What about the IP phone problem I have? If I connect it through the IP phone, it doesn't work anymore. Have you ever faced this issue before?
Does the IP phone need to be registered to CUCME to pass 802.1X through to the PC?

On Thu, Nov 14, 2013 at 5:47 AM, jeremy co <jeremy.coo...@gmail.com> wrote:
> Meraj,
>
> Adding this ACL solved the problem, but my IOS is 15.
>
> Interestingly, I removed the ACL and it is still working. Is that a bug?
>
> On Thu, Nov 14, 2013 at 5:31 AM, MERAJ Khalid <merajkha...@hotmail.com> wrote:
>> Have you created the ACLs on the switch?
>>
>> Define Local (Default) ACLs on the Switch
>>
>> Enable these functions on older switches (with Cisco IOS software releases earlier than 12.2(55)SE) to ensure Cisco ISE is able to perform the dynamic ACL updates required for authentication and authorization by entering the following commands:
>>
>> ip access-list extended ACL-ALLOW
>>  permit ip any any
>> !
>> ip access-list extended ACL-DEFAULT
>>  remark DHCP
>>  permit udp any eq bootpc any eq bootps
>>  remark DNS
>>  permit udp any any eq domain
>>  remark Ping
>>  permit icmp any any
>>  remark PXE / TFTP
>>  permit udp any any eq tftp
>>  remark Allow HTTP/S to ISE and WebAuth portal
>>  permit tcp any host <Cisco_ISE_IP_address> eq www
>>  permit tcp any host <Cisco_ISE_IP_address> eq 443
>>  permit tcp any host <Cisco_ISE_IP_address> eq 8443
>>  permit tcp any host <Cisco_ISE_IP_address> eq 8905
>>  permit udp any host <Cisco_ISE_IP_address> eq 8905
>>  permit udp any host <Cisco_ISE_IP_address> eq 8906
>>  permit tcp any host <Cisco_ISE_IP_address> eq 8080
>>  permit udp any host <Cisco_ISE_IP_address> eq 9996
>>  remark Drop all the rest
>>  deny ip any any log
>>
>> ------------------------------
>> Date: Thu, 14 Nov 2013 05:00:22 -0800
>> From: jeremy.coo...@gmail.com
>> To: ccie...@groupstudy.com; ccie_security@onlinestudylist.com; pio...@ipexpert.com; jay.mcmic...@yahoo.com
>> Subject: [OSL | CCIE_Security] ANY ONE ? strange issue: wired 802.1x windows through ipphone problem not directly!
>>
>> Hi,
>>
>> If I plug the PC directly into the switch it works fine, but if I put it through the IP phone, it doesn't work.
>>
>> The phone authenticates via MAB just fine and then I get the error below:
>> %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client
>>
>> aaa new-model
>> !
>> aaa authentication login default local
>> aaa authentication dot1x default group radius
>> aaa authorization network default group radius
>> !
>> aaa server radius dynamic-author
>>  client 100.0.0.10
>>  server-key cisco123
>> !
>> ip device tracking
>> !
>> dot1x system-auth-control
>> !
>> interface GigabitEthernet1/0/5
>>  switchport mode access
>>  switchport voice vlan 9
>>  logging event spanning-tree
>>  authentication host-mode multi-auth
>>  authentication order mab dot1x
>>  authentication priority dot1x mab
>>  authentication port-control auto
>>  mab
>>  dot1x pae authenticator
>>  spanning-tree portfast
>> !
>> interface Vlan1
>>  ip address 100.0.0.3 255.255.255.0
>> !
>> ip radius source-interface Vlan1
>> !
>> radius-server attribute 6 on-for-login-auth
>> radius-server attribute 8 include-in-access-req
>> radius-server attribute 25 access-request include
>> radius-server host 100.0.0.10 auth-port 1812 acct-port 1813 key cisco123
>> radius-server vsa send accounting
>> radius-server vsa send authentication
>> !
>>
>> SW1#$ sh authentication sessions int f1/0/5
>>             Interface:  FastEthernet1/0/5
>>           MAC Address:  48f8.b32b.24a3
>>            IP Address:  Unknown
>>             User-Name:  48f8b32b24a3
>>                Status:  Running
>>                Domain:  DATA
>>       Security Policy:  Should Secure
>>       Security Status:  Unsecure
>>        Oper host mode:  multi-auth
>>      Oper control dir:  both
>>       Session timeout:  N/A
>>          Idle timeout:  N/A
>>     Common Session ID:  640000010000000E01DFBAEC
>>       Acct Session ID:  0x00000011
>>                Handle:  0x0D00000E
>>
>> Runnable methods list:
>>        Method   State
>>        dot1x    Running
>>
>> ----------------------------------------
>>             Interface:  FastEthernet1/0/5
>>           MAC Address:  000f.2340.71cb
>>            IP Address:  Unknown
>>             User-Name:  00-0F-23-40-71-CB
>>                Status:  Authz Success
>>                Domain:  VOICE
>>       Security Policy:  Should Secure
>>       Security Status:  Unsecure
>>        Oper host mode:  multi-auth
>>      Oper control dir:  both
>>         Authorized By:  Authentication Server
>>               ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2
>>       Session timeout:  N/A
>>          Idle timeout:  N/A
>>     Common Session ID:  640000010000000F01DFD428
>>       Acct Session ID:  0x00000012
>>                Handle:  0x8C00000F
>>
>> Runnable methods list:
>>        Method   State
>>        dot1x    Failed over
>>
>> Eventually it times out. My suspicion is that it never passes 802.1X to the PC.
>>
>> -----------------------------------------------------------------------------------------------------------------
>> %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
>> dot1x-ev(Fa1/0/5): Received Authz fail for the client 0x660000A7 (48f8.b32b.24a3)
>> dot1x-ev(Fa1/0/5): Deleting client 0x660000A7 (48f8.b32b.24a3)
>> %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
>> %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
>> %AUTHMGR-5-FAIL: Authorization failed for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
>> dot1x-ev:Delete auth client (0x660000A7) message
>> dot1x-ev:Auth client ctx destroyed
>> dot1x-ev:Aborted posting message to authenticator state machine: Invalid client
>> SW1#$
>>
>> dot1x-ev(Fa1/0/5): Couldn't find the supplicant in the list
>> dot1x-ev(Fa1/0/5): Sending create new context event to EAP for 0xED0000A8 (48f8.b32b.24a3)
>> dot1x-ev(Fa1/0/5): Created a client entry (0xED0000A8)
>> dot1x-ev(Fa1/0/5): Dot1x authentication started for 0xED0000A8 (48f8.b32b.24a3)
>> %AUTHMGR-5-START: Starting 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
>> SW1#$
>>
>> dot1x-ev(Fa1/0/5): Sending EAPOL packet to 48f8.b32b.24a3
>> dot1x-ev(Fa1/0/5): Role determination not required
>> dot1x-ev(Fa1/0/5): Sending out EAPOL packet
>>
>> _______________________________________________
>> Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos :: iPexpert on YouTube: www.youtube.com/ipexpertinc

_______________________________________________
Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos :: iPexpert on YouTube: www.youtube.com/ipexpertinc
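The pattern in the thread (phone session in the VOICE domain authorized by MAB, PC session in the DATA domain stuck in dot1x "Running", then %AUTHMGR 'no-response', FAILOVER and NOMOREMETHODS for the PC's MAC) is easy to spot by hand on one port and tedious across a campus. The script below is an added example, not code from the thread or from Cisco: it parses `show authentication sessions` output and %AUTHMGR syslog lines and reports DATA-domain clients that are not authorized on a port that already carries an authorized VOICE session, together with how many dot1x 'no-response' results and method exhaustions that MAC has logged. The sample input is trimmed from the output quoted in the thread (same MACs and session IDs); the field names and the correlation-by-MAC choice are assumptions of this example, as is the script's own output format.

```python
"""Added example (not from the thread): find PCs behind IP phones whose dot1x
attempts end in 'no-response'. Sample input is trimmed from the thread."""
import re
from typing import Dict, List

SHOW_SESSIONS = """\
Interface: FastEthernet1/0/5
MAC Address: 48f8.b32b.24a3
Status: Running
Domain: DATA
Common Session ID: 640000010000000E01DFBAEC
Runnable methods list:
Method State
dot1x Running
----------------------------------------
Interface: FastEthernet1/0/5
MAC Address: 000f.2340.71cb
Status: Authz Success
Domain: VOICE
Authorized By: Authentication Server
Common Session ID: 640000010000000F01DFD428
Runnable methods list:
Method State
dot1x Failed over
"""

SYSLOG = """\
%AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
%AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
%AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
%AUTHMGR-5-FAIL: Authorization failed for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
%AUTHMGR-5-START: Starting 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
"""

# Generic shape of the %AUTHMGR lines shown in the thread.
AUTHMGR_RE = re.compile(
    r"%AUTHMGR-(?P<sev>\d)-(?P<mnemonic>[A-Z]+): (?P<msg>.*?) for client "
    r"\((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+) AuditSessionID (?P<sid>\w+)")
RESULT_RE = re.compile(r"Authentication result '(?P<result>[^']+)' from '(?P<method>[^']+)'")


def parse_show_sessions(text: str) -> List[Dict[str, object]]:
    """One dict per session block; 'methods' maps method name -> state."""
    sessions: List[Dict[str, object]] = []
    for block in re.split(r"^-{10,}\s*$", text, flags=re.M):
        fields: Dict[str, object] = {}
        methods: Dict[str, str] = {}
        in_methods = False
        for line in (l.strip() for l in block.splitlines() if l.strip()):
            if line.startswith("Runnable methods list"):
                in_methods = True
            elif in_methods and not line.startswith("Method"):   # skip header row
                name, _, state = line.partition(" ")              # "dot1x Failed over"
                methods[name] = state
            elif not in_methods and ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if "MAC Address" in fields:
            fields["methods"] = methods
            sessions.append(fields)
    return sessions


def parse_authmgr(text: str) -> List[Dict[str, str]]:
    """One dict per %AUTHMGR line; RESULT lines also carry method and result."""
    events = []
    for line in text.splitlines():
        m = AUTHMGR_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        r = RESULT_RE.search(ev["msg"])
        ev["method"], ev["result"] = (r["method"], r["result"]) if r else ("", "")
        events.append(ev)
    return events


def find_silent_supplicants(sessions, events) -> List[Dict[str, object]]:
    """Unauthorized DATA sessions, flagged when the same port already has an
    authorized VOICE session (PC behind a phone). Correlation with syslog is by
    MAC, since 'show' prints FastEthernet1/0/5 but syslog abbreviates to Fa1/0/5."""
    voice_ok = {s["Interface"] for s in sessions
                if s.get("Domain") == "VOICE" and s.get("Status") == "Authz Success"}
    no_resp: Dict[str, int] = {}
    exhausted: Dict[str, int] = {}
    for ev in events:
        if ev["mnemonic"] == "RESULT" and ev["method"] == "dot1x" and ev["result"] == "no-response":
            no_resp[ev["mac"]] = no_resp.get(ev["mac"], 0) + 1
        elif ev["mnemonic"] == "NOMOREMETHODS":
            exhausted[ev["mac"]] = exhausted.get(ev["mac"], 0) + 1
    findings = []
    for s in sessions:
        if s.get("Domain") != "DATA" or s.get("Status") == "Authz Success":
            continue
        mac = s["MAC Address"]
        findings.append({"interface": s["Interface"], "mac": mac,
                         "behind_phone": s["Interface"] in voice_ok,
                         "dot1x_state": s["methods"].get("dot1x", "absent"),
                         "no_response": no_resp.get(mac, 0),
                         "exhausted": exhausted.get(mac, 0)})
    return findings


if __name__ == "__main__":
    for f in find_silent_supplicants(parse_show_sessions(SHOW_SESSIONS), parse_authmgr(SYSLOG)):
        print(f)
```

Run against the thread's own output it reports one finding: 48f8.b32b.24a3 on FastEthernet1/0/5, behind_phone True, dot1x still Running, one 'no-response' and one method exhaustion. A finding with behind_phone True and a growing no_response count is the signature of EAPOL never reaching (or never being answered by) the data device behind the phone, which is the symptom the thread describes; the script only surfaces that state and does not claim a root cause.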