Cisco phone getting Drop on 802.1x port

valenciaa
Level 1

I've configured 802.1x on a 3850 running 16.3.8; the Cisco phone is not registering and it's getting Drop. Please see the port configuration below.

interface GigabitEthernet1/0/10
switchport mode access
switchport voice vlan 7
authentication event fail action authorize vlan 800
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
authentication violation restrict
dot1x pae authenticator
dot1x timeout quiet-period 3
dot1x timeout tx-period 1
dot1x timeout supp-timeout 5
spanning-tree portfast


Vlan Mac Address Type Ports
---- ----------- -------- -----
1 1833.9d15.fa36 DYNAMIC Drop
7 1833.9d15.fa36 DYNAMIC Drop

Interface: GigabitEthernet1/0/10
IIF-ID: 0x1AAB5D9B
MAC Address: 1833.9d15.fa36
IPv6 Address: Unknown
IPv4 Address: Unknown
Status: Unauthorized
Domain: UNKNOWN
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Common Session ID: AC1411020000008A2B5A0C7A
Acct Session ID: Unknown
Handle: 0x2f000080
Current Policy: POLICY_Gi1/0/10

Method status list:
Method State
dot1x Stopped

Arne Bier
VIP

Is the port err-disabled? Check with a show interface gig1/0/10.

Is CDP enabled?

The MAC address of the phone should land in the Voice Domain - VLAN 7 - and the switch communicates this to the phone via CDP. If you happen to have a PC connected to the phone at the same time and the port is err-disabled, then the reason for the violation is that you are using multi-domain host mode - and in multi-domain mode, the DATA domain may only have one MAC address. You can try using multi-auth instead.

Yes, CDP is enabled on the port. Same issue when I change it to multi-auth.

GigabitEthernet1/0/10 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 0056.2b21.e58a (bia 0056.2b21.e58a)
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
input flow-control is on, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:04, output hang never
Last clearing of "show interface" counters never
Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: Class-based queueing
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
579316 packets input, 230501810 bytes, 0 no buffer
Received 13917 broadcasts (11179 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 11179 multicast, 0 pause input
0 input packets with dribble condition detected
1360638 packets output, 1024431924 bytes, 0 underruns
0 output errors, 0 collisions, 19 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out

dot1x debug:

Mar 29 16:04:01: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Gi1/0/10, port's configured trust state is now operational.
Mar 29 16:04:04: %DOT1X-5-FAIL:Switch 1 R0/0: smd: Authentication failed for client (1833.9D15.FA36) on Interface Gi1/0/10 AuditSessionID AC141102000000942BBF75AE
Mar 29 16:04:04: %SESSION_MGR-5-FAIL:Switch 1 R0/0: smd: Authorization failed or unapplied for client (1833.9D15.FA36) on Interface GigabitEthernet1/0/10 AuditSessionID AC141102000000942BBF75AE
Mar 29 16:04:04: %SESSION_MGR-5-FAIL:Switch 1 R0/0: smd: Authorization failed or unapplied for client (1833.9D15.FA36) on Interface GigabitEthernet1/0/10 AuditSessionID AC141102000000942BBF75AE
Mar 29 16:05:07: %DOT1X-5-FAIL:Switch 1 R0/0: smd: Authentication failed for client (1833.9D15.FA36) on Interface Gi1/0/10 AuditSessionID AC141102000000942BBF75AE

Arne Bier
VIP

Sounds like the phone is configured for 802.1X. What is it using? Certs? Is ISE configured to process that type of 802.1X and authorize these devices?

What is Live Logs telling you?

I've checked the phone settings and it's not configured for 802.1x. 

Arne Bier
VIP

Hi @valenciaa 

Just curious - are you following the steps in the ISE Secure Wired Access Prescriptive Deployment Guide - Cisco Community?

And you need to share your ISE Policy Set config, because I can't tell how your MAB is configured. If your phones are not configured for 802.1X, then it means the switch will need to allow the phone on via MAB. Do you have a MAB policy for your phones?

Thanks Arne. It was a misconfiguration; I completely forgot to add the following line.

aaa authorization network default group XXX
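
As an added example (not from the thread or from Cisco), here is a small Python audit that reads a running-config excerpt and flags the two gaps this thread turned on: a voice port that authenticates with 802.1X but has no `mab` line, so a phone without a supplicant can never be authorized, and a global config without `aaa authorization network`, the line the OP had forgotten. The RADIUS group name RADIUS_GRP and the trimmed config are constructed for the example.

```python
import re

# Constructed sample: the thread's interface block (trimmed) plus an assumed
# global section that lacks `aaa authorization network`.
SAMPLE_CONFIG = """\
aaa authentication dot1x default group RADIUS_GRP
dot1x system-auth-control
!
interface GigabitEthernet1/0/10
 switchport voice vlan 7
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
!
"""

# Global commands the authenticator needs; without the authorization line the
# switch authenticates the client but never applies the RADIUS result.
REQUIRED_GLOBAL = {
    "dot1x system-auth-control": r"^dot1x system-auth-control$",
    "aaa authentication dot1x": r"^aaa authentication dot1x \S+ group \S+",
    "aaa authorization network": r"^aaa authorization network \S+ group \S+",
}

def split_config(config):
    """Return (global_lines, {interface: [sub-commands]}); IOS indents sub-commands."""
    global_lines, interfaces, current = [], {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        elif line.strip() not in ("", "!"):
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces

def audit(config):
    """Return (scope, message) findings; an empty list means no gap was found."""
    global_lines, interfaces = split_config(config)
    findings = [("global", f"missing '{name}'") for name, pat in REQUIRED_GLOBAL.items()
                if not any(re.match(pat, line) for line in global_lines)]
    for ifname, sub in interfaces.items():
        dot1x = "dot1x pae authenticator" in sub
        voice = any(s.startswith("switchport voice vlan") for s in sub)
        if dot1x and voice and "mab" not in sub:
            findings.append((ifname, "voice port runs 802.1X only; add 'mab'"))
    return findings
```

Run `audit()` against the output of `show running-config` before enabling `authentication port-control auto` on phone ports; an empty result means both the MAB fallback and the authorization line are in place.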

Based on the provided configuration, it looks like 802.1x authentication is failing on interface GigabitEthernet1/0/10. Here are some steps you can take to troubleshoot the issue:

Verify that the switch and phone are using the same voice VLAN: Check the phone configuration and make sure it's configured to use VLAN 7 for voice traffic. Verify that VLAN 7 is also configured on the switch and that the switchport is configured with the "switchport voice vlan 7" command.

Check the switch logs for any error messages: Use the "show log" command to view the switch logs and look for any error messages related to 802.1x authentication.

Verify the 802.1x authentication settings on the phone: Check the phone configuration and make sure it's configured to use the correct EAP type and authentication credentials.

Verify the 802.1x authentication settings on the switch: Check the switch configuration and make sure it's configured to use the correct EAP type and authentication credentials. Also, make sure that the authentication server is reachable from the switch and that the switch is configured with the correct server key or shared secret.

Verify that the switchport is configured correctly for 802.1x authentication: Check the switchport configuration and make sure it's configured with the "dot1x pae authenticator" command. Also, make sure that the port is not blocked by any other security features, such as port security or MAC address filtering.

Verify that the switch and phone are using compatible 802.1x authentication protocols: Check the switch and phone documentation to make sure they support the same 802.1x authentication protocols, such as EAP-TLS, PEAP, or EAP-FAST.

Once you have identified and resolved the issue, the phone should be able to authenticate successfully and register with the switch.

Please do not forget to rate.