6880 with ISE

Leroy Plock
Level 1

Is anyone successfully running a 6880 with IAs with ISE? (802.1x and MAB) We are having enormous difficulties centered around device tracking.

We're on 15.2(1)SY1.

Thanks.

10 Replies

jcockburn
Level 1

Hi Leroy,

We are running 6880-X-LE with ISE 802.1x and MAB. It is working for us ...kind of...we have some other issues...

We were on 15.2(1)SY1 but are now on 15.2(1)SY1a. It seems a little bit more stable but it is really way too early to tell. We have had numerous surprises with the IA architecture...

If I may ask, how do you deploy device tracking, because we did not do anything specific. I know you must now create a policy and apply that etc.

Ciao

JC

Hi Leroy,

If I may ask, how many interfaces have you got that are Dot1x "enabled" on your system, and also which of the 6880 models do you have? The 6880-X or the 6880-X-LE?

We are having issues that we found are not documented. I might share but not over this channel yet...

Ciao

JC

6880-X-LE, around 336 dot1x interfaces. It's working well for us under 15.2(1)SY1a, however we're not full production yet.

Hi Leroy,

Be aware that there is some limit on the 6880-X-LE and dot1x interfaces....

We are also on that release which is stable until you cross the limit...

Cisco SE recommends the limit to be 1000 dot1x enabled ports....

We are on 1200...if we add more the box gets extremely unstable...

Hope this helps

Ciao

JC

Good to know. Is this a confirmed bug? Do you have a bug number?

Thank you.

Hi Leroy,

It is not a bug. It is a limitation on the resources on the 6880-X-LE model.

Apparently the 6880-X model supports the whole count.

I am waiting for another answer from Cisco regarding this because we see some other inconsistency as well.

PM me your email and I will forward the info when I get this.

Maybe you can confirm with your Cisco SE as well...

Ciao

Hi,

We did a HW upgrade to 6880-X model as well as IOS upgrade to 15.2.1.SY2 and we no longer see any issues with dot1x/MAB clients.

We have 1300-odd interfaces configured with dot1x/mab and will be adding more shortly.

Ciao

JC

I did the same. I have a 6880-X-LE, version 15.2(1)SY2.

Any access port (216 - guest vlan):

interface GigabitEthernet122/1/0/3
 switchport
 switchport trunk allowed vlan 1
 switchport mode access
 switchport access vlan 216
 authentication event fail action next-method
 authentication event server dead action authorize vlan 216
 authentication event server alive action reinitialize
 authentication order dot1x mab webauth
 authentication priority dot1x mab webauth
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x timeout supp-timeout 10

All of the commands work fine on Catalyst 2960 and ISE 1.3, but it does not work on 6880. No dot1x authentication. Any ideas?

Hi,

Just an update.

As mentioned, we have 1200 configured dot1x interfaces, and at roughly 400 active users we started to see funny behaviour. New connections do not get authorised. We removed "authentication port-control auto", which puts the interfaces' state into force-authorised, and all is working again (obviously without the dot1x security).

Still awaiting response from Cisco.

Not a great situation to be in...

Ciao

JC

15.2(1)SY1a seems to have fixed most of our issues except one cosmetic one. You do not necessarily have to create and apply a policy, because when you put authentication port-control auto on the interface it applies the default policy. We are seeing if we can run with the default policy, but if we run into issues we will have to create a custom policy.

In the end all we had to do to get device tracking working was 2 commands:

device-tracking binding reachable-lifetime 30 stale-lifetime 10 down-lifetime 5
device-tracking tracking

The first is not even necessary if you're ok with the defaults.
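A small audit script, added here as an illustration and not taken from this thread or from Cisco, that parses a running-config, counts the ports that actually enforce 802.1X against the 1000-port figure JC quotes for the 6880-X-LE, and checks whether the global device-tracking command from the last reply is present. The config excerpt is constructed and the interface names are placeholders.

```python
# Constructed sample "show running-config" excerpt; not anyone's production box.
SAMPLE_CONFIG = """\
device-tracking tracking
!
interface GigabitEthernet122/1/0/1
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet122/1/0/2
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet122/1/0/3
 dot1x pae authenticator
!
"""
DOT1X_PORT_LIMIT = 1000  # figure the Cisco SE gave for the 6880-X-LE, per the thread

def parse_interfaces(config):
    """Return {interface name: set of its indented sub-commands}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        elif line.startswith(" ") and current:
            interfaces[current].add(line.strip())
        else:
            current = None  # '!' or a global command closes the block
    return interfaces

def dot1x_enforcing_ports(config):
    """Ports that really challenge clients: authenticator role plus port-control auto.
    Without 'authentication port-control auto' a port is force-authorized, so it is skipped."""
    return sorted(n for n, cmds in parse_interfaces(config).items()
                  if {"dot1x pae authenticator", "authentication port-control auto"} <= cmds)

def audit(config, limit=DOT1X_PORT_LIMIT):
    ifaces = parse_interfaces(config)
    ports = dot1x_enforcing_ports(config)
    global_cmds = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    return {
        "enforcing_ports": len(ports),
        "over_limit": len(ports) > limit,
        "device_tracking_enabled": "device-tracking tracking" in global_cmds,
        "no_mab_fallback": [n for n in ports if "mab" not in ifaces[n]],
    }
```

Feed it the real output of `show running-config` to see how close a box sits to the limit and which enforcing ports lack a MAB fallback.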
