Re: [PacketFence-users] Dot1x working but MAB not

[Thomas Michel via PacketFence-users]

Hi,








If using cisco phones make sure CDP is enabled on the switch.



"show cdp neighbors" will show you if a cisco phone is discovered.

Regards,

Tom.

Am 22.03.2021 um 18:14 schrieb NITISH AGGARWAL via PacketFence-users:

authentication host-mode multi-host means that if a single device is authenticated all devices can access the network. So in your configuration it works as expected. Are you using Cisco phones? If not, try to use authentication host-mode multi-auth, which means each new mac address needs to authenticate itself. Otherwise you can use multi-domain mode. Also, you might want to remove the switchport port-security command, they are not needed in a dotx environment. Usefull troubleshooting command is "debug dot1x events" to see what happens when you connect a device and show authetication session interface <interface> detail to see all dot1x configuration and authentications on the switchport.

Only my pc got authenticated via dot1x and no authentication for phone . Although my phone keeps on working no matter it is not authenticated.

But if I used "authentication host mode as multi-domain" instead of multi-host all stops because my phone not gets authenticated then and struck in provisioning. On Mon, Mar 22, 2021, 22:32 Ludovic Zammit <lzam...@inverse.ca <mailto:lzam...@inverse.ca>> wrote:

    Connect both of them and show me the result of this command:

    show authentication session int YOUR_INTERFACE detail

    Thanks,

    Ludovic Zammit
    lzam...@inverse.ca <mailto:lzam...@inverse.ca> ::  +1.514.447.4918
    (x145) :: www.inverse.ca <https://www.inverse.ca/>
    Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu
    <http://www.sogo.nu/>) and PacketFence (http://packetfence.org
    <http://packetfence.org/>)

    On Mar 22, 2021, at 12:55 PM, NITISH AGGARWAL
    <nitishag.i...@gmail.com <mailto:nitishag.i...@gmail.com>> wrote:

    Voice vlan 100 and access vlan 10

    On Mon, Mar 22, 2021, 22:23 Ludovic Zammit <lzam...@inverse.ca
    <mailto:lzam...@inverse.ca>> wrote:

        What’s your voice VLAN id ?

        Thanks,

        Ludovic Zammit
        lzam...@inverse.ca <mailto:lzam...@inverse.ca> ::
         +1.514.447.4918 (x145) :: www.inverse.ca
        <https://www.inverse.ca/>
        Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu
        <http://www.sogo.nu/>) and PacketFence
        (http://packetfence.org <http://packetfence.org/>)

        On Mar 22, 2021, at 12:13 PM, NITISH AGGARWAL
        <nitishag.i...@gmail.com <mailto:nitishag.i...@gmail.com>>
        wrote:

        switchport mode access
        Switchport access vlan 10
        switchport voice vlan 100
        switchport port-security mac-address sticky 0200.000x.xxxx
        switchport port-security maximum 2
        authentication host-mode multi-host
        authentication order dot1x mab
        authentication priority dot1x mab
        authentication port-control auto
        authentication periodic
        mab
        no snmp trap link-status
        dot1x pae authenticator
        dot1x timeout quiet-period 2
        dot1x timeout tx-period 3

        On Mon, Mar 22, 2021, 20:12 Ludovic Zammit
        <lzam...@inverse.ca <mailto:lzam...@inverse.ca>> wrote:

            Hello,

            Show me the interface configuration that you have on
            your switch where you plug your phone.

            Thanks,

            Ludovic Zammit
            lzam...@inverse.ca <mailto:lzam...@inverse.ca> ::
             +1.514.447.4918 (x145) :: www.inverse.ca
            <https://www.inverse.ca/>
            Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu
            <http://www.sogo.nu/>) and PacketFence
            (http://packetfence.org <http://packetfence.org/>)

            On Mar 18, 2021, at 8:27 AM, NITISH AGGARWAL via
            PacketFence-users
            <packetfence-users@lists.sourceforge.net
            <mailto:packetfence-users@lists.sourceforge.net>> wrote:

            Hi,

            I have setup PacketFence as per guide. Dot1x is enabled
            and working but I am not able to use MAB. Due to which
            my ip phones are not get authenticated.

            In switch (cisco 2960) I was using authentication
            host-mode as multi-domain and MAB is enable. But since
            it was not authenticating I am using host-mode as
            multi-host. Now my system and phone is working but it
            is not authenticating my ip phone which is causing
            problem sometimes. I am not able to resolve the issue
            please suggest what needs to be done
            _______________________________________________
            PacketFence-users mailing list
            PacketFence-users@lists.sourceforge.net
            <mailto:PacketFence-users@lists.sourceforge.net>
            https://lists.sourceforge.net/lists/listinfo/packetfence-users
            <https://lists.sourceforge.net/lists/listinfo/packetfence-users>

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

OpenPGP_0x8049779A866B418C.asc
Description: OpenPGP public key

OpenPGP_signature
Description: OpenPGP digital signature

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users