Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
791
Views
5
Helpful
3
Replies

802.1x issue

lamarnale
Level 1
Level 1

‎01-06-2015 11:54 AM - edited ‎03-10-2019 10:19 PM

Currently I'm implementing 802.1x on a Catalyst 4500 L3 Switch and using ACS Version 5.5.0.46.5

I'm having random problems with using MAB. I say random because when ever I do a show authentication sessions maybe 6 will fail out of 214. The phones that I'm using are Cisco 7965 IP Phones. I've read that those phones are capable of using certificates for 802.1x but it was decided to use MAB on all the phones including VIPR phones. The problem that I'm having is that after an hour some phones become un authorized which bring down that port. I've noticed that some of these phones are stand alone phones with out a computer wired to them. The computers are successfully using 802.1x and the phones that are connected to them are working with MAB.

Here are my commands for an interface that's failing after an hour

 switchport access vlan 100
 switchport mode access
 switchport voice vlan 101
 no logging event link-status
 authentication control-direction in
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto

 authentication periodic
 mab
 no snmp trap link-status
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable
end

 

When ever I do show authentication sessions this is the out put.

 

Interface    MAC Address    Method  Domain  Status Fg Session ID
----------------------------------------------------------------------
Gi1/1      1111.1111.1111 mab     VOICE   Auth      0A11111111111111111111


Key to Session Events Blocked Status Flags:

  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker

Runnable methods list:
  Handle  Priority  Name
    17       5      dot1x
    18       10     mab
    21       15     webauth

 

 

But after an hour or so it becomes unauthorized. Also should I have "authentication periodic , or authentication timer reauthenticate 3600"

if those particular ports just have a phone that's using mab?

 

Thank You in advance

 

 

Labels:
0 Helpful
3 Replies 3

nspasov
Cisco Employee
Cisco Employee

‎01-06-2015 07:11 PM

I have had this issue happen to me before but it was with deploying ISE and not ACS. To fix the issue, I had to return the following Radius attribute in my "Authorization Profile"

AVPair attribute termination-action-modifier=1

This attribute basically instructs the NAD to re-retry only the last authentication method which in your case is MAB. Otherwise, based on your config, the switch would first try dot1x and then mab

Again, I have not done this in ACS but ISE instead, however, they are both Radius servers and both Cisco products so my feeling is that this would fix your problem. 

For more info check out this doc:

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html#wp9000052

 

Thank you for rating helpful posts!

lamarnale
Level 1
Level 1
In response to nspasov

‎01-07-2015 04:46 AM

Thank you for the advice. I will look into this.

0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to lamarnale

‎01-07-2015 09:54 AM

Sounds good. Let me know what the results are!

0 Helpful
Customers Also Viewed These Support Documents