Cisco Phone is trying to atuhenticate on data vlan

Eugen Bitca — Sat, 18 Jul 2020 10:07:28 GMT

Hello,

Cisco Phone is trying to atuhenticate on data vlan even port is configured with voice vlan.

Only Radius and Device Sensor are used.

PC and Phone are authenticated using MAB.

Access Device: WS-C2960S-F24PS-L()(15.2(2)E9)

Port-Config:

interface FastEthernet1/0/12
switchport access vlan 100
switchport mode access
switchport nonegotiate
switchport block multicast
switchport block unicast
switchport voice vlan 400
ip device tracking maximum 2
ip arp inspection limit rate 40
small-frame violation-rate 2000
srr-queue bandwidth share 10 10 60 20
priority-queue out
authentication event fail action next-method
authentication event server dead action authorize vlan 100
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-req 3
auto qos voip cisco-phone
storm-control broadcast level 5.00
storm-control multicast level 5.00
storm-control unicast level pps 10k 9k
storm-control action shutdown
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoQoS-Police-CiscoPhone
ip verify source tracking
ip dhcp snooping limit rate 10

device-sensor filter-list lldp list lldp-list
device-sensor filter-list cdp list cdp-list
device-sensor filter-list dhcp list dhcp-list
device-sensor filter-spec dhcp include list dhcp-list
device-sensor filter-spec lldp include list lldp-list
device-sensor filter-spec cdp include list cdp-list
device-sensor accounting
device-sensor notify all-changes

Switch-S1#sh mac address-table interface fastEthernet 1/0/12
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
100 c8cb.b821.1db5 STATIC Fa1/0/12
400 c414.3c8a.82f5 DYNAMIC Drop

%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet1/0/12, new MAC address (c414.3c8a.82f5) is seen.AuditSessionID 0A706FF2000002FE0215E2EB

If I do change to authentication host-mode multi-auth, then both PC and Phone do authenticate properly

