03-27-2021 07:53 AM
I am working on a small project to implement 802.1x authentication on the wired network.
In the environment there are:
The whole network is built with Cisco Catalyst 9300, 2960X, 2960S, 3850 switches. Each office has an IP phone and a computer that is plugged into the phone.
Each port is configured with a voice VLAN and a data access VLAN for corporate computers.
The goal is to authenticate phones in MAB or 802.1x and to authenticate corporate computers in 802.1x.
If a non-company computer plugs into a network port or behind the phone, it is sent into a guest VLAN.
A corporate computer will be sent to its dynamic VLAN returned by the RADIUS server.
I have configured MAB authentication for phones and other equipment such as printers. I have configured CA and autoenroll for corporate computers.
Here's what works:
If I plug a phone into a port it is authenticated via MAB with RADIUS and takes its voice VLAN.
If I plug in a corporate computer it is 802.1x authenticated and is sent to the VLAN according to the RADIUS policy.
If I plug in an unauthorized device or computer, it is sent to a guest VLAN.
Here is what does not work, and this is the most important part of the whole project:
I plug a corporate computer into a phone, I automatically get an authentication error and the port is disabled. Same thing with a non-corporate computer.
In the RADIUS I realize that the corporate computer is authenticated in MAB and not in 802.1x. The authentication event fail action next-method command does not seem to work.
My question: can anyone help me with this or shed some light on the subject? Next step is to open a TAC.
Thank you
Here is the configuration of a Catalyst 9300.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa session-id common
radius server NPS SERVER XXXX
address ipv4 172.20.8.36 auth-port 1645 acct-port 1646
key 7 xxxxxxxxxxxxxxxxxxxxxxx
interface GigabitEthernet1/0/21
switchport access vlan 172
switchport mode access
switchport voice vlan 88
switchport port-security
power inline port 2x-mode
authentication event fail action authorize vlan 172
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order mab dot1x
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
end
*Mar 27 2021 10:33:26.392 EDT: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/21, putting Gi1/0/21 in err-disable state
*Mar 27 2021 10:33:26.394 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address c85b.766a.02f4 on port GigabitEthernet1/0/21.
*Mar 27 2021 10:33:27.392 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/21, changed state to down
*Mar 27 2021 10:33:28.393 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/21, changed state to down
Log on radius :
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: c85b766a02f4
Account Domain: jimboom
Fully Qualified Account Name: jimboom\c85b766a02f4
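The two err-disable episodes in this thread leave different syslog fingerprints (%PORT_SECURITY versus %AUTHMGR), and telling them apart is what points at the right fix. The following is an added example, not code from the thread: a small parser that groups the quoted switch log lines per interface, records the offending MAC, and maps each err-disable cause to the feature that raised it. The sample lines are constructed from the output quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: the switch syslog lines quoted in the thread, one event per line.
SAMPLE_LOG = """\
*Mar 27 2021 10:33:26.392 EDT: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/21, putting Gi1/0/21 in err-disable state
*Mar 27 2021 10:33:26.394 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address c85b.766a.02f4 on port GigabitEthernet1/0/21.
*Mar 27 2021 11:51:51.364 EDT: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/21, putting Gi1/0/21 in err-disable state
*Mar 27 2021 11:51:51.365 EDT: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet1/0/21, new MAC address (c85b.766a.02f4) is seen.AuditSessionID
"""

ERRDISABLE = re.compile(r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<intf>\S+),")
PSECURE = re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address (?P<mac>[0-9a-f.]+) on port (?P<intf>\S+)\.")
AUTHMGR = re.compile(r"%AUTHMGR-5-SECURITY_VIOLATION: .*interface (?P<intf>\S+), new MAC address \((?P<mac>[0-9a-f.]+)\)")

# Which feature raised each err-disable cause, and the remedy the thread arrived at.
CAUSE_HINT = {
    "psecure-violation": "port-security fired: remove 'switchport port-security' from 802.1X ports",
    "security-violation": "authentication manager saw an extra data MAC: revisit 'authentication host-mode'",
}

def short_intf(name):
    # Normalise 'GigabitEthernet1/0/21' and 'Gi1/0/21' to one key.
    return re.sub(r"^GigabitEthernet", "Gi", name)

def analyse(log_text):
    """Return {interface: [{'cause', 'hint', 'macs'}, ...]} from Cisco syslog text."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = ERRDISABLE.search(line)
        if m:
            events[short_intf(m["intf"])].append(
                {"cause": m["cause"], "hint": CAUSE_HINT.get(m["cause"], "unknown cause"), "macs": []})
            continue
        m = PSECURE.search(line) or AUTHMGR.search(line)
        if m:
            intf = short_intf(m["intf"])
            if events[intf]:  # attach the offending MAC to the latest err-disable on that port
                events[intf][-1]["macs"].append(m["mac"])
    return dict(events)

if __name__ == "__main__":
    for intf, evs in analyse(SAMPLE_LOG).items():
        for ev in evs:
            print(intf, ev["cause"], ev["macs"], "->", ev["hint"])
```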
03-27-2021 08:12 AM
Hi @Jimboom
Port security and 802.1x configured on an interface at the same time is not supported. Remove port security from all interfaces configured with 802.1x.
interface GigabitEthernet1/0/21
no switchport port-security
HTH
03-27-2021 09:55 AM
Port-security is incompatible with 802.1X, so it's good that you removed that.
Change the host-mode to multi-auth and see if that works.
authentication host-mode multi-auth
Most likely the switch is error-disabling the port because it thinks there are 2 MACs in the data VLAN.
You can check the ISE LiveLogs to see if there is any error, but it's a switch issue.
03-27-2021 09:00 AM
Thanks @Rob Ingram.
It's a step in the right direction. I removed that on the port.
no switchport port-security
Now, when I connect a corporate computer, it fails on MAB and successfully authenticates on 802.1x. But the port is deactivated anyway.
*Mar 27 2021 11:51:51.364 EDT: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/21, putting Gi1/0/21 in err-disable state
*Mar 27 2021 11:51:51.365 EDT: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet1/0/21, new MAC address (c85b.766a.02f4) is seen.AuditSessionID
Here is the port configuration
interface GigabitEthernet1/0/21
switchport access vlan 172
switchport mode access
switchport voice vlan 88
power inline port 2x-mode
authentication event fail retry 3 action next-method
authentication host-mode multi-domain
authentication open
authentication order mab dot1x
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
end
Radius log:
First try denied with MAB
Second try granted in 802.1x
03-27-2021 02:15 PM
It's working! Thanks for your help.
Regards,
03-30-2023 01:01 PM
Good afternoon,
I am having virtually the same issue, however I have tried multi-domain, multi-auth, and multi-host respectively.
In each scenario, the phone will authenticate if it is the only device connected to the port. Once a PC is connected, the PC will authenticate, but the phone will not. Have you seen this issue before? Thank you for your time.
03-30-2023 01:08 PM
What is your EAP type? Is EAP pass through enabled on the phone? What is the phone? Some phones have issues passing the larger EAP-TLS or TEAP packets through them and require firmware updates.
03-27-2021 02:16 PM
Thanks for your help.
Regards,