eemoon

802.1x cannot work at switch client PC

Hi, the user PC and ISE are connected to a switch on the same VLAN for 802.1x.

The switch is configured with AAA authentication and authorization correctly. Please see the confirmation below:


SW1#test aaa group ISE2 user-c9800 Cisco123 legacy
Attempting authentication test to server-group ISE2 using radius
User was successfully authenticated.


SW1#sho authentication interface f0/2

Client list: empty

Available methods list:
  Handle  Priority  Name
    3        0      dot1x
    2        1      mab
Runnable methods list:
  Handle  Priority  Name
    3        0      dot1x
    2        1      mab



And the user PC NIC is configured as below. But I do not know why the PC can always ping the switch without inputting the user's credentials. It looks like 802.1x does not work on the user PC. Is there any solution? Thank you



User generated image

ASKER CERTIFIED SOLUTION
arnold
eemoon

ASKER

Thank you very much for your reply!
Providing user credentials where and when, are you saving the user credentials?
Not sure if the below arrow is a place to save user pc credentials:
User generated image
Can you post the switch port config, please?
Please see the attached switch configuration.
sw1.txt

authentication open was configured on the switch, but after removing it, I still cannot see any difference

ASKER

It looked like there was no relation between the PC and ISE. After checking, I noticed the PC was plugged into a port which has no authentication config.
Thank you very much!
Just to add, in your switch config you have no dynamic authors configured. This is required for CoA to work. Add the ISE IP to the list using the same shared secret as you used for RADIUS...

aaa server radius dynamic-author
 client 10.0.10.22 server-key Xyzcisco

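An added example, not code from any poster in this thread: a small Python audit of an IOS running-config for the problems that came up here, namely an access port with no 802.1X configuration, a port left in authentication open, and a missing aaa server radius dynamic-author client. The sample config and the audit function are constructed for illustration (the asker's sw1.txt is not on the page), and treating "authentication port-control auto" plus "dot1x pae authenticator" as the required port lines is an assumption.

```python
import re

# Constructed sample running-config (not the asker's sw1.txt, which is not on the page).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/2
 switchport mode access
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface FastEthernet0/3
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet0/1
 switchport mode trunk
"""

def audit(config):
    """Return (findings per access port, True if CoA dynamic-author has a client)."""
    findings, port, lines = {}, None, {}
    for raw in config.splitlines():
        m = re.match(r"interface (\S+)", raw)
        if m:
            port = m.group(1)
            lines[port] = []
        elif raw.startswith(" ") and port:
            lines[port].append(raw.strip())
        else:
            port = None  # left the interface block
    for name, cfg in lines.items():
        if "switchport mode access" not in cfg:
            continue  # only edge (access) ports are expected to run 802.1X
        issues = []
        if "authentication port-control auto" not in cfg:
            issues.append("no port-control auto: port does not enforce authentication")
        if "dot1x pae authenticator" not in cfg:
            issues.append("no dot1x pae authenticator")
        if "authentication open" in cfg:
            issues.append("authentication open: traffic passes without successful auth")
        if issues:
            findings[name] = issues
    coa = re.search(r"^aaa server radius dynamic-author\n(?: .*\n)*? client \S+", config, re.M)
    return findings, coa is not None
```

On the sample, FastEthernet0/1 is flagged as unauthenticated (the situation the asker found), FastEthernet0/2 is flagged for authentication open, and the CoA check fails until a dynamic-author client is added.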