04-15-2011 09:20 AM - edited 03-10-2019 05:59 PM
Hi friend,
I have a question: is it possible to authenticate a Cisco phone and a PC in the same VLAN (voice and data)?
When I use this configuration, the phone and PC don't work. The phone displays "registering" and never finishes.
interface FastEthernet0/5
switchport mode access
switchport voice vlan 1
authentication event fail action authorize vlan 11
authentication event no-response action authorize vlan 11
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
authentication violation protect
mab
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-reauth-req 3
spanning-tree portfast
end
*Mar 1 01:42:02.584: %DOT1X_SWITCH-5-ERR_VLAN_EQ_MDA_INACTIVE: Multi-Domain Authentication cannot activate because Data and Voice VLANs are the same on port AuditSessionID FastEthernet0/5
*Mar 1 01:42:02.618: %AUTHMGR-5-START: Starting 'dot1x' for client (001a.a056.60af) on Interface Fa0/5 AuditSessionID AC1B09230000001D005D6C72
*Mar 1 01:42:02.735: %DOT1X-5-SUCCESS: Authentication successful for client (001a.a056.60af) on Interface Fa0/5 AuditSessionID
*Mar 1 01:42:02.735: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (001a.a056.60af) on Interface Fa0/5 AuditSessionID AC1B09230000001D005D6C72
*Mar 1 01:42:02.735: %DOT1X_SWITCH-5-ERR_VLAN_EQ_VVLAN: Data VLAN 1 on port FastEthernet0/5 cannot be equivalent to the Voice VLAN AuditSessionID AC1B09230000001D005D6C72
*Mar 1 01:42:02.735: %AUTHMGR-5-FAIL: Authorization failed for client (001a.a056.60af) on Interface Fa0/5 AuditSessionID AC1B09230000001D005D6C72
*Mar 1 01:42:02.744: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (001a.a056.60af) on Interface Fa0/5 AuditSessionID AC1B09230000001D005D6C72
*Mar 1 01:42:04.589: %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to up
*Mar 1 01:42:05.596: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to up
*Mar 1 01:42:08.213: %AUTHMGR-5-START: Starting 'dot1x' for client (0817.35d5.c20c) on Interface Fa0/5 AuditSessionID AC1B09230000001E005D8255
*Mar 1 01:42:49.368: %DOT1X-5-FAIL: Authentication failed for client (0817.35d5.c20c) on Interface Fa0/5 AuditSessionID
*Mar 1 01:42:49.368: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0817.35d5.c20c) on Interface Fa0/5 AuditSessionID AC1B09230000001E005D8255
*Mar 1 01:42:49.368: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0817.35d5.c20c) on Interface Fa0/5 AuditSessionID AC1B09230000001E005D8255
*Mar 1 01:42:49.368: %AUTHMGR-5-START: Starting 'mab' for client (0817.35d5.c20c) on Interface Fa0/5 AuditSessionID AC1B09230000001E005D8255
*Mar 1 01:42:49.393: %MAB-5-SUCCESS: Authentication successful for client (0817.35d5.c20c) on Interface Fa0/5 AuditSessionID AC1B09230000001E005D8255
*Mar 1 01:42:49.393: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0817.35d5.c20c) on Interface Fa0/5 AuditSessionID AC1B09230000001E005D8255
*Mar 1 01:42:49.401: %AUTHMGR-5-FAIL: Authorization failed for client (0817.35d5.c20c) on Interface Fa0/5 AuditSessionID AC1B09230000001E005D8255
*Mar 1 01:43:43.910: %DOT1X-5-FAIL: Authentication failed for client (001a.a056.60af) on Interface Fa0/5 AuditSessionID
*Mar 1 01:43:43.910: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (001a.a056.60af) on Interface Fa0/5 AuditSessionID AC1B09230000001D005D6C72
*Mar 1 01:43:49.245: %AUTHMGR-5-START: Starting 'dot1x' for client (0817.35d5.c20c) on Interface Fa0/5 AuditSessionID AC1B09230000001E005D8255
*Mar 1 01:44:25.073: %DOT1X-5-FAIL: Authentication failed for client (001a.a056.60af) on Interface Fa0/5 AuditSessionID
*Mar 1 01:44:25.073: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (001a.a056.60af) on Interface Fa0/5 AuditSessionID AC1B09230000001D005D6C72
*Mar 1 01:44:30.215: %DOT1X-5-FAIL: Authentication failed for client (0817.35d5.c20c) on Interface Fa0/5 AuditSessionID
*Mar 1 01:44:30.215: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0817.35d5.c20c) on Interface Fa0/5 AuditSessionID AC1B09230000001E005D8255
*Mar 1 01:44:30.215: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0817.35d5.c20c) on Interface Fa0/5 AuditSessionID AC1B09230000001E005D8255
*Mar 1 01:44:30.215: %AUTHMGR-5-START: Starting 'mab' for client (0817.35d5.c20c) on Interface Fa0/5 AuditSessionID AC1B09230000001E005D8255
*Mar 1 01:44:30.241: %MAB-5-SUCCESS: Authentication successful for client (0817.35d5.c20c) on Interface Fa0/5 AuditSessionID AC1B09230000001E005D8255
*Mar 1 01:44:30.241: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0817.35d5.c20c) on Interface Fa0/5 AuditSessionID AC1B09230000001E005D8255
*Mar 1 01:44:30.241: %AUTHMGR-5-FAIL: Authorization failed for client (0817.35d5.c20c) on Interface Fa0/5 AuditSessionID AC1B09230000001E005D8255
SW-802.1x#show authentication interface fastEthernet0/5
Client list:
Interface MAC Address Method Domain Status Session ID
Fa0/5 0817.35d5.c20c dot1x VOICE Running AC1B09230000001E005D8255
Available methods list:
Handle Priority Name
3 0 dot1x
2 1 mab
Runnable methods list:
Handle Priority Name
3 0 dot1x
2 1 mab
Dot1x Info for FastEthernet0/5
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = MULTI_DOMAIN
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 3
MaxReq = 2
TxPeriod = 10
Dot1x Authenticator Client List Empty
Port Status = UNAUTHORIZED
When I use this configuration, only the phone works. The phone displays "registering" and never finishes.
interface FastEthernet0/5
switchport mode access
authentication event fail action authorize vlan 11
authentication event no-response action authorize vlan 11
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
authentication violation protect
mab
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-reauth-req 3
spanning-tree portfast
end
SW-802.1x#show authentication interface fastEthernet0/5
Client list:
Interface MAC Address Method Domain Status Session ID
Fa0/5 001a.a056.60af dot1x DATA Authz Success AC1B09230000001C005724E1
Available methods list:
Handle Priority Name
3 0 dot1x
2 1 mab
Runnable methods list:
Handle Priority Name
3 0 dot1x
2 1 mab
SW-802.1x#show dot1x interface fastEthernet0/5 de
Dot1x Info for FastEthernet0/5
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = MULTI_DOMAIN
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 3
MaxReq = 2
TxPeriod = 10
Dot1x Authenticator Client List
-------------------------------
Supplicant = 001a.a056.60af
Session ID = AC1B09230000001C005724E1
Auth SM State = AUTHENTICATED
Auth BEND SM State = IDLE
Port Status = AUTHORIZED
logg
*Mar 1 01:35:17.163: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (001a.a056.60af) on Interface Fa0/5 AuditSessionID AC1B09230000001C005724E1
*Mar 1 01:35:17.733: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001a.a056.60af) on Interface Fa0/5 AuditSessionID AC1B09230000001C005724E1
*Mar 1 01:35:18.186: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to up
Finally, when configuring with different VLANs for voice and data, both work fine. I want to know if it is possible to authenticate with 802.1x for phone and data in the same VLAN.
interface FastEthernet0/12
switchport mode access
switchport access vlan 2
switchport voice vlan 10
authentication port-control auto
authentication host-mode multi-domain
authentication violation protect
authentication event fail action authorize vlan 11
authentication event fail retry 2 action authorize vlan 11
authentication event no-response action authorize vlan 11
authentication periodic
authentication timer reauthenticate 60
mab
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-reauth-req 3
spanning-tree portfast
end
Best regards,
Marco
04-18-2011 02:32 AM
Hi, if you want to have both phone and computer in the same VLAN, the easiest way is to treat the phone just like a computer and to set the host-mode to multi-host.
So remove the voice-vlan configuration and use:
authentication host-mode multi-host.
Regards,
bastien
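An added example, not part of either post and not Cisco code: a Python check that reads interface stanzas and reports ports where multi-domain host mode is configured with the voice VLAN equal to the data VLAN, the condition behind the %DOT1X_SWITCH-5-ERR_VLAN_EQ_MDA_INACTIVE message in the question. The sample stanzas are constructed from the question's two ports, the function names are illustrative, and the access VLAN is assumed to default to 1 when it is not set.

```python
import re

# Constructed sample, trimmed from the two ports shown in the question.
SAMPLE = """\
interface FastEthernet0/5
 switchport mode access
 switchport voice vlan 1
 authentication host-mode multi-domain
 authentication port-control auto
!
interface FastEthernet0/12
 switchport mode access
 switchport access vlan 2
 switchport voice vlan 10
 authentication host-mode multi-domain
 authentication port-control auto
!
"""

def parse_interfaces(config):
    """Return {interface: settings}. Assumption: access VLAN is 1 when unset."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()  # tolerate pastes that lost their indentation
        if m := re.match(r"interface (\S+)$", line):
            current = ports.setdefault(
                m.group(1), {"access": 1, "voice": None, "host_mode": None})
        elif line in ("!", "end"):
            current = None  # stanza closed
        elif current is None:
            continue
        elif m := re.match(r"switchport access vlan (\d+)$", line):
            current["access"] = int(m.group(1))
        elif m := re.match(r"switchport voice vlan (\d+)$", line):
            current["voice"] = int(m.group(1))
        elif m := re.match(r"authentication host-mode (\S+)$", line):
            current["host_mode"] = m.group(1)
    return ports

def mda_vlan_conflicts(config):
    """Ports where multi-domain is set but data and voice VLAN are equal."""
    return [name for name, p in parse_interfaces(config).items()
            if p["host_mode"] == "multi-domain" and p["voice"] == p["access"]]

if __name__ == "__main__":
    for port in mda_vlan_conflicts(SAMPLE):
        print(f"{port}: data VLAN equals voice VLAN, MDA will not activate")
```

A port moved to multi-host passes this check, but in that mode only the first device authenticates and the others behind the port are admitted on its session, so it is worth reviewing which ports use it.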