No auth session for non dot1x device behind phone

I have a 3560 running 15.0 code configured for dot1x and MAB auth with ISE 1.2. We're having trivial experiences with the auth session starting for a non-dot1x device connected behind a phone that has already passed MAB. There does not appear to be an auth session starting for the device; it acquires an IP and its traffic is subjected to the ACL-DEFAULT on the port, but since there is no auth session, there is no web-auth redirect. ARP shows the device, as does IP Device Tracking. A non-dot1x device connected directly to the port works as expected. A dot1x device behind the phone works fine. Any suggestions would be appreciated.

3560G#sho ip device track all

IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
IP Device Tracking Probe Delay Interval = 0
-----------------------------------------------------------------------
  IP Address     MAC Address   Vlan  Interface                STATE
-----------------------------------------------------------------------
10.1.3.8        d824.bd26.0ee3  103  GigabitEthernet0/3       ACTIVE
10.1.1.39       008c.fa3d.1c78  101  GigabitEthernet0/3       ACTIVE
Total number interfaces enabled: 2
Enabled interfaces:
  Gi0/3

3560G#sho auth sess int g0/3
            Interface:  GigabitEthernet0/3
          MAC Address:  d824.bd26.0ee3
           IP Address:  10.1.3.8
            User-Name:  D8-24-BD-26-0E-E3
               Status:  Authz Success
               Domain:  VOICE
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4e4d854b
      Session timeout:  3600s (local), Remaining: 3528s
       Timeout action:  Reauthenticate
         Idle timeout:  N/A
    Common Session ID:  0A010003000000520377A661
      Acct Session ID:  0x00000057
               Handle:  0x28000053

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

3560G#sho run int g0/3
Building configuration...

Current configuration : 669 bytes
!
interface GigabitEthernet0/3
 switchport access vlan 101
 switchport mode access
 switchport voice vlan 103
 ip access-group ACL-DEFAULT in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 99
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
end

ip access-list extended ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 remark Ping
 permit icmp any any
 remark PXE / TFTP
 permit udp any any eq tftp
 remark traffic to ISE-PSNs
 permit ip any host 10.1.0.13
 permit ip any host 10.1.0.17
 remark Drop all the rest
 deny   ip any any log

Thanks,

Jason
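The symptom described in the post, a host that IP device tracking knows about but that has no authentication session, can be found mechanically by cross-referencing the two show outputs. The script below is an added example, not code from the original post or from Cisco. The sample captures are constructed from the output quoted above (the session capture is abbreviated to the fields the check uses), and the line layout it parses is assumed to be the IOS 15.x format shown there.

```python
"""Cross-check IP device tracking against 802.1X/MAB authentication sessions.

Added example, not code from the original post or from Cisco. The two
show-command captures below are constructed from the output quoted in the
post (the session capture is abbreviated) and assume the IOS 15.x layout."""
import re

# Constructed sample: 'show ip device tracking all' as quoted in the post.
DEVICE_TRACKING = """\
IP Device Tracking = Enabled
-----------------------------------------------------------------------
  IP Address     MAC Address   Vlan  Interface                STATE
-----------------------------------------------------------------------
10.1.3.8        d824.bd26.0ee3  103  GigabitEthernet0/3       ACTIVE
10.1.1.39       008c.fa3d.1c78  101  GigabitEthernet0/3       ACTIVE
Total number interfaces enabled: 2
"""

# Constructed sample: 'show authentication sessions interface g0/3', abbreviated.
AUTH_SESSIONS = """\
            Interface:  GigabitEthernet0/3
          MAC Address:  d824.bd26.0ee3
           IP Address:  10.1.3.8
            User-Name:  D8-24-BD-26-0E-E3
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-domain
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4e4d854b
      Session timeout:  3600s (local), Remaining: 3528s
    Common Session ID:  0A010003000000520377A661
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
"""

# One tracked-host row: IP, dotted MAC, VLAN, interface, state. Header and
# summary lines of the table do not match this pattern.
TRACK_RE = re.compile(
    r"^(?P<ip>\d+(?:\.\d+){3})\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<vlan>\d+)\s+(?P<intf>\S+)\s+(?P<state>\S+)\s*$",
    re.MULTILINE,
)

def norm_mac(mac):
    """Reduce any IOS/ISE MAC spelling (d824.bd26.0ee3, D8-24-BD-26-0E-E3) to 12 hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_device_tracking(text):
    """One dict per tracked host row."""
    return [m.groupdict() for m in TRACK_RE.finditer(text)]

def parse_auth_sessions(text):
    """One dict per session. A session starts at each 'Interface:' line;
    'Label:  value' lines become keys; the runnable-methods table goes in 'methods'."""
    sessions, cur, in_methods = [], None, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Interface:"):
            cur, in_methods = {"methods": {}}, False
            sessions.append(cur)
        if cur is None or not s:
            continue
        if s.startswith("Runnable methods list"):
            in_methods = True
        elif in_methods:
            parts = s.split(None, 1)          # e.g. 'dot1x    Failed over'
            if len(parts) == 2 and parts[0] != "Method":
                cur["methods"][parts[0]] = parts[1]
        else:
            key, _, value = s.partition(":")  # first colon only; values may contain ':'
            cur[key.strip()] = value.strip()
    return sessions

def authenticating_method(session):
    """Name of the method that actually authenticated the session, or None."""
    for method, state in session["methods"].items():
        if state == "Authc Success":
            return method
    return None

def hosts_without_session(tracking, sessions):
    """ACTIVE tracked hosts with no auth session on their interface.

    With 'authentication open' these hosts still forward traffic, subject only
    to the port ACL, and with no session there is nothing for ISE to redirect
    or reauthorize."""
    authed = {(s.get("Interface"), norm_mac(s.get("MAC Address", ""))) for s in sessions}
    return [h for h in tracking
            if h["state"] == "ACTIVE" and (h["intf"], norm_mac(h["mac"])) not in authed]

if __name__ == "__main__":
    tracked = parse_device_tracking(DEVICE_TRACKING)
    sess = parse_auth_sessions(AUTH_SESSIONS)
    for s in sess:
        print(f"{s['MAC Address']} {s['Domain']:<5} {s['Status']} via {authenticating_method(s)}")
    for h in hosts_without_session(tracked, sess):
        print(f"NO SESSION: {h['mac']} {h['ip']} vlan {h['vlan']} on {h['intf']}")
```

Run against the captures above it reports the phone's VOICE-domain session (authenticated by mab after dot1x failed over) and flags 008c.fa3d.1c78 in VLAN 101 as a tracked host with no session. Because the comparison keys on interface plus MAC, the same functions work on a switch-wide `show authentication sessions` and `show ip device tracking all` capture, which is the quicker way to see whether the behaviour is confined to hosts behind phones.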
