guest vlan does not work with dot1x mda

Ryan
Level 1

I am having some issues getting dot1x guest auth to work while in MDA mode. The phone is working as expected; it's assigned the correct VLAN and is functional. Guest auth and failed auth work when I attach my computer (without supplicant) to the switch. Failed auth also works when I attach to the phone.

Any thoughts?

 

Below is my current config I have on my test ports

 

interface FastEthernet0/14
 switchport mode access
 switchport voice vlan 100
 authentication event fail retry 1 action authorize vlan 700
 authentication event server dead action authorize vlan 710
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 666
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 10
 dot1x timeout tx-period 10
 dot1x timeout ratelimit-period 10
 spanning-tree portfast
end

 

9 Replies

hdussa
Level 1

Hi,

Can you post a "show authentication session" of the port with the IP-Phone? It should show something like this:

Gi0/5      xxxx.yyyy.zzzz  dot1x    VOICE    Authz Success  0A87400D0000012D2DAF67F4

Fa0/14     c89c.1da3.9bc7  mab      VOICE    Authz Success  0000000000000055036FC28F

hdussa
Level 1

Do you authenticate the device behind the phone with MAB?
 

I am using both MAB and dot1x. So far that appears to be working correctly.

hdussa
Level 1

...Usually a session behind a phone remains forever when using MAB. So you need to configure "authentication violation replace" to allow another device to connect behind the phone and start the authentication process.

 

Horst

Thanks for that tip, but it didn't do anything for guest auth. The port just sits and doesn't do anything after getting a 'no response' from MAB and dot1x auth attempts.

Have a look here:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/sw8021x.html#wp1176660

But I think it won't work with MDA.

Well, all my issues look to be due to a bug in 15 code. Everything works as it's described in the documentation when using 12.2-55 code.

 

True, but the CDP Host Presence TLV relays a state change of the PC port on the phone.

See this link:

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.pdf
