topic Re: Multiple Session-IDs with Cisco Phone in Network Access Control

Multiple Session-IDs with Cisco Phone

jcisne001 — Thu, 26 Sep 2024 19:55:10 GMT

I have a 9300 switch running Version 17.09.03, I have a Cisco IP Phone 7821 connected to a switch and a computer connected to the phone. I'm running IBNS 2.0 with dot1x and mab running at the same time.

I'm encountering a weird issue because when I perform a shut/no shut on the port which connects the phone I'll see the following.

Sep 26 19:44:16.106: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/13, changed state to down
Sep 26 19:44:16.394: %ILPOWER-5-DETECT: Interface Gi3/0/13: Power Device detected: IEEE PD
Sep 26 19:44:17.416: %ILPOWER-5-POWER_GRANTED: Interface Gi3/0/13: Power granted
Sep 26 19:44:23.810: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/13, changed state to up
Sep 26 19:44:24.810: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/13, changed state to up
Sep 26 19:44:26.202: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/13, changed state to down
Sep 26 19:44:27.204: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/13, changed state to down
Sep 26 19:44:41.726: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/13, changed state to up
Sep 26 19:44:42.727: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/13, changed state to up
Sep 26 19:44:51.078: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/13, changed state to down
Sep 26 19:44:52.079: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/13, changed state to down
Sep 26 19:44:54.607: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/13, changed state to up
Sep 26 19:44:55.606: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/13, changed state to up

and each time the LINEPROTO-5-UPDOWN comes up it creates a new session id for the computer causing multiple radius request sent to my RADIUS server, is there a command to add a delay to wait until the ports comes fully up and stable or a way to prevent multiple session ID's?

Re: Multiple Session-IDs with Cisco Phone

ahollifield — Thu, 26 Sep 2024 20:28:29 GMT

Whenever the interface goes down this should end the session on the RADIUS server. Do you have RADIUS Accounting enabled and configured? What is the RADIUS server?

I would also try upgrading to 17.9.5 or 17.12.4.

Re: Multiple Session-IDs with Cisco Phone

Arne Bier — Thu, 26 Sep 2024 20:31:55 GMT

I can't say I have seen that behaviour before. Does this happen on more than one connected phone? I'd look into why the phone is dropping the link again after the initial PoE and LinkUp event. It seems like the phone is not happy with something and then re-initialises its networking stack again.

There is no switch interface de-bounce mechanism that I am aware of - the switch dutifully sends a RADIUS Access-Request with every new session creation. You can also try to debug the IOS-XE SMD (Session Manager Daemon) perhaps. But I suspect the phones are the culprit here.

I know there has been a lot of debate of doing concurrent MAB and 802.1X with IBNS 2.0 - at first, Cisco said it was the best thing since sliced bread ... and then changed their mind and said it was bad news. It is bad news for the RADIUS server, because 50% of the auths will work (e.g. if the device has a supplicant) and then the MAB will either fail or not be interesting, or vice-versa. The gold standard is to rather do it sequentially - 802.1X first, with some delay and then default to MAB. That's in the ideal world where all end devices (that don't speak 802.1X) can hold off with their DHCP requests until MAB has had a chance.

I'd say you might have better luck reducing your auths to the RADIUS server by making your IBNS 2.0 sequential, instead of concurrent.

Re: Multiple Session-IDs with Cisco Phone

jcisne001 — Thu, 26 Sep 2024 20:34:26 GMT

Yes RADIUS accounting is enabled and configured, RADIUS server is a ClearPass, I have tried it with an updated switch but the interaction its still the same, I also noticed with a normal access switchport with no dot1x or mab configured the port flaps until the phone is fully turned on

Re: Multiple Session-IDs with Cisco Phone

MHM Cisco World — Thu, 26 Sep 2024 20:36:41 GMT

In IBNS 2.0 Make dot1x first then mab

It seem to me when link is up the SW learn mac and send it to ISE

Where in dot1x the SW need to know identity before send access request to ISE

MHM

Re: Multiple Session-IDs with Cisco Phone

jcisne001 — Thu, 26 Sep 2024 20:37:51 GMT

Hey Arne, I also attempted sequential, the problem is whenever the switchport line goes down and up it creates a new session id for the workstation causing 4 dot1x authentications, all with success.

