topic One thing solved but it is in Network Access Control

C2960 host-mode multi-domain Cisco phone does not go to Voice Domain

Lukasz Slowinski — Mon, 11 Mar 2019 05:43:01 GMT

Hi everybody

I am working on deploying dot1.x through our company. I am stuck on configuring Cisco Phones to go on a correct VLAN when host-mode multi-domain option is used. I tried it on two C2960 switches with two different images. No matter what I do, the phone goes to Domain: DATA and cannot connect to the network as most likely it is in a wrong VLAN. ISE is showing port as authenticated and MAB works fine. When I configure host-mode multi-host, the phone gets a correct VLAN and can tall to the network.

Here is what I use:

C2960S-48FPS-L with C2960S-UNIVERSALK9-M or C2960 SI with c2960-lanlitek9-tar.150-2.SE7
Cisco Phone 7960 and 7962
ISE 1.3.0.876

Here is the current port configuration:

interface GigabitEthernet1/0/1

switchport access vlan 2

switchport mode access

switchport voice vlan 703

authentication host-mode multi-domain

authentication order mab dot1x

authentication priority dot1x mab

authentication port-control auto

authentication periodic

mab

dot1x pae authenticator

dot1x timeout tx-period 10

spanning-tree portfast

end

Here is the output of show authentication session inter Gig1/0/1

MAC Address: 0013.1a58.xxxx

IP Address: Unknown

User-Name: 00-13-1A-xx-xx-xx

Status: Authz Success

Domain: DATA

Oper host mode: multi-domain

Oper control dir: in

Authorized By: Authentication Server

Vlan Policy: N/A

Session timeout: 5400s (local), Remaining: 5384s

Timeout action: Reauthenticate

Idle timeout: N/A

Common Session ID: 0AF301450000000C001F3391

Acct Session ID: 0x00000010

Handle: 0x0400000D

Thanks for your help.

What is the content of your

jan.nielsen — Sat, 09 May 2015 21:18:50 GMT

What is the content of your authorization result that is used for the phone ?

Hi JanThank you for your

Lukasz Slowinski — Mon, 11 May 2015 09:13:58 GMT

Hi Jan

Thank you for your response.

This test was run with only the phone connected to the switch.

This is what I see on the ISE server:

Steps

	11001	Received RADIUS Access-Request
	11017	RADIUS created a new session
	11027	Detected Host Lookup UseCase (Service-Type = Call Check (10))
	15049	Evaluating Policy Group
	15008	Evaluating Service Selection Policy
	15048	Queried PIP - Radius.Service-Type
	15048	Queried PIP - Radius.NAS-Port-Type
	15004	Matched rule - MAB
	15041	Evaluating Identity Policy
	15006	Matched Default Rule
	15013	Selected Identity Source - Internal Endpoints
	24209	Looking up Endpoint in Internal Endpoints IDStore - 3C:CE:73:58:xx:xx
	24211	Found Endpoint in Internal Endpoints IDStore
	22037	Authentication Passed
	15036	Evaluating Authorization Policy
	15048	Queried PIP - Radius.NAS-Port-Type
	15004	Matched rule - ARR-MAB
	15016	Selected Authorization Profile - PermitAccess
	11002	Returned RADIUS Access-Accept

And this is what I see on the switch:

May 11 09:06:39.844: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up

May 11 09:06:40.846: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up

May 11 09:06:50.414: %AUTHMGR-5-START: Starting 'mab' for client (3cce.7358.xxxx) on Interface Gi1/0/1 AuditSessionID 0AF30145000000030016E90A

May 11 09:06:50.440: %MAB-5-SUCCESS: Authentication successful for client (3cce.7358.xxxx) on Interface Gi1/0/1 AuditSessionID 0AF30145000000030016E90A

May 11 09:06:50.440: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (3cce.7358.xxxx) on Interface Gi1/0/1 AuditSessionID 0AF30145000000030016E90A

May 11 09:06:50.613: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (3cce.7358.xxxx) on Interface Gi1/0/1 AuditSessionID 0AF30145000000030016E90A

Looks like youre missing the

jan.nielsen — Mon, 11 May 2015 09:16:27 GMT

Looks like youre missing the device-class=voice attribute in your authz profile.

