Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB multi-domain Q?

Nicholas Poole
Level 1

I'm trying to follow the TrustSec 2.1 guide on IP Phones in Low-Impact mode.

I can get a PC on its own to authenticate via dot1x/TLS.

I can get a Cisco IP Phone on its own to authenticate via MAB.

When the two are on the same switchport, the phone will authenticate but not the PC.  ISE logs EAP timeouts.

The switchport has the LowImpact port ACL of

ip access-group ACL-DEFAULT in

The IP Phone gets a dACL that allows it ok.

I assume a MAB phone and a dot1x PC are supported? Any ideas?

Thanks in advance.

13 Replies

Richard Atkin
Level 4

What you're doing is fully supported. Can you please post your switchport Config and what software you're using on the switch and ISE?

Sent from Cisco Technical Support iPad App

The switch port config is:

interface GigabitEthernet1/0/12
 switchport mode access
 switchport voice vlan 3
 ip access-group ACL-DEFAULT in
 load-interval 30
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 1
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 mls qos trust dscp
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
end

C3750G-24P#sh ip access
C3750G-24P#sh ip access-lists ACL-DEFAULT
Extended IP access list ACL-DEFAULT
    10 permit udp any eq bootpc any eq bootps
    20 permit udp any any eq domain
    30 permit icmp any any
    40 permit udp any any eq tftp
    50 deny ip any any log

It was on 12.2.58 (last release) and I moved it to 15.0(2)SE3 just in case, but no difference was observed.

ISE is 1.1.3.

Thanks Richard

The ISE AuthN policy is basically use anything.

The ISE AuthZ policy is:

  • MAB IP Phone = Voice Domain & permit ip any any
  • Domain User = permit ip any any
  • Domain Computer = permit ip any any
  • MAB Computers (including the tested PC) = permit ip any [RFC1918]

If MAB Computers is disabled, the PC does not authenticate if it's attached to an authenticated phone.

If MAB Computers is enabled, the PC will match it after reporting EAP timeouts of 120 seconds.

As a side comment:

I was testing an IP Phone with EAP-MD5 instead of MAB yesterday (I don't have a CUCM system to test full certs for TLS). I got the phone to authn only after tweaking the Allowed Protocol preference, but this had problems with the Domain PC authn, which is why I posted another Q yesterday about multi EAP authn methods with ISE.

Below is the ISE log, reading from the bottom up: Machine Auth fail, IP Phone then succeeding via MAB, the computer matching via MAB failover, and then the Domain User auth failing once I log into the machine.

I can't seem to find a good example of an IP Phone test in TrustSec 2.1 (but its multi-document style doesn't make it easier to find things), so I am looking at other references for help, including the TS2.0, IBNS and other docs, including another forum post: Deploying 802.1x when workstations are connected behind IP phones

(https://supportforums.cisco.com/docs/DOC-22478)

Which has the following line in it: "The only caveat that you need to be aware of is that once MAB is enabled, it applies to both the data VLAN as well as the voice VLAN. If the workstation does not respond to the EAP packets, its MAC address will be used to try and authenticate it."

Which almost sounds to me like once MAB is used by the IP Phone, MAB has to be used by the data-domain device too?
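To make the switchport posted earlier in this thread easier to reason about, here is a small checker I wrote for this page (it is not Cisco code and not the original poster's). It takes the interface block as pasted above, confirms the sub-commands a multi-domain port with a MAB phone and an 802.1X PC relies on, extracts the pre-auth ACL name, and estimates how long the switch keeps trying 802.1X before it moves on to MAB. The REQUIRED table is my own list; the IOS defaults assumed when a command is absent (tx-period 30 s, max-reauth-req 2) are also my inputs, and the fallback estimate is tx-period times (max-reauth-req + 1).

```python
"""Check an IOS FlexAuth switchport for the MAB-phone + 802.1X-PC (multi-domain) pattern.

Added example written for this thread; not Cisco code and not from the original
poster. SAMPLE_PORT is the interface block posted in the thread, re-typed inline.
The REQUIRED table and the IOS defaults assumed below are my own inputs.
"""
import re

SAMPLE_PORT = """\
interface GigabitEthernet1/0/12
 switchport mode access
 switchport voice vlan 3
 ip access-group ACL-DEFAULT in
 load-interval 30
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 1
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 mls qos trust dscp
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
end
"""

# Command prefix -> why a multi-domain MAB/802.1X port needs it (my own list).
REQUIRED = {
    "authentication host-mode multi-domain": "one data device and one voice device per port",
    "authentication port-control auto": "authentication is actually enforced on the port",
    "authentication order dot1x mab": "802.1X is tried first, MAB is the fallback",
    "mab": "MAB enabled so the phone can authenticate by MAC address",
    "dot1x pae authenticator": "the switch acts as the 802.1X authenticator",
    "switchport voice vlan": "a voice VLAN so the phone is placed in the voice domain",
}

# IOS defaults assumed when the command is absent from the interface.
DEFAULT_TX_PERIOD = 30
DEFAULT_MAX_REAUTH_REQ = 2


def interface_commands(text):
    """Return the interface sub-commands without indentation or the
    'interface' / 'end' framing lines."""
    cmds = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("interface ") or line in ("end", "!"):
            continue
        cmds.append(line)
    return cmds


def _int_arg(cmds, pattern, default):
    """Integer argument of the first command matching pattern, else default."""
    for c in cmds:
        m = re.match(pattern, c)
        if m:
            return int(m.group(1))
    return default


def check_port(text):
    cmds = interface_commands(text)
    missing = [req for req in REQUIRED if not any(c.startswith(req) for c in cmds)]
    tx_period = _int_arg(cmds, r"dot1x timeout tx-period (\d+)$", DEFAULT_TX_PERIOD)
    max_reauth = _int_arg(cmds, r"dot1x max-reauth-req (\d+)$", DEFAULT_MAX_REAUTH_REQ)
    acl = None
    for c in cmds:
        m = re.match(r"ip access-group (\S+) in$", c)
        if m:
            acl = m.group(1)
    return {
        "missing": missing,
        "open_mode": "authentication open" in cmds,
        "pre_auth_acl": acl,
        # EAPOL Identity-Requests sent before the switch gives up on 802.1X and
        # moves to the next method: tx-period * (max-reauth-req + 1) seconds.
        "dot1x_to_mab_fallback_seconds": tx_period * (max_reauth + 1),
    }


if __name__ == "__main__":
    for key, value in check_port(SAMPLE_PORT).items():
        print(f"{key}: {value}")
```

For the posted port the checker reports nothing missing, open mode on, ACL-DEFAULT as the pre-auth ACL, and a 30-second window before MAB is tried (10 s tx-period, default two retries). That 30 s is the switch-side timer; the 120 seconds in the ISE step list is ISE waiting for the supplicant's next EAP message inside an already-running EAP-TLS exchange, which is a different timer.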

Looking at your ISE logs, they say "no response received after 120 seconds". If you click for details, most probably you will find that this is an authentication error. Could you share what your authentication rules are?

The Cisco IP Phone is using MAB only because 802.1x is failing. The same goes for the workstation: since 802.1x is failing, it uses MAB. But both processes are completely independent.

Please rate if it helps

The IP Phone isn't using MAB as dot1x is failing; it's not set up to use 802.1X. I'm following the TrustSec 2.1 design guide, where it's using MAB for IP Phones.

I deduced that because of your switchport configuration:

authentication order dot1x mab

authentication priority dot1x mab

Even if a device is not configured with 802.1x, your switchport is, and so the switch will try 802.1x first to authenticate any device, and only if it fails (after the 802.1x timer and retries expire) will the switchport use MAB.

But back to your issue: when using "authentication host-mode multi-domain", every device connected to the switchport will authenticate independently, so the IP phone authentication won't interfere with your PC authentication.

Your ISE logs say "no response received after 120 seconds". If you click for details, most probably you will find that this is an authentication error. It will be great to see the details of this log and also what your authentication rules are.

Regards

The ISE log detailed steps are as follows:

Steps
11001  Received RADIUS Access-Request
11017  RADIUS created a new session
Evaluating Service Selection Policy
15048  Queried PIP
15048  Queried PIP
15004  Matched rule
11507  Extracted EAP-Response/Identity
12300  Prepared EAP-Request proposing PEAP with challenge
12625  Valid EAP-Key-Name attribute received
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12501  Extracted EAP-Response/NAK requesting to use EAP-TLS instead
12500  Prepared EAP-Request proposing EAP-TLS with challenge
12625  Valid EAP-Key-Name attribute received
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800  Extracted first TLS record; TLS handshake started
12805  Extracted TLS ClientHello message
12806  Prepared TLS ServerHello message
12807  Prepared TLS Certificate message
12809  Prepared TLS CertificateRequest message
12505  Prepared EAP-Request with another EAP-TLS challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12504  Extracted EAP-Response containing EAP-TLS challenge-response
12505  Prepared EAP-Request with another EAP-TLS challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12504  Extracted EAP-Response containing EAP-TLS challenge-response
12505  Prepared EAP-Request with another EAP-TLS challenge
11006  Returned RADIUS Access-Challenge
5411  No response received during 120 seconds on last EAP message sent to the client
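The step list above is the most useful evidence in the thread, so here is a triage helper I wrote for this page (not Cisco code, not the original poster's) that reads ISE "Steps" text in the shape pasted above and reports where the EAP-TLS exchange stalled: how many RADIUS round trips happened, which TLS handshake messages were reached, how many more EAP-TLS replies the client sent after ISE asked for its certificate, and whether the record ends in step 5411. The direction rule (messages starting with Received/Extracted come from the client, Prepared/Returned go to the client) and the classification labels are my own assumptions, not documented ISE semantics.

```python
"""Summarise a Cisco ISE 'Steps' list from an EAP-TLS authentication record.

Added example written for this thread; not Cisco code and not from the original
poster. SAMPLE_STEPS is the step list posted in the thread, re-typed inline.
Direction is inferred from the first word of each message; that mapping and the
classify() labels are my own assumptions.
"""
import re

SAMPLE_STEPS = """\
11001  Received RADIUS Access-Request
11017  RADIUS created a new session
Evaluating Service Selection Policy
15048  Queried PIP
15048  Queried PIP
15004  Matched rule
11507  Extracted EAP-Response/Identity
12300  Prepared EAP-Request proposing PEAP with challenge
12625  Valid EAP-Key-Name attribute received
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12501  Extracted EAP-Response/NAK requesting to use EAP-TLS instead
12500  Prepared EAP-Request proposing EAP-TLS with challenge
12625  Valid EAP-Key-Name attribute received
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800  Extracted first TLS record; TLS handshake started
12805  Extracted TLS ClientHello message
12806  Prepared TLS ServerHello message
12807  Prepared TLS Certificate message
12809  Prepared TLS CertificateRequest message
12505  Prepared EAP-Request with another EAP-TLS challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12504  Extracted EAP-Response containing EAP-TLS challenge-response
12505  Prepared EAP-Request with another EAP-TLS challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12504  Extracted EAP-Response containing EAP-TLS challenge-response
12505  Prepared EAP-Request with another EAP-TLS challenge
11006  Returned RADIUS Access-Challenge
5411  No response received during 120 seconds on last EAP message sent to the client
"""

# A step line is a 4- or 5-digit code, whitespace, then the message text.
STEP_RE = re.compile(r"^\s*(\d{4,5})\s+(\S.*?)\s*$")
# TLS handshake messages ISE names in its step text, in handshake order.
TLS_MILESTONES = ("ClientHello", "ServerHello", "Certificate message", "CertificateRequest")


def parse_steps(text):
    """Return (code, message) for every line carrying a numeric step code."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((int(m.group(1)), m.group(2)))
    return steps


def summarise(text):
    steps = parse_steps(text)
    codes = [c for c, _ in steps]
    s = {
        "radius_round_trips": codes.count(11001),
        "ended_in_timeout": 5411 in codes,
        "tls_milestones": [],
        "client_replies_after_cert_request": 0,
        "last_from_client": None,
        "last_to_client": None,
    }
    after_cert_request = False
    for code, msg in steps:
        for milestone in TLS_MILESTONES:
            if milestone in msg and milestone not in s["tls_milestones"]:
                s["tls_milestones"].append(milestone)
        if "CertificateRequest" in msg:
            after_cert_request = True
        elif after_cert_request and msg.startswith("Extracted EAP-Response"):
            s["client_replies_after_cert_request"] += 1
        # Assumed direction rule: Received/Extracted = from client, Prepared/Returned = to client.
        if msg.startswith(("Received", "Extracted")):
            s["last_from_client"] = (code, msg)
        elif msg.startswith(("Prepared", "Returned")):
            s["last_to_client"] = (code, msg)
    return s


def classify(text):
    """Coarse label for where the exchange stopped (labels are my own)."""
    s = summarise(text)
    if not s["ended_in_timeout"]:
        return "no_timeout"
    reached = s["tls_milestones"]
    if "ClientHello" not in reached:
        return "timeout_before_tls_handshake"
    if "CertificateRequest" not in reached:
        return "timeout_during_server_hello"
    return "timeout_after_cert_request"


if __name__ == "__main__":
    print(classify(SAMPLE_STEPS))
    for key, value in summarise(SAMPLE_STEPS).items():
        print(f"{key}: {value}")
```

Run on the thread's record, the summary shows five RADIUS round trips, all four server-side handshake milestones reached, two further EAP-TLS replies from the client after the CertificateRequest, and then silence until step 5411, so it classifies as "timeout_after_cert_request". That shape points at the client side of the TLS handshake rather than at ISE policy: ISE has already sent its certificate chain and asked for the supplicant's, and the next thing it expects is the client's certificate. Which is why the two follow-up questions later in this thread (does the PC actually hold a certificate, and does the phone relay every EAP frame) are the right ones to answer before touching the switch or ISE config.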

Nicholas Poole
Level 1

As a reminder of the situation I am still facing.

TEST 1. I connect my Win7 PC, which is set up to use EAP-TLS; 802.1x authentication works as recorded in Windows and in the ISE log. Therefore there are no Windows supplicant issues.

TEST 2. I connect a Cisco 7942 IP Phone only to the switchport; authentication via MAB to the voice domain works as expected.

TEST 3. I connect the IP Phone and it works via MAB; I then plug the PC in via the phone, but the PC fails to authenticate with EAP-TLS, with the EAP timeouts as listed before.

TEST 4. I connect the IP Phone and it works via MAB; I then plug the PC in via the phone but change from TLS to PEAP, and the PC authenticates successfully.

Anybody seen this behaviour before? Any ideas at all?

Hi,

Regarding your issue, can you confirm that your client has a certificate? If you would like to use EAP-TLS, you need to have certificates on both sides.

In the log it looks like the client didn't send its certificate, if it has any?

Regards,

Is the PC port enabled on the IP phone?

Try to replace the phone. It is quite likely that it fails to relay EAP frames.

Hello,

Did you resolve your problem authenticating the PC by EAP-TLS when connected to the phone port?