topic Re: PC authentication with dot1x and IP Phone with MAB in Network Access Control

PC authentication with dot1x and IP Phone with MAB

promero — Mon, 05 Apr 2021 16:54:01 GMT

Team,

I have a problem, I want to connect a PC and a Polycom phone but the PC does not authenticate to ISE.

By having the PC connected to the phone, the ISE recognizes it by MAB and it should be by DOT1X.

When doing tests, I connect the PC directly to the network point (without a telephone) and it authenticates correctly the same happens with the telephone alone.

What could be the problem? The phone is Polycom.

- ISE 2.7

- Patch 2

- SW WS-C3650-48PS

- SW IOS Version 16.3.6

SW:

Current configuration : 546 bytes
!
interface GigabitEthernet1/0/5
description ###PC + IP PHONE###
switchport access vlan 60
switchport mode access
switchport voice vlan 777
duplex full
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast
end

Regards,

Re: PC authentication with dot1x and IP Phone with MAB

balaji.bandi — Mon, 05 Apr 2021 17:08:29 GMT

try below order :

authentication order mab dot1x
authentication priority dot1x mab

still not working, look at the Live Event Logs in ISE will give you full information on why this was failed?

Re: PC authentication with dot1x and IP Phone with MAB

promero — Mon, 05 Apr 2021 18:01:23 GMT

Hi BB, I will coordinate the tests and comment on the results.

Re: PC authentication with dot1x and IP Phone with MAB

Greg Gibbs — Mon, 05 Apr 2021 23:24:09 GMT

Be aware that, if you use the FlexAuth configuration of 'order mab dot1x' and 'priority dot1x mab' you will need to ensure your AuthZ Profile for the PC includes the 'termination-action-modifier=1' av-pair as described in the TrustSec 1.99 Deployment Note: FlexAuth Order, Priority, and Failed Authentication document.

If the PC is working correctly when directly connected to the switchport, it sounds like the phone is not passing the EAPOL message through to the PC. You would have to do a packet capture on the switchport and the PC to confirm what's happening with EAPOL.

The Avaya phones should support an EAP pass-through function, but there may need to be configuration or a minimum firmware version required to enable this. You might need to engage the Avaya support team to help investigate further.

Re: PC authentication with dot1x and IP Phone with MAB

promero — Tue, 06 Apr 2021 20:18:05 GMT

Greg,

Thank you for your comment, I will run the tests and report the results.