DOT1X-3-INVALID_REPLAY_CTR

Hello

Does anybody know the origin of this error message, found in the log of our Cisco 4400 WLC?

Aug 12 07:30:59.111 1x_eapkey.c:351 DOT1X-3-INVALID_REPLAY_CTR: Invalid replay counter from client 00:1f:9e:8b:8b:a6 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01

Apparently it's an authentication problem, but I can't seem to find anything related to it on the web.

WLC software version: 5.0.148.0

Best regards

OLE Vik

This error occurs because the client authentication failed: an EAPOL message from the client contained an invalid replay counter. As the recommended action, try upgrading the client driver software or using different client software to isolate the cause. Also investigate possible intruder activity.
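The rule the WLC is enforcing here, as an added illustration (this is not WLC or Cisco code): in the 802.11i 4-way handshake the authenticator puts a fresh 64-bit replay counter on each EAPOL-Key frame it sends (M1, M3), and the supplicant's reply (M2, M4) must echo exactly that value. The client MAC and the counter values are taken from the log line above; the class and function names, the assumption that the first counter sent is 1, and the three supplicant behaviours are mine and constructed for the example.

```python
"""Authenticator-side EAPOL-Key replay-counter check (added example, not WLC code)."""
from __future__ import annotations

from typing import Callable

REPLAY_CTR_LEN = 8  # EAPOL-Key Replay Counter field: 8 bytes, big-endian


def fmt_counter(value: int) -> str:
    """Render a counter the way the WLC log prints it: 8 space-separated hex bytes."""
    return " ".join(f"{b:02x}" for b in value.to_bytes(REPLAY_CTR_LEN, "big"))


class EapolKeyAuthenticator:
    """Replay-counter state for one client association (hypothetical class name)."""

    def __init__(self, client_mac: str) -> None:
        self.client_mac = client_mac
        self.replay_counter = 0      # last value we put on the wire; first send uses 1
        self.log: list[str] = []     # rejections, worded like the WLC message

    def send_message(self) -> int:
        """Authenticator -> supplicant (M1 or M3): use a new, higher counter."""
        self.replay_counter += 1
        return self.replay_counter

    def receive_reply(self, received: int) -> bool:
        """Supplicant -> authenticator (M2 or M4): must echo the counter just sent.
        Anything else is stale, replayed or forged and the frame is dropped."""
        if received != self.replay_counter:
            self.log.append(
                "DOT1X-3-INVALID_REPLAY_CTR: Invalid replay counter from client "
                f"{self.client_mac} - got {fmt_counter(received)}, "
                f"expected {fmt_counter(self.replay_counter)}")
            return False
        return True


def run_handshake(client_mac: str,
                  supplicant: Callable[[int], int]) -> tuple[bool, list[str]]:
    """Drive M1/M2 then M3/M4. `supplicant` maps the counter it received to the
    counter it answers with. Returns (handshake completed, rejection log)."""
    auth = EapolKeyAuthenticator(client_mac)
    for _exchange in ("M1/M2", "M3/M4"):
        sent = auth.send_message()
        if not auth.receive_reply(supplicant(sent)):
            return False, auth.log
    return True, auth.log


# Constructed supplicant behaviours (not real client code):
def well_behaved(counter: int) -> int:
    return counter        # echoes what it was sent


def stale_driver(counter: int) -> int:
    return 0              # keeps answering with the counter from an old association


def replayed_frame(counter: int) -> int:
    return counter - 1    # a captured reply from the previous exchange, sent again


if __name__ == "__main__":
    for name, behaviour in (("ok", well_behaved), ("stale", stale_driver),
                            ("replay", replayed_frame)):
        done, log = run_handshake("00:1f:9e:8b:8b:a6", behaviour)
        print(name, done, log)
```

Note that the stale driver and the replayed frame produce the identical log line: the message alone cannot tell a buggy client from a replay, which is why the recommended action pairs a driver upgrade with looking for intruder activity.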

Tags: Cisco Wireless

Similar Questions

  • LAP drops client connections

    Hello! We have a WLC 5508 (6.0.188.0) and converted some APs, AIR-AP1141N-E-K9. Everything works well except for one thing:

    One of these converted APs is located outside the office building, but it is still connected to our LAN as if it were in the office (there is a fiber link between our Cisco switch and a switch to which only this one LAP is connected).

    The problem is that users can't get normal Wi-Fi on that remote LAP. I see the client "associated" for a few pings, then it drops; sometimes it stays up a little longer, then drops again.

    WLC logs:

    15 Feb 10:04:53 172.22.90.20 Wi-Fi_Controller: *Feb 15 10:11:17.702: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:407 Max EAPOL-Key M1 retransmissions exceeded for client XX

    15 Feb 10:04:57 172.22.90.20 Wi-Fi_Controller: *Feb 15 10:11:22.104: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:407 Max EAPOL-Key M1 retransmissions exceeded for client XX

    15 Feb 10:36:14 172.22.90.20 Wi-Fi_Controller: *Feb 15 10:42:38.859: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:354 Invalid replay counter from client XX - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01

    15 Feb 10:37:07 172.22.90.20 Wi-Fi_Controller: *Feb 15 10:43:32.061: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:407 Max EAPOL-Key M3 retransmissions exceeded for client XX

    15 Feb 10:37:12 172.22.90.20 Wi-Fi_Controller: *Feb 15 10:43:37.061: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:407 Max EAPOL-Key M1 retransmissions exceeded for client XX

    15 Feb 10:37:16 172.22.90.20 Wi-Fi_Controller: *Feb 15 10:43:40.888: %DOT1X-1-INVALID_WPA_KEY_STATE: 1x_eapkey.c:1638 Received EAPOL-Key message while in invalid state (0) - client XX, descriptor 2, type 3, version 1

    15 Feb 10:37:21 172.22.90.20 Wi-Fi_Controller: *Feb 15 10:43:45.661: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:407 Max EAPOL-Key M1 retransmissions exceeded for client XX

    15 Feb 10:37:23 172.22.90.20 Wi-Fi_Controller: *Feb 15 10:43:47.540: %DOT1X-1-INVALID_WPA_KEY_STATE: 1x_eapkey.c:1638 Received EAPOL-Key message while in invalid state (0) - client XX, descriptor 2, type 3, version 1

    15 Feb 10:37:26 172.22.90.20 Wi-Fi_Controller: *Feb 15 10:43:50.461: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:407 Max EAPOL-Key M1 retransmissions exceeded for client XX

    What could it be? Is it possible that some noise or something else is causing this? The building with this problematic LAP is a kind of movie studio...

    Well, as long as the connection between the remote location and the location where the WLC is connected is good, then it can be done. If you click on the access point in the Wireless tab of the WLC, at the bottom of the page you can see the uptime and the join time. If these times are correct and not short, then the link is fine. Have you tried swapping the AP to see if you still have the same problem? I'm guessing that clients in the main building work very well, but when they go to the other site they have some issues on the same SSID. If you think it is interference, you can use a spectrum analyzer to determine what it is. Maybe some of the lighting or various wireless devices they might use there.

    Sent from Cisco Technical Support iPhone App

  • dot1x system-auth-control on 62xx and all port/traffic goes down?

    Hello

    with three VLANs, and now I'm introducing dot1x on only certain ports:

    RD(config)# dot1x system-auth-control                 # enable
    RD(config)# aaa authentication dot1x default radius   # point it at RADIUS
    RD(config)# interface ethernet 1/g1                   # bind it to a port
    RD(config-if-1/g1)# dot1x port-control auto           # configure dot1x port-control

    I assumed dot1x must be forced/enabled on a per-port/interface basis and that before that's done there's no dot1x, but it seems that "dot1x system-auth-control" does not wait for anything and everything stops instantly.

    Is this desired behavior?

    And if yes, then how do I introduce dot1x little by little, starting with an Ethernet port that is configured as here:

    1/g1

    Flow Control: Enabled

    Port: 1/g1
    VLAN Membership mode: Access Mode

    Operating parameters:
    PVID: 1
    Ingress Filtering: Enabled
    Acceptable Frame Type: Untagged
    Default Priority: 0
    GVRP status: Disabled
    Protected: Disabled

    --More-- or (q)uit

    Port 1/g1 is member in:

    VLAN   Name                              Egress rule   Type
    ----   ---------------------------------  -----------   --------
    1      Default                            Untagged      Default

    Static configuration:
    PVID: 1
    Ingress Filtering: Enabled
    Acceptable Frame Type: Untagged

    Port 1/g1 is statically configured to:

    VLAN   Name                              Egress rule
    ----   ---------------------------------  -----------

    Forbidden VLANs:

    VLAN   Name
    ----   ---------------------------------

    Thanks a lot!

    L.

    OK, you can implement the other dot1x controls without them having any effect on the switch until "dot1x system-auth-control" is given.

    I will certainly take a look at your other post.

  • 802.1x (dot1x) with IP phone / workstation using multiple authentication domains (MDA)

    Scenario:

    Workstation (behind the phone)

    IP Phone 7911 with software 8.5(2)

    ACS 4.1 with AD on the same server

    Cisco switch WS-C3750E-24PD with c3750e-universalk9-mz.122-53.SE1.bin

    Guide used:

    http://www.Cisco.com/en/us/Tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml

    To accomplish:

    Authentication of the computer and the IP phone with 802.1x. The phone using EAP-MD5 and the workstation using PEAP-MSCHAPv2.

    Tried and worked:

    Workstation using EAP-MD5 (with ACS username) and using PEAP (with AD username), and it also joined the correct VLAN according to the username.

    The ACS log, failed authentication:

    Message-Type - User-Name - Group-Name - Caller-ID - Network Access Profile Name - Authen-Failure-Code

    Authen failed - CP-7911G-SEP00254594D6BA - VOZ - 00-25-45-94-D6-BA - (Default) - EAP type not configured

    Switch configuration:

    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    radius-server host 10.32.250.250 auth-port 1645 acct-port 1646 key 7 095F4B07110445425B54
    interface GigabitEthernet1/0/3
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 200
     authentication host-mode multi-domain
     authentication port-control auto
     authentication periodic
     mls qos trust device cisco-phone
     mls qos vlan-based
     dot1x pae both
     dot1x timeout quiet-period 20
     dot1x timeout server-timeout 100
     dot1x timeout tx-period 100
     storm-control broadcast level 15.00
     storm-control multicast level 10.00
     spanning-tree portfast
     spanning-tree guard root

    ACS configuration summary:

    Configured the AAA client

    2 groups, voice and data, each with their respective VLAN and the ACS configuration parameters (attribute/value (AV) pairs)

    Added the username and password for the IP phones

    Mapped AD to the data group

    Created a certificate and installed it on the workstation

    Set up the global authentication configuration, where I ticked the PEAP and EAP-MD5 boxes

    So, as I said, it only authenticates the workstation without the IP phone.  When I add the IP phone it does not authenticate either of them.

    Has anyone ever done this?

    Hello

    First of all, you can try different software for the phone (for example 8.4.2S). I have a similar problem with the 8.5 software and 7945/7965 phones. Secondly, you must configure the av-pair attribute on the ACS side for the correct placement of the phone in the voice VLAN.

    Regards

    Stanislav

  • dot1x/ACS3.0/RSA ACE server 5.0

    Hello

    I tried to configure dot1x (Cat6500) with the ACS 3.0 server and RSA ACE. In the first step, when I configured a static password in ACS, everything was OK, but when I changed to the external user database I got an error: 'Auth type not supported by external DB'.

    Anyone know why?

    Thank you

    The dot1x supplicant on the PC will use Extensible Authentication Protocol (EAP) authentication to send the username and password. This authentication method cannot be used with an RSA external database; RSA must use PAP authentication, which sends the password in the clear (which is OK because it's a one-time password).

    See http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs31/acsuser/o.htm#625794 for more details on external DBs and password protocols. Notice how all the one-time password databases can use PAP.

  • Dot1x / NAC without account AD

    Hello

    I've already implemented some dot1x networks with ACS 4.2 linked to an Active Directory server, but I've never implemented NAC.

    But now we have a customer with a Citrix environment and they have devices running Windows XP Embedded, but they are not integrated with Active Directory. Is there a possibility, other than MAC authentication, to check whether this machine is a company machine?

    If I understand correctly, NAC will not work if the basic 802.1x (authentication) does not work, right?

    Thank you in advance and best regards

    Dominic

    If you're referring to the Cisco NAC appliance, it is not compatible with 802.1x (unless you deploy the NAC device in-band, which is not recommended).

    Regarding authentication, it is mainly user authentication. So it would recognize whether the user is in Active Directory, not whether the machine is in Active Directory.

    Machine authentication is used only as an exception for access points, printers and IP phones, which cannot use user authentication.

  • dot1x auth-fail vlan X does not work

    Hello

    I have configured 802.1x on Fa0/3 and it works very well.

    I'm testing setting up a restricted VLAN on that port, and it does not work.

    This is the configuration:

    interface FastEthernet0/3
     switchport access vlan 11
     switchport mode access
     dot1x pae authenticator
     dot1x port-control auto
     dot1x auth-fail vlan 30
     dot1x auth-fail max-attempts 2

    When the PC connected to Fa0/3 has failed authentication twice, it should go to VLAN 30, but this isn't the case (port Fa0/3 remains in VLAN 11 in down state).

    show vlan:

    11   VLAN0011     active    Fa0/2, Fa0/3, Fa0/4
    30   RESTRICTED   active

    SW1#sh dot1x interface fas 0/3
    Dot1x Info for FastEthernet0/3
    -----------------------------------
    PAE                       = AUTHENTICATOR
    PortControl               = AUTO
    ControlDirection          = Both
    HostMode                  = SINGLE_HOST
    ReAuthentication          = Disabled
    QuietPeriod               = 60
    ServerTimeout             = 30
    SuppTimeout               = 30
    ReAuthPeriod              = 3600 (Locally configured)
    ReAuthMax                 = 2
    MaxReq                    = 2
    TxPeriod                  = 30
    RateLimitPeriod           = 0
    Auth-Fail-Vlan            = 30
    Auth-Fail-Max-attempts    = 2

    It is a 2960 running c2960-lanbase-mz.122-35.SE5; what am I missing?

    Federico.

    Federico,

    How do you test the auth-fail VLAN?  If you test with a bad password using the PEAP protocol, it is considered a retryable error which should not cause a rejection from the RADIUS server; instead the password can be retried without first tearing down the TLS tunnel via an Access-Reject.  As it is configured, it should take 3 Access-Rejects from the RADIUS server to be placed in the auth-fail VLAN.  If I remember correctly a bad username is also retryable.

    If you use ACS 5 you can lower the number of PEAP retries to 1, in which case you will have to fail the connection 6 times with a wrong password to hit the auth-fail VLAN.

    -Jesse

  • Dot1x question: MAB authentication never fails or times out

    Hello

    I have a problem where the switch tries to authenticate a device with MAB and it never fails or times out.

    Here's the situation: a device has 802.1x authentication active but with invalid parameters (or a missing certificate).

    The switch will start dot1x for the client and it will fail. It will then switch from dot1x to MAB and... silence.

    I use a WS-C2960-24LT-L with IOS 15.0(2)SE.

    Config:

    interface FastEthernet0/16
     switchport access vlan 155
     switchport mode access
     authentication event fail action authorize vlan 550
     authentication event server dead action authorize vlan 550
     authentication event no-response action authorize vlan 550
     authentication port-control auto
     mab
     dot1x pae authenticator
     dot1x timeout quiet-period 3
     dot1x timeout tx-period 1
     spanning-tree portfast
     spanning-tree bpduguard enable
    end

    Logs:

    Dec 4 17:34:51.064 GMT: %LINK-3-UPDOWN: Interface FastEthernet0/16, changed state to up
    Dec 4 17:34:51.147 GMT: %AUTHMGR-5-START: Starting 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
    Dec 4 17:34:52.070 GMT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/16, changed state to up
    Dec 4 17:34:54.234 GMT: %DOT1X-5-FAIL: Authentication failed for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
    Dec 4 17:34:54.234 GMT: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
    Dec 4 17:34:57.321 GMT: %DOT1X-5-FAIL: Authentication failed for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
    Dec 4 17:34:57.321 GMT: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
    Dec 4 17:35:00.601 GMT: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001197AA21094
    Dec 4 17:35:00.601 GMT: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001197AA21094
    Dec 4 17:35:00.601 GMT: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001197AA21094

    sh authentication sessions interface fa0/16

    Interface:  FastEthernet0/16
    MAC Address:  Unknown
    IP Address:  Unknown
    Status:  Running
    Domain:  UNKNOWN
    Oper host mode:  single-host
    Oper control dir:  both
    Session timeout:  N/A
    Idle timeout:  N/A
    Common Session ID:  0A011246000001197AA21094
    Acct Session ID:  0x00000380
    Handle:  0x1700011A

    Runnable methods list:
      Method   State
      dot1x    Failed over
      mab      Running

    You can see above that MAB is still running, but this device is not listed in the local ID store, in the identity sequence, or anywhere. If I run the command 'no mab', the switch responds that there are no more available methods, and nothing more.

    Interface  MAC Address  Method  Domain   Status      Session ID
    Fa0/16     (unknown)    N/A     UNKNOWN  No Methods  0A011246000001197AA21094

    However, when I remove the MAB command and reset the port, it eventually fails dot1x and moves to the restricted VLAN.

    Is this the default design behaviour, or is authentication being dropped between the switch and the ACS? Should I just use MAB where it is needed?

    Thank you in advance.

    On your interface configuration, I would normally expect to see flex auth enabled, like this:

    authentication priority dot1x mab
    authentication order dot1x mab
    authentication event fail action next-method
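A small summariser for the two kinds of syslog quoted in these threads, as an added example (not Cisco code): the WLC lines from the "LAP drops client connections" thread above (MAX_EAPOL_KEY_RETRANS / INVALID_REPLAY_CTR per client) and the IOS authentication-manager lines from this thread (dot1x -> timeout -> failover to mab per AuditSessionID). The sample lines are constructed after the ones posted; the client MACs in the WLC sample are made up, while the IOS sample reuses the MAC and session IDs quoted in this thread. All function names are mine.

```python
"""Summarise Cisco 802.1X syslog lines from a WLC and an IOS switch (added example)."""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# %FACILITY-SEVERITY-MNEMONIC: appears in both WLC and IOS syslog.  The WLC
# lines as pasted in the thread carry a stray space after '%', so allow one.
MSG_RE = re.compile(r"%\s?(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):")
MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b|\b(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\b", re.I)
SESSION_RE = re.compile(r"AuditSessionID\s+([0-9A-F]+)")
QUOTED_RE = re.compile(r"'([\w-]+)'")


def parse(line: str) -> dict | None:
    """Facility/severity/mnemonic plus client MAC and session id when present."""
    m = MSG_RE.search(line)
    if not m:
        return None
    mac = MAC_RE.search(line)
    sess = SESSION_RE.search(line)
    return {"facility": m.group("facility"), "sev": int(m.group("sev")),
            "mnemonic": m.group("mnemonic"),
            "client": mac.group(0).lower() if mac else None,
            "session": sess.group(1) if sess else None,
            "text": line[m.end():].strip()}


def dot1x_errors_per_client(lines) -> dict[str, Counter]:
    """WLC view: count DOT1X messages of severity 3 or worse for each client."""
    out: dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        rec = parse(line)
        if rec and rec["facility"] == "DOT1X" and rec["sev"] <= 3 and rec["client"]:
            out[rec["client"]][rec["mnemonic"]] += 1
    return dict(out)


def noisy_clients(lines, threshold: int = 2) -> list[str]:
    """Clients with at least `threshold` key-retransmission failures: the RF or
    driver suspects to look at first.  Replay-counter rejections are listed
    separately by dot1x_errors_per_client because they need a different follow-up."""
    per_client = dot1x_errors_per_client(lines)
    return sorted(mac for mac, c in per_client.items()
                  if c["MAX_EAPOL_KEY_RETRANS"] >= threshold)


def method_timeline(lines) -> dict[str, list[str]]:
    """IOS view: per AuditSessionID, the ordered authentication-manager steps."""
    out: dict[str, list[str]] = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if not rec or rec["facility"] != "AUTHMGR" or not rec["session"]:
            continue
        q = QUOTED_RE.findall(rec["text"])
        if rec["mnemonic"] == "START":            # "Starting 'dot1x' for client"
            out[rec["session"]].append(f"start {q[0]}")
        elif rec["mnemonic"] == "RESULT":         # "result 'timeout' from 'dot1x'"
            out[rec["session"]].append(f"{q[1]} {q[0]}")
        elif rec["mnemonic"] == "FAILOVER":       # "Failing over from 'dot1x'"
            out[rec["session"]].append(f"failover from {q[0]}")
    return dict(out)


# Constructed samples modelled on the lines posted in the threads.
WLC_SAMPLE = """\
15 Feb 10:04:53 172.22.90.20 Wi-Fi_Controller: *Feb 15 10:11:17.702: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:407 Max EAPOL-Key M1 retransmissions exceeded for client 00:11:22:33:44:55
15 Feb 10:04:57 172.22.90.20 Wi-Fi_Controller: *Feb 15 10:11:22.104: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:407 Max EAPOL-Key M1 retransmissions exceeded for client 00:11:22:33:44:55
15 Feb 10:36:14 172.22.90.20 Wi-Fi_Controller: *Feb 15 10:42:38.859: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:354 Invalid replay counter from client 00:11:22:33:44:55 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
15 Feb 10:37:16 172.22.90.20 Wi-Fi_Controller: *Feb 15 10:43:40.888: %DOT1X-1-INVALID_WPA_KEY_STATE: 1x_eapkey.c:1638 Received EAPOL-Key message while in invalid state (0) - client 00:11:22:33:44:55, descriptor 2, type 3, version 1
15 Feb 10:37:21 172.22.90.20 Wi-Fi_Controller: *Feb 15 10:43:45.661: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:407 Max EAPOL-Key M3 retransmissions exceeded for client aa:bb:cc:dd:ee:ff
""".splitlines()

IOS_SAMPLE = """\
Dec 4 17:34:51.147 GMT: %AUTHMGR-5-START: Starting 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
Dec 4 17:34:54.234 GMT: %DOT1X-5-FAIL: Authentication failed for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
Dec 4 17:34:54.234 GMT: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
Dec 4 17:34:57.321 GMT: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
Dec 4 17:35:00.601 GMT: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001197AA21094
Dec 4 17:35:00.601 GMT: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001197AA21094
""".splitlines()

if __name__ == "__main__":
    print(dot1x_errors_per_client(WLC_SAMPLE))
    print(noisy_clients(WLC_SAMPLE))
    print(method_timeline(IOS_SAMPLE))
```

The per-session timeline makes the behaviour in this thread visible at a glance: the second session never gets a START line and ends on "failover from dot1x" with no MAB result after it, which is exactly the "silence" the poster describes.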

  • Dot1x: not failing over to guest VLAN

    Hello

    I am deploying dot1x in the office and I'm having a little difficulty getting both dot1x and MAB to fail and then switch to the guest VLAN.

    A simple scenario: where an end-user device cannot provide authentication, I want the switch to automatically put the user in the guest VLAN. I did not enable periodic authentication, I turned the authentication timers down to the lowest and I configured max attempts, but the switch constantly tries to authenticate the device.

    Switch model: WS-C2960-24LT-L with 15.0(2)SE6.

    The switch configuration:

    aaa accounting dot1x default start-stop group radius
    aaa authentication dot1x default group radius
    dot1x system-auth-control

    Port configuration:

    interface FastEthernet0/15
     switchport access vlan 144
     switchport mode access
     authentication event fail action next-method
     authentication event server dead action authorize vlan 550
     authentication event no-response action authorize vlan 550
     authentication host-mode single-host
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x max-req 3
     dot1x max-reauth-req 1
     spanning-tree portfast
    !

    Any help will be greatly appreciated.

    UPDATE: see the comments below.

    Good job on solving your own problem, Oliver, and thanks for taking the time to update everyone here! (+5 from me). If your problem is resolved you should mark the thread as answered ;)

  • DHCP client does not request an address when in the dot1x auth-fail VLAN

    VLAN switching works very well when the user is authenticated. The machine is on VLAN X, the user connects, the port goes to VLAN Y and then receives an IP address from VLAN Y. When the user disconnects, the machine re-auths and goes back to VLAN X.

    However, when I use dot1x auth-fail vlan on the port, the switch will change to VLAN Z, but the computer (XP) still has an IP address from VLAN X. XP still shows "trying to authenticate", which I suppose may be the problem with it not requesting DHCP (normally it only does so after auth).

    Is there an authentication timeout setting somewhere in XP? Or is there another way around this problem? It's XP with SP3.

    There isn't another way around the issue. The 'problem' is that the machine already has an IP address.

    Basically, Auth-Fail-VLAN works as if a network admin connected to a switch, watched x number of failures happening consecutively, and then authorized the port anyway in force-authorized mode and hard-set it in one specific VLAN. At that point, it's up to the supplicant how/if it needs to get on the network.

    IOW, it's a bit as if you just changed the VLAN on a port on the fly for any other reason... same issue.

    One workaround might of course be to ensure it fails at the time of initial plug-in, when the machine first requests an IP address (assuming only the Windows platform anyway).

    Hope this helps,

  • DOT1X authentication host-mode

    Question - which to choose?

    Scenarios with devices attached to 3850s running 15.0(1)EZ2, ISE v1.2

    1. IP phone with a PC daisy-chained behind it

    2. Dumb hub with several PCs and an IP phone

    authentication host-mode multi-domain

    or

    authentication host-mode multi-auth

    AND

    authentication violation replace

    or

    authentication violation restrict

    Regards

    For all of my deployments I used "authentication host-mode multi-auth"; this way I generate a more generic template and don't have to go back and touch ports that might have a switch connected to them. So I suggest using this as well, unless there is a driver behind not doing so.

    Be careful with 'dumb hubs' connected to an 802.1x-enabled port. I've run into situations where the dumb hub/switch would let dot1x authentications pass but then wouldn't pass the EAPoL logoff message, thus causing problems when connecting a new device. I guess in such a situation "authentication violation replace" might help, but you could then run into other unforeseen issues. I had a couple of deployments where EAPoL traffic was completely dropped and never reached the RADIUS server. So I had the chance to convince my clients to replace those with the "compact" version of the Cisco switch family (2960C, 3560C), so I've always used "authentication violation restrict".

    I know that does not answer your questions directly, but I hope it helps.

    Thank you for rating helpful posts!

  • Guest WiFi using Dot1x

    Hi all

    I have been using the guest feature in ISE 1.1.4 (and earlier versions) for some time and I've always been frustrated with it. I am now in the process of setting up another guest network using dot1x to refer to the internal user ID store (where all registered guests are stored) in ISE to authenticate clients.

    It seems to work perfectly for all activated guests, but a newly created account receives the following...

    RADIUS Status:
    Authentication failed: 24206 User disabled

    Is there a way to bypass activation through the NCB and thus make it possible for registered guests to authenticate using dot1x?

    Would changing the guest portal configuration policy (not used / first logon / each logon) or the authentication type (guest/CWA/both) solve this problem? I'm reluctant to change it on the fly in a production environment.

    Thank you

    http://www.Cisco.com/c/en/us/support/docs/security/identity-services-Eng...

  • ISE/Wireless NAC... A SSID for MAB and Dot1X?

    Hello

    I'm running ISE 1.2 and WLC 7.5.102.

    I would really like one SSID which can do a few different things in the following order...

    (1) a device could connect, hit the MAB rule and be allowed in without any type of authentication (other than MAB) and be placed in VLAN x.

    (2) a device would be checked for the appropriate certificate. If the certificate exists, the device is granted access.

    (3) If a device is not allowed by MAB, it will hit the following rule, which is the dot1x rule. The user is then authenticated against the AD server.

    (4) everything else hits the default rule and is sent to the web-auth portal.

    I can't really think of a way to make this work with one SSID, because as I understand it you need dot1x disabled on the SSID for MAB to work.

    Any suggestions?
    Thank you.

    Two SSIDs. No way around it.

  • Dot1x multidomain on Catalyst 2960

    Hello

    I upgraded my 2960 to the latest LAN Base version 12.2(46), which includes Multi-Domain Authentication (MDA), and I tried to configure what is described here:

    http://www.Cisco.com/en/us/Tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml

    I have the following differences in my configuration:

    (1) Cat 2960 with the latest IOS version 12.2(46)SE that supports MDA;

    (2) using Win2K IAS as the RADIUS server; and

    (3) third-party (Avaya) IP phone with an active dot1x supplicant. I have a dot1x-capable PC connected to the second port of the IP phone.

    This is what I set up on the IP phone port:

    interface FastEthernet0/9
     switchport access vlan 221
     switchport mode access
     switchport voice vlan 222
     dot1x pae authenticator
     dot1x port-control auto
     dot1x host-mode multi-domain
     dot1x violation-mode protect
     dot1x timeout reauth-period 30
     dot1x reauthentication
     spanning-tree portfast

    I also configured the Win2K IAS RADIUS server to send the RADIUS 'cisco-av-pair' attribute telling the authenticator (Cisco Catalyst 2960) that a supplicant (IP phone) is authorized on the voice VLAN, as described in the config notes at the link above.

    When the IP phone supplicant starts to authenticate, it succeeds, but the port does not allow the VOICE domain, even though the 2960 receives the "cisco-av-pair" attribute from the RADIUS server. I confirmed the reception of this attribute by debugging on the switch.

    RADIUS: Received from id 1645/64 160.2.100.74:1645, Access-Accept, len 110
    17:02:38: RADIUS:  authenticator 7D AC 50 FE 14 B4 FC DC - 3A A4 E5 3F 1E 76 62 C3
    17:02:38: RADIUS:  EAP-Message         [79]  6
    17:02:38: RADIUS:   03 05 00 04
    17:02:38: RADIUS:  Class               [25]  32
    17:02:38: RADIUS:   44 05 05 A2 00 00 01 37 00 01 A0 02 64 4A C9 01 1 33 79 52 D8 58 00 00 00 00 00 00 1B E7  [D7dJ3yRX]
    17:02:38: RADIUS:  Vendor, Cisco       [26]  34
    17:02:38: RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
    17:02:38: RADIUS:  Message-Authenticato[80]  18
    17:02:38: RADIUS:   D9 42 78 88 26 5A 65 83 68 B0 E0 C7 AF 5E 0F 51  [B x&Zeh^Q]
    17:02:38: RADIUS(00000009): Received from id 1645/64
    17:02:38: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes

    Cat2960#show dot1x int fa0/9 details

    Dot1x Info for FastEthernet0/9
    -----------------------------------
    PAE                       = AUTHENTICATOR
    PortControl               = AUTO
    ControlDirection          = Both
    HostMode                  = MULTI_DOMAIN
    Violation Mode            = PROTECT
    ReAuthentication          = Enabled
    QuietPeriod               = 60
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthPeriod              = 30 (Locally configured)
    ReAuthMax                 = 2
    MaxReq                    = 2
    TxPeriod                  = 30
    RateLimitPeriod           = 0

    Dot1x Authenticator Client List
    -------------------------------
    Domain                    = DATA
    Supplicant                = 0004.0d9b.46d8
    Auth SM State             = AUTHENTICATED
    Auth BEND SM State        = IDLE
    Port Status               = AUTHORIZED
    ReAuthPeriod              = 30
    ReAuthAction              = Reauthenticate
    TimeToNextReauth          = 20
    Authentication Method     = Dot1x
    Authorized By             = Authentication Server
    Vlan Policy               = N/A

    I don't think I need CDP to allow the voice domain if the RADIUS server sends the "cisco-av-pair" attribute.

    Have I misunderstood the concept?

    Thank you!

    Can you share the switch config?

    Missing, for example, aaa authorization network default group radius?

  • IP Phone + dot1x + ACS 3.2

    Hello everyone!

    The main idea: I need to authenticate a Cisco IP phone connected to a C3750 and put it in the voice VLAN. Authentication in ACS v3.2 using the IP phone's MAC address.

    This is the port configuration on the C3750:

    interface GigabitEthernet1/0/2
     switchport mode access
     switchport voice vlan 12
     dot1x mac-auth-bypass
     dot1x pae authenticator
     dot1x port-control auto
     dot1x host-mode multi-domain
     spanning-tree portfast
    end

    In ACS I created the group "IP telephony", and in its configuration I checked:

    (1) Voice-over-IP support

    (2) IETF RADIUS attributes:

    [064] Tunnel-Type = VLAN

    [065] Tunnel-Medium-Type = 802

    [081] Tunnel-Private-Group-ID = 12

    There is a user 000d65707e7a (the IP phone MAC address) in this ACS group.

    When I connect the IP phone to the GigabitEthernet1/0/2 interface, it doesn't get the voice VLAN.

    C3750#show mac address-table interface gigabitEthernet 0/1/2

              Mac Address Table
    -------------------------------------------

    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
       1    000d.6570.7e7a    STATIC      Drop
      12    000d.6570.7e7a    STATIC      Drop

    In ACS, under 'Reports and Activity' -> "Failed Attempts", I see an error:

    Authen failed - 000d65707e7a - Access denied - Group Voice-over-IP

    What's wrong? How do I configure an ACS group to authenticate an IP phone by its MAC address and put it in voice VLAN 12 on the C3750?

    Thanks for any help!

    7940 will never do 802.1X. Neither will 7960. Newer phones will.
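The two authorization attributes these last two threads turn on, decoded from the wire format, as an added example (not Cisco, IAS or ACS code): the Cisco-AVpair "device-traffic-class=voice" that the 2960 debug in the previous thread shows arriving as "Vendor, Cisco [26] 34 / Cisco AVpair [1] 28", and the IETF Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple configured in ACS 3.2 in this thread. Attribute layout follows RFC 2865 (type, length, value; Vendor-Specific carries a 4-byte vendor id, 9 for Cisco, followed by sub-attributes in the same layout) and RFC 2868 (an optional leading tag byte, 0x00-0x1F, on tunnel attributes). The Access-Accept payloads are constructed here, not captured, and every function name is mine.

```python
"""Decode the RADIUS attributes that decide an IOS port's authorization (added example)."""
from __future__ import annotations

VENDOR_SPECIFIC = 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
CISCO_VENDOR_ID = 9            # IANA enterprise number carried in Cisco VSAs
CISCO_AVPAIR = 1               # vendor-type of Cisco-AVpair
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6
VOICE_AVPAIR = "device-traffic-class=voice"


def parse_attributes(payload: bytes) -> list[tuple[int, bytes]]:
    """Split a RADIUS attribute section into (type, value) pairs.  Length covers
    type+length+value, so a length < 2 or one that overruns the buffer marks a
    malformed packet; it is rejected rather than silently skipped."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def is_well_formed(payload: bytes) -> bool:
    try:
        parse_attributes(payload)
        return True
    except ValueError:
        return False


def parse_vsa(value: bytes) -> list[tuple[int, int, bytes]]:
    """Vendor-Specific value: 4-byte vendor id, then vendor-type/length/value triples."""
    if len(value) < 4:
        raise ValueError("VSA shorter than vendor id")
    vendor_id = int.from_bytes(value[:4], "big")
    return [(vendor_id, t, v) for t, v in parse_attributes(value[4:])]


def tunnel_value(value: bytes) -> bytes:
    """Drop the optional RFC 2868 tag byte (0x00-0x1F) that prefixes tunnel attributes."""
    return value[1:] if value and value[0] <= 0x1F else value


def authorization_summary(payload: bytes) -> dict:
    """What an IOS authenticator would take from an Access-Accept: the voice-domain
    permission (Cisco-AVpair) and the data VLAN (a consistent Tunnel-* triple)."""
    summary: dict = {"voice_domain": False, "vlan": None, "av_pairs": []}
    tunnel: dict[str, object] = {}
    for atype, value in parse_attributes(payload):
        if atype == VENDOR_SPECIFIC:
            for vendor, vtype, vvalue in parse_vsa(value):
                if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                    pair = vvalue.decode("ascii")
                    summary["av_pairs"].append(pair)
                    if pair == VOICE_AVPAIR:
                        summary["voice_domain"] = True
        elif atype == TUNNEL_TYPE:
            tunnel["type"] = int.from_bytes(tunnel_value(value), "big")
        elif atype == TUNNEL_MEDIUM_TYPE:
            tunnel["medium"] = int.from_bytes(tunnel_value(value), "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tunnel["group"] = tunnel_value(value).decode("ascii")
    # All three tunnel attributes must be present and agree for a VLAN assignment.
    if (tunnel.get("type") == TUNNEL_TYPE_VLAN
            and tunnel.get("medium") == TUNNEL_MEDIUM_802 and "group" in tunnel):
        summary["vlan"] = tunnel["group"]
    return summary


# Builders used only to construct the sample Access-Accept payloads below.
def attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def cisco_avpair(text: str) -> bytes:
    return attr(VENDOR_SPECIFIC,
                CISCO_VENDOR_ID.to_bytes(4, "big") + attr(CISCO_AVPAIR, text.encode()))


def tagged(atype: int, value: bytes, tag: int = 0) -> bytes:
    return attr(atype, bytes([tag]) + value)


# Constructed: what the 2960 debug shows (Vendor [26] 34 / Cisco AVpair [1] 28).
MDA_VOICE_ACCEPT = cisco_avpair(VOICE_AVPAIR)
# Constructed: the ACS 3.2 group attributes from this thread (VLAN 12).
ACS_VLAN12_ACCEPT = (tagged(TUNNEL_TYPE, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
                     + tagged(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802.to_bytes(3, "big"))
                     + tagged(TUNNEL_PRIVATE_GROUP_ID, b"12"))

if __name__ == "__main__":
    print(authorization_summary(MDA_VOICE_ACCEPT))
    print(authorization_summary(ACS_VLAN12_ACCEPT))
```

The two payloads decode to different things: the tunnel triple yields a VLAN assignment and nothing about the voice domain, while the Cisco-AVpair grants the voice domain and no VLAN, which matches the first MDA thread above, where the configuration guide requires the AVpair for the phone to be placed in the voice domain.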
