cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5828
Views
10
Helpful
7
Replies

802.1x - Computer in phone port not working.

Jimboom
Level 1
Level 1

I am working on a small project to implement 802.1x authentication on the wired network.

 

In the environment there are:

  • IP phone
  • Corporate computer
  • Subcontractor computer

 

The whole network is built with Cisco Catalsyt 9300, 2960X, 2960S, 3850 switches. Each office has an IP phone and a computer that is plugged into the phone.

 

Each port is configured with a Voice VLAN and an Access VLAN Data for corporate computers.

 

The goal is to authenticate phones in MAB or 802.1x and to authenticate corporate computers in 802.1x.

 

If a non-company computer plugs in network port or behind the phone, it is sent into a guest VLAN.

 

A corporate computer will be sent to his dynamic VLAN returned by the radius server.

 

I have configured MAB authentication for phones and other equipment such as printers. I have configured CA and  autoenroll for corporate computers.

 

 

Here's what works:

 

If I plug a phone into a port it is authenticated MAB with radius and takes its voice VLAN

 

If I plug in a corporate computer it is 802.1x authenticated and is sent in the VLAN according to the radius policy.

 

If I plug in an unauthorized device or computer, it is sent in a guest VLAN.

 

 

Here is what it does not work and this is the most important of the whole project:

 

 

I plug a corporate computer into a phone, I automatically get an authentication error and the port is disabled. Same thing with non corporate Computer.

 

In the radius I realize that the corporate computer is authenticated in MAB and not in 802.1x The authentication event fail action next-method command does not seem to work.

 

 

My question: can anyone help me with this or can I shed some light on the subject? Next step is to open a TAC.

 

Thank you

 

 

Here is the configuration of a Catalyst 9300.

 

aaa new-model

aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa accounting dot1x default start-stop group radius

aaa session-id common

 

aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa accounting dot1x default start-stop group radius

radius server NPS SERVER XXXX

 address ipv4 172.20.8.36 auth-port 1645 acct-port 1646

 key 7 xxxxxxxxxxxxxxxxxxxxxxx

 

interface GigabitEthernet1/0/21

 switchport access vlan 172

 switchport mode access

 switchport voice vlan 88

 switchport port-security

 power inline port 2x-mode

 authentication event fail action authorize vlan 172

 authentication event fail action next-method

 authentication host-mode multi-domain

 authentication open

 authentication order mab dot1x

 authentication port-control auto

 mab

 dot1x pae authenticator

 spanning-tree portfast

end

 

*Mar 27 2021 10:33:26.392 EDT: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/21, putting Gi1/0/21 in err-disable state

*Mar 27 2021 10:33:26.394 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address c85b.766a.02f4 on port GigabitEthernet1/0/21.

*Mar 27 2021 10:33:27.392 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/21, changed state to down

*Mar 27 2021 10:33:28.393 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/21, changed state to down

 

Log on radius :

 

Network Policy Server denied access to a user.

 

Contact the Network Policy Server administrator for more information.

 

User:

                Security ID:                                           NULL SID

                Account Name:                                    c85b766a02f4

                Account Domain:                                 jimboom

                Fully Qualified Account Name:          jimboom\c85b766a02f4

 

2 Accepted Solutions

Accepted Solutions

Hi @Jimboom 

Port security and 802.1x configured on an interface at the sametime is not supported. Remove port security from all interfaces configured with 802.1x.

 

interface GigabitEthernet1/0/21
no switchport port-security 

 HTH

View solution in original post

port-security is incompatible with 802.1X so good that you removed that.

Change the host-mode to multi-auth and see if that works.

authentication host-mode multi-auth

Most likely the switch is error-disabling the port because it thinks there are 2 MACs in the data VLAN.

You can check the ISE LiveLogs to see if there is any error but it's switch issue.

View solution in original post

7 Replies 7

Hi @Jimboom 

Port security and 802.1x configured on an interface at the sametime is not supported. Remove port security from all interfaces configured with 802.1x.

 

interface GigabitEthernet1/0/21
no switchport port-security 

 HTH

Thanks @Rob Ingram.

 

It's a step in the right direction. I removed that on the port .

 

 no switchport port-security 

 

Now, when i connect à corporate computer, it's fail on MAB and successuly authenticate on 802.1x. But the port is deactivated anyway.

 

*Mar 27 2021 11:51:51.364 EDT: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/21, putting Gi1/0/21 in err-disable state
*Mar 27 2021 11:51:51.365 EDT: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet1/0/21, new MAC address (c85b.766a.02f4) is seen.AuditSessionID   

Here is the port configuration

 

interface GigabitEthernet1/0/21
 switchport access vlan 172
 switchport mode access
 switchport voice vlan 88
 power inline port 2x-mode
 authentication event fail retry 3 action next-method
 authentication host-mode multi-domain
 authentication open
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
end

Radius log:

First try dinied with MAB

Second try granted in 802.1x

port-security is incompatible with 802.1X so good that you removed that.

Change the host-mode to multi-auth and see if that works.

authentication host-mode multi-auth

Most likely the switch is error-disabling the port because it thinks there are 2 MACs in the data VLAN.

You can check the ISE LiveLogs to see if there is any error but it's switch issue.

It's working! Thanks for your help.

 

Regards,

Good afternoon,

I am having virtually the same issue, however I have tried multi-domain, multi-auth, and multi-host respectively.
In each scenario, the phone will authenticate if it is the only device connected to the port.  Once a pc is connected, the pc will authenticate, but the phone will not.  Have you seen this issue before?  Thank you for your time.

What is your EAP type?  Is EAP pass through enabled on the phone?  What is the phone?  Some phones have issues passing the larger EAP-TLS or TEAP packets through them and require firmware updates.

Thanks for your help.

 

Regards,