Re: Multiple Session-IDs with Cisco Phone

jcisne001 — Thu, 26 Sep 2024 20:38:44 GMT

I did make dot1x first, but the switch keeps creating new session ID's when the link flaps between off and on while the phone boots.

Re: Multiple Session-IDs with Cisco Phone

MHM Cisco World — Thu, 26 Sep 2024 20:51:04 GMT

Try use

Common session id

MHM

Re: Multiple Session-IDs with Cisco Phone

jcisne001 — Thu, 26 Sep 2024 20:56:22 GMT

I attempted this and no change.

Re: Multiple Session-IDs with Cisco Phone

MHM Cisco World — Thu, 26 Sep 2024 21:29:04 GMT

Show dot1x all <<- share this

MHM

Re: Multiple Session-IDs with Cisco Phone

jcisne001 — Thu, 26 Sep 2024 21:31:37 GMT

Dot1x Info for GigabitEthernet1/0/1

PAE = Authenticator

QuitePeriod = 60

Server Timeout = 0

SuppTimeout = 30

ReAuthMax = 2

MaxReq = 2

TxPeriod = 30

Re: Multiple Session-IDs with Cisco Phone

Arne Bier — Thu, 26 Sep 2024 21:31:38 GMT

You can't change the behaviour of a (what I would call) a malfunctioning device. I would raise a TAC case with the Cisco Telephony Team to ask why the phone is behaving this way - it's not normal, and it's far from optimal. I have seen too many weird things with phones (not only Cisco). I also assume that CDP (or LLDP) is enabled on the switch interface AND the phone?

Re: Multiple Session-IDs with Cisco Phone

MHM Cisco World — Fri, 27 Sep 2024 07:37:32 GMT

Timer is defualt no problem

So I retrun to first point'

Dot1x need multi packet exchange between SW abd endpoint' if the link is flapping then this process not complete

So I think the SW use mab not dot1x that make SW fast send access request to radius.

Can you check debug radius

Check method is it mab or dot1x

MHM

Re: Multiple Session-IDs with Cisco Phone

Aref Alsouqi — Fri, 27 Sep 2024 10:00:54 GMT

I don't believe this is a normal behaviour and I don't remember ever seeing it in any deployment I'd done and moving from MAB do dot1x or vice versa shouldn't trigger the device to reload.

Where do you see these four authentication sessions? on the switch "show authentication" command output? did you try to check if there is any firmware update for the phones?

Re: Multiple Session-IDs with Cisco Phone

andrewswanson — Fri, 27 Sep 2024 13:38:56 GMT

I've got a 3k environment running 16.12.11 - there a few old cisco phones still connected even though we have migrated to Teams.

Done a few tests with a couple of them and found that the 7821 does indeed "flap" when booting up compared to a 7911

Andy

mab only ibns 2 interface for Cisco IP Phone 7821

Sep 27 14:21:42.613: %ILPOWER-5-DETECT: Interface Gi5/0/21: Power Device detected: IEEE PD
Sep 27 14:21:43.630: %ILPOWER-5-POWER_GRANTED: Interface Gi5/0/21: Power granted
Sep 27 14:21:43.751: %LINK-3-UPDOWN: Interface GigabitEthernet5/0/21, changed state to down
Sep 27 14:21:48.531: %LINK-3-UPDOWN: Interface GigabitEthernet5/0/21, changed state to up
Sep 27 14:21:49.531: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet5/0/21, changed state to up
Sep 27 14:21:52.411: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet5/0/21, changed state to down
Sep 27 14:21:53.416: %LINK-3-UPDOWN: Interface GigabitEthernet5/0/21, changed state to down
Sep 27 14:22:05.907: %LINK-3-UPDOWN: Interface GigabitEthernet5/0/21, changed state to up
Sep 27 14:22:06.907: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet5/0/21, changed state to up

mab only ibns 2 interface for Cisco IP Phone 7911

Sep 27 14:10:28.434: %ILPOWER-5-DETECT: Interface Gi1/0/28: Power Device detected: IEEE PD
Sep 27 14:10:29.538: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/28, changed state to down
Sep 27 14:10:30.094: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/28: Power granted
Sep 27 14:10:32.587: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/28, changed state to up
Sep 27 14:10:33.588: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/28, changed state to up

Re: Multiple Session-IDs with Cisco Phone

MHM Cisco World — Fri, 27 Sep 2024 14:06:08 GMT

Friend any device connect especially with PoE will have same link up/down until be stable.

