10-30-2019 04:11 AM
Hi everybody,
I have a problem with the 802.1 config on the switch and the connection to the ISE server.
I did all the configuration on the switch, but I can't ping my ISE server from the switch. Must I be able to ping it?!
This is my config:
conf t
! AAA method lists pointing at the RADIUS group
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
aaa accounting update newinfo periodic 5
! RADIUS server definition (ISE)
radius server ISE
 address ipv4 172.16.32.102 auth-port 1812 acct-port 1813
 timeout 2
 retransmit 3
 key cisco
ip radius source-interface lo0
radius-server dead-criteria time 3
radius-server vsa send accounting
radius-server vsa send authentication
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
! Change of Authorization (CoA) from ISE
aaa server radius dynamic-author
 client 172.16.32.102 server-key cisco
access-list 10 permit 172.16.32.0 0.0.0.255
access-list 10 deny any log
mac address-table notification change
mac address-table notification mac-move
logging origin-id ip
logging source lo0
logging host 172.16.32.102 transport udp port 20514
epm logging
! Pre-authentication ACL applied on the access ports
ip access-list ext ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 permit udp any any eq tftp
 permit ip any host 172.16.32.102
 deny ip any any
! Redirect ACL: permit entries select the traffic to redirect
ip access-list ext ACL-REDIRECT
 deny udp any eq bootpc any eq bootps
 deny udp any any eq domain
 deny ip any host 172.16.32.102
 permit tcp any any eq www
 permit tcp any any eq 443
 deny ip any any
dot1x system-auth-control
! Access ports running 802.1X with MAB fallback
default int range gi1/0/1-2
int range gi1/0/1-2
 switchport host
 switchport access vlan 401
 spanning-tree bpduguard enable
 authentication priority dot1x mab
 authentication order dot1x mab
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication timer reauthenticate server
 authentication event server dead action authorize vlan 401
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication violation restrict
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 2
 ip access-group ACL-DEFAULT in
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
int vlan 401
 ip helper-address 172.16.32.102
wr mem
--------------------------------------
Can anyone guide me?!
Thanks a lot
10-30-2019 02:23 PM
Hello,
Is this the full configuration? I don't see a default route, and there is no IP address on the VLAN interface?
10-31-2019 12:36 AM
Hello,
Yes, I have a VLAN with an IP address and mask. Here I sent my 802.1X config, and I don't know whether it is right or not.
And for the IP route, to which IP must I write the ip route?
Thanks
10-31-2019 12:53 AM
10-31-2019 01:00 AM
Hello,
Post the full running configuration (show run) of the 9300 and indicate to which port the ISE is connected. You have an IP helper-address for the ISE on the SVI for VLAN 401; that would indicate that the server is on another subnet.
10-31-2019 01:21 AM
10-31-2019 01:56 AM
Hello,
Post a schematic drawing of your topology. Can your clients ping 172.16.32.102?
10-31-2019 02:06 AM
10-31-2019 02:22 AM
Hello,
Again, post the full running configuration (show run) of your 9300, and a drawing of your topology. It is impossible to provide an answer without knowing what is connected to what.
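Added example, not part of any post in this thread: an offline check of a saved config for the two gaps the replies ask about, namely a RADIUS source interface with no IP address and no connected subnet or static route covering the ISE address. The function names and the addresses in FIXED are constructed for illustration, and interface names are matched only by their first two letters plus number (an assumption that covers lo0/Loopback0 and vlan 401/Vlan401).

```python
import ipaddress
import re

def _ifname(name):
    # Normalize 'lo0', 'Loopback0', 'vlan 401' into a comparable key (simplified).
    m = re.match(r"([A-Za-z-]+)\s*([\d/.]+)$", name.strip())
    return (m.group(1)[:2].lower(), m.group(2)) if m else (name.lower(), "")

def radius_reachability_findings(config):
    """Static check only: list reasons the switch may have no path to its RADIUS server."""
    servers, connected, routes = [], {}, []
    source_if = current_if = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"int(?:erface)?\s+(.+)", line, re.I):
            # Interface ranges carry no IP address of their own; skip them.
            is_range = m.group(1).lower().startswith("range")
            current_if = None if is_range else _ifname(m.group(1))
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and current_if:
            iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            connected[current_if] = iface.network
        elif m := re.match(r"address ipv4 (\S+)", line):
            servers.append(ipaddress.ip_address(m.group(1)))
        elif m := re.match(r"ip radius source-interface (.+)", line):
            source_if = _ifname(m.group(1))
        elif m := re.match(r"ip route (\S+) (\S+) \S+", line):
            routes.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    findings = []
    if source_if and source_if not in connected:
        findings.append("RADIUS source-interface has no IP address in this config")
    for srv in servers:
        if not any(srv in net for net in list(connected.values()) + routes):
            findings.append(f"no connected subnet or static route covers {srv}")
    return findings

# Reachability-relevant lines from the config posted in this thread.
POSTED = """\
radius server ISE
 address ipv4 172.16.32.102 auth-port 1812 acct-port 1813
ip radius source-interface lo0
int vlan 401
 ip helper-address 172.16.32.102
"""
# Constructed addresses and next hop, for illustration only.
FIXED = POSTED + """\
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
interface Vlan401
 ip address 10.40.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.40.1.254
"""
```

A clean result here only means the config contains an address and a route; it does not confirm that the path or the ISE side is working.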
10-31-2019 02:54 AM