Solved: 802.1x multi-domain 3560catalyst nortel ip phone ntdu92

Ivan Levadnyi · ‎07-29-2013

Hello everyone!

I have 3560 catalyst ios 12.2(55)SE5

I need to authorize PC and IP phone on this port. 212 data vlan 500 voice vlan, vlan 111 - Unauthorized VLAN with 256 kbit/sec INTERNET without any local resourses. IP phone authorizes by mab.

#sh mac address-table interface fastEthernet 0/2

212 001a.4b7b.0394 STATIC Fa0/2
500 001b.bafb.7c1c STATIC Drop

#sh running-config interface fastEthernet 0/2

interface FastEthernet0/2

switchport access vlan 212
switchport mode access
switchport voice vlan 500

authentication event fail action authorize vlan 111
authentication event no-response action authorize vlan 111
authentication host-mode multi-domain
authentication port-control auto
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout server-timeout 5
dot1x timeout tx-period 10
dot1x timeout supp-timeout 3
dot1x max-reauth-req 3
storm-control broadcast level 7.00 3.00
storm-control multicast level 15.00 10.00
storm-control action shutdown
no cdp enable
spanning-tree portfast
spanning-tree guard root
end

#sh logging

Jul 29 11:11:03: %DOT1X-5-FAIL: Authentication failed for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID
Jul 29 11:11:03: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:03: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:03: %AUTHMGR-5-START: Starting 'mab' for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:03: %MAB-5-SUCCESS: Authentication successful for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:03: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:03: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/2, new MAC address (001b.bafb.7c1c) is seen.AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:03: %AUTHMGR-5-MACREPLACE: MAC address (001a.4b7b.0394) on Interface FastEthernet0/2 is replaced by MAC (001b.bafb.7c1c) AuditSessionID 0A32FF150000005F25C42541
Jul 29 11:11:04: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:06: %AUTHMGR-5-START: Starting 'dot1x' for client (001a.4b7b.0394) on Interface Fa0/2 AuditSessionID 0A32FF150000006125C52D87
Jul 29 11:11:06: %DOT1X-5-SUCCESS: Authentication successful for client (001a.4b7b.0394) on Interface Fa0/2 AuditSessionID
Jul 29 11:11:06: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (001a.4b7b.0394) on Interface Fa0/2 AuditSessionID 0A32FF150000006125C52D87
Jul 29 11:11:06: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/2, new MAC address (001a.4b7b.0394) is seen.AuditSessionID 0A32FF150000006125C52D87
Jul 29 11:11:06: %AUTHMGR-5-MACREPLACE: MAC address (001b.bafb.7c1c) on Interface FastEthernet0/2 is replaced by MAC (001a.4b7b.0394) AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:07: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001a.4b7b.0394) on Interface Fa0/2 AuditSessionID 0A32FF150000006125C52D87

What is necessary for collaboration PC+IP phone at the same time.

Thanks for your help.

Nicholas Poole · ‎07-29-2013

Multi domain means that one device is in the DATA domain and the other, the IP Phone is in the VOICE domain. Is your ISE box sending the correct authorization to the IP Phone to be in the VOICE domain?

Without this working you will just have 2 devices contending within the same data domain whcih isnt what you want.

View solution in original post

Nicholas Poole · ‎07-29-2013

Multi domain means that one device is in the DATA domain and the other, the IP Phone is in the VOICE domain. Is your ISE box sending the correct authorization to the IP Phone to be in the VOICE domain?

Without this working you will just have 2 devices contending within the same data domain whcih isnt what you want.

Ivan Levadnyi · ‎08-07-2013

Good afternoon. Thanks for Your advice. The problem was the following: forgot to add the command

aaa authorization network default group radius

Now everything is working.

Fa0/2 001b.bafb.7c1c mab VOICE Authz Success 0A32FF15000000B6500A0895

Fa0/2 001a.4b7b.0394 dot1x DATA Authz Success 0A32FF15000000C353ADA437

Thanks to all.

Chris Fink · ‎03-03-2014

I would like to verify that in my case, I did not authorize the phone for the voice domain in an authorization rule as the root of this same problem I was facing.

To fix this, I created an authorization result that simply had the "voice domain permission" checked and used that in an authorization rule to authorize profiled IP-Phones. I did not use dynamic vlan assignment since we are in the very early stages and have the voice vlan already on the switchports.