802.1x with NPS and PC connected by phone

I have a 9200L switch with software version 16.9.5 and want to run 802.1x on a port where a phone and a PC are connected.

The phone and PC authorize successfully on separate ports, but when they are connected together, the switch authorizes only the phone. Wireshark shows requests being sent from the PC, but they do not appear on the NPS server.
The switch only authorizes the PC by the MAB method, not EAP-TLS.

Do you have any suggestions about it? Why can't the PC be properly authenticated, or why does the switch try to authenticate the PC by the MAB method?

The phone is a third-party IP Phone Panasonic KX-NT551


Below is an example of the port configuration:

interface GigabitEthernet1/0/15
 switchport access vlan 50
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 47
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 180
 authentication timer restart 30
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout server-timeout 2
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 5
 dot1x max-req 10
 dot1x max-reauth-req 10
 dot1x timeout start-period 1
 dot1x timeout auth-period 1
 auto qos trust 
 spanning-tree portfast
end

AAA configuration section:

aaa group server radius nps-radius
 server-private 10.0.20.31 auth-port 1812 acct-port 1813

aaa authentication login console local-case none
aaa authentication login terminal local-case none
aaa authentication enable default enable
aaa authentication dot1x default group nps-radius
aaa authorization exec default local 
aaa authorization network default group nps-radius 
aaa authorization auth-proxy default group nps-radius 
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group nps-radius
aaa accounting dot1x default start-stop group nps-radius
aaa accounting system default start-stop group nps-radius
aaa session-id common

SW-1-9200L#sh auth sess
Interface                MAC Address    Method  Domain  Status Fg  Session ID
--------------------------------------------------------------------------------------------
Gi1/0/15                 4c36.4e1a.1c6c mab     VOICE   Auth        1466000A00000542316486DE
Gi1/0/15                 60eb.69d9.38fa N/A     UNKNOWN Unauth      1466000A0000054131647D4A

Session count = 2

Re: 802.1x with NPS and PC connected by phone

When you separate the two (phone & PC) to individual ports, does the PC auth via mab only? I am asking because you mentioned this: "Switch only authorize PC by MAB method not EAP-TLS." Is it possible that your supplicant on the PC is not set up to support eap-tls, so dot1x fails over to mab? Or maybe something is off on the ISE side to support eap-tls. I suggest checking both. As for authenticating both on the same interface, you have the right host-mode multi-domain config to support this. Try running some debugs to see if that helps you identify the root cause:
debug dot1x all
debug authentication all
debug radius
debug aaa authentication
debug aaa authorization
Good luck & HTH!

Re: 802.1x with NPS and PC connected by phone

Hi,

Could you please provide the following command output?
show authentication session int gi1/0/15 details

And also, can you perform a packet capture on this port and between the switch and NPS at the same time?

Re: 802.1x with NPS and PC connected by phone

About the packet capture, I will return with this.

SW-1-9200L#show authentication session int gi1/0/15 details
            Interface:  GigabitEthernet1/0/15
               IIF-ID:  0x132F75AF
          MAC Address:  4c36.4e1a.1c6c
         IPv6 Address:  Unknown
         IPv4 Address:  Unknown
            User-Name:  4c364e1a1c6c
          Device-type:  Un-Classified Device
               Status:  Authorized
               Domain:  VOICE
       Oper host mode:  multi-domain
     Oper control dir:  both
      Session timeout:  180s (local), Remaining: 71s
       Timeout action:  Reauthenticate
    Common Session ID:  1466000A000006053200C342
      Acct Session ID:  0x00000120
               Handle:  0xba000064
       Current Policy:  POLICY_Gi1/0/15


Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure

Server Policies:


Method status list:
       Method           State
          mab           Authc Success

----------------------------------------

            Interface:  GigabitEthernet1/0/15
               IIF-ID:  0x167F1C38
          MAC Address:  60eb.69d9.38fa
         IPv6 Address:  Unknown
         IPv4 Address:  Unknown
            User-Name:  60eb69d938fa
          Device-type:  Un-Classified Device
               Status:  Unauthorized
               Domain:  UNKNOWN
       Oper host mode:  multi-domain
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  1466000A0000061B32103512
      Acct Session ID:  Unknown
               Handle:  0x29000066
       Current Policy:  POLICY_Gi1/0/15


Server Policies:
          
Method status list:
       Method           State
        dot1x           Running
          mab           Stopped

SW-1-9200L# 

Re: 802.1x with NPS and PC connected by phone

Some debug logs:

MAC 60eb.69d9.38fa is the PC.

2020/05/20 21:03:58.126 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] EAPOL packet sent to client 0xFDC00001B
2020/05/20 21:03:58.126 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [0000.0000.0000:unknown] Pkt body: 01 02 00 05 01 
2020/05/20 21:03:58.126 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (info): [60eb.69d9.38fa:Gi1/0/15] EAP Packet - REQUEST, ID : 0x2 
2020/05/20 21:03:58.126 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (info): [60eb.69d9.38fa:Gi1/0/15] Sent EAPOL packet - Version : 3,EAPOL Type : EAP, Payload Length : 5, EAP-Type = Identity
2020/05/20 21:03:58.126 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [0000.0000.0000:Gi1/0/15] Sending out EAPOL packet
2020/05/20 21:03:58.126 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [0000.0000.0000:Gi1/0/15] Setting EAPOL eth-type to 0x888e, destination mac to 60eb.69d9.38fa
2020/05/20 21:03:58.126 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] 0xFDC00001B:entering request state
2020/05/20 21:03:58.126 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] 0xFDC00001B:request request action
2020/05/20 21:03:58.126 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] Posting EAP_REQ for 0xFDC00001B
2020/05/20 21:03:53.125 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] EAPOL packet sent to client 0xFDC00001B
2020/05/20 21:03:53.125 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [0000.0000.0000:unknown] Pkt body: 01 02 00 05 01 
2020/05/20 21:03:53.125 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (info): [60eb.69d9.38fa:Gi1/0/15] EAP Packet - REQUEST, ID : 0x2 
2020/05/20 21:03:53.125 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (info): [60eb.69d9.38fa:Gi1/0/15] Sent EAPOL packet - Version : 3,EAPOL Type : EAP, Payload Length : 5, EAP-Type = Identity
2020/05/20 21:03:53.125 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [0000.0000.0000:Gi1/0/15] Sending out EAPOL packet
2020/05/20 21:03:53.125 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [0000.0000.0000:Gi1/0/15] Setting EAPOL eth-type to 0x888e, destination mac to 60eb.69d9.38fa
2020/05/20 21:03:53.125 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] 0xFDC00001B:entering request state
2020/05/20 21:03:53.125 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] 0xFDC00001B:request request action
2020/05/20 21:03:53.125 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] Posting EAP_REQ for 0xFDC00001B
2020/05/20 21:03:48.125 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] EAPOL packet sent to client 0xFDC00001B
2020/05/20 21:03:48.125 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [0000.0000.0000:unknown] Pkt body: 01 02 00 05 01 
2020/05/20 21:03:48.125 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (info): [60eb.69d9.38fa:Gi1/0/15] EAP Packet - REQUEST, ID : 0x2 
2020/05/20 21:03:48.125 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (info): [60eb.69d9.38fa:Gi1/0/15] Sent EAPOL packet - Version : 3,EAPOL Type : EAP, Payload Length : 5, EAP-Type = Identity
2020/05/20 21:03:48.125 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [0000.0000.0000:Gi1/0/15] Sending out EAPOL packet
2020/05/20 21:03:48.125 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [0000.0000.0000:Gi1/0/15] Setting EAPOL eth-type to 0x888e, destination mac to 60eb.69d9.38fa
2020/05/20 21:03:48.125 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] 0xFDC00001B:entering request state
2020/05/20 21:03:48.125 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] 0xFDC00001B:request request action
2020/05/20 21:03:48.125 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] Posting EAP_REQ for 0xFDC00001B
2020/05/20 21:03:43.121 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] EAPOL packet sent to client 0xFDC00001B
2020/05/20 21:03:43.121 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [0000.0000.0000:unknown] Pkt body: 01 02 00 05 01 
2020/05/20 21:03:43.121 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (info): [60eb.69d9.38fa:Gi1/0/15] EAP Packet - REQUEST, ID : 0x2 
2020/05/20 21:03:43.121 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (info): [60eb.69d9.38fa:Gi1/0/15] Sent EAPOL packet - Version : 3,EAPOL Type : EAP, Payload Length : 5, EAP-Type = Identity
2020/05/20 21:03:43.121 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [0000.0000.0000:Gi1/0/15] Sending out EAPOL packet
2020/05/20 21:03:43.121 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [0000.0000.0000:Gi1/0/15] Setting EAPOL eth-type to 0x888e, destination mac to 60eb.69d9.38fa
2020/05/20 21:03:43.121 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] 0xFDC00001B:entering request state
2020/05/20 21:03:43.121 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] 0xFDC00001B:request request action
2020/05/20 21:03:43.121 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] Posting EAP_REQ for 0xFDC00001B
2020/05/20 21:03:38.119 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] EAPOL packet sent to client 0xFDC00001B
2020/05/20 21:03:38.119 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [0000.0000.0000:unknown] Pkt body: 01 02 00 05 01 
2020/05/20 21:03:38.119 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (info): [60eb.69d9.38fa:Gi1/0/15] EAP Packet - REQUEST, ID : 0x2 
2020/05/20 21:03:38.119 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (info): [60eb.69d9.38fa:Gi1/0/15] Sent EAPOL packet - Version : 3,EAPOL Type : EAP, Payload Length : 5, EAP-Type = Identity
2020/05/20 21:03:38.119 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [0000.0000.0000:Gi1/0/15] Sending out EAPOL packet
2020/05/20 21:03:38.118 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [0000.0000.0000:Gi1/0/15] Setting EAPOL eth-type to 0x888e, destination mac to 60eb.69d9.38fa
2020/05/20 21:03:38.118 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] 0xFDC00001B:entering request state
2020/05/20 21:03:38.118 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] 0xFDC00001B:request request action
2020/05/20 21:03:38.118 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] Posting EAP_REQ for 0xFDC00001B
2020/05/20 21:03:33.118 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] 0xFDC00001B:idle request action
2020/05/20 21:03:33.118 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] EAPOL packet sent to client 0xFDC00001B
2020/05/20 21:03:33.118 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [0000.0000.0000:unknown] Pkt body: 01 02 00 05 01 
2020/05/20 21:03:33.118 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (info): [60eb.69d9.38fa:Gi1/0/15] EAP Packet - REQUEST, ID : 0x2 
2020/05/20 21:03:33.118 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (info): [60eb.69d9.38fa:Gi1/0/15] Sent EAPOL packet - Version : 3,EAPOL Type : EAP, Payload Length : 5, EAP-Type = Identity
2020/05/20 21:03:33.118 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [0000.0000.0000:Gi1/0/15] Sending out EAPOL packet
2020/05/20 21:03:33.118 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [0000.0000.0000:Gi1/0/15] Setting EAPOL eth-type to 0x888e, destination mac to 60eb.69d9.38fa
2020/05/20 21:03:33.118 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] 0xFDC00001B:entering request state
2020/05/20 21:03:33.118 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] Posting AUTH_START for 0xFDC00001B
2020/05/20 21:03:33.118 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] 0xFDC00001B:connecting authenticating action
2020/05/20 21:03:33.118 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] 0xFDC00001B: authenticating state entered
2020/05/20 21:03:33.118 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] Posting RX_REQ on Client 0xFDC00001B
2020/05/20 21:03:33.118 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] 0xFDC00001B: restart connecting
2020/05/20 21:03:33.118 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] 0xFDC00001B:enter connecting state
2020/05/20 21:03:33.118 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] Posting !EAP_RESTART on Client 0xFDC00001B
2020/05/20 21:03:33.118 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (info): [60eb.69d9.38fa:Gi1/0/15] Dot1x authentication started for 0xFDC00001B (60eb.69d9.38fa)
2020/05/20 21:03:33.118 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] Created a client entry (0xFDC00001B)
2020/05/20 21:03:33.118 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] 0xFDC00001B:entering idle state
2020/05/20 21:03:33.118 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] 0xFDC00001B: entering init state
2020/05/20 21:03:33.118 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] Sending create new context event to EAP for 0xFDC00001B (60eb.69d9.38fa)
2020/05/20 21:03:33.118 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] 0xFDC00001B: entering restart
2020/05/20 21:03:33.118 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] 0xFDC00001B: disconnected
2020/05/20 21:03:33.118 {smd_R0-0}{1}: [dot1x] [20491]: UUID: 0, ra: 0, TID: 0 (debug): [60eb.69d9.38fa:Gi1/0/15] 0xFDC00001B: initialising
2020/05/20 21:03:33.118 {smd_R0-0}{1}: [dot1x-redun] [20491]: UUID: 0, ra: 0, TID: 0 (debug): Record not found
2020/05/20 21:03:33.118 {smd_R0-0}{1}: [smd] [20491]: UUID: 0, ra: 0, TID: 0 (debug):
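The debug excerpt above shows the switch sending the same EAP-Request/Identity (ID 0x2, Pkt body 01 02 00 05 01) to 60eb.69d9.38fa every five seconds (matching dot1x timeout tx-period 5) with no response logged from the PC. The following Python is an added example, not code from the thread or from Cisco: it decodes the EAP header the switch logs as "Pkt body" and counts requests sent versus responses received per client so that such a silent-supplicant pattern can be spotted in a longer debug. The sample log lines are constructed in the shape of the ones above, and the RESPONSE line format is assumed to mirror the REQUEST lines.

```python
import re
from collections import defaultdict

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP"}

# Constructed sample in the shape of the dot1x debug lines quoted in the thread:
# one client on Gi1/0/15, Identity request retransmitted at the tx-period interval.
SAMPLE_LOG = """\
2020/05/20 21:03:33.118 [dot1x] (info): [60eb.69d9.38fa:Gi1/0/15] Dot1x authentication started for 0xFDC00001B
2020/05/20 21:03:33.118 [dot1x] (debug): [0000.0000.0000:unknown] Pkt body: 01 02 00 05 01
2020/05/20 21:03:33.118 [dot1x] (info): [60eb.69d9.38fa:Gi1/0/15] EAP Packet - REQUEST, ID : 0x2
2020/05/20 21:03:38.119 [dot1x] (debug): [0000.0000.0000:unknown] Pkt body: 01 02 00 05 01
2020/05/20 21:03:38.119 [dot1x] (info): [60eb.69d9.38fa:Gi1/0/15] EAP Packet - REQUEST, ID : 0x2
2020/05/20 21:03:43.121 [dot1x] (debug): [0000.0000.0000:unknown] Pkt body: 01 02 00 05 01
2020/05/20 21:03:43.121 [dot1x] (info): [60eb.69d9.38fa:Gi1/0/15] EAP Packet - REQUEST, ID : 0x2
"""

# Matches the "[mac:interface] EAP Packet - <CODE>, ID : 0x<n>" part of a debug line.
EAP_RE = re.compile(r"\[([0-9a-f.]+):(\S+)\] EAP Packet - (\w+), ID : 0x([0-9a-fA-F]+)")


def decode_eap(hex_body):
    """Decode the EAP header logged as 'Pkt body' (RFC 3748: code, id, length[, type])."""
    b = bytes.fromhex(hex_body.replace(" ", ""))
    if len(b) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = b[0], b[1], int.from_bytes(b[2:4], "big")
    pkt = {"code": EAP_CODES.get(code, f"code-{code}"), "id": ident, "length": length}
    if code in (1, 2) and len(b) > 4:  # only Request/Response carry a Type byte
        pkt["type"] = EAP_TYPES.get(b[4], f"type-{b[4]}")
    return pkt


def summarize_eap(log):
    """Per client MAC: requests the switch sent (by EAP id), retransmits, and supplicant responses."""
    sent = defaultdict(lambda: defaultdict(int))  # mac -> eap id -> request count
    replies = defaultdict(int)                    # mac -> response count (assumed RESPONSE line shape)
    for line in log.splitlines():
        m = EAP_RE.search(line)
        if not m:
            continue
        mac, _intf, code, eap_id = m.groups()
        if code.upper() == "REQUEST":
            sent[mac][int(eap_id, 16)] += 1
        elif code.upper() == "RESPONSE":
            replies[mac] += 1
    findings = {}
    for mac, per_id in sent.items():
        retrans = sum(n - 1 for n in per_id.values())  # same id sent again = retransmit
        findings[mac] = {"requests": sum(per_id.values()), "retransmits": retrans,
                         "responses": replies[mac],
                         "supplicant_silent": replies[mac] == 0 and retrans > 0}
    return findings
```

A client flagged supplicant_silent never answered any Identity request in the captured window, which points at the EAPOL frames not reaching the switch's dot1x process (or the supplicant not running) rather than at the RADIUS side.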