Can you check debug radius

Let us see what happened when link first be up and later when it down and up again

MHM

Re: Multiple Session-IDs with Cisco Phone

andrewswanson — Fri, 27 Sep 2024 14:54:30 GMT

Can't do a radius debug on switch as its a 9 stack switch and is in production. RADIUS server used on my deployment is ISE 3.1. When I check the ISE reports for the 7821 authentication I just see one entry and for accounting I see one "start" followed by an "interim" ( despite the fact that the interface flaps a few times when the phone boots)

I beleive that the original poster is using Clearpass rather than ISE

Andy

Re: Multiple Session-IDs with Cisco Phone

jcisne001 — Fri, 27 Sep 2024 16:08:37 GMT

That flapping causes multiple Session IDs on my dot1x deployment, every time the phone flaps a mab and dot1x session is created, the MAB fails as designed but dot1x does get accepted, the issue is I get 3 - 4 requests for dot1x and mab due to the flapping

Sep 27 11:56:31.719 EDT: %ILPOWER-5-PD_ENTRY_REMOVAL: Interface GigabitEthernet1/0/1: power device entry removed, admin_state=AUTO oper_state=OFF Sep 27 11:56:32.716 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Sep 27 11:56:33.405 EDT: %ILPOWER-5-DETECT: Interface Gil/0/13: Power Device detected: IEEE PD
Sep 27 11:56:33.717 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
Sep 27 11:56:34.402 EDT: %ILPOWER-5-POWER_GRANTED: Interface Gil/0/13: Power granted
Sep 27 11:56:39.293 EDT: %MAB-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (a029.193e.61ea) with reason (Cred Fail) on Interface Gil/0/1 3 AuditSessionID OAF53F0A000003293432D371
Sep 27 11:56:40.974 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
Sep 27 11:56:41.974 EDT: LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
Sep 27 11:56:43.710 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Sep 27 11:56:44.710 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
Sep 27 11:56:46.058 EDT: %MAB-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (a029.193e.61ea) with reason (Cred Fail) on Interface Gil/0/1 3 AuditSessionID OAF53F0A0000032A3432EE59
Sep 27 11:56:59.054 EDT: %MAB-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (a029.193e.61ea) with reason (Cred Fail) on Interface Gil/0/1 3 AuditSessionID 0AF53F0A0000032B34332119
Sep 27 11:57:00.871 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
Sep 27 11:57:01.871 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up

Re: Multiple Session-IDs with Cisco Phone

MHM Cisco World — Fri, 27 Sep 2024 16:14:26 GMT

As I and Mr @Arne Bier mentioned before seq is matter' MAB is check first then dot1x.

Since mac of endpoint unknown the server failed authc.

So issue with IBN2.0 not for SW nor ip phone

Share IBN2.0 config here let make check

MHM

Re: Multiple Session-IDs with Cisco Phone

jcisne001 — Fri, 27 Sep 2024 16:21:27 GMT

This is the current

event session-started match-all
10 class always do-until-failure
10 authenticate using mab priority 20
20 authenticate using dotlx priority 10
event authentication-failure match-first
5 class DOT1X_FAIL do-until-failure
10 terminate dotlx
20 authenticate using mab priority 20
10 class DOT1X_NO_RESP do-until-failure 10 terminate dotlx
20 authenticate using mab priority 20
20 class DOT1X_TIMEOUT do-until-failure 10 terminate dotlx
20 authenticate using mab priority 20
event authentication-success match-first 10
class MAB SUCCESS do-until-failure
10 terminate dotlx both

I've also tried with only doing dot1x on event session started and the 3 - 4 sessions keep happening with dot1x with the only difference being the mab does not occur.