Jan, you are the man! :)This

Lukasz Slowinski — Mon, 11 May 2015 09:47:33 GMT

Jan, you are the man! 🙂

This worked as a champ. Rookie mistake I guess.

My mistake was that I assumed this would work on a switch level by CDP, without any ISE config required. And to be fair no documentation I found mentioned anything about this.

Once again thank you for your help.

Lukasz

One thing solved but it is

Lukasz Slowinski — Mon, 11 May 2015 10:43:17 GMT

One thing solved but it is still not working as it should.

When only the phone is connected, everything looks OK. I can ping the phone without a problem. This is an improvement as I could not do this before.

The moment I connect a PC to the phone, pings to the phone drop and it loses config.

The PC network is also unidentified. VLAN on the switch is OK, it gets an IP address but it cannot ping anything. When the PC connects to the port directly, it works OK.

PORT SETTINGS

interface GigabitEthernet1/0/1
switchport access vlan 2
switchport mode access
switchport voice vlan 703
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end

Switch Console logging output:

May 11 10:13:51.786: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/1: Power granted

May 11 10:13:52.321: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down

May 11 10:13:56.888: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up

May 11 10:13:59.813: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down

May 11 10:14:02.168: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up

May 11 10:14:03.169: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up

May 11 10:14:10.567: %AUTHMGR-5-START: Starting 'mab' for client (3cce.7358.4796) on Interface Gi1/0/1 AuditSessionID 0AF3014500000010005496D0

May 11 10:14:10.578: %MAB-5-SUCCESS: Authentication successful for client (3cce.7358.4796) on Interface Gi1/0/1 AuditSessionID 0AF3014500000010005496D0

May 11 10:14:10.583: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (3cce.7358.4796) on Interface Gi1/0/1 AuditSessionID 0AF3014500000010005496D0

May 11 10:14:11.495: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (3cce.7358.4796) on Interface Gi1/0/1 AuditSessionID 0AF3014500000010005496D0

Switch(config-if)#

May 11 10:15:11.068: %AUTHMGR-5-START: Starting 'mab' for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF

May 11 10:15:11.094: %MAB-5-SUCCESS: Authentication successful for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF

May 11 10:15:11.094: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF

May 11 10:15:11.199: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF

May 11 10:15:14.649: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF

May 11 10:15:14.649: %AUTHMGR-5-START: Starting 'dot1x' for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF

May 11 10:15:14.980: %DOT1X-5-SUCCESS: Authentication successful for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF

May 11 10:15:14.980: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF

May 11 10:15:15.310: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF

Switch authentication session:

Switch#sh authentication sess int gi1/0/1

Interface: GigabitEthernet1/0/1

MAC Address: 3cce.7358.4796

IP Address: Unknown

User-Name: 3C-CE-73-58-47-96

Status: Authz Success

Domain: VOICE

Oper host mode: multi-domain

Oper control dir: both

Authorized By: Authentication Server

Session timeout: 3600s (local), Remaining: 3449s

Timeout action: Reauthenticate

Idle timeout: N/A

Common Session ID: 0AF3014500000010005496D0

Acct Session ID: 0x00000018

Handle: 0xDC000011

Runnable methods list:

Method State

mab Authc Success

dot1x Not run

----------------------------------------

Interface: GigabitEthernet1/0/1

MAC Address: 68f7.284a.0cf9

IP Address: Unknown

User-Name: LAPTOP

Status: Authz Success

Domain: DATA

Oper host mode: multi-domain

Oper control dir: both

Authorized By: Authentication Server

Vlan Policy: N/A

Session timeout: 3600s (local), Remaining: 3513s

Timeout action: Reauthenticate

Idle timeout: N/A

Common Session ID: 0AF30145000000110055ABAF

Acct Session ID: 0x0000001A

Handle: 0xBE000012

Runnable methods list:

