Dot1x issues

sullyjman12
Level 1

I had dot1x working with a guest vlan, data vlan and voice vlan. I have upgraded my IOS and now I'm having this issue:

1.  IP Phone can register with cisco call manager (Great)

2.  Plug in a computer on the domain with a certificate into the phone and dot1x allows it on the network (Great).

3.  Plug my macbook into the switch port of the IP Phone and it times out and doesn't kick the macbook into the guest vlan (Sucks). It just gets an APIPA ip address

I get these errors:

%DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa6/35 AuditSessionID 0A820C01000004CE1F6FCAE6

%AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa6/35 AuditSessionID 0A820C01000004CE1F6FCAE6

I guess it's going off the mac address of the machine when it's plugged into the phone. Is there any way to disable this and have it dump straight into the guest vlan if there is no supplicant or the supplicant fails?

I had this working perfectly before the IOS upgrade. I am running IOS version cat4500-ipbasek9-mz.150-2.SG.bin. I am running the Cisco 4507 with dual supervisor boards.

Mod Ports Card Type                              Model
---+-----+--------------------------------------+------------------+-----------
1     2  Supervisor II+ 1000BaseX (GBIC)        WS-X4013+
2     2  Supervisor II+ 1000BaseX (GBIC)        WS-X4013+
3    48  10/100/1000BaseT (RJ45)                WS-X4548-GB-RJ45
4    48  10/100/1000BaseT (RJ45)                WS-X4548-GB-RJ45
5    48  10/100/1000BaseT (RJ45)                WS-X4548-GB-RJ45
6    48  10/100BaseTX (RJ45)V, Cisco/IEEE       WS-X4248-RJ45V
7    48  10/100BaseTX (RJ45)V, Cisco/IEEE       WS-X4248-RJ45V

Here is what I have configured on my testing port:

interface FastEthernet6/35
 switchport mode access
 switchport voice vlan 50
 logging event link-status
 authentication event fail retry 5 action authorize vlan 69
 authentication event no-response action authorize vlan 69
 authentication host-mode multi-host
 authentication order dot1x
 authentication priority dot1x
 authentication port-control auto
 authentication timer restart 10800
 authentication timer reauthenticate 10800
 dot1x pae authenticator
 dot1x timeout quiet-period 5
 dot1x timeout server-timeout 10
 dot1x timeout tx-period 5
 dot1x max-reauth-req 1
 spanning-tree portfast

Now here is the kicker: if I unplug my phone and plug my macbook pro into the port directly, it bumps the port into VLAN 69, which is the guest vlan and what I wanted. So it has something to do with the port not transitioning to the guest vlan while plugged into the IP Phone.

Any clues?

7 Replies

Tarik Admani
VIP Alumni

Auth fail vlan assignment is only supported on single host mode found here -

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/15.02SG/configuration/guide/dot1x.html#wp1198927

See if you can set this port to single host and try again.

Thanks,
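As an added example (not code from this thread or from Cisco), the following Python script audits interface stanzas from a running-config for the combination Tarik points out: an auth-fail or no-response VLAN on a port whose host mode is not single-host, and then picks out the %AUTHMGR-7-NOMOREMETHODS log lines that hit those ports. The config and log lines are constructed from the ones posted above; FastEthernet6/36 is a hypothetical second port, and single-host is assumed to be the host mode when the line is absent.

```python
import re

# Constructed sample: the stanza from the question plus a hypothetical single-host port.
SAMPLE_CONFIG = """\
interface FastEthernet6/35
 switchport voice vlan 50
 authentication event fail retry 5 action authorize vlan 69
 authentication event no-response action authorize vlan 69
 authentication host-mode multi-host
 authentication port-control auto
!
interface FastEthernet6/36
 authentication event fail action authorize vlan 69
 authentication host-mode single-host
!
"""
# Constructed syslog lines modelled on the ones in the question.
SAMPLE_LOG = [
    "%DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa6/35 AuditSessionID 0A820C01000004CE1F6FCAE6",
    "%AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa6/35 AuditSessionID 0A820C01000004CE1F6FCAE6",
]
STANZA_RE = re.compile(r"^interface (\S+)\n((?: .*\n)*)", re.M)
FALLBACK_RE = re.compile(r"^ authentication event (fail|no-response) .*action authorize vlan (\d+)", re.M)
HOST_MODE_RE = re.compile(r"^ authentication host-mode (\S+)", re.M)
NOMORE_RE = re.compile(r"%AUTHMGR-7-NOMOREMETHODS: .* on Interface (\S+) AuditSessionID (\w+)")

def short_name(ifname: str) -> str:
    """Map 'FastEthernet6/35' to the abbreviated 'Fa6/35' form used in syslog."""
    m = re.match(r"([A-Za-z]{2})[A-Za-z]*(\S+)", ifname)
    return m.group(1) + m.group(2)

def parse_interfaces(config: str) -> dict:
    """Return {interface: (host_mode, {event: fallback_vlan})} for each stanza."""
    ports = {}
    for name, body in STANZA_RE.findall(config):
        hm = HOST_MODE_RE.search(body)
        host_mode = hm.group(1) if hm else "single-host"  # assumed default when absent
        ports[name] = (host_mode, {ev: int(v) for ev, v in FALLBACK_RE.findall(body)})
    return ports

def find_unsupported_fallback(config: str) -> list:
    """Ports that set an auth-fail/no-response VLAN but are not in single-host mode."""
    return sorted(name for name, (mode, vlans) in parse_interfaces(config).items()
                  if vlans and mode != "single-host")

def exhausted_sessions(log: list, config: str) -> list:
    """(interface, AuditSessionID) from NOMOREMETHODS lines that landed on a flagged port."""
    flagged = {short_name(n) for n in find_unsupported_fallback(config)}
    found = [NOMORE_RE.search(line) for line in log]
    return [(m.group(1), m.group(2)) for m in found if m and m.group(1) in flagged]
```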

Thank you for this information, I'll look into this, but this was working fine with a voice vlan and auth fail vlan assignment before I moved to the new IOS.

What is really odd is when I reboot the phone and plug the macbook into the second port, the macbook gets dumped into the guest vlan (which is what I want). If I unplug the macbook and plug in a computer that is on our domain (and uses dot1x to authenticate), it gets dumped into the data vlan (which is what I want). Now if I unplug the domain laptop and plug my macbook back into that port, I get an APIPA address. If I reboot the phone again and plug the macbook in, it gets dumped to the guest vlan. If I unplug the macbook, wait a few minutes and plug the macbook in again, I get dumped into the guest vlan again.

So it works until I remove the guest machine and plug in a domain computer; it's like the port doesn't transition back to an unauthenticated port.

What version of phone are you running on this port (show cdp neighbors detail)? Keep in mind that these phones need to be deployed with the 2nd port feature enabled. Also, if you do show mac address interface type x/x, do you still see the mac address of the previous laptop/macbook on the port?

Thanks,

Tarik

To answer your first question:

Device ID: SEP002584A27BC9
Entry address(es):
  IP address: 10.130.10.171
Platform: Cisco IP Phone 7942,  Capabilities: Host Phone Two-port Mac Relay
Interface: FastEthernet6/35,  Port ID (outgoing port): Port 1
Holdtime : 127 sec
Second Port Status: Down
Version :
SCCP42.8-4-4S
advertisement version: 2
Duplex: full
Power drawn: 6.300 Watts
Power request id: 31689, Power management id: 3
Power request levels are:6300 0 0 0 0
Management address(es):

(No computer is plugged into the phone at the moment)

I'm not sure what you mean by the second port feature being enabled, isn't that on by default? Since I can connect to the network fine on the second network card I assume that is what you mean. I'll check the mac address issue today!

I think you should have this configured: dot1x port-control auto

The new IOS doesn't support that command; what you are talking about is done by issuing the command "authentication port-control auto", which I have done.
