I configured wired users on Cisco ISE. The authentication protocol is EAP-FAST, and the external device is the DC. The wired users authenticate against ISE normally. I used the labminutes web site videos for the configuration.
Now the customer also wants the Cisco phones to authenticate against ISE. The physical connection is this: one cable connects the switch to the phone, and one cable connects the phone to the PC (the standard physical connection).
I created a new authentication policy that uses MAB, and a new authorization policy.
The problem is: the phone authenticates normally, but the wired user tries to authenticate and cannot.
Can someone provide me with a best-practice configuration on ISE and the switch for phone and wired user authentication, or please tell me the source of the problem?
switchport access vlan 10
switchport mode access
switchport voice vlan 14
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize vlan 20
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication violation restrict
dot1x pae authenticator
dot1x timeout tx-period 10
Do you need the ISE configuration?
I would use <authentication host-mode multi-auth> with caution. In that state it is possible for a switch or hub to be attached to the phone and multiple devices attached to the hub.
With <authentication host-mode multi-domain> you restrict it to one device per domain: 1 phone and 1 data device. Any more than that and the port is err-disabled.
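The host-mode point in the reply above can be checked across a whole switch configuration. The following is an added example, not part of the original thread: a Python sketch that reads interface stanzas and reports which host mode each 802.1X/MAB port runs. The sample configuration, the interface names and the function name audit_host_mode are constructed for illustration.

```python
import re

# Constructed sample: interface names and stanzas are made up; the first
# stanza uses the host-mode line posted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport voice vlan 14
 authentication host-mode multi-auth
 authentication port-control auto
!
interface GigabitEthernet1/0/2
 switchport voice vlan 14
 authentication host-mode multi-domain
 authentication port-control auto
!
interface GigabitEthernet1/0/3
 switchport access vlan 10
!
"""

# What each IOS host mode admits on a single port.
HOST_MODE_LIMITS = {
    "single-host": "one device in total",
    "multi-domain": "one data device plus one voice device",
    "multi-auth": "one voice device plus many individually authenticated data devices",
    "multi-host": "many data devices, only the first one authenticated",
}

def audit_host_mode(config_text):
    """Return one finding per interface that has port-control auto."""
    findings = []
    # Element 0 of the split is whatever precedes the first interface line.
    for stanza in re.split(r"^(?=interface )", config_text, flags=re.M)[1:]:
        lines = [l.strip() for l in stanza.splitlines()]
        if "authentication port-control auto" not in lines:
            continue  # port is not doing port-based authentication
        mode = "single-host"  # IOS default when no host-mode line is present
        for line in lines:
            m = re.fullmatch(r"authentication host-mode (\S+)", line)
            if m:
                mode = m.group(1)
        findings.append({
            "interface": lines[0].split(None, 1)[1],
            "host_mode": mode,
            "allows": HOST_MODE_LIMITS.get(mode, "unknown"),
            "voice_vlan": any(l.startswith("switchport voice vlan") for l in lines),
            "review": mode in ("multi-auth", "multi-host"),  # >1 data device possible
        })
    return findings
```

Ports returned with "review" set to True are the ones where more than one data device can sit behind the phone.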
Your switch interface configuration seems to be fine for authenticating a phone with a PC connected behind it. If you can provide a screenshot of the live authentication then we can find the reason why it's failing.
Can you provide the output from the following command:
show authentication session interface interface_name
Replace interface_name with the interface that the phone/PC are connecting to.
Also, please provide answers to the following questions:
1. What happens if you plug in the PC directly (bypassing the phone)?
2. Model and firmware of Cisco Phone
3. PC OS type and supplicant used
4. Make, model and OS version of switch
Thank you for rating helpful posts!
Thank you for your help.
When I connect only the PC to that switch port, the authentication is OK (working normally). When I connect both of them to the same port, the phone authenticates normally. The PC tries to authenticate but it cannot. I think it is an authorization problem. Do you need the ISE configuration?
PC: Windows 7
SW: Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 12.2(55)SE7,
I can connect to the site remotely. I will send you the other information ASAP.
The more info you provide the better :) In addition to what I already requested, please post screenshots from the live authentication screen and then a screenshot from the detailed screen for the MAC address of the PC (when it fails authentication).