802.1x assignment issue and domain issue

vanness629
Level 1

Dear Expert,

I'm using Windows Server NPS and a C2960 in a lab.

I have a laptop connected to the port and authentication succeeds,

but the port keeps jumping to the voice domain. Even though I use 802.1x to assign the VLAN for the port, it still remains on the default VLAN, meaning VLAN 1.

I am stuck and have no idea what the reason or the mistake is.

Kindly help me review the config and the information.

Interface: GigabitEthernet1/0/43
MAC Address: 00e0.4d68.111b
IPv6 Address: Unknown
IPv4 Address: 192.168.111.202
User-Name: ownlab\cheong
Status: Authorized
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: N/A
Session Uptime: 1850s
Common Session ID: C0A8850B000000340FC0E5E8
Acct Session ID: 0x00000026
Handle: 0xD900000E
Current Policy: POLICY_Gi1/0/43

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
Vlan Group: Vlan: 310

Method status list:
Method State

dot1x Authc Success

B11_1960_Working_Table#sh mac add int gig 1/0/43
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
1 00e0.4d68.111B STATIC Gi1/0/43
310 00e0.4d68.111B STATIC Gi1/0/43
Total Mac Addresses for this criterion: 2
B11_1960_Working_Table#sh vlan

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/5, Gi1/0/6, Gi1/0/7, Gi1/0/8, Gi1/0/9, Gi1/0/10, Gi1/0/11, Gi1/0/12, Gi1/0/13, Gi1/0/14, Gi1/0/15, Gi1/0/16, Gi1/0/17, Gi1/0/18, Gi1/0/19
Gi1/0/20, Gi1/0/21, Gi1/0/22, Gi1/0/23, Gi1/0/24, Gi1/0/25, Gi1/0/26, Gi1/0/27, Gi1/0/28, Gi1/0/29, Gi1/0/30, Gi1/0/31, Gi1/0/32, Gi1/0/33, Gi1/0/34
Gi1/0/35, Gi1/0/36, Gi1/0/37, Gi1/0/38, Gi1/0/39, Gi1/0/40, Gi1/0/41, Gi1/0/42, Gi1/0/43, Gi1/0/44, Gi1/0/45, Gi1/0/46, Gi1/0/47, Gi1/0/49, Gi1/0/50
Gi1/0/51, Gi1/0/52
61 CCCCC active
67 Wwwww active Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4
100 voice active Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4, Gi1/0/5, Gi1/0/6, Gi1/0/7, Gi1/0/8, Gi1/0/9, Gi1/0/10, Gi1/0/11, Gi1/0/12, Gi1/0/13, Gi1/0/14, Gi1/0/15, Gi1/0/16
Gi1/0/17, Gi1/0/18, Gi1/0/19, Gi1/0/20, Gi1/0/21, Gi1/0/22, Gi1/0/23, Gi1/0/24, Gi1/0/25, Gi1/0/26, Gi1/0/27, Gi1/0/28, Gi1/0/29, Gi1/0/30, Gi1/0/31
Gi1/0/32, Gi1/0/33, Gi1/0/34, Gi1/0/35, Gi1/0/36, Gi1/0/37, Gi1/0/38, Gi1/0/39, Gi1/0/40, Gi1/0/41, Gi1/0/42, Gi1/0/44, Gi1/0/46, Gi1/0/47, Gi1/0/49
Gi1/0/50, Gi1/0/51, Gi1/0/52
310 Workstations-ETH active Gi1/0/43
320 Workstations-WIFI active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
61 enet 100061 1500 - - - - - 0 0
67 enet 100067 1500 - - - - - 0 0
100 enet 100100 1500 - - - - - 0 0
310 enet 100310 1500 - - - - - 0 0
320 enet 100320 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------

 

26 Replies 26

Summary: there are two issues.
Port assigned to two VLANs (check show mac address-table).
This can be solved as a WORKAROUND by assigning VLAN 310 to the port:
switchport access vlan 310

For the domain, I think the issue is not the config in the SW; it is an issue in AAA: you push the voice VLAN attribute from the server to the SW for the DATA domain dynamic VLAN assignment.

Hi MHM,

I want to manage the VLAN by the RADIUS server instead of configuring the ports one by one; this is the reason why I am trying this configuration.

About the domain issue, I will do some testing.

I want to manage the VLAN by the RADIUS server instead of configuring the ports one by one; this is the reason why I am trying this configuration.

That's why I mentioned it is a workaround, not a solution.
NOW

authc is success and authz is success,

B11_1960_Working_Table#sh mac add int gig 1/0/43
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
1 00e0.4d68.111B STATIC Gi1/0/43
310 00e0.4d68.111B STATIC Gi1/0/43

Clear the MAC table for the interface and see if VLAN 1 (default) will be added or not after authz success.
NOTE: share the show mac add int gig 1/0/43 output after clearing the MAC table.


B11_1960_Working_Table#clear mac address-table dy
B11_1960_Working_Table#clear mac address-table dynamic ?
address address keyword
interface interface keyword
vlan vlan keyword
<cr>

B11_1960_Working_Table#clear mac address-table dynamic int gig 1/0/43
B11_1960_Working_Table#clear mac address-table dynamic int gig 1/0/43
B11_1960_Working_Table#sh mac add int gig 1/0/43
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
1 00e0.4d68.000c STATIC Gi1/0/43
310 00e0.4d68.000c STATIC Gi1/0/43
Total Mac Addresses for this criterion: 2
B11_1960_Working_Table#clear mac address-table dynamic int gig 1/0/43
B11_1960_Working_Table#clear mac address-table dynamic int gig 1/0/43
B11_1960_Working_Table#sh mac add int gig 1/0/43
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
1 00e0.4d68.000c STATIC Gi1/0/43
310 00e0.4d68.000c STATIC Gi1/0/43
Total Mac Addresses for this criterion: 2
B11_1960_Working_Table#

I have tried; I bet it was because the MAC address type is static, so I cannot clear the MAC address table.

About the domain value, I have checked my RADIUS that is currently in production and the new RADIUS, and the configuration is the same. That's why I am really confused about which side has the issue (switch or RADIUS), since if this value is not correct, as I understand it, it will affect the VLAN assignment by the RADIUS.

Below is my AAA configuration:

aaa new-model
!
!
aaa group server radius switch-auth
server name switch-auth1
server name switch-auth2
!
aaa authentication login default group switch-auth local
aaa authentication dot1x default group switch-auth
aaa authorization console
aaa authorization exec default group switch-auth local if-authenticated
aaa authorization network default group switch-auth
aaa accounting dot1x default start-stop group switch-auth


radius server switch-auth2
address ipv4 192.168.111.139 auth-port 1812 acct-port 1813
timeout 2
retransmit 1
key 7 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!
radius server switch-auth1
address ipv4 192.168.111.196 auth-port 1812 acct-port 1813
timeout 2
retransmit 1
key 7 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa


debug mab all <<- can you share the output of this?
Thanks,
MHM

vanness629
Level 1

I have changed the authentication host mode to multi-auth.

If running, if I put the PC connected to the phone, the authentication method for the phone will auto-swap from mab to dot1x... and drop the PC... I also removed the authentication order and authentication priority on the port.

#do sh auth sessions int gig 1/0/43

Interface Identifier Method Domain Status Fg Session ID
-----------------------------------------------------------------------------
Gi1/0/43 24d9.2140.1b84 mab VOICE Auth C0A8850B00000076240096B8


Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
N - Waiting for AAA to come up
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker

Runnable methods list:
Handle Priority Name
8 0 dot1xSupp
7 5 dot1x
19 10 mab
17 15 webauth

B11_1960_Working_Tab(config-if)#do sh mac add int gig 1/0/43
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
1 24d9.2140.1b84 STATIC Gi1/0/43
100 24d9.2140.1b84 STATIC Gi1/0/43
Total Mac Addresses for this criterion: 2
B11_1960_Working_Tab(config-if)#do sh mac add int gig 1/0/43
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
1 24d9.2140.1b84 STATIC Gi1/0/43
100 24d9.2140.1b84 STATIC Gi1/0/43
Total Mac Addresses for this criterion: 2
B11_1960_Working_Tab(config-if)#
B11_1960_Working_Tab(config-if)#
B11_1960_Working_Tab(config-if)#do sh mac add int gig 1/0/43
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
1 24d9.2140.1b84 STATIC Gi1/0/43
100 24d9.2140.1b84 STATIC Gi1/0/43
Total Mac Addresses for this criterion: 2
B11_1960_Working_Tab(config-if)#
B11_1960_Working_Tab(config-if)#
B11_1960_Working_Tab(config-if)#do sh mac add int gig 1/0/43
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
1 24d9.2140.1b84 STATIC Gi1/0/43
100 24d9.2140.1b84 STATIC Gi1/0/43
Total Mac Addresses for this criterion: 2
B11_1960_Working_Tab(config-if)#
B11_1960_Working_Tab(config-if)#
B11_1960_Working_Tab(config-if)#do sh mac add int gig 1/0/43
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
100 24d9.2140.1b84 STATIC Gi1/0/43
Total Mac Addresses for this criterion: 1
B11_1960_Working_Tab(config-if)#do sh mac add int gig 1/0/43
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
1 00e0.4d68.000c STATIC Gi1/0/43
310 00e0.4d68.000c STATIC Gi1/0/43
310 24d9.2140.1b84 DYNAMIC Drop
Total Mac Addresses for this criterion: 3
B11_1960_Working_Tab(config-if)#do sh mac add int gig 1/0/43
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
1 00e0.4d68.000c STATIC Gi1/0/43
310 00e0.4d68.000c STATIC Gi1/0/43
310 24d9.2140.1b84 DYNAMIC Drop
Total Mac Addresses for this criterion: 3
B11_1960_Working_Tab(config-if)#
B11_1960_Working_Tab(config-if)#
B11_1960_Working_Tab(config-if)#do sh auth sessions int gig 1/0/43

Interface Identifier Method Domain Status Fg Session ID
-----------------------------------------------------------------------------
Gi1/0/43 00e0.4d68.000c dot1x VOICE Auth C0A8850B000000782403420E
Gi1/0/43 24d9.2140.1b84 N/A UNKNOWN Unauth C0A8850B0000007924037BF8


Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
N - Waiting for AAA to come up
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker

Runnable methods list:
Handle Priority Name
8 0 dot1xSupp
7 5 dot1x
19 10 mab
17 15 webauth

Weird. Please try removing the voice VLAN command from under the switchport config, disconnect the phone and reconnect, and see if that makes any difference. Also, what switch are you using, and which IOS is it running?

The switch that I am using is the C2960 48P, and the firmware version is:

1 54 WS-C2960X-48TS-L 15.2(7)E1 C2960X-UNIVERSALK9-M


Please try what I mentioned in my previous reply, and if that doesn't work I would try to upgrade the switch code to the latest recommended release, which I believe is E7.

vanness629
Level 1

Dear All,

I have resolved the issue.

About the domain (Voice/Data): I adjusted the vendor-specific attribute on the Windows NPS server. It now sends the correct domain to the switch after authentication.

After upgrading the firmware, I was successful with the below settings on the port. In the end, I gave up assigning the VLAN to the phone by RADIUS, since I can put the VLAN tag on the phone, but I am working perfectly with assigning the VLAN profile to the endpoint (Windows PC) by 802.1x (even when the PC is connected through the phone).

switchport mode access
switchport voice vlan 100
authentication event no-response action authorize vlan 99
authentication host-mode multi-auth
authentication order mab dot1x
authentication port-control auto
mab
mls qos trust dscp
dot1x pae authenticator
spanning-tree portfast edge

Just one other topic: although I have finished this testing, I'm wondering, if I put this into production, is there any potential risk?

Since I'm the only one managing the network, infra and helpdesk, supporting around 200 users and almost 400 PCs for the company,

it will help me a lot if this is a good design.

Two issues were there:

'Domain', which as I mentioned is a server issue, not a SW issue, and you checked and solved it.

The other is the MAC added to VLAN 1 and the data VLAN. Is this solved?

Yes, both of them are solved.

The other change from my side: the voice VLAN remains hard-coded on the phone (I don't want to rely on LLDP/CDP between the phone and the switch at this moment), and all the other device VLANs will be handled by the Windows server. For now, it is working fine; all the devices connected to the phone obtain the correct VLAN.
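As an added check (not code from this thread or from Cisco), a small Python script that parses the two switch outputs discussed above and flags both symptoms: a MAC learned on one port in VLAN 1 and a second VLAN, and a dot1x session that landed in the VOICE domain. The sample outputs are constructed after the listings in the thread.

```python
import re

# Constructed sample output, modelled on "show mac address-table interface"
# and "show authentication sessions interface" from the thread.
MAC_TABLE = """\
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 00e0.4d68.000c STATIC Gi1/0/43
310 00e0.4d68.000c STATIC Gi1/0/43
310 24d9.2140.1b84 DYNAMIC Drop
Total Mac Addresses for this criterion: 3
"""

AUTH_SESSIONS = """\
Interface Identifier Method Domain Status Fg Session ID
-----------------------------------------------------------------------------
Gi1/0/43 00e0.4d68.000c dot1x VOICE Auth C0A8850B000000782403420E
Gi1/0/43 24d9.2140.1b84 N/A UNKNOWN Unauth C0A8850B0000007924037BF8
"""

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
MAC_RE = re.compile(r"^\s*(\d+)\s+" + MAC + r"\s+(\S+)\s+(\S+)\s*$", re.I)
SESS_RE = re.compile(r"^\s*(\S+)\s+" + MAC + r"\s+(\S+)\s+(\S+)\s+(\S+)", re.I)


def mac_vlan_conflicts(text, default_vlan=1):
    """Return {"mac@port": [vlans]} for MACs seen on one port in the default
    VLAN and at least one other VLAN (the double-entry symptom in the thread)."""
    seen = {}
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if not m:
            continue  # header, separator and "Total ..." lines
        vlan, mac, _type, port = m.groups()
        seen.setdefault((mac.lower(), port), set()).add(int(vlan))
    return {f"{mac}@{port}": sorted(v) for (mac, port), v in seen.items()
            if default_vlan in v and len(v) > 1}


def domain_mismatches(text):
    """Return (interface, mac) for sessions authenticated by dot1x but placed in
    the VOICE domain: the RADIUS server returned a voice-domain attribute for a
    supplicant (a PC) that should be in the DATA domain."""
    hits = []
    for line in text.splitlines():
        m = SESS_RE.match(line)
        if m and m.group(3).lower() == "dot1x" and m.group(4).upper() == "VOICE":
            hits.append((m.group(1), m.group(2).lower()))
    return hits
```

Feed it the real outputs captured from the switch; an empty result from both functions is what the thread's final working state looks like.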