Security

  • 1.  RADIUS Accounting when in initial-role

    Posted Oct 12, 2023 06:56 AM

    Hi,

    2930 switches WC.15.11.14

    cppm 6.11.4

    Implementing MAC/802.1X auth on a switch port. CPPM configured to use DURs as appropriate for the state of authentication. 2 services on CPPM, one running in monitor mode, the other live. Service selection based upon device groups.

    For switches using the CPPM monitor mode service (when configured to download user roles), a sh port-access clients shows that every port is in the defined initial-role, which allows network access via the statically defined VLAN. Reauth happens every session timeout period. However I get NO accounting data appearing at the CPPM server. Looking at the switch, it also shows that there are no in/out accounting packets.

    For switches using the live service, CPPM sends a DUR to the client and everything works as expected, including accounting information.

    Should I be able to send accounting packets when in the initial-role? Is there a specific entry in the local user role I need to add to enable sending of accounting information?

    A



  • 2.  RE: RADIUS Accounting when in initial-role

    Posted Oct 16, 2023 04:40 AM

    For accounting, the (or an) authentication should succeed. For the devices in the initial role, do you see a successful authentication (802.1X or MAC Auth)?



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: RADIUS Accounting when in initial-role

    Posted Oct 16, 2023 06:12 AM
    The switches talk to a ClearPass service in monitor mode, but yes, I can see a successful auth. Assuming here that CPPM sends just an access accept in monitor mode without any other params.
    A




  • 4.  RE: RADIUS Accounting when in initial-role

    Posted Oct 17, 2023 09:05 AM

    And on the switch 'show port-access clients' or 'show port-access clients <port> detail', does that show a successful authenticated client?

    If a client is authenticated, and no role is returned so the client stays in the initial role, I would expect accounting (because the client is authenticated). If you don't see it, you may best work with TAC to find out why there is no accounting data sent.



    ------------------------------
    Herman Robers
    ------------------------
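    The expectation in this reply, that accounting should follow a successful authentication, can be checked against a capture of the switch-to-ClearPass RADIUS traffic. This is an added example, not code from the thread or from Aruba: a minimal RADIUS framing parser (RFC 2865/2866) run over a constructed packet sequence, correlating each Access-Accept to its Access-Request by identifier and flagging clients that were accepted but never produced an Accounting-Request.

```python
import struct
# RADIUS codes and attribute types used here (RFC 2865 / RFC 2866)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
CALLING_STATION_ID, ACCT_STATUS_TYPE = 31, 40
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def build_radius(code, ident, attrs):
    # Frame a packet; the 16-byte authenticator is zeroed (constructed test data only)
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def parse_radius(pkt):
    # Return (code, identifier, {attr_type: raw value}); reject malformed framing
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, i = {}, 20
    while i < length:
        t, alen = pkt[i], pkt[i + 1]
        if alen < 2 or i + alen > length:
            raise ValueError("bad attribute length")
        attrs[t] = pkt[i + 2:i + alen]
        i += alen
    return code, ident, attrs

def accounting_report(packets):
    # Per client MAC: did an Access-Accept arrive, and which Acct-Status-Types followed?
    pending, report = {}, {}
    for pkt in packets:
        code, ident, attrs = parse_radius(pkt)
        mac = attrs.get(CALLING_STATION_ID, b"").decode()
        if code == ACCESS_REQUEST:
            pending[ident] = mac  # Access-Accept carries no MAC; match on identifier
        elif code == ACCESS_ACCEPT and ident in pending:
            entry = report.setdefault(pending.pop(ident), {"accepted": False, "acct": []})
            entry["accepted"] = True
        elif code == ACCOUNTING_REQUEST:
            status = struct.unpack("!I", attrs.get(ACCT_STATUS_TYPE, bytes(4)))[0]
            entry = report.setdefault(mac, {"accepted": False, "acct": []})
            entry["acct"].append(ACCT_STATUS.get(status, status))
    return report

def accepted_without_accounting(packets):
    # MACs that passed authentication but never produced an Accounting-Request
    return sorted(m for m, r in accounting_report(packets).items() if r["accepted"] and not r["acct"])

# Constructed sample: one MAC-auth client with a Start record, one accepted but silent
SAMPLE = [
    build_radius(ACCESS_REQUEST, 7, [(CALLING_STATION_ID, b"00-11-22-33-44-55")]),
    build_radius(ACCESS_ACCEPT, 7, []),
    build_radius(ACCOUNTING_REQUEST, 8, [(CALLING_STATION_ID, b"00-11-22-33-44-55"), (ACCT_STATUS_TYPE, struct.pack("!I", 1))]),
    build_radius(ACCESS_REQUEST, 9, [(CALLING_STATION_ID, b"aa-bb-cc-dd-ee-ff")]),
    build_radius(ACCESS_ACCEPT, 9, []),
]
```

    On real traffic, feed the UDP payloads from a capture of the switch's RADIUS traffic (ports 1812 and 1813) in arrival order; a MAC listed by accepted_without_accounting is the case described in this thread.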



  • 5.  RE: RADIUS Accounting when in initial-role

    Posted Oct 17, 2023 09:47 AM
    Ok, so show port-access client detail 1/3 shows that the auth type is Mac-authenticated and the client status is initial-role.
    CPPM access tracker shows the MAC address on that port hitting the monitor mode process, which would send back an access accept.
    A




  • 6.  RE: RADIUS Accounting when in initial-role

    Posted Oct 20, 2023 10:39 AM

    Then you may best work with TAC to find out why there is no accounting data sent.



    ------------------------------
    Herman Robers
    ------------------------