Hi,
In addition to what Yash said earlier, I just validated using this configuration:
aaa authentication port-access dot1x authenticator
    eapol-timeout 30
    max-eapol-requests 1
    max-retries 1
    reauth
    enable
aaa authentication port-access mac-auth
    cached-reauth
    cached-reauth-period 86400
    quiet-period 30
    enable
Don't set auth precedence; otherwise, MAC Authentication will fire off first and then, if successful, dot1x will never be attempted.
With the above configuration, dot1x will attempt first, then, after 60s, MAC Authentication will fire off.
I tested failing dot1x first (invalid credentials), letting MAC Authentication succeed after 60s - see below:
***************************************
Iteration : 4 Command : show port-acc cli
***************************************
Port Access Clients
--------------------------------------------------------------------------------
Port     MAC Address         Onboarded   Status        Role
                             Method
--------------------------------------------------------------------------------
2/1/3    d4:c9:ef:f8:1b:0d               Fail
2/1/3    00:04:f2:80:23:57               In-Progress
***************************************
Iteration : 32 Command : show port-acc cli
***************************************
Port Access Clients
--------------------------------------------------------------------------------
Port     MAC Address         Onboarded   Status        Role
                             Method
--------------------------------------------------------------------------------
2/1/3    d4:c9:ef:f8:1b:0d               Fail
2/1/3    00:04:f2:80:23:57   mac-auth    Success       phone_role
I then retried 802.1x using appropriate credentials on the Win 10 laptop which immediately succeeded with 802.1x.
***************************************
Iteration : 43 Command : show port-acc cli
***************************************
Port Access Clients
--------------------------------------------------------------------------------
Port     MAC Address         Onboarded   Status        Role
                             Method
--------------------------------------------------------------------------------
2/1/3    d4:c9:ef:f8:1b:0d   dot1x       Success       EMPLOYEE_CX-3074-7
2/1/3    00:04:f2:80:23:57   mac-auth    Success       phone_role
I wonder if it has to do with the Windows logon prompt; I've had issues with that in the past. In fact, my laptop that I test with doesn't even prompt anymore. Have you tried going into the authentication settings and manually entering the credentials in the network adapter settings?
I also just created a video showing this process and attached it. Let me know if this helps.
Justin
JUSTIN NOONAN TECHNICAL MARKETING ENGINEER – ARUBA CAMPUS SWITCHING O: +1 916 540 1748 | M: +1 530 434 0239 justin.noonan@hpe.com
8000 FOOTHILLS BLVD | ROSEVILLE, CA 95747 USA
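
The validation shown in the post above can be scripted. The following is an added example, not part of the original post or of any Aruba tooling: it parses repeated snapshots of the client table, tolerates rows where the onboarded method and role are still empty, and lists clients that ended up on mac-auth. The function names are hypothetical, and the rows are assumed to be whitespace-separated as in the pasted output.

```python
import re

# Constructed sample: client rows copied from the three snapshots in the post,
# with the table banner kept in the first one to show that it is skipped.
SNAPSHOTS = [
    "Port Access Clients\n" + "-" * 80 + "\n"
    "2/1/3 d4:c9:ef:f8:1b:0d Fail\n"
    "2/1/3 00:04:f2:80:23:57 In-Progress",
    "2/1/3 d4:c9:ef:f8:1b:0d Fail\n"
    "2/1/3 00:04:f2:80:23:57 mac-auth Success phone_role",
    "2/1/3 d4:c9:ef:f8:1b:0d dot1x Success EMPLOYEE_CX-3074-7\n"
    "2/1/3 00:04:f2:80:23:57 mac-auth Success phone_role",
]

# Assumption: the method column is either dot1x or mac-auth (the two seen in
# the post) and is blank until a method has onboarded the client.
ROW = re.compile(
    r"^\s*(?P<port>\d+/\d+/\d+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?:(?P<method>dot1x|mac-auth)\s+)?(?P<status>\S+)(?:\s+(?P<role>\S+))?\s*$",
    re.IGNORECASE,
)

def parse_clients(text):
    """Return one dict per client row; banners, rules and headers are skipped."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]

def onboarding_history(snapshots):
    """Map MAC -> ordered list of distinct (method, status, role) states."""
    history = {}
    for snap in snapshots:
        for row in parse_clients(snap):
            state = (row["method"], row["status"], row["role"])
            states = history.setdefault(row["mac"].lower(), [])
            if not states or states[-1] != state:
                states.append(state)
    return history

def mac_auth_only(history):
    """MACs whose latest state is a mac-auth success (no dot1x onboarding)."""
    return sorted(mac for mac, states in history.items()
                  if states[-1][:2] == ("mac-auth", "Success"))

if __name__ == "__main__":
    hist = onboarding_history(SNAPSHOTS)
    for mac, states in hist.items():
        print(mac, " -> ".join(f"{m or '-'}/{s}" for m, s, _ in states))
    print("onboarded via mac-auth:", mac_auth_only(hist))
```

Reviewing the mac-auth list against the devices expected to lack a supplicant (phones, printers) shows which 802.1X-capable clients are still falling back.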