Method State

mab Not run

dot1x Authc Success

ISE output:

Phone:

Steps

11001 Received RADIUS Access-Request

11017 RADIUS created a new session

11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))

15049 Evaluating Policy Group

15008 Evaluating Service Selection Policy

15048 Queried PIP - Radius.Service-Type

15048 Queried PIP - Radius.NAS-Port-Type

15004 Matched rule - MAB

15041 Evaluating Identity Policy

15006 Matched Default Rule

15013 Selected Identity Source - Internal Endpoints

24209 Looking up Endpoint in Internal Endpoints IDStore - 3C:CE:73:58:47:96

24211 Found Endpoint in Internal Endpoints IDStore

22037 Authentication Passed

15036 Evaluating Authorization Policy

15048 Queried PIP - Radius.NAS-Port-Type

15004 Matched rule - TEST-MAB

15016 Selected Authorization Profile - TEST-VoiceDomain

11002 Returned RADIUS Access-Accept

PC:

Steps

11001 Received RADIUS Access-Request

11017 RADIUS created a new session

15049 Evaluating Policy Group

15008 Evaluating Service Selection Policy

15048 Queried PIP - Radius.NAS-Port-Type

15048 Queried PIP - Radius.Service-Type

15004 Matched rule - TEST_Dot1X

11507 Extracted EAP-Response/Identity

12500 Prepared EAP-Request proposing EAP-TLS with challenge

12625 Valid EAP-Key-Name attribute received

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12301 Extracted EAP-Response/NAK requesting to use PEAP instead

