https://community.cisco.com/t5/network-access-control/dot1x-open-implementation-and-unreachable-radius/m-p/2229138#M112297 <HTML><HEAD></HEAD><BODY><P> Hi Jan,</P><P></P><P>usually a voice vlan needs to be configured on the switchport. The phone starts in the access vlan and if authentication is ok the switch puts the Phone into a voice domain. On ACS&nbsp; you must configure device-traffic-class = voice.</P><P></P><P>Are you using a CISCO-Phone. Only Cisco-Phone send via CDP that a PC is disconncet. With a NON Cisco Phone the session remains forever. That is the reason that PC can go in working without a connection to ACS</P><P></P><P>sh authentication session</P><P></P><P>a good documentation:</P><P></P><P><A href="http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html">http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html</A></P><P></P></BODY></HTML> Thu, 04 Jul 2013 13:52:18 GMT hdussa 2013-07-04T13:52:18Z https://community.cisco.com/t5/network-access-control/dot1x-open-implementation-and-unreachable-radius/m-p/2229137#M112276 <P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Hello,</P><P></P><P>I'm trying to setup an open dot1x environment on C3750, with ACS 5.3 as RADIUS and Avaya as IP-phones.</P><P></P><P>When configuring on the interface</P><P></P><P>authentication port-control auto </P><P>authentication open </P><P>authentication&nbsp; host-mode multi-auth </P><P></P><P>the phone and PC can connect to their respective VLANs, obtain DHCP address and operate as expected.&nbsp; (Please note the switchport shows up as authenticated/authorized if the device has a dot1x supplicant on board, with valid credentials, but shows up as&nbsp; unauthorized if wrong credentials, or if no dot1x supplicant at all;&nbsp; however, I think this is normal behavior of the switchport).</P><P></P><P>Now, if the ACS is unreachable, the PC can still connnect to its VLAN and proceed, but the phone stays stuck in dot1x authentication.&nbsp; </P><P>My question : is this a misbehavior of the phone? I expect the phone to start with an EAPOL START, maybe switch and phone will subsequently exchange an 'identity request/response' but as the switch has no ACS in its backend, the process stops there, in other words, the phone will never be challenged for its credentials.&nbsp; I would expect the phone from then on&nbsp; to consider itself as authenticated and proceed 'just like it would proceed if authenticated, i.e. DHCP etc.</P><P></P><P>Nevertheless the phone seems to 'stay stuck' in its dot1x authentication procedure.</P><P></P><P>I don't expect that coding an authentication event server-dead action authorize ;... will unblock the phone's supplicant in this case of an already open dot1x port configuration.</P><P></P><P>Thanks for any clarification.</P><P></P><P></P><P>##### important update #####</P><P></P><P>From dot1x debug on the switch, it appears the phone sends each minute an EAPOL-start, triggering a EAPOL_Request_Identity (sw to phone) and EAPOL_Resp_Identity (phone to sw) and finally an EAPOL_FAIL code 4&nbsp; (sw to phone).&nbsp; This last message does cause the phone to quick its dot1x process, it simply iterates on this sequence by reissuing EAPOL-start.&nbsp; Unlike the PC behind, which proceeds after the FAIL, considering itself as being authorized to the port (and the switch accepting, as we are in Open dot1x).</P><P></P><P>When now adding to the switchport</P><P></P><P>auth event server dead action authorize voice </P><P>auth ............................................................&nbsp; vlan &lt;native vlan&gt;</P><P>the switch replies with an EAPOL code 4 - (auth) FAIL immediately.&nbsp; Again, the PC quits dot1x procedure and&nbsp; proceeds considering itself as authorized.&nbsp; And the phone continues sticking to dot1x EAPOL-start.