05-07-2015 02:15 AM - edited 03-10-2019 10:43 PM
Hi everybody
I am working on deploying dot1x through our company. I am stuck on configuring Cisco Phones to go on a correct VLAN when host-mode multi-domain option is used. I tried it on two C2960 switches with two different images. No matter what I do, the phone goes to Domain: DATA and cannot connect to the network as most likely it is in a wrong VLAN. ISE is showing port as authenticated and MAB works fine. When I configure host-mode multi-host, the phone gets a correct VLAN and can talk to the network.
Here is what I use:
Here is the current port configuration:
interface GigabitEthernet1/0/1
switchport access vlan 2
switchport mode access
switchport voice vlan 703
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
Here is the output of show authentication session inter Gig1/0/1
MAC Address: 0013.1a58.xxxx
IP Address: Unknown
User-Name: 00-13-1A-xx-xx-xx
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: in
Authorized By: Authentication Server
Vlan Policy: N/A
Session timeout: 5400s (local), Remaining: 5384s
Timeout action: Reauthenticate
Idle timeout: N/A
Common Session ID: 0AF301450000000C001F3391
Acct Session ID: 0x00000010
Handle: 0x0400000D
Thanks for your help.
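The session output above is the thing to check on a multi-domain port: a MAB-authenticated client whose User-Name is just its MAC address and whose Domain is DATA is almost always a phone whose authorization result never carried the voice-domain attribute (on ISE the "Voice Domain Permission" option in the authorization profile, which sends cisco-av-pair device-traffic-class=voice). The following is an added example, not code from the thread: a small Python parser for "show authentication sessions interface" output that flags exactly that condition, plus sessions with no learned IP address. The sample output is constructed to mirror the layout shown in the post, with placeholder MAC addresses.

```python
"""Audit 'show authentication sessions interface ...' output for a phone that
landed in the DATA domain on a multi-domain port.  Added example; the sample
below is constructed (placeholder MACs), not real output from the thread."""
import re

# Constructed sample: first block mimics a phone authorized via MAB but left in
# DATA, second block a dot1x laptop with an IP learned by device tracking.
SAMPLE = """\
Interface: GigabitEthernet1/0/1
MAC Address: 0013.1a58.0001
IP Address: Unknown
User-Name: 00-13-1A-58-00-01
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: in
Authorized By: Authentication Server
Vlan Policy: N/A
----------------------------------------
Interface: GigabitEthernet1/0/1
MAC Address: 68f7.284a.0002
IP Address: 10.1.2.50
User-Name: LAPTOP
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
"""

# MAB sessions carry the MAC address as the RADIUS User-Name (XX-XX-XX-XX-XX-XX).
MAC_USERNAME = re.compile(r"^(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")


def parse_sessions(text):
    """Split the command output into one dict per session (blocks separated by '----')."""
    sessions, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("---"):
            if current:
                sessions.append(current)
                current = {}
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    if current:
        sessions.append(current)
    return sessions


def audit(sessions):
    """Return (mac, finding) tuples for sessions that look mis-authorized."""
    findings = []
    for s in sessions:
        mac = s.get("MAC Address", "?")
        if (s.get("Oper host mode") == "multi-domain"
                and s.get("Domain") == "DATA"
                and MAC_USERNAME.match(s.get("User-Name", ""))):
            findings.append((mac, "MAB client in DATA domain on a multi-domain port: "
                                  "authorization result lacks the voice-domain attribute "
                                  "(ISE Voice Domain Permission / device-traffic-class=voice)"))
        if s.get("IP Address") == "Unknown":
            findings.append((mac, "no IP learned for this session: check IP device "
                                  "tracking or DHCP snooping on the switch"))
    return findings


if __name__ == "__main__":
    for mac, finding in audit(parse_sessions(SAMPLE)):
        print(f"{mac}: {finding}")
```

Run against real output, the first finding points at the ISE authorization profile rather than the switch port, which is where the thread's fix ended up; the second finding corresponds to the "IP Address: Unknown" lines that the last reply in the thread asks about.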
05-11-2015 02:16 AM
Looks like you're missing the device-class=voice attribute in your authz profile.
05-09-2015 02:18 PM
What is the content of your authorization result that is used for the phone ?
05-11-2015 02:13 AM
Hi Jan
Thank you for your response.
This test was run with only the phone connected to the switch.
This is what I see on the ISE server:
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Radius.Service-Type
15048 Queried PIP - Radius.NAS-Port-Type
15004 Matched rule - MAB
15041 Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Source - Internal Endpoints
24209 Looking up Endpoint in Internal Endpoints IDStore - 3C:CE:73:58:xx:xx
24211 Found Endpoint in Internal Endpoints IDStore
22037 Authentication Passed
15036 Evaluating Authorization Policy
15048 Queried PIP - Radius.NAS-Port-Type
15004 Matched rule - ARR-MAB
15016 Selected Authorization Profile - PermitAccess
11002 Returned RADIUS Access-Accept
And this is what I see on the switch:
May 11 09:06:39.844: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
May 11 09:06:40.846: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
May 11 09:06:50.414: %AUTHMGR-5-START: Starting 'mab' for client (3cce.7358.xxxx) on Interface Gi1/0/1 AuditSessionID 0AF30145000000030016E90A
May 11 09:06:50.440: %MAB-5-SUCCESS: Authentication successful for client (3cce.7358.xxxx) on Interface Gi1/0/1 AuditSessionID 0AF30145000000030016E90A
May 11 09:06:50.440: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (3cce.7358.xxxx) on Interface Gi1/0/1 AuditSessionID 0AF30145000000030016E90A
May 11 09:06:50.613: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (3cce.7358.xxxx) on Interface Gi1/0/1 AuditSessionID 0AF30145000000030016E90A
05-11-2015 02:47 AM
Jan, you are the man! :)
This worked as a champ. Rookie mistake I guess.
My mistake was that I assumed this would work on a switch level by CDP, without any ISE config required. And to be fair no documentation I found mentioned anything about this.
Once again thank you for your help.
Lukasz
05-11-2015 03:43 AM
One thing solved but it is still not working as it should.
When only the phone is connected, everything looks OK. I can ping the phone without a problem. This is an improvement as I could not do this before.
The moment I connect a PC to the phone, pings to the phone drop and it loses config.
The PC network is also unidentified. VLAN on the switch is OK, it gets an IP address but it cannot ping anything. When the PC connects to the port directly, it works OK.
PORT SETTINGS
interface GigabitEthernet1/0/1
switchport access vlan 2
switchport mode access
switchport voice vlan 703
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
Switch Console logging output:
May 11 10:13:51.786: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/1: Power granted
May 11 10:13:52.321: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
May 11 10:13:56.888: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
May 11 10:13:59.813: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
May 11 10:14:02.168: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
May 11 10:14:03.169: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
May 11 10:14:10.567: %AUTHMGR-5-START: Starting 'mab' for client (3cce.7358.4796) on Interface Gi1/0/1 AuditSessionID 0AF3014500000010005496D0
May 11 10:14:10.578: %MAB-5-SUCCESS: Authentication successful for client (3cce.7358.4796) on Interface Gi1/0/1 AuditSessionID 0AF3014500000010005496D0
May 11 10:14:10.583: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (3cce.7358.4796) on Interface Gi1/0/1 AuditSessionID 0AF3014500000010005496D0
May 11 10:14:11.495: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (3cce.7358.4796) on Interface Gi1/0/1 AuditSessionID 0AF3014500000010005496D0
Switch(config-if)#
May 11 10:15:11.068: %AUTHMGR-5-START: Starting 'mab' for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF
May 11 10:15:11.094: %MAB-5-SUCCESS: Authentication successful for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF
May 11 10:15:11.094: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF
May 11 10:15:11.199: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF
May 11 10:15:14.649: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF
May 11 10:15:14.649: %AUTHMGR-5-START: Starting 'dot1x' for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF
May 11 10:15:14.980: %DOT1X-5-SUCCESS: Authentication successful for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF
May 11 10:15:14.980: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF
May 11 10:15:15.310: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (68f7.284a.0cf9) on Interface Gi1/0/1 AuditSessionID 0AF30145000000110055ABAF
Switch authentication session:
Switch#sh authentication sess int gi1/0/1
Interface: GigabitEthernet1/0/1
MAC Address: 3cce.7358.4796
IP Address: Unknown
User-Name: 3C-CE-73-58-47-96
Status: Authz Success
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Session timeout: 3600s (local), Remaining: 3449s
Timeout action: Reauthenticate
Idle timeout: N/A
Common Session ID: 0AF3014500000010005496D0
Acct Session ID: 0x00000018
Handle: 0xDC000011
Runnable methods list:
Method State
mab Authc Success
dot1x Not run
----------------------------------------
Interface: GigabitEthernet1/0/1
MAC Address: 68f7.284a.0cf9
IP Address: Unknown
User-Name: LAPTOP
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
Session timeout: 3600s (local), Remaining: 3513s
Timeout action: Reauthenticate
Idle timeout: N/A
Common Session ID: 0AF30145000000110055ABAF
Acct Session ID: 0x0000001A
Handle: 0xBE000012
Runnable methods list:
Method State
mab Not run
dot1x Authc Success
ISE output:
Phone:
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Radius.Service-Type
15048 Queried PIP - Radius.NAS-Port-Type
15004 Matched rule - MAB
15041 Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Source - Internal Endpoints
24209 Looking up Endpoint in Internal Endpoints IDStore - 3C:CE:73:58:47:96
24211 Found Endpoint in Internal Endpoints IDStore
22037 Authentication Passed
15036 Evaluating Authorization Policy
15048 Queried PIP - Radius.NAS-Port-Type
15004 Matched rule - TEST-MAB
15016 Selected Authorization Profile - TEST-VoiceDomain
11002 Returned RADIUS Access-Accept
PC:
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Radius.NAS-Port-Type
15048 Queried PIP - Radius.Service-Type
15004 Matched rule - TEST_Dot1X
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12523 Extracted EAP-Response/NAK for inner method requesting to use EAP-TLS instead
12522 Prepared EAP-Request for inner method proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12524 Extracted EAP-Response containing EAP-TLS challenge-response for inner method and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12809 Prepared TLS CertificateRequest message
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12526 Extracted EAP-Response for inner method containing TLS challenge-response
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12526 Extracted EAP-Response for inner method containing TLS challenge-response
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12526 Extracted EAP-Response for inner method containing TLS challenge-response
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12526 Extracted EAP-Response for inner method containing TLS challenge-response
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12526 Extracted EAP-Response for inner method containing TLS challenge-response
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12526 Extracted EAP-Response for inner method containing TLS challenge-response
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12526 Extracted EAP-Response for inner method containing TLS challenge-response
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12526 Extracted EAP-Response for inner method containing TLS challenge-response
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12526 Extracted EAP-Response for inner method containing TLS challenge-response
12571 ISE will continue to CRL verification if it is configured for specific CA - certificate for LAPTOP
12571 ISE will continue to CRL verification if it is configured for specific CA - certificate for TestDomainDomain-TEST-CA-1-CA
12571 ISE will continue to CRL verification if it is configured for specific CA - certificate for TEST-CA-ROOT-CA
12811 Extracted TLS Certificate message containing client certificate
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12509 EAP-TLS full handshake finished successfully
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12526 Extracted EAP-Response for inner method containing TLS challenge-response
15041 Evaluating Identity Policy
15006 Matched Default Rule
22072 Selected identity source sequence - TEST_CERT_AD_LOCAL
22070 Identity name is taken from certificate attribute
15013 Selected Identity Source - TestDomainDomain.co.uk
24433 Looking up machine in Active Directory - TestDomainDomain.co.uk
24325 Resolving identity - LAPTOP
24313 Search for matching accounts at join point - TestDomainDomain.co.uk
24319 Single matching account found in forest - TestDomainDomain.co.uk
24323 Identity resolution detected single matching account
24700 Identity resolution by certificate succeeded - TestDomainDomain.co.uk
22037 Authentication Passed
12528 Inner EAP-TLS authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12314 PEAP inner method finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
15036 Evaluating Authorization Policy
11055 User name change detected for the session. Attributes for the session will be removed from the cache
15048 Queried PIP - Radius.NAS-Port-Type
15048 Queried PIP - Radius.Service-Type
24433 Looking up machine in Active Directory - TestDomainDomain.co.uk
24355 LDAP fetch succeeded - TestDomainDomain.co.uk
24435 Machine Groups retrieval from Active Directory succeeded - TestDomainDomain.co.uk
15048 Queried PIP - TestDomainDomain.co.uk.ExternalGroups
15048 Queried PIP - Network Access.EapAuthentication
15004 Matched rule - TEST-WIRED-MACHINE
15016 Selected Authorization Profile - PermitAccess
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
11002 Returned RADIUS Access-Accept
05-11-2015 04:16 AM
Hi again
I think there may be a problem in MAB processing. I noticed that the policy authorized the PC on the MAB profile (still need to figure out why).
I changed the authorization order to dot1x mab and after that both devices are connected.
Once again thank you for your help.
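The console log in the earlier post shows what "authentication order mab dot1x" does to a supplicant-capable host: the laptop is first authenticated and authorized by MAB (it matched the MAB rule and got PermitAccess on ISE), and only then does the switch fail over to dot1x, which replaces the session. Reconstructing that method sequence per AuditSessionID from the syslog is a quick way to spot the same pattern across many ports. The block below is an added example, not code from the thread or from Cisco; the log lines are constructed to mirror the format of the ones posted above, with placeholder MAC addresses and session IDs.

```python
"""Rebuild the per-session authentication method sequence from Cisco IOS
AUTHMGR / MAB / DOT1X syslog lines.  Added example; the sample log is
constructed (placeholder MACs and session IDs), not the thread's real output."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
May 11 10:14:10.567: %AUTHMGR-5-START: Starting 'mab' for client (3cce.7358.0001) on Interface Gi1/0/1 AuditSessionID SESSION-A
May 11 10:14:10.578: %MAB-5-SUCCESS: Authentication successful for client (3cce.7358.0001) on Interface Gi1/0/1 AuditSessionID SESSION-A
May 11 10:14:10.583: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (3cce.7358.0001) on Interface Gi1/0/1 AuditSessionID SESSION-A
May 11 10:14:11.495: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (3cce.7358.0001) on Interface Gi1/0/1 AuditSessionID SESSION-A
May 11 10:15:11.068: %AUTHMGR-5-START: Starting 'mab' for client (68f7.284a.0002) on Interface Gi1/0/1 AuditSessionID SESSION-B
May 11 10:15:11.094: %MAB-5-SUCCESS: Authentication successful for client (68f7.284a.0002) on Interface Gi1/0/1 AuditSessionID SESSION-B
May 11 10:15:11.199: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (68f7.284a.0002) on Interface Gi1/0/1 AuditSessionID SESSION-B
May 11 10:15:14.649: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (68f7.284a.0002) on Interface Gi1/0/1 AuditSessionID SESSION-B
May 11 10:15:14.649: %AUTHMGR-5-START: Starting 'dot1x' for client (68f7.284a.0002) on Interface Gi1/0/1 AuditSessionID SESSION-B
May 11 10:15:14.980: %DOT1X-5-SUCCESS: Authentication successful for client (68f7.284a.0002) on Interface Gi1/0/1 AuditSessionID SESSION-B
May 11 10:15:15.310: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (68f7.284a.0002) on Interface Gi1/0/1 AuditSessionID SESSION-B
"""

# Facility-severity-mnemonic, message text, client MAC, interface, session id.
LINE = re.compile(
    r"%(?P<fac>[A-Z0-9]+)-\d-(?P<mnem>[A-Z_]+): (?P<msg>.*?) for client "
    r"\((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+) AuditSessionID (?P<sid>\S+)"
)
# The method is quoted after "Starting" or "from"; MAB/DOT1X facility lines imply it.
METHOD = re.compile(r"(?:Starting|from) '(\w+)'")


def parse_events(text):
    """Map AuditSessionID -> ordered list of (mac, 'FAC-MNEMONIC', method or None)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        quoted = METHOD.search(m["msg"])
        if quoted:
            method = quoted.group(1)
        elif m["fac"] in ("MAB", "DOT1X"):
            method = m["fac"].lower()
        else:
            method = None
        events[m["sid"]].append((m["mac"], f"{m['fac']}-{m['mnem']}", method))
    return events


def method_sequence(events):
    """Methods that produced an authentication SUCCESS, in order, per session."""
    return {
        sid: [meth for (_, ev, meth) in evs if ev in ("MAB-SUCCESS", "DOT1X-SUCCESS")]
        for sid, evs in events.items()
    }


def find_mab_then_dot1x(events):
    """Sessions where MAB succeeded first and dot1x later replaced it: the
    signature of 'authentication order mab dot1x' on a host with a supplicant."""
    hits = []
    for sid, evs in events.items():
        names = [ev for (_, ev, _) in evs]
        if ("MAB-SUCCESS" in names and "AUTHMGR-FAILOVER" in names
                and "DOT1X-SUCCESS" in names):
            hits.append((sid, evs[0][0]))
    return hits


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    for sid, seq in method_sequence(ev).items():
        print(sid, "->", " then ".join(seq))
    print("MAB-then-dot1x sessions:", find_mab_then_dot1x(ev))
```

A phone-only session shows a single "mab" entry; a PC behind the phone on a port ordered mab-first shows "mab then dot1x", which is the interval during which the MAB authorization (PermitAccess in the thread) was in force for the PC. Putting dot1x first in the order, as the post above did, removes that interval for hosts that have a supplicant.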
05-11-2015 04:19 AM
Looks fine to me, what I am wondering is why your switch does not know the IP addresses of your devices? Did you not enable IP device tracking or DHCP snooping?
Are you using any access-lists on your ports, that you haven't shown us in your "sh run"?