01-29-2013 12:21 AM - edited 03-10-2019 08:01 PM
Hi, I have a simple MDA config:
interface FastEthernet0/4
 switchport access vlan 84
 switchport mode access
 switchport voice vlan 70
 ip access-group default_acl in
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 3
 dot1x max-reauth-req 3
 storm-control broadcast level 5.00
 storm-control action shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
When I connect ONLY the PHONE to this port, it authenticates successfully via MAB. When I connect only the PC, it authenticates successfully via dot1x. But when I connect the PC through the PHONE, the phone authenticates successfully but the PC does not; in my ISE server log I see only MAB attempts for the PC, no dot1x attempts.
ARHIV-ROOM36(config-if)#
Jan 29 12:08:04.380: %LINK-5-CHANGED: Interface FastEthernet0/4, changed state to administratively down
Jan 29 12:08:05.387: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to down
ARHIV-ROOM36(config-if)#exi
ARHIV-ROOM36(config)#exi
Jan 29 12:08:06.536: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up
Jan 29 12:08:07.543: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to up
ARHIV-ROOM36(config)#exi
ARHIV-ROOM36#
Jan 29 12:08:08.021: %SYS-5-CONFIG_I: Configured from console by ask on vty0 (10.110.11.253)
ARHIV-ROOM36#
Jan 29 12:08:09.170: %AUTHMGR-5-START: Starting 'dot1x' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
Jan 29 12:08:10.076: %AUTHMGR-5-START: Starting 'dot1x' for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID 0A6E0A0400000078A11BF97A
ARHIV-ROOM36#
Jan 29 12:08:18.591: %DOT1X-5-FAIL: Authentication failed for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID
Jan 29 12:08:18.591: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
Jan 29 12:08:18.591: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
Jan 29 12:08:18.591: %AUTHMGR-5-START: Starting 'mab' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
Jan 29 12:08:18.608: %MAB-5-FAIL: Authentication failed for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
Jan 29 12:08:18.608: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
Jan 29 12:08:18.608: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
Jan 29 12:08:18.608: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
ARHIV-ROOM36#
Jan 29 12:08:18.608: %AUTHMGR-5-FAIL: Authorization failed for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
ARHIV-ROOM36#
Jan 29 12:08:21.678: %DOT1X-5-FAIL: Authentication failed for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID
Jan 29 12:08:21.678: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID 0A6E0A0400000078A11BF97A
Jan 29 12:08:21.678: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID 0A6E0A0400000078A11BF97A
Jan 29 12:08:21.678: %AUTHMGR-5-START: Starting 'mab' for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID 0A6E0A0400000078A11BF97A
Jan 29 12:08:21.728: %MAB-5-SUCCESS: Authentication successful for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID 0A6E0A0400000078A11BF97A
ARHIV-ROOM36#
Jan 29 12:08:21.728: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID 0A6E0A0400000078A11BF97A
ARHIV-ROOM36#
Jan 29 12:08:22.718: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID 0A6E0A0400000078A11BF97A
ARHIV-ROOM36#
Jan 29 12:09:19.334: %AUTHMGR-5-START: Starting 'dot1x' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
ARHIV-ROOM36#
Jan 29 12:09:31.850: %DOT1X-5-FAIL: Authentication failed for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID
Jan 29 12:09:31.850: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
Jan 29 12:09:31.850: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
Jan 29 12:09:31.850: %AUTHMGR-5-START: Starting 'mab' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
Jan 29 12:09:31.866: %MAB-5-FAIL: Authentication failed for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
Jan 29 12:09:31.866: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
Jan 29 12:09:31.866: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
Jan 29 12:09:31.866: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
ARHIV-ROOM36#
Jan 29 12:09:31.866: %AUTHMGR-5-FAIL: Authorization failed for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
ARHIV-ROOM36#sh run | i aaa
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa session-id common
ARHIV-ROOM36#sh run | i radius
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 10.5.45.128 auth-port 1812 acct-port 1813 key 7 xxxx
radius-server vsa send accounting
radius-server vsa send authentication
01-29-2013 09:46 PM
Hello again-
I have seen a similar issue before. A few questions:
1. What version of code are you running on your switch?
2. What happens when:
Unplug both phone and computer > Connect Phone > Allow the phone to fully boot and authenticate > Connect PC > Disable and re-enable NIC on PC
3. What make and model phones are you using?
4. Are you running any type of desktop security applications (McAfee, Norton, CSA, etc.)?
Thank you for rating!
01-30-2013 02:55 AM
Hi,
1) Yesterday I changed the IOS on this switch from
c2960c405-universalk9-mz.122-55.EX3
to
c2960c405-universalk9-mz.150-2.SE1.bin
2) Same thing; on my ISE server I see only attempts to authenticate my PC via MAB.
This is what I see at the end of the log when the phone boots up and authenticates:
Jan 30 14:22:24.087: %MAB-5-SUCCESS: Authentication successful for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID 0A6E0A0400000030000EB3C3
Jan 30 14:22:24.087: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID 0A6E0A0400000030000EB3C3
ARHIV-ROOM36#
Jan 30 14:22:24.473: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID 0A6E0A0400000030000EB3C3
This is what I see when I plug my PC into the phone:
2222.txt
3) Cisco/Linksys SPA502G
Yesterday I changed the firmware from 7.4.6 to 7.5.4 (on another phone of the same series, SPA502G), and now this is what I see when the phone boots up and authenticates:
Jan 30 14:41:28.750: %MAB-5-SUCCESS: Authentication successful for client (649e.f377.39f8) on Interface Fa0/4 AuditSessionID 0A6E0A040000003E0020225F
ARHIV-ROOM36#
Jan 30 14:41:28.750: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (649e.f377.39f8) on Interface Fa0/4 AuditSessionID 0A6E0A040000003E0020225F
ARHIV-ROOM36#
Jan 30 14:41:29.505: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (649e.f377.39f8) on Interface Fa0/4 AuditSessionID 0A6E0A040000003E0020225F
This is what I see when I plug my PC into the phone with the new firmware:
3333.txt
So my PC authenticates successfully.
So I think it's a bug in the phone firmware, but I checked all the release notes for this phone firmware and found nothing about this bug, so I'm confused.
4) No, I don't have any Norton, McAfee and so on.
Is it possible that the phone blocks the EAPOL messages of dot1x?
01-30-2013 08:51 PM
It sure looks like the phone was not passing the 802.1x traffic as the switch was getting no response from its request. That is very interesting and good to know. Good job on finding a solution and sharing it back!
You should probably mark the thread as answered
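Added example, not part of the thread: a small Python triage script that reads switch console output in the format posted above and reports, per client MAC, whether the session ended in dot1x, fell back to MAB after a dot1x 'no-response', or exhausted all methods. The sample log, the MAC addresses, the `SW1#` prompt and the verdict labels are constructed for illustration.

```python
import re
# Constructed sample in the thread's log format: wrapped lines and a CLI prompt.
SAMPLE = """\
Jan 29 12:08:18.591: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0000.5e00.5301)
on Interface Fa0/4 AuditSessionID 0A000001000000010000AAAA
SW1#
Jan 29 12:08:18.608: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0000.5e00.5301) on
Interface Fa0/4 AuditSessionID 0A000001000000010000AAAA
Jan 29 12:08:18.608: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0000.5e00.5301) on In
terface Fa0/4 AuditSessionID 0A000001000000010000AAAA
Jan 29 12:08:21.678: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0000.5e00.5302)
on Interface Fa0/4 AuditSessionID 0A000001000000020000BBBB
Jan 29 12:08:21.728: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0000.5e00.5302) on Int
erface Fa0/4 AuditSessionID 0A000001000000020000BBBB
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d")
PROMPT = re.compile(r"^[\w.-]+(\([\w-]+\))?[#>]")
RESULT = re.compile(r"AUTHMGR-7-RESULT: Authentication result '([^']+)' "
                    r"from '([^']+)' for client \(([0-9a-f.]+)\)")
EXHAUSTED = re.compile(r"AUTHMGR-7-NOMOREMETHODS: .*?client \(([0-9a-f.]+)\)")

def records(text):
    """Rejoin wrapped physical lines into one record per syslog message."""
    out = []
    for line in text.splitlines():
        if STAMP.match(line):
            out.append(line)
        elif out and line.strip() and not PROMPT.match(line):
            out[-1] += line  # continuation of a wrapped message
    return out

def classify(text):
    """Map each client MAC to how its session on the port ended."""
    last, exhausted = {}, set()
    for rec in records(text):
        if m := RESULT.search(rec):
            last.setdefault(m[3], {})[m[2]] = m[1]  # latest result per method
        elif m := EXHAUSTED.search(rec):
            exhausted.add(m[1])
    verdicts = dict.fromkeys(last, "other")
    for mac, res in last.items():
        if res.get("dot1x") == "success":
            verdicts[mac] = "dot1x"
        elif res.get("mab") == "success":
            verdicts[mac] = "mab-fallback"
        elif res.get("dot1x") == "no-response" and mac in exhausted:
            verdicts[mac] = "no-eapol-reply"
    return verdicts
```

A client that is expected to run a supplicant but shows up as `no-eapol-reply` or `mab-fallback` is the pattern seen for the PC behind the phone in this thread.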