topic Re: Computer behind IP phone does not work in Network Access Control

Computer behind IP phone does not work

dgaikwad — Wed, 04 Jul 2018 06:52:13 GMT

Hi Experts.

There is this small set of users that we are moving to closed mode, but keeping the posture checks in audit mode.

The setup we are using is as follows:

ISE:

Version: 2.3.0.298

Patch: 2,3

AnyConnect with NAM: 4.5.04029

Now what is happening is that, when I connect just the computer to the port, everything works fine as it should.

Authentication happens and posture runs no issues.

Now, I bring in the IP phone and connect the computer behind the IP phone:

The phone registers, but the computer stays in limited connectivity.

Now here I have to manually select the Wired profile from the drop down.

After that only, it authenticates and run the posture check.

I have tested this multiple times, but the issue stays as it is.

This is the switch configuration:

interface GigabitEthernet2/0/8

description ** DSI| Prise C0-099 | Salle 0.134 **

switchport access vlan 242

switchport mode access

switchport voice vlan 260

authentication event server dead action authorize vlan 230

authentication event server dead action authorize voice

authentication event server alive action reinitialize

authentication host-mode multi-auth

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

mab

dot1x pae authenticator

dot1x timeout tx-period 10

spanning-tree portfast

Has anyone observed this behavior before?

Re: Computer behind IP phone does not work

dgaikwad — Wed, 04 Jul 2018 10:05:52 GMT

Here is another update to this issue:

This was a laptop that we were testing with.. So it has two profiles on NAM, one for the Wired and another for the Wifi access.

Now, when we disabled the Wifi, and then connected to the port behind the IP phone, it just worked without any issues.

We verified this multiple times and it worked right.

So the question here is, is NAM unable to select from profile when user is already connected to Wifi?

Re: Computer behind IP phone does not work

ognyan.totev — Wed, 04 Jul 2018 11:25:06 GMT

You have to configure NAM properly and will be work ,and why you need NAM ,in mine deployment all profiles for PC,notebooks coming from Active directory ,wired PC take GPO for wired and Wireless take GPO for wireless.

One more thing ,are LAN WAN switching work on this PC correctly ,if yes i think NAM will auto switch profiles.

Re: Computer behind IP phone does not work

dgaikwad — Wed, 04 Jul 2018 12:19:08 GMT

We are using NAM to allow for EAP-Chaining, we have a requirement for user and computer authentication, thus NAM was the only option to go with.

Prior to deploying ISE and NAM, it was working fine.

Then when we were running WiFi and Wired connections in open mode, there were no issues reported.

And when we now moved to closed mode, we have started to see these issues when a wifi user connects to the wired port.

Re: Computer behind IP phone does not work

ognyan.totev — Wed, 04 Jul 2018 17:35:07 GMT

YOu can use computer and user authentication without NAM ,and i am sure of that.In mine deployment is without NAM and working machine and user authentication via Eap-chaining

Re: Computer behind IP phone does not work

Damien Miller — Wed, 04 Jul 2018 17:44:10 GMT

This is new to me, I wasn't aware that there were native supplicants capable of eap-chaining. Do you have a reference link for this functionality? I know windows gave the option for computer and user auth but that only ever chose one or the other, not both at once.

Re: Computer behind IP phone does not work

hslai — Thu, 05 Jul 2018 02:32:04 GMT

I think there is a mix-up.

You are correct that only AnyConnect NAM can perform EAP Chaining but not Windows native 802.1X supplicants. Windows native supplicants can have computer or user authentication one or the other and ISE admin may choose to use Machine Access Restriction (MAR) in AD and condition on WasMachineAuthenticated to enforce the user auth with a valid prior computer auth.

Re: Computer behind IP phone does not work

ognyan.totev — Thu, 05 Jul 2018 02:59:11 GMT

YEs Hslai is right ,but in autorization rules you can make 1rule for machine authorization and second rule user auth.

MAchine will match always first but the trick here is the user ,alway his rule must above the machine and include

was machine authenticated =true

And as you told it will match always 1 but it will match machine first at boot and secon when user log in .

Re: Computer behind IP phone does not work

dgaikwad — Thu, 05 Jul 2018 08:22:12 GMT

It turned out that the switch in question was running an unsupported version of iOS, 15.0(2) EX4.

So, I think it might be hitting the bug here, https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuo92394/?rfs=iqvred, although this version if iOS is not mentioned in the bug...

Nevertheless, I have requested to upgrade the version of iOS to supported version of, IOS 15.2(2) E6.

Post that we would run the tests again and capture the results.

Thank you,

Re: Computer behind IP phone does not work

hslai — Thu, 05 Jul 2018 15:52:26 GMT

Thanks a lot for the update.

I am guessing the NAD is of 2960X and the CCO showing 15.0.2-EX4(ED) as a deferred release.

Yes, it's good to use one of the validated OS in Table 2 of ISE 2.4 Supported Cisco Access Switches

If you encounter further issues, best to consult with the particular switch platform team.