09-10-2013 11:04 AM - edited 03-10-2019 08:53 PM
Hi
I have ISE 1.1 and cisco 2960
I configured MAB in the ISE for the IP phone and the printer
It work because user can print and use IP phone for call
But log is not good for the IP phone
PRINTER use MAB but The IP phone use dot1x instead of MAB (log below)
There is no computer connected behind the IP phone
I am planning to connect computer on some IP phone in the future, so your helps and suggestion should take care of it
Why MAB is not work on the IP PHONE
Thanks in advance for your help
PRINTER PORT
ISESWITCH#show auth sessions int f0/2
Interface: FastEthernet0/2
MAC Address: a0b3.cc9d.6ebb
IP Address: 192.168.1.150
User-Name: A0-B3-CC-9D-6E-BB
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 10
ACS ACL: xACSACLx-IP-PERMIT_ALL-52179aa0
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0AFD190A00000B4E11F6003A
Acct Session ID: 0x000013FF
Handle: 0x27000B4E
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
IP PHONE PORT
ISESWITCH#show auth sessions int f0/3
Interface: FastEthernet0/3
MAC Address: 001a.7ea7.4a3f
IP Address: 192.168.2.16
Status: Running
Domain: UNKNOWN
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0AFD190A00000B5011F7919A
Acct Session ID: 0x0000140D
Handle: 0xC3000B50
Runnable methods list:
Method State
dot1x Running
mab Not run
ISESWITCH#
configuration of each switch port
interface fastEthernet0/x
switchport access vlan 2
switchport mode access
ip access-group ACL-DEFAULT in
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
09-11-2013 12:39 AM
For Failed Auth and Authorization, I recommend the below tshoot trust sec guide by cisco
09-12-2013 07:26 AM
Hello,
Please I need help
Regards
09-15-2013 02:56 PM
switchport voice vlan
is missing.
Please turn on debug radius then collect debugs for a few minutes.
If the phone (what vendor?) has a certificate, it may attempt 802.1X EAP-TLS
09-17-2013 10:38 AM
Sample configuration on interface for MAB
interface range g0/x
switchport mode access
authentication port-control auto
dot1x pae authenticator
mab
authentication open
authentication host-mode multi-auth
switchport access vlan x
switchport voice vlan x
authentication order mab dot1x
authentication priority dot1x mab
no shutdown
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: