802.1X trying to authenticate phone, not client

MH311x (Level 1)

Hi there,

I am facing some problems when implementing 802.1X in my environment (Catalyst 2960X).

802.1X is working fine so far and the config should be right. But sometimes the switch is trying to authenticate the Cisco phone and not the Windows client. I then get the following message:

Sep 28 08:32:13.775 MESZ: %DOT1X-5-FAIL: Authentication failed for client (xxxx.xxxx.xxxx) on Interface Gi1/0/16 AuditSessionID XYZ.

But the xxxx.xxxx.xxxx MAC address is the MAC of the phone ... this causes the client to get unauthenticated.

What causes the switch to authenticate the phone and not the client?

Port Config:

switchport access vlan 11
switchport mode access
switchport voice vlan 152
authentication port-control auto
dot1x pae authenticator
storm-control broadcast level pps 100
storm-control multicast level bps 500k
storm-control action shutdown
spanning-tree portfast edge
spanning-tree bpduguard enable


AAA config:

aaa new-model
aaa authentication login default local
aaa authentication login CON local-case
aaa authentication login VTY group radius local
aaa authentication dot1x default group radius
aaa authorization exec VTY group radius if-authenticated
aaa authorization exec CON local
aaa authorization commands 15 VTY if-authenticated
aaa authorization commands 15 CON local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa session-id common

Thanks in advance!


@MH311x

Is that the full interface configuration? Potentially the host mode could be single-host mode (it's not defined and I don't know what the default is on your switch model/version), so only the phone would authenticate, not the PC.

Try configuring multi-domain "authentication host-mode multi-domain" under the interface, this will authenticate one device in the voice domain and one device in the data domain.

You are obviously also failing to authenticate the phone, so check the ISE logs to determine why that is failing.

Refer to the ISE Wired Guide for more information.

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515


MH311x (Level 1)

@Rob Ingram

Yes, this is the full interface configuration.

In the first step we just want to authenticate the PC and not the phones ... so the phones should not take part in the authentication process. We have a RADIUS server (no ISE) running which is authenticating the clients ... in 95% of cases this works well. But sometimes the authentication is initialized by the phone's MAC address. Is there a way to "ignore" the phone in the authentication process?

I think the single-host mode would be right, but the "single host" should then be the PC and not the phone. Is there a way to force this?

@MH311x

No, unfortunately that's not possible. According to this post, there used to be a feature to bypass phone authentication, but this was deprecated years ago.

https://community.cisco.com/t5/network-access-control/802-1x-single-host-mode/td-p/2734265

You'll need to use multi-domain and authenticate both the PC and phone.


@Rob Ingram

Okay, thanks for the information.

Since we have no ISE, is there a way to configure the host mode to multi-domain but authenticate the phone via MAB and the PC via EAP/802.1X?

@MH311x

If using MAB the endpoint will send its MAC address as the username and password, so whatever RADIUS server/backend authentication identity store you are using will need a username/password defined for each phone.

@Rob Ingram

Yes, that's no problem. The MAC addresses of the phones are all stored in our NAC (which is also the RADIUS server), so this should be fine.

I am just wondering about the port configuration to achieve this, because I have to use two different authentication types on one port.

@MH311x 

You configure "authentication host-mode multi-domain" under the interface.

interface gigabitethernet 1/0/1
authentication host-mode multi-domain

You should also add the line "mab" to the port config.
When using mab, the switch captures it and sends it to the radius server, the device isn't aware of any auth taking place.

Configure auth host-mode multi-domain also.

MH311x (Level 1)

@Rob Ingram

That doesn't solve the problem, because I want to authenticate the phone via MAB and the PC via 802.1X.

When configuring authentication host-mode multi-domain, the phone is also authenticated via 802.1X.

I tried to configure the following now:

authentication event fail action next-method
authentication priority dot1x mab
authentication host-mode multi-domain
authentication port-control auto
mab
dot1x pae authenticator
dot1x max-reauth-req 3

... but the phone does not fall back to MAB (or the port goes into err-disabled state before it would fall back to MAB).

you also need to configure

authentication order dot1x mab


I would suggest reviewing your design and configuration against the IP Telephony for 802.1X Design Guide. This is an old document, but nothing much has changed around how the phones and PC get authenticated separately and the important mechanisms to understand and configure. These concepts would apply when using any RADIUS server.

Some key points based on what has been discussed in this thread:

  1. If you're using MDA, you need to ensure that the phone is being authorised correctly using the 'device-traffic-class=voice' VSA. If you're not using ISE (with Profiling), you would likely have to apply this result by matching on some sort of static MAC address table with all of your phones in it. If you are not sending this VSA, the phones would be put into the DATA domain and the port would go into err-disable as MDA does not allow more than one session in the DATA domain.
  2. If the phone is authenticated via MAB but periodically tries to authenticate via dot1x, there are a few possible reasons.
    • The phone itself is configured for 802.1x. If this is the case, it will periodically retry via 802.1x so this setting should be disabled on the phone.
    • The FlexAuth configuration on the switchport is causing it to try dot1x after a periodic reauth.
    • A disconnect/reconnect or session timeout is happening, forcing the switchport to restart the auth process. Since 'priority dot1x mab' will assume 'order dot1x mab', the session has to wait for dot1x to timeout first before trying MAB.

For the latter two possibilities, see TrustSec 1.99 Deployment Note: FlexAuth Order, Priority, and Failed Authentication.
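As an added example (not a post from this thread), here is a port configuration that pulls together the commands suggested above, assuming the original poster's VLANs and the legacy "authentication ..." FlexAuth syntax on the 2960-X; the RADIUS server must additionally return the Cisco-AVPair "device-traffic-class=voice" for the phone's MAB authentication, otherwise the phone lands in the DATA domain and the port err-disables as described in point 1.

```text
! Added example: MDA port where the PC authenticates via 802.1X and the
! phone falls back to MAB. Interface number and VLANs are the poster's.
interface GigabitEthernet1/0/16
 switchport mode access
 switchport access vlan 11
 switchport voice vlan 152
 ! One session allowed in the VOICE domain (phone) and one in the DATA domain (PC).
 authentication host-mode multi-domain
 ! Try 802.1X first; when the supplicant does not respond the session times out
 ! (dot1x max-reauth-req retries) and the switch moves on to MAB.
 authentication order dot1x mab
 ! 802.1X outranks MAB: a device that later starts EAPOL can displace its MAB session.
 ! This is why a phone with 802.1X enabled keeps re-triggering dot1x (point 2 above).
 authentication priority dot1x mab
 ! A rejected 802.1X attempt moves to the next method instead of failing the port.
 authentication event fail action next-method
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x max-reauth-req 3
 spanning-tree portfast edge
 spanning-tree bpduguard enable
```

Verify with "show authentication sessions interface Gi1/0/16 details": the phone should appear with method mab in the VOICE domain and the PC with method dot1x in the DATA domain.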