Configuring Inaccessible Authentication Bypass and Critical Voice VLAN, together with guest VLAN

Kjetil Fleten
Level 1

Hi

On a Catalyst 2960, I'm trying to allow an IP phone and a computer on the same port, and verify those devices against RADIUS (ISE). Unauthenticated devices should be placed in the guest VLAN. In the event of a RADIUS failure, no device should be placed in the guest VLAN; they should go to the access VLAN instead.

When authentication fails for a device, it goes to guest VLAN 50, as desired. When RADIUS is down, it should bypass authentication and go to the access VLAN, but it does not. Why?

My port setting and RADIUS setup looks like this:

interface GigabitEthernet1/0/5
 switchport access vlan 5
 switchport mode access
 switchport voice vlan 6
 authentication event server dead action authorize vlan 5
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 50
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 mls qos trust dscp
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
end

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server dead-criteria time 120
radius-server retry method reorder
radius-server transaction max-tries 3
!
radius server ISE
 address ipv4 [omitted by me] auth-port 1812 acct-port 1813
 key [omitted by me]

Output from switch when I connect:

%DOT1X-5-FAIL: Authentication failed for client (001e.330c.7871) on Interface Gi1/0/5 AuditSessionID C0A80BDC0000008F013B8CF6
Mar 30 07:12:28.821: AAA/AUTHEN/8021X (00000000): Pick method list 'default' 
Mar 30 07:12:28.821: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified

Regards

Kjetil
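A check worth running on the posted configuration before chasing the switch, as an added example that is not part of the thread: Cisco's Inaccessible Authentication Bypass procedure pairs `authentication event server dead action authorize ...` on the port with both `radius-server dead-criteria` and a non-zero `radius-server deadtime` in global configuration, and reinitializes critically authorized ports with `authentication event server alive action reinitialize` once the server returns. The global config in the question sets dead-criteria only. The script below splits an IOS running-config into global lines and interface blocks and reports, for every port that configures critical authorization, which of those pieces are absent. The POSTED_CONFIG constant is a trimmed copy of the lines in the question; the FIXED_CONFIG variant and its values (dead-criteria 30 s / 3 tries, deadtime 15 minutes) are my assumptions, not anything from the thread. Whether a given IOS release actually moves the server to the DEAD state is something to confirm on the switch itself with `show aaa servers` and `show authentication sessions interface ...` while RADIUS is unreachable.

```python
"""Lint a Catalyst IOS config for the pieces Inaccessible Authentication Bypass
(critical VLAN) needs. Added example; POSTED_CONFIG is trimmed from the forum
post, FIXED_CONFIG and its values are assumptions."""
import re

# Trimmed copy of the interface and RADIUS lines from the question above.
POSTED_CONFIG = """
interface GigabitEthernet1/0/5
 switchport access vlan 5
 switchport mode access
 switchport voice vlan 6
 authentication event server dead action authorize vlan 5
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 50
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
end
!
radius-server attribute 6 on-for-login-auth
radius-server dead-criteria time 120
radius-server retry method reorder
"""

# Hypothetical corrected config: the values below are assumptions, not from the thread.
FIXED_CONFIG = POSTED_CONFIG.replace(
    "radius-server dead-criteria time 120",
    "radius-server dead-criteria time 30 tries 3\nradius-server deadtime 15",
).replace(
    " authentication host-mode multi-auth",
    " authentication event server alive action reinitialize\n"
    " authentication host-mode multi-auth",
)

DEAD_ACTION = re.compile(r"^authentication event server dead action authorize (vlan \d+|voice)$")
ALIVE_ACTION = "authentication event server alive action reinitialize"
DEAD_CRITERIA = re.compile(r"^radius-server dead-criteria( time \d+)?( tries \d+)?$")
DEADTIME = re.compile(r"^radius-server deadtime (\d+)$")

MESSAGES = {
    "no-dead-criteria": "no 'radius-server dead-criteria'; dead detection left at IOS defaults",
    "no-deadtime": "no non-zero 'radius-server deadtime'; server is not held in the dead state",
    "no-alive-reinitialize": "no 'authentication event server alive action reinitialize'; "
                             "critical sessions are not re-authenticated when RADIUS returns",
    "voice-without-voice-vlan": "critical voice action without 'switchport voice vlan'",
}


def split_config(text):
    """Split a running-config dump into (global_lines, {ifname: [stripped lines]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped in ("!", "end"):
            current = None              # '!' and 'end' close an interface block
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(stripped)
        else:
            current = None              # back at global level
            global_lines.append(stripped)
    return global_lines, interfaces


def lint_critical_auth(text):
    """Return {ifname: [finding codes]} for each port that configures critical auth."""
    global_lines, interfaces = split_config(text)
    has_criteria = any(DEAD_CRITERIA.match(line) for line in global_lines)
    deadtime = 0                        # IOS default: deadtime 0
    for line in global_lines:
        m = DEADTIME.match(line)
        if m:
            deadtime = int(m.group(1))
    report = {}
    for name, lines in interfaces.items():
        dead_actions = [m.group(1) for m in map(DEAD_ACTION.match, lines) if m]
        if not dead_actions:
            continue                    # port does not use critical auth
        findings = []
        if not has_criteria:
            findings.append("no-dead-criteria")
        if deadtime == 0:
            findings.append("no-deadtime")
        if ALIVE_ACTION not in lines:
            findings.append("no-alive-reinitialize")
        if "voice" in dead_actions and not any(l.startswith("switchport voice vlan ") for l in lines):
            findings.append("voice-without-voice-vlan")
        report[name] = findings
    return report


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        for port, codes in lint_critical_auth(cfg).items():
            print(f"[{label}] {port}: " + ("; ".join(MESSAGES[c] for c in codes) or "ok"))
```

Run it as-is and the posted port reports the missing deadtime and the missing alive/reinitialize action, while the assumed fixed variant comes back clean; feed it your own `show running-config` text to lint every critical-auth port at once.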

2 Replies

PedroReforco
Level 1

Hi

For me it gets worse... I want it to go to VlanGuest and it won't... ever... I compared my port configuration with yours and it's almost identical...

Config from my port:

interface FastEthernet0/28
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 113
 switchport port-security maximum 2
 switchport port-security
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication event fail action authorize vlan 165
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer restart 120
 authentication timer reauthenticate server
 authentication timer inactivity 600
 mab
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 dot1x pae authenticator
 storm-control broadcast level 20.00
 storm-control action trap
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
 spanning-tree guard loop
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
end

Errors from the switch when plugging into the port:

045739: May 29 16:35:21.045 PT: %AUTHMGR-5-START: Starting 'mab' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF0100001448E5D4800E
045740: May 29 16:35:21.054 PT: %MAB-5-FAIL: Authentication failed for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF0100001448E5D4800E
045741: May 29 16:35:21.054 PT: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF0100001448E5D4800E
045742: May 29 16:35:21.062 PT: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF0100001448E5D4800E
045743: May 29 16:35:21.062 PT: %AUTHMGR-5-START: Starting 'dot1x' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF0100001448E5D4800E
045744: May 29 16:35:22.866 PT: %LINK-3-UPDOWN: Interface FastEthernet0/28, changed state to up
045745: May 29 16:35:23.872 PT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/28, changed state to up

045747: May 29 16:36:53.691 PT: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF0100001448E5D4800E
045748: May 29 16:36:53.691 PT: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF0100001448E5D4800E
045749: May 29 16:36:53.691 PT: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF0100001448E5D4800E
045750: May 29 16:36:53.699 PT: %AUTHMGR-5-FAIL: Authorization failed for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF0100001448E5D4800E

Hi!!!

Mine is working already... here's my configuration, please check if it works for you!

Here's the input:

interface FastEthernet0/28
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 113
 switchport port-security maximum 2
 switchport port-security
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer restart 120
 authentication timer reauthenticate server
 authentication timer inactivity 600
 mab
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 dot1x pae authenticator
 storm-control broadcast level 20.00
 storm-control action trap
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
 spanning-tree guard loop
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
 dot1x mac-auth-bypass
 dot1x critical recovery action reinitialize
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x control-direction in
 dot1x timeout quiet-period 2
 dot1x timeout server-timeout 2
 dot1x timeout reauth-period server
 dot1x timeout tx-period 1
 dot1x timeout supp-timeout 2
 dot1x max-reauth-req 1
 dot1x reauthentication
 dot1x guest-vlan 166
 dot1x auth-fail vlan 166

The output came out with the syntax fixed for the 2960 model:

interface FastEthernet0/28
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 113
 switchport port-security maximum 2
 switchport port-security
 shutdown
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication control-direction in
 authentication event fail action authorize vlan 166
 authentication event no-response action authorize vlan 166
 authentication event server alive action reinitialize
 authentication host-mode multi-host
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer restart 120
 authentication timer reauthenticate server
 authentication timer inactivity 600
 mab
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 dot1x pae authenticator
 dot1x timeout quiet-period 2
 dot1x timeout server-timeout 2
 dot1x timeout tx-period 1
 dot1x timeout supp-timeout 2
 dot1x max-reauth-req 1
 storm-control broadcast level 20.00
 storm-control action trap
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
 spanning-tree guard loop
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
end

And the terminal monitor output is like this:

046200: May 29 18:01:32.251 PT: %AUTHMGR-5-START: Starting 'mab' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF010000146BE62367DB
046201: May 29 18:01:32.268 PT: %MAB-5-FAIL: Authentication failed for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF010000146BE62367DB
046202: May 29 18:01:32.268 PT: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF010000146BE62367DB
046203: May 29 18:01:32.268 PT: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF010000146BE62367DB
046204: May 29 18:01:32.268 PT: %AUTHMGR-5-START: Starting 'dot1x' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF010000146BE62367DB
046205: May 29 18:01:34.097 PT: %LINK-3-UPDOWN: Interface FastEthernet0/28, changed state to up
046206: May 29 18:01:34.332 PT: %DOT1X-5-FAIL: Authentication failed for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID
046207: May 29 18:01:34.332 PT: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF010000146BE62367DB
046208: May 29 18:01:34.332 PT: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF010000146BE62367DB
046209: May 29 18:01:34.332 PT: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF010000146BE62367DB
046210: May 29 18:01:34.332 PT: %AUTHMGR-5-VLANASSIGN: VLAN 166 assigned to Interface Fa0/28 AuditSessionID 0A07FF010000146BE62367DB
046211: May 29 18:01:35.112 PT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/28, changed state to up
046212: May 29 18:01:35.322 PT: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/28 AuditSessionID 0A07FF010000146BE62367DB
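As an added example, not part of the thread, of reading those two captures mechanically: the script below groups the AUTHMGR syslog lines by AuditSessionID and classifies the outcome of each session. The LOG text is copied from the two captures in the reply above, trimmed of the FAILOVER and link-state lines that carry no decision; the truncated DOT1X-5-FAIL line without a session ID is skipped on purpose. The one line that separates the two captures is VLANASSIGN after NOMOREMETHODS: in the first, both methods return no-response and authorization fails with nothing assigned, in the second the same sequence ends with VLAN 166 assigned and authorization succeeding on the port.

```python
"""Group Catalyst AUTHMGR syslog lines by AuditSessionID and classify each
802.1X/MAB session. Added example; LOG is copied (trimmed) from the captures
posted above."""
import re

LOG = """\
045739: May 29 16:35:21.045 PT: %AUTHMGR-5-START: Starting 'mab' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF0100001448E5D4800E
045740: May 29 16:35:21.054 PT: %MAB-5-FAIL: Authentication failed for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF0100001448E5D4800E
045741: May 29 16:35:21.054 PT: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF0100001448E5D4800E
045743: May 29 16:35:21.062 PT: %AUTHMGR-5-START: Starting 'dot1x' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF0100001448E5D4800E
045744: May 29 16:35:22.866 PT: %LINK-3-UPDOWN: Interface FastEthernet0/28, changed state to up
045747: May 29 16:36:53.691 PT: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF0100001448E5D4800E
045749: May 29 16:36:53.691 PT: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF0100001448E5D4800E
045750: May 29 16:36:53.699 PT: %AUTHMGR-5-FAIL: Authorization failed for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF0100001448E5D4800E
046200: May 29 18:01:32.251 PT: %AUTHMGR-5-START: Starting 'mab' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF010000146BE62367DB
046202: May 29 18:01:32.268 PT: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF010000146BE62367DB
046204: May 29 18:01:32.268 PT: %AUTHMGR-5-START: Starting 'dot1x' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF010000146BE62367DB
046206: May 29 18:01:34.332 PT: %DOT1X-5-FAIL: Authentication failed for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID
046207: May 29 18:01:34.332 PT: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF010000146BE62367DB
046209: May 29 18:01:34.332 PT: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (d4be.d953.4e2d) on Interface Fa0/28 AuditSessionID 0A07FF010000146BE62367DB
046210: May 29 18:01:34.332 PT: %AUTHMGR-5-VLANASSIGN: VLAN 166 assigned to Interface Fa0/28 AuditSessionID 0A07FF010000146BE62367DB
046212: May 29 18:01:35.322 PT: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/28 AuditSessionID 0A07FF010000146BE62367DB
"""

MNEMONIC = re.compile(r"%(?P<mn>[A-Z0-9]+-\d-[A-Z]+):")
SESSION = re.compile(r"AuditSessionID\s+(?P<sid>[0-9A-Fa-f]{8,})")
START = re.compile(r"Starting '(?P<method>\w+)' for client \((?P<client>[^)]+)\) on Interface (?P<iface>\S+)")
RESULT = re.compile(r"Authentication result '(?P<result>[\w-]+)' from '(?P<method>\w+)'")
VLAN = re.compile(r"VLAN (?P<vlan>\d+) assigned")


def new_session():
    return {"client": None, "iface": None, "methods": [], "results": [],
            "exhausted": False, "vlan": None, "final": None}


def parse_sessions(text):
    """Return {AuditSessionID: session state} built from AUTHMGR lines only."""
    sessions = {}
    for line in text.splitlines():
        mn, sid = MNEMONIC.search(line), SESSION.search(line)
        if not mn or not sid:
            continue                        # link-state noise, prompts, truncated lines
        s = sessions.setdefault(sid.group("sid"), new_session())
        name = mn.group("mn")
        if name == "AUTHMGR-5-START":
            m = START.search(line)
            s["methods"].append(m.group("method"))
            s["client"] = s["client"] or m.group("client")
            s["iface"] = m.group("iface")
        elif name == "AUTHMGR-7-RESULT":
            m = RESULT.search(line)
            s["results"].append((m.group("method"), m.group("result")))
        elif name == "AUTHMGR-7-NOMOREMETHODS":
            s["exhausted"] = True
        elif name == "AUTHMGR-5-VLANASSIGN":
            s["vlan"] = int(VLAN.search(line).group("vlan"))
        elif name == "AUTHMGR-5-SUCCESS":
            s["final"] = "authz-success"
        elif name == "AUTHMGR-5-FAIL":
            s["final"] = "authz-failed"
    return sessions


def summarize(sessions):
    """One-line verdict per session: where the client ended up and why."""
    out = {}
    for sid, s in sessions.items():
        tried = ", ".join(f"{m}={r}" for m, r in s["results"]) or "no results yet"
        if s["final"] == "authz-success":
            where = f"VLAN {s['vlan']}" if s["vlan"] is not None else "the configured access VLAN"
            out[sid] = f"authorized in {where} after {tried}"
        elif s["final"] == "authz-failed" and s["exhausted"] and s["vlan"] is None:
            out[sid] = f"unauthorized: {tried}; all methods exhausted and no fallback VLAN assigned"
        elif s["final"] == "authz-failed":
            out[sid] = f"authorization failed after {tried}"
        else:
            out[sid] = f"in progress: {tried}"
    return out


if __name__ == "__main__":
    for sid, verdict in summarize(parse_sessions(LOG)).items():
        print(f"{sid}: {verdict}")
```

The same grouping works on a `show logging` dump or a syslog collector export; sessions that end in "exhausted and no fallback VLAN assigned" are the ports that will sit unauthorized until the next reauthentication, which is the state the first capture shows.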