12300 Prepared EAP-Request proposing PEAP with challenge

12625 Valid EAP-Key-Name attribute received

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated

12318 Successfully negotiated PEAP version 0

12800 Extracted first TLS record; TLS handshake started

12805 Extracted TLS ClientHello message

12806 Prepared TLS ServerHello message

12807 Prepared TLS Certificate message

12810 Prepared TLS ServerDone message

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

12318 Successfully negotiated PEAP version 0

12812 Extracted TLS ClientKeyExchange message

12804 Extracted TLS Finished message

12801 Prepared TLS ChangeCipherSpec message

12802 Prepared TLS Finished message

12816 TLS handshake succeeded

12310 PEAP full handshake finished successfully

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

12313 PEAP inner method started

11521 Prepared EAP-Request/Identity for inner EAP method

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

11522 Extracted EAP-Response/Identity for inner EAP method

11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

12523 Extracted EAP-Response/NAK for inner method requesting to use EAP-TLS instead

12522 Prepared EAP-Request for inner method proposing EAP-TLS with challenge

12625 Valid EAP-Key-Name attribute received

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

12524 Extracted EAP-Response containing EAP-TLS challenge-response for inner method and accepting EAP-TLS as negotiated

12800 Extracted first TLS record; TLS handshake started

12805 Extracted TLS ClientHello message

12806 Prepared TLS ServerHello message

12807 Prepared TLS Certificate message

12809 Prepared TLS CertificateRequest message

12527 Prepared EAP-Request for inner method with another EAP-TLS challenge

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

12526 Extracted EAP-Response for inner method containing TLS challenge-response

12527 Prepared EAP-Request for inner method with another EAP-TLS challenge

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

12526 Extracted EAP-Response for inner method containing TLS challenge-response

12527 Prepared EAP-Request for inner method with another EAP-TLS challenge

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

12526 Extracted EAP-Response for inner method containing TLS challenge-response

12527 Prepared EAP-Request for inner method with another EAP-TLS challenge

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

12526 Extracted EAP-Response for inner method containing TLS challenge-response

12527 Prepared EAP-Request for inner method with another EAP-TLS challenge

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

12526 Extracted EAP-Response for inner method containing TLS challenge-response

12527 Prepared EAP-Request for inner method with another EAP-TLS challenge

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

12526 Extracted EAP-Response for inner method containing TLS challenge-response

12527 Prepared EAP-Request for inner method with another EAP-TLS challenge

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

12526 Extracted EAP-Response for inner method containing TLS challenge-response

12527 Prepared EAP-Request for inner method with another EAP-TLS challenge

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

12526 Extracted EAP-Response for inner method containing TLS challenge-response

12527 Prepared EAP-Request for inner method with another EAP-TLS challenge

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

12526 Extracted EAP-Response for inner method containing TLS challenge-response

12571 ISE will continue to CRL verification if it is configured for specific CA - certificate for LAPTOP

12571 ISE will continue to CRL verification if it is configured for specific CA - certificate for TestDomainDomain-TEST-CA-1-CA

12571 ISE will continue to CRL verification if it is configured for specific CA - certificate for TEST-CA-ROOT-CA

12811 Extracted TLS Certificate message containing client certificate

12812 Extracted TLS ClientKeyExchange message

12813 Extracted TLS CertificateVerify message

12804 Extracted TLS Finished message

12801 Prepared TLS ChangeCipherSpec message

12802 Prepared TLS Finished message

12816 TLS handshake succeeded

12509 EAP-TLS full handshake finished successfully

12527 Prepared EAP-Request for inner method with another EAP-TLS challenge

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

12526 Extracted EAP-Response for inner method containing TLS challenge-response

15041 Evaluating Identity Policy

15006 Matched Default Rule

22072 Selected identity source sequence - TEST_CERT_AD_LOCAL

22070 Identity name is taken from certificate attribute

15013 Selected Identity Source - TestDomainDomain.co.uk

24433 Looking up machine in Active Directory - TestDomainDomain.co.uk

24325 Resolving identity - LAPTOP

24313 Search for matching accounts at join point - TestDomainDomain.co.uk

24319 Single matching account found in forest - TestDomainDomain.co.uk

24323 Identity resolution detected single matching account

24700 Identity resolution by certificate succeeded - TestDomainDomain.co.uk

22037 Authentication Passed

12528 Inner EAP-TLS authentication succeeded

11519 Prepared EAP-Success for inner EAP method

12314 PEAP inner method finished successfully

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

15036 Evaluating Authorization Policy

11055 User name change detected for the session. Attributes for the session will be removed from the cache

15048 Queried PIP - Radius.NAS-Port-Type

15048 Queried PIP - Radius.Service-Type

24433 Looking up machine in Active Directory - TestDomainDomain.co.uk

24355 LDAP fetch succeeded - TestDomainDomain.co.uk

24435 Machine Groups retrieval from Active Directory succeeded - TestDomainDomain.co.uk

15048 Queried PIP - TestDomainDomain.co.uk.ExternalGroups

15048 Queried PIP - Network Access.EapAuthentication

15004 Matched rule - TEST-WIRED-MACHINE

15016 Selected Authorization Profile - PermitAccess

12306 PEAP authentication succeeded

11503 Prepared EAP-Success

11002 Returned RADIUS Access-Accept

Hi again I thinks there may

Lukasz Slowinski — Mon, 11 May 2015 11:16:15 GMT

Hi again

I thinks there may be a problem in MAB processing. I noticed that the policy authorized the PC on the MAB profile (still need to figure out why).

I changed the authorization order to dot1x mab and after that both devices are connected.

Once again thank you for your help.

Looks fine to me, what i am

jan.nielsen — Mon, 11 May 2015 11:19:31 GMT

Looks fine to me, what i am wondering is why your switch does not know the ip addresses of your devices? Did you not enable ip device tracking or dhcp snooping ?

Are you using any access-lists on your ports, that you haven't shown us in your "sh run"?