03-06-2013 03:02 AM - edited 03-10-2019 08:09 PM
Hello, I'm having a problem and I've been struggling with it for quite a while. I've seen that others had similar issues, and while I took a lot from the other postings regarding this subject, I still find myself in a bad spot with it all. Any and all assistance is greatly appreciated.
I am implementing a NAC solution at the company where I work using 802.1x authentication. The current setup I'm running in my "lab" is a Cisco 3750 (12.2.55 SE6). Into the FastEthernet interface, I have an Avaya 96XX series phone and a workstation daisy-chained off the back of the phone. I am using HP iMC User Access Management as the RADIUS server to authenticate against.
I have to use multi-domain authentication because we need to use guest-vlan and other failover vlan options.
The problem that I am having is that while I do believe I have everything configured correctly, my phones are not being placed into the voice vlan. The phones remain in the data vlan (224) and drop packets for the voice vlan (42), as seen here...
Vlan Mac Address Type Ports
---- ----------- -------- -----
42 001b.4f73.d214 STATIC Drop
224 001b.4f73.d214 STATIC Fa1/0/1
I have LLDP enabled on the switch and can see the phones appearing in the "show lldp neighbors", but I see them only appearing as a bridge instead of a bridge and a phone.
Capability codes:
(R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
(W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other
Device ID Local Intf Hold-time Capability Port ID
AVB73D214 Fa1/0/1 120 B 001b.4f73.d214
Total entries displayed: 1
When I debug RADIUS, I see the device-type-class=voice show up in the output, though I don't see it where I would expect to see it, that being next to Cisco AVpair. Here's the output....
Mar 6 10:52:53.878: RADIUS: authenticator 25 3A 1A F2 B4 A3 41 AE - BA A2 53 EF B9 01 25 7B
Mar 6 10:52:53.878: RADIUS: User-Name [1] 14 "001b4f73d214"
Mar 6 10:52:53.878: RADIUS: User-Password [2] 18 *
Mar 6 10:52:53.878: RADIUS: Service-Type [6] 6 Call Check [10]
Mar 6 10:52:53.878: RADIUS: Framed-MTU [12] 6 1500
Mar 6 10:52:53.878: RADIUS: Called-Station-Id [30] 19 "00-22-91-D2-A9-03"
Mar 6 10:52:53.878: RADIUS: Calling-Station-Id [31] 19 "00-1B-4F-73-D2-14"
Mar 6 10:52:53.878: RADIUS: Message-Authenticato[80] 18
Mar 6 10:52:53.878: RADIUS: 0F 65 F6 B3 BD 73 20 93 C2 EE 39 B8 07 6E 59 ED [ es 9nY]
Mar 6 10:52:53.878: RADIUS: EAP-Key-Name [102] 2 *
Mar 6 10:52:53.878: RADIUS: Vendor, Cisco [26] 49
Mar 6 10:52:53.887: RADIUS: Cisco AVpair [1] 43 "audit-session-id=AC1C00FA00000034047796C8"
Mar 6 10:52:53.887: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Mar 6 10:52:53.887: RADIUS: NAS-Port [5] 6 50101
Mar 6 10:52:53.887: RADIUS: NAS-Port-Id [87] 19 "FastEthernet1/0/1"
Mar 6 10:52:53.887: RADIUS: NAS-IP-Address [4] 6 172.28.0.250
Mar 6 10:52:53.887: RADIUS(0000003B): Started 5 sec timeout
Mar 6 10:52:53.904: RADIUS: Received from id 1645/111 172.28.5.161:1812, Access-Accept, len 99
Mar 6 10:52:53.904: RADIUS: authenticator 9E 4B 90 E1 F8 79 C4 F3 - F9 B0 8A 45 1B 0F 34 39
Mar 6 10:52:53.904: RADIUS: User-Name [1] 14 "001b4f73d214"
Mar 6 10:52:53.904: RADIUS: Service-Type [6] 6 Call Check [10]
Mar 6 10:52:53.904: RADIUS: State [24] 10
Mar 6 10:52:53.904: RADIUS: FB C4 EA 4A 64 C6 4D C0 [ JdM]
Mar 6 10:52:53.904: RADIUS: Termination-Action [29] 6 1
Mar 6 10:52:53.904: RADIUS: Session-Timeout [27] 6 86401
Mar 6 10:52:53.904: RADIUS: Acct-Interim-Interva[85] 6 600
Mar 6 10:52:53.904: RADIUS: Vendor, Unknown [26] 31
Mar 6 10:52:53.904: RADIUS: Unsupported [1] 25
Mar 6 10:52:53.912: RADIUS: 64 65 76 69 63 65 2D 74 79 70 65 2D 63 6C 61 73 [device-type-clas]
Mar 6 10:52:53.912: RADIUS: 73 3D 76 6F 69 63 65 [ s=voice]
Mar 6 10:52:53.912: RADIUS(0000003B): Received from id 1645/111
Lastly, here's a snapshot of the running config.
aaa new-model
!
!
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius local
aaa accounting update periodic 1
aaa accounting dot1x default start-stop group radius
!
!
!
aaa session-id common
power inline consumption default 5500
auto qos srnd4
dot1x system-auth-control
dot1x guest-vlan supplicant
vlan 42
name voice
vlan 224
name XF:1.1
interface FastEthernet1/0/1
switchport access vlan 224
switchport mode access
switchport voice vlan 42
switchport port-security maximum 5 vlan access
power inline consumption 5500
authentication event fail action authorize vlan 501
authentication event server dead action authorize vlan 500
authentication event no-response action authorize vlan 501
authentication host-mode multi-domain
authentication order dot1x mab
authentication port-control auto
authentication periodic
mab
dot1x pae authenticator
no cdp enable
spanning-tree portfast
radius-server host 172.28.x.xxx auth-port 1812 acct-port 1813 key xxxxx
radius-server vsa send accounting
radius-server vsa send authentication
That's all I can think of. Sorry for the long post. Again, I appreciate any assistance anyone can give me. Thanks!!!!!!!!!!
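As an added diagnostic for the symptom described in this post (this is example code, not code from the poster, Cisco or HP): a small parser for the "debug radius" Access-Accept lines that pulls out the vendor-specific attribute and reports whether the switch can actually use it. It assumes, from Cisco's documentation rather than from anything in the post, that IOS places a MAB-authenticated device into the voice domain of a multi-domain port only when the Access-Accept carries a cisco-av-pair (vendor ID 9) whose value is device-traffic-class=voice. When IOS prints a VSA as "Vendor, Unknown" the vendor ID was not one it recognises, and the sub-attribute is shown as an undecoded hex dump, which is the shape of the output quoted above. The first sample packet is the Access-Accept from the post; the second is constructed to show the recognised form, with illustrative lengths.

```python
import re

# Sample 1 (taken from the post): the Access-Accept portion of the "debug radius" output.
POST_ACCEPT = """\
Mar 6 10:52:53.904: RADIUS: Received from id 1645/111 172.28.5.161:1812, Access-Accept, len 99
Mar 6 10:52:53.904: RADIUS: authenticator 9E 4B 90 E1 F8 79 C4 F3 - F9 B0 8A 45 1B 0F 34 39
Mar 6 10:52:53.904: RADIUS: User-Name [1] 14 "001b4f73d214"
Mar 6 10:52:53.904: RADIUS: Service-Type [6] 6 Call Check [10]
Mar 6 10:52:53.904: RADIUS: State [24] 10
Mar 6 10:52:53.904: RADIUS: FB C4 EA 4A 64 C6 4D C0 [ JdM]
Mar 6 10:52:53.904: RADIUS: Termination-Action [29] 6 1
Mar 6 10:52:53.904: RADIUS: Session-Timeout [27] 6 86401
Mar 6 10:52:53.904: RADIUS: Acct-Interim-Interva[85] 6 600
Mar 6 10:52:53.904: RADIUS: Vendor, Unknown [26] 31
Mar 6 10:52:53.904: RADIUS: Unsupported [1] 25
Mar 6 10:52:53.912: RADIUS: 64 65 76 69 63 65 2D 74 79 70 65 2D 63 6C 61 73 [device-type-clas]
Mar 6 10:52:53.912: RADIUS: 73 3D 76 6F 69 63 65 [ s=voice]
Mar 6 10:52:53.912: RADIUS(0000003B): Received from id 1645/111
"""

# Sample 2 (constructed, not from the post): the same Access-Accept when the RADIUS server
# sends the Cisco-documented VSA (vendor ID 9, cisco-av-pair). Lengths are illustrative.
CORRECTED_ACCEPT = """\
Mar 6 10:52:53.904: RADIUS: Received from id 1645/112 172.28.5.161:1812, Access-Accept, len 82
Mar 6 10:52:53.904: RADIUS: User-Name [1] 14 "001b4f73d214"
Mar 6 10:52:53.904: RADIUS: Vendor, Cisco [26] 34
Mar 6 10:52:53.904: RADIUS: Cisco AVpair [1] 28 "device-traffic-class=voice"
Mar 6 10:52:53.904: RADIUS(0000003C): Received from id 1645/112
"""

# Assumption (Cisco documentation, not the post): the av-pair IOS expects for the voice domain.
EXPECTED_VOICE_VSA = "device-traffic-class=voice"

PKT_RE = re.compile(r"Received from id \S+ \S+ (Access-Accept|Access-Reject|Access-Challenge)")
VENDOR_RE = re.compile(r"RADIUS:\s+Vendor,\s+(\w+)\s+\[26\]")
AVPAIR_RE = re.compile(r'RADIUS:\s+Cisco AVpair\s+\[1\]\s+\d+\s+"([^"]*)"')
UNSUPPORTED_RE = re.compile(r"RADIUS:\s+Unsupported\s+\[\d+\]")
HEXDUMP_RE = re.compile(r"RADIUS:\s+((?:[0-9A-Fa-f]{2}\s+)+)\[")


def parse_access_accept(debug_text):
    """Return the vendor-specific attributes in the Access-Accept as (vendor, value) pairs.

    'vendor' is the name IOS printed ("Cisco" when it recognised vendor ID 9, "Unknown"
    otherwise). Sub-attributes IOS could not decode are printed as hex dumps on the
    following lines; those bytes are reassembled into their ASCII value here.
    """
    vsas = []
    in_accept = False
    vendor = None
    pending = None  # raw bytes of an "Unsupported" sub-attribute currently being dumped

    def flush():
        nonlocal pending
        if pending is not None:
            vsas.append((vendor, bytes(pending).decode("ascii", "replace")))
            pending = None

    for line in debug_text.splitlines():
        pkt = PKT_RE.search(line)
        if pkt:
            flush()
            in_accept = pkt.group(1) == "Access-Accept"
            continue
        if not in_accept:
            continue
        hexdump = HEXDUMP_RE.search(line) if pending is not None else None
        if hexdump:
            pending.extend(bytes.fromhex(hexdump.group(1).replace(" ", "")))
            continue
        flush()  # any non-hex line ends the dump of the previous sub-attribute
        m = VENDOR_RE.search(line)
        if m:
            vendor = m.group(1)
            continue
        m = AVPAIR_RE.search(line)
        if m:
            vsas.append((vendor, m.group(1)))
            continue
        if UNSUPPORTED_RE.search(line):
            pending = []
    flush()
    return vsas


def assess_voice_domain(vsas):
    """Classify whether the Access-Accept carries a voice-domain VSA the switch can use."""
    for vendor, value in vsas:
        if not value.startswith("device-"):
            continue
        if vendor != "Cisco":
            # IOS did not recognise the vendor ID, so the value is never applied.
            return {"status": "vendor-unknown", "value": value}
        if value != EXPECTED_VOICE_VSA:
            return {"status": "attribute-mismatch", "value": value}
        return {"status": "ok", "value": value}
    return {"status": "missing", "value": None}


if __name__ == "__main__":
    for label, text in (("post", POST_ACCEPT), ("corrected", CORRECTED_ACCEPT)):
        found = parse_access_accept(text)
        print(label, found, assess_voice_domain(found))
```

Run against the post's own output the parser reassembles the dumped bytes into device-type-class=voice under an unrecognised vendor and reports vendor-unknown; against the constructed packet it reports ok. The three statuses other than ok (vendor-unknown, attribute-mismatch, missing) each point at a different thing to check on the RADIUS server side: the vendor ID of the VSA, the exact attribute string, or whether the voice attribute is being returned for the phone's MAC at all.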