
802.1x assignment issue and domain issue

vanness629 (Level 1)

Dear Expert

 

I'm using Windows Server NPS and a C2960 in a lab.

I have a laptop connected to the port and authentication succeeds.

But the port keeps jumping to the voice domain, and even though I use 802.1x to assign the VLAN for the port, it still remains on the default VLAN, i.e. VLAN 1.

I'm stuck and have no idea what the reason is or what the mistake is.

Kindly help me review the config and the information below.

 

Interface: GigabitEthernet1/0/43
MAC Address: 00e0.4d68.111b
IPv6 Address: Unknown
IPv4 Address: 192.168.111.202
User-Name: ownlab\cheong
Status: Authorized
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: N/A
Session Uptime: 1850s
Common Session ID: C0A8850B000000340FC0E5E8
Acct Session ID: 0x00000026
Handle: 0xD900000E
Current Policy: POLICY_Gi1/0/43

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
Vlan Group: Vlan: 310

Method status list:
Method State

dot1x Authc Success

B11_1960_Working_Table#sh mac add int gig 1/0/43
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
1 00e0.4d68.111B STATIC Gi1/0/43
310 00e0.4d68.111B STATIC Gi1/0/43
Total Mac Addresses for this criterion: 2
B11_1960_Working_Table#sh vlan

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/5, Gi1/0/6, Gi1/0/7, Gi1/0/8, Gi1/0/9, Gi1/0/10, Gi1/0/11, Gi1/0/12, Gi1/0/13, Gi1/0/14, Gi1/0/15, Gi1/0/16, Gi1/0/17, Gi1/0/18, Gi1/0/19
Gi1/0/20, Gi1/0/21, Gi1/0/22, Gi1/0/23, Gi1/0/24, Gi1/0/25, Gi1/0/26, Gi1/0/27, Gi1/0/28, Gi1/0/29, Gi1/0/30, Gi1/0/31, Gi1/0/32, Gi1/0/33, Gi1/0/34
Gi1/0/35, Gi1/0/36, Gi1/0/37, Gi1/0/38, Gi1/0/39, Gi1/0/40, Gi1/0/41, Gi1/0/42, Gi1/0/43, Gi1/0/44, Gi1/0/45, Gi1/0/46, Gi1/0/47, Gi1/0/49, Gi1/0/50
Gi1/0/51, Gi1/0/52
61 CCCCC active
67 Wwwww active Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4
100 voice active Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4, Gi1/0/5, Gi1/0/6, Gi1/0/7, Gi1/0/8, Gi1/0/9, Gi1/0/10, Gi1/0/11, Gi1/0/12, Gi1/0/13, Gi1/0/14, Gi1/0/15, Gi1/0/16
Gi1/0/17, Gi1/0/18, Gi1/0/19, Gi1/0/20, Gi1/0/21, Gi1/0/22, Gi1/0/23, Gi1/0/24, Gi1/0/25, Gi1/0/26, Gi1/0/27, Gi1/0/28, Gi1/0/29, Gi1/0/30, Gi1/0/31
Gi1/0/32, Gi1/0/33, Gi1/0/34, Gi1/0/35, Gi1/0/36, Gi1/0/37, Gi1/0/38, Gi1/0/39, Gi1/0/40, Gi1/0/41, Gi1/0/42, Gi1/0/44, Gi1/0/46, Gi1/0/47, Gi1/0/49
Gi1/0/50, Gi1/0/51, Gi1/0/52
310 Workstations-ETH active Gi1/0/43
320 Workstations-WIFI active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
61 enet 100061 1500 - - - - - 0 0
67 enet 100067 1500 - - - - - 0 0
100 enet 100100 1500 - - - - - 0 0
310 enet 100310 1500 - - - - - 0 0
320 enet 100320 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------

 

Accepted Solutions (2)

vanness629 (Level 1)

Dear All,

I have resolved the issue.

About the domain (Voice/Data): I adjusted the vendor-specific attribute on the Windows NPS server, and it now sends the correct domain to the switch after authentication.

After upgrading the firmware, I was successful with the below settings on the port. In the end, I gave up assigning the VLAN to the phone by RADIUS, since I can put the VLAN tag on the phone, but assigning the VLAN profile to the endpoint (Windows PC) by 802.1x works perfectly (even with the PC connected to the phone).

switchport mode access
switchport voice vlan 100
authentication event no-response action authorize vlan 99
authentication host-mode multi-auth
authentication order mab dot1x
authentication port-control auto
mab
mls qos trust dscp
dot1x pae authenticator
spanning-tree portfast edge

Just one other topic: although I have finished this testing, I'm wondering about putting this into production. Is there any potential risk?

I'm the only one managing the network, infrastructure and helpdesk, supporting around 200 users and almost 400 PCs for the company.

It would help me a lot if this is a good design.


Yes, both of them are solved.

The other change on my side: the voice VLAN remains hard-coded on the phone (I don't want to rely on LLDP/CDP between the phone and the switch at this moment), and all the other device VLANs will be handled by the Windows server. For now, it is working fine: all the devices connected to the phone obtain the correct VLAN.

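As an added example (not from this thread, and not Cisco's or NPS's code), a small Python audit that parses the `show authentication sessions ... detail` and `show mac address-table interface` output formats posted in the question and flags the symptoms discussed in the thread: a user session landing in the VOICE domain, the MAC also learned in VLAN 1 beside the RADIUS-assigned VLAN, and multi-host host mode (discussed later in the thread). The sample outputs are constructed after the thread's posts; the attribute name `device-traffic-class` is the standard Cisco AV-pair, which the thread only calls the NPS vendor-specific attribute.

```python
import re
# Constructed samples modelled on the outputs posted in this thread (not verbatim).
SESSION_DETAIL = """\
Interface: GigabitEthernet1/0/43
MAC Address: 00e0.4d68.111b
User-Name: ownlab\\cheong
Domain: VOICE
Oper host mode: multi-domain
Vlan Group: Vlan: 310
dot1x Authc Success
"""
MAC_TABLE = """\
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 00e0.4d68.111B STATIC Gi1/0/43
310 00e0.4d68.111B STATIC Gi1/0/43
"""
def parse_session(text):
    """Key/value lines of 'show authentication sessions interface X detail'."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][A-Za-z -]*?):\s*(.*)$", line.strip())
        if m:
            fields[m.group(1)] = m.group(2)
    # "Vlan Group: Vlan: 310" carries the RADIUS-assigned VLAN
    m = re.search(r"Vlan:\s*(\d+)", fields.get("Vlan Group", ""))
    fields["AssignedVlan"] = int(m.group(1)) if m else None
    return fields
def parse_mac_table(text):
    """{mac: set(vlans)} from 'show mac address-table interface X'."""
    seen = {}
    for line in text.splitlines():
        m = re.match(r"^(\d+)\s+([0-9a-f.]+)\s+\S+\s+\S+", line.strip(), re.I)
        if m:
            seen.setdefault(m.group(2).lower(), set()).add(int(m.group(1)))
    return seen
def audit(session, macs):
    """Flag the symptoms discussed in the thread; returns a list of findings."""
    findings = []
    user_auth = "\\" in session.get("User-Name", "")  # domain\user, not a MAC
    if session.get("Domain") == "VOICE" and user_auth:
        findings.append("user session in VOICE domain: check the vendor-specific attribute (Cisco AV-pair device-traffic-class) NPS returns")
    assigned = session.get("AssignedVlan")
    extra = macs.get(session.get("MAC Address", "").lower(), set()) - {assigned}
    if assigned and extra:
        findings.append(f"MAC also learned in VLAN(s) {sorted(extra)}: assigned VLAN {assigned} not applied to all traffic")
    if session.get("Oper host mode") == "multi-host":
        findings.append("multi-host: only the first device authenticates; prefer multi-auth")
    return findings
```

Feed it the two outputs from a port under test; an empty list means none of the three symptoms is present.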

26 Replies

Hi @vanness629,

Can you share the output of "show run int GigabitEthernet1/0/43"?

Hello Flavio.

 


!
interface GigabitEthernet1/0/43
switchport mode access
switchport voice vlan 100
authentication event no-response action authorize vlan 99
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
mls qos trust dscp
dot1x pae authenticator
spanning-tree portfast edge
end

Here is the configuration of the port.

Many thanks

What phone this PC is connected to?

I'm just using a normal laptop with Windows 10.

 

THANK YOU

If you don't have any phone connected to that port, could you please change the host mode on the switch port from multi-domain to multi-auth for testing and let us know if that works.

Hi Aref,

Sorry, I misunderstood. I will use an Avaya phone and connect the PC to the phone in most cases.

I am still in my own lab trying the VLAN assignment by 802.1x currently, and the phone connectivity has not been tried yet.

 

thank you 

No worries. Does that phone support CDP? If not, and if it supports LLDP instead, then I think you would need to enable LLDP on that switch port, as I think in this case the phone would need to rely on one of those protocols to know which is the voice VLAN ID and put only that in the voice domain.

As I checked, our phone supports CDP, and the phone is working fine with voice VLAN auto-detect. I created the user based on the phone's MAC address in order to authenticate with the RADIUS server, and it works fine.

Just wondering, maybe the NPS policy is returning a wrong attribute for the traffic matching the user session. What does your NPS policy look like?

To everyone,

I just made a trial.

I changed authentication host-mode multi-domain -> authentication host-mode multi-host.

It works perfectly.

The workstation VLAN can be assigned based on my RADIUS attributes.

The phone can be assigned the correct VLAN based on RADIUS.

The domain is assigned correctly to "Data".

But I still had some strange information:

 

Interface Identifier Method Domain Status Fg Session ID
-----------------------------------------------------------------------------
Gi1/0/43 00e0.4d68.000c dot1x DATA Auth C0A8850B0000006723D6A962


Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
N - Waiting for AAA to come up
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker

Runnable methods list:
Handle Priority Name
8 0 dot1xSupp
7 5 dot1x
19 10 mab
17 15 webauth

B11_1960_Working_Tab(config-if)#do sh mac add int
% Ambiguous command: "do sh mac add int"
B11_1960_Working_Tab(config-if)#do sh mac add int gig 1/0/43
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
310 00e0.4d68.000c STATIC Gi1/0/43
Total Mac Addresses for this criterion: 1
B11_1960_Working_Tab(config-if)#

The phone MAC address didn't show up in the MAC address table.

 

You shouldn't use multi-host if you want both the phone and the PC to be authenticated, because in multi-host only the first connected device needs to authenticate; all subsequent devices are granted access to the network without any authentication. Not sure why the phone MAC doesn't show up on the switch port, but I would recommend trying to change the mode from multi-host to multi-auth and see if that works.

I just figured out the issue: if I connect the phone only, there is no authentication process at all, but the port still shows something connected already (even in the MAC address table).

I also tried enabling LLDP globally to see if the phone would respond.

 

Do you use a VLAN group in 802.1x?
show auth session interface x/x <<- share this

Hello,

Here is the result of "sh auth sessions int gig 1/0/43 detail":

Interface: GigabitEthernet1/0/43
MAC Address: 00e0.4d68.111b
IPv6 Address: Unknown
IPv4 Address: 192.168.111.202
User-Name: ownlab\cheong
Status: Authorized
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: N/A
Session Uptime: 1850s
Common Session ID: C0A8850B000000340FC0E5E8
Acct Session ID: 0x00000026
Handle: 0xD900000E
Current Policy: POLICY_Gi1/0/43

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
Vlan Group: Vlan: 310

Method status list:
Method State

dot1x Authc Success