05-12-2014 03:12 PM - edited 03-10-2019 09:42 PM
I am having some issues getting dot1x guest auth to work while in MDA mode. The phone is working as expected; it's assigned the correct VLAN and is functional. Guest auth and failed auth work when I attach my computer (without supplicant) to the switch. Failed auth also works when I attach to the phone.
Any thoughts?
Below is my current config I have on my test ports:
interface FastEthernet0/14
 switchport mode access
 switchport voice vlan 100
 authentication event fail retry 1 action authorize vlan 700
 authentication event server dead action authorize vlan 710
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 666
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 10
 dot1x timeout tx-period 10
 dot1x timeout ratelimit-period 10
 spanning-tree portfast
end
05-13-2014 01:39 AM
Hi,
Can you post a "show authentication session" of the port with the IP-Phone? It should show something like this:
Gi0/5 xxxx.yyyy.zzzz dot1x VOICE Authz Success 0A87400D0000012D2DAF67F4
05-13-2014 06:44 AM
Fa0/14 c89c.1da3.9bc7 mab VOICE Authz Success 0000000000000055036FC28F
05-13-2014 06:52 AM
Do you authenticate the device behind the phone with MAB?
05-13-2014 07:01 AM
I am using both MAB and dot1x. So far that appears to be working correctly.
05-13-2014 08:11 AM
...Usually a session behind a phone remains forever when using MAB. So you need to configure "authentication violation replace" to allow another device to connect behind the phone and start the authentication process.
Horst
05-13-2014 11:32 AM
Thanks for that tip, but it didn't do anything for guest auth. The port just sits and doesn't do anything after getting a 'no response' from MAB and dot1x auth attempts.
05-14-2014 12:42 AM
Have a look here:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/sw8021x.html#wp1176660
But I think it won't work with MDA.
05-20-2014 03:05 PM
Well, all my issues look to be due to a bug in 15 code. Everything works as it's described in the documentation when using 12.2-55 code.
05-20-2014 03:07 PM
True, but the CDP Host Presence TLV relays a state change of the PC port on the phone.
See this link:
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.pdf
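An added example, not part of the thread: a small Python check over "show authentication session" output in the column layout of the two lines quoted above. It lists ports where the phone is authorized in the VOICE domain but nothing is authorized in DATA, which is the state described here once a PC is attached behind the phone. Only the Fa0/14 row comes from the thread; the header line and the other rows are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample. Only the Fa0/14 row is taken from the thread;
# the header and the Fa0/15 and Fa0/16 rows are made up for illustration.
SAMPLE = """\
Interface  MAC Address     Method  Domain  Status         Session ID
Fa0/14     c89c.1da3.9bc7  mab     VOICE   Authz Success  0000000000000055036FC28F
Fa0/15     0000.0000.0001  mab     VOICE   Authz Success  00000000000000560370A001
Fa0/15     0000.0000.0002  dot1x   DATA    Authz Success  00000000000000570370A002
Fa0/16     0000.0000.0003  mab     VOICE   Authz Success  00000000000000580370A003
Fa0/16     0000.0000.0004  dot1x   DATA    Authz Failed   00000000000000590370A004
"""

# interface, dotted MAC, method, domain, status (may contain a space), hex session ID
ROW = re.compile(
    r"^(?P<intf>\S+)\s+(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+"
    r"(?P<method>\S+)\s+(?P<domain>\S+)\s+(?P<status>.+?)\s+"
    r"(?P<sid>[0-9A-F]+)\s*$",
    re.IGNORECASE,
)

def parse_sessions(text):
    """Return one dict per session row; header and blank lines are skipped."""
    return [m.groupdict() for line in text.splitlines()
            if (m := ROW.match(line.strip()))]

def ports_missing_data(sessions):
    """Interfaces with an authorized VOICE session but no authorized DATA session."""
    domains = defaultdict(set)
    for s in sessions:
        # Only successfully authorized sessions count toward a domain.
        if s["status"] == "Authz Success":
            domains[s["intf"]].add(s["domain"].upper())
    return sorted(i for i, d in domains.items()
                  if "VOICE" in d and "DATA" not in d)

if __name__ == "__main__":
    for intf in ports_missing_data(parse_sessions(SAMPLE)):
        print(f"{intf}: phone authorized in VOICE, nothing authorized in DATA")
```

A port with only a phone attached is also reported, so the result is meaningful only for ports where a PC is known to be connected behind the phone.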