Hi guys,
I just added a Cisco Catalyst 2960-S (running latest IOS version) to my test
environment using 802.1X with MAC Authentication bypass (Multi-Domain)
following the PacketFence official documentation.
I hooked up a Voice-IP phone (Cisco SPA514) on a switch port, the phone was
successfully registered on my voice VLAN, then I hooked up a PC on the phone's
switch port, went through the registration process and got it successfully
registered on my production VLAN.
Everything was working as expected, until I decided to connect another PC
(never registered before) to the phone's switch port....the phone went
completely off, then I checked the switch port status, here is the result:

GigabitEthernet1/0/37 is down, line protocol is down (err-disabled)

Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/37                     err-disabled 162          auto   auto 10/100/1000BaseTX

I re-plugged the phone to the switch port, but it did not help at all, then I
ran "shutdown" on the interface and then "no shutdown", then everything went
back to normal and I was able to register this new PC.
I was able to reproduce this issue twice.
I tested with both de-auth methods: SNMP and RADIUS.
Anything showed up on the packetfence.log
Here is my switch config on the device and Packetfence:

[192.168.1.59]
description=SWITCH03
group=Cisco_Catalyst_2960

[group Cisco_Catalyst_2960]
RoleMap=N
mode=production
AD01Vlan=162
SNMPCommunityRead=SNMPpass
useCoA=Y
SNMPCommunityWrite=SNMPpass
VoIPCDPDetect=N
deauthMethod=RADIUS
VoIPDHCPDetect=Y
AccessListMap=N
description=Switch _01
type=Cisco::Catalyst_2960
VoIPLLDPDetect=N
VoIPEnabled=Y
isolationVlan=360
radiusSecret=StrongRadius
UrlMap=N
registrationVlan=260
voiceVlan=20

-----------------------------------------------------------------------------------------------------------------

dot1x system-auth-control
aaa new-model
aaa group server radius packetfence
 server name pfnac
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
radius server pfnac
 address ipv4 192.168.1.31 auth-port 1812 acct-port 1813
 automate-tester username dummy ignore-acct-port idle-time 3
 key 0 StrongRadius
radius-server vsa send authentication
aaa server radius dynamic-author
 client StrongRadius server-key StrongRadius
 port 3799
snmp-server community SNMPpass RO
snmp-server community SNMPpass RW

switchport mode access
switchport voice vlan 20
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 10800
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3
spanning-tree portfast

Any thoughts?
Thank you.
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users