Cisco Support Community

Dot1x MAB with MDA Issue

I have configured MAB (MAC Authentication Bypass) with MDA (Multi Domain Access). All devices are successfully authenticating with their respective VLANs. MAB devices are getting authenticated as Voice.

I am using ACS (Radius) for authentication and DHCP relay.

The problem is that the voice device is not getting an IP from the DHCP server. There is no error reported on the switch and RADIUS. Without Dot1x everything is working.

switchport access vlan 105
switchport mode access
switchport voice vlan 108
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
dot1x mac-auth-bypass eap
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-domain
dot1x max-req 1
dot1x guest-vlan 105
spanning-tree portfast
spanning-tree bpduguard enable
ip verify source

7 REPLIES

Re: Dot1x MAB with MDA Issue

Zubair,

Can you please furnish a sh ver and a sh runn from the switch? What version of ACS are you using? Are you sending back any attributes for the phone?

Faisal

Re: Dot1x MAB with MDA Issue

We are using a 3-layer model (Core, Distribution & Access) and all VLAN interfaces are on distribution.

I am passing the av-pair value device-traffic-class=voice from ACS.

We are using ACS 4.1 for Windows and ACS is successfully authenticating both devices.

Even show Dot1x Interface shows proper authentication with the proper domain.

Re: Dot1x MAB with MDA Issue

Zubair,

Please disable port-security and try again.

HTH,

Faisal

Re: Dot1x MAB with MDA Issue

Dear Faisal,

Already tried without port security; the results are the same.

Re: Dot1x MAB with MDA Issue

Zubair,

Interesting. Have you given LLDP a shot yet with your phones? What sort of phones are you using?

Faisal

Re: Dot1x MAB with MDA Issue

Dear Faisal,

I am using Siemens OptiPoint and I think it does not support CDP/LLDP.

Regards,

Zubair

Re: Dot1x MAB with MDA Issue

Zubair,

Last thing I'd ask you to try is to remove the ip source verify and port-security commands both, and test.

If that doesn't fly then open a TAC case.

Thanks,

Faisal
