Dot1x authentication some problem

Hi
   hello
   we have a dot1x authentication problem,
   When I enter the dot1x configuration on the interface, the user authentication interface goes into err-disable state
   Below is the interface configuration
interface FastEthernet0/45
switchport access vlan 21
switchport mode access
authentication host-mode multi-auth
authentication port-control auto
mab eap
dot1x pae both
dot1x timeout quiet-period 3
dot1x timeout tx-period 5
spanning-tree portfast
Switch authentication failure log
Jun  4 16:52:16.381: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:52:16.381: %AUTHMGR-5-START: Starting 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:52:16.423: %MAB-5-FAIL: Authentication failed for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:52:16.423: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:52:16.423: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:52:16.423: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:52:16.423: %AUTHMGR-5-FAIL: Authorization failed for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:53:17.165: %AUTHMGR-5-START: Starting 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:53:21.376: %DOT1X-5-SUCCESS: Authentication successful for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID
Jun  4 16:53:21.376: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:53:21.376: %DOT1X_SWITCH-5-ERR_ADDING_ADDRESS: Unable to add address 2c41.380f.f187 on Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:53:21.376: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/45, new MAC address (2c41.380f.f187) is seen.AuditSessionID  0A51F11D000000266273D33D
Jun  4 16:53:21.376: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/45, putting Fa0/45 in err-disable state
Jun  4 16:53:22.400: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/45, changed state to down

AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/45, new MAC address (2c41.380f.f187) is seen.AuditSessionID 0A51F11D000000266273D33D
Interface host mode limits the number of hosts that can be attached to an interface. The limit was exceeded and caused a security violation. The interface is error disabled.
Therefore what NAJAF has said could be one reason, or your CAM table is full, so try the clear mac address-table command and the clear port-security command if the address is secured on a port.
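As an added example (not code from the post or from Cisco), the following Python rebuilds the session timeline from the syslog lines above. It keys events on AuditSessionID, attaches lines that carry no session ID (the %PM and %LINEPROTO messages, and the %DOT1X-5-SUCCESS line whose ID is cut off in the paste) to the last session seen on the same port, and names the sequence that ends in err-disable: authentication succeeds, the MAC cannot be added, security violation, port shut. SAMPLE_LOG is the log from the post; the verdict wording is this example's own.

```python
"""Rebuild 802.1X/MAB session timelines from Cisco IOS syslog lines.

Added example for this thread, not code from the post or from Cisco. Lines
without an AuditSessionID are attached to the last session seen on the
same port. SAMPLE_LOG is copied from the post above.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jun  4 16:52:16.381: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:52:16.381: %AUTHMGR-5-START: Starting 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:52:16.423: %MAB-5-FAIL: Authentication failed for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:52:16.423: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:52:16.423: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:52:16.423: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:52:16.423: %AUTHMGR-5-FAIL: Authorization failed for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:53:17.165: %AUTHMGR-5-START: Starting 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:53:21.376: %DOT1X-5-SUCCESS: Authentication successful for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID
Jun  4 16:53:21.376: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:53:21.376: %DOT1X_SWITCH-5-ERR_ADDING_ADDRESS: Unable to add address 2c41.380f.f187 on Fa0/45 AuditSessionID 0A51F11D000000266273D33D
Jun  4 16:53:21.376: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/45, new MAC address (2c41.380f.f187) is seen.AuditSessionID  0A51F11D000000266273D33D
Jun  4 16:53:21.376: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/45, putting Fa0/45 in err-disable state
Jun  4 16:53:22.400: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/45, changed state to down
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:.]+): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$"
)
MAC_RE = re.compile(r"\(([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)")
IFACE_RE = re.compile(r"\bon (?:the )?(?:[Ii]nterface )?(\S+?)(?:,|\s|$)")
SESSION_RE = re.compile(r"AuditSessionID\s+([0-9A-F]+)")
METHOD_RE = re.compile(r"'(dot1x|mab|webauth)'")
IFACE_SHORT = (("TenGigabitEthernet", "Te"), ("GigabitEthernet", "Gi"), ("FastEthernet", "Fa"))


def normalize_iface(name):
    """'FastEthernet0/45' and 'Fa0/45' name the same port."""
    for long, short in IFACE_SHORT:
        if name.startswith(long):
            return short + name[len(long):]
    return name


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    for key, rx in (("mac", MAC_RE), ("iface", IFACE_RE), ("session", SESSION_RE), ("method", METHOD_RE)):
        hit = rx.search(ev["msg"])
        ev[key] = hit.group(1) if hit else None
    if ev["iface"]:
        ev["iface"] = normalize_iface(ev["iface"])
    return ev


def build_sessions(lines):
    sessions = defaultdict(list)
    last_session_on = {}                       # iface -> most recent AuditSessionID
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["session"] is None:              # PM/LINEPROTO or a truncated paste
            ev["session"] = last_session_on.get(ev["iface"])
        if ev["session"] is None:
            continue                           # nothing to attach it to
        sessions[ev["session"]].append(ev)
        if ev["iface"]:
            last_session_on[ev["iface"]] = ev["session"]
    return dict(sessions)


def diagnose(events):
    tags = [(e["fac"], e["mnemonic"]) for e in events]
    authenticated = ("DOT1X", "SUCCESS") in tags or ("MAB", "SUCCESS") in tags
    result = {
        "iface": next((e["iface"] for e in events if e["iface"]), None),
        "mac": next((e["mac"] for e in events if e["mac"]), None),
        "methods_tried": [e["method"] for e in events if (e["fac"], e["mnemonic"]) == ("AUTHMGR", "START")],
        "authenticated": authenticated,
        "violation": ("AUTHMGR", "SECURITY_VIOLATION") in tags,
        "err_disabled": ("PM", "ERR_DISABLE") in tags,
    }
    if result["violation"] and authenticated and ("DOT1X_SWITCH", "ERR_ADDING_ADDRESS") in tags:
        result["verdict"] = ("authenticated, but the switch could not add the MAC: "
                             "host-mode limit reached or the address is already held on the port")
    elif result["violation"]:
        result["verdict"] = "a MAC other than the authorized one appeared on the port"
    elif ("AUTHMGR", "NOMOREMETHODS") in tags and not authenticated:
        result["verdict"] = "every method exhausted without a successful response"
    elif authenticated:
        result["verdict"] = "authenticated"
    else:
        result["verdict"] = "in progress"
    return result


def report(lines):
    return {sid: diagnose(evs) for sid, evs in build_sessions(lines).items()}


if __name__ == "__main__":
    for sid, verdict in report(SAMPLE_LOG).items():
        print(sid, verdict)
```

Feed it `show logging` output (or a syslog collector export) and every session that ended in a violation comes out with the port, the MAC, the methods that were tried and whether the port was actually shut, which is the information you need before deciding between clearing the secured address and changing the host mode.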

Similar Messages

  • ISE; machine based dot1x authentication not working

    Hi there,
    I'm currently trying out dot1x authentication with MDA. The phone is currently authenticated via MAB. I succeeded in doing the same with a Win7 workstation, but now I have a problem with true dot1x auth. Whenever the client tries to authenticate to the ISE it is using the notorious "host/" prefix. I read in the ACS 5.2 user guide that there is an option to crop it. I tried to find the same feature in the ISE, but it seems there is none.
    I have the authentication policy configured to use a certificate authentication profile as identity source when the method is dot1x without any additional conditions.
    In this profile I tried several options, including the common name, subject, subject alternative name. Nothing helped.
    Does anybody have a tip on how to solve this?
    Thanks in advance

    If I understood correctly I don't need to create an external identity source when using the Certificate Authentication Profile feature.
    This is what I got from the documentation:
    "Certificate authentication profiles are used in  authentication policies for certificate-based authentications in place  of identity sources to verify the authenticity of the user."
    I intend to use machine based authentication without contacting an external identity source.
    I also ensured the root CA certificate is selected to be used for EAP-TLS authentication.
    This brings me to another question.
    If the CA issuing machine or user certificates is itself an intermediate CA, do I have to install a chained certificate (intermediate CA + root CA) in the ISE, or both CA certificates separately?
    Thanks in advance
    Regards,
    Patrick

  • Dot1x authentication - Switch 3650 / Polycom phone 430

    Hi,
    I have a switch 3650 with the IP base image IOS 12.2(25)SEE3, a Polycom SoundPoint IP 430 SIP phone, a RADIUS server (IAS 2003) and a Windows XP PC.
    I enabled the Windows XP PC for wired authentication (started the Wired AutoConfig service, added the AuthMode and SupplicantMode registry entries, chose Enable IEEE 802.1x authentication with PEAP, then Secured password (EAP-MSCHAP v2)).
    I configured the RADIUS server for Ethernet authentication and domain users. In the profile I chose EAP, MSCHAP v2.
    The port configuration of the switch is as following:
    Switch#sh run int fa0/1
    Building configuration...
    Current configuration : 590 bytes
    interface FastEthernet0/1
    switchport access vlan 121
    switchport mode access
    switchport voice vlan 155
    switchport priority extend trust
    service-policy input QoS-Policy-LAN
    speed 100
    duplex full
    spanning-tree portfast
    end
    I configured the switch as the following:
    switch(config)#dot1x system-auth-control
    Under the interface configuration mode:
    switch(config-if)#dot1x port-control auto
    switch(config-if)#dot1x pae authenticator
    switch(config-if)#dot1x host-mode multi-host
    I plugged the PC directly into the switch port, I got the message that additional credentials are required for the PC to connect to the network, so I entered my Windows username and password and was successfully authenticated.
    Then I plugged the PC into the phone (Polycom 430) and the phone into the switch port. The network card appears as attempting to authenticate but it doesn't prompt, and I am not able to access the network, nor am I able to use the phone. (The problem is that the authentication packets sent from the PC do not reach the switch; as I see in debug dot1x on the switch, comparing when I connected the PC alone and when I connected the PC and phone, the client ID trying to authenticate is different in each case. I will put the debug for both below, when it connects and when it was unable to connect.)
    I tried dot1x host-mode single-host
    I made many changes, one time with single-host and then with multi-host: (each time, I tried disabling/enabling the network card of the PC, and making a phone call in order to generate traffic)
    First I added dot1x mac-auth-bypass - disconnected and reconnected -- didn't work (neither phone nor PC)
    Second, in addition to the first, I added dot1x control-direction in --- didn't work (neither phone nor PC).
    Then I removed both these settings and I set:
    dot1x guest-vlan 155 where 155 is the voice vlan
    dot1x auth-fail vlan 155
    Nothing was working
    Then I added these 2 records, in addition to the dot1x mac-auth-bypass; nothing was working.
    In the attachment, I marked in blue font where I saw the ClientID. After the state-machine record that shows the client ID, I saw that the debug output changed.
    CDP is enabled on both the phone and the switch, and when I use show cdp, I see the phone connected to the port.
    Thanks
    Sayed

    One test I ran was setting the duplex to half on all switches/phone/PC.
    I brought a small switch, connected it to the Cisco 3650 with the port configuration
    and I did two more tests:
    test1,
         dot1x port-control auto
         dot1x pae authenticator
         dot1x host-mode multi-host
    The PC authenticated successfully and I was able to access the network as well as to make phone calls.
    Test2.
         dot1x port-control auto
         dot1x pae authenticator
         dot1x host-mode single-host
    The PC was able to authenticate and access the network but the phone was not able to.
    The problem, I am thinking, is that the phone wants to try to authenticate, and doesn't let the authentication of the PC pass.
    I hope somebody can help me, regarding this problem
    Thanks

  • 802.1x / dot1x Authentication, including Voice-Vlan and Guest-Vlan

    Hello,
    I have tried to configure dot1x based authentication.
    With a single host including guest-vlan, everything works fine.
    But I want to use an IP phone (which is authenticated every time) and behind the phone a client.
    Is there a possible solution? And unfortunately the IP phones are Avaya phones.
    I have just tried this...
    interface GigabitEthernet0/4
    switchport access vlan 121
    switchport mode access
    switchport voice vlan 200
    authentication event fail action authorize vlan 99
    authentication event server dead action authorize vlan 121
    authentication event server alive action reinitialize
    authentication host-mode multi-host
    authentication order dot1x
    authentication port-control auto
    authentication periodic
    authentication violation restrict
    dot1x pae authenticator
    dot1x timeout quiet-period 10
    dot1x timeout tx-period 1
    spanning-tree portfast
    Thanks, for any possible solution!

    Unfortunately, because they are Avaya phones, the easy answer, CDP bypass, fails in this instance. When you plug in the phone, the switch will assume it's the 'single host' for this port, and restrict the port due to the authentication for the phone failing. Maybe you can just hard-code the voice VLANs on each phone, but that could get tedious depending on the number of phones.
    I believe there is a DHCP option you can pass back that indicates the phone should be running on VLAN 200, but for this to work you'd also need to set up a pre-auth ACL that would allow DHCP to work in the unauthorized state. I think it's 147 off the top of my head.
    Another solution (which isn't what you originally wanted, but it would work) is to just use multi-domain instead of single-host, and authenticate both the phone and the PC. The RADIUS server should be able to distinguish between what is configured as a phone and what is a host, and will send back the appropriate VLAN if configured correctly.
    What are you using for a RADIUS server?
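The two phone threads above (Polycom on single-host/multi-host, Avaya on multi-host with multi-domain suggested) and the "host mode limits the number of hosts" explanation in the first reply all turn on the same rules, so here is an added example, not Cisco code, that models them: how each IOS host mode admits MAC addresses on one port, and what each `authentication violation` action does when the limit is hit. CDP/LLDP phone bypass is deliberately left out, so a phone the switch cannot classify as voice is just another data host, which is the situation the Avaya reply describes. The phone MAC is constructed; the PC MAC is the client MAC from the first post.

```python
"""Toy model of IOS 802.1X host-mode admission on one switch port.

Added example for the host-mode discussion in this thread; not Cisco code.
Covers single-host, multi-host, multi-domain (MDA) and multi-auth plus the
'authentication violation' actions. CDP/LLDP phone bypass is not modeled:
a phone the switch cannot classify as voice is just another data host.
"""

# host mode -> (data hosts allowed, voice hosts allowed); None = no limit
CAPS = {
    "single-host": (1, 0),
    "multi-host": (None, 0),
    "multi-domain": (1, 1),
    "multi-auth": (None, 1),
}
VIOLATION_ACTIONS = ("shutdown", "restrict", "protect", "replace")
PHONE = "0004.f2aa.bbcc"     # constructed
PC = "2c41.380f.f187"        # client MAC from the first post


class Port:
    def __init__(self, host_mode, violation="shutdown"):
        if host_mode not in CAPS:
            raise ValueError(f"unknown host mode {host_mode!r}")
        if violation not in VIOLATION_ACTIONS:
            raise ValueError(f"unknown violation action {violation!r}")
        self.host_mode = host_mode
        self.violation = violation
        self.sessions = {"data": {}, "voice": {}}    # domain -> {mac: authorized}
        self.err_disabled = False
        self.events = []

    def _violation(self, mac, domain):
        """Admission result for the offending MAC, or None to retry after 'replace'."""
        self.events.append(f"SECURITY_VIOLATION: new MAC {mac} in {domain} domain")
        if self.violation == "shutdown":               # IOS default: err-disable the port
            self.err_disabled = True
            self.events.append("ERR_DISABLE: security-violation")
        elif self.violation == "replace" and domain == "data":
            self.sessions["data"].clear()              # newcomer takes over the data session
            return None
        return False                                   # restrict: drop + syslog/trap; protect: drop silently

    def admit(self, mac, domain="data", authenticated=True):
        """Return True if frames from `mac` are forwarded after this event."""
        if self.err_disabled:
            return False
        if CAPS[self.host_mode][1] == 0:
            domain = "data"                            # no voice domain in this mode
        table = self.sessions[domain]
        if mac in table:
            return table[mac]
        cap = CAPS[self.host_mode][0 if domain == "data" else 1]
        if cap is not None and len(table) >= cap:
            outcome = self._violation(mac, domain)
            return self.admit(mac, domain, authenticated) if outcome is None else outcome
        if self.host_mode == "multi-host" and domain == "data":
            # one successful authentication authorizes the port for every attached host
            authorized = authenticated or any(table.values())
            if authorized:
                for other in table:
                    table[other] = True
        else:
            authorized = authenticated                 # each host answers for itself
        table[mac] = authorized
        self.events.append(f"{domain} {mac}: {'authorized' if authorized else 'unauthorized'}")
        return authorized


def phone_then_pc(host_mode, violation="shutdown", phone_authenticated=False):
    """Replay the thread's scenario: phone plugs in first, PC with a dot1x supplicant behind it."""
    port = Port(host_mode, violation)
    port.admit(PHONE, "voice", authenticated=phone_authenticated)
    pc = port.admit(PC, "data", authenticated=True)
    return {"phone": port.admit(PHONE, "voice"), "pc": pc, "err_disabled": port.err_disabled}


if __name__ == "__main__":
    for mode in CAPS:
        print(mode, phone_then_pc(mode, "restrict", phone_authenticated=(mode == "multi-domain")))
```

Run through the modes and the thread's outcomes fall out: on single-host the unauthenticated phone occupies the one slot and the PC behind it is the violation; on multi-host the PC's authentication unlocks the port for the phone too; on multi-domain each device has its own slot and only a second data MAC trips the violation, which with `restrict` is a dropped frame and a syslog rather than an err-disabled port.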

  • Delay the first dot1x authentication message after a port comes up

    Cisco ISE: 1.2
    Switch IOS: 15.0.2.EX4
    Hello,
    I have configured the APs to authenticate with 802.1X via the switch.
    When I shut the port on which the AP is connected and then no shut it, the port comes up a few seconds later and the switch sends a dot1x authentication.
    I feel that the AP has not finished booting and that's why it fails: the AP doesn't answer that authentication request.
    I was wondering if it's possible to delay the first authentication message the switch sends just after a port comes up ?
    When I use debug commands I see
    %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
    %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
    %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
    %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
    %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
    NB: you'll see exhausted all authentication methods because I only configured dot1x on the port (no mab or anything else)
    Thank you for all answers

    Hello,
    Thank you for your reply. That document is very interesting.
    I've just read the chapter regarding the profiling with APs so far and got them working properly the way they showed it.
    However I'm not a big fan of MAB and profiling, because ISE retrieves CDP information collected through SNMP.
    - You need CDP (or LLDP) enabled and you might not want that for different reasons (security, interoperability...)
    - A machine could lie about its identity and pretend through CDP that it's a controller, an AP, a printer and so on.
    That's why the best option, in my opinion, would be that the AP sends its credentials and ISE accepts or rejects it.
    It's possible to do this with the Cisco APs
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/99791-eapfast-wlc-rad-config.html
    I'm wondering why Cisco chooses a different EAP method for each of their devices (EAP-MD5 -> Cisco Phones, EAP-FAST -> AP)
    So in my humble opinion, the mab/profiling solution is good but not optimal.
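As an added example (not from the posts, and not Cisco or Microsoft code), here is a stdlib-only Python model of what is actually on the wire in the two posts above: the EAP-Request/Identity the switch sends when the port comes up, the EAP-Response/Identity a supplicant answers with (for Windows machine authentication that identity is the "host/<fqdn>" form the ISE post asks about), and the timer arithmetic behind the no-response fail-over, tx-period times (max-reauth-req + 1), which is the window an AP has to finish booting before the switch gives up on dot1x. The switch MAC and identity string are constructed; the client MAC is the one from the first post.

```python
"""EAPOL/EAP frames as the switch and supplicant exchange them on link-up.

Added example for the 'delay the first dot1x message' post and the
'host/' identity question above; not Cisco or Microsoft code. Layouts
follow IEEE 802.1X and RFC 3748; MACs and identity are constructed.
"""
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X destination for EAPOL
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAPOL_TYPE_NAMES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
EAP_TYPE_NAMES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP", 43: "EAP-FAST"}

SWITCH_MAC = bytes.fromhex("001122aabb01")   # constructed
CLIENT_MAC = bytes.fromhex("2c41380ff187")   # client MAC from the first post


def build_eap(code, ident, eap_type=None, data=b""):
    """EAP header: Code(1) Identifier(1) Length(2), then Type(1) + Type-Data for Request/Response."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def build_eapol(src_mac, eapol_type, eap=b""):
    """Ethernet header + EAPOL header (Version=1, Type, Body Length) + body."""
    return (PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", 1, eapol_type, len(eap)) + eap)


def parse_eap(pkt):
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length")
    rec = {"code": code, "code_name": EAP_CODE_NAMES.get(code, str(code)), "id": ident}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("EAP Request/Response carries no Type")
        rec["type"] = pkt[4]
        rec["type_name"] = EAP_TYPE_NAMES.get(pkt[4], str(pkt[4]))
        if pkt[4] == EAP_TYPE_IDENTITY:
            rec["identity"] = pkt[5:length].decode("utf-8", "replace")
    return rec


def parse_eapol(frame):
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL (ethertype 0x{ethertype:04x})")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL body truncated")
    out = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "eapol_version": version,
           "eapol_type": ptype, "eapol_type_name": EAPOL_TYPE_NAMES.get(ptype, str(ptype))}
    if ptype == EAPOL_EAP_PACKET:
        out["eap"] = parse_eap(body)
    return out


def machine_identity(identity):
    """Windows machine auth sends 'host/<fqdn>' as the outer EAP identity; return the bare FQDN."""
    return identity[5:].lower() if identity.startswith("host/") else identity.lower()


def identity_request_window(tx_period=30, max_reauth_req=2):
    """Seconds the authenticator keeps sending EAP-Request/Identity after link-up before it
    logs 'no-response' and fails over: the initial request plus max-reauth-req retries,
    tx-period apart. IOS defaults (30 s, 2 retries) give 90 s."""
    return tx_period * (max_reauth_req + 1)


def supplicant_makes_it(ready_after, tx_period=30, max_reauth_req=2):
    """True if a supplicant ready `ready_after` seconds after link-up still has a request to answer."""
    return ready_after < identity_request_window(tx_period, max_reauth_req)


if __name__ == "__main__":
    req = build_eapol(SWITCH_MAC, EAPOL_EAP_PACKET, build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
    resp = build_eapol(CLIENT_MAC, EAPOL_EAP_PACKET,
                       build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"host/WS01.example.com"))
    for frame in (req, resp):
        print(parse_eapol(frame))
    print("AP booting in 120 s makes the default window:", supplicant_makes_it(120))
```

The timer helpers are the practical part for the AP question: with the IOS defaults the switch stops asking after 90 seconds, so an AP that takes two minutes to boot never sees a request it can answer, whereas raising `dot1x max-reauth-req` or `dot1x timeout tx-period` on that port stretches the window without touching anything else.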

  • ISE 1.2 Guest Access for EAP(Dot1x) Authentication

    Hi.
    I want to use encryption for guest access.
    In order to use "RADIUS NAC" on the WLC, you cannot use "Open + MAC", only "WPA + dot1x".
    (Specification of the WLC)
    With "Open + MAC", by returning the "Session-Timeout" attribute from the ISE at the time of "Web Authentication", I was able to forcibly disconnect the wireless client.
    (The attribute is the same value as the time the guest user can use (ISE TimeProfile))
    If the wireless terminal connects again after the forced disconnect, the Web authentication screen is displayed but you cannot log in.
    (Because the account has been revoked)
    I want to make this environment work with dot1x too.
    However, with dot1x it becomes the "re-authentication time", so as long as the terminal is connected to the wireless network, it is not cut off.
    In addition, even with the setting "Attribute Termination-Action = Default", it does not return to the Web authentication.
    (Status of the WLC remains "Auth Yes")
    (Session of the ISE remains "Started")
    Using dot1x (EAP), can I make it "forcibly disconnect" "to match the time of the TimeProfile" in the same way as with "Open + MAC"?
    Thank you.

    Note:
    Cisco ISE:Version1.2.0.899-8
    Cisco WLC(5508):Version 7.6.120

  • Dot1x "authentication event fail action authorize" missing vlan info in show running-config 3750 12.2.55-SE7

    Has anyone seen this on their dot1x configurations where the VLAN info is missing from show running-config? See port Fa2/0/3 below. The 3750 PoE switch is running 12.2.55-SE7.
    interface FastEthernet2/0/1
     switchport access vlan 18
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 101
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     priority-queue out
     authentication event fail action authorize vlan 34
     authentication event server dead action authorize
     authentication event server dead action authorize voice
     authentication event no-response action authorize vlan 34
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     mls qos trust dscp
     auto qos voip trust
     dot1x pae authenticator
     dot1x timeout quiet-period 3
     dot1x timeout tx-period 3
     dot1x timeout supp-timeout 3
     storm-control broadcast level 1.00
     spanning-tree portfast
     spanning-tree bpduguard enable
    interface FastEthernet2/0/2
     switchport access vlan 18
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 101
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     priority-queue out
     authentication event fail action authorize vlan 34
     authentication event server dead action authorize
     authentication event server dead action authorize voice
     authentication event no-response action authorize vlan 34
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     mls qos trust dscp
     auto qos voip trust
     dot1x pae authenticator
     dot1x timeout quiet-period 3
     dot1x timeout tx-period 3
     dot1x timeout supp-timeout 3
     storm-control broadcast level 1.00
     spanning-tree portfast
     spanning-tree bpduguard enable
    interface FastEthernet2/0/3
     switchport access vlan 18
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 101
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     priority-queue out
     authentication event fail action authorize
     authentication event server dead action authorize
     authentication event server dead action authorize voice
     authentication event no-response action authorize vlan 34
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     mls qos trust dscp
     auto qos voip trust
     dot1x pae authenticator
     dot1x timeout quiet-period 3
     dot1x timeout tx-period 3
     dot1x timeout supp-timeout 3
     storm-control broadcast level 1.00
     spanning-tree portfast
     spanning-tree bpduguard enable
    interface FastEthernet2/0/4
     switchport access vlan 18
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 101
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     priority-queue out
     authentication event fail action authorize
     authentication event server dead action authorize
     authentication event server dead action authorize voice
     authentication event no-response action authorize vlan 34
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     mls qos trust dscp
     auto qos voip trust
     dot1x pae authenticator
     dot1x timeout quiet-period 3
     dot1x timeout tx-period 3
     dot1x timeout supp-timeout 3
     storm-control broadcast level 1.00
     spanning-tree portfast
     spanning-tree bpduguard enable
    interface FastEthernet2/0/5
     switchport access vlan 18
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 101
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     priority-queue out
     authentication event fail action authorize
     authentication event server dead action authorize
     authentication event server dead action authorize voice
     authentication event no-response action authorize vlan 34
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     mls qos trust dscp
     auto qos voip trust
     dot1x pae authenticator
     dot1x timeout quiet-period 3
     dot1x timeout tx-period 3
     dot1x timeout supp-timeout 3
     storm-control broadcast level 1.00
     spanning-tree portfast
     spanning-tree bpduguard enable
    interface FastEthernet2/0/6
     switchport access vlan 18
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 101
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     priority-queue out
     authentication event fail action authorize vlan 34
     authentication event server dead action authorize
     authentication event server dead action authorize voice
     authentication event no-response action authorize vlan 34
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     mls qos trust dscp
     auto qos voip trust
     dot1x pae authenticator
     dot1x timeout quiet-period 3
     dot1x timeout tx-period 3
     dot1x timeout supp-timeout 3
     storm-control broadcast level 1.00
     spanning-tree portfast
     spanning-tree bpduguard enable

    The VLAN info isn't missing; you have the option of either specifying which VLAN you want it dropped into, or you can just say authorize, which uses the VLAN configured with the 'switchport access vlan' command.

  • Remote desktop not working with dot1x authenticated machines

    Hi,
    We are using machine and user authentication. When the machine is at logoff, the machine is authenticated so users can RDP to it,
    but after logging in the remote desktop session goes down because after user authentication the machine gets a new IP address.
    Is there any way to avoid this issue?

    I am back after a hectic week on this issue... I could find out something very interesting... At times of convergence, the new path takes some time to calculate the MRU. I mean to say, when you issue the command ping mpls pseudowire destn, the new path has an MRU of 0 for some 5 seconds. After 5-6 seconds the MRU comes back with 1700. This screws up applications like mail synchronization etc.
    Apart from this I found a lot of OSPF flapping due to aggressive BFD timers also, which creates issues with remote desktop. I am unable to convince myself on the MRU issue why it happens. IOS issues on 6524??

  • Wireless dot1x authenticated but no IPv4 DHCP assignment

    Hi all, facing some issue with wireless not getting an IP from the external DHCP server.
    01. Problem statement
    After authentication succeeds, the client PC cannot get an IP from the DHCP server.
    This is the error log found at the WLC
    *RRM-MGR-2_4-GRP: May 21 15:23:02.643: #LOG-3-Q_IND: dhcp_proxy.c:3944 Received a DHCP packet sent by the controller itself possible network loop![...It occurred 3 times.!]
    *DHCP Socket Task: May 21 15:23:02.171: #DHCP-3-DHCP_PKT_LOOPED: dhcp_proxy.c:3944 Received a DHCP packet sent by the controller itself possible network loop!
    *DHCP Socket Task: May 21 15:22:47.140: #DHCP-3-DHCP_PKT_LOOPED: dhcp_proxy.c:3944 Received a DHCP packet sent by the controller itself possible network loop!
    *DHCP Socket Task: May 21 15:22:43.009: #DHCP-3-DHCP_PKT_LOOPED: dhcp_proxy.c:3944 Received a DHCP packet sent by the controller itself possible network loop!
    *RRM-MGR-5_0-GRP: May 21 15:22:04.188: #LOG-3-Q_IND: acl.c:371 Unable to find an ACL by name ""
    02. Troubleshooting effort and finding
    There are 2 SSIDs created on the WLC, with a different VLAN on each.
    When connecting to the first SSID, it successfully authenticates and is able to get an IP from DHCP
    When disconnecting the client PC from the first SSID and connecting to the second SSID, the client detail shows the connection is associated, no IP assigned, and the policy manager state is "DHCP_REQD"
    There is no IP lease at the DHCP server (using Windows Server 2008 as external DHCP, because the virtual WLC does not support hosting an internal DHCP server)
    03. Existing Cisco device config and infrastructure setup
    WLC version     : virtual WLC 7.6.100.0
    client PC         :  Windows 7
    Any suggestion and idea on this? 
    million thanks in advance

    Hi,
    1. As per my understanding you have not properly configured the DHCP proxy; recheck your configuration and commands.
    2.   DHCP option 82 is a kind of enhancement specifically employed for distributed DHCP/relay environments. Using this option, relays insert specific information into the request, to get an idea of the client's physical point of attachment or first interaction with the network.
       For understanding DHCP option 82 check the below blog.
       http://blog.ine.com/2009/07/22/understanding-dhcp-option-82/

  • After JDBCRealm Authentication some jsp/servlet to be executed

    Software
    JDK1.5
    jakarta-tomcat-5.5.2
    Requirement
    After the user logs in to the server through JDBCRealm authentication I want to
    store the user details in the session
    I know there is something called request.getUserPrincipal().getName() but I need to store the whole company details in the session
    I mean the other details
    so for this I have to write the code in all the JSP files
    Is there any better way out?
    Thanks in advance
    CSJakharia

    Thanks for trying to help me
    But actually maybe you did not get my requirement clearly
    Anyway I found my answer
    We can use a ServletFilter and get the thing out
    Thanks for trying to help me
    Bye for now
    CSJakharia

  • Dot1x clients not authenticated after reload

    Hi all,
    I have a switch set up with dynamic VLAN assignment. Everything works fine until the switch is rebooted. Then none of the PCs are authenticated anymore. I have to do a shut/no shut of all the user ports to start the re-authentication of the PCs.
    This is the config I have so far. Am I missing something?
    Thanks,
    Best Regards,
    Joris
    Global commands
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting system default start-stop group radius
    aaa authorization exec default local if-authenticated
    aaa authorization commands 1 default local if-authenticated
    aaa authorization commands 15 default local if-authenticated
    dot1x system-auth-control
    dot1x guest-vlan supplicant
    dot1x critical eapol
    radius-server host x.x.x.x auth-port 1645 acct-port 1646 key *****
    radius-server vsa send accounting
    radius-server vsa send authentication
    Interface-specific commands
    switchport mode access
    switchport nonegotiate
    switchport port-security maximum 5
    switchport port-security
    switchport port-security violation restrict
    authentication event fail action authorize vlan 200
    authentication event server dead action authorize vlan 110
    authentication event no-response action authorize vlan 200
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    mab
    no snmp trap link-status
    dot1x pae authenticator
    dot1x timeout quiet-period 3
    dot1x timeout tx-period 3
    dot1x max-req 1
    storm-control broadcast level 1.00
    storm-control multicast level 1.00
    storm-control action shutdown
    storm-control action trap
    no cdp enable
    no cdp tlv server-location
    no cdp tlv app
    spanning-tree portfast

    I believe you will need to tell your ports what action to take when the AAA server becomes available. It knows what to do when it's dead or unavailable, but has the default setting when it is returned to service. Likely the switch is tripping AAA dead or non-responsive for a bit during boot and it's a race. You want the port to reauth when the AAA server becomes available.
    Sent from Cisco Technical Support iPhone App
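Added example (not from the posts, not Cisco code) serving both the "missing vlan info" config above and this reload question: a Python audit of an IOS running-config that reports which 802.1X ports have an `authorize` event without an explicit VLAN (they land in the port's access VLAN, as the earlier reply explains), which have a server-dead action but no `authentication event server alive action reinitialize` to undo it when RADIUS returns (the gap the reply just above points at), and which leave `authentication violation` at its default of shutdown. The sample configuration is constructed from the interfaces those two posts show; interface sub-commands are expected to be indented by one space, as `show running-config` prints them.

```python
"""Audit 802.1X interface settings in an IOS running-config.

Added example for the 'missing vlan info' and 'not authenticated after
reload' posts above; not Cisco code. SAMPLE_CONFIG is constructed from
the interfaces those posts show.
"""
import re
from collections import OrderedDict

SAMPLE_CONFIG = """\
interface FastEthernet2/0/1
 switchport access vlan 18
 switchport mode access
 switchport voice vlan 101
 authentication event fail action authorize vlan 34
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 34
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
!
interface FastEthernet2/0/3
 switchport access vlan 18
 switchport mode access
 switchport voice vlan 101
 authentication event fail action authorize
 authentication event server dead action authorize
 authentication event no-response action authorize vlan 34
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/7
 switchport mode access
 authentication event fail action authorize vlan 200
 authentication event server dead action authorize vlan 110
 authentication event no-response action authorize vlan 200
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
!
"""

AUTHORIZE_RE = re.compile(
    r"^authentication event (fail|no-response|server dead) action authorize(?: vlan (\d+))?$")


def interface_blocks(config_text):
    """Map interface name -> list of its (stripped) sub-commands."""
    blocks, current = OrderedDict(), None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None                        # '!' or a global command ends the block
    return blocks


def audit_interface(lines):
    findings = []
    if "authentication port-control auto" not in lines:
        return findings                           # not an 802.1X-controlled port
    access_vlan = next((l.split()[-1] for l in lines if l.startswith("switchport access vlan ")), "1")
    for line in lines:
        m = AUTHORIZE_RE.match(line)
        if m and m.group(2) is None:              # 'authorize' with no VLAN: the access VLAN is used
            findings.append(f"{m.group(1)} action authorizes the access VLAN {access_vlan} (no explicit 'vlan')")
    if any(l.startswith("authentication event server dead action authorize") for l in lines) \
            and "authentication event server alive action reinitialize" not in lines:
        findings.append("server dead action set but no 'server alive action reinitialize': "
                        "ports stay in the dead-server state after RADIUS recovers")
    if not any(l.startswith("authentication violation ") for l in lines):
        findings.append("no 'authentication violation' configured: default action is shutdown (err-disable)")
    return findings


def audit(config_text):
    return {name: audit_interface(lines) for name, lines in interface_blocks(config_text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Point it at a saved `show running-config` and the third check is the one that explains the reload symptom: a port that was authorized into the critical VLAN while RADIUS was unreachable during boot keeps that state until something reinitializes it, and the `server alive action reinitialize` line is what makes the switch do that on its own instead of waiting for a shut/no shut.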

  • Question about dot1x & Web Authentication

    I'm not sure if what I want to do is possible so hopefully someone can set me straight.
    Right now when a user doesn't have an 802.1x capable machine, they are assigned to the guest VLAN. Then using the dot1x fallback command we could force them to authenticate using the web if we so choose. At least this is how I understand web-auth to work. Please correct me if I'm wrong.
    But what about when someone is using an 802.1x capable machine but fails auth? Like say a user logging in locally on a domain machine or a vendor using his company's laptop. Currently those ports go into an unauthorized state and are not active. If I use the dot1x auth-fail-vlan command, it authorizes the ports for that VLAN just fine.
    What I'd like to do in those cases is to put them in a restricted VLAN and then force them to use web authentication to gain access to the network.
    Is that possible? I can't seem to find a way to use web authentication after a failed dot1x auth. Or is that it, a failure is a failure and there is no way to try and reauthenticate a different way?

    Hi,
    dot1x authentication and mac-authentication bypass are layer 2 authentication mechanisms and webauth is a layer 3 authentication mechanism.
    you can set multiple authentication profiles and set the priority as well.
    like you can have dot1x authentication first, second webauth and third mac-authentication bypass.
    remember the other authentication mechanism will only come into place if the first authentication is not possible, that is the client is not having a supplicant for dot1x.
    if a user doesn't have a dot1x supplicant and you have configured a guest vlan then the user will be put into the guest vlan, otherwise the user will be in the access vlan in which the port is configured.
    if you have configured an auth-fail vlan and the user gives wrong credentials the user will be put into the auth-fail vlan.
    if a user is a dot1x client and dot1x is configured then the user must pass the dot1x authentication.
    the fallback mechanism is only when the dot1x authentication cannot be executed because the client is not having a dot1x supplicant. then the next mode of authentication will be triggered, that is either webauth or MAB.
    if a user fails the dot1x authentication due to wrong credentials then he cannot be prompted for another authentication mechanism. this is to avoid security breaches.
    hope this helps.
    regards
    Sushil
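    As an added illustration (not part of Sushil's reply or any Cisco document), here is a Catalyst IOS interface configuration that wires up the two outcomes he distinguishes: a host that fails dot1x with bad credentials lands in the auth-fail VLAN, while a host with no supplicant (no EAPOL response, no MAB match) falls back to webauth. The interface name, VLAN IDs, ACL, profile name and DNS address are constructed placeholders.

```cisco
! Constructed example; interface, VLAN IDs, names and 10.0.0.1 are placeholders.
! Local HTTP server is required for the webauth redirect.
ip http server
!
! Pre-webauth ACL: only DHCP, DNS and HTTP (for the redirect) before login.
ip access-list extended PRE-WEBAUTH
 permit udp any any eq bootps
 permit udp any host 10.0.0.1 eq domain
 permit tcp any any eq www
 deny ip any any
!
! Webauth fallback profile: reached only when no supplicant answers,
! never after a dot1x credential failure.
ip admission name WEBAUTH-FALLBACK proxy http
fallback profile WEBAUTH-FALLBACK
 ip access-group PRE-WEBAUTH in
 ip admission WEBAUTH-FALLBACK
!
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 21
 authentication host-mode multi-auth
 authentication port-control auto
 ! Try dot1x first, then MAB; webauth is last and only via the fallback profile.
 authentication order dot1x mab webauth
 authentication priority dot1x mab webauth
 ! dot1x rejected by RADIUS (wrong credentials) -> restricted auth-fail VLAN.
 authentication event fail action authorize vlan 999
 ! No EAPOL response and no MAB match -> webauth fallback.
 ! The alternative action for that same event is a guest VLAN:
 !   authentication event no-response action authorize vlan 998
 authentication fallback WEBAUTH-FALLBACK
 mab
 dot1x pae authenticator
 ! Supplicant is declared absent after tx-period * (max-reauth-req + 1) seconds.
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
```

Which path a given host took is visible in `show authentication sessions interface GigabitEthernet1/0/10`, where the method and the authorized VLAN are listed per session.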

  • Q: How can ISE 1.2 be configured to display "IP Address" in the Operations-Authentication view ?

    Hi Forum!
    I have several ISE installations running, and I have come across an issue that may or may not be a real issue.
    How can ISE 1.2 and/or the WLC be configured to display "IP Address" in the Operations-Authentication view?
    I simply cannot see any IP address in this field when the dot1x authentication is done on a WLC.
    This may be "works as designed" due to the fact that dot1x runs before the IP is assigned, but then again I do get profiler data etc., and hence I would expect the IP to be displayed.
    Please see attachment for clarification of the field in the ISE dashboard.
    FYI
    I do see the IP in wired dot1x scenarios, but then again I run Low Impact mode there, as opposed to Closed mode in the WiFi scenarios.
    I have the same on WLC OS 7.0, as well as on 7.5 & 7.6 (i.e. no IP address shown in the dashboard).
    Have fun!
    Regards
    Martin

    I have seen this before but never really bothered to look more into it. It has always shown for wired but not wireless. I did some digging, and it appears that the "framed-ip-address" is being sent/honored by the NAS in the "access-accept" packet.
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76/b_cg76_chapter_0101001.html#ID676
    Why it is not showing in ISE's screen is now another question. I would say a bug, but I recall this since the 1.0 days and I have done several deployments. Perhaps Cisco can chime in here, or if you can open a TAC case and report back your findings :)
    Thank you for rating helpful posts!

  • 'authentication control-direction in' in authentication CLOSED mode

    Switch: 4510R+E, running a DEV version based off 3.6.0
    ISE: 1.2.0.899 patch 7
    Hi, I have been working on a weird issue where some of my clients would randomly drop their IP address, and the only way I could get it back was to move their port to authentication open mode. I need to run in closed mode because I change VLANs via MAB.
    I have been working with TAC, and they suggested I add the command 'authentication control-direction in' to my switchport config (below). With the couple of tests I've done, this seems to help. But I would like to understand why. Doesn't the control-direction command somewhat nullify the premise of running in closed mode? I.e., it allows some communication before the device is authorized. Thanks.
    interface GigabitEthernet2/18
     switchport access vlan 34
     switchport mode access
     switchport voice vlan 66
     logging event link-status
     authentication event fail action next-method
     authentication event server dead action authorize vlan 34
     authentication event server dead action authorize voice
     authentication event server alive action reinitialize 
     authentication host-mode multi-auth
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     service-policy input QoS-Input-Policy
     service-policy output QoS-Host-Port-Output-Policy
    end

    I also needed to use this command to keep devices authenticated. It was happening with a CCTV system that was an embedded Linux OS. It was on MAB, and because it wasn't transmitting any traffic (unlike a noisy Windows box), the switch wouldn't be able to reauth it, as it had no MAC address to be able to auth, so it would show up with 'unknown' in the MAC field.
    Basically it allows traffic to flow out of the port. This enabled the device to receive HTTP traffic and made it respond, and then the switch could auth it again once the device sent a frame.
    When you do a show authentication sessions you will notice 'Oper control dir: both' will change to 'Oper control dir: in'.

  • Role of do1x authentication in AP's

    Hi guys
    I have a basic question,
    What is the role and use of dot1x authentication in cisco access points?
    I have noticed some configurations use this where they have dot1x credentials defined and then have them used in their SSID config.
    If one was using a RADIUS server, for example, where would they have these credentials stored? I assume they would need to be defined on the AP and also on the server it is communicating with.
    Much appreciated.
    Kind Regards
    Mohamed

    Most of the time, 802.1x will use a RADIUS server that is tied to AD. You can look on CCO regarding configuring 802.1x on an autonomous AP or on a Unified network. There are other options in autonomous mode in which you can have the AP store the credentials, but nowadays, when users or computers are users/computers of a domain, it is much easier to use a RADIUS server that looks up the credentials in AD.
    Sent from Cisco Technical Support iPad App
