dot1X and multi-domain

MAGNUS SVENSSON
Level 1

I have a C4506 with a WS-X4548-GB-RJ45V module, running version 12.2(54)SG. I have implemented 802.1X on the access ports, but I can't get the multi-domain configuration to work.

Mostly the PC client is connected to the phone and the phone is connected to the switchport. In the ACS 5.1 logs the client and the telephone are authenticated correctly; the client runs EAP-TLS and the phone does MAB. The PC gets an IP address but it can't reach anything, not even its default gateway.

When I switch to multi-host it works and the client and phone are able to communicate, but then I have security issues and timeout problems.

Does anyone out there have the same problem?

Below is my portconfiguration.

interface GigabitEthernet6/40
description 802.1X enablad port  ANC70101D03
switchport mode access
switchport voice vlan 94
qos trust device cisco-phone
authentication event fail action authorize vlan 229
authentication event server dead action authorize vlan 229
authentication event no-response action authorize vlan 229
authentication host-mode multi-domain
authentication order dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout tx-period 5
spanning-tree portfast
service-policy input voice-services
end
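The difference the poster is running into is what each host mode authorizes: multi-domain allows exactly one authenticated MAC in the data domain and one in the voice domain, whereas multi-host authenticates only the first MAC and then lets every further MAC on the port (for example a PC daisy-chained behind the phone) through on that session, which is the "security issues" the switch to multi-host brings. The following Python audit script is an added example, not code from the original thread or from Cisco; it parses a constructed IOS running-config modelled on the port configuration above (the interface names Gi6/41 and Gi6/42 and their settings are assumptions), reports each 802.1X-controlled port's host mode, and flags multi-host, the single-host default on a port that also carries a voice VLAN, and the events on which the port authorizes a fallback VLAN without authentication.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample running-config (not from the thread): Gi6/40 mirrors the
# poster's multi-domain port, Gi6/41 is the same port switched to multi-host,
# and Gi6/42 has a voice VLAN but no host-mode line (IOS default: single-host).
SAMPLE_CONFIG = """\
!
interface GigabitEthernet6/40
 description 802.1X enabled port
 switchport mode access
 switchport voice vlan 94
 authentication event fail action authorize vlan 229
 authentication event server dead action authorize vlan 229
 authentication event no-response action authorize vlan 229
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet6/41
 switchport mode access
 switchport voice vlan 94
 authentication host-mode multi-host
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet6/42
 switchport mode access
 switchport voice vlan 94
 authentication port-control auto
 dot1x pae authenticator
!
"""

# Events on which IOS can authorize a port into a VLAN without a successful
# authentication (the "authentication event ... action authorize vlan" lines).
FALLBACK_RE = re.compile(
    r"authentication event (fail|no-response|server dead) action authorize vlan (\d+)$"
)


@dataclass
class PortAudit:
    name: str
    host_mode: str
    voice_vlan: Optional[str]
    fallback_vlans: Dict[str, str] = field(default_factory=dict)
    findings: List[str] = field(default_factory=list)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS running-config into {interface name: [stripped config lines]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None          # '!' ends the interface stanza
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def audit_port(name: str, lines: List[str]) -> PortAudit:
    """Derive the effective host mode of one port and flag weak settings."""
    host_mode = "single-host"       # IOS default when no host-mode line is present
    voice_vlan = None
    fallback: Dict[str, str] = {}
    port_control_auto = False
    for line in lines:
        if line.startswith("authentication host-mode "):
            host_mode = line.split()[-1]
        elif line.startswith("switchport voice vlan "):
            voice_vlan = line.split()[-1]
        elif line == "authentication port-control auto":
            port_control_auto = True
        else:
            m = FALLBACK_RE.match(line)
            if m:
                fallback[m.group(1)] = m.group(2)
    audit = PortAudit(name, host_mode, voice_vlan, fallback)
    if not port_control_auto:
        return audit                # not an 802.1X-controlled port, nothing to judge
    if host_mode == "multi-host":
        audit.findings.append(
            "multi-host: only the first MAC is authenticated; every later MAC on the "
            "port rides on that session without authenticating")
    elif host_mode == "single-host" and voice_vlan:
        audit.findings.append(
            "single-host (default) with a voice VLAN: the phone and the PC behind it "
            "cannot both be authenticated; use multi-domain")
    for event, vlan in sorted(fallback.items()):
        audit.findings.append(
            f"authorizes into VLAN {vlan} on '{event}' without authentication; "
            f"that VLAN must be isolated")
    return audit


def audit_config(config: str) -> List[PortAudit]:
    return [audit_port(name, lines) for name, lines in parse_interfaces(config).items()]


if __name__ == "__main__":
    for port in audit_config(SAMPLE_CONFIG):
        print(f"{port.name}: host-mode={port.host_mode} voice-vlan={port.voice_vlan}")
        for finding in port.findings:
            print(f"  - {finding}")
```

Run it against `show running-config` output saved to a file; the port in the thread comes out as multi-domain with three fallback-VLAN findings, which is the right mode for a phone plus PC and leaves only the quarantine of VLAN 229 to verify.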

4 Replies

Yudong Wu
Level 7

Could you please collect "sh dot1x int Gx/y details" in both multi-host and multi-domain mode after the authentication?

By the way, are you using vlan 1 as data vlan?

Hi, it has to be a bug. I have logged a case with TAC (Case ID: 615560039). The thing is that if I run multi-host mode everything works, but then you have security issues; if I run multi-domain, the client and phone get an IP address but are not able to communicate (e.g. ping their default GW). The output of the commands you requested looks OK: in multi-domain you have one voice and one data, and in multi-host you have one data....

/Magnus

Now Cisco TAC has found out that there is a bug in the 12.2(54)SG release regarding multi-domain and the C4506. I have now downgraded the IOS to 12.2(53)SG3, and now it works.

Bug ID is CSCtj56811 (it was just posted).

/Magnus

Thanks a lot Magnus for keeping us posted.
