Buy or Renew
Buy or Renew
Cisco + Splunk: Itā€™s a new day for your data. Learn more.
Ā 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
1387
Views
0
Helpful
1
Replies

Catalyst 45 Series SUP8E ,802.1X ports getting error disabled randomly

MEB
Level 1
Level 1

ā€Ž02-27-2018 06:33 AM - edited ā€Ž03-08-2019 02:02 PM

Good Day All,

Facing a strange issue with Catalyst 45 Series  SUP 8E

802.1X (ISE) ports (that are both in Data and Voice VLAN) getting errors disabled  in a very random manner (because of security Violation) ,although the exact same ISE related configurations are working perfectly in R-E and R+E chassis' with SUP6 and SUP7!!!

 

The main ISE config. :

**************************

aaa server radius dynamic-author
client 172.17.17.36 server-key 7 <>
client 172.20.9.5 server-key 7 <>

**************************

dot1x system-auth-control
dot1x critical eapol

*************************

radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server host 172.17.17.36 auth-port 1812 acct-port 1813 key 7 <>
radius-server host 172.20.9.5 auth-port 1812 acct-port 1813 key 7 <>
radius-server host 172.20.9.5 auth-port 1645 acct-port 1646 test username XXX
radius-server host 172.17.17.36 auth-port 1645 acct-port 1646 test username XXX
radius-server deadtime 10
radius-server vsa send accounting
radius-server vsa send authentication

*******************************************

Interface Configuration

&&&&&&&&&&&&&&&&&&

interface GigabitEthernet1/0/1

switchport access vlan 103
switchport mode access
switchport voice vlan 203
ip access-group ACL-ALLOW in
no logging event link-status
authentication event fail action next-method
authentication event server dead action authorize vlan 103
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 10.00
storm-control action shutdown
storm-control action trap
spanning-tree portfast

******************************************

randomly accross different floors

I tried "MULTI AUTH" instead of "Multi Domain",problem decreased significantly ,yet some few ones are always not working 
is there a new ISE related config. I must configure on SUP 8E that is unique compared to SUP6 and SUP7 ?

Appreciate your urgnet support

Bregards

 

Labels:
0 Helpful
1 Reply 1

charlesjaynes
Level 1
Level 1

ā€Ž02-27-2018 08:27 AM

Something that seems off to me is your auth server dead action is set to authorize vlan 103 which appears to be the vlan for your data domain. I could see that if the switch momentarily loses connectivity with your AAA server, it would fail both devices into that VLAN and trigger an AUTHMGR port violation and err-disable the port. Can you share the err-disable log message you receive when a port shuts down.

 

I don't understand why you would receive a port violation when in multi-auth mode though.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card