11-18-2019 11:10 AM
I have a issue with 802.1X, when I connect a laptop to port G1 / 0/2 it authenticates successfully and is reflected with the command show authentication session int g1 / 0/2 det and also in ISE but when I connect a second device in The G1 / 0/3 port does not see any session with sh authenticate session nor in the ISE but in the network card if the connection established to the domain appears and can have internet access.
I am using SD-Access Fabric with the closeAuthentication template.
Current configuration : 390 bytes
!
interface GigabitEthernet1/0/2 and G1/0/3
switchport access vlan 1038
switchport mode access
device-tracking attach-policy IPDT_MAX_10
load-interval 30
cts manual
policy static sgt 4
no propagate sgt
dot1x timeout tx-period 7
dot1x max-reauth-req 3
no macro auto processing
source template DefaultWiredDot1xClosedAuth
spanning-tree portfast
end
!
!
template DefaultWiredDot1xClosedAuth
dot1x pae authenticator
switchport access vlan 2047
switchport mode access
switchport voice vlan 4000
mab
access-session closed
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber PMAP_DefaultWiredDot1xClosedAuth_1X_MAB
!
policy-map type control subscriber PMAP_DefaultWiredDot1xClosedAuth_1X_MAB
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x retries 2 retry-time 0 priority 10
event authentication-failure match-first
5 class DOT1X_FAILED do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
10 activate service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
20 activate service-template DefaultCriticalVoice_SRV_TEMPLATE
30 authorize
40 pause reauthentication
20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
10 pause reauthentication
20 authorize
30 class DOT1X_NO_RESP do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
40 class MAB_FAILED do-until-failure
10 terminate mab
20 authentication-restart 60
60 class always do-until-failure
10 terminate dot1x
20 terminate mab
30 authentication-restart 60
event aaa-available match-all
10 class IN_CRITICAL_AUTH_CLOSED_MODE do-until-failure
10 clear-session
20 class NOT_IN_CRITICAL_AUTH_CLOSED_MODE do-until-failure
10 resume reauthentication
event agent-found match-all
10 class always do-until-failure
10 terminate mab
20 authenticate using dot1x retries 2 retry-time 0 priority 10
event inactivity-timeout match-all
10 class always do-until-failure
10 clear-session
event authentication-success match-all
event violation match-all
10 class always do-until-failure
10 restrict
event authorization-failure match-all
10 class AUTHC_SUCCESS-AUTHZ_FAIL do-until-failure
10 authentication-restart 60
!
Also we did the test on other switch without SD-Access and the 802.1X authentication works fine with the same ISE, connecting 3 laptops and all session are shows.
Does anybody know what I missing?
Thanks and regards.
Solved! Go to Solution.
11-19-2019 08:28 AM
11-19-2019 06:34 AM
11-19-2019 08:06 AM
11-19-2019 08:28 AM
11-19-2019 08:56 PM
Mike
I deleted the CTS Manual (Policy static sgt) and configured cts role-based enforcement and finally the laptops authenticated.
Thanks and regards
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide