MAB and 802.1x issues with IP-phone

FrodeFlaten — Mon, 11 Mar 2019 03:17:53 GMT

I'm trying to use 802.1x to authenticate clients on my network with dynamic VLAN assignment from RADIUS. We have IP-Phones(powered by PoE) that only supports EAP-MD5, and we would rather use MAB(it also uses LLDP-MED for some settings) to authenticate the phones using the MAC-range from the phones vendor. The following scenario works perfect:

Connect the phone and let it boot up(takes a while) and authenticate with MAB.
Connect a computer in the phones data-port and let it authenticate with 802.1x(or fail and reach guest-vlan)

However, the following scenario doesn't work:

The computer is already connected to the phone
The phone is then connected to the switch

What happends now is that the computer is authenticated using 802.1x before the phone boots up and get's authenticated with MAB. When the phone is ready, it's authenticated with MAB and everything works. However, after a short period(let's say a minute), using `debug authentication all`, we see a "NEW LL MAC: phones mac" message(which is weird since the mac has already been MAB-authenticated), and then we are unable to contact the phone using ping. When I check `show mac address-table` it has now moved the mac from `Port Gi 0/12` to `Port Drop`. However, if I check `show mab interface Gi 0/12` or `show authentication sessions` it lists the phones-mac as `mab auth sucess `.

Can anyone explain why the first scenario works, and not the second?

The switch is a 3560E PoE 24p with IOS 12.2.58SE2. Sample of the switch-config:

network-policy profile 1
voice vlan 90
!
interface GigabitEthernet0/12
switchport mode access
network-policy 1
authentication control-direction in
authentication event fail retry 1 action authorize vlan 60
authentication event server dead action authorize vlan 60
authentication event no-response action authorize vlan 60
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 5
dot1x max-reauth-req 1
spanning-tree portfast
!

Btw, when we tried authenticating the phones using 802.1x too (EAP-MD5), there are NO problems in any of the scenarios. However, we want to use MAB instead of 802.1x to avoid the requirement of configuring the phones with a username and password. The RADIUS response was the same when using 802.1x as it is with MAB for the phones (including device-traffic-class=voice AV-pair).

Re: MAB and 802.1x issues with IP-phone

Amjad Abdullah — Fri, 12 Apr 2013 10:17:46 GMT

I remember there is a RADIUS attribute you configure so that RADIUS assigns the authenticated phone to the voice VLAN, not to the data vlan when they connect using MAB. are you configuring that attribute?
Btw, what is the vendor for the phones? Cisco?

Sent from Cisco Technical Support iPad App

Re: MAB and 802.1x issues with IP-phone

FrodeFlaten — Fri, 12 Apr 2013 10:21:44 GMT

Hey. Yes, as specified in the last sentence in my post, the phone is placed in the Voice Domain, and both RADIUS and LLDP-MED (network policy profile 1) specifies voice vlan as 90.

The weird thing is that everything works fine if both use 802.1x, and that there is only a problem when phone(using MAB) already has the computer connected to it, when the phone is turned on(connected to PoE-switch). It must be because the computer boots up and authenticates first I think.

The phones are Snom 821.

topic Re: MAB and 802.1x issues with IP-phone in Network Access Control

MAB and 802.1x issues with IP-phone

Re: MAB and 802.1x issues with IP-phone

Re: MAB and 802.1x issues with IP-phone