Is the WS-C2960+48PST-S compatible with ISE?

eperezb
Level 1

We are currently setting up wired network authentication with ISE. Is this switch model, WS-C2960 + 48PST-S, compatible with ISE?

6 Replies

balaji.bandi
Hall of Fame

I will try to help if this is written in English, or wait for a local-language person who can respond soon.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

We are implementing wired network authentication with ISE. We have switch models WS-C2960 + 48PST-S; the question is whether these devices are compatible with ISE, and, if they are compatible, what is the universal configuration for implementation with ISE?

Yes, they are compatible; implement with 802.1X.

Here is the matrix for 2.4:

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/compatibility/b_ise_sdt_24.html

BB


Currently I have this configuration on the interface, but my Avaya phone cannot log in; if I connect a PC, it does authenticate. Is there some script?

 

 

interface GigabitEthernet1/0/7
description Prueba ISE
switchport access vlan x
switchport mode access
switchport voice vlan x
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
end

On a high level, you need multi-domain.

 

authentication host-mode multi-auth

multi-auth: Multiple MAC addresses can be in the DATA domain (all authenticated individually) and only 1 MAC address can be in the Voice domain. It should work as expected.

Also change to the below and test:

authentication host-mode multi-domain

 

 

802.1X multi-authentication feature allows multiple end-user hosts to authenticate on a single port.

802.1X multi-domain authentication is the feature used to authenticate an IP phone and an end-user host to different VLANs while on the same port.

 

Also check the logs in ISE for the reason it was failing.

BB


I entered the command

authentication host-mode multi-domain

 

I got the following:

 

 

Oct 10 10:25:16.273: %DOT1X-5-FAIL: Authentication failed for client (ccf9.54a0.9fba) on Interface Fa0/27 AuditSessionID AC1045650000312FF869A9D1
Oct 10 10:25:16.273: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (ccf9.54a0.9fba) on Interface Fa0/27 AuditSessionID AC1045650000312FF869A9D1
Oct 10 10:25:16.273: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (ccf9.54a0.9fba) on Interface Fa0/27 AuditSessionID AC1045650000312FF869A9D1
Oct 10 10:25:16.273: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (ccf9.54a0.9fba) on Interface Fa0/27 AuditSessionID AC1045650000312FF869A9D1
Oct 10 10:25:16.273: %DOT1X_SWITCH-5-ERR_VLAN_EQ_VVLAN: Data VLAN 150 on port FastEthernet0/27 cannot be equivalent to the Voice VLAN AuditSessionID AC1045650000312FF869A9D1
Oct 10 10:25:16.273: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (ccf9.54a0.9fba) on Interface Fa0/27 AuditSessionID AC1045650000312FF869A9D1
Oct 10 10:25:16.273: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (ccf9.54a0.9fba) on Interface Fa0/27 AuditSessionID AC1045650000312FF869A9D1

 

ISE logs attached
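
The switch log in the last post can be triaged per session, as an added example that is not part of the thread and not Cisco code: this Python script groups the syslog lines by AuditSessionID and extracts the per-method results and the %DOT1X_SWITCH-5-ERR_VLAN_EQ_VVLAN data/voice VLAN clash. The function names `triage` and `findings` and the regexes are assumptions written against the line format shown in that post.

```python
import re
from collections import defaultdict

# The seven syslog lines from the post above (wrapped FAILOVER line rejoined).
SID = "AuditSessionID AC1045650000312FF869A9D1"
WHO = "for client (ccf9.54a0.9fba) on Interface Fa0/27 " + SID
SAMPLE = "\n".join("Oct 10 10:25:16.273: " + l for l in [
    "%DOT1X-5-FAIL: Authentication failed " + WHO,
    "%AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' " + WHO,
    "%AUTHMGR-7-FAILOVER: Failing over from 'dot1x' " + WHO,
    "%AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods " + WHO,
    "%DOT1X_SWITCH-5-ERR_VLAN_EQ_VVLAN: Data VLAN 150 on port FastEthernet0/27 cannot be equivalent to the Voice VLAN " + SID,
    "%AUTHMGR-5-FAIL: Authorization failed or unapplied " + WHO,
    "%DOT1X-5-RESULT_OVERRIDE: Authentication result overridden " + WHO,
])

# Patterns are assumptions, written against the line format shown in the post.
LINE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+): ")
SESSION = re.compile(r"AuditSessionID (\w+)")
CLIENT = re.compile(r"client \(([0-9a-f.]+)\)")
RESULT = re.compile(r"Authentication result '([^']+)' from '([^']+)'")
CLASH = re.compile(r"Data VLAN (\d+) on port (\S+) cannot be equivalent to the Voice VLAN")

def triage(text):  # group auth-manager events by AuditSessionID
    sessions = defaultdict(lambda: {"client": None, "events": [], "results": [], "vlan_clash": None})
    for raw in text.splitlines():
        line, sid = LINE.search(raw), SESSION.search(raw)
        if not (line and sid):
            continue  # not an IOS message, or no session to attach it to
        s = sessions[sid.group(1)]
        s["events"].append(f"{line.group(1)}-{line.group(3)}")
        if c := CLIENT.search(raw):
            s["client"] = c.group(1)
        if r := RESULT.search(raw):
            s["results"].append((r.group(2), r.group(1)))  # (method, result)
        if v := CLASH.search(raw):
            s["vlan_clash"] = (int(v.group(1)), v.group(2))  # (data VLAN, port)
    return dict(sessions)

def findings(s):  # per-method results, exhaustion, VLAN clash for one session
    out = [f"{m} ended with '{r}'" for m, r in s["results"]]
    if "AUTHMGR-NOMOREMETHODS" in s["events"]:
        out.append("all authentication methods exhausted")
    if s["vlan_clash"]:
        out.append("data VLAN {} equals voice VLAN on {}".format(*s["vlan_clash"]))
    return out

for sid, s in triage(SAMPLE).items():
    print(sid, s["client"], findings(s))
```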

 

 
