topic MAB with Cisco Phone - Authorization failed in Network Access Control

MAB with Cisco Phone - Authorization failed

Rene Jorissen — Mon, 11 Mar 2019 03:24:13 GMT

Hello everybody,

I am using MAB to authenticate clients and Cisco IP Phones against a Microsoft NPS Radius server. Everything is working perfectly, except for 1 Cisco phone. The phone is successfully authentication, but authorization fails. The switch port has the following configuration.

switchport access vlan 500

switchport mode access

switchport nonegotiate

switchport voice vlan 92

no logging event link-status

srr-queue bandwidth share 1 30 35 5

priority-queue out

authentication control-direction in

authentication event server dead action authorize voice

authentication host-mode multi-domain

authentication port-control auto

authentication periodic

authentication timer reauthenticate 10800

authentication timer inactivity 1800

mab

no snmp trap link-status

mls qos trust device cisco-phone

mls qos trust cos

macro description mab

auto qos voip cisco-phone

storm-control broadcast level 5.00

storm-control action shutdown

spanning-tree portfast

spanning-tree bpduguard enable

service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY

I receive the following RADIUS logging from the client authentication process.

May 7 15:24:53.349: RADIUS: 4D 8F 05 AB 00 00 01 37 00 01 02 00 0A 19 0A 84 00 00 00 00 00 00 00 00 00 00 00 00 01 CE 47 DF 2A A4 B3 70 00 00 00 00 00 00 5F 79 [ M7G*p_y]

May 7 15:24:53.349: RADIUS: Vendor, Cisco [26] 34

May 7 15:24:53.349: RADIUS: Cisco AVpair [1] 28 "device-traffic-class=voice"

May 7 15:24:53.358: RADIUS(00002749): Received from id 1645/128

May 7 15:24:53.366: %MAB-5-SUCCESS: Authentication successful for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13

May 7 15:24:53.374: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13

SER-02-SW01#clear authentication

May 7 15:24:53.383: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13

I checked online and blog posts and forums suggest to check the usage of downloadable access-list, but they aren't used in the switch. As mentioned, all Cisco IP Phones work perfectly, except this one. I already removed the object from Active Directory and created a new object from scratch, but the same result. I also tried another port on the switch, still an authorization failed.

Currently I have no idea where to look further, so maybe some of you can help me!!!

MAB with Cisco Phone - Authorization failed

Jatin Katyal — Tue, 07 May 2013 14:29:08 GMT

Please provide the below mentioned info:

debug mab all

debug radius

show authentication session interface

error message from the NPS > event viewer

show mac address-table interface

I beleive the mac address of the phone is 442b.03a2.f9e8

Jatin Katyal

- Do rate helpful posts -

Re: MAB with Cisco Phone - Authorization failed

Rene Jorissen — Tue, 07 May 2013 16:34:18 GMT

Dear Jatin,

I attached the output of the debug and show commands. The NPS logging only shows a succesfull login, so nothing special there.

Re: MAB with Cisco Phone - Authorization failed

Jatin Katyal — Tue, 07 May 2013 17:53:14 GMT

Rene, the debugs shows that radius successfully authenticated the access-request and did send the required attribute to put the phone in voice vlan but it seems like some restriction is preventing the authorization part.

May 7 18:30:26.724: RADIUS: Cisco AVpair [1] 28 "device-traffic-class=voice"

May 7 18:30:26.724: RADIUS(00002766): Received from id 1645/81

May 7 18:30:26.732: mab-ev(Gi1/0/39): MAB received an Access-Accept for 0x1A00005F (442b.03a2.f9e8)

May 7 18:30:26.732: %MAB-5-SUCCESS: Authentication successful for client (442b.03a2.f9e8) on Interface Gi1/0/39

You wrote that you have tried other ports as well and same issue. Do we have any phone connected to a different interface/port working fine.

