2193 Views, 0 Helpful, 7 Replies
C2960 host-mode multi-domain Cisco phone does not go to Voice Domain

Hi everybody

I am working on deploying dot1x through our company. I am stuck on configuring Cisco Phones to go on a correct VLAN when host-mode multi-domain option is used. I tried it on two C2960 switches with two different images. No matter what I do, the phone goes to Domain:  DATA and cannot connect to the network as most likely it is in a wrong VLAN. ISE is showing port as authenticated and MAB works fine. When I configure host-mode multi-host, the phone gets a correct VLAN and can talk to the network.

Here is what I use:

  • C2960S-48FPS-L with C2960S-UNIVERSALK9-M or C2960 SI with c2960-lanlitek9-tar.150-2.SE7
  • Cisco Phone 7960 and 7962
  • ISE  1.3.0.876

Here is the current port configuration:

interface GigabitEthernet1/0/1
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 703
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
end

Here is the output of show authentication session inter Gig1/0/1

MAC Address:  0013.1a58.xxxx
IP Address:  Unknown
User-Name:  00-13-1A-xx-xx-xx
Status:  Authz Success
Domain:  DATA
Oper host mode:  multi-domain
Oper control dir:  in
Authorized By:  Authentication Server
Vlan Policy:  N/A
Session timeout:  5400s (local), Remaining: 5384s
Timeout action:  Reauthenticate
Idle timeout:  N/A
Common Session ID:  0AF301450000000C001F3391
Acct Session ID:  0x00000010
Handle:  0x0400000D

Thanks for your help.

1 Accepted Solution

Looks like you're missing the device-class=voice attribute in your authz profile.


7 Replies

jan.nielsen
Level 7

What is the content of your authorization result that is used for the phone?

Hi Jan

Thank you for your response.

This test was run with only the phone connected to the switch.

This is what I see on the ISE server:

Steps
  11001  Received RADIUS Access-Request
  11017  RADIUS created a new session
  11027  Detected Host Lookup UseCase (Service-Type = Call Check (10))
  15049  Evaluating Policy Group
  15008  Evaluating Service Selection Policy
  15048  Queried PIP - Radius.Service-Type
  15048  Queried PIP - Radius.NAS-Port-Type
  15004  Matched rule - MAB
  15041  Evaluating Identity Policy
  15006  Matched Default Rule
  15013  Selected Identity Source - Internal Endpoints
  24209  Looking up Endpoint in Internal Endpoints IDStore - 3C:CE:73:58:xx:xx
  24211  Found Endpoint in Internal Endpoints IDStore
  22037  Authentication Passed
  15036  Evaluating Authorization Policy
  15048  Queried PIP - Radius.NAS-Port-Type
  15004  Matched rule - ARR-MAB
  15016  Selected Authorization Profile - PermitAccess
  11002  Returned RADIUS Access-Accept

And this is what I see on the switch:

May 11 09:06:39.844: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
May 11 09:06:40.846: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
May 11 09:06:50.414: %AUTHMGR-5-START: Starting 'mab' for client (3cce.7358.xxxx) on Interface Gi1/0/1 AuditSessionID 0AF30145000000030016E90A
May 11 09:06:50.440: %MAB-5-SUCCESS: Authentication successful for client (3cce.7358.xxxx) on Interface Gi1/0/1 AuditSessionID 0AF30145000000030016E90A
May 11 09:06:50.440: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (3cce.7358.xxxx) on Interface Gi1/0/1 AuditSessionID 0AF30145000000030016E90A
May 11 09:06:50.613: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (3cce.7358.xxxx) on Interface Gi1/0/1 AuditSessionID 0AF30145000000030016E90A

Looks like you're missing the device-class=voice attribute in your authz profile.

Jan, you are the man! :)

This worked as a champ. Rookie mistake I guess.

My mistake was that I assumed this would work on a switch level by CDP, without any ISE config required. And to be fair no documentation I found mentioned anything about this.

Once again thank you for your help.

Lukasz

One thing solved but it is still not working as it should.

When only the phone is connected, everything looks OK. I can ping the phone without a problem. This is an improvement as I could not do this before.

The moment I connect a PC to the phone, pings to the phone drop and it loses config.

The PC network is also unidentified. VLAN on the switch is OK, it gets an IP address but it cannot ping anything. When the PC connects to the port directly, it works OK.

PORT SETTINGS

interface GigabitEthernet1/0/1
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 703
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
end

Switch Console logging output:

May 11 10:13:51.786: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/1: Power granted
May 11 10:13:52.321: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
May 11 10:13:56.888: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
May 11 10:13:59.813: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
May 11 10:14:02.168: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
May 11 10:14:03.169: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
May 11 10:14:10.567: %AUTHMGR-5-START: Starting 'mab' for client (3cce.7358.4796) on Interface Gi1/0/1 AuditSessionID 0AF3014500000010005496D0
May 11 10:14:10.578: %MAB-5-SUCCESS: Authentication successful for client (3cce.7358.4796) on Interface Gi1/0/1 AuditSessionID 0AF3014500000010005496D0
May 11 10:14:10.583: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (3cce.7358.4796) on Interface Gi1/0/1 AuditSessionID 0AF3014500000010005496D0
May 11 10:14:11.495: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (3cce.7358.4796) on Interface Gi1/0/1 AuditSessionID 0AF3014500000010005496D0
Switch(config-if)#
May 11 10:15:11.068: %AUTHMGR-5-START: Starting 'mab' for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF
May 11 10:15:11.094: %MAB-5-SUCCESS: Authentication successful for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF
May 11 10:15:11.094: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF
May 11 10:15:11.199: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF
May 11 10:15:14.649: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF
May 11 10:15:14.649: %AUTHMGR-5-START: Starting 'dot1x' for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF
May 11 10:15:14.980: %DOT1X-5-SUCCESS: Authentication successful for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF
May 11 10:15:14.980: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF
May 11 10:15:15.310: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF

Switch authentication session:

Switch#sh authentication sess int gi1/0/1
            Interface:  GigabitEthernet1/0/1
          MAC Address:  3cce.7358.4796
           IP Address:  Unknown
            User-Name:  3C-CE-73-58-47-96
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
      Session timeout:  3600s (local), Remaining: 3449s
       Timeout action:  Reauthenticate
         Idle timeout:  N/A
    Common Session ID:  0AF3014500000010005496D0
      Acct Session ID:  0x00000018
               Handle:  0xDC000011

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run

----------------------------------------
            Interface:  GigabitEthernet1/0/1
          MAC Address:  68f7.284a.0cf9
           IP Address:  Unknown
            User-Name:  LAPTOP
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  3600s (local), Remaining: 3513s
       Timeout action:  Reauthenticate
         Idle timeout:  N/A
    Common Session ID:  0AF30145000000110055ABAF
      Acct Session ID:  0x0000001A
               Handle:  0xBE000012

Runnable methods list:
       Method   State
       mab      Not run
       dot1x    Authc Success

ISE output:

Phone:

Steps
  11001  Received RADIUS Access-Request
  11017  RADIUS created a new session
  11027  Detected Host Lookup UseCase (Service-Type = Call Check (10))
  15049  Evaluating Policy Group
  15008  Evaluating Service Selection Policy
  15048  Queried PIP - Radius.Service-Type
  15048  Queried PIP - Radius.NAS-Port-Type
  15004  Matched rule - MAB
  15041  Evaluating Identity Policy
  15006  Matched Default Rule
  15013  Selected Identity Source - Internal Endpoints
  24209  Looking up Endpoint in Internal Endpoints IDStore - 3C:CE:73:58:47:96
  24211  Found Endpoint in Internal Endpoints IDStore
  22037  Authentication Passed
  15036  Evaluating Authorization Policy
  15048  Queried PIP - Radius.NAS-Port-Type
  15004  Matched rule - TEST-MAB
  15016  Selected Authorization Profile - TEST-VoiceDomain
  11002  Returned RADIUS Access-Accept

PC:

Steps
  11001  Received RADIUS Access-Request
  11017  RADIUS created a new session
  15049  Evaluating Policy Group
  15008  Evaluating Service Selection Policy
  15048  Queried PIP - Radius.NAS-Port-Type
  15048  Queried PIP - Radius.Service-Type
  15004  Matched rule - TEST_Dot1X
  11507  Extracted EAP-Response/Identity
  12500  Prepared EAP-Request proposing EAP-TLS with challenge
  12625  Valid EAP-Key-Name attribute received
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12301  Extracted EAP-Response/NAK requesting to use PEAP instead
  12300  Prepared EAP-Request proposing PEAP with challenge
  12625  Valid EAP-Key-Name attribute received
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
  12318  Successfully negotiated PEAP version 0
  12800  Extracted first TLS record; TLS handshake started
  12805  Extracted TLS ClientHello message
  12806  Prepared TLS ServerHello message
  12807  Prepared TLS Certificate message
  12810  Prepared TLS ServerDone message
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  12318  Successfully negotiated PEAP version 0
  12812  Extracted TLS ClientKeyExchange message
  12804  Extracted TLS Finished message
  12801  Prepared TLS ChangeCipherSpec message
  12802  Prepared TLS Finished message
  12816  TLS handshake succeeded
  12310  PEAP full handshake finished successfully
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  12313  PEAP inner method started
  11521  Prepared EAP-Request/Identity for inner EAP method
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  11522  Extracted EAP-Response/Identity for inner EAP method
  11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  12523  Extracted EAP-Response/NAK for inner method requesting to use EAP-TLS instead
  12522  Prepared EAP-Request for inner method proposing EAP-TLS with challenge
  12625  Valid EAP-Key-Name attribute received
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  12524  Extracted EAP-Response containing EAP-TLS challenge-response for inner method and accepting EAP-TLS as negotiated
  12800  Extracted first TLS record; TLS handshake started
  12805  Extracted TLS ClientHello message
  12806  Prepared TLS ServerHello message
  12807  Prepared TLS Certificate message
  12809  Prepared TLS CertificateRequest message
  12527  Prepared EAP-Request for inner method with another EAP-TLS challenge
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  12526  Extracted EAP-Response for inner method containing TLS challenge-response
  12527  Prepared EAP-Request for inner method with another EAP-TLS challenge
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  12526  Extracted EAP-Response for inner method containing TLS challenge-response
  12527  Prepared EAP-Request for inner method with another EAP-TLS challenge
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  12526  Extracted EAP-Response for inner method containing TLS challenge-response
  12527  Prepared EAP-Request for inner method with another EAP-TLS challenge
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  12526  Extracted EAP-Response for inner method containing TLS challenge-response
  12527  Prepared EAP-Request for inner method with another EAP-TLS challenge
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  12526  Extracted EAP-Response for inner method containing TLS challenge-response
  12527  Prepared EAP-Request for inner method with another EAP-TLS challenge
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  12526  Extracted EAP-Response for inner method containing TLS challenge-response
  12527  Prepared EAP-Request for inner method with another EAP-TLS challenge
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  12526  Extracted EAP-Response for inner method containing TLS challenge-response
  12527  Prepared EAP-Request for inner method with another EAP-TLS challenge
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  12526  Extracted EAP-Response for inner method containing TLS challenge-response
  12527  Prepared EAP-Request for inner method with another EAP-TLS challenge
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  12526  Extracted EAP-Response for inner method containing TLS challenge-response
  12571  ISE will continue to CRL verification if it is configured for specific CA - certificate for LAPTOP
  12571  ISE will continue to CRL verification if it is configured for specific CA - certificate for TestDomainDomain-TEST-CA-1-CA
  12571  ISE will continue to CRL verification if it is configured for specific CA - certificate for TEST-CA-ROOT-CA
  12811  Extracted TLS Certificate message containing client certificate
  12812  Extracted TLS ClientKeyExchange message
  12813  Extracted TLS CertificateVerify message
  12804  Extracted TLS Finished message
  12801  Prepared TLS ChangeCipherSpec message
  12802  Prepared TLS Finished message
  12816  TLS handshake succeeded
  12509  EAP-TLS full handshake finished successfully
  12527  Prepared EAP-Request for inner method with another EAP-TLS challenge
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  12526  Extracted EAP-Response for inner method containing TLS challenge-response
  15041  Evaluating Identity Policy
  15006  Matched Default Rule
  22072  Selected identity source sequence - TEST_CERT_AD_LOCAL
  22070  Identity name is taken from certificate attribute
  15013  Selected Identity Source - TestDomainDomain.co.uk
  24433  Looking up machine in Active Directory - TestDomainDomain.co.uk
  24325  Resolving identity - LAPTOP
  24313  Search for matching accounts at join point - TestDomainDomain.co.uk
  24319  Single matching account found in forest - TestDomainDomain.co.uk
  24323  Identity resolution detected single matching account
  24700  Identity resolution by certificate succeeded - TestDomainDomain.co.uk
  22037  Authentication Passed
  12528  Inner EAP-TLS authentication succeeded
  11519  Prepared EAP-Success for inner EAP method
  12314  PEAP inner method finished successfully
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  15036  Evaluating Authorization Policy
  11055  User name change detected for the session. Attributes for the session will be removed from the cache
  15048  Queried PIP - Radius.NAS-Port-Type
  15048  Queried PIP - Radius.Service-Type
  24433  Looking up machine in Active Directory - TestDomainDomain.co.uk
  24355  LDAP fetch succeeded - TestDomainDomain.co.uk
  24435  Machine Groups retrieval from Active Directory succeeded - TestDomainDomain.co.uk
  15048  Queried PIP - TestDomainDomain.co.uk.ExternalGroups
  15048  Queried PIP - Network Access.EapAuthentication
  15004  Matched rule - TEST-WIRED-MACHINE
  15016  Selected Authorization Profile - PermitAccess
  12306  PEAP authentication succeeded
  11503  Prepared EAP-Success
  11002  Returned RADIUS Access-Accept

Hi again

I think there may be a problem in MAB processing. I noticed that the policy authorized the PC on the MAB profile (still need to figure out why).

I changed the authorization order to dot1x mab and after that both devices are connected.

Once again thank you for your help.
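The sequence Lukasz describes (the PC first authorized on the MAB result, then re-authenticated by dot1x a few seconds later) is visible in the switch syslog he posted. As an added example that is not part of the thread, this Python script parses those %AUTHMGR / %MAB / %DOT1X lines (the sample below is the log quoted earlier in this thread), rebuilds each client's start / authc / authz / failover timeline, and reports clients that were authorized by a lower-priority method and then again by a higher-priority one, using the port's "authentication priority dot1x mab" as the ranking. The priority tuple is an assumption taken from that port configuration; the log-line layout is the IOS format shown above.

```python
"""Added example (not from the thread): reconstruct, per client, the order in
which the switch authorized it, from %AUTHMGR / %MAB / %DOT1X syslog lines."""
import re
from collections import defaultdict

# Log lines quoted in the thread (PC 68f7.284a.0cf9 behind phone 3cce.7358.4796).
SAMPLE_LOG = """\
May 11 10:14:10.567: %AUTHMGR-5-START: Starting 'mab' for client (3cce.7358.4796) on Interface Gi1/0/1 AuditSessionID 0AF3014500000010005496D0
May 11 10:14:10.578: %MAB-5-SUCCESS: Authentication successful for client (3cce.7358.4796) on Interface Gi1/0/1 AuditSessionID 0AF3014500000010005496D0
May 11 10:14:11.495: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (3cce.7358.4796) on Interface Gi1/0/1 AuditSessionID 0AF3014500000010005496D0
May 11 10:15:11.068: %AUTHMGR-5-START: Starting 'mab' for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF
May 11 10:15:11.094: %MAB-5-SUCCESS: Authentication successful for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF
May 11 10:15:11.199: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF
May 11 10:15:14.649: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF
May 11 10:15:14.649: %AUTHMGR-5-START: Starting 'dot1x' for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF
May 11 10:15:14.980: %DOT1X-5-SUCCESS: Authentication successful for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF
May 11 10:15:15.310: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF
"""

# timestamp, facility, severity, mnemonic, free text, then "for client (mac) on Interface X"
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+): %(?P<fac>[A-Z0-9]+)-\d-(?P<mnemonic>[A-Z_]+): "
    r"(?P<msg>.*?) for client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+)"
)


def parse_authmgr_log(text):
    """Map each client MAC to its ordered list of (timestamp, kind, method)
    events; kind is one of start / authc / authz / failover."""
    timeline = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        fac, mnemonic, msg = m.group("fac", "mnemonic", "msg")
        quoted = re.search(r"'(\w+)'", msg)          # 'mab' / 'dot1x' in START and FAILOVER
        method = quoted.group(1) if quoted else None
        if fac == "AUTHMGR" and mnemonic == "START":
            kind = "start"
        elif fac in ("MAB", "DOT1X") and mnemonic == "SUCCESS":
            kind, method = "authc", fac.lower()
        elif fac == "AUTHMGR" and mnemonic == "SUCCESS":
            kind = "authz"
        elif fac == "AUTHMGR" and mnemonic == "FAILOVER":
            kind = "failover"
        else:
            continue
        timeline[m.group("mac")].append((m.group("ts"), kind, method))
    return dict(timeline)


def authorization_methods(timeline):
    """For each client, the method whose result produced each authorization, in order."""
    result = {}
    for mac, events in timeline.items():
        last_authc, methods = None, []
        for _ts, kind, method in events:
            if kind == "authc":
                last_authc = method
            elif kind == "authz":
                methods.append(last_authc)
        result[mac] = methods
    return result


def reauthorized_by_higher_priority(timeline, priority=("dot1x", "mab")):
    """Clients authorized on a lower-priority method and later again on a
    higher-priority one (priority order as in 'authentication priority dot1x mab')."""
    flagged = {}
    for mac, methods in authorization_methods(timeline).items():
        ranks = [priority.index(m) for m in methods if m in priority]
        if any(later < earlier for earlier, later in zip(ranks, ranks[1:])):
            flagged[mac] = methods
    return flagged


if __name__ == "__main__":
    tl = parse_authmgr_log(SAMPLE_LOG)
    for mac, methods in authorization_methods(tl).items():
        print(mac, "authorized by", " -> ".join(methods))
    print("re-authorized on a higher-priority method:", reauthorized_by_higher_priority(tl))
```

On the quoted log the phone shows a single "mab" authorization, while the laptop shows "mab -> dot1x" and is flagged: it spent a few seconds running on whatever the MAB rule returned before the dot1x result replaced it, which is the window in which the port behaved oddly. Pointing the same parser at a syslog collector lets you list every host that regularly gets an interim MAB authorization, which is the population to review on the ISE side.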

Looks fine to me, what I am wondering is why your switch does not know the IP addresses of your devices? Did you not enable IP device tracking or DHCP snooping?

Are you using any access-lists on your ports, that you haven't shown us in your "sh run"?