dot1X and multi-domain

Unanswered Question
Sep 29th, 2010

I have a C4506 with a WS-X4548-GB-RJ45V module. I am running Version 12.2(54)SG. I have implemented 802.1X on the access ports, but I can't get the multi-domain configuration to work.

Mostly the PC client is connected to the phone and the phone is connected to the switchport. In the ACS 5.1 logs the client and telephone are authenticated correctly; the client runs EAP-TLS and the phone does MAB. The PC gets an IP address but it can't reach anything, not even its default gateway.

When I switch to multi-host it works and the client and phone are able to communicate, but then I have security issues and timeout problems.

DOES ANYONE OUT THERE HAVE THE SAME PROBLEM?

Below is my port configuration.


interface GigabitEthernet6/40
 description 802.1X enablad port  ANC70101D03
 switchport mode access
 switchport voice vlan 94
 qos trust device cisco-phone
 authentication event fail action authorize vlan 229
 authentication event server dead action authorize vlan 229
 authentication event no-response action authorize vlan 229
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout quiet-period 5
 dot1x timeout tx-period 5
 spanning-tree portfast
 service-policy input voice-services
end

Yudong Wu Thu, 09/30/2010 - 14:25

Could you please collect "sh dot1x int Gx/y details" in both multi-host and multi-domain mode after the authentication?

By the way, are you using vlan 1 as data vlan?

MAGNUS SVENSSON Fri, 10/01/2010 - 00:40

Hi, it has to be a bug. I have logged a case with TAC (CaseID: 615560039). The thing is that if I run multi-host mode everything works, but then you have security issues; if I run multi-domain the client and phone get an IP address but are not able to communicate (e.g. ping their default GW). The output of the commands you requested looks okay: in multi-domain you have one voice and one data, and in multi-host you have one data...


/Magnus

MAGNUS SVENSSON Mon, 10/18/2010 - 06:39

Now Cisco TAC has found out that there is a bug in the 12.2(54)SG release regarding multi-domain and the C4506. I have now downgraded the IOS to 12.2(53)SG3, and now it works.

Bug ID is CSCtj56811 (it was just posted).


/Magnus
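An added audit script, not from the thread or from Cisco, that parses a running-config in the same format as the port configuration posted above and flags the two conditions discussed in this thread: ports left in multi-host mode (the fallback Magnus describes as having security issues) and multi-domain ports on the 12.2(54)SG release tied to CSCtj56811. The sample config and the 'show version' line are constructed.

```python
# Added example, not from the thread: audit 802.1X host-mode in a Cisco IOS
# running-config. Flags ports in multi-host mode and multi-domain ports on the
# release the thread ties to CSCtj56811. Sample inputs below are constructed.
import re

AFFECTED_RELEASE = "12.2(54)SG"  # from the thread; 12.2(53)SG3 worked after downgrade
SAMPLE_VERSION = "Catalyst 4500 L3 Switch Software, Version 12.2(54)SG, RELEASE SOFTWARE"
SAMPLE_CONFIG = """\
interface GigabitEthernet6/40
 switchport voice vlan 94
 authentication host-mode multi-domain
 authentication port-control auto
 mab
!
interface GigabitEthernet6/41
 authentication host-mode multi-host
 authentication port-control auto
!
"""

def parse_interfaces(config):
    # Returns {interface name: [sub-commands]}; a '!' or global line ends a block
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks

def ios_version(show_version):
    # Pull the release string out of 'show version' output
    m = re.search(r"Version (\S+?),", show_version)
    return m.group(1) if m else None

def audit(config, show_version):
    """Return (interface, finding) pairs for ports that enforce 802.1X/MAB."""
    version, findings = ios_version(show_version), []
    for name, cmds in parse_interfaces(config).items():
        if "authentication port-control auto" not in cmds:
            continue  # port is not authenticating at all
        # IOS defaults to single-host when no host-mode line is present
        mode = next((c.split()[-1] for c in cmds
                     if c.startswith("authentication host-mode ")), "single-host")
        if mode == "multi-host":
            findings.append((name, "multi-host: first authenticated MAC opens the port for all others"))
        elif mode == "multi-domain" and version == AFFECTED_RELEASE:
            findings.append((name, f"multi-domain on {version}: data domain may not forward (CSCtj56811)"))
    return findings
```

Feed it the output of `show running-config` and `show version` from the switch; a port with no `authentication port-control auto` line is skipped because it is not enforcing 802.1X at all.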

Yudong Wu Mon, 10/18/2010 - 08:01

Thanks a lot Magnus for keeping us posted.
