Meraj,

Adding this ACL solved the problem, but my IOS is 15. Interestingly, I removed the ACL and it's still working. Is that a bug?

On Thu, Nov 14, 2013 at 5:31 AM, MERAJ Khalid <merajkha...@hotmail.com> wrote:
>
> Have you created the ACLs on the switch?
>
> Define Local (Default) ACLs on the Switch
>
> Enable these functions on older switches (with Cisco IOS software releases earlier than 12.2(55)SE) to ensure Cisco ISE is able to perform the dynamic ACL updates required for authentication and authorization by entering the following commands:
>
> ip access-list extended ACL-ALLOW
>  permit ip any any
> !
> ip access-list extended ACL-DEFAULT
>  remark DHCP
>  permit udp any eq bootpc any eq bootps
>  remark DNS
>  permit udp any any eq domain
>  remark Ping
>  permit icmp any any
>  remark PXE / TFTP
>  permit udp any any eq tftp
>  remark Allow HTTP/S to ISE and WebAuth portal
>  permit tcp any host <Cisco_ISE_IP_address> eq www
>  permit tcp any host <Cisco_ISE_IP_address> eq 443
>  permit tcp any host <Cisco_ISE_IP_address> eq 8443
>  permit tcp any host <Cisco_ISE_IP_address> eq 8905
>  permit udp any host <Cisco_ISE_IP_address> eq 8905
>  permit udp any host <Cisco_ISE_IP_address> eq 8906
>  permit tcp any host <Cisco_ISE_IP_address> eq 8080
>  permit udp any host <Cisco_ISE_IP_address> eq 9996
>  remark Drop all the rest
>  deny ip any any log
>
> ------------------------------
> Date: Thu, 14 Nov 2013 05:00:22 -0800
> From: jeremy.coo...@gmail.com
> To: ccie...@groupstudy.com; ccie_security@onlinestudylist.com; pio...@ipexpert.com; jay.mcmic...@yahoo.com
> Subject: [OSL | CCIE_Security] ANY ONE ? strange issue :wired 802.1x windows through ipphone problem not directly!
>
> Hi,
>
> If I plug the PC directly into the switch it works fine, but if I put it through the IP phone, it doesn't work.
> The phone authenticates via MAB just fine and then I get the error below.
> %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client
>
> aaa new-model
> !
> aaa authentication login default local
> aaa authentication dot1x default group radius
> aaa authorization network default group radius
> !
> aaa server radius dynamic-author
>  client 100.0.0.10
>  server-key cisco123
> !
> ip device tracking
> !
> dot1x system-auth-control
> !
> interface GigabitEthernet1/0/5
>  switchport mode access
>  switchport voice vlan 9
>  logging event spanning-tree
>  authentication host-mode multi-auth
>  authentication order mab dot1x
>  authentication priority dot1x mab
>  authentication port-control auto
>  mab
>  dot1x pae authenticator
>  spanning-tree portfast
> !
> interface Vlan1
>  ip address 100.0.0.3 255.255.255.0
> !
> ip radius source-interface Vlan1
> !
> radius-server attribute 6 on-for-login-auth
> radius-server attribute 8 include-in-access-req
> radius-server attribute 25 access-request include
> radius-server host 100.0.0.10 auth-port 1812 acct-port 1813 key cisco123
> radius-server vsa send accounting
> radius-server vsa send authentication
> !
>
> SW1#$ sh authentication sessions int f1/0/5
>   Interface: FastEthernet1/0/5
>   MAC Address: 48f8.b32b.24a3
>   IP Address: Unknown
>   User-Name: 48f8b32b24a3
>   Status: Running
>   Domain: DATA
>   Security Policy: Should Secure
>   Security Status: Unsecure
>   Oper host mode: multi-auth
>   Oper control dir: both
>   Session timeout: N/A
>   Idle timeout: N/A
>   Common Session ID: 640000010000000E01DFBAEC
>   Acct Session ID: 0x00000011
>   Handle: 0x0D00000E
>
> Runnable methods list:
>   Method   State
>   dot1x    Running
>
> ----------------------------------------
>   Interface: FastEthernet1/0/5
>   MAC Address: 000f.2340.71cb
>   IP Address: Unknown
>   User-Name: 00-0F-23-40-71-CB
>   Status: Authz Success
>   Domain: VOICE
>   Security Policy: Should Secure
>   Security Status: Unsecure
>   Oper host mode: multi-auth
>   Oper control dir: both
>   Authorized By: Authentication Server
>   ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2
>   Session timeout: N/A
>   Idle timeout: N/A
>   Common Session ID: 640000010000000F01DFD428
>   Acct Session ID: 0x00000012
>   Handle: 0x8C00000F
>
> Runnable methods list:
>   Method   State
>   dot1x    Failed over
>
> Eventually it times out. My suspicion is it never passes 802.1x to the PC.
>
> -----------------------------------------------------------------------------------------------------------------
> %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
> dot1x-ev(Fa1/0/5): Received Authz fail for the client 0x660000A7 (48f8.b32b.24a3)
> dot1x-ev(Fa1/0/5): Deleting client 0x660000A7 (48f8.b32b.24a3)
> %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
> %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
> %AUTHMGR-5-FAIL: Authorization failed for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
> dot1x-ev:Delete auth client (0x660000A7) message
> dot1x-ev:Auth client ctx destroyed
> dot1x-ev:Aborted posting message to authenticator state machine: Invalid client
> SW1#$
> dot1x-ev(Fa1/0/5): Couldn't find the supplicant in the list
> dot1x-ev(Fa1/0/5): Sending create new context event to EAP for 0xED0000A8 (48f8.b32b.24a3)
> dot1x-ev(Fa1/0/5): Created a client entry (0xED0000A8)
> dot1x-ev(Fa1/0/5): Dot1x authentication started for 0xED0000A8 (48f8.b32b.24a3)
> %AUTHMGR-5-START: Starting 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 640000010000000E01DFBAEC
> SW1#$
> dot1x-ev(Fa1/0/5): Sending EAPOL packet to 48f8.b32b.24a3
> dot1x-ev(Fa1/0/5): Role determination not required
> dot1x-ev(Fa1/0/5): Sending out EAPOL packet
>
> _______________________________________________
> Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos :: iPexpert on YouTube: www.youtube.com/ipexpertinc
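As an added example (not part of the thread), a small first-match evaluator for the ACL-DEFAULT pre-auth ACL Meraj quoted: it parses the ACEs and reports which flows an unauthenticated host behind the port can reach before any dACL is pushed. It assumes the RADIUS host from the posted config, 100.0.0.10, stands in for <Cisco_ISE_IP_address>, and handles only the any/host address forms that ACL uses.

```python
import ipaddress

PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "tftp": 69, "www": 80}
ISE_IP = "100.0.0.10"  # assumption: the RADIUS host in the posted config is the ISE node
# ACEs of ACL-DEFAULT as quoted in the thread (constructed copy, remarks dropped).
ACL_DEFAULT = f"""
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit udp any any eq tftp
permit tcp any host {ISE_IP} eq www
permit tcp any host {ISE_IP} eq 443
permit tcp any host {ISE_IP} eq 8443
permit tcp any host {ISE_IP} eq 8905
permit udp any host {ISE_IP} eq 8905
permit udp any host {ISE_IP} eq 8906
permit tcp any host {ISE_IP} eq 8080
permit udp any host {ISE_IP} eq 9996
deny ip any any log
"""

def _endpoint(tok, i):
    # Address spec ('any' or 'host A.B.C.D') plus optional 'eq <port>'; None = wildcard.
    addr, i = (None, i + 1) if tok[i] == "any" else (ipaddress.ip_address(tok[i + 1]), i + 2)
    if i < len(tok) and tok[i] == "eq":
        return addr, PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return addr, None, i

def parse_acl(text):
    # Each ACE becomes (action, proto, src, sport, dst, dport); remark lines are skipped.
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        src, sport, i = _endpoint(tok, 2)
        dst, dport, _ = _endpoint(tok, i)
        entries.append((tok[0], tok[1], src, sport, dst, dport))
    return entries

def evaluate(entries, proto, src, dst, sport=None, dport=None):
    # First match wins, then IOS's implicit deny; 'ip' entries match every protocol.
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, esrc, esport, edst, edport in entries:
        if p in ("ip", proto) and esrc in (None, src) and edst in (None, dst) \
                and esport in (None, sport) and edport in (None, dport):
            return action
    return "deny"
```

DHCP, DNS, ICMP and HTTPS to the ISE address evaluate to permit; the same HTTPS flow to any other host, or SSH to ISE, falls through to the final deny.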