01-28-2011 12:20 PM - last edited on 02-21-2020 11:38 PM by cc_security_adm
I am trying to lab as many scenarios as I can for 802.1x. I seem to have hit a problem with IP Phones running EAP-MD5 authentication. The phones are always being authenticated in the Data Domain. This is regardless of whether or not the port configuration is in host-mode multi-auth or host-mode multi-domain. After a while of both ports appearing to authenticate in the data VLAN, neither the PC nor the Phone will work.
I have checked that my ACS5.1 server is sending the appropriate AV pair of "device-traffic-class=voice" as I can see it in a wireshark trace.
What other aspects might I need to check to get the phone to authenticate itself properly?
The problem shows itself as:
C3750G#sh authentication sessions int gi 1/0/16
Interface: GigabitEthernet1/0/16
MAC Address: 001d.452d.53e0
IP Address: Unknown
User-Name: CP-7942G-SEP001D452D53E0
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A8FE2500000014000F6B8F
Acct Session ID: 0x00000036
Handle: 0xC8000014
Runnable methods list:
Method State
dot1x Authc Success
----------------------------------------
Interface: GigabitEthernet1/0/16
MAC Address: 0014.c209.896f
IP Address: 192.168.10.2
User-Name: TEST\TestAdmin
Status: Running
Domain: UNKNOWN
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A8FE2500000013000F5A42
Acct Session ID: 0x00000034
Handle: 0x27000013
Runnable methods list:
Method State
dot1x Running
My port config is:
interface GigabitEthernet1/0/16
description * 802.1x Multi Domain (1Phone + 1PC) *
switchport access vlan 10
switchport mode access
switchport voice vlan 11
priority-queue out
authentication host-mode multi-domain
authentication port-control auto
udld port aggressive
mls qos trust dscp
dot1x pae authenticator
spanning-tree portfast
end
01-28-2011 06:58 PM
Well, if you see in the packet captures that the attribute is actually being returned and seen by the switch, then this is what we needed and you're on the right track.
Please verify step 4 in the document listed below and make sure you've defined the voice VLAN under the group attributes.
In case it's already configured, please provide me the following info:
debug radius
debug aaa authentication
debug aaa authorization
and the output of the following command
show run | in aaa
NOTE: All these attributes should be defined on the ACS group set for phone authentication.
cisco-avpair="device-traffic-class=voice"
Tunnel-Type=1:VLAN
Tunnel-Medium-Type=1:802
Tunnel-Private-Group-ID=1:VOICE-LAN
Regards,
Jatin
Do rate helpful posts~
01-29-2011 02:55 AM
Firstly thank you for responding
With regards to your statement about following Step 4 in the hyperlink, assuming it is described as "Define the Internet Engineering Task Force (IETF) attributes 64, 65 and 81 and then click Submit + Restart.", then I have a concern. The very first line above it in the doc says: "Note: For IP Phones group configuration alone, skip the next step, step 4, and go to step 5." Step 5 is where the, cisco-avpair="device-traffic-class=voice" , is defined which I have already done.
My belief is that dynamic VLAN assignment is incorrect for voice devices: the RADIUS server just informs the switch that the device is a voice type, and the switch places it in the voice VLAN, which the switch already knows about. Do you have a different understanding?
01-29-2011 03:04 AM
For information, the debugs you requested are:
Jan 29 10:58:46.317: %ILPOWER-7-DETECT: Interface Gi1/0/16: Power Device detected: IEEE PD
Jan 29 10:58:46.770: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/16: Power granted
Jan 29 10:58:50.377: AAA/BIND(0000001D): Bind i/f
Jan 29 10:58:52.373: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/16, changed state to up
Jan 29 10:58:53.380: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/16, changed state to up
Jan 29 10:58:54.789: %AUTHMGR-5-START: Starting 'dot1x' for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID C0A8FE2500000018002FB1D0
Jan 29 10:58:56.920: AAA/AUTHEN/8021X (0000001D): Pick method list 'default'
Jan 29 10:58:56.920: RADIUS/ENCODE(0000001D):Orig. component type = DOT1X
Jan 29 10:58:56.920: RADIUS(0000001D): Config NAS IP: 192.168.254.37
Jan 29 10:58:56.920: RADIUS/ENCODE(0000001D): acct_session_id: 54
Jan 29 10:58:56.920: RADIUS(0000001D): sending
Jan 29 10:58:56.920: RADIUS(0000001D): Send Access-Request to 192.168.254.51:1645 id 1645/52, len 237
Jan 29 10:58:56.920: RADIUS: authenticator 89 81 92 2C AA 6B E6 E6 - CA 2C 3A 0D E1 C5 28 ED
Jan 29 10:58:56.928: RADIUS: User-Name [1] 26 "CP-7942G-SEP001D452D53E0"
Jan 29 10:58:56.928: RADIUS: Service-Type [6] 6 Framed [2]
Jan 29 10:58:56.928: RADIUS: Framed-MTU [12] 6 1500
Jan 29 10:58:56.928: RADIUS: Called-Station-Id [30] 19 "30-37-A6-AB-8E-90"
Jan 29 10:58:56.928: RADIUS: Calling-Station-Id [31] 19 "00-1D-45-2D-53-E0"
Jan 29 10:58:56.928: RADIUS: EAP-Message [79] 31
Jan 29 10:58:56.928: RADIUS: 02 01 00 1D 01 43 50 2D 37 39 34 32 47 2D 53 45 50 30 30 31 44 [CP-7942G-SEP001D]
Jan 29 10:58:56.928: RADIUS: 34 35 32 44 35 33 45 30 [ 452D53E0]
Jan 29 10:58:56.928: RADIUS: Message-Authenticato[80] 18
Jan 29 10:58:56.928: RADIUS: 83 AF F8 DB 44 0D 0A 46 70 2F 1E 8D 67 CE BC DD [ DFp/g]
Jan 29 10:58:56.928: RADIUS: EAP-Key-Name [102] 2 *
Jan 29 10:58:56.928: RADIUS: Vendor, Cisco [26] 49
Jan 29 10:58:56.928: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A8FE2500000018002FB1D0"
Jan 29 10:58:56.928: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Jan 29 10:58:56.928: RADIUS: NAS-Port [5] 6 50116
Jan 29 10:58:56.928: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet1/0/16"
Jan 29 10:58:56.928: RADIUS: NAS-IP-Address [4] 6 192.168.254.37
Jan 29 10:58:56.928: RADIUS(0000001D): Started 4 sec timeout
Jan 29 10:58:56.928: RADIUS: Received from id 1645/52 192.168.254.51:1645, Access-Challenge, len 76
Jan 29 10:58:56.928: RADIUS: authenticator DA 45 B9 F8 80 48 A0 4B - F7 99 9B 1F DE 4F B2 9E
Jan 29 10:58:56.928: RADIUS: State [24] 30
Jan 29 10:58:56.937: RADIUS: 32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F [25SessionID=ACS/]
Jan 29 10:58:56.937: RADIUS: 38 35 36 37 30 35 31 38 2F 33 33 3B [ 85670518/33;]
Jan 29 10:58:56.937: RADIUS: EAP-Message [79] 8
Jan 29 10:58:56.937: RADIUS: 01 51 00 06 0D 20 [ Q ]
Jan 29 10:58:56.937: RADIUS: Message-Authenticato[80] 18
Jan 29 10:58:56.937: RADIUS: 3C F4 D9 93 82 EA FB 25 A7 9D C4 8F 14 3F 33 4F
Jan 29 10:58:56.937: RADIUS(0000001D): Received from id 1645/52
Jan 29 10:58:56.937: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
Jan 29 10:58:57.046: AAA/AUTHEN/8021X (0000001D): Pick method list 'default'
Jan 29 10:58:57.046: RADIUS/ENCODE(0000001D):Orig. component type = DOT1X
Jan 29 10:58:57.046: RADIUS(0000001D): Config NAS IP: 192.168.254.37
Jan 29 10:58:57.046: RADIUS/ENCODE(0000001D): acct_session_id: 54
Jan 29 10:58:57.046: RADIUS(0000001D): sending
Jan 29 10:58:57.046: RADIUS(0000001D): Send Access-Request to 192.168.254.51:1645 id 1645/53, len 244
Jan 29 10:58:57.046: RADIUS: authenticator BE 9B 32 59 45 BF 15 45 - E4 43 02 B5 B5 D7 ED 83
Jan 29 10:58:57.046: RADIUS: User-Name [1] 26 "CP-7942G-SEP001D452D53E0"
Jan 29 10:58:57.046: RADIUS: Service-Type [6] 6 Framed [2]
Jan 29 10:58:57.046: RADIUS: Framed-MTU [12] 6 1500
Jan 29 10:58:57.054: RADIUS: Called-Station-Id [30] 19 "30-37-A6-AB-8E-90"
Jan 29 10:58:57.054: RADIUS: Calling-Station-Id [31] 19 "00-1D-45-2D-53-E0"
Jan 29 10:58:57.054: RADIUS: EAP-Message [79] 8
Jan 29 10:58:57.054: RADIUS: 02 51 00 06 03 04 [ Q]
Jan 29 10:58:57.054: RADIUS: Message-Authenticato[80] 18
Jan 29 10:58:57.054: RADIUS: E0 B5 99 82 7E 9E 35 0F 78 D9 BD 4B 96 97 34 47 [ ~5xK4G]
Jan 29 10:58:57.054: RADIUS: EAP-Key-Name [102] 2 *
Jan 29 10:58:57.054: RADIUS: Vendor, Cisco [26] 49
Jan 29 10:58:57.054: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A8FE2500000018002FB1D0"
Jan 29 10:58:57.054: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Jan 29 10:58:57.054: RADIUS: NAS-Port [5] 6 50116
Jan 29 10:58:57.054: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet1/0/16"
Jan 29 10:58:57.054: RADIUS: State [24] 30
Jan 29 10:58:57.054: RADIUS: 32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F [25SessionID=ACS/]
Jan 29 10:58:57.054: RADIUS: 38 35 36 37 30 35 31 38 2F 33 33 3B [ 85670518/33;]
Jan 29 10:58:57.054: RADIUS: NAS-IP-Address [4] 6 192.168.254.37
Jan 29 10:58:57.054: RADIUS(0000001D): Started 4 sec timeout
Jan 29 10:58:57.054: RADIUS: Received from id 1645/53 192.168.254.51:1645, Access-Challenge, len 95
Jan 29 10:58:57.054: RADIUS: authenticator D9 62 B7 27 8F 55 E9 88 - 41 01 D0 83 52 DF 36 29
Jan 29 10:58:57.054: RADIUS: State [24] 30
Jan 29 10:58:57.054: RADIUS: 32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F [25SessionID=ACS/]
Jan 29 10:58:57.063: RADIUS: 38 35 36 37 30 35 31 38 2F 33 33 3B [ 85670518/33;]
Jan 29 10:58:57.063: RADIUS: EAP-Message [79] 27
Jan 29 10:58:57.063: RADIUS: 01 52 00 19 04 10 AA 6A A2 BC 63 1A C0 93 B8 58 67 F7 1A A5 FD 45 41 43 53 [ RjcXgEAC S]
Jan 29 10:58:57.063: RADIUS: Message-Authenticato[80] 18
Jan 29 10:58:57.063: RADIUS: 29 D2 66 87 4A 2F B3 9E B5 EC F9 4E 9F 62 82 5E [ )fJ/Nb^]
Jan 29 10:58:57.063: RADIUS(0000001D): Received from id 1645/53
Jan 29 10:58:57.063: RADIUS/DECODE: EAP-Message fragments, 25, total 25 bytes
Jan 29 10:58:57.079: AAA/AUTHEN/8021X (0000001D): Pick method list 'default'
Jan 29 10:58:57.079: RADIUS/ENCODE(0000001D):Orig. component type = DOT1X
Jan 29 10:58:57.079: RADIUS(0000001D): Config NAS IP: 192.168.254.37
Jan 29 10:58:57.079: RADIUS/ENCODE(0000001D): acct_session_id: 54
Jan 29 10:58:57.079: RADIUS(0000001D): sending
Jan 29 10:58:57.079: RADIUS(0000001D): Send Access-Request to 192.168.254.51:1645 id 1645/54, len 284
Jan 29 10:58:57.079: RADIUS: authenticator 91 F4 7C C1 4E 79 27 AB - 2F 36 20 A8 9C 3F A9 76
Jan 29 10:58:57.079: RADIUS: User-Name [1] 26 "CP-7942G-SEP001D452D53E0"
Jan 29 10:58:57.088: RADIUS: Service-Type [6] 6 Framed [2]
Jan 29 10:58:57.088: RADIUS: Framed-MTU [12] 6 1500
Jan 29 10:58:57.088: RADIUS: Called-Station-Id [30] 19 "30-37-A6-AB-8E-90"
Jan 29 10:58:57.088: RADIUS: Calling-Station-Id [31] 19 "00-1D-45-2D-53-E0"
Jan 29 10:58:57.088: RADIUS: EAP-Message [79] 48
Jan 29 10:58:57.088: RADIUS: 02 52 00 2E 04 10 45 2F B1 FC 60 CF 09 08 7B C4 F9 56 74 AF 44 E9 43 50 2D 37 39 34 32 [R.E/ `{VtDCP-7942]
Jan 29 10:58:57.088: RADIUS: 47 2D 53 45 50 30 30 31 44 34 35 32 44 35 33 45 [G-SEP001D452D53E]
Jan 29 10:58:57.088: RADIUS: 30 [ 0]
Jan 29 10:58:57.088: RADIUS: Message-Authenticato[80] 18
Jan 29 10:58:57.088: RADIUS: 45 42 58 9F 75 14 09 A1 FC DD CD 26 B4 88 42 CF [ EBXu&B]
Jan 29 10:58:57.088: RADIUS: EAP-Key-Name [102] 2 *
Jan 29 10:58:57.088: RADIUS: Vendor, Cisco [26] 49
Jan 29 10:58:57.088: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A8FE2500000018002FB1D0"
Jan 29 10:58:57.088: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Jan 29 10:58:57.088: RADIUS: NAS-Port [5] 6 50116
Jan 29 10:58:57.088: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet1/0/16"
Jan 29 10:58:57.088: RADIUS: State [24] 30
Jan 29 10:58:57.088: RADIUS: 32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F [25SessionID=ACS/]
Jan 29 10:58:57.088: RADIUS: 38 35 36 37 30 35 31 38 2F 33 33 3B [ 85670518/33;]
Jan 29 10:58:57.088: RADIUS: NAS-IP-Address [4] 6 192.168.254.37
Jan 29 10:58:57.088: RADIUS(0000001D): Started 4 sec timeout
Jan 29 10:58:57.222: RADIUS: Received from id 1645/54 192.168.254.51:1645, Access-Accept, len 126
Jan 29 10:58:57.222: RADIUS: authenticator 7B A5 E0 B2 D6 15 90 26 - 8F 8F 64 B0 E6 94 D8 C7
Jan 29 10:58:57.222: RADIUS: User-Name [1] 26 "CP-7942G-SEP001D452D53E0"
Jan 29 10:58:57.222: RADIUS: Class [25] 22
Jan 29 10:58:57.222: RADIUS: 43 41 43 53 3A 41 43 53 2F 38 35 36 37 30 35 31 [CACS:ACS/8567051]
Jan 29 10:58:57.222: RADIUS: 38 2F 33 33 [ 8/33]
Jan 29 10:58:57.222: RADIUS: EAP-Message [79] 6
Jan 29 10:58:57.222: RADIUS: 03 52 00 04 [ R]
Jan 29 10:58:57.222: RADIUS: Message-Authenticato[80] 18
Jan 29 10:58:57.222: RADIUS: E8 2E 9B FD C2 A8 D7 5E 86 DD 3C 67 FF 37 75 02 [ .^
Jan 29 10:58:57.222: RADIUS: Cisco AVpair [1] 28 "device-traffic-class=voice"
Jan 29 10:58:57.222: RADIUS(0000001D): Received from id 1645/54
Jan 29 10:58:57.222: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
Jan 29 10:58:57.222: AAA/AUTHOR (0000001D): Method list id=0 not configured. Skip author
Jan 29 10:58:57.222: %DOT1X-5-SUCCESS: Authentication successful for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID
Jan 29 10:58:57.222: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID C0A8FE2500000018002FB1D0
Jan 29 10:58:57.239: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
Jan 29 10:58:58.262: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID C0A8FE2500000018002FB1D0
01-29-2011 03:16 AM
After adding the 3 additional RADIUS-IETF parameters, the phone still doesn't work in the voice domain:
Jan 29 11:11:53.742: RADIUS(0000001E): Received from id 1645/55
Jan 29 11:11:53.742: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
Jan 29 11:11:53.842: AAA/AUTHEN/8021X (0000001E): Pick method list 'default'
Jan 29 11:11:53.842: RADIUS/ENCODE(0000001E):Orig. component type = DOT1X
Jan 29 11:11:53.842: RADIUS(0000001E): Config NAS IP: 192.168.254.37
Jan 29 11:11:53.842: RADIUS/ENCODE(0000001E): acct_session_id: 55
Jan 29 11:11:53.842: RADIUS(0000001E): sending
Jan 29 11:11:53.842: RADIUS(0000001E): Send Access-Request to 192.168.254.51:1645 id 1645/56, len 244
Jan 29 11:11:53.842: RADIUS: authenticator 1C 63 91 D5 AD A3 D2 BC - 7D C5 5F 8C FC 10 22 1B
Jan 29 11:11:53.842: RADIUS: User-Name [1] 26 "CP-7942G-SEP001D452D53E0"
Jan 29 11:11:53.842: RADIUS: Service-Type [6] 6 Framed [2]
Jan 29 11:11:53.842: RADIUS: Framed-MTU [12] 6 1500
Jan 29 11:11:53.842: RADIUS: Called-Station-Id [30] 19 "30-37-A6-AB-8E-90"
Jan 29 11:11:53.842: RADIUS: Calling-Station-Id [31] 19 "00-1D-45-2D-53-E0"
Jan 29 11:11:53.842: RADIUS: EAP-Message [79] 8
Jan 29 11:11:53.842: RADIUS: 02 9F 00 06 03 04
Jan 29 11:11:53.842: RADIUS: Message-Authenticato[80] 18
Jan 29 11:11:53.842: RADIUS: 24 BE F1 70 15 16 AE 2C E3 AC 56 5A E2 BE FC 92 [ $p,VZ]
Jan 29 11:11:53.842: RADIUS: EAP-Key-Name [102] 2 *
Jan 29 11:11:53.842: RADIUS: Vendor, Cisco [26] 49
Jan 29 11:11:53.842: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A8FE2500000019003B8C5C"
Jan 29 11:11:53.842: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Jan 29 11:11:53.851: RADIUS: NAS-Port [5] 6 50116
Jan 29 11:11:53.851: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet1/0/16"
Jan 29 11:11:53.851: RADIUS: State [24] 30
Jan 29 11:11:53.851: RADIUS: 32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F [25SessionID=ACS/]
Jan 29 11:11:53.851: RADIUS: 38 35 36 37 30 35 31 38 2F 33 34 3B [ 85670518/34;]
Jan 29 11:11:53.851: RADIUS: NAS-IP-Address [4] 6 192.168.254.37
Jan 29 11:11:53.851: RADIUS(0000001E): Started 4 sec timeout
Jan 29 11:11:53.868: RADIUS: Received from id 1645/56 192.168.254.51:1645, Access-Challenge, len 95
Jan 29 11:11:53.868: RADIUS: authenticator C7 B8 85 BD 56 89 AD 04 - FF 8D B0 FF 96 BF C2 7F
Jan 29 11:11:53.868: RADIUS: State [24] 30
Jan 29 11:11:53.868: RADIUS: 32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F [25SessionID=ACS/]
Jan 29 11:11:53.868: RADIUS: 38 35 36 37 30 35 31 38 2F 33 34 3B [ 85670518/34;]
Jan 29 11:11:53.868: RADIUS: EAP-Message [79] 27
Jan 29 11:11:53.868: RADIUS: 01 A0 00 19 04 10 D6 98 65 25 2C 02 06 89 20 25 9A E7 2B 24 6D 95 41 43 53 [ e?, ?+$mACS]
Jan 29 11:11:53.868: RADIUS: Message-Authenticato[80] 18
Jan 29 11:11:53.868: RADIUS: 44 D0 63 BA DA E9 1F E5 7D 40 97 1F 1E 7E B8 B2 [ Dc}@~]
Jan 29 11:11:53.868: RADIUS(0000001E): Received from id 1645/56
Jan 29 11:11:53.868: RADIUS/DECODE: EAP-Message fragments, 25, total 25 bytes
Jan 29 11:11:53.884: AAA/AUTHEN/8021X (0000001E): Pick method list 'default'
Jan 29 11:11:53.884: RADIUS/ENCODE(0000001E):Orig. component type = DOT1X
Jan 29 11:11:53.884: RADIUS(0000001E): Config NAS IP: 192.168.254.37
Jan 29 11:11:53.884: RADIUS/ENCODE(0000001E): acct_session_id: 55
Jan 29 11:11:53.884: RADIUS(0000001E): sending
Jan 29 11:11:53.884: RADIUS(0000001E): Send Access-Request to 192.168.254.51:1645 id 1645/57, len 284
Jan 29 11:11:53.884: RADIUS: authenticator 3A 52 7C D1 89 1F AF AE - 85 8F E6 2D 7E AE 90 D7
Jan 29 11:11:53.884: RADIUS: User-Name [1] 26 "CP-7942G-SEP001D452D53E0"
Jan 29 11:11:53.884: RADIUS: Service-Type [6] 6 Framed [2]
Jan 29 11:11:53.884: RADIUS: Framed-MTU [12] 6 1500
Jan 29 11:11:53.884: RADIUS: Called-Station-Id [30] 19 "30-37-A6-AB-8E-90"
Jan 29 11:11:53.884: RADIUS: Calling-Station-Id [31] 19 "00-1D-45-2D-53-E0"
Jan 29 11:11:53.884: RADIUS: EAP-Message [79] 48
Jan 29 11:11:53.884: RADIUS: 02 A0 00 2E 04 10 AE 65 BA 3A 6F 09 06 69 45 65 19 A2 76 95 12 AF 43 50 2D 37 39 34 32 47 [.e:oiEevCP-7942G]
Jan 29 11:11:53.884: RADIUS: 2D 53 45 50 30 30 31 44 34 35 32 44 35 33 45 30 [ -SEP001D452D53E0]
Jan 29 11:11:53.884: RADIUS: Message-Authenticato[80] 18
Jan 29 11:11:53.893: RADIUS: 99 CA 36 60 3E 1A 13 7F 7E 0F 39 7D B7 AD 75 FF [ 6`>~9}u]
Jan 29 11:11:53.893: RADIUS: EAP-Key-Name [102] 2 *
Jan 29 11:11:53.893: RADIUS: Vendor, Cisco [26] 49
Jan 29 11:11:53.893: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A8FE2500000019003B8C5C"
Jan 29 11:11:53.893: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Jan 29 11:11:53.893: RADIUS: NAS-Port [5] 6 50116
Jan 29 11:11:53.893: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet1/0/16"
Jan 29 11:11:53.893: RADIUS: State [24] 30
Jan 29 11:11:53.893: RADIUS: 32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F [25SessionID=ACS/]
Jan 29 11:11:53.893: RADIUS: 38 35 36 37 30 35 31 38 2F 33 34 3B [ 85670518/34;]
Jan 29 11:11:53.893: RADIUS: NAS-IP-Address [4] 6 192.168.254.37
Jan 29 11:11:53.893: RADIUS(0000001E): Started 4 sec timeout
Jan 29 11:11:54.019: RADIUS: Received from id 1645/57 192.168.254.51:1645, Access-Accept, len 150
Jan 29 11:11:54.019: RADIUS: authenticator D5 AD 4C 67 3C FB 88 75 - 0C D3 AF 11 16 CD 29 B9
Jan 29 11:11:54.019: RADIUS: User-Name [1] 26 "CP-7942G-SEP001D452D53E0"
Jan 29 11:11:54.019: RADIUS: Class [25] 22
Jan 29 11:11:54.019: RADIUS: 43 41 43 53 3A 41 43 53 2F 38 35 36 37 30 35 31 [CACS:ACS/8567051]
Jan 29 11:11:54.019: RADIUS: 38 2F 33 34 [ 8/34]
Jan 29 11:11:54.019: RADIUS: Tunnel-Type [64] 6 01:VLAN [13]
Jan 29 11:11:54.019: RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]
Jan 29 11:11:54.019: RADIUS: EAP-Message [79] 6
Jan 29 11:11:54.019: RADIUS: 03 A0 00 04
Jan 29 11:11:54.019: RADIUS: Message-Authenticato[80] 18
Jan 29 11:11:54.019: RADIUS: A7 1D B5 E3 44 DE 70 3C 5B 46 57 C0 A6 DB 56 EC [ Dp<[FWV]
Jan 29 11:11:54.019: RADIUS: Tunnel-Private-Group[81] 12 01:"VOICE-LAN"
Jan 29 11:11:54.019: RADIUS: Vendor, Cisco [26] 34
Jan 29 11:11:54.019: RADIUS: Cisco AVpair [1] 28 "device-traffic-class=voice"
Jan 29 11:11:54.019: RADIUS(0000001E): Received from id 1645/57
Jan 29 11:11:54.019: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
Jan 29 11:11:54.027: AAA/AUTHOR (0000001E): Method list id=0 not configured. Skip author
Jan 29 11:11:54.027: %DOT1X-5-SUCCESS: Authentication successful for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID
Jan 29 11:11:54.027: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID C0A8FE2500000019003B8C5C
Jan 29 11:11:54.035: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
Jan 29 11:11:55.050: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID C0A8FE2500000019003B8C5C
C3750G#
C3750G#sh auth sess int gi 1/0/16
Interface: GigabitEthernet1/0/16
MAC Address: 001d.452d.53e0
IP Address: Unknown
User-Name: CP-7942G-SEP001D452D53E0
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A8FE2500000019003B8C5C
Acct Session ID: 0x00000037
Handle: 0xDC000019
Runnable methods list:
Method State
dot1x Authc Success
C3750G#
Are you able to provide any more things to check? Thanks again.
01-29-2011 06:01 AM
One specific point that I am worried about is the Cisco AV pair string itself. In ACS 5.1 when you select Voice VLAN, Permission to Join: [Static] it automatically adds a common RADIUS attribute of
Attribute: cisco-av-pair
Type: String
Value: device-traffic-class=voice
None of these are editable fields. As I have been doing a lot of searches on this subject, I have seen the attribute spelt as listed above, "cisco-av-pair", but also as "cisco-avpair" (such as in docs: http://www.cisco.com/en/US/products/sw/netmgtsw/ps411/products_tech_note09186a0080094e9a.shtml and http://www.avaya.com/master-usa/en-us/resource/assets/applicationnotes/802_1x_ciscomda.pdf). Does this actually matter, or is the Cat switch looking out for only one of these attribute strings? Or is the switch looking for any combination of that text in an attribute to define it as a valid Cisco AV pair?
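As an added example, not written by any poster in this thread: a small Python reader for the `debug radius` / `debug aaa authorization` output of the kind posted above. It pulls the attributes out of the Access-Accept and reports whether the voice VSA and the IETF 64/65/81 VLAN triplet were returned, and separately whether the switch logged "AAA/AUTHOR ... Method list id=0 not configured. Skip author", which appears in both captures on this page and means the switch never ran network authorization on what it received. It also bears on the naming question: on the wire the attribute carries no name at all; it is IETF attribute 26 (Vendor-Specific) with Cisco's vendor ID 9 and sub-type 1, which is exactly what the switch decodes as "Vendor, Cisco [26]" followed by "Cisco AVpair [1]". "cisco-av-pair" versus "cisco-avpair" is only the RADIUS server's dictionary label for that sub-type. The sample input is a constructed, trimmed copy of the second Access-Accept in the thread; the regular expressions are written against the line formats shown here and are an assumption for other IOS releases.

```python
"""
Read Cisco IOS 'debug radius' / 'debug aaa authorization' output and report
(a) which authorization attributes the RADIUS server returned in the first
Access-Accept and (b) whether the switch skipped authorization afterwards
because no 'aaa authorization network' method list exists.
"""
import re

# Constructed sample: trimmed copy of the second Access-Accept in the thread
# (after IETF 64/65/81 were added on ACS) plus the AAA/AUTHOR line after it.
SAMPLE_DEBUG = """\
Jan 29 11:11:53.893: RADIUS(0000001E): Started 4 sec timeout
Jan 29 11:11:54.019: RADIUS: Received from id 1645/57 192.168.254.51:1645, Access-Accept, len 150
Jan 29 11:11:54.019: RADIUS: authenticator D5 AD 4C 67 3C FB 88 75 - 0C D3 AF 11 16 CD 29 B9
Jan 29 11:11:54.019: RADIUS: User-Name [1] 26 "CP-7942G-SEP001D452D53E0"
Jan 29 11:11:54.019: RADIUS: Class [25] 22
Jan 29 11:11:54.019: RADIUS: 43 41 43 53 3A 41 43 53 2F 38 35 36 37 30 35 31 [CACS:ACS/8567051]
Jan 29 11:11:54.019: RADIUS: 38 2F 33 34 [ 8/34]
Jan 29 11:11:54.019: RADIUS: Tunnel-Type [64] 6 01:VLAN [13]
Jan 29 11:11:54.019: RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]
Jan 29 11:11:54.019: RADIUS: EAP-Message [79] 6
Jan 29 11:11:54.019: RADIUS: 03 A0 00 04
Jan 29 11:11:54.019: RADIUS: Message-Authenticato[80] 18
Jan 29 11:11:54.019: RADIUS: A7 1D B5 E3 44 DE 70 3C 5B 46 57 C0 A6 DB 56 EC [ Dp<[FWV]
Jan 29 11:11:54.019: RADIUS: Tunnel-Private-Group[81] 12 01:"VOICE-LAN"
Jan 29 11:11:54.019: RADIUS: Vendor, Cisco [26] 34
Jan 29 11:11:54.019: RADIUS: Cisco AVpair [1] 28 "device-traffic-class=voice"
Jan 29 11:11:54.019: RADIUS(0000001E): Received from id 1645/57
Jan 29 11:11:54.019: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
Jan 29 11:11:54.027: AAA/AUTHOR (0000001E): Method list id=0 not configured. Skip author
"""

ACCEPT_RE = re.compile(r"RADIUS: Received from id \S+ \S+, Access-Accept,")
END_RE = re.compile(r"RADIUS\(\w+\): Received from id")          # end of the decoded packet
ATTR_RE = re.compile(r"RADIUS:\s+([A-Za-z][\w ,-]*?)\s*\[(\d+)\]\s+(\d+)\s*(.*)$")
HEX_RE = re.compile(r"RADIUS:\s+(?:[0-9A-F]{2} )+")             # hex-dump continuation line
SKIP_RE = re.compile(r"AAA/AUTHOR \(\w+\): Method list id=\d+ not configured\. Skip author")


def access_accept_attributes(debug_text):
    """Return [(name, type, value)] for the attributes decoded in the first Access-Accept."""
    attrs, inside = [], False
    for line in debug_text.splitlines():
        if not inside:
            inside = bool(ACCEPT_RE.search(line))
            continue
        if END_RE.search(line):
            break
        if HEX_RE.search(line):
            continue                      # raw bytes of the previous attribute, not a new one
        m = ATTR_RE.search(line)
        if m:
            name, attr_type, _length, value = m.groups()
            attrs.append((name.strip(), int(attr_type), value.strip()))
    return attrs


def summarize(debug_text):
    """What a multi-domain port needs from the server, and whether the switch used it."""
    attrs = access_accept_attributes(debug_text)
    # VSA 26 / vendor 9 / sub-type 1 is decoded by IOS as 'Cisco AVpair [1]'
    avpairs = [v.strip('"') for n, _, v in attrs if n == "Cisco AVpair"]
    by_type = {t: v for n, t, v in attrs if n != "Cisco AVpair"}
    vlan = None
    if 81 in by_type:                     # Tunnel-Private-Group-ID carries the VLAN name/ID
        m = re.search(r'"([^"]*)"', by_type[81])
        vlan = m.group(1) if m else by_type[81]
    return {
        "voice_vsa": "device-traffic-class=voice" in avpairs,
        "vlan_triplet": all(t in by_type for t in (64, 65, 81)),
        "vlan": vlan,
        "authorization_skipped": bool(SKIP_RE.search(debug_text)),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_DEBUG).items():
        print(f"{k}: {v}")
```

A result of `voice_vsa: True` together with `authorization_skipped: True` is the signature of this thread: the server did its part, and the switch discarded the authorization data for lack of a network authorization method list.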
01-29-2011 07:28 AM
C3750G#show run | in aaa
aaa new-model
aaa authentication login My-AAA group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization exec My-AAA group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting connection default stop-only group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
01-29-2011 07:51 AM
Finally fixed it after I spotted this in a config guide:
Cat-3560(config)#aaa authorization network default group radius
!--- You need authorization for dynamic VLAN assignment to work with RADIUS
I didn't have this command, but I do now and it works fine. Although admittedly I wasn't aware I was doing VLAN assignment, as in dynamic VLAN assignment, which required the extra RADIUS-IETF attributes.
01-30-2011 11:45 AM
Glad to know it's working. Couldn't reply back due to the weekend.
Yes, that was the reason I asked you for the output of show run | in aaa.
A little more detail on it:
The VLAN assignment feature is automatically enabled when we configure 802.1x authentication on an access port. For VLAN assignment to work, we must ensure that network authorization is configured on the switch to allow interface configuration from the RADIUS server:
Cisco IOS:
Switch(config)# aaa authorization network default method1 [method2…]
Catalyst OS: No equivalent command exists, and none is required to turn this feature on.
I'd appreciate it if you mark this query resolved so that others can benefit from it.
Regards,
Jatin
Do rate helpful posts~
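As an added example, not part of any post in this thread: a Python audit that correlates the two artefacts the thread turned on, the `show authentication sessions` output from the first post and the `show run | in aaa` lines, and flags the combination diagnosed here: a phone identity that passed 802.1X but sits outside the VOICE domain on a multi-domain port, on a switch whose global AAA config has no `aaa authorization network` method list, so the Access-Accept attributes are never applied. The sample inputs are constructed, trimmed copies of the outputs posted above; the phone-identity pattern `CP-<model>-SEP<MAC>` follows the User-Name shown in those outputs and is an assumption for other phone models, and the "one host in DATA per port" rule applies to multi-domain ports only (multi-auth permits several).

```python
"""
Audit 'show authentication sessions' output against the switch's AAA
configuration for the failure pattern in this thread: the phone passes
EAP-MD5 and shows 'Authz Success', but lands in the DATA domain because
the switch has no network authorization method list and therefore never
applies device-traffic-class=voice or the Tunnel-* VLAN attributes.
"""
import re

# Constructed sample: trimmed copy of the session output in the first post.
SAMPLE_SESSIONS = """\
Interface: GigabitEthernet1/0/16
MAC Address: 001d.452d.53e0
IP Address: Unknown
User-Name: CP-7942G-SEP001D452D53E0
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Authorized By: Authentication Server
----------------------------------------
Interface: GigabitEthernet1/0/16
MAC Address: 0014.c209.896f
IP Address: 192.168.10.2
User-Name: TEST\\TestAdmin
Status: Running
Domain: UNKNOWN
Oper host mode: multi-domain
"""

# Constructed sample: the 802.1X-relevant 'show run | in aaa' lines before the fix.
SAMPLE_AAA_BEFORE = """\
aaa new-model
aaa authentication dot1x default group radius
aaa session-id common
"""
# Same lines plus the one that resolved the thread.
SAMPLE_AAA_AFTER = SAMPLE_AAA_BEFORE + "aaa authorization network default group radius\n"

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s*(\S.*?)\s*$")
# 802.1X identity a Cisco IP phone presents: CP-<model>-SEP<MAC> (assumed general)
PHONE_ID_RE = re.compile(r"^CP-\w+-SEP[0-9A-Fa-f]{12}$")
NET_AUTHZ_RE = re.compile(r"^\s*aaa authorization network \S+ .*\bgroup radius\b")


def parse_sessions(text):
    """One dict per session block; blocks are separated by the dashed line."""
    sessions = []
    for block in re.split(r"^-{5,}\s*$", text, flags=re.MULTILINE):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if "MAC Address" in fields:
            sessions.append(fields)
    return sessions


def has_network_authorization(aaa_text):
    """True if some 'aaa authorization network <list> ... group radius' line exists."""
    return any(NET_AUTHZ_RE.match(line) for line in aaa_text.splitlines())


def audit(session_text, aaa_text):
    """Return a list of findings; an empty list means the placement looks right."""
    findings = []
    if not has_network_authorization(aaa_text):
        findings.append(
            "global: missing 'aaa authorization network <list> group radius'; the switch "
            "accepts the session but skips authorization, so device-traffic-class=voice "
            "and Tunnel-* attributes returned by RADIUS are never applied")
    data_hosts = {}
    for s in parse_sessions(session_text):
        port, mac = s.get("Interface", "?"), s.get("MAC Address", "?")
        ident, domain = s.get("User-Name", ""), s.get("Domain", "")
        if PHONE_ID_RE.match(ident) and domain != "VOICE":
            findings.append(f"{port} {mac}: phone identity {ident} is in domain "
                            f"{domain}, expected VOICE")
        # multi-domain allows exactly one data host and one voice host per port
        if domain == "DATA" and s.get("Oper host mode") == "multi-domain":
            data_hosts.setdefault(port, []).append(mac)
    for port, macs in data_hosts.items():
        if len(macs) > 1:
            findings.append(f"{port}: {len(macs)} hosts in the DATA domain "
                            f"({', '.join(macs)}); multi-domain allows one")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SESSIONS, SAMPLE_AAA_BEFORE) or ["no findings"]:
        print(finding)
```

Run it against the outputs of both commands from a switch; a phone reported outside VOICE together with the global finding reproduces this thread, while a phone outside VOICE with the global line present points at the RADIUS side (the server's authorization profile or the VSA itself) instead.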
11-04-2014 08:46 AM
Hello Dear,
We have the same problem. After I issued device-traffic-class=voice on the RADIUS server (Microsoft RADIUS 2008), my phone was in the voice domain (I can show it with "show authorization session") but no traffic, no IP access to the phone. Why could that be?
Config;
Current configuration : 13526 bytes
!
! Last configuration change at 18:45:37 GMT Tue Nov 4 2014 by swadmin
! NVRAM config last updated at 18:45:41 GMT Tue Nov 4 2014 by swadmin
!
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname lbtistsw2960-k2-3
!
boot-start-marker
boot-end-marker
!
logging buffered 256000
enable secret 5 $1$oSAC$h/RwvVLa4T70DQ91dJFro0
!
username swadmin privilege 15 secret 5 $1$H3M5$sx0LYbTsuvRprU3WBdua61
aaa new-model
!
!
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
!
!
!
!
!
aaa session-id common
clock timezone GMT 2 0
clock summer-time GMT recurring last Sun Mar 1:00 last Sun Oct 0:00
switch 1 provision ws-c2960s-48fps-l
no ip source-route
!
!
no ip domain-lookup
ip domain-name capitalturkey.com
ip name-server 172.22.35.61
ip name-server 172.22.35.62
ip device tracking
!
!
crypto pki trustpoint TP-self-signed-623397632
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-623397632
revocation-check none
rsakeypair TP-self-signed-623397632
!
!
crypto pki certificate chain TP-self-signed-623397632
dot1x system-auth-control
!
spanning-tree mode mst
spanning-tree loopguard default
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree extend system-id
!
spanning-tree mst configuration
name mstp-vrrp
revision 1
instance 2 vlan 20
instance 3 vlan 30
instance 4 vlan 40
instance 5 vlan 50
!
!
!
!
!
!
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
!
!
!
!
vlan internal allocation policy ascending
!
ip ssh version 2
lldp run
!
!
!
!
!
!
!
!
!
!
interface Port-channel1
description Uplink Backbone Switches Network Load Balancing and Failure
switchport trunk native vlan 40
switchport mode trunk
spanning-tree bpdufilter enable
spanning-tree bpduguard disable
!
interface Port-channel2
description Uplink Backbone Switches Network Load Balancing and Failure
switchport trunk native vlan 40
switchport mode trunk
shutdown
spanning-tree bpdufilter enable
spanning-tree bpduguard disable
!
interface FastEthernet0
no ip address
shutdown
!
interface GigabitEthernet1/0/1
switchport access vlan 40
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/2
switchport access vlan 20
switchport mode access
switchport voice vlan 30
switchport priority extend trust
mls qos trust dscp
spanning-tree portfast
!
!
interface GigabitEthernet1/0/36
switchport access vlan 20
switchport mode access
switchport nonegotiate
switchport voice vlan 30
authentication control-direction in
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
authentication timer restart 900
authentication timer reauthenticate 5400
mab
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/37
switchport access vlan 20
switchport mode access
switchport voice vlan 30
switchport priority extend trust
mls qos trust dscp
spanning-tree portfast
!
interface GigabitEthernet1/0/38
switchport access vlan 20
switchport mode access
switchport voice vlan 30
switchport priority extend trust
mls qos trust dscp
spanning-tree portfast
!
interface GigabitEthernet1/0/39
switchport access vlan 20
switchport mode access
switchport voice vlan 30
switchport priority extend trust
mls qos trust dscp
spanning-tree portfast
!
interface GigabitEthernet1/0/40
switchport access vlan 20
switchport mode access
switchport voice vlan 30
switchport priority extend trust
mls qos trust dscp
spanning-tree portfast
!
interface GigabitEthernet1/0/41
switchport access vlan 20
switchport mode access
switchport voice vlan 30
switchport priority extend trust
mls qos trust dscp
spanning-tree portfast
!
interface GigabitEthernet1/0/42
switchport access vlan 20
switchport mode access
switchport voice vlan 30
switchport priority extend trust
mls qos trust dscp
spanning-tree portfast
!
interface GigabitEthernet1/0/43
switchport access vlan 20
switchport mode access
switchport voice vlan 30
switchport priority extend trust
mls qos trust dscp
spanning-tree portfast
!
interface GigabitEthernet1/0/44
switchport access vlan 20
switchport mode access
switchport voice vlan 30
switchport priority extend trust
mls qos trust dscp
spanning-tree portfast
!
interface GigabitEthernet1/0/45
switchport access vlan 20
switchport mode access
switchport voice vlan 30
switchport priority extend trust
mls qos trust dscp
spanning-tree portfast
!
interface GigabitEthernet1/0/46
switchport access vlan 20
switchport mode access
switchport voice vlan 30
switchport priority extend trust
mls qos trust dscp
spanning-tree portfast
!
interface GigabitEthernet1/0/47
switchport access vlan 20
switchport mode access
switchport voice vlan 30
switchport priority extend trust
mls qos trust dscp
spanning-tree portfast
!
interface GigabitEthernet1/0/48
switchport access vlan 20
switchport mode access
switchport voice vlan 30
switchport priority extend trust
mls qos trust dscp
spanning-tree portfast
!
interface GigabitEthernet1/0/49
description Uplink Backbone Switch-1 Interface 1
switchport trunk native vlan 40
switchport mode trunk
spanning-tree bpdufilter enable
spanning-tree bpduguard disable
channel-group 1 mode on
!
interface GigabitEthernet1/0/50
description Uplink Backbone Switch-1 Interface 2
switchport trunk native vlan 40
switchport mode trunk
spanning-tree bpdufilter enable
spanning-tree bpduguard disable
channel-group 1 mode on
!
interface GigabitEthernet1/0/51
description Uplink Backbone Switch-2 Interface 1
switchport trunk native vlan 40
switchport mode trunk
spanning-tree bpdufilter enable
spanning-tree bpduguard disable
channel-group 1 mode on
!
interface GigabitEthernet1/0/52
description Uplink Backbone Switch-2 Interface 2
switchport trunk native vlan 40
switchport mode trunk
spanning-tree bpdufilter enable
spanning-tree bpduguard disable
channel-group 1 mode on
!
interface Vlan1
no ip address
!
interface Vlan20
description Vlan Interface for Desktop
ip address 172.22.32.11 255.255.255.0 secondary
ip address 172.22.28.11 255.255.252.0
ip helper-address 172.22.35.10
ip route-cache same-interface
!
interface Vlan30
description Vlan Interface for Voice
ip address 172.22.33.11 255.255.255.0
ip helper-address 172.22.35.10
ip route-cache same-interface
!
interface Vlan40
description Vlan Interface for Management
ip address 172.22.34.11 255.255.255.0
!
interface Vlan50
description Vlan Interface for Servers
ip address 172.22.35.111 255.255.255.0
!
ip default-gateway 172.22.34.1
ip http server
ip http authentication local
no ip http secure-server
!
!
ip sla enable reaction-alerts
logging trap debugging
logging source-interface Vlan40
logging host 172.22.35.85
logging host 172.22.30.140
!
snmp-server community public RO
!
radius-server host 172.22.35.61 key 7 075E731F1A5C4F524F
!
!
!
line con 0
session-timeout 10
line vty 0 4
session-timeout 60
transport input ssh
line vty 5 15
session-timeout 60
transport input ssh
!
ntp source Vlan40
ntp server 172.22.35.10
end
05-16-2019 12:12 AM
Hello. Big thanks to @Nicholas Poole for this command:
aaa authorization network default group radius
In our environment there's FreeRADIUS as the RADIUS server and a Cisco 2960 as the authenticator.
We tested 802.1x with non-domain PCs. The criterion was local accounts which exist in FreeRADIUS.
The problem was in the voice domain. After adding the command it worked. Thanks.