Cisco Support Community
NEAT configuration issue

Hi,

I'm currently setting up a lab in order to test the NEAT feature. The Supplicant switch (sSW) is able to authenticate toward the Authenticator Switch (aSW).

sSW#sh cisp summary
CISP is running on the following interface(s):
----------------------------------------------
  Fa0/8 (supplicant)

When I connect a PC with an X.509 certificate to the sSW, I see the EAPOL request coming from the PC to the sSW on Fa0/1:

*Mar  6 23:25:12.600: dot1x-ev(Fa0/1): Role determination not required
*Mar  6 23:25:12.600: dot1x-ev(Fa0/1): New client detected, issuing Start Request to AuthMgr

But the sSW does not forward the packet to the aSW.

sSW#sh cisp interface fastEthernet 0/1
CISP not enabled on specified interface

Do I need additional configuration on the port toward the PC?

Why is CISP not enabled on Fa0/1?

The topology and config are below:

Topology:

PC-------------0/1|sSW|0/8--------------4/10|aSW|

Configuration:

-----------------------------------------
aSW: WS-C4510R-E
System image file is "bootflash:cat4500e-entservicesk9-mz.150-2.SG3.bin"

interface GigabitEthernet4/10
 description toward sSW
 switchport trunk native vlan 332
 switchport mode trunk
 switchport voice vlan 335
 logging event link-status
 authentication host-mode multi-domain
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast trunk

----------------------------------------------
sSW> 2960
"flash:c2960-lanbasek9-mz.150-1.SE2.bin"

dot1x credentials cisco
 username cisco
 password 0 cisco
!
cisp enable
dot1x supplicant force-multicast

interface FastEthernet0/8
 description toward 4/10-aSW
 switchport trunk native vlan 332
 switchport mode trunk
 duplex full
 dot1x pae supplicant
 dot1x credentials cisco

interface FastEthernet0/1
 description toward PC
 switchport access vlan 332
 switchport mode access
 speed 100
 duplex full
 spanning-tree portfast

sh cisp interface fastEthernet 0/1
CISP not enabled on specified interface

*Mar  6 23:25:12.600: dot1x-ev(Fa0/1): Role determination not required
*Mar  6 23:25:12.600: dot1x-ev(Fa0/1): New client detected, issuing Start Request to AuthMgr

sSW#sh cisp summary
CISP is running on the following interface(s):
----------------------------------------------
  Fa0/8 (supplicant)

sSW#sh cisp clients
Supplicant Client Table:
------------------------
  MAC Address     VLAN    Interface
  ---------------------------------
  0000.0c07.ac01   332    Fa0/8
  0024.14af.3e09     1    Fa0/8
  8cb6.4fab.c7c1   332    Vl332
  0022.9031.53ff   332    Fa0/8
  0024.14af.3e09   332    Fa0/8
  8cb6.4fab.c7c0     1    Vl1

sSW#sh cisp interface fastEthernet 0/1
CISP not enabled on specified interface

2 REPLIES
NEAT configuration issue

Hi Amin,

Please have a look at the brief on CISP:

http://tools.cisco.com/ITDIT/CFN/Dispatch?act=featdesc&task=display&featureId=9434

In my understanding, CISP only works on the switch-to-switch port.

----------

Which can win the race: increasing bandwidth with new technologies VS QoS?

-- Best Regards

NEAT configuration issue

Hi,

When using NEAT, the switch authenticates itself to the upstream switch so that the link becomes a trunking port. The switch that the client is connecting to must have the RADIUS configuration to support dot1x, much like your other switches. That switch that authenticates itself must have its IP address added to the RADIUS server database so it can authenticate.

Let me know if that helps point you in the right direction.

Tarik Admani
*Please rate helpful posts*
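
An added example, not part of the thread and not Cisco code: a small Python audit of the sSW configuration for the point made in the reply above, that the switch the client plugs into needs its own dot1x and RADIUS configuration. The required-command baseline (standard IOS commands that do not appear on the page) and the condensed, indented sample config are assumptions.

```python
import re

# Constructed sample: the sSW configuration from the post, condensed and indented.
SSW_CONFIG = """\
cisp enable
dot1x supplicant force-multicast
interface FastEthernet0/8
 switchport mode trunk
 dot1x pae supplicant
interface FastEthernet0/1
 switchport mode access
"""

# Assumed baseline of standard IOS commands; none of these appear on the page.
GLOBAL_REQUIRED = {
    "aaa new-model": r"aaa new-model$",
    "aaa authentication dot1x": r"aaa authentication dot1x \S+",
    "dot1x system-auth-control": r"dot1x system-auth-control$",
    "RADIUS server definition": r"radius[- ]server \S+",
}
PORT_REQUIRED = ("dot1x pae authenticator", "authentication port-control auto")

def parse(config):
    """Split a config into global lines and per-interface command lists."""
    globals_, ifaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "!"):
            continue
        m = re.match(r"interface (\S+)", line)
        if m:
            current = ifaces.setdefault(m.group(1), [])
        elif current is not None and raw[:1].isspace():
            current.append(line)
        else:
            current = None
            globals_.append(line)
    return globals_, ifaces

def audit(config):
    """List missing global 802.1X settings and access ports with no authenticator."""
    globals_, ifaces = parse(config)
    findings = [f"global: missing {name}" for name, pat in GLOBAL_REQUIRED.items()
                if not any(re.match(pat, g) for g in globals_)]
    for name, cmds in ifaces.items():
        if "switchport mode access" not in cmds:
            continue  # trunk uplinks such as the NEAT supplicant port are skipped
        findings += [f"{name}: missing '{c}'" for c in PORT_REQUIRED if c not in cmds]
    return findings
```

Run against the posted sSW configuration, `audit(SSW_CONFIG)` reports the four missing global settings and flags FastEthernet0/1 for both port-level commands, while the Fa0/8 trunk is skipped.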
