06-09-2021 04:55 AM - edited 06-09-2021 05:21 AM
Hi,
I have an issue with multi authentication on a Cisco 2960s switch. I need to add a macro for some of the ports (for clients). I can't enter "authentication event server dead action authorize" and "authentication event server alive action reinitialize". When I type "authentication event ?" the switch only shows me "fail" and "no-response".
I tried an IOS upgrade but nothing changed. Before the upgrade we used 12.55, and after that Cisco suggested upgrading to 15.2, the latest version.
I'm open to your ideas.
Thank you for any advice.
06-09-2021 07:07 AM
I cannot match the term "multi authentication" with "authentication event server dead action authorize" command
- do you mean you need multiple devices authenticated on the same switchport ?
- or you need to configure multiple aaa-servers ?
06-10-2021 12:14 AM
Sorry, I didn't specify that in the statement. I need to configure multi authentication on the same switchport. When the device had the 12.55 IOS, the interface didn't show me "authentication host-mode multi-auth", nor the commands I mentioned above. I tried upgrading the switch to the 15.2 IOS but nothing changed.
06-10-2021 03:40 AM
is there already some dot1x configuration active on the switch ?
if not you need to do some global configuration first
look at this document
06-10-2021 05:16 AM
There isn't any configuration on the switchports. All ports are default. The commands are not listed when I type multi-auth, but I can enter single-host auth. I can't think of anything else; there may be a problem with the device.
06-10-2021 06:00 AM - edited 06-10-2021 06:03 AM
if your switchport is default-config then there is also totally no dot1x authentication active
so multi-auth that depends on dot1x or mab authentication has no purpose here
=> you first need to configure dot1x authentication (global and on port) before you can use multi-auth on a port
follow the steps in the document from my earlier post
06-11-2021 01:22 AM
I really appreciate your help, but nothing changed after the global aaa authentication. On Cisco ISE I can see mab and dot1x authentication succeed with a single supplicant. I tried resetting the switch and defining dot1x auth again; it didn't change. If I find a solution I will write it here.
06-11-2021 02:38 AM
ok, good luck please let us know if you make any progress,
but I'm still confused
>>> there aren't any configuration on the switchports. All ports default. <<<
how does Cisco ISE and MAB work on a port without config to use authentication ?
06-11-2021 04:33 AM - edited 06-11-2021 04:35 AM
I hope so; if I find it I will share the process.
The supplicant can be authenticated, but the switch doesn't have multi-auth mode or the auth. event server dead command.
For example, I can write this config and I can see the supplicant on Cisco ISE.
int gi0/28
 switchport mode access
 authentication event fail action next-method
 authentication event no-response action authorize vlan 3
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
There are some snmp and spanning-tree commands too, but they don't need to be written here. When I run "sh authentication session int gi0/28" the output is "mab => Authc Success". When I track it with the session-id I can see "status is Authz Success".
06-11-2021 07:11 AM
you do not mention the "dot1x pae authenticator" command on the port config ?
if this is really not there, then the dot1x in the "authentication order..." command has no function
mab does not use a supplicant
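
Added example, not part of the thread and not Cisco tooling: a small Python check that scans a saved running-config for the gaps raised in the replies above (global dot1x prerequisites, "dot1x pae authenticator" on the port, host-mode). The sample config is constructed from the gi0/28 stanza posted earlier, and parse() and audit() are hypothetical helper names.

```python
import re

# Constructed sample in "show running-config" layout (assumed format): part of
# the gi0/28 stanza from the thread plus one untouched port.
SAMPLE = """\
aaa new-model
interface GigabitEthernet0/28
 switchport mode access
 authentication order mab dot1x
 authentication port-control auto
 mab
interface GigabitEthernet0/29
 switchport mode access
"""

def parse(config):
    """Split a config into global lines and per-interface command lists."""
    globals_, ports, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        m = re.match(r"^int(?:erface)?\s+(\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), [])
        elif line[0].isspace() and current is not None:
            current.append(line.strip())
        else:
            current = None
            globals_.append(line.strip())
    return globals_, ports

def audit(config):
    """Return (scope, finding) pairs for ports set to 'port-control auto'."""
    globals_, ports = parse(config)
    findings = []
    auth_ports = {n: c for n, c in ports.items() if "authentication port-control auto" in c}
    for needed in ("aaa new-model", "dot1x system-auth-control") if auth_ports else ():
        if needed not in globals_:
            findings.append(("global", f"missing '{needed}'"))
    for name, cmds in auth_ports.items():
        order = next((c.split()[2:] for c in cmds if c.startswith("authentication order ")), [])
        if "dot1x" in order and "dot1x pae authenticator" not in cmds:
            findings.append((name, "dot1x in authentication order but no 'dot1x pae authenticator'"))
        if not any(c.startswith("authentication host-mode ") for c in cmds):
            findings.append((name, "no 'authentication host-mode' line (default single-host applies)"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{scope}: {finding}" for scope, finding in audit(SAMPLE)))
```

Ports without "authentication port-control auto", such as the constructed GigabitEthernet0/29, are skipped, so the findings only cover ports where authentication is actually enabled.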