topic Re: 802.1X trying to authenticate phone, not client in Network Access Control

802.1X trying to authenticate phone, not client

MH311x — Tue, 28 Sep 2021 07:18:09 GMT

Hi there,

I am facing some problems when implementing 802.1X in my environment (Catalyst 2960x).

802.1X is working fine so far and the config should be right. But sometimes, the switch is trying to authenticate the Cisco Phone and not the windows client. I then get the following message:

Sep 28 08:32:13.775 MESZ: %DOT1X-5-FAIL: Authentication failed for client (xxxx.xxxx.xxxx) on Interface Gi1/0/16 AuditSessionID XYZ.

But the xxxx.xxxx.xxxx mac-adress is the mac of the phone ... this causes the client to get unauthenticated.

What causes the switch to authenticate the phone and not the client?

Port Config:

switchport access vlan 11
switchport mode access
switchport voice vlan 152
authentication port-control auto
dot1x pae authenticator
storm-control broadcast level pps 100
storm-control multicast level bps 500k
storm-control action shutdown
spanning-tree portfast edge
spanning-tree bpduguard enable

AAA-Konfig:

aaa new-model
aaa authentication login default local
aaa authentication login CON local-case
aaa authentication login VTY group radius local
aaa authentication dot1x default group radius
aaa authorization exec VTY group radius if-authenticated
aaa authorization exec CON local
aaa authorization commands 15 VTY if-authenticated
aaa authorization commands 15 CON local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius

Thanks in advance!
aaa session-id common

Re: 802.1X trying to authenticate phone, not client

Rob Ingram — Tue, 28 Sep 2021 08:35:11 GMT

@MH311x

Is that the full interface configuration? Potentially the host mode could be single-host mode (it's not defined and I don't know what the default is on your switch model/version), so only the phone would authenticate, not the PC.

Try configuring multi-domain "authentication host-mode multi-domain" under the interface, this will authenticate one device in the voice domain and one device in the data domain.

You are obviously also failing to authenticate the phone, so check the ISE logs to determine why that is failing.

Refer to the ISE Wired Guide for more information.

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

Re: 802.1X trying to authenticate phone, not client

MH311x — Tue, 28 Sep 2021 09:50:03 GMT

@Rob Ingram

Yes, this is the full interface configuration.

In the first step we just want to authenticate the PC and not the phones ... so the phones should not take part in the authentication process. We have a RADIUS-server (no ISE) running which is authenticating the clients ... in 95% this works well. But sometimes the authentication is initalized by the phones mac adress. Is there a way to "ignore" the phone in the authentication process?

I think the single-host mode would be right, but the "single host" should then be the PC and not the phone. Is there a way to force this?

Re: 802.1X trying to authenticate phone, not client

Rob Ingram — Tue, 28 Sep 2021 10:03:25 GMT

@MH311x

No unfortunately that's not possible, according to this post, there used to be a feature to bypass phone authentication, but this was depreciated years ago.

https://community.cisco.com/t5/network-access-control/802-1x-single-host-mode/td-p/2734265

You'll need to use multi-domain and authenticate both the PC and Phone.

Re: 802.1X trying to authenticate phone, not client

MH311x — Tue, 28 Sep 2021 11:00:24 GMT

@Rob Ingram

Okay, thanks for the information.

Since we have no ISE, is there a way to configure the host mode to multi-domain but authenticating the phone via MAB and the PC via EAP/802.1X?

Re: 802.1X trying to authenticate phone, not client

Rob Ingram — Tue, 28 Sep 2021 11:07:14 GMT

@MH311x

If using MAB the endpoint will send it's MAC address as the username and password, so whatever RADIUS server/backend authentication identity store you are using will need a username/password defined for each phone.

Re: 802.1X trying to authenticate phone, not client

MH311x — Tue, 28 Sep 2021 11:10:41 GMT

@Rob Ingram

Yes, thats no problem. The mac adresses of the phones are all stored in our NAC (which is also the radius-server), so this should be fine.

I am just wondering about the port configuration to achieve this, because I have to use two different authentication types on one port.

Re: 802.1X trying to authenticate phone, not client

Rob Ingram — Tue, 28 Sep 2021 11:13:57 GMT

@MH311x

You configure "authentication host-mode multi-domain" under the interface.

interface gigabitethernet 1/0/1
 authentication host-mode multi-domain

Re: 802.1X trying to authenticate phone, not client

MH311x — Wed, 29 Sep 2021 10:01:50 GMT

@Rob Ingram

That doesn't solve the problem, because I want to authenticate the phone via MAB and the PC via 802.1X.

When configuing authentication host-mode multi-domain, the phone is also authenticated via 802.1X.

I tried to configure the following now:

authentication event fail action next-method
authentication priority dot1x mab

authentication host-mode multi-domain
authentication port-control auto
mab

dot1x pae authenticator
dot1x max-reauth-req 3

... but the phone does no fallback to MAB (or the port get in err-disabled state before it would fallback to mab).

Re: 802.1X trying to authenticate phone, not client

martin.fischer — Wed, 29 Sep 2021 11:06:45 GMT

you also need to configure

authentication order dot1x mab

Re: 802.1X trying to authenticate phone, not client

Greg Gibbs — Wed, 29 Sep 2021 22:56:52 GMT

I would suggest reviewing your design and configuration against the IP Telephony for 802.1X Design Guide. This is an old document, but nothing much has changed around how the phones and PC get authenticated separately and the important mechanisms to understand and configure. These concepts would apply when using any RADIUS server.

Some key points based on what has been discussed in this thread:

If you're using MDA, you need to ensure that the phone is being authorised correctly using the 'device-traffic-class=voice' VSA. If you're not using ISE (with Profiling), you would likely have to apply this result by matching on some sort of static MAC address table with all of your phones in it. If you are not sending this VSA, the phones would be put into the DATA domain and the port would go into err-disable as MDA does not allow more than one session in the DATA domain.
If the phone is authenticated via MAB but periodically tries to authenticate via dot1x, there are a few possible reasons.
- The phone itself is configured for 802.1x. If this is the case, it will periodically retry via 802.1x so this setting should be disabled on the phone.
- The FlexAuth configuration on the switchport is causing it to try dot1x after a periodic reauth.
- A disconnect/reconnect or session timeout it happening, forcing the switchport to restart the auth process. Since 'priority dot1x mab' will assume 'order dot1x mab', the session has to wait for dot1x to timeout first before trying MAB.

For the latter two possibilities, see TrustSec 1.99 Deployment Note: FlexAuth Order, Priority, and Failed Authentication.

Re: 802.1X trying to authenticate phone, not client

ComputerRick — Thu, 30 Sep 2021 15:31:56 GMT

You should also add the line "mab" to the port config.
When using mab, the switch captures it and sends it to the radius server, the device isn't aware of any auth taking place.

Configure auth host-mode multi-domain also.