topic Re: 802.1x - Computer in phone port not working. in Network Access Control

802.1x - Computer in phone port not working.

Jimboom — Sat, 27 Mar 2021 14:53:28 GMT

I am working on a small project to implement 802.1x authentication on the wired network.

In the environment there are:

IP phone
Corporate computer
Subcontractor computer

The whole network is built with Cisco Catalsyt 9300, 2960X, 2960S, 3850 switches. Each office has an IP phone and a computer that is plugged into the phone.

Each port is configured with a Voice VLAN and an Access VLAN Data for corporate computers.

The goal is to authenticate phones in MAB or 802.1x and to authenticate corporate computers in 802.1x.

If a non-company computer plugs in network port or behind the phone, it is sent into a guest VLAN.

A corporate computer will be sent to his dynamic VLAN returned by the radius server.

I have configured MAB authentication for phones and other equipment such as printers. I have configured CA and autoenroll for corporate computers.

Here's what works:

If I plug a phone into a port it is authenticated MAB with radius and takes its voice VLAN

If I plug in a corporate computer it is 802.1x authenticated and is sent in the VLAN according to the radius policy.

If I plug in an unauthorized device or computer, it is sent in a guest VLAN.

Here is what it does not work and this is the most important of the whole project:

I plug a corporate computer into a phone, I automatically get an authentication error and the port is disabled. Same thing with non corporate Computer.

In the radius I realize that the corporate computer is authenticated in MAB and not in 802.1x The authentication event fail action next-method command does not seem to work.

My question: can anyone help me with this or can I shed some light on the subject? Next step is to open a TAC.

Thank you

Here is the configuration of a Catalyst 9300.

aaa new-model

aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa accounting dot1x default start-stop group radius

aaa session-id common

aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa accounting dot1x default start-stop group radius

radius server NPS SERVER XXXX

address ipv4 172.20.8.36 auth-port 1645 acct-port 1646

key 7 xxxxxxxxxxxxxxxxxxxxxxx

interface GigabitEthernet1/0/21

switchport access vlan 172

switchport mode access

switchport voice vlan 88

switchport port-security

power inline port 2x-mode

authentication event fail action authorize vlan 172

authentication event fail action next-method

authentication host-mode multi-domain

authentication open

authentication order mab dot1x

authentication port-control auto

mab

dot1x pae authenticator

spanning-tree portfast

end

*Mar 27 2021 10:33:26.392 EDT: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/21, putting Gi1/0/21 in err-disable state

*Mar 27 2021 10:33:26.394 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address c85b.766a.02f4 on port GigabitEthernet1/0/21.

*Mar 27 2021 10:33:27.392 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/21, changed state to down

*Mar 27 2021 10:33:28.393 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/21, changed state to down

Log on radius :

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:

Security ID: NULL SID

Account Name: c85b766a02f4

Account Domain: jimboom

Fully Qualified Account Name: jimboom\c85b766a02f4

Re: 802.1x - Computer in phone port not working.

Rob Ingram — Sat, 27 Mar 2021 15:12:26 GMT

Hi @Jimboom

Port security and 802.1x configured on an interface at the sametime is not supported. Remove port security from all interfaces configured with 802.1x.

interface GigabitEthernet1/0/21
 no switchport port-security

HTH

Re: 802.1x - Computer in phone port not working.

Jimboom — Sat, 27 Mar 2021 16:00:34 GMT

Thanks @Rob Ingram.

It's a step in the right direction. I removed that on the port .

 no switchport port-security

Now, when i connect à corporate computer, it's fail on MAB and successuly authenticate on 802.1x. But the port is deactivated anyway.

*Mar 27 2021 11:51:51.364 EDT: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/21, putting Gi1/0/21 in err-disable state
*Mar 27 2021 11:51:51.365 EDT: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet1/0/21, new MAC address (c85b.766a.02f4) is seen.AuditSessionID

Here is the port configuration

interface GigabitEthernet1/0/21
 switchport access vlan 172
 switchport mode access
 switchport voice vlan 88
 power inline port 2x-mode
 authentication event fail retry 3 action next-method
 authentication host-mode multi-domain
 authentication open
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
end

Radius log:

First try dinied with MAB

Second try granted in 802.1x

Re: 802.1x - Computer in phone port not working.

thomas — Sat, 27 Mar 2021 16:55:59 GMT

port-security is incompatible with 802.1X so good that you removed that.

Change the host-mode to multi-auth and see if that works.

authentication host-mode multi-auth

Most likely the switch is error-disabling the port because it thinks there are 2 MACs in the data VLAN.

You can check the ISE LiveLogs to see if there is any error but it's switch issue.

Re: 802.1x - Computer in phone port not working.

Jimboom — Sat, 27 Mar 2021 21:15:56 GMT

It's working! Thanks for your help.

Regards,

Re: 802.1x - Computer in phone port not working.

Jimboom — Sat, 27 Mar 2021 21:16:45 GMT

Thanks for your help.

Regards,

Re: 802.1x - Computer in phone port not working.

Luke A — Thu, 30 Mar 2023 20:01:22 GMT

Good afternoon,

I am having virtually the same issue, however I have tried multi-domain, multi-auth, and multi-host respectively.
In each scenario, the phone will authenticate if it is the only device connected to the port. Once a pc is connected, the pc will authenticate, but the phone will not. Have you seen this issue before? Thank you for your time.

Re: 802.1x - Computer in phone port not working.

ahollifield — Thu, 30 Mar 2023 20:08:56 GMT

What is your EAP type? Is EAP pass through enabled on the phone? What is the phone? Some phones have issues passing the larger EAP-TLS or TEAP packets through them and require firmware updates.