topic Cisco Secure ACS authentication problems after 3750 switch stack reboot. in Network Access Control

Cisco Secure ACS authentication problems after 3750 switch stack reboot.

billy_vaughn — Tue, 26 Mar 2019 00:32:26 GMT

We are running version 5.2.0.26.4 of Cisco Secure ACS. We are using it to control access to our wired network and only allow our Cisco phones and our domain computers on the network. We use MAB for the phones and dot1x for the PC's. The system works pretty well except whenever we reboot our closet switches quite a few of our phones will not come up and work. They just say configuring and registering. You have to unplug the network cable and reboot the phone then it will authenticate just fine. We are using Cisco 3750 switches that are stacked. We only have around 100 employees so it's not 1000's of devices trying to auth. I'm thinking we are having issues due to all the devices coming online and trying to authenticate at once. Looking for some help in figuring out if this is something we can fix. Thanks in advance.

Billy Vaughn

Can you share your radius

nspasov — Fri, 09 Jan 2015 15:53:34 GMT

Can you share your radius switch configs and port configs?

Also, can you post the output of the following commands while the phones are stuck in "registering state"

show authentication session interface interface_name_number

show aaa servers

Thank you for rating helpful posts!

Unfortunatley I don't have a

billy_vaughn — Fri, 09 Jan 2015 20:45:47 GMT

Unfortunatley I don't have a phone stuck in the registering/configuration state anymore. I can only re-produce the issue by rebooting a switch stack. I'll have to capture those ouputs once I can get some downtime to re-create the issue.

Switch Commands

aaa authentication login default group tacacs+ local
aaa authentication dot1x default group radius
aaa authorization network default group radius

dot1x system-auth-control

tacacs-server host 10.1.254.50 key **********
tacacs-server host 10.1.254.51 key **********
tacacs-server directed-request

radius-server host 10.1.254.50 auth-port 1645 acct-port 1646 key ***********
radius-server host 10.1.254.51 auth-port 1645 acct-port 1646 key ***********

Interface Commands

switchport access vlan XX
switchport mode access
switchport nonegotiate
switchport voice vlan XX
authentication event server dead action authorize
authentication host-mode multi-domain
authentication order mab dot1x webauth
authentication port-control auto
mab
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
spanning-tree portfast
spanning-tree bpduguard enable

Billy

Hi Billy-

nspasov — Sun, 11 Jan 2015 08:39:22 GMT

Hi Billy-

It would be hard to troubleshoot this since you are unable to replicate the issue...perhaps you can get a test switch and a test phone and try it again 🙂

In the meantime, I would suggest that you add/remove the following commands to your switchports:

no authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server dead action authorize vlan your_data_vlan
authentication event server alive action reinitialize

The first command would authorize phones to the voice VLAN if/when the Radius server is unavailable. The second command will do the same as first one but for your computers/laptops, etc. The last command would force all of the sessions that were authorized during a Radius server outage to be re-authorized.

I have the feeling that the phones boot up before the Radius server is reachable and marked as "alive." Thus, the phones are authorized but not on the voice VLAN.

Outside the issue that you have, I would recommend that you also add the following commands:

authentication priority dot1x mab
dot1x timeout tx-period 10

The first command will allow hosts that are dot1x capable to perform dot1x before mab (even though mab is set to take priority over dot1x). The second command just trims down the timeout timer which can help prevent hosts from giving up on acquiring DHCP address and assigning themselves a 169.x.x.x address.

Well I hope all of this helps!

Thank you for rating helpful posts!

Sorry for the late reply.

billy_vaughn — Tue, 13 Jan 2015 13:50:04 GMT

Sorry for the late reply. Thanks for the information. I had my peer setup a switch and we are going to do some testing to see if we can re-create the phone state. If we can I'll capture some output from the show commands. I'll reveiw your reccomended changes.

Thanks

Billy

No worries. Please let us

nspasov — Tue, 13 Jan 2015 18:30:27 GMT

No worries. Please let us know of the outcome!

Thank you for rating helpful posts!