01-06-2015 11:54 AM - edited 03-10-2019 10:19 PM
Currently I'm implementing 802.1x on a Catalyst 4500 L3 Switch and using ACS Version 5.5.0.46.5
I'm having random problems with using MAB. I say random because whenever I do a show authentication sessions maybe 6 will fail out of 214. The phones that I'm using are Cisco 7965 IP Phones. I've read that those phones are capable of using certificates for 802.1x, but it was decided to use MAB on all the phones, including VIPR phones. The problem that I'm having is that after an hour some phones become unauthorized, which brings down that port. I've noticed that some of these phones are standalone phones without a computer wired to them. The computers are successfully using 802.1x, and the phones that are connected to them are working with MAB.
Here are my commands for an interface that's failing after an hour:
switchport access vlan 100
switchport mode access
switchport voice vlan 101
no logging event link-status
authentication control-direction in
authentication event fail action next-method
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
mab
no snmp trap link-status
dot1x pae authenticator
spanning-tree portfast
spanning-tree bpduguard enable
end
Whenever I do show authentication sessions this is the output:
Interface  MAC Address     Method  Domain  Status  Fg  Session ID
----------------------------------------------------------------------
Gi1/1      1111.1111.1111  mab     VOICE   Auth        0A11111111111111111111
Key to Session Events Blocked Status Flags:
A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker
Runnable methods list:
Handle  Priority  Name
17      5         dot1x
18      10        mab
21      15        webauth
But after an hour or so it becomes unauthorized. Also, should I have "authentication periodic" or "authentication timer reauthenticate 3600" if those particular ports just have a phone that's using MAB?
Thank you in advance
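One way to pin down which sessions are actually dropping is to parse the show authentication sessions output rather than eyeballing 214 rows. The script below is an added example, not code from the original post or from Cisco; the sample output, interface names, MAC addresses and session IDs are constructed placeholders modelled on the table format shown above, and the status keywords it recognises are assumed to be Auth, Unauth, Running and the older Authz Success/Authz Failed. It lists every non-Auth session and separately reports ports whose only session is a MAB VOICE entry (a standalone phone with no data client), which is the population the poster says is failing.

```python
import re
from collections import Counter

# Constructed sample output modelled on `show authentication sessions` on an IOS
# Catalyst switch. Interfaces, MACs and session IDs are placeholders, not real data.
SAMPLE_OUTPUT = """\
Interface  MAC Address     Method  Domain  Status  Fg  Session ID
----------------------------------------------------------------------
Gi1/1      1111.1111.1111  mab     VOICE   Auth        0A11111111111111111111
Gi1/2      2222.2222.2222  dot1x   DATA    Auth        0A11111111111111111112
Gi1/2      3333.3333.3333  mab     VOICE   Auth        0A11111111111111111113
Gi1/3      4444.4444.4444  mab     VOICE   Unauth      0A11111111111111111114
Gi1/4      5555.5555.5555  mab     VOICE   Unauth  A   0A11111111111111111115
Gi1/5      6666.6666.6666  dot1x   DATA    Running     0A11111111111111111116

Key to Session Events Blocked Status Flags:
A - Applying Policy (multi-line status for details)
"""

# One session row: interface, dotted MAC, method, domain, status, optional
# single-letter flag, hex session ID. Assumed status keywords listed below.
SESSION_RE = re.compile(
    r"^(?P<iface>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<method>\S+)\s+"
    r"(?P<domain>\S+)\s+"
    r"(?P<status>Authz (?:Success|Failed)|Auth|Unauth|Running)\s+"
    r"(?:(?P<flag>[A-Z])\s+)?"
    r"(?P<session_id>[0-9A-Fa-f]+)\s*$"
)


def parse_sessions(text):
    """Return a list of session dicts parsed from show authentication sessions output.
    Header, separator, legend and blank lines do not match the regex and are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append(m.groupdict())
    return sessions


def standalone_phone_ports(sessions):
    """Interfaces whose only sessions are MAB sessions in the VOICE domain,
    i.e. a phone with no data client behind it."""
    by_iface = {}
    for s in sessions:
        by_iface.setdefault(s["iface"], []).append(s)
    return {
        iface
        for iface, rows in by_iface.items()
        if all(r["method"] == "mab" and r["domain"] == "VOICE" for r in rows)
    }


def report(text):
    """Summarise which sessions are not authorized and which standalone-phone
    ports are among them. Returns a dict so the caller can print or alert on it."""
    sessions = parse_sessions(text)
    failing = [s for s in sessions if s["status"] != "Auth"]
    phone_only = standalone_phone_ports(sessions)
    return {
        "total": len(sessions),
        "failing": [(s["iface"], s["mac"], s["status"]) for s in failing],
        "by_method_domain_status": Counter(
            (s["method"], s["domain"], s["status"]) for s in sessions
        ),
        "standalone_phone_ports": phone_only,
        "standalone_phone_failing": {s["iface"] for s in failing if s["iface"] in phone_only},
    }


if __name__ == "__main__":
    r = report(SAMPLE_OUTPUT)
    print(f"{len(r['failing'])} of {r['total']} sessions not authorized")
    for iface, mac, status in r["failing"]:
        print(f"  {iface:8} {mac}  {status}")
    print("standalone phone ports:", sorted(r["standalone_phone_ports"]))
    print("standalone phones failing:", sorted(r["standalone_phone_failing"]))
```

Feed it the saved output of the command (for example, `report(open("sessions.txt").read())`) each time the problem recurs; if the failing set is always a subset of the standalone-phone ports, that points at the reauthentication path for MAB-only ports rather than at the phones themselves.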
01-06-2015 07:11 PM
I have had this issue happen to me before, but it was with deploying ISE and not ACS. To fix the issue, I had to return the following RADIUS attribute in my "Authorization Profile":
AVPair attribute termination-action-modifier=1
This attribute basically instructs the NAD to retry only the last authentication method, which in your case is MAB. Otherwise, based on your config, the switch would first try dot1x and then MAB.
Again, I have not done this in ACS but in ISE instead; however, they are both RADIUS servers and both Cisco products, so my feeling is that this would fix your problem.
For more info check out this doc:
Thank you for rating helpful posts!
01-07-2015 04:46 AM
Thank you for the advice. I will look into this.
01-07-2015 09:54 AM
Sounds good. Let me know what the results are!