cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

5766
Views
0
Helpful
13
Replies
Highlighted
Beginner

Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB multi-domain Q?

Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB multi-domain Q?

Im trying to follow the trustsec 2.1 guide on IP Phones into LowImpact mode.

I can get a PC on its own to authenticate via dot1x/tls

I can get a Cisco IP Phone on its own to authenticate via MAB.

When the two are on the same switchport, the phone will authenticate but not the PC.  ISE logs EAP timeouts.

The switchport has the LowImpact port ACL of

ip access-group ACL-DEFAULT in

The IP Phone gets a dACL that allows it ok.

I assume MAB phone and dot1x PC is supported?  Any ideas?

Thanks in advance.

13 REPLIES 13
Highlighted
Enthusiast

Re: Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB mult

What you're doing is fully supported. Can you please post your switchport Config and what software you're using on the switch and ISE?

Sent from Cisco Technical Support iPad App

Highlighted
Beginner

Re: Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB mult

The switch port config is:

interface GigabitEthernet1/0/12

switchport mode access

switchport voice vlan 3

ip access-group ACL-DEFAULT in

load-interval 30

srr-queue bandwidth share 1 30 35 5

priority-queue out

authentication event fail action next-method

authentication event server dead action reinitialize vlan 1

authentication event server alive action reinitialize

authentication host-mode multi-domain

authentication open

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication violation restrict

mab

mls qos trust dscp

dot1x pae authenticator

dot1x timeout tx-period 10

spanning-tree portfast

end

C3750G-24P#sh ip access

C3750G-24P#sh ip access-lists ACL-DEFAULT

Extended IP access list ACL-DEFAULT

    10 permit udp any eq bootpc any eq bootps

    20 permit udp any any eq domain

    30 permit icmp any any

    40 permit udp any any eq tftp

    50 deny ip any any log

It was on 12.2.58 last release and i moved it to 15.0(2)SE3 just in case but no difference observed.

ISE is 1.1.3

Thanks Richard

Highlighted
Beginner

Re: Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB mult

The ISE AuthN policy is basically use anything.

The ISE AuthZ policy is:

  • MAB IP Phone = Voice Domain & permit ip any any
  • Domain User = permit ip any any
  • Domain Computer = permit ip any any
  • MAB Computers (including the tested PC) = permit ip any [RFC1918]

If the MAB Computers is disabled the PC does not Authenticate if its attached to an authenticated phone.

If the MAB Computers is enabled the PC will match it after reporting EAP timeouts of 120 seconds.

As a side comment:

I was testing an IP Phone with EAP-MD5 instead of MAB yesterday (I dont have a CUCM system to test full certs for TLS).  I got the phone to authn only after tweaking the Allowed Protocol preference, but this had problems with the Domain PC authn which is why i posted another Q yesterday about multi EAP authn methods with ISE yesterday.

Highlighted
Beginner

Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB multi-do

Below is the ISE log showing from bottom up.  Machine Auth fail, IP Phone then succeeding via MAB, the computer matching via MAB failover, and then the Domain User auth failing once I log into the machine.

Highlighted
Beginner

Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB multi-do

I cant seem to find a good example of an IP Phone test in TrustSec 2.1 (but its multi document style doesnt make it easier to find things) so I am looking at other references for help, including the TS2.0, IBNS and other docs including another forum post: Deploying 802.1x when workstations are connected behind IP phones

(https://supportforums.cisco.com/docs/DOC-22478)

Which has the following line in it:  "The only caveat that you need to be aware of is that once MAB is  enabled, it applies to both the data VLAN as well as the voice VLAN. If  the workstation does not respond to the EAP packets, its MAC address  will be used to try and authenticate it."

Which almost sounds to me like that once MAB is used by the IP Phone it means MAB has to be used by the data domain device too?

Highlighted
Enthusiast

Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB multi-do

After seeing your ISE logs it says "no response received after 120 seconds". If you click for details, most probably you will find that this is an authentication error. Could you share what are your authentication rules?

Cisco IP Phone is using MAB only because 802.1x is failing. The same goes to the workstation, since 802.1x is failing then it uses MAB. But both processes are completely independent

Please rate if it helps

Highlighted
Beginner

Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB multi-do

The IP Phone isnt using MAB as dot1x if failing, its not setup to use 802.1X.  Im following the trustsec 2.1 design guidw where its using MAB for IP Phones.

Highlighted
Enthusiast

Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB multi-do

I deduced that because of your switchport configuration

authentication order dot1x mab

authentication priority dot1x mab

Even if a device is not configured with 802.1x, your switchport is and so the switch will try 802.1x first toauthenticate any device and only if it fails (after the 802.1x timer and retries expire) the switchport will use mab.

But back to your issue, when using "authentication host-mode multi-domain" every device connected to the switchport will authenticate independently, so the ip phone authentication won't interfere with your PC authentication.

Your ISE logs say "no response received after 120 seconds". If you click for details, most probably you will find that this is an authentication error. It wil be great to see the details of this log and also what are your authentication rules.

Regards

Highlighted
Beginner

Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB multi-do

The ISE log detailed steps are as follows:

Steps

11001  Received RADIUS Access-Request

11017  RADIUS created a new session

Evaluating Service Selection Policy

15048  Queried PIP

15048  Queried PIP

15004  Matched rule

11507  Extracted EAP-Response/Identity

12300  Prepared EAP-Request proposing PEAP with challenge

12625  Valid EAP-Key-Name attribute received

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12501  Extracted EAP-Response/NAK requesting to use EAP-TLS instead

12500  Prepared EAP-Request proposing EAP-TLS with challenge

12625  Valid EAP-Key-Name attribute received

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated

12800  Extracted first TLS record; TLS handshake started

12805  Extracted TLS ClientHello message

12806  Prepared TLS ServerHello message

12807  Prepared TLS Certificate message

12809  Prepared TLS CertificateRequest message

12505  Prepared EAP-Request with another EAP-TLS challenge

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12504  Extracted EAP-Response containing EAP-TLS challenge-response

12505  Prepared EAP-Request with another EAP-TLS challenge

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12504  Extracted EAP-Response containing EAP-TLS challenge-response

12505  Prepared EAP-Request with another EAP-TLS challenge

11006  Returned RADIUS Access-Challenge

5411  No response received during 120 seconds on last EAP message sent to the client

Highlighted
Beginner

Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB multi-do

As a reminder of the situation I am still facing.

TEST 1.  I connect my Win7 PC that is setup to use EAP TLS, 802.1x authentication works as recorded in Windows and in the ISE log.  Therefore there are no Windows supplicant issues.

TEST 2.  I connect a Cisco 7942 IP Phone only to the switchport, authentication via MAB to the voice domain works as expected.

TEST 3.  I connect the IP Phone and it works via MAB, I then plug the PC via the phone but the PC is failing to authenticate with EAP-TLS with the EAP timeouts as listed before.

TEST 4.  I connect the IP Phone and it works via MAB, I then plug the PC via the  phone but change from TLS to PEAP, and the PC authenticates successfully.

Anybody seen this behavious before?  Any ideas at all?

Highlighted
Beginner

Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB multi-do

Hi,

According to your issue can you confirm that your client has a certificate because if you would like to use EAP-TLS you need to have a certifcates on both sites.

In log it looks like the client didn't sent its sertificate if any ?

Regards,

Highlighted
Frequent Contributor

Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB multi-do

Is the PC port enabled on the IP phone?

Try to replace the phone. It is quite likely that it fails to relay EAP frames.

Highlighted
Beginner

Re: Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB multi-do

Hello,

Did you resolve your problem to authenticate PC by EAP-TLS connected to phone port?