802.1x issue

lamarnale — Mon, 11 Mar 2019 05:19:25 GMT

Currently I'm implementing 802.1x on a Catalyst 4500 L3 Switch and using ACS Version 5.5.0.46.5

I'm having random problems with using MAB. I say random because when ever I do a show authentication sessions maybe 6 will fail out of 214. The phones that I'm using are Cisco 7965 IP Phones. I've read that those phones are capable of using certificates for 802.1x but it was decided to use MAB on all the phones including VIPR phones. The problem that I'm having is that after an hour some phones become un authorized which bring down that port. I've noticed that some of these phones are stand alone phones with out a computer wired to them. The computers are successfully using 802.1x and the phones that are connected to them are working with MAB.

Here are my commands for an interface that's failing after an hour

switchport access vlan 100
switchport mode access
switchport voice vlan 101
no logging event link-status
authentication control-direction in
authentication event fail action next-method
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto

authentication periodic
mab
no snmp trap link-status
dot1x pae authenticator
spanning-tree portfast
spanning-tree bpduguard enable
end

When ever I do show authentication sessions this is the out put.

Interface MAC Address Method Domain Status Fg Session ID
----------------------------------------------------------------------
Gi1/1 1111.1111.1111 mab VOICE Auth 0A11111111111111111111

Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker

Runnable methods list:
Handle Priority Name
    17       5      dot1x
    18       10     mab
    21       15     webauth

But after an hour or so it becomes unauthorized. Also should I have "authentication periodic , or authentication timer reauthenticate 3600"

if those particular ports just have a phone that's using mab?

Thank You in advance

I have had this issue happen

nspasov — Wed, 07 Jan 2015 03:11:27 GMT

I have had this issue happen to me before but it was with deploying ISE and not ACS. To fix the issue, I had to return the following Radius attribute in my "Authorization Profile"

AVPair attribute termination-action-modifier=1

This attribute basically instructs the NAD to re-retry only the last authentication method which in your case is MAB. Otherwise, based on your config, the switch would first try dot1x and then mab.

Again, I have not done this in ACS but ISE instead, however, they are both Radius servers and both Cisco products so my feeling is that this would fix your problem.

For more info check out this doc:

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html#wp9000052

Thank you for rating helpful posts!

Thank you for the advice. I

lamarnale — Wed, 07 Jan 2015 12:46:18 GMT

Thank you for the advice. I will look into this.

Sounds good. Let me know what

nspasov — Wed, 07 Jan 2015 17:54:06 GMT

Sounds good. Let me know what the results are!

topic 802.1x issue in Network Access Control

802.1x issue

I have had this issue happen

Thank you for the advice. I

Sounds good. Let me know what