08-26-2015 12:36 PM - edited 03-08-2019 01:32 AM
Is anyone successfully running a 6880 with IAs with ISE? (802.1x and MAB) We are having enormous difficulties centered around device tracking.
We're on 15.2(1)SY1.
Thanks.
11-09-2015 01:33 AM
Hi Leroy,
We are running 6880-X-LE with ISE 802.1x and MAB. It is working for us ...kind of...we have some other issues...
We were on 15.2(1)SY1 but are now on 15.2(1)SY1a. It seems a little bit more stable but it is really way too early to tell. We have had numerous surprises with the IA architecture...
If I may ask, how do you deploy device tracking, because we did not do anything specific. I know you must now create a policy and apply that etc.
Ciao
JC
11-22-2015 11:36 PM
Hi Leroy,
If I may ask, how many interfaces have you got that are Dot1x "enabled" on your system, and also which of the 6880 models do you have? The 6880-X or the 6880-X-LE?
We are having issues that we found are not documented. I might share but not over this channel yet...
Ciao
JC
11-23-2015 05:55 AM
6880-X-LE, around 336 dot1x interfaces. It's working well for us under 15.2(1)SY1a, however we're not full production yet.
12-08-2015 01:02 AM
Hi Leroy,
Be aware that there is some limit on the 6880-X-LE and dot1x interfaces....
We are also on that release which is stable until you cross the limit...
Cisco SE recommends the limit to be 1000 dot1x enabled ports....
We are on 1200...if we add more the box gets extremely unstable...
Hope this helps
Ciao
JC
12-08-2015 06:26 AM
Good to know. Is this a confirmed bug? Do you have a bug number?
Thank you.
12-08-2015 11:04 PM
Hi Leroy,
It is not a bug. It is a limitation on the resources on the 6880-X-LE model.
Apparently the 6880-X model supports the whole count.
I am waiting for another answer from Cisco regarding this because we see some other inconsistency as well.
PM me your email and I will forward the info when I get this.
Maybe you can confirm with your Cisco SE as well...
Ciao
05-23-2016 02:21 AM
Hi,
We did a HW upgrade to 6880-X model as well as IOS upgrade to 15.2.1.SY2 and we no longer see any issues with dot1x/MAB clients.
We have 1300 odd interfaces configured with dot1x/mab and will be adding more shortly.
Ciao
JC
06-07-2016 06:02 AM
I did the same. I have 6880-X-LE,
Version 15.2(1)SY2.
Any access port (216 - guest vlan):
interface GigabitEthernet122/1/0/3
 switchport
 switchport trunk allowed vlan 1
 switchport mode access
 switchport access vlan 216
 authentication event fail action next-method
 authentication event server dead action authorize vlan 216
 authentication event server alive action reinitialize
 authentication order dot1x mab webauth
 authentication priority dot1x mab webauth
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x timeout supp-timeout 10
All of the commands work fine on Catalyst 2960 and ISE 1.3, but it does not work on 6880. No dot1x authentication. Any ideas?
12-10-2015 11:44 PM
Hi,
Just an update.
As mentioned we are having 1200 configured dot1x interfaces and on round about 400 active users we started to see funny behaviour. Any new connections do not get authorised. We removed "authentication port-control auto" which puts the interfaces' state into force authorised and all is working again (obviously without the dot1x security).
Still awaiting response from Cisco.
Not a great situation to be in...
Ciao
JC
11-23-2015 05:53 AM
15.2(1)SY1a seems to have fixed most of our issues except one cosmetic one. You do not necessarily have to create and apply a policy because when you put authentication port-control auto on the interface it applies the default policy. We are seeing if we can run with the default policy but if we run into issues will have to create a custom policy.
In the end all we had to do to get device tracking working was 2 commands:
device-tracking binding reachable-lifetime 30 stale-lifetime 10 down-lifetime 5
device-tracking tracking
The first is not even necessary if you're ok with the defaults.
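Added example, not posted by anyone in this thread and not Cisco code: a small audit of a saved running-config that counts ports with `authentication port-control auto` against the 1000-port figure quoted above for the 6880-X-LE, and lists access ports without it, which the thread notes are left force-authorized. The function names and the sample config are hypothetical, and the parser assumes the usual indented `show running-config` layout.

```python
import re

# Figure quoted in the thread as the Cisco SE recommendation for the 6880-X-LE.
RECOMMENDED_MAX_DOT1X_PORTS = 1000

def parse_interfaces(config_text):
    """Split an IOS running-config into {interface name: [sub-commands]}."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif current is not None and line[:1].isspace() and line.strip():
            current.append(line.strip())
        else:
            current = None  # "!" or a top-level command ends the block
    return interfaces

def audit(config_text, limit=RECOMMENDED_MAX_DOT1X_PORTS):
    """Count ports enforcing authentication and list access ports left open."""
    enforced, open_access = [], []
    for name, cmds in parse_interfaces(config_text).items():
        if "authentication port-control auto" in cmds:
            enforced.append(name)
        elif "switchport mode access" in cmds:
            # Access port without port-control auto: no 802.1x/MAB enforcement
            open_access.append(name)
    return {"enforced": enforced, "open_access": open_access,
            "over_limit": len(enforced) > limit}

# Constructed sample config (not taken from the posters' devices).
SAMPLE = """\
interface GigabitEthernet122/1/0/3
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet122/1/0/4
 switchport mode access
 switchport access vlan 216
!
interface TenGigabitEthernet5/1
 switchport mode trunk
!
"""

if __name__ == "__main__":
    print(audit(SAMPLE, limit=1))
```

Running it on each saved config before adding more 802.1x ports shows how close the chassis is to the quoted figure and which access ports would admit a device without authentication.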