01-09-2015 06:15 AM - last edited on 03-25-2019 05:32 PM by ciscomoderator
We are running version 5.2.0.26.4 of Cisco Secure ACS. We are using it to control access to our wired network and only allow our Cisco phones and our domain computers on the network. We use MAB for the phones and dot1x for the PCs. The system works pretty well except whenever we reboot our closet switches quite a few of our phones will not come up and work. They just say configuring and registering. You have to unplug the network cable and reboot the phone, then it will authenticate just fine. We are using Cisco 3750 switches that are stacked. We only have around 100 employees, so it's not 1000s of devices trying to auth. I'm thinking we are having issues due to all the devices coming online and trying to authenticate at once. Looking for some help in figuring out if this is something we can fix. Thanks in advance.
Billy Vaughn
01-09-2015 07:53 AM
Can you share your radius switch configs and port configs?
Also, can you post the output of the following commands while the phones are stuck in "registering state"
show authentication session interface interface_name_number
show aaa servers
Thank you for rating helpful posts!
01-09-2015 12:45 PM
Unfortunately I don't have a phone stuck in the registering/configuration state anymore. I can only reproduce the issue by rebooting a switch stack. I'll have to capture those outputs once I can get some downtime to re-create the issue.
Switch Commands
aaa authentication login default group tacacs+ local
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
tacacs-server host 10.1.254.50 key **********
tacacs-server host 10.1.254.51 key **********
tacacs-server directed-request
radius-server host 10.1.254.50 auth-port 1645 acct-port 1646 key ***********
radius-server host 10.1.254.51 auth-port 1645 acct-port 1646 key ***********
Interface Commands
switchport access vlan XX
switchport mode access
switchport nonegotiate
switchport voice vlan XX
authentication event server dead action authorize
authentication host-mode multi-domain
authentication order mab dot1x webauth
authentication port-control auto
mab
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
spanning-tree portfast
spanning-tree bpduguard enable
Billy
01-11-2015 12:39 AM
Hi Billy-
It would be hard to troubleshoot this since you are unable to replicate the issue...perhaps you can get a test switch and a test phone and try it again :)
In the meantime, I would suggest that you add/remove the following commands to your switchports:
no authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server dead action authorize vlan your_data_vlan
authentication event server alive action reinitialize
The first command would authorize phones to the voice VLAN if/when the Radius server is unavailable. The second command will do the same as first one but for your computers/laptops, etc. The last command would force all of the sessions that were authorized during a Radius server outage to be re-authorized.
I have the feeling that the phones boot up before the Radius server is reachable and marked as "alive." Thus, the phones are authorized but not on the voice VLAN.
Outside the issue that you have, I would recommend that you also add the following commands:
authentication priority dot1x mab
dot1x timeout tx-period 10
The first command will allow hosts that are dot1x capable to perform dot1x before mab (even though mab is set to take priority over dot1x). The second command just trims down the timeout timer which can help prevent hosts from giving up on acquiring DHCP address and assigning themselves a 169.x.x.x address.
Well I hope all of this helps!
Thank you for rating helpful posts!
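To make the recommendations above checkable rather than a matter of eyeballing `show run`, here is an added audit script (example code, not from the original post or from Cisco). It parses interface stanzas out of a running-config and flags the fallback settings discussed in this thread: an unqualified `server dead action authorize`, a missing `authorize voice` / `authorize vlan`, a missing `server alive action reinitialize`, `order mab dot1x` without `priority dot1x mab`, and a `dot1x timeout tx-period` left at the 30-second default. The sample config is constructed: Gi1/0/1 mirrors the port config posted in the thread, Gi1/0/2 has the suggested changes applied; the interface names and VLAN numbers are assumptions.

```python
"""Audit Cisco IOS 802.1X/MAB access-port stanzas for the RADIUS-outage
fallback settings discussed in the thread.  Added example, not from the
original post; the command syntax is what the thread shows, the interface
names and VLAN numbers in the sample are constructed."""
import re
from typing import Dict, List

# Constructed sample: Gi1/0/1 is the port config posted in the thread (blanket
# "server dead action authorize"), Gi1/0/2 has the recommended changes applied.
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 authentication event server dead action authorize
 authentication host-mode multi-domain
 authentication order mab dot1x webauth
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 authentication event server dead action authorize voice
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order mab dot1x webauth
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
"""

DOT1X_TX_PERIOD_DEFAULT = 30  # seconds; the IOS default when no tx-period is set


def parse_interfaces(running_config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [sub-commands]}."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in running_config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas


def audit_port(lines: List[str], max_tx_period: int = 10) -> List[str]:
    """Return 'CODE: explanation' findings for one access port; [] if clean."""
    cmds = set(lines)
    if "authentication port-control auto" not in cmds:
        return []  # not an 802.1X/MAB port, nothing to check
    findings: List[str] = []

    # A bare 'authorize' during a RADIUS outage puts every session on the
    # access VLAN, so a phone comes up on the data VLAN and never registers.
    if "authentication event server dead action authorize" in cmds:
        findings.append("DEAD-BLANKET: unqualified 'server dead action authorize' "
                        "authorizes phones into the data VLAN during a RADIUS outage")
    if "authentication event server dead action authorize voice" not in cmds:
        findings.append("DEAD-VOICE: no 'server dead action authorize voice'; phones "
                        "are not placed in the voice VLAN when RADIUS is dead")
    if not any(re.fullmatch(r"authentication event server dead action authorize vlan \d+", c)
               for c in cmds):
        findings.append("DEAD-VLAN: no 'server dead action authorize vlan <data-vlan>' "
                        "for PCs during a RADIUS outage")
    # Sessions authorized while RADIUS was dead must be re-authenticated once
    # it is back, otherwise the fallback authorization persists indefinitely.
    if "authentication event server alive action reinitialize" not in cmds:
        findings.append("ALIVE-REINIT: no 'server alive action reinitialize'")

    # 'order mab dot1x' without 'priority dot1x mab' lets a MAB result win on a
    # port where the host is actually 802.1X capable.
    order = next((c.split()[2:] for c in cmds if c.startswith("authentication order ")), [])
    has_prio = any(c.startswith("authentication priority dot1x") for c in cmds)
    if order[:1] == ["mab"] and "dot1x" in order and not has_prio:
        findings.append("PRIORITY: 'authentication order mab dot1x' without "
                        "'authentication priority dot1x mab'")

    tx_period = DOT1X_TX_PERIOD_DEFAULT
    for c in cmds:
        m = re.fullmatch(r"dot1x timeout tx-period (\d+)", c)
        if m:
            tx_period = int(m.group(1))
    if tx_period > max_tx_period:
        findings.append(f"TX-PERIOD: dot1x tx-period is {tx_period}s; hosts may time out "
                        f"DHCP and self-assign 169.254.x.x (want <= {max_tx_period})")
    return findings


def audit_config(running_config: str) -> Dict[str, List[str]]:
    """Audit every interface stanza; only ports with findings are returned."""
    return {name: f for name, lines in parse_interfaces(running_config).items()
            if (f := audit_port(lines))}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_RUNNING_CONFIG).items():
        print(name)
        for finding in findings:
            print("  ", finding)
```

Feed it the output of `show running-config` from a stack member; ports that come back clean are the ones where a RADIUS-outage fallback will still land phones on the voice VLAN and get re-checked when the server is alive again.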
01-13-2015 05:50 AM
Sorry for the late reply. Thanks for the information. I had my peer set up a switch and we are going to do some testing to see if we can re-create the phone state. If we can, I'll capture some output from the show commands. I'll review your recommended changes.
Thanks
Billy
01-13-2015 10:30 AM
No worries. Please let us know of the outcome!
Thank you for rating helpful posts!