06-13-2013 12:13 PM - last edited on 03-25-2019 05:30 PM by ciscomoderator
Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB multi-domain Q?
I'm trying to follow the TrustSec 2.1 guide on IP Phones in LowImpact mode.
I can get a PC on its own to authenticate via dot1x/tls
I can get a Cisco IP Phone on its own to authenticate via MAB.
When the two are on the same switchport, the phone will authenticate but not the PC. ISE logs EAP timeouts.
The switchport has the LowImpact port ACL of
ip access-group ACL-DEFAULT in
The IP Phone gets a dACL that allows it OK.
I assume MAB phone and dot1x PC is supported? Any ideas?
Thanks in advance.
06-14-2013 12:12 AM
What you're doing is fully supported. Can you please post your switchport config and what software you're using on the switch and ISE?
06-14-2013 01:50 AM
The switch port config is:
interface GigabitEthernet1/0/12
 switchport mode access
 switchport voice vlan 3
 ip access-group ACL-DEFAULT in
 load-interval 30
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 1
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 mls qos trust dscp
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
end
C3750G-24P#sh ip access-lists ACL-DEFAULT
Extended IP access list ACL-DEFAULT
    10 permit udp any eq bootpc any eq bootps
    20 permit udp any any eq domain
    30 permit icmp any any
    40 permit udp any any eq tftp
    50 deny ip any any log
It was on 12.2.58 last release and I moved it to 15.0(2)SE3 just in case, but no difference observed.
ISE is 1.1.3
Thanks, Richard
06-14-2013 01:58 AM
The ISE AuthN policy is basically use anything.
The ISE AuthZ policy is:
If MAB Computers is disabled, the PC does not authenticate if it's attached to an authenticated phone.
If MAB Computers is enabled, the PC will match it after reporting EAP timeouts of 120 seconds.
As a side comment:
I was testing an IP Phone with EAP-MD5 instead of MAB yesterday (I don't have a CUCM system to test full certs for TLS). I got the phone to authn only after tweaking the Allowed Protocols preference, but this had problems with the Domain PC authn, which is why I posted another Q yesterday about multiple EAP authn methods with ISE.
06-14-2013 02:09 AM
Below is the ISE log showing from bottom up. Machine Auth fail, IP Phone then succeeding via MAB, the computer matching via MAB failover, and then the Domain User auth failing once I log into the machine.
06-14-2013 02:20 AM
I can't seem to find a good example of an IP Phone test in TrustSec 2.1 (but its multi-document style doesn't make it easier to find things), so I am looking at other references for help, including the TS2.0, IBNS and other docs, including another forum post: Deploying 802.1x when workstations are connected behind IP phones
(https://supportforums.cisco.com/docs/DOC-22478)
Which has the following line in it: "The only caveat that you need to be aware of is that once MAB is enabled, it applies to both the data VLAN as well as the voice VLAN. If the workstation does not respond to the EAP packets, its MAC address will be used to try and authenticate it."
Which almost sounds to me like once MAB is used by the IP Phone, MAB has to be used by the data domain device too?
06-23-2013 01:19 AM
After seeing your ISE logs it says "no response received after 120 seconds". If you click for details, most probably you will find that this is an authentication error. Could you share what are your authentication rules?
The Cisco IP Phone is using MAB only because 802.1x is failing. The same goes for the workstation: since 802.1x is failing, it uses MAB. But both processes are completely independent.
06-24-2013 05:45 AM
The IP Phone isn't using MAB because dot1x is failing; it's not set up to use 802.1X. I'm following the TrustSec 2.1 design guide, where it's using MAB for IP Phones.
06-24-2013 07:22 AM
I deduced that because of your switchport configuration
authentication order dot1x mab
authentication priority dot1x mab
Even if a device is not configured with 802.1x, your switchport is, and so the switch will try 802.1x first to authenticate any device, and only if it fails (after the 802.1x timer and retries expire) will the switchport use MAB.
But back to your issue, when using "authentication host-mode multi-domain" every device connected to the switchport will authenticate independently, so the ip phone authentication won't interfere with your PC authentication.
Your ISE logs say "no response received after 120 seconds". If you click for details, most probably you will find that this is an authentication error. It will be great to see the details of this log and also what your authentication rules are.
Regards
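The fallback described in this reply (dot1x tried first on every MAC, MAB only after the 802.1X timer and retries expire) can be read straight off the switchport configuration posted earlier. The Python script below is an added example, not code from this thread or from Cisco: it parses that interface block (embedded here as a constructed sample, with the QoS lines left out), reports the FlexAuth settings that matter for one MAB phone plus one 802.1X PC on the same port, and computes how long a device that never answers EAPOL waits before MAB is attempted, using the IOS rule that the switch sends max-reauth-req + 1 EAP-Request/Identity frames, tx-period seconds apart. The IOS defaults of tx-period 30 and max-reauth-req 2 are assumed wherever the interface does not override them, and the wording of the findings is the example's own.

```python
import re

# Constructed sample: the switchport configuration posted in this thread,
# minus the QoS/queueing lines, which play no part in authentication.
SWITCHPORT_CONFIG = """\
interface GigabitEthernet1/0/12
 switchport mode access
 switchport voice vlan 3
 ip access-group ACL-DEFAULT in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 1
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
end
"""

# IOS defaults, assumed when the interface does not set them explicitly.
DEFAULT_TX_PERIOD = 30      # dot1x timeout tx-period: seconds between EAP-Request/Identity frames
DEFAULT_MAX_REAUTH_REQ = 2  # dot1x max-reauth-req: retries after the first request


def parse_interface(text):
    """Pull the FlexAuth settings out of one 'interface ... end' block."""
    cfg = {
        "host_mode": None, "open": False, "mab": False, "dot1x": False,
        "order": [], "priority": [],
        "tx_period": DEFAULT_TX_PERIOD, "max_reauth_req": DEFAULT_MAX_REAUTH_REQ,
    }
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"authentication host-mode (\S+)", line)
        if m:
            cfg["host_mode"] = m.group(1)
            continue
        m = re.fullmatch(r"authentication (order|priority) (.+)", line)
        if m:
            cfg[m.group(1)] = m.group(2).split()
            continue
        m = re.fullmatch(r"dot1x timeout tx-period (\d+)", line)
        if m:
            cfg["tx_period"] = int(m.group(1))
            continue
        m = re.fullmatch(r"dot1x max-reauth-req (\d+)", line)
        if m:
            cfg["max_reauth_req"] = int(m.group(1))
            continue
        if line == "authentication open":
            cfg["open"] = True
        elif line == "mab":
            cfg["mab"] = True
        elif line == "dot1x pae authenticator":
            cfg["dot1x"] = True
    return cfg


def mab_fallback_delay(cfg):
    """Seconds a device that never answers EAPOL (e.g. a MAB-only phone) waits
    before the switch gives up on dot1x and tries MAB. The switch sends
    max-reauth-req + 1 EAP-Request/Identity frames, tx-period seconds apart.
    Returns 0 when MAB runs first or one of the methods is not enabled."""
    if not cfg["dot1x"] or not cfg["mab"] or cfg["order"][:1] != ["dot1x"]:
        return 0
    return (cfg["max_reauth_req"] + 1) * cfg["tx_period"]


def review(cfg):
    """Findings for a port that must carry a MAB phone and an 802.1X PC together."""
    findings = []
    if cfg["host_mode"] != "multi-domain":
        findings.append("host-mode is %s; multi-domain is needed for one phone plus one PC" % cfg["host_mode"])
    if not cfg["dot1x"]:
        findings.append("dot1x pae authenticator missing: the PC cannot use EAP-TLS")
    if not cfg["mab"]:
        findings.append("mab missing: the phone has no way to authenticate")
    delay = mab_fallback_delay(cfg)
    if delay:
        findings.append("order is dot1x first: a MAB-only device waits %d s before MAB is tried" % delay)
    if cfg["open"]:
        findings.append("authentication open: traffic permitted by the port ACL flows before authentication (LowImpact mode)")
    return findings


if __name__ == "__main__":
    for finding in review(parse_interface(SWITCHPORT_CONFIG)):
        print("-", finding)
```

On the posted interface this reports a 30 s wait (3 identity requests, 10 s apart) before the phone's MAC is tried with MAB; with the IOS default tx-period of 30 s the same port would wait 90 s. Swapping the order to `mab dot1x` drops the delay to zero for the phone while the PC still gets dot1x because of the priority line.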
07-29-2013 09:36 AM
The ISE log detailed steps are as follows:
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12300 Prepared EAP-Request proposing PEAP with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12501 Extracted EAP-Response/NAK requesting to use EAP-TLS instead
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12809 Prepared TLS CertificateRequest message
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
5411 No response received during 120 seconds on last EAP message sent to the client
07-29-2013 09:43 AM
As a reminder of the situation I am still facing.
TEST 1. I connect my Win7 PC that is set up to use EAP-TLS; 802.1x authentication works as recorded in Windows and in the ISE log. Therefore there are no Windows supplicant issues.
TEST 2. I connect a Cisco 7942 IP Phone only to the switchport, authentication via MAB to the voice domain works as expected.
TEST 3. I connect the IP Phone and it works via MAB. I then plug the PC in via the phone, but the PC is failing to authenticate with EAP-TLS, with the EAP timeouts as listed before.
TEST 4. I connect the IP Phone and it works via MAB. I then plug the PC in via the phone but change from TLS to PEAP, and the PC authenticates successfully.
Anybody seen this behaviour before? Any ideas at all?
11-06-2013 01:27 AM
Hi,
Regarding your issue, can you confirm that your client has a certificate? If you would like to use EAP-TLS you need to have certificates on both sides.
In the log it looks like the client didn't send its certificate, if it has one?
Regards,
11-06-2013 10:38 AM
Is the PC port enabled on the IP phone?
Try to replace the phone. It is quite likely that it fails to relay EAP frames.
05-19-2020 04:29 AM
Hello,
Did you resolve your problem to authenticate PC by EAP-TLS connected to phone port?