08-10-2012 05:47 AM - edited 03-10-2019 07:24 PM
Hi,
I isolated a strange case in a dot1x scenario:
Dot1x is enabled wrongly on the phone and it tries to authenticate using MIC. That's OK.
ACS doesn't have the Cisco MIC root CA, so it doesn't authenticate the phone: That's OK.
EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain
Now this process loops, as I can see from AUTHMGR:
Aug 10 13:44:53: %AUTHMGR-5-START: Starting 'dot1x' for client (0817.35d5.94db) on Interface Fa0/2 AuditSessionID C0A8A888000000ED00367B2C
PED-SW-TESTNAC-136#
Aug 10 13:44:55: %AUTHMGR-5-START: Starting 'dot1x' for client (0817.35d5.94db) on Interface Fa0/2 AuditSessionID C0A8A888000000EE0036832B
PED-SW-TESTNAC-136#
Aug 10 13:44:57: %AUTHMGR-5-START: Starting 'dot1x' for client (0817.35d5.94db) on Interface Fa0/2 AuditSessionID C0A8A888000000EF00368B2A
PED-SW-TESTNAC-136#
Aug 10 13:44:59: %AUTHMGR-5-START: Starting 'dot1x' for client (0817.35d5.94db) on Interface Fa0/2 AuditSessionID C0A8A888000000F000369318
PED-SW-TESTNAC-136#
Aug 10 13:45:02: %AUTHMGR-5-START: Starting 'dot1x' for client (0817.35d5.94db) on Interface Fa0/2 AuditSessionID C0A8A888000000F100369B0E
PED-SW-TESTNAC-136#
Aug 10 13:45:04: %AUTHMGR-5-START: Starting 'dot1x' for client (0817.35d5.94db) on Interface Fa0/2 AuditSessionID C0A8A888000000F20036A2F4
PED-SW-TESTNAC-136#
Aug 10 13:45:06: %AUTHMGR-5-START: Starting 'dot1x' for client (0817.35d5.94db) on Interface Fa0/2 AuditSessionID C0A8A888000000F30036AAEA
PED-SW-TESTNAC-136#
Aug 10 13:45:08: %AUTHMGR-5-START: Starting 'dot1x' for client (0817.35d5.94db) on Interface Fa0/2 AuditSessionID C0A8A888000000F40036B2F2
PED-SW-TESTNAC-136#
Aug 10 13:45:10: %AUTHMGR-5-START: Starting 'dot1x' for client (0817.35d5.94db) on Interface Fa0/2 AuditSessionID C0A8A888000000F50036BAF9
PED-SW-TESTNAC-136#
Aug 10 13:45:12: %AUTHMGR-5-START: Starting 'dot1x' for client (0817.35d5.94db) on Interface Fa0/2 AuditSessionID C0A8A888000000F60036C2E7
PED-SW-TESTNAC-136#
Aug 10 13:45:14: %AUTHMGR-5-START: Starting 'dot1x' for client (0817.35d5.94db) on Interface Fa0/2 AuditSessionID C0A8A888000000F70036CAE6
No MAB or guest VLAN is deployed... That is not OK.
Port configuration:
interface FastEthernet0/2
description HIGH SEC MODE
switchport access vlan 117
switchport mode access
switchport voice vlan 417
priority-queue out
authentication event fail action authorize vlan 195
authentication event server dead action authorize vlan 117
authentication event no-response action authorize vlan 195
authentication host-mode multi-domain
authentication port-control auto
authentication violation restrict
mab
mls qos trust device cisco-phone
mls qos trust dscp
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
I tried to authenticate with MIC. That works.
I modified the authentication order to mab dot1x. That works.
But is there a method to avoid it? Why doesn't the phone stop after 3 attempts?
Thanks to all,
Iarno
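As an added example that is not part of the original post, the following Python script shows how a defender can spot the behaviour in the AUTHMGR output above from a syslog collector: it parses the %AUTHMGR-5-START lines, groups them per interface and client MAC, and flags clients whose consecutive dot1x restarts are all spaced closer than the IOS default quiet-period of 60 seconds. The Fa0/2 lines in the sample are copied from the post; the Fa0/3 client (MAC aaaa.bbbb.cccc and its AuditSessionIDs) is constructed as a non-looping contrast. The function and parameter names are my own, not an IOS or ACS API.

```python
"""Detect dot1x restart loops from IOS %AUTHMGR-5-START syslog lines.

Added example (not from the original thread): groups START events per
interface/MAC, measures the gap between consecutive restarts and flags
clients that keep restarting faster than the configured quiet-period.
"""
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the Fa0/2 lines and the interleaved prompt are copied from the
# post above; the two Fa0/3 lines (MAC and session IDs) are constructed.
SAMPLE_LOG = """\
Aug 10 13:44:53: %AUTHMGR-5-START: Starting 'dot1x' for client (0817.35d5.94db) on Interface Fa0/2 AuditSessionID C0A8A888000000ED00367B2C
PED-SW-TESTNAC-136#
Aug 10 13:44:55: %AUTHMGR-5-START: Starting 'dot1x' for client (0817.35d5.94db) on Interface Fa0/2 AuditSessionID C0A8A888000000EE0036832B
Aug 10 13:44:57: %AUTHMGR-5-START: Starting 'dot1x' for client (0817.35d5.94db) on Interface Fa0/2 AuditSessionID C0A8A888000000EF00368B2A
Aug 10 13:44:59: %AUTHMGR-5-START: Starting 'dot1x' for client (0817.35d5.94db) on Interface Fa0/2 AuditSessionID C0A8A888000000F000369318
Aug 10 13:45:02: %AUTHMGR-5-START: Starting 'dot1x' for client (0817.35d5.94db) on Interface Fa0/2 AuditSessionID C0A8A888000000F100369B0E
Aug 10 13:46:30: %AUTHMGR-5-START: Starting 'dot1x' for client (aaaa.bbbb.cccc) on Interface Fa0/3 AuditSessionID C0A8A888000000F80036D000
Aug 10 13:47:35: %AUTHMGR-5-START: Starting 'dot1x' for client (aaaa.bbbb.cccc) on Interface Fa0/3 AuditSessionID C0A8A888000000F90036D100
"""

# One IOS START line: timestamp, method, client MAC, interface, audit session id.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}): %AUTHMGR-5-START: "
    r"Starting '(?P<method>\w+)' for client \((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) "
    r"on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-Fa-f]+)$"
)


def parse_events(text):
    """Return one dict per START line; prompts and unrelated lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        # IOS timestamps carry no year; strptime defaults to 1900, fine for deltas.
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        events.append({"ts": ts, "method": m.group("method"), "mac": m.group("mac"),
                       "intf": m.group("intf"), "sid": m.group("sid")})
    return events


def find_restart_loops(events, quiet_period_s=60, min_starts=3):
    """Flag (interface, mac) pairs with at least min_starts START events whose
    consecutive gaps are all shorter than quiet_period_s (IOS default: 60 s).
    A client honouring the quiet-period would show gaps of at least that length."""
    by_client = defaultdict(list)
    for e in events:
        by_client[(e["intf"], e["mac"])].append(e)

    loops = {}
    for key, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        if len(evs) >= min_starts and all(g < quiet_period_s for g in gaps):
            loops[key] = {
                "starts": len(evs),
                "mean_gap_s": sum(gaps) / len(gaps),
                # every restart in the post carries a fresh AuditSessionID
                "unique_sessions": len({e["sid"] for e in evs}),
            }
    return loops


if __name__ == "__main__":
    for (intf, mac), info in find_restart_loops(parse_events(SAMPLE_LOG)).items():
        print(f"{intf} {mac}: {info['starts']} dot1x starts, mean gap "
              f"{info['mean_gap_s']:.1f}s, {info['unique_sessions']} distinct AuditSessionIDs")
```

On the sample the Fa0/2 phone is reported with five starts about 2.3 seconds apart, well under both the 60-second quiet-period and the 10-second tx-period in the port configuration, which is exactly the symptom the thread discusses; the Fa0/3 client, restarting 65 seconds apart, is not flagged.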
08-13-2012 12:09 AM
Hi,
This may be the issue you are hitting:
Because MAB begins immediately after an IEEE 802.1X failure, there are no timing issues. However, to trigger MAB, the endpoint must send a packet after the IEEE 802.1X failure. In other words, the IEEE 802.1X supplicant on the endpoint must fail open.
This is at the beginning of the guide you posted before.
Sent from Cisco Technical Support iPad App
08-10-2012 10:55 PM
Hi,
The guest VLAN will only work for data devices; the port knows that this is a phone through CDP, that is why you aren't able to get placed on the guest VLAN.
As for the authentication attempts, can you issue a "show dot1x interface fa0/2" in order to verify the quiet timer (the default is 60 seconds)?
Thanks,
Tarik Admani
*Please rate helpful posts*
08-11-2012 10:09 AM
Hi,
OK for the guest, but what about MAB?
The quiet timer is 60 secs but it is not invoked: If 802.1X fails and there are no failover mechanisms enabled (MAB, Web Authentication, AuthFail VLAN), the switch waits for a period of time known as the quiet-period
Thanks
Sent from Cisco Technical Support iPad App
08-11-2012 04:21 PM
Since the port knows that this is a phone, it will not fail the phone over into what is called the data domain. Guest and auth-fail VLANs are only for data devices.
08-12-2012 01:27 AM
Thanks for quick response.
However, I expected that the switch, after some dot1x failures, would try MAB, even in the voice VLAN.
08-12-2012 01:33 AM
It will not try MAB if dot1x fails. I finally found the doc that states this:
The last note mentions this.
thanks,
Tarik Admani
*Please rate helpful posts*
08-12-2012 03:14 AM
Hi,
I read the document but I think it isn't my case. The document speaks about configuring MAB before dot1x; in this case I know that MAB cannot be used as a next method for IEEE 802.1X authentication failures.
This document treats MAB as failover for a dot1x failure:
But even configuring on port:
authentication event fail action next-method
It doesn't work.