</P><P></P><P>May we suspect here a 'bug' in the Phone, and should it stop further dot1x attempts (EAPOL-start) as soon as an EAPOL-Fail is received?&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P> Mon, 11 Mar 2019 03:33:11 GMT https://community.cisco.com/t5/network-access-control/dot1x-open-implementation-and-unreachable-radius/m-p/2229137#M112276 JAN DEVOS 2019-03-11T03:33:11Z https://community.cisco.com/t5/network-access-control/dot1x-open-implementation-and-unreachable-radius/m-p/2229138#M112297 <HTML><HEAD></HEAD><BODY><P> Hi Jan,</P><P></P><P>usually a voice vlan needs to be configured on the switchport. The phone starts in the access vlan and if authentication is ok the switch puts the Phone into a voice domain. On ACS&nbsp; you must configure device-traffic-class = voice.</P><P></P><P>Are you using a CISCO-Phone. Only Cisco-Phone send via CDP that a PC is disconncet. With a NON Cisco Phone the session remains forever. That is the reason that PC can go in working without a connection to ACS</P><P></P><P>sh authentication session</P><P></P><P>a good documentation:</P><P></P><P><A href="http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html">http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html</A></P><P></P></BODY></HTML> Thu, 04 Jul 2013 13:52:18 GMT https://community.cisco.com/t5/network-access-control/dot1x-open-implementation-and-unreachable-radius/m-p/2229138#M112297 hdussa 2013-07-04T13:52:18Z https://community.cisco.com/t5/network-access-control/dot1x-open-implementation-and-unreachable-radius/m-p/2229139#M112313 <HTML><HEAD></HEAD><BODY><P>Hi can you send your port configuration?<BR /><BR /><BR />Sent from Cisco Technical Support Android App</P></BODY></HTML> Thu, 04 Jul 2013 14:41:54 GMT https://community.cisco.com/t5/network-access-control/dot1x-open-implementation-and-unreachable-radius/m-p/2229139#M112313 Tarik Admani 2013-07-04T14:41:54Z https://community.cisco.com/t5/network-access-control/dot1x-open-implementation-and-unreachable-radius/m-p/2229140#M112339 <HTML><HEAD></HEAD><BODY><P>Have you configured <STRONG>dot1x critical eapol</STRONG>? </P></BODY></HTML> Thu, 04 Jul 2013 16:38:37 GMT https://community.cisco.com/t5/network-access-control/dot1x-open-implementation-and-unreachable-radius/m-p/2229140#M112339 Octavian Szolga 2013-07-04T16:38:37Z https://community.cisco.com/t5/network-access-control/dot1x-open-implementation-and-unreachable-radius/m-p/2229141#M112368 <HTML><HEAD></HEAD><BODY><P>aaa new-model<BR />aaa authentication dot1x default group radius<BR />aaa authorization network default group radius </P><P>dot1x system-auth-control<BR />!<BR />interface FastEthernet0/1<BR /> description Telefonport mit PC<BR /> switchport mode access<BR /> switchport voice vlan 24<BR /> speed 100<BR /> duplex full<BR /> authentication event fail action next-method<BR /> authentication host-mode multi-domain<BR /> authentication order dot1x mab<BR /> authentication port-control auto<BR /> authentication timer inactivity server<BR /> authentication violation replace<BR /> mab<BR /> dot1x pae authenticator<BR /> dot1x timeout tx-period 1<BR /> dot1x max-req 3<BR /> dot1x max-reauth-req 1<BR /> spanning-tree portfast<BR />!<BR />ip radius source-interface Vlan311 <BR />!<BR />radius server ACS_Pri<BR /> address ipv4 1.1.1.1 auth-port 1645 acct-port 1646<BR /> timeout 3<BR /> key 123</P><P></P><P></P><P>------------------------------------------</P><P></P><P>On ACS </P><P></P><P>Policy Elements/Authorization and Permissions/Network Access/Authorization Profiles<SPAN id="mce_marker"> </SPAN><BR />Create a Profile VOICE and select under Comon Task "Voice VLAN from unused to static. Then you can see</P><P>Yes (device-traffic-class=voice). </P><P></P><P>Thats it </P></BODY></HTML> Fri, 05 Jul 2013 05:17:29 GMT https://community.cisco.com/t5/network-access-control/dot1x-open-implementation-and-unreachable-radius/m-p/2229141#M112368 hdussa 2013-07-05T05:17:29Z