Cisco Support Community
Community Member

guest vlan does not work with dot1x mda

I am having some issues getting dot1x guest auth to work while in MDA mode. The phone is working as expected; it's assigned the correct VLAN and is functional. Guest auth and failed auth work when I attach my computer (without supplicant) to the switch. Failed auth also works when I attach to the phone.

Any thoughts?

 

Below is my current config I have on my test ports

 

interface FastEthernet0/14
 switchport mode access
 switchport voice vlan 100
 authentication event fail retry 1 action authorize vlan 700
 authentication event server dead action authorize vlan 710
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 666
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 10
 dot1x timeout tx-period 10
 dot1x timeout ratelimit-period 10
 spanning-tree portfast
end

 

9 REPLIES
Community Member

Hi,

Can you post a "show authentication session" of the port with the IP phone? It should show something like this:

Gi0/5      xxxx.yyyy.zzzz  dot1x    VOICE    Authz Success  0A87400D0000012D2DAF67F4

Community Member

Fa0/14     c89c.1da3.9bc7  mab      VOICE    Authz Success  0000000000000055036FC28F

Community Member

Do you authenticate the device behind the phone with MAB?
 

Community Member

I am using both MAB and dot1x. So far that appears to be working correctly.

Community Member

...usually a session behind a phone remains forever when using MAB. So you need to configure "authentication violation replace" to allow another device to connect behind the phone and start the authentication process.

 

Horst
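
As an added example (not part of the original thread and not Cisco tooling), this Python sketch audits interface stanzas for the settings discussed here: it lists each port's fallback VLANs and flags multi-domain MAB ports that lack the "authentication violation replace" line suggested in the reply above. The sample stanza is an abridged copy of the config posted in the question, and the function names are hypothetical.

```python
import re

# Constructed sample: abridged copy of the port config posted in the question.
SAMPLE_CONFIG = """\
interface FastEthernet0/14
 authentication event fail retry 1 action authorize vlan 700
 authentication event server dead action authorize vlan 710
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 666
 authentication host-mode multi-domain
 mab
end
"""

# Fallback events that place the port in a numbered VLAN.
EVENT_RE = re.compile(
    r"^authentication event (fail|server dead|no-response)\b.*\bauthorize vlan (\d+)$")


def audit_ports(config_text):
    """Return {interface: summary} for each interface stanza (hypothetical helper)."""
    ports, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], {
                "host_mode": None, "mab": False,
                "violation": None, "fallback_vlans": {}})
        elif current is None or not raw.startswith(" "):
            current = None  # outside a stanza ("end", "!", global command)
        elif line.startswith("authentication host-mode "):
            current["host_mode"] = line.split()[-1]
        elif line.startswith("authentication violation "):
            current["violation"] = line.split()[-1]
        elif line == "mab" or line.startswith("mab "):
            current["mab"] = True
        elif (m := EVENT_RE.match(line)):
            current["fallback_vlans"][m.group(1)] = int(m.group(2))
    return ports


def needs_review(summary):
    """True for a multi-domain MAB port without 'authentication violation replace'."""
    return (summary["host_mode"] == "multi-domain" and summary["mab"]
            and summary["violation"] != "replace")


if __name__ == "__main__":
    for name, s in audit_ports(SAMPLE_CONFIG).items():
        print(name, s["fallback_vlans"], "REVIEW" if needs_review(s) else "ok")
```
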

Community Member

Thanks for that tip, but it didn't do anything for guest auth. The port just sits and doesn't do anything after getting a 'no response' from MAB and dot1x auth attempts.

Community Member

Have a look here:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/sw8021x.html#wp1176660

But I think it won't work with MDA.

Community Member

Well, all my issues look to be due to a bug in 15 code. Everything works as it's described in the documentation when using 12.2-55 code.

 

Community Member

True, but the CDP Host Presence TLV relays a state change of the PC port on the phone.

See this link:

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.pdf
