
switchport access vlan 10
switchport mode access
authentication control-direction in
authentication host-mode multi-host
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
end

Thanks

3 Replies

agrissimanis
Level 1

This should work, but it depends on what type of authentication methods you are using. Switches by standard do not forward EAPoL frames, so these frames would get dropped by the 2960 and never reach the 3850 or the client. So you would need to use MAB for these hosts. Using multi-host will authenticate the first user and allow all the others. If you want to authenticate multiple users you should use multi-auth.

I tried using multi-auth in the configuration but the authentication is still unsuccessful. As you said, the switches are dropping the EAP packets (found the EAP timeout messages in the logs). What should I configure to make this work?

Note: I have also configured posturing in ISE.

Apologies for the late reply. I am not aware of a way to make an "intelligent" Cisco switch forward EAP frames. I don't think that it is possible, but there might be some interesting workaround.

I faced similar challenges with under-the-desk consumer-grade switches/hubs - some forward EAP frames and dot1x works, some do not, and I ended up temporarily using MAB in such cases until I could get rid of these devices.
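
Why the replies end up at MAB, as an added example that is not from the thread: EAPOL-Start is sent to the PAE group address 01:80:C2:00:00:03, which lies in the IEEE 802.1D reserved block that a standards-compliant bridge does not relay, while ordinary traffic still carries the host's source MAC upstream. The function names, MAC addresses and frames below are constructed for illustration.

```python
import struct

EAPOL_ETHERTYPE = 0x888E
ARP_ETHERTYPE = 0x0806
# IEEE 802.1D reserved block 01-80-C2-00-00-00..0F: bridges must not relay it.
RESERVED_PREFIX = bytes.fromhex("0180c20000")
PAE_GROUP = bytes.fromhex("0180c2000003")  # default EAPOL destination
BROADCAST = bytes.fromhex("ffffffffffff")

def parse(frame):
    """Return (dst, src, ethertype) from an untagged Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return frame[:6], frame[6:12], ethertype

def bridge_relays(dst):
    """False for reserved link-local destinations a compliant bridge filters."""
    return not (dst[:5] == RESERVED_PREFIX and dst[5] <= 0x0F)

def upstream_view(frames):
    """Per source MAC, what an authenticator port behind the bridge can use."""
    seen = {}
    for raw in frames:
        dst, src, ethertype = parse(raw)
        mac = src.hex(":")
        seen.setdefault(mac, "nothing received")
        if not bridge_relays(dst):
            continue  # filtered by the intermediate switch, never seen upstream
        if ethertype == EAPOL_ETHERTYPE:
            seen[mac] = "802.1X possible"
        elif seen[mac] != "802.1X possible":
            seen[mac] = "MAB only"  # only the source MAC is learned
    return seen

def build_frame(dst, src, ethertype, payload=b"\x00" * 46):
    return dst + src + struct.pack("!H", ethertype) + payload

# Constructed sample traffic from two hosts behind the intermediate switch.
HOST_A = bytes.fromhex("020000000a01")
HOST_B = bytes.fromhex("020000000b02")
EAPOL_START = b"\x01\x01\x00\x00"  # version 1, type 1 (Start), length 0
SAMPLE = [
    build_frame(PAE_GROUP, HOST_A, EAPOL_ETHERTYPE, EAPOL_START),
    build_frame(BROADCAST, HOST_A, ARP_ETHERTYPE),
    build_frame(PAE_GROUP, HOST_B, EAPOL_ETHERTYPE, EAPOL_START),
]

if __name__ == "__main__":
    for mac, result in upstream_view(SAMPLE).items():
        print(mac, "->", result)
```

A host that sends only EAPOL to the group address never appears on the upstream port at all, which matches the EAP timeouts reported in the thread.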