10-08-2019 02:32 PM - edited 10-08-2019 02:33 PM
We are currently installing wired network authentication with ISE. Is this switch model, WS-C2960 + 48PST-S, compatible with ISE?
10-08-2019 02:36 PM
I will try to help if this is written in English, or wait; a local-language person can respond soon.
10-08-2019 02:44 PM
We are implementing wired network authentication with ISE. We have switch models WS-C2960 + 48PST-S; the question is whether these devices are compatible with ISE, and if they are compatible, what is the universal configuration for implementation with ISE?
10-08-2019 03:36 PM
Yes, they are compatible with an implementation with 802.1X.
Here is the matrix for 2.4:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/compatibility/b_ise_sdt_24.html
10-09-2019 06:59 AM
Currently I have this configuration on the interface, but my Avaya phone cannot log in; if I connect a PC, it does authenticate. Would there be some script?
interface GigabitEthernet1/0/7
description Prueba ISE
switchport access vlan x
switchport mode access
switchport voice vlan x
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
end
10-09-2019 08:06 AM - edited 10-09-2019 08:08 AM
At a high level you need multi-domain.
authentication host-mode multi-auth
multi-auth: Multiple MAC addresses can be in the DATA domain (all authenticated individually) and only 1 MAC address can be in the Voice domain. It should work as expected.
Also change to the below and test:
authentication host-mode multi-domain
802.1X multi-authentication feature allows multiple end-user hosts to authenticate on a single port.
802.1X multi-domain authentication is the feature used to authenticate an IP phone and an end-user host to different VLANs while on the same port.
Also check the logs in ISE for the reason it was failing.
10-10-2019 09:54 AM
Enter the command
authentication host-mode multi-domain
I got the following:
Oct 10 10:25:16.273: %DOT1X-5-FAIL: Authentication failed for client (ccf9.54a0.9fba) on Interface Fa0/27 AuditSessionID AC1045650000312FF869A9D1
Oct 10 10:25:16.273: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (ccf9.54a0.9fba) on Interface Fa0/27 AuditSessionID AC1045650000312FF869A9D1
Oct 10 10:25:16.273: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (ccf9.54a0.9fba) on Interface Fa0/27 AuditSessionID AC1045650000312FF869A9D1
Oct 10 10:25:16.273: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (ccf9.54a0.9fba) on Interface Fa0/27 AuditSessionID AC1045650000312FF869A9D1
Oct 10 10:25:16.273: %DOT1X_SWITCH-5-ERR_VLAN_EQ_VVLAN: Data VLAN 150 on port FastEthernet0/27 cannot be equivalent to the Voice VLAN AuditSessionID AC1045650000312FF869A9D1
Oct 10 10:25:16.273: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (ccf9.54a0.9fba) on Interface Fa0/27 AuditSessionID AC1045650000312FF869A9D1
Oct 10 10:25:16.273: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (ccf9.54a0.9fba) on Interface Fa0/27 AuditSessionID AC1045650000312FF869A9D1
ISE logs attached.
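
An added example, not part of the thread: a small Python parser that groups the AUTHMGR/DOT1X messages posted above by AuditSessionID and pulls out each method's result and the data/voice VLAN conflict the switch reports. The sample lines are copied from the post; the function names and the timestamp layout assumed by `STAMP` are this example's own.

```python
import re

# Constructed sample: lines taken from the switch output posted above,
# including the FAILOVER message wrapped over two lines as it was pasted.
SAMPLE = """\
Oct 10 10:25:16.273: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (ccf9.54a0.9fba) on Interface Fa0/27 AuditSessionID AC1045650000312FF869A9D1
Oct 10 10:25:16.273: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (ccf9.54a0.9fba) on Interface
Fa0/27 AuditSessionID AC1045650000312FF869A9D1
Oct 10 10:25:16.273: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (ccf9.54a0.9fba) on Interface Fa0/27 AuditSessionID AC1045650000312FF869A9D1
Oct 10 10:25:16.273: %DOT1X_SWITCH-5-ERR_VLAN_EQ_VVLAN: Data VLAN 150 on port FastEthernet0/27 cannot be equivalent to the Voice VLAN AuditSessionID AC1045650000312FF869A9D1
Oct 10 10:25:16.273: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (ccf9.54a0.9fba) on Interface Fa0/27 AuditSessionID AC1045650000312FF869A9D1
"""

# Assumption: timestamps look like "Oct 10 10:25:16.273: %", as in the post.
STAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+: %")
MSG = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<text>.*?)"
                 r" AuditSessionID (?P<sid>[0-9A-F]+)\s*$")
RESULT = re.compile(r"Authentication result '([^']+)' from '([^']+)'")
VLAN_EQ = re.compile(r"Data VLAN (\d+) on port (\S+) cannot be equivalent to the Voice VLAN")
CLIENT = re.compile(r"client \(([0-9a-f.]+)\)")

def unwrap(text):
    """Rejoin wrapped messages: a line without a timestamp continues the previous one."""
    out = []
    for line in text.splitlines():
        if STAMP.match(line) or not out:
            out.append(line.rstrip())
        elif line.strip():
            out[-1] += " " + line.strip()
    return out

def summarize(text):
    """Group messages by AuditSessionID; collect method results and any VLAN conflict."""
    sessions = {}
    for line in unwrap(text):
        m = MSG.search(line)
        if not m:
            continue  # not an authentication-session message
        s = sessions.setdefault(m["sid"], {"client": None, "mnemonics": [],
                                           "results": [], "vlan_conflict": None})
        s["mnemonics"].append(m["mnem"])
        if (c := CLIENT.search(m["text"])):
            s["client"] = c[1]
        if (r := RESULT.search(m["text"])):
            s["results"].append((r[2], r[1]))        # (method, result)
        if (v := VLAN_EQ.search(m["text"])):
            s["vlan_conflict"] = (int(v[1]), v[2])   # (data VLAN, port)
    return sessions

if __name__ == "__main__": print(summarize(SAMPLE))
```

For this session the summary shows `dot1x` ending in `no-response` and the switch reporting data VLAN 150 as the same as the voice VLAN on FastEthernet0/27.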