Jatin Katyal

- Do rate helpful posts -

Re: MAB with Cisco Phone - Authorization failed

Rene Jorissen — Tue, 07 May 2013 17:57:23 GMT

Hey Jatin,

The problems only occurs with this specific Cisco IP Phone and only on this specific Cisco Catalyst 3750X switch / stack. All other Cisco IP Phones are working fine.

We patched the specific phone to another 3750X switch (with the same IOS firmware) and authentication and authorization is working fine on that switch. So it seems like a bug, but a bug for only one Cisco IP Phone?!?!?!

Re: MAB with Cisco Phone - Authorization failed

Jatin Katyal — Tue, 07 May 2013 18:03:11 GMT

could you please share the interface configuration of another 3750X where you patch the IP phone and it worked.

Jatin Katyal

- Do rate helpful posts -

Re: MAB with Cisco Phone - Authorization failed

Rene Jorissen — Tue, 07 May 2013 18:06:30 GMT

The configuration of all MAB-enabled switch ports are exactly the same as in the first post. We use a macro configuration to configure the switch ports.

Re: MAB with Cisco Phone - Authorization failed

Jatin Katyal — Tue, 07 May 2013 18:14:49 GMT

let's try this

unplug the phone

clear the mac address table for that interface.

clear mac address-table interface

Plug the phone back to the interface

Go to the interface execute

shut and no shut

share the results plz.

Jatin Katyal

- Do rate helpful posts -

Re: MAB with Cisco Phone - Authorization failed

Rene Jorissen — Tue, 07 May 2013 18:19:35 GMT

I still get the same result.

00 00 00 00 00 01 CE 47 DF 2A A4 B3 70 00 00 00 00 00 00 66 CA [ M7G*pf]

May 7 20:18:27.722: RADIUS: Vendor, Cisco [26] 34

May 7 20:18:27.722: RADIUS: Cisco AVpair [1] 28 "device-traffic-class=voice"

May 7 20:18:27.739: RADIUS(00002769): Received from id 1645/205

May 7 20:18:27.739: mab-ev(Gi1/0/39): MAB received an Access-Accept for 0xE601003B (442b.03a2.f9e8)

May 7 20:18:27.739: %MAB-5-SUCCESS: Authentication successful for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002722EEA070B8

May 7 20:18:27.739: mab-sm(Gi1/0/39): Received event 'MAB_RESULT' on handle 0xE601003B

May 7 20:18:27.739: mab : during state mab_authorizing, got event 5(mabResult)

May 7 20:18:27.739: @@@ mab : mab_authorizing -> mab_terminate

May 7 20:18:27.739: mab-ev(Gi1/0/39): Deleted credentials profile for 0xE601003B (dot1x_mac_auth_442b.03a2.f9e8)

May 7 20:18:27.739: mab-ev(Gi1/0/39): Sending event (2) to AuthMGR for 442b.03a2.f9e8

May 7 20:18:27.739: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002722EEA070B8

SER-02-SW01#

May 7 20:18:27.747: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002722EEA070B8

May 7 20:18:28.728: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Gi1/0/39, port's configured trust state is now operational.

SER-02-SW01#

May 7 20:18:29.668: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Gi1/0/39, port's configured trust state is now operational.

Re: MAB with Cisco Phone - Authorization failed

Jatin Katyal — Tue, 07 May 2013 23:58:18 GMT

This is strange.

I'd like to see more debugs to narrow it down.

debug dot1x all

debug mab all

debug radius

debug aaa authentication

shut/ no shut the interface

Switch# show mab int details

switch# show dot1x int details

Also send me a scree shot of the error message and policy we are hitting on the radius server

go to NPS > administrative tools > event viewer > Custom views > server roles > network policy and access-services.

go to NPS > administrative tools > NPS > policies > network policies > edit policy > radius attributes > standard and vendor specific.