Switch-S1(config)#interface fastEthernet 1/0/12
Switch-S1(config-if)#authentication host-mode multi-auth
Switch-S1(config-if)#shu
Switch-S1(config-if)#no shu
007601: Jul 18 12:46:17.656 EEST: %SWITCH_QOS_TB-5-TRUST_DEVICE_LOST: cisco-phone no longer detected on port Fa1/0/12, operational port trust state is now untrusted.
007602: Jul 18 12:46:18.222 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/12, changed state to down
007606: Jul 18 12:46:28.457 EEST: %ILPOWER-7-DETECT: Interface Fa1/0/12: Power Device detected: IEEE PD
007607: Jul 18 12:46:29.180 EEST: %ILPOWER-5-POWER_GRANTED: Interface Fa1/0/12: Power granted
007609: Jul 18 12:46:34.591 EEST: %LINK-3-UPDOWN: Interface FastEthernet1/0/12, changed state to up
007611: Jul 18 12:46:35.593 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/12, changed state to up
007620: Jul 18 12:46:52.633 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/12, changed state to up
007621: Jul 18 12:46:53.860 EEST: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Fa1/0/12, port's configured trust state is now operational.
007634: Jul 18 12:47:13.165 EEST: %DOT1X-5-FAIL: Authentication failed for client (c8cb.b821.1db5) on Interface Fa1/0/12 AuditSessionID 0A706FF2000003020217B991
007635: Jul 18 12:47:13.197 EEST: %EPM-6-POLICY_REQ: IP 10.112.111.27| MAC c8cb.b821.1db5| AuditSessionID 0A706FF2000003020217B991| EVENT APPLY
007636: Jul 18 12:47:13.202 EEST: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL| EVENT ATTACH-SUCCESS
007637: Jul 18 12:47:13.202 EEST: %EPM-6-POLICY_APP_SUCCESS: Policy Application succeded for Client [10.112.111.27] MAC [c8cb.b821.1db5] AuditSession ID [0A706FF2000003020217B991] for POLICY_TYPE [Named Acl] POLICY_NAME [xACSACLx-IP-PERMIT_ALL_TRAFFIC-57f6b0d3]
007638: Jul 18 12:47:13.212 EEST: %EPM-6-POLICY_REQ: IP 10.112.111.27| MAC c8cb.b821.1db5| AuditSessionID 0A706FF2000003020217B991| EVENT APPLY
007639: Jul 18 12:47:15.220 EEST: %DOT1X-5-FAIL: Authentication failed for client (c414.3c8a.82f5) on Interface Fa1/0/12 AuditSessionID 0A706FF2000003030217C28F
007640: Jul 18 12:47:15.252 EEST: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC c414.3c8a.82f5| AuditSessionID 0A706FF2000003030217C28F| EVENT APPLY
007641: Jul 18 12:47:15.252 EEST: %EPM-6-AAA: POLICY xACSACLx-IP-LIMITED_DOMAIN-5e4fed2f| EVENT DOWNLOAD_REQUEST
007642: Jul 18 12:47:15.257 EEST: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC c414.3c8a.82f5| AuditSessionID 0A706FF2000003030217C28F| EVENT APPLY
007643: Jul 18 12:47:15.262 EEST: %EPM-6-AAA: POLICY xACSACLx-IP-LIMITED_DOMAIN-5e4fed2f| EVENT DOWNLOAD-SUCCESS
007644: Jul 18 12:47:15.346 EEST: %EPM-6-IPEVENT: IP 0.0.0.0| MAC c414.3c8a.82f5| AuditSessionID 0A706FF2000003030217C28F| EVENT IP-WAIT
007646: Jul 18 12:47:19.111 EEST: %EPM-6-IPEVENT: IP 10.112.111.141| MAC c414.3c8a.82f5| AuditSessionID 0A706FF2000003030217C28F| EVENT IP-ASSIGN
007647: Jul 18 12:47:19.116 EEST: %EPM-6-POLICY_APP_SUCCESS: Policy Application succeded for Client [10.112.111.141] MAC [c414.3c8a.82f5] AuditSession ID [0A706FF2000003030217C28F] for POLICY_TYPE [Named Acl] POLICY_NAME [xACSACLx-IP-PERMIT_ALL_TRAFFIC-57f6b0d3]
007648: Jul 18 12:47:19.116 EEST: %EPM-6-IPEVENT: IP 10.112.111.141| MAC c414.3c8a.82f5| AuditSessionID 0A706FF2000003030217C28F| EVENT IP-ASSIGN
!

Switch-S1#sh mac address-table interface fastEthernet 1/0/12
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
100 c8cb.b821.1db5 STATIC Fa1/0/12
400 c414.3c8a.82f5 STATIC Fa1/0/12
Total Mac Addresses for this criterion: 2
Switch-S1#

Switch-S1#sh authentication sessions interface fastEthernet 1/0/12 details
Interface: FastEthernet1/0/12
MAC Address: c8cb.b821.1db5
IPv6 Address: Unknown
IPv4 Address: 10.112.111.27
User-Name: C8-CB-B8-21-1D-B5
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 172800s (local), Remaining: 172768s
Session Uptime: 55s
Common Session ID: 0A706FF2000003020217B991
Acct Session ID: 0x0000058B
Handle: 0xC00002F6
Current Policy: POLICY_Fa1/0/12

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-57f6b0d3

Method status list:
Method State

dot1x Stopped
mab Authc Success

----------------------------------------
Interface: FastEthernet1/0/12
MAC Address: c414.3c8a.82f5
IPv6 Address: Unknown
IPv4 Address: 10.112.111.141
User-Name: C4-14-3C-8A-82-F5
Status: Authorized
Domain: VOICE
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 172800s (local), Remaining: 172770s
Session Uptime: 31s
Common Session ID: 0A706FF2000003030217C28F

Acct Session ID: 0x0000058C
Handle: 0x550002F7
Current Policy: POLICY_Fa1/0/12

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-57f6b0d3

Method status list:
Method State

dot1x Stopped
mab Authc Success

Switch-S1#

Cisco ISE 2.7 Patch 1

Any help would be appreciated.

Thank you

topic Cisco Phone is trying to atuhenticate on data vlan in IP Telephony and Phones

Cisco Phone is trying to atuhenticate on data vlan