Multi authentication issue

cgtydvc
Level 1

Hi,

I have an issue with multi authentication on a Cisco 2960S switch. I need to add a macro for some of the ports (for clients). I can't write "authentication event server dead action authorize" and "authentication event server alive action reinitialize". After I type "authentication event ?", Cisco shows me only "fail" and "no-response".

I tried an IOS upgrade but nothing changed. Before the upgrade we used 12.55, and then we upgraded to the latest 15.2 version, as Cisco suggested.

I'm open to your ideas.

 

Thank you for any advice.

9 Replies

pieterh
VIP

I cannot match the term "multi authentication" with the "authentication event server dead action authorize" command.

- Do you mean you need multiple devices authenticated on the same switchport?
- Or do you need to configure multiple AAA servers?

Sorry, I didn't specify that in my post. I need to configure multi authentication on the same switchport. When the device had the 12.55 IOS, the interface didn't show me "authentication host-mode multi-auth", nor the commands I mentioned above. I tried upgrading the switch to the 15.2 IOS but nothing changed.

Is there already some dot1x configuration active on the switch?

If not, you need to do some global configuration first.

Look at this document

There isn't any configuration on the switchports. All ports are default. The commands are not listed when I write multi-auth, but I can write single-host auth. I can't think of anything else; there may be a problem with the device.

 

If your switchport is at default config, then there is also no dot1x authentication active at all,
so multi-auth, which depends on dot1x or MAB authentication, has no purpose here.
=> You first need to configure dot1x authentication (globally and on the port) before you can use multi-auth on a port.

Follow the steps in the document from my earlier post (this document).

I really appreciate your help, but it didn't change after the global AAA authentication. On Cisco ISE I can see MAB and dot1x authentication succeed with a single supplicant. I tried to reset the switch and defined dot1x auth again; it didn't change. If I find a solution I will write it here.

OK, good luck. Please let us know if you make any progress.

 

But I'm still confused:
>>> There isn't any configuration on the switchports. All ports are default. <<<
How do Cisco ISE and MAB work on a port without config to use authentication?

I hope so; if I find it I will share the process.

The supplicant can be authenticated, but it doesn't have the multi-auth mode and the auth. event server dead command.

 

For example, I can write this config and I can see the supplicant on Cisco ISE.

int gi0/28
 switchport mode access
 authentication event fail action next-method
 authentication event no-response action authorize vlan 3
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab

There are some SNMP and spanning-tree commands too, but there is no need to write them here. When I write "sh authentication session int gi0/28" the output is "mab => Authc Success". When I track it by session-id I can see "status is Authz Success".

 

You do not mention the "dot1x pae authenticator" command in the port config?
If this is really not there, then the dot1x in the "authentication order..." command has no function.
MAB does not use a supplicant.
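
Added example, not part of any post in this thread: a small Python check that runs the points raised above (dot1x listed in "authentication order" without "dot1x pae authenticator", and the missing multi-auth host mode) against the gi0/28 configuration posted earlier. The function names `interface_blocks` and `lint_port` are hypothetical, and the sample text is the posted port config copied inline.

```python
import re

# Port configuration as posted in the thread, embedded as sample input.
POSTED = """\
int gi0/28
 switchport mode access
 authentication event fail action next-method
 authentication event no-response action authorize vlan 3
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
"""

def interface_blocks(config):
    """Split IOS-style text into {interface name: [sub-commands]}."""
    blocks, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if not line:
            continue  # tolerate blank lines between commands
        header = re.match(r"int(?:erface)?\s+(\S+)$", line)
        if header:
            current = blocks.setdefault(header.group(1), [])
        elif line == "!":
            current = None  # end of the interface block
        elif current is not None:
            current.append(line)
    return blocks

def lint_port(cmds):
    """Return findings for a port that is meant to run multi-auth."""
    findings = []
    methods = next((c.split()[2:] for c in cmds
                    if c.startswith("authentication order ")), [])
    if "authentication port-control auto" not in cmds:
        findings.append("'authentication port-control auto' is not set")
    if "dot1x" in methods and "dot1x pae authenticator" not in cmds:
        findings.append("dot1x is in the order but 'dot1x pae authenticator' is missing")
    if "mab" in methods and "mab" not in cmds:
        findings.append("mab is in the order but 'mab' is not enabled")
    host_mode = next((c.split()[-1] for c in cmds
                      if c.startswith("authentication host-mode ")), None)
    if host_mode != "multi-auth":
        findings.append(f"host-mode is {host_mode or 'unset'}, not multi-auth")
    return findings
```

Calling `lint_port(interface_blocks(POSTED)["gi0/28"])` reports the two gaps discussed in the replies; it only inspects configuration text and cannot tell whether the IOS image on the switch accepts the multi-auth command.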