Jatin Katyal

- Do rate helpful posts -

Re: MAB with Cisco Phone - Authorization failed

Rene Jorissen — Wed, 08 May 2013 07:08:54 GMT

Tell me something. Strange is an understatement 😉

I attached the requested information. The NPS event logging only shows "access granted" messages for the client, which relate to the Authentication succeed messages from MAB.

Re: MAB with Cisco Phone - Authorization failed

Jatin Katyal — Wed, 08 May 2013 13:08:42 GMT

Again analysed the debug you sent over. Unfortunately, nothing new in that too. The Mab session JUST shows authentication status success and not authorized.

MAB SM state = TERMINATE

Authen Status = SUCCESS

Do we have a different phone working fine with the same switch on a different port/interface?

If no, than please share the following info from the working and non-working switch:

show run | in aaa

show ver

In case it doesn't help us, two things I'd be interested in here:

- Sniffer traces of the Radius packet exchange between this switch and the server (having the shared secret would be ideal but isn't strictly needed) and

- It may be worthwhile to run the same debugs on one of the working switches so I can double-check to make sure there isn't a slight difference in the authorization response we received.

debug dot1x all

debug mab all

debug radius

debug aaa authentication

The last restore would be to reload the switch (in case it's possible )

Jatin Katyal

- Do rate helpful posts -

Re: MAB with Cisco Phone - Authorization failed

Rene Jorissen — Wed, 08 May 2013 13:13:24 GMT

Hey Jatin,

Other phones work on the same switch on the same port, on the same switch on different port and on different switches. I am thinking about a bug, so we will schedule a reload of the switch to see if this solves the problem.

Re: MAB with Cisco Phone - Authorization failed

Jatin Katyal — Wed, 08 May 2013 13:35:51 GMT

Alrighty...I did see the similar issue for someother customer couple of years ago and we finally reloaded the switch to get that resolved. I wish this may do magic in your case as well.

Good luck

Jatin Katyal

- Do rate helpful posts -

Re: MAB with Cisco Phone - Authorization failed

msonnie — Wed, 08 May 2013 20:09:18 GMT

Hello Rene,

As you must have observed that it's just an issue with this particular model of Cisco IP phone, hence I would recommend checking the various conditions that have been specified on the radius server for the Cisco IP phone, as usually the dACL's/conditions ( rules) are a reason for the authorization failure.

May I know if there's any other Authenticator in the Network such as Cisco ISE ?

HTH.

Re: MAB with Cisco Phone - Authorization failed

Jatin Katyal — Wed, 08 May 2013 20:23:50 GMT

Before we reload try

try disabling dot1x globally and re-apply it.

no dot1x system auth control

dot1x system auth control

Jatin Katyal

- Do rate helpful posts -

Re: MAB with Cisco Phone - Authorization failed

Rene Jorissen — Thu, 09 May 2013 14:56:28 GMT

Jatin,

Didn't help either. A reboot of the switch solved the problem. So I guess some kind of bug or something.

Thanx for all the support

Re: MAB with Cisco Phone - Authorization failed

Rene Jorissen — Thu, 09 May 2013 14:57:54 GMT

Mohit,

A reboot of the switch did the trick!!!

Re: MAB with Cisco Phone - Authorization failed

Jatin Katyal — Thu, 09 May 2013 15:02:00 GMT

Thanks for updating Rene. I suggested for disabling and re-enabling the dot1x globally to see in case it got stuck somewhere. However, it looks the thought didn't go well. Would appreciate if you mark it resolved so that someone else can take benefits out of it.

Your welcome

Have a nice day!!!

Jatin Katyal

- Do rate helpful posts -

Re: MAB with Cisco Phone - Authorization failed

Jatin Katyal — Thu, 09 May 2013 15:04:50 GMT

Mohit,

thanks for Joining the discussion. Actually, I thought the same thing initially that we might need to apply port-based ACL. We did clarify this piece in this post https://supportforums.cisco.com/message/3931416#3931416

Screen shots are attached from NPS.

Jatin Katyal

- Do rate helpful posts -