Dot1x MAB with MDA Issue

Muhammad Zubair
Level 1

I have configured MAB (MAC Authentication Bypass) with MDA (Multi Domain Access). All devices are successfully authenticating with their respective VLAN. MAB devices are getting authenticated as Voice.

I am using ACS (Radius) for authentication and DHCP relay.

The problem is that the voice device is not getting an IP from the DHCP server. There is no error reported on the switch or RADIUS. Without Dot1x everything is working.

switchport access vlan 105
switchport mode access
switchport voice vlan 108
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
dot1x mac-auth-bypass eap
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-domain
dot1x max-req 1
dot1x guest-vlan 105
spanning-tree portfast
spanning-tree bpduguard enable
ip verify source

7 Replies

Faisal Sehbai
Level 7

Zubair,

Can you please furnish a sh ver and a sh runn from the switch? What version of ACS are you using? Are you sending any attributes back for the phone?

Faisal

We are using a 3-layer model (Core, Distribution & Access) and all VLAN interfaces are on distribution.

I am passing the av-pair value device-traffic-class=voice from ACS.

We are using ACS 4.1 for Windows and ACS is successfully authenticating both devices.

Even show Dot1x Interface shows proper authentication with the proper domain.

Zubair,

Please disable port-security and try again.

HTH,

Faisal

Dear Faisal,

Already tried without port security; the results are the same.

Zubair,

Interesting. Have you given LLDP a shot yet with your phones? What sort of phones are you using?

Faisal

Dear Faisal,

I am using Siemens OptiPoint and I think it does not support CDP/LLDP.

Regards,

Zubair

Zubair,

Last thing I'd ask you to try is to remove the ip source verify and port-security commands both, and test.

If that doesn't fly then open a TAC case.

Thanks,

Faisal
