Cisco Secure ACS authentication problems after 3750 switch stack reboot.

billy_vaughn
Level 1

We are running version 5.2.0.26.4 of Cisco Secure ACS. We are using it to control access to our wired network and only allow our Cisco phones and our domain computers on the network. We use MAB for the phones and dot1x for the PCs. The system works pretty well, except whenever we reboot our closet switches quite a few of our phones will not come up and work. They just say "configuring" and "registering". You have to unplug the network cable and reboot the phone, then it will authenticate just fine. We are using Cisco 3750 switches that are stacked. We only have around 100 employees, so it's not thousands of devices trying to auth. I'm thinking we are having issues due to all the devices coming online and trying to authenticate at once. Looking for some help in figuring out if this is something we can fix. Thanks in advance.

 

Billy Vaughn

5 Replies

nspasov
Cisco Employee

Can you share your radius switch configs and port configs?

Also, can you post the output of the following commands while the phones are stuck in the "registering" state:

show authentication session interface interface_name_number

show aaa servers

 

Thank you for rating helpful posts! 

Unfortunately I don't have a phone stuck in the registering/configuring state anymore. I can only reproduce the issue by rebooting a switch stack. I'll have to capture those outputs once I can get some downtime to re-create the issue.

Switch Commands

aaa authentication login default group tacacs+ local
aaa authentication dot1x default group radius
aaa authorization network default group radius

dot1x system-auth-control

tacacs-server host 10.1.254.50 key **********
tacacs-server host 10.1.254.51 key **********
tacacs-server directed-request

radius-server host 10.1.254.50 auth-port 1645 acct-port 1646 key ***********
radius-server host 10.1.254.51 auth-port 1645 acct-port 1646 key ***********

Interface Commands

 switchport access vlan XX
 switchport mode access
 switchport nonegotiate
 switchport voice vlan XX
 authentication event server dead action authorize
 authentication host-mode multi-domain
 authentication order mab dot1x webauth
 authentication port-control auto
 mab
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable

 

Billy

Hi Billy-

It would be hard to troubleshoot this since you are unable to replicate the issue. Perhaps you can get a test switch and a test phone and try it again :)

In the meantime, I would suggest that you add/remove the following commands to your switchports:

no authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server dead action authorize vlan your_data_vlan
authentication event server alive action reinitialize

 

The first command would authorize phones to the voice VLAN if/when the Radius server is unavailable. The second command will do the same as first one but for your computers/laptops, etc. The last command would force all of the sessions that were authorized during a Radius server outage to be re-authorized. 

I have the feeling that the phones boot up before the Radius server is reachable and marked as "alive." Thus, the phones are authorized but not on the voice VLAN. 

Outside the issue that you have, I would recommend that you also add the following commands:

authentication priority dot1x mab
dot1x timeout tx-period 10

 

The first command will allow hosts that are dot1x capable to perform dot1x before mab (even though mab is set to take priority over dot1x). The second command just trims down the timeout timer which can help prevent hosts from giving up on acquiring DHCP address and assigning themselves a 169.x.x.x address. 

Well I hope all of this helps!

 

Thank you for rating helpful posts!
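To show how the recommended commands fit together with the port template Billy posted, here is an assembled access-port configuration. This is an added example, not configuration from the thread or from Cisco documentation. The VLAN IDs (10 for data, 20 for voice), the interface range, and the dead-criteria timer values are assumptions for illustration; the RADIUS host lines from the original post are unchanged and omitted here.

```cisco
! Added example: the posted access-port template with the recommended
! changes folded in. VLAN 10 (data), VLAN 20 (voice), the interface range
! and the dead-criteria values are illustrative assumptions, not values
! taken from the thread.
!
! Global: a "server dead" action only fires once the switch has actually
! declared its RADIUS servers dead, so give it explicit criteria. With the
! values below a server is marked dead after 3 unanswered requests over 5 s
! and left in the dead state for 10 minutes before it is retried.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
interface range GigabitEthernet1/0/1 - 48
 switchport mode access
 switchport nonegotiate
 switchport access vlan 10
 switchport voice vlan 20
 ! While RADIUS is unreachable, place phones in the voice VLAN and data
 ! hosts in the data VLAN instead of an unqualified authorize.
 no authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event server dead action authorize vlan 10
 ! Once a RADIUS server is reachable again, tear down sessions that were
 ! authorized during the outage so they re-authenticate against ACS.
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order mab dot1x webauth
 ! A supplicant that answers 802.1X wins over the MAB attempt that runs
 ! first in the order above.
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 ! With the default max-reauth-req of 2, three EAP-Request/Identity frames
 ! at 10 s spacing mean roughly 30 s before falling through, instead of the
 ! 90 s the default 30 s tx-period gives.
 dot1x timeout tx-period 10
 mls qos trust device cisco-phone
 mls qos trust cos
 spanning-tree portfast
 spanning-tree bpduguard enable
```

After applying it, `show authentication sessions interface <port>` on a port whose phone came up during an outage should show the session in the critical-authorization state, and `show aaa servers` should show the server state (up or dead) and the dead-time counters that drive the `server dead` and `server alive` actions.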

Sorry for the late reply. Thanks for the information. I had my peer set up a switch and we are going to do some testing to see if we can re-create the phone state. If we can, I'll capture some output from the show commands. I'll review your recommended changes.

 

Thanks

Billy

No worries. Please let us know of the outcome!

 

Thank you for rating helpful posts!
