dot1x authentication problem

Hello

We have a problem with dot1x authentication.

When I apply the dot1x configuration on the interface, the interface goes into err-disable state when authenticating a user.

Here is the configuration of the interface:

interface FastEthernet0/45
 switchport access vlan 21
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 mab eap
 dot1x pae both
 dot1x timeout quiet-period 3
 dot1x timeout tx-period 5
 spanning-tree portfast

Here is the switch log for the failed authentication:

Jun  4 16:52:16.381: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:52:16.381: %AUTHMGR-5-START: Starting 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:52:16.423: %MAB-5-FAIL: Authentication failed for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:52:16.423: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:52:16.423: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:52:16.423: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:52:16.423: %AUTHMGR-5-FAIL: Authorization failed for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:53:17.165: %AUTHMGR-5-START: Starting 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:53:21.376: %DOT1X-5-SUCCESS: Authentication successful for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID
Jun  4 16:53:21.376: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:53:21.376: %DOT1X_SWITCH-5-ERR_ADDING_ADDRESS: Unable to add address 2c41.380f.f187 on Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:53:21.376: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/45, new MAC address (2c41.380f.f187) is seen. AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:53:21.376: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/45, putting Fa0/45 in err-disable state
Jun  4 16:53:22.400: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/45, changed state to down

Looks like your scenario matches a known defect:

CSCti69845: violation occurred after successful auth in multi-auth mode

Workaround

Configure a voice VLAN on the multi-auth port (or)

Addressed / fixed in 12.2(55)SE01

Jatin kone
- Please rate helpful posts -
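As an added example (not code from the post, the answer or Cisco), a small Python parser for IOS AUTHMGR/DOT1X/MAB/PM syslog lines that flags the sequence reported above: a client that passed authentication and was immediately reported as a security violation which err-disabled the port. The sample log is the post's own sequence re-typed in canonical IOS wording; everything else is standard library.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the sequence from the post above, re-typed in the
# canonical IOS syslog wording (the post's own timestamps, port and MAC).
SAMPLE_LOG = """\
Jun  4 16:52:16.381: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:52:16.381: %AUTHMGR-5-START: Starting 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:52:16.423: %MAB-5-FAIL: Authentication failed for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:52:16.423: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:52:16.423: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:52:16.423: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:52:16.423: %AUTHMGR-5-FAIL: Authorization failed for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:53:17.165: %AUTHMGR-5-START: Starting 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:53:21.376: %DOT1X-5-SUCCESS: Authentication successful for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID
Jun  4 16:53:21.376: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:53:21.376: %DOT1X_SWITCH-5-ERR_ADDING_ADDRESS: Unable to add address 2c41.380f.f187 on Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:53:21.376: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/45, new MAC address (2c41.380f.f187) is seen. AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:53:21.376: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/45, putting Fa0/45 in err-disable state
Jun  4 16:53:22.400: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/45, changed state to down
"""

# "Jun  4 16:52:16.381:" or "Dec 4 17:34:51.064 GMT:" followed by %FACILITY-SEV-MNEMONIC: text
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?)(?:\s+[A-Z]{3,4})?:\s+"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+):\s+(?P<msg>.*)$"
)
MAC_RE = re.compile(r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b")
PORT_RE = re.compile(r"\b(FastEthernet|GigabitEthernet|TenGigabitEthernet|Fa|Gi|Te)(\d+(?:/\d+)+)\b")
SHORT_NAMES = {"FastEthernet": "Fa", "GigabitEthernet": "Gi", "TenGigabitEthernet": "Te"}


@dataclass
class Event:
    ts: str
    facility: str
    mnemonic: str
    port: Optional[str]   # normalised to the short form, e.g. Fa0/45
    mac: Optional[str]
    msg: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one syslog line; returns None for lines that are not %FAC-SEV-MNEM messages."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    pm = PORT_RE.search(msg)
    port = SHORT_NAMES.get(pm.group(1), pm.group(1)) + pm.group(2) if pm else None
    mm = MAC_RE.search(msg)
    return Event(m.group("ts"), m.group("fac"), m.group("mnem"), port, mm.group(1) if mm else None, msg)


def parse_log(text: str) -> List[Event]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


@dataclass
class Finding:
    port: str
    mac: str
    success_ts: str
    violation_ts: str
    err_disabled: bool   # True if PM-4-ERR_DISABLE followed on the same port


def find_violation_after_success(events: List[Event]) -> List[Finding]:
    """Flag each port where a client that had just passed dot1x or MAB was then
    reported as a security violation (the symptom in the post above)."""
    by_port = {}
    for e in events:
        if e.port:
            by_port.setdefault(e.port, []).append(e)
    findings = []
    for port, evs in by_port.items():
        last_success = {}  # mac -> Event of its most recent DOT1X/MAB-5-SUCCESS
        for i, e in enumerate(evs):
            key = (e.facility, e.mnemonic)
            if key in (("DOT1X", "SUCCESS"), ("MAB", "SUCCESS")) and e.mac:
                last_success[e.mac] = e
            elif key == ("AUTHMGR", "SECURITY_VIOLATION") and e.mac in last_success:
                err_disabled = any(x.facility == "PM" and x.mnemonic == "ERR_DISABLE" for x in evs[i + 1:])
                findings.append(Finding(port, e.mac, last_success.pop(e.mac).ts, e.ts, err_disabled))
    return findings


if __name__ == "__main__":
    for f in find_violation_after_success(parse_log(SAMPLE_LOG)):
        print(f"{f.port}: {f.mac} passed auth at {f.success_ts}, violation at {f.violation_ts}, err-disabled={f.err_disabled}")
```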

Tags: Cisco Security

Similar Questions

  • Some computers are not authenticated successfully with ISE and join the guest VLAN

    Hello

    We have deployed ISE in a company and set up the workstations for computer authentication. When workstations are authenticated they are placed in the data VLAN (5); if they fail, they must be placed in VLAN 50. The WiredAutoConfig service is set as supplicant via GPO so that all workstations have the same settings.

    Certificate of the ISE is signed by our internal CA and workstations have also imported CA in their trusted CA list.

    The problem is that a few workstations are placed in that VLAN. Previously on these workstations we got a pop-up as below. When you clicked 'connect' the workstations were placed properly in the data VLAN (5). We no longer get this security alert on these machines and they just join the VLAN that we don't want.

    However, most of the workstations are authenticated successfully.

    switchport configuration:

    switchport access vlan 5
    switchport mode access
    switchport voice vlan 6
    authentication event fail action next-method
    authentication event server dead action authorize vlan 5
    authentication event server dead action authorize voice
    authentication event no-response action authorize vlan 50
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication violation replace
    mab
    mls qos trust dscp
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast
    spanning-tree bpduguard enable

    ISE authentication log:

    Is anyone in a similar situation?

    I guess the domain machines have the root CA certificate checked under the 'Protected EAP Properties' window?

  • Dot1x question: MAB authentication never fails or times out

    Hello

    I have a problem where the switch tries to authenticate a device with MAB and it never fails or times out.

    Here's the situation: a device has 802.1X authentication active but with invalid parameters (or a missing certificate).

    The switch starts dot1x for the client and it fails. It then fails over from dot1x to MAB and... silence.

    I use a WS-C2960-24LT-L with IOS 15.0(2)SE.

    Config:

     interface FastEthernet0/16
      switchport access vlan 155
      switchport mode access
      authentication event fail action authorize vlan 550
      authentication event server dead action authorize vlan 550
      authentication event no-response action authorize vlan 550
      authentication port-control auto
      mab
      dot1x pae authenticator
      dot1x timeout quiet-period 3
      dot1x timeout tx-period 1
      spanning-tree portfast
      spanning-tree bpduguard enable
     end

    Logs:

     Dec 4 17:34:51.064 GMT: %LINK-3-UPDOWN: Interface FastEthernet0/16, changed state to up
     Dec 4 17:34:51.147 GMT: %AUTHMGR-5-START: Starting 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
     Dec 4 17:34:52.070 GMT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/16, changed state to up
     Dec 4 17:34:54.234 GMT: %DOT1X-5-FAIL: Authentication failed for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
     Dec 4 17:34:54.234 GMT: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
     Dec 4 17:34:57.321 GMT: %DOT1X-5-FAIL: Authentication failed for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
     Dec 4 17:34:57.321 GMT: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
     Dec 4 17:35:00.601 GMT: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001197AA21094
     Dec 4 17:35:00.601 GMT: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001197AA21094
     Dec 4 17:35:00.601 GMT: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001197AA21094

    show authentication sessions interface fa0/16

     Interface: FastEthernet0/16
     MAC Address: Unknown
     IP Address: Unknown
     Status: Running
     Domain: UNKNOWN
     Oper host mode: single-host
     Oper control dir: both
     Session timeout: N/A
     Idle timeout: N/A
     Common Session ID: 0A011246000001197AA21094
     Acct Session ID: 0x00000380
     Handle: 0x1700011A
     Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Running

    You can see above that MAB is still running, but this device is not listed in the local ID store or anywhere else. If I run the command 'no mab', the switch responds that no more methods are available, and nothing more.

     Interface  MAC Address  Method  Domain   Status      Session ID
     Fa0/16     (unknown)    N/A     UNKNOWN  No Methods  0A011246000001197AA21094

    However, when I remove the mab command and reset the port, it eventually fails dot1x and moves to the restricted VLAN.

    Is this the default behaviour by design, or a drop between the switch and the ACS authentication? Should I just use MAB where it is needed?

    Thank you in advance.

    In your interface configuration, I would normally expect to see flex auth active, thus:

     authentication priority dot1x mab
     authentication order dot1x mab
     authentication event fail action next-method

  • "authentication control-direction in" in closed authentication mode

    Switch: 4510R-E, running a DEV version based on 3.6.0

    ISE: 1.2.0.899 patch 7

    Hi, I worked on a weird issue where some of my clients would lose their IP address, and the only way I could get it back was to put their port in open authentication mode. I need to run in closed mode because I change VLANs via MAB.

    I worked with TAC and they suggested adding the command "authentication control-direction in" to my switchport config (below). In the couple of tests I've done this seems to help, but I don't understand why. Doesn't the control-direction in command defeat the principle of closed mode operation? That is, it allows communication before the device is authorized. Thank you.

    interface GigabitEthernet2/18
     switchport access vlan 34
     switchport mode access
     switchport voice vlan 66
     logging event link-status
     authentication event fail action next-method
     authentication event server dead action authorize vlan 34
     authentication event server dead action authorize voice
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     service-policy input QoS-entry-policy
     service-policy output QoS-host-port-egress-policy
    end

    I also needed to use this command to preserve authenticated devices. It happened with a video surveillance system, which was an embedded Linux operating system. It used MAB, and because it did not transmit any noisy traffic (unlike a Windows box), the switch was not able to reauth it as it had no MAC address to auth, so it showed up with 'unknown' in the MAC field.

    It essentially allows traffic to flow out of the port. This enabled the unit to receive HTTP traffic and respond, so the switch could auth it again once the device sent a frame.

    When you do a show authentication sessions you will notice Oper control dir: both changes to Oper control dir: in

  • 802.1X authentication problem with Linux clients on C2960S-48TS-L

    Hello

    While implementing wired 802.1X in my business I have faced an authentication problem with some Linux (Ubuntu 13.10+) computers via MAB on my access switches (C2960S-48TS-L). The problem exists on IOS 12.55 and 15.0(2)SE6.

    It seems that the authenticator cannot detect the supplicant MAC address. In debugging, the MAC address is (unknown MAC) or (0000.0000.0000).

    Before authentication I could see the MAC address registered on the switchport interface (no 802.1X parameters on the port):

    show mac address-table interface g1/0/2 (before 802.1X authentication)
    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
       2    0015.990f.60d9    STATIC      Gi1/0/2

    The host must be put in VLAN 2 after authentication failure (according to the port parameters). But in reality, after attempting to authenticate, the host on this port loses connection with the network and does not get into VLAN 2.

    show mac address-table interface g1/0/2 (after 802.1X authentication)
    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----

    show authentication sessions

    Interface  MAC Address  Method  Domain   Status         Session ID
    Gi1/0/24   (unknown)    dot1x   DATA     Authz Success  6A7D1FAF0000000000023E32
    Gi1/0/25   (unknown)    dot1x   DATA     Authz Success  6A7D1FAF0000000200024193
    Gi1/0/2    (unknown)    mab     UNKNOWN  Running        6A7D1FAF000000280011BA1A

    show dot1x interface g1/0/2 details

    Dot1x Info for GigabitEthernet1/0/2
    -----------------------------------
    PAE                       = AUTHENTICATOR
    QuietPeriod               = 5
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthMax                 = 2
    MaxReq                    = 2
    TxPeriod                  = 3

    show run interface g1/0/2

    interface GigabitEthernet1/0/2
     description # User Port #
     switchport access vlan 2
     switchport mode access
     switchport voice vlan 5
     switchport port-security maximum 5
     switchport port-security
     switchport port-security aging time 2
     switchport port-security aging type inactivity
     ip arp inspection limit rate 120
     authentication event fail retry 0 action authorize vlan 2
     authentication event server dead action authorize vlan 2
     authentication event no-response action authorize vlan 2
     authentication host-mode [mode garbled in the original post]
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate 3900
     authentication timer inactivity 300
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout quiet-period 5
     dot1x timeout tx-period 3
     storm-control broadcast level 1.00
     storm-control multicast level 1.00
     storm-control action trap
     no cdp enable
     spanning-tree portfast
     spanning-tree bpduguard enable
     spanning-tree guard root
    end

    I tried changing the authentication host-mode to many modes, but the problem remains.

    "debug dot1x all" output is in the attached file.

    Please help me solve this problem.

    You must remove all port-security settings before you enable dot1x on a port; these two features do not work well together.

    Jan.

  • dot1x system-auth-control on 62xx and all ports/traffic go down?

    Hello

    With three VLANs, and now introducing dot1x only on certain ports, I do:

    RD(config)# dot1x system-auth-control                   # enable
    RD(config)# aaa authentication dot1x default radius     # point it to RADIUS
    RD(config)# interface ethernet 1/g1                     # bind it to a port
    RD(config-if-1/g1)# dot1x port-control auto             # config dot1x

    I assumed dot1x must be forced/enabled on a per-port/interface basis, and that before that is done there is no dot1x, but it seems that dot1x system-auth-control does not wait for anything and everything stops instantly.

    Is this the desired behaviour?

    And if yes, then how do I introduce dot1x little by little, starting with an ethernet port that is configured as here:

    1/g1

    Flow Control: Enabled

    Port: g1/1
    VLAN Membership Mode: Access Mode

    Operating parameters:
    PVID: 1
    Ingress Filtering: Enabled
    Acceptable Frame Type: Untagged
    Default Priority: 0
    GVRP Status: Disabled
    Protected: Disabled

    Port 1/g1 is a member of:
    VLAN  Name                              Egress rule   Type
    ----  --------------------------------- -----------   --------
    1     Default                           Untagged      Default

    Static configuration:
    PVID: 1
    Ingress Filtering: Enabled
    Acceptable Frame Type: Untagged

    Port 1/g1 is statically configured to:
    VLAN  Name                              Egress rule
    ----  --------------------------------- -----------

    Forbidden VLANs:
    VLAN  Name
    ----  ---------------------------------

    Thanks a lot!

    L.

    OK, so you can enter the other dot1x commands without them having any effect on the switch until 'dot1x system-auth-control' is given.

    I will certainly take a look at your other post.

  • ISE / IBNS 2.0 - open authentication

    Is anyone running IBNS 2.0, or does everyone stick with the legacy "authentication" commands that have been available forever?

    We are looking at IBNS 2.0 to take advantage of its critical ACL functionality, which is not available in the legacy auth-manager type.

    When I converted an existing legacy-style configuration to the new 2.0 style on a 3850, I could not tell which line is the equivalent of the "authentication open" command.
    Can someone please point it out to me?

    How do we do "authentication open" in the new IBNS 2.0 style?
    This is important for our MONITOR and LOW-IMPACT ISE deployment phases.

    ===============

    New style:

    policy-map type control subscriber POLICY_Gi1/0/21
     event session-started match-all
      10 class always do-until-failure
       10 authenticate using dot1x retries 2 retry-time 0 priority 10
     event authentication-failure match-first
      5 class DOT1X_FAILED do-until-failure
       10 terminate dot1x
       20 authenticate using mab priority 20
      10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
       10 activate service-template CRITICAL_AUTH_VLAN_Gi1/0/21
       20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
       25 activate service-template CRITICAL-ACCESS
       30 authorize
       40 pause reauthentication
      20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
       10 pause reauthentication
       20 authorize
      30 class DOT1X_NO_RESP do-until-failure
       10 terminate dot1x
       20 authenticate using mab priority 20
      40 class MAB_FAILED do-until-failure
       10 terminate mab
       20 authentication-restart 40
      60 class always do-until-failure
       10 terminate dot1x
       20 terminate mab
       30 authentication-restart 40
     event agent-found match-all
      10 class always do-until-failure
       10 terminate mab
       20 authenticate using dot1x retries 2 retry-time 0 priority 10
     event aaa-available match-all
      10 class IN_CRITICAL_AUTH do-until-failure
       10 clear-session
      20 class NOT_IN_CRITICAL_AUTH do-until-failure
       10 resume reauthentication
     event authentication-success match-all
      10 class always do-until-failure
       10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
     event violation match-all
      10 class always do-until-failure
       10 restrict

    ================

    Old style:

    interface GigabitEthernet1/0/21
     description TEST-ISE
     ip access-group ACL-DEFAULT in
     authentication event fail action next-method
     authentication event server dead action authorize vlan 1
     authentication event server dead action authorize voice
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication timer restart 40
     authentication violation restrict
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     dot1x pae authenticator
     dot1x timeout tx-period 10

    It seems that "authentication open" is now the default, and as such it does not appear in the new-style configuration.

    access-session closed

    Example:

    Device(config-if)# access-session closed

    Prevents preauthentication access on this port.

    • The port is set to open access by default.

    http://www.Cisco.com/en/us/docs/iOS-XML/iOS/San/configuration/XE-3SE/3850/San-Cntrl-pol.html

  • MAB Cisco phones successfully authenticated, VLANASSIGN assigned and failed authorization?

    I'm getting strange behavior with a Catalyst switch and 802.1X. I use multi-auth, with a PC and a Cisco phone patched in. Both devices authenticate correctly, but only the PC is authorized according to the switch logs.

    Switch terminal logs:

    Apr  7 09:27:37.836 EDT: %AUTHMGR-5-START: Starting 'mab' for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
    Apr  7 09:27:37.945 EDT: %MAB-5-SUCCESS: Authentication successful for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
    Apr  7 09:27:37.945 EDT: %AUTHMGR-5-VLANASSIGN: VLAN 100 assigned to Interface Fa0/1 AuditSessionID Unassigned
    Apr  7 09:27:37.970 EDT: %AUTHMGR-5-FAIL: Authorization failed for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
    Apr  7 09:27:39.295 EDT: %AUTHMGR-5-START: Starting 'dot1x' for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
    Apr  7 09:27:43.775 EDT: %DOT1X-5-SUCCESS: Authentication successful for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID
    Apr  7 09:27:43.783 EDT: %AUTHMGR-5-VLANASSIGN: VLAN 212 assigned to Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
    Apr  7 09:27:45.570 EDT: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082

    Switch config:

    aaa authentication dot1x default group RADIUS-DOT1X
    aaa authorization network default group radius
    ip radius source-interface Loopback0
    radius-server vsa send accounting
    radius-server vsa send authentication
    dot1x system-auth-control
    dot1x guest-vlan supplicant

    Interface configuration:

    interface FastEthernet0/1
     switchport mode access
     srr-queue bandwidth share 10 10 60 20
     priority-queue out
     authentication event fail action next-method
     authentication event server dead action authorize voice
     authentication event no-response action authorize vlan 999
     authentication host-mode multi-auth
     authentication order dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation protect
     mab
     mls qos trust cos
     auto qos voip trust
     dot1x pae authenticator
     no mdix auto
     spanning-tree portfast

    NPS Windows Server policy:


    Hello Jim,

    Try using multi-domain host mode instead of multi-auth.

    Kind regards

    Poonam Garg

  • Authentication result "no-response" of "mab".

    Hi all

    Another Ministry, another problem. Basically, we are trying to set up MAB-based authentication, and if a client MAC is not known the port must be kept closed.

    Configuration: WS-C2960-24TC-L with IOS 12.2(55)SE1, authentication against FreeRADIUS (2.1.10)

    Excerpt from the running configuration

    aaa new-model
    !
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting delay-start
    aaa accounting network default start-stop group radius
    !

    dot1x system-auth-control
    !
    interface GigabitEthernet0/19
    switchport mode access
    switchport voice vlan 2
    authentication event fail retry 0 action authorize vlan 999
    authentication event server dead action authorize vlan 1
    authentication event no-response action authorize vlan 1
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication port-control auto
    authentication violation restrict
    mab
    spanning-tree portfast
    !
    radius-server dead-criteria tries 1
    radius-server host 10.2.1.33 auth-port 1812 acct-port 1813
    radius-server timeout 10
    radius-server key 7 xxxxxxx
    radius-server vsa send accounting
    radius-server vsa send authentication

    Now, if I connect a laptop to port Gi0/19, FreeRADIUS sends a reject, but the port gets authorized into VLAN 1 (we also tried putting the data on another VLAN). VLAN 999 does not exist; I tried running this configuration with the authentication events pointing at the other VLAN, but with the same result.

    Debugging snippet (attached full debugging log)

    001608: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) Black Listed Mac Address 0026.5588.491c on vlan 1
    001609: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) Received notification for 0026.5588.491c in domain DATA
    001610: 4w1d: AUTH-FEAT-SWITCH-PM-EVENT (Gi0/19) dot1x_switch_mac_address_notify: MAC 0026.5588.491c on GigabitEthernet0/19(1) consumed by MDA. termi
    001611: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) Get domain: UNKNOWN
    001612: .Mar 11 07:59:19: %AUTHMGR-5-START: Starting 'mab' for client (0026.5588.491c) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
    001613: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) Get domain: UNKNOWN
    001614: .Mar 11 07:59:20: %MAB-5-FAIL: Authentication failed for client (0026.5588.491c) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
    001615: .Mar 11 07:59:20: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0026.5588.491c) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
    001616: .Mar 11 07:59:20: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0026.5588.491c) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
    001617: .Mar 11 07:59:20: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0026.5588.491c) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
    001618: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) Get domain: DATA
    001619: 4w1d: AUTH-FEAT-GUEST-VLAN-EVENT (Gi0/19) Authentication failure due to non-responsi
    001620: 4w1d: AUTH-FEAT-GUEST-VLAN-EVENT (Gi0/19) Activating guest VLAN 1
    001621: 4w1d: AUTH-FEAT-SWITCH-PM-EVENT (Gi0/19) PM Actions: Setting vlan 1 in DATA domain
    001622: 4w1d: AUTH-FEAT-SWITCH-PM-EVENT (Gi0/19) Assigning dynamic vlan = 1 on port GigabitEthernet0/19
    001623: .Mar 11 07:59:20: %AUTHMGR-5-VLANASSIGN: VLAN 1 assigned to Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF

    ...

    001631: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) Authorizing vp DATA, isLast is 1
    001632: 4w1d: AUTH-FEAT-SWITCH-PM-EVENT (Gi0/19) dot1x_switch_port_vp_authorized: GigabitEthernet0/19 vp authorized in domain DATA, isLast i
    001633: 4w1d: AUTH-FEAT-VOICE-EVENT (Gi0/19) No transit entry
    001634: .Mar 11 07:59:21: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
    001635: 4w1d: AUTH-FEAT-SWITCH-PM-EVENT (Gi0/19) Checking data packet allowed, mac 0026.5588.491c, vlan
    001636: 4w1d: AUTH-FEAT-GUEST-VLAN-EVENT (Gi0/19) Overriding host_mode, forcing to MULTI_HOS

    ...

    001827: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) dot1x_switch_mda_dot1x_sub_feature_permits_pkt: Guest VLAN is active and MAC 0026.5588.491c arrived on da
    001828: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) dot1x_switch_mda_is_interested_in_mac: Not interested in unsecured 0026.5588.491c(1) on GigabitEthernet0/19
    001829: 4w1d: AUTH-FEAT-GUEST-VLAN-EVENT (Gi0/19) Overriding host_mode, forcing to MULTI_HOS

    So we have run into a large number of issues and are unable to find answers on the net that make sense.

    Can anyone see what has gone wrong?

    Thanks in advance,

    Chris Schaatsbergen

    Hello

    This happens because you have a guest VLAN configured... You can remove the command 'authentication event no-response action authorize vlan 1' to achieve the desired result. The guest VLAN is intended to allow unknown users/MACs onto the network by means of the guest VLAN.

    Let me know if it helps

    Thank you

    Mani

  • Dot1x: not failing over to the guest VLAN

    Hello

    I am deploying dot1x in the office and I am having some difficulty getting dot1x to fail over to mab and then to the guest VLAN.

    A simple scenario: where an end-user device cannot provide authentication, I want the switch to automatically put the user on the guest VLAN. I did not enable periodic authentication (to keep excessive authentication to a minimum) and I configured maximum attempts, but the switch constantly tries to authenticate the device.

    Switch model: WS-C2960-24LT-L with 15.0(2)SE6.

    The switch configuration:

     aaa accounting dot1x default start-stop group radius
     aaa authentication dot1x default group radius
     dot1x system-auth-control

    Port configuration:

     interface FastEthernet0/15
      switchport access vlan 144
      switchport mode access
      authentication event fail action next-method
      authentication event server dead action authorize vlan 550
      authentication event no-response action authorize vlan 550
      authentication host-mode single-host
      authentication order dot1x mab
      authentication priority dot1x mab
      authentication port-control auto
      authentication violation restrict
      mab
      dot1x pae authenticator
      dot1x max-req 3
      dot1x max-reauth-req 1
      spanning-tree portfast
     !

    Any help will be greatly appreciated.

    UPDATE: see the comments below.

    Good job solving your own problem, Oliver, and thanks for taking the time to update everyone here! (+5 from me). If your problem is resolved you should mark the thread as answered ;)

  • Cisco 3750 switch 802.1X: how to stop authentication retries for clients that are not authorized

    Hi experts,

    I'm trying to stop authentication attempts for guests. They will not have the credentials to be authorized and we'll put them in the guest VLAN. However, the switch always seems to retry authentication every 15 seconds or so by default. That is fine if guests are rare, but I'm deploying this in a hotel where most of the users are guests (like 1000 of them at the same time...).

    I really need to turn this off or at least find a timer to reduce the frequency... It is urgent because the hotel is about to open... Here is the config I put on an interface:

    switchport access vlan 1055
    switchport mode access
    switchport nonegotiate
    switchport voice vlan 657
    ip access-group ACL_PortIso_IDF21 in
    authentication event fail action authorize vlan 1055
    authentication event no-response action authorize vlan 1055
    authentication host-mode multi-domain
    authentication port-control auto
    authentication violation protect
    mab
    no snmp trap link-status
    dot1x pae authenticator
    dot1x timeout quiet-period 300
    dot1x timeout tx-period 2
    dot1x timeout supp-timeout 2
    dot1x max-reauth-req 10
    dot1x timeout held-period 300
    no cdp enable
    spanning-tree portfast
    spanning-tree bpduguard enable
    no ip igmp snooping tcn flood

    Thank you!

    My guess at what is happening:

    dot1x in your configuration gives up after tx-period x (max-reauth-req + 1), which for you is 22 seconds.

    AUTH MGR (the software that controls dot1x / MAB / webauth) is probably set to restart every 60 seconds.

    You can check this with:

    'show run all | b X/Y' - replace X/Y with the port you are testing with.

    Look for the command 'authentication timer restart 60'.

    Try setting it to 0. If IOS doesn't let you change it, please post your software version.
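    To make the timing in this answer and the port configuration from the first question above concrete, here is an added example (my code, not from any poster or from Cisco) that parses an IOS interface block, computes the tx-period x (max-reauth-req + 1) fallback time, and reports whether `authentication timer restart` has been set. The sample config, the IOS default values, and the reading of the restart timer as the cause of the periodic retries are taken from this thread and are assumptions, not documentation; check `show run all` on the actual platform.

```python
"""Audit an IOS 802.1X port for guest-fallback timing (added example)."""
import re

# IOS defaults assumed when the port does not set the value (assumption; the
# answer above suggests confirming them with 'show run all').
IOS_DEFAULTS = {"tx-period": 30, "max-reauth-req": 2, "quiet-period": 60, "restart": None}

# Constructed sample modelled on the port configs posted in this thread.
SAMPLE_PORT_CONFIG = """\
interface FastEthernet0/15
 switchport access vlan 144
 switchport mode access
 authentication event no-response action authorize vlan 550
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 2
 dot1x max-reauth-req 10
"""


def parse_dot1x_timers(config: str) -> dict:
    """Pull the dot1x/authmgr timers out of an interface config block."""
    timers = dict(IOS_DEFAULTS)
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"dot1x timeout (tx-period|quiet-period) (\d+)", line)
        if m:
            timers[m.group(1)] = int(m.group(2))
            continue
        m = re.fullmatch(r"dot1x max-reauth-req (\d+)", line)
        if m:
            timers["max-reauth-req"] = int(m.group(1))
            continue
        m = re.fullmatch(r"authentication timer restart (\d+)", line)
        if m:
            timers["restart"] = int(m.group(1))
    return timers


def seconds_until_fallback(timers: dict) -> int:
    """Time before dot1x gives up on a silent client: the initial
    EAP-Request/Identity plus max-reauth-req retransmits, tx-period apart."""
    return timers["tx-period"] * (timers["max-reauth-req"] + 1)


def audit_guest_port(config: str) -> list:
    """Return findings about how a client with no supplicant is treated."""
    timers = parse_dot1x_timers(config)
    findings = [
        "dot1x falls through to the next method after "
        f"tx-period x (max-reauth-req + 1) = {seconds_until_fallback(timers)}s"
    ]
    guest_fallback = re.search(
        r"authentication event no-response action authorize vlan (\d+)", config
    )
    if guest_fallback:
        vlan = guest_fallback.group(1)
        if timers["restart"] is None:
            findings.append(
                f"no-response clients land in vlan {vlan} but 'authentication timer "
                "restart' is left at its default, so authmgr keeps re-challenging them; "
                "set 'authentication timer restart 0' to stop the retries"
            )
        elif timers["restart"] == 0:
            findings.append(
                f"no-response clients land in vlan {vlan} and stay there: restart timer is 0"
            )
        else:
            findings.append(
                f"no-response clients land in vlan {vlan} and are re-challenged every "
                f"{timers['restart']}s"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_guest_port(SAMPLE_PORT_CONFIG):
        print(finding)
```

    Run against the sample it reports the 22-second fallback from this answer and flags the missing restart timer; feed it the output of `show run interface` for the port you are testing instead.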

  • Custom authentication with a trusted source

    Hello

    There is the following requirement: a user of a non-APEX application clicks a link to an APEX page and must be authenticated without having to type his username and password (without page 101), because he is already authenticated in this non-APEX application.

    My approach: create a procedure that checks whether the user is authenticated in the non-APEX application. Then create a custom authentication scheme whose authentication function is my procedure. Then, of course, change the current authentication scheme to my authentication scheme. BUUUT what happens if the user is not properly authenticated in the non-APEX application? In that case I think the user should see page 101 and type the username and password.

    Is it possible to do something like this: if the procedure returns true, use the custom authentication scheme; if it returns false, use the APEX authentication scheme (standard scheme)? Or is this not the right approach?

    Thank you very much for your answers.

    Kind regards

    Anton

    PS: I know there are some discussions in the forum about this, but I don't understand how they can help in my case.

    Hi Anton,

    Instead of calling APEX_CUSTOM_AUTH.LOGIN, you can call APEX_CUSTOM_AUTH.SET_SESSION_ID and APEX_CUSTOM_AUTH.SET_USER and use a page sentry function. You will have to search this forum for page sentry functions for more information.

    In your custom authentication function the parameters are username and password, but you can check whatever you want and return true or false. If you do not check the password at all you could just always return true and let all users in. You need to decide what information you will use to authenticate users. There are many ways to do what you want. The generated-password technique just lets you do a little work outside the authentication function so that you have two ways of authenticating: some users have a password generated for them and others must provide their password. The authentication function then doesn't have to worry about the right checks for the two kinds of password.

    Rod West

  • N3048P voice VLAN and DHCP issues

    Hello

    I just received several N3048P switches for our access layer and 2 x 4048-ON for our core layer. The N3048Ps are VLT'd between the two 4048s. There are 4 x N3048P, one on top of the other. The 4048s own all gateways via VRRP.

    I have 802.1x working with my Windows test client, and I can get the phone (Cisco 7941) to acquire a DHCP address if I put it on a port in "switchport mode access". However, if I change the port to a general port with voice VLAN and 802.1x enabled, the phone does not get a DHCP address, but the PC attached to the phone gets a DHCP address in the correct VLAN.

    I see CDP and LLDP messages being exchanged via Wireshark, and it seems that the phone and the switch are exchanging the voice VLAN correctly.

    My question is, why can't the phone get a DHCP address?

    Here's the relevant switch config below. I know some of the config may be duplicated from troubleshooting steps:

    vlan 75
    name "Test"
    exit
    vlan 76
    name "Test_Phones"
    exit

    ip helper-address 1.1.1.3 dhcp
    ip helper-address 1.1.1.4 dhcp

    interface vlan 75
    ip address 172.16.75.4 255.255.255.0
    ip helper-address 1.1.1.3
    ip helper-address 1.1.1.4
    exit
    interface vlan 76
    ip address 172.16.76.4 255.255.255.0
    ip helper-address 1.1.1.3
    ip helper-address 1.1.1.4

    aaa authentication login "defaultList" local
    aaa accounting dot1x default start-stop radius
    dot1x system-auth-control
    aaa authentication dot1x default radius
    aaa authorization network default radius

    voice vlan

    radius server source-ip 172.16.75.4
    radius server key "key"
    radius server host auth 1.1.1.1
    primary
    name "rad1"
    usage 802.1x
    key "key"
    exit
    radius server host auth 1.1.1.2
    name "rad2"
    usage 802.1x
    key "key"
    exit
    radius server host acct 1.1.1.1
    name "rad1"
    exit
    radius server host acct 1.1.1.2
    name "rad2"
    exit

    interface Gi2/0/1

    description "802.1x client port"
    spanning-tree portfast
    spanning-tree guard root
    switchport mode general
    switchport general allowed vlan add 75-76 tagged
    dot1x re-authentication
    dot1x quiet-period 5
    dot1x tx-period 5
    dot1x guest-vlan 20
    dot1x unauth-vlan 20
    lldp transmit-tlv sys-desc sys-cap
    lldp transmit-mgmt
    lldp notification
    lldp med confignotification
    voice vlan 76
    voice vlan auth disable
    exit

    Thanks for any input you may have. Let me know if there is any other information I can provide.

    -Jason

    This ended up being the correct port configuration:

    interface Gi2/0/1

    description "802.1x client port"
    spanning-tree portfast
    switchport mode general
    switchport general pvid 75
    switchport general allowed vlan add 75
    switchport general allowed vlan add 76 tagged
    dot1x port-control mac-based
    dot1x re-authentication
    dot1x quiet-period 5
    dot1x timeout supp-timeout 15
    dot1x tx-period 5
    dot1x guest-vlan-period 15
    dot1x guest-vlan 20
    dot1x unauth-vlan 20
    voice vlan 76
    voice vlan auth disable

    The most important line here is "dot1x port-control mac-based". I had "dot1x port-control auto" configured, but it did not work as expected. In addition, setting the guest-vlan-period and supp-timeout was necessary. If the port was bounced, the switch would not necessarily reauth the port.

  • AAA secondary ACS entry

    Hello

    I have 802.1x and MAB configured. I added a second ACS server and added the switch definition to it.
    My problem is that the ACS works well when it is set as the primary option in the switch. But when it is configured as the backup and I force a failure on the primary, the switch does not try to use the backup ACS.

    Can someone please give me some pointers on my configuration below?

    Thank you

    aaa group server radius rrrr
    server-private 10.4.25.117 auth-port 1645 acct-port 1646 key 7 01100F175804575D72
    server-private 10.4.25.114 auth-port 1645 acct-port 1646 key 7 01100F175804575D72
    ip radius source-interface Vlan200
    !
    aaa new-model

    aaa authentication dot1x default group rrrr
    aaa authorization exec default local if-authenticated
    aaa authorization network default group rrrr
    aaa accounting dot1x default start-stop group rrrr

    interface FastEthernet0/1
    switchport access vlan 200
    switchport mode access
    switchport voice vlan 2
    authentication control-direction in
    authentication event fail action authorize vlan 100
    authentication event server dead action authorize vlan 100
    authentication event no-response action authorize vlan 100
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication port-control auto
    authentication violation protect
    mab
    dot1x pae authenticator
    dot1x timeout quiet-period 3
    dot1x timeout tx-period 4
    spanning-tree portfast

    Hi Tiago,

    The fix was to configure the following:

    radius-server retransmit 2

    radius-server timeout 3

    to allow the transition to the secondary ACS server before starting the methods. It was trying to authenticate before moving on to the second ACS.

    Thanks for your help.

  • Mac-auth-bypass fails, MAC: 0000.0000.0000

    I have an old JetDirect which does not support 802.1x. I enabled MAB on the port where it connects, but for some reason MAB fails every time. I enabled debug dot1x and pasted the output below. I know that my dot1x config is good... I have clients who authenticate via RADIUS to my ACS server. I also have a different port using MAB, not a JetDirect, however the two ports are configured the same way. From the debugs, it seems that the switch can't glean the MAC of the JetDirect. Any ideas? It is a 3750 with 12.2(44)SE2. I tried shut/no shut on the interface and resetting the JetDirect; nothing seems to work. I see no request on my ACS server for the MAC address of the device.

    aaa authentication dot1x default group radius
    aaa authorization network default group radius

    radius-server host 192.168.x.x auth-port 1645 acct-port 1646

    interface FastEthernet2/0/31
    description white A002
    switchport access vlan 112
    switchport mode access
    switchport voice vlan 800
    switchport port-security maximum 3
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    srr-queue bandwidth share 10 10 60 20
    srr-queue bandwidth shape 10 0 0 0
    mls qos trust device cisco-phone
    mls qos trust cos
    auto qos voip cisco-phone
    dot1x mac-auth-bypass eap
    dot1x pae authenticator
    dot1x port-control auto
    dot1x host-mode multi-domain
    dot1x violation-mode restrict
    dot1x timeout tx-period 2
    dot1x timeout supp-timeout 10
    spanning-tree portfast
    spanning-tree bpduguard enable

    012729: May 5 14:51:31.672: dot1x-packet:dot1x_txReq: EAPOL packet sent out to the default authenticator
    012730: May 5 14:51:32.586: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0/31, changed state to
    012731: May 5 14:51:33.727: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
    012732: May 5 14:51:33.727: dot1x-sm:Posting EAP_REQ client = 4219220
    012733: May 5 14:51:33.727: dot1x_auth_bend Fa2/0/31: during state auth_bend_request, got event 7(eapReq)
    012734: May 5 14:51:33.727: @ dot1x_auth_bend Fa2/0/31: auth_bend_request -> auth_bend_request
    012735: May 5 14:51:33.727: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_request_action called
    012736: May 5 14:51:33.727: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_enter called
    012737: May 5 14:51:33.727: dot1x-packet:dot1x_mgr_send_eapol: EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1 data:
    012738: May 5 14:51:33.727: dot1x-ev:FastEthernet2/0/31: Sending EAPOL packet to the EAP group address
    012739: May 5 14:51:33.727: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet2/0/31.
    012740: May 5 14:51:33.727: dot1x-registry:registry:dot1x_ether_macaddr called
    012741: May 5 14:51:33.727: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet2/0/31
    012742: May 5 14:51:33.727: EAPOL pak dump Tx
    012743: May 5 14:51:33.727: EAPOL Version: 0x2 type: 0x0 length: 0x0005
    012744: May 5 14:51:33.727: EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1
    012745: May 5 14:51:33.727: dot1x-packet:dot1x_txReq: EAPOL packet sent out to the default authenticator
    012746: May 5 14:51:35.791: dot1x-ev:Received an EAP Timeout on FastEthernet2/0/31 for mac 0000.0000.0000
    012747: May 5 14:51:35.791: dot1x-sm:Posting EAP_TIMEOUT client = 4219220
    012748: May 5 14:51:35.791: dot1x_auth_bend Fa2/0/31: during state auth_bend_request, got event 12(eapTimeout)
    012749: May 5 14:51:35.791: @ dot1x_auth_bend Fa2/0/31: auth_bend_request -> auth_bend_timeout
    012750: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_timeout_enter called
    012751: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_timeout_action called
    012752: May 5 14:51:35.791: dot1x_auth_bend Fa2/0/31: idle during state auth_bend_timeout
    012753: May 5 14:51:35.791: @ dot1x_auth_bend Fa2/0/31: auth_bend_timeout -> auth_bend_idle
    012754: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_idle_enter called
    012755: May 5 14:51:35.791: dot1x-sm:Posting AUTH_TIMEOUT client = 4219220
    012756: May 5 14:51:35.791: dot1x_auth Fa2/0/31: during state auth_authenticating, got event 15(authTimeout)
    012757: May 5 14:51:35.791: @ dot1x_auth Fa2/0/31: auth_authenticating -> auth_fallback
    012758: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_authenticating_exit called
    012759: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_fallback_enter called
    012760: May 5 14:51:35.791: dot1x_auth_mab: initial state mab_initialize has enter
    012761: May 5 14:51:35.791: dot1x_auth_mab: during state mab_initialize, got event 2(mabStart)
    012762: May 5 14:51:35.791: @ dot1x_auth_mab: mab_initialize -> mab_acquiring
    012763: May 5 14:53:08.831: dot1x_auth_mab: during state mab_acquiring, got event 3(mabResult) (ignored)

    HQ_1stFlr_3750#sh dot1x int fa2/0/31 det

    Dot1x Info for FastEthernet2/0/31
    -----------------------------------
    PAE                       = AUTHENTICATOR
    PortControl               = AUTO
    ControlDirection          = Both
    HostMode                  = MULTI_DOMAIN
    Violation Mode            = RESTRICT
    ReAuthentication          = Disabled
    QuietPeriod               = 60
    ServerTimeout             = 30
    SuppTimeout               = 10
    ReAuthPeriod              = 3600 (Locally configured)
    ReAuthMax                 = 2
    MaxReq                    = 2
    TxPeriod                  = 2
    RateLimitPeriod           = 0
    Mac-Auth-Bypass           = Enabled (EAP)
    Inactivity Timeout        = None

    Dot1x Authenticator Client List Empty

    Port Status               = UNAUTHORIZED

    Does the JetDirect card use DHCP to get an IP address? If it doesn't, then the JetDirect won't send any traffic for the switch to authenticate. To test this, use the front panel of the printer to send a ping packet and see if it triggers MAB.
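    The debug output in this thread shows the pattern a defender can look for when MAB never produces a RADIUS request: every line carries the all-zero MAC, dot1x times out into `auth_fallback`, and MAB sits in `mab_acquiring` with its result event ignored. The script below is an added example (my code, not from the poster or from Cisco) that pulls those three signals out of `debug dot1x` text. The sample lines are constructed to mirror the post, not copied from it, and the interpretation of the state names is an assumption drawn from the thread rather than from Cisco documentation.

```python
"""Triage Cisco 'debug dot1x' output for a MAB client that never reaches
RADIUS (added example)."""
import re
from collections import Counter

# Constructed lines modelled on the debug output in the post above
# (not the post's verbatim output).
SAMPLE_DEBUG = """\
012731: May 5 14:51:33.727: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
012746: May 5 14:51:35.791: dot1x-ev:Received an EAP Timeout on FastEthernet2/0/31 for mac 0000.0000.0000
012757: May 5 14:51:35.791: @ dot1x_auth Fa2/0/31: auth_authenticating -> auth_fallback
012762: May 5 14:51:35.791: @ dot1x_auth_mab: mab_initialize -> mab_acquiring
012763: May 5 14:53:08.831: dot1x_auth_mab: during state mab_acquiring, got event 3(mabResult) (ignored)
"""

ZERO_MAC = "0000.0000.0000"
MAC_RE = re.compile(r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b")
TRANSITION_RE = re.compile(r"(\w+)\s*->\s*(\w+)")


def analyse_dot1x_debug(debug_text: str) -> dict:
    """Summarise MACs seen, state transitions and what they imply for MAB."""
    macs = Counter()
    transitions = []
    ignored_events = 0
    for line in debug_text.splitlines():
        macs.update(MAC_RE.findall(line))
        m = TRANSITION_RE.search(line)
        if m:
            transitions.append((m.group(1), m.group(2)))
        if "(ignored)" in line:
            ignored_events += 1

    findings = []
    # MAB can only query RADIUS with a real source MAC; an all-zero MAC means
    # the authenticator never saw a frame from the client to learn one.
    if macs and set(macs) == {ZERO_MAC}:
        findings.append("only the all-zero MAC appears: no frame from the client was seen")
    if ("auth_authenticating", "auth_fallback") in transitions:
        findings.append("dot1x timed out waiting for a supplicant and fell back to MAB")
    entered_mab = ("mab_initialize", "mab_acquiring") in transitions
    left_acquiring = any(src == "mab_acquiring" for src, _ in transitions)
    if entered_mab and not left_acquiring and ignored_events:
        findings.append(
            "MAB stayed in mab_acquiring and its result event was ignored: "
            "no MAC to send, so the RADIUS server never receives a request"
        )
    return {"macs": dict(macs), "transitions": transitions, "findings": findings}


if __name__ == "__main__":
    for finding in analyse_dot1x_debug(SAMPLE_DEBUG)["findings"]:
        print(finding)
```

    Any real client MAC in the output (for example after the printer sends the ping suggested above) clears the first finding, which is the quickest way to confirm that the device is simply silent rather than being rejected by the server.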
