10-08-2019 02:32 PM - edited 10-08-2019 02:33 PM
We are currently installing wired network authentication with ISE. Is this switch model, WS-C2960 + 48PST-S, compatible with ISE?
10-08-2019 02:36 PM
I will try to help if this is written in English, or wait for a local-language person who can respond soon.
10-08-2019 02:44 PM
We are implementing wired network authentication with ISE. We have switch models WS-C2960 + 48PST-S; the question is whether these devices are compatible with ISE, and if they are compatible, what is the universal configuration for implementation with ISE?
10-08-2019 03:36 PM
Yes, they are compatible with an implementation with 802.1X.
Here is the matrix for 2.4:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/compatibility/b_ise_sdt_24.html
10-09-2019 06:59 AM
Currently I have this configuration on the interface, but my Avaya phone cannot log in; if I connect a PC, it does authenticate. Would there be some script?
interface GigabitEthernet1/0/7
description Prueba ISE
switchport access vlan x
switchport mode access
switchport voice vlan x
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
end
10-09-2019 08:06 AM - edited 10-09-2019 08:08 AM
On a high level you need multi-domain
authentication host-mode multi-auth
multi-auth: Multiple MAC addresses can be in the DATA domain (all authenticated individually) and only 1 MAC address can be in the Voice domain. It should work as expected.
Also change to below and test
authentication host-mode multi-domain
802.1X multi-authentication feature allows multiple end-user hosts to authenticate on a single port.
802.1X multi-domain authentication is the feature used to authenticate an IP phone and an end-user host to different VLANs while on the same port.
Also check the logs in ISE for the reason it was failing.
10-10-2019 09:54 AM
Enter the command
authentication host-mode multi-domain
I got the following
Oct 10 10:25:16.273: %DOT1X-5-FAIL: Authentication failed for client (ccf9.54a0.9fba) on Interface Fa0/27 AuditSessionID AC1045650000312FF869A9D1
Oct 10 10:25:16.273: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (ccf9.54a0.9fba) on Interface Fa0/27 AuditSessionID AC1045650000312FF869A9D1
Oct 10 10:25:16.273: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (ccf9.54a0.9fba) on Interface Fa0/27 AuditSessionID AC1045650000312FF869A9D1
Oct 10 10:25:16.273: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (ccf9.54a0.9fba) on Interface Fa0/27 AuditSessionID AC1045650000312FF869A9D1
Oct 10 10:25:16.273: %DOT1X_SWITCH-5-ERR_VLAN_EQ_VVLAN: Data VLAN 150 on port FastEthernet0/27 cannot be equivalent to the Voice VLAN AuditSessionID AC1045650000312FF869A9D1
Oct 10 10:25:16.273: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (ccf9.54a0.9fba) on Interface Fa0/27 AuditSessionID AC1045650000312FF869A9D1
Oct 10 10:25:16.273: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (ccf9.54a0.9fba) on Interface Fa0/27 AuditSessionID AC1045650000312FF869A9D1
ISE logs attached
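The following Python script is an added example, not written by any poster in this thread or by Cisco. It groups switch syslog lines like those in the last post by AuditSessionID and lists what each session reports, including the ERR_VLAN_EQ_VVLAN message about data VLAN 150. The function name `triage` and the wording of the findings are assumptions made for this example.

```python
import re
from collections import defaultdict

# Four of the switch syslog lines from the last post in the thread.
SAMPLE_LOG = """\
Oct 10 10:25:16.273: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (ccf9.54a0.9fba) on Interface Fa0/27 AuditSessionID AC1045650000312FF869A9D1
Oct 10 10:25:16.273: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (ccf9.54a0.9fba) on Interface Fa0/27 AuditSessionID AC1045650000312FF869A9D1
Oct 10 10:25:16.273: %DOT1X_SWITCH-5-ERR_VLAN_EQ_VVLAN: Data VLAN 150 on port FastEthernet0/27 cannot be equivalent to the Voice VLAN AuditSessionID AC1045650000312FF869A9D1
Oct 10 10:25:16.273: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (ccf9.54a0.9fba) on Interface Fa0/27 AuditSessionID AC1045650000312FF869A9D1
"""

MSG = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+): (.*)")
SESSION = re.compile(r"AuditSessionID (\S+)")
CLIENT = re.compile(r"client \(([0-9a-fA-F.]+)\)")
RESULT = re.compile(r"Authentication result '([^']+)' from '([^']+)'")
VLAN_EQ = re.compile(r"Data VLAN (\d+) on port (\S+) cannot be equivalent to the Voice VLAN")


def triage(log_text):
    """Group 802.1X/MAB syslog lines by AuditSessionID and collect findings."""
    sessions = defaultdict(lambda: {"client": None, "results": {},
                                    "mnemonics": [], "findings": []})
    for line in log_text.splitlines():
        msg, sid = MSG.search(line), SESSION.search(line)
        if not (msg and sid):
            continue  # not a %FACILITY-SEV-MNEMONIC line, or no session id
        facility, _severity, mnemonic, text = msg.groups()
        s = sessions[sid.group(1)]
        s["mnemonics"].append(f"{facility}-{mnemonic}")
        if (c := CLIENT.search(text)):
            s["client"] = c.group(1)
        if (r := RESULT.search(text)):
            s["results"][r.group(2)] = r.group(1)  # method -> result
            if r.group(1) == "no-response":
                s["findings"].append(f"{r.group(2)}: client sent no reply")
        if mnemonic == "NOMOREMETHODS":
            s["findings"].append("every configured method was tried and failed")
        if (v := VLAN_EQ.search(text)):
            s["findings"].append(
                f"data VLAN {v.group(1)} equals the voice VLAN on {v.group(2)}")
    return dict(sessions)


if __name__ == "__main__":
    for sid, s in triage(SAMPLE_LOG).items():
        print(sid, s["client"], s["results"])
        for finding in s["findings"]:
            print("  -", finding)
```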