Sadiq, you understand the issues correctly.

1. Maraj solved it, multi-auth also works.
2. It's the same OS that I connect directly to the switch and it works fine. I have to try with multi-domain to see if it is different.

On Thu, Nov 14, 2013 at 6:03 AM, Sadiq Yakasai <sadiqta...@gmail.com> wrote:
> Hi Jeremy,
>
> So are there two issues here? 1. You cannot ping when the PC is directly attached
> to this? 2. When the PC is behind the IP phone, dot1x does not authenticate
> for the PC?
>
> 1. Multi-auth host mode does not allow dynamic VLAN assignment (I don't
> know if the newer code on the switches allows this). This means the client
> is placed in VLAN 1 after successful authentication. The SVI has a
> different IP address to the client and hence no ping. Configure the client
> in the same subnet as the SVI and let us know if it works.
>
> 2. Is this a Cisco IP phone? After the session times out, can you disable
> and re-enable dot1x under the PC interface? I am hoping the OS you are
> using is configured to send out EAPoL Start frames (as not all OSs can do
> this). Does that trigger anything on the switch? Can you try this all with
> the host-mode configured as multi-domain (and not multi-auth)?
>
> What switch hardware and software are you running?
>
> HTH,
>
> Sadiq
>
>
> On Thu, Nov 14, 2013 at 1:19 PM, jeremy co <jeremy.coo...@gmail.com> wrote:
>
>> I just checked, even when I connect directly and it passes the
>> authentication and authorization, I can't ping anywhere.
>>
>> It's using static IP.
>>
>> SW3#sh authentication sessions int g1/0/5
>>   Interface: GigabitEthernet1/0/5
>>   MAC Address: 48f8.b32b.24e7
>>   IP Address: 169.254.222.218
>>   User-Name: test-pc
>>   Status: Authz Success
>>   Domain: DATA
>>   Oper host mode: multi-auth
>>   Oper control dir: both
>>   Authorized By: Authentication Server
>>   Vlan Policy: 1
>>   ACS ACL: xACSACLx-IP-DATA_VLAN_DACL-5284a641
>>   Session timeout: N/A
>>   Idle timeout: N/A
>>   Common Session ID: 64000003000000280025DE50
>>   Acct Session ID: 0x0000002C
>>   Handle: 0x6D000029
>>
>> Runnable methods list:
>>   Method   State
>>   mab      Not run
>>   dot1x    Authc Success
>>
>> Extended IP access list xACSACLx-IP-DATA_VLAN_DACL-5284a641 (per-user)
>>   10 permit ip any any
>>
>> *any idea?*
>>
>> On Thu, Nov 14, 2013 at 5:00 AM, jeremy co <jeremy.coo...@gmail.com> wrote:
>>
>> > Hi,
>> >
>> > If I plug the PC directly into the switch it works fine, but if I put it through
>> > the IP phone, it doesn't work.
>> >
>> > The phone authenticates via MAB just fine and then I get the error below.
>> > %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client
>> >
>> > aaa new-model
>> > !
>> > aaa authentication login default local
>> > aaa authentication dot1x default group radius
>> > aaa authorization network default group radius
>> > !
>> > aaa server radius dynamic-author
>> >  client 100.0.0.10
>> >  server-key cisco123
>> > !
>> > ip device tracking
>> > !
>> > dot1x system-auth-control
>> > !
>> > interface GigabitEthernet1/0/5
>> >  switchport mode access
>> >  switchport voice vlan 9
>> >  logging event spanning-tree
>> >  authentication host-mode multi-auth
>> >  authentication order mab dot1x
>> >  authentication priority dot1x mab
>> >  authentication port-control auto
>> >  mab
>> >  dot1x pae authenticator
>> >  spanning-tree portfast
>> > !
>> > interface Vlan1
>> >  ip address 100.0.0.3 255.255.255.0
>> > !
>> > ip radius source-interface Vlan1
>> > !
>> > radius-server attribute 6 on-for-login-auth
>> > radius-server attribute 8 include-in-access-req
>> > radius-server attribute 25 access-request include
>> > radius-server host 100.0.0.10 auth-port 1812 acct-port 1813 key cisco123
>> > radius-server vsa send accounting
>> > radius-server vsa send authentication
>> > !
>> >
>> > SW1#$ sh authentication sessions int f1/0/5
>> >   Interface: FastEthernet1/0/5
>> >   MAC Address: 48f8.b32b.24a3
>> >   IP Address: Unknown
>> >   User-Name: 48f8b32b24a3
>> >   Status: Running
>> >   Domain: DATA
>> >   Security Policy: Should Secure
>> >   Security Status: Unsecure
>> >   Oper host mode: multi-auth
>> >   Oper control dir: both
>> >   Session timeout: N/A
>> >   Idle timeout: N/A
>> >   Common Session ID: 640000010000000E01DFBAEC
>> >   Acct Session ID: 0x00000011
>> >   Handle: 0x0D00000E
>> >
>> > Runnable methods list:
>> >   Method   State
>> >   dot1x    Running
>> >
>> > ----------------------------------------
>> >   Interface: FastEthernet1/0/5
>> >   MAC Address: 000f.2340.71cb
>> >   IP Address: Unknown
>> >   User-Name: 00-0F-23-40-71-CB
>> >   Status: Authz Success
>> >   Domain: VOICE
>> >   Security Policy: Should Secure
>> >   Security Status: Unsecure
>> >   Oper host mode: multi-auth
>> >   Oper control dir: both
>> >   Authorized By: Authentication Server
>> >   ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2
>> >   Session timeout: N/A
>> >   Idle timeout: N/A
>> >   Common Session ID: 640000010000000F01DFD428
>> >   Acct Session ID: 0x00000012
>> >   Handle: 0x8C00000F
>> >
>> > Runnable methods list:
>> >   Method   State
>> >   dot1x    Failed over
>> >
>> > *Eventually it times out. My suspicion is it never passes 802.1x to the PC.*
>> >
>> > -----------------------------------------------------------------------------------------------------------------
>> > %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
>> > dot1x-ev(Fa1/0/5): Received Authz fail for the client 0x660000A7 (48f8.b32b.24a3)
>> > dot1x-ev(Fa1/0/5): Deleting client 0x660000A7 (48f8.b32b.24a3)
>> > %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
>> > %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
>> > %AUTHMGR-5-FAIL: Authorization failed for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
>> > dot1x-ev:Delete auth client (0x660000A7) message
>> > dot1x-ev:Auth client ctx destroyed
>> > dot1x-ev:Aborted posting message to authenticator state machine: Invalid client
>> > SW1#$
>> >
>> > dot1x-ev(Fa1/0/5): Couldn't find the supplicant in the list
>> > dot1x-ev(Fa1/0/5): Sending create new context event to EAP for 0xED0000A8 (48f8.b32b.24a3)
>> > dot1x-ev(Fa1/0/5): Created a client entry (0xED0000A8)
>> > dot1x-ev(Fa1/0/5): Dot1x authentication started for 0xED0000A8 (48f8.b32b.24a3)
>> > %AUTHMGR-5-START: Starting 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
>> > SW1#$
>> >
>> > dot1x-ev(Fa1/0/5): Sending EAPOL packet to 48f8.b32b.24a3
>> > dot1x-ev(Fa1/0/5): Role determination not required
>> > dot1x-ev(Fa1/0/5): Sending out EAPOL packet
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>
>
> --
> CCIEx2 (R&S|Sec) #19963
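The PC-behind-phone symptom in the quoted output can be spotted mechanically. The following is an added example, not code from the thread or from Cisco: it parses the text of `show authentication sessions interface` (a constructed sample in the same layout, with made-up MAC addresses) and flags DATA-domain sessions whose dot1x method never completed while a VOICE session shares the port, which is the case Sadiq suggests retrying with multi-domain host mode.

```python
import re
# Constructed sample in the layout of 'show authentication sessions interface' (made-up MACs).
SAMPLE = """\
            Interface:  FastEthernet1/0/5
          MAC Address:  0011.2233.4455
               Status:  Running
               Domain:  DATA
Runnable methods list:
       Method   State
       dot1x    Running
----------------------------------------
            Interface:  FastEthernet1/0/5
          MAC Address:  0011.2233.6677
               Status:  Authz Success
               Domain:  VOICE
Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Failed over
"""

KV = re.compile(r"^\s*([A-Za-z ]+?):\s+(\S.*?)\s*$")    # "Key:  value" lines
METHOD = re.compile(r"^\s*(mab|dot1x)\s+(\S.*?)\s*$")   # rows of the method table

def parse_sessions(text):
    """One dict per dash-separated session block; method states go under 'methods'."""
    sessions = []
    for block in re.split(r"^-{10,}\s*$", text, flags=re.M):
        fields, methods = {}, {}
        for line in block.splitlines():
            if (m := METHOD.match(line)):
                methods[m.group(1)] = m.group(2)
            elif (m := KV.match(line)):          # header rows without ':' are skipped
                fields[m.group(1)] = m.group(2)
        if fields:
            sessions.append({**fields, "methods": methods})
    return sessions

def findings(sessions):
    """(interface, mac, note) for unauthorized clients whose dot1x got no EAPoL reply."""
    voice_ports = {s["Interface"] for s in sessions if s.get("Domain") == "VOICE"}
    out = []
    for s in sessions:
        state = s["methods"].get("dot1x")
        if s.get("Status") != "Authz Success" and state in ("Running", "Failed over"):
            note = "dot1x %s: supplicant sent no EAPoL response" % state
            if s.get("Domain") == "DATA" and s["Interface"] in voice_ports:
                note += "; PC behind phone, verify it sends EAPoL-Start or use multi-domain"
            out.append((s["Interface"], s["MAC Address"], note))
    return out
```

Run it over the real output of the command (any number of session blocks per port) to get one line per client that is still stuck in dot1x.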