802.1x phone with two MAC address

ngtransge
Level 1

Hello,

I have the following scenario: computers are connected behind phones, and the phones are authenticating with MAB. The problem is with the phones, because they have two MAC addresses, one in the voice VLAN and another in the data VLAN. Both phone and computer are authenticated successfully, but when the switch sees the additional MAC address of the phone in the data VLAN it shuts down the port. Here is a sample configuration:

interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 15
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
 authentication violation shutdown
 mab
 spanning-tree portfast

10 Replies

Tarik Admani
VIP Alumni

Are you using 3rd party phones (not Cisco)? Please use multi-auth. The reason is that the phone doesn't tag its traffic until it receives the DHCP options from the data DHCP scope, then turns around and tags its traffic on the voice VLAN.

However, the port will always error-disable if the phone tags its traffic on the voice VLAN and then turns around and hits the data VLAN.

Sent from Cisco Technical Support iPad App

Hello Tarik,

It is a Cisco IP phone. Is there any way to do it with a Cisco phone?

Can you verify whether the phone's MAC address is being learned on both the data VLAN and the voice VLAN? Cisco phones use CDP to discover whether a voice VLAN is configured on the switchport before forwarding traffic.

Please issue a "show mac address-table interface x/y" after bouncing the port to see what is causing the port to error-disable.

Also, what version of code is running on the switch and phone?

Thanks

Hello Tarik,

I can confirm that the switch learns the same phone MAC address twice, once in the voice VLAN and once in the data VLAN. When the switch generates the error-disable syslog message, it includes the phone's MAC address.

I think it shuts down the port because two MAC addresses are in the data VLAN, one for the PC and another for the phone.
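An added example (editor's note, not part of the thread) in Python: a small check that applies Tarik's "show mac address-table interface" suggestion and flags the conditions that violate multi-domain host mode on a port configured like the one above. The command output it parses is a constructed sample with made-up MAC addresses.

```python
import re
from collections import defaultdict

# Constructed sample "show mac address-table interface Fa0/1" output (MACs made up),
# reproducing the thread's symptom: the PC in data VLAN 10 and the phone's MAC
# learned in both data VLAN 10 and voice VLAN 15 on a multi-domain port.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/1
  10    001e.4a11.2233    DYNAMIC     Fa0/1
  15    001e.4a11.2233    DYNAMIC     Fa0/1
Total Mac Addresses for this criterion: 3
"""

# One data row: VLAN, dotted-hex MAC, type, port (header and total lines do not match).
MAC_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+\S+\s*$", re.I)

def parse_mac_table(text):
    """Return {vlan: set(mac)} parsed from show mac address-table output."""
    table = defaultdict(set)
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            table[int(m.group(1))].add(m.group(2).lower())
    return dict(table)

def check_multi_domain(table, access_vlan, voice_vlan):
    """List conditions that violate 'authentication host-mode multi-domain'.

    One MAC in the data VLAN and one in the voice VLAN are allowed; a MAC learned in
    both, or a second MAC in either, is a security violation that err-disables the port.
    """
    data = table.get(access_vlan, set())
    voice = table.get(voice_vlan, set())
    findings = [f"{mac} learned in both data VLAN {access_vlan} and voice VLAN {voice_vlan}"
                for mac in sorted(data & voice)]
    for name, vlan, macs in (("data", access_vlan, data), ("voice", voice_vlan, voice)):
        if len(macs) > 1:
            findings.append(f"{len(macs)} MACs in {name} VLAN {vlan} (multi-domain allows 1): "
                            + ", ".join(sorted(macs)))
    return findings

if __name__ == "__main__":
    for finding in check_multi_domain(parse_mac_table(SAMPLE_MAC_TABLE), 10, 15):
        print(finding)
```

Run against the real command output of the affected port: an empty result means the table cannot explain the violation and the RADIUS attributes (Tarik's next question) are the place to look.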

What are you using for your RADIUS server? Can you verify that the RADIUS server is not assigning the phone's MAC address to the data VLAN, either by dynamic VLAN assignment or by not sending back "device-traffic-class=voice"? This is needed so that the phone isn't authorized on the access VLAN.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hello Tarik,

I am using ACS 5.3 and sending "device-traffic-class=voice" back. I can confirm that after phone authentication it is sitting in the voice VLAN, until the switch shuts down the port.

Thanks for the feedback, can you confirm that CDP is running on the Cisco phone or not? You might have to refer to the phone documentation for this. Also what model phone is this?

Thanks,

Tarik Admani
*Please rate helpful posts*

Hello Tarik,

CDP is running on both switch and phone. The phones are mainly 7945G, 7911G and 6911.

The switch is a 2960.

Hi,

What version of switch code are you running, and if you issue a "show cdp neighbors fa 0/1 deta", what version of code is the phone running? Just to confirm, you are authenticating the phone via MAB, correct?

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi,

I found a bug that matches what I think is the culprit:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsd83498&Submit=Search

Thanks,

Tarik Admani
*Please rate helpful posts*