06-30-2011 05:29 PM - edited 03-12-2019 05:39 PM
I had dot1x working with a guest VLAN, data VLAN and voice VLAN. I have upgraded my IOS and now I'm having this issue:
1. IP phone can register with Cisco Call Manager (great).
2. Plug a computer on the domain with a certificate into the phone and dot1x allows it on the network (great).
3. Plug my MacBook into the switch port of the IP phone and it times out and doesn't kick the MacBook into the guest VLAN (sucks). It just gets an APIPA IP address.
I get these errors:
%DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa6/35 AuditSessionID 0A820C01000004CE1F6FCAE6
%AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa6/35 AuditSessionID 0A820C01000004CE1F6FCAE6
I guess it's going off the MAC address of the machine when it's plugged into the phone. Is there any way to disable this and have it dump straight into the guest VLAN if there is no supplicant or the supplicant fails?
I had this working perfectly before the IOS upgrade. I am running IOS version cat4500-ipbasek9-mz.150-2.SG.bin on a Cisco 4507 with dual supervisor boards:
Mod Ports Card Type                              Model
--- ----- -------------------------------------- ------------------
1   2     Supervisor II+ 1000BaseX (GBIC)        WS-X4013+
2   2     Supervisor II+ 1000BaseX (GBIC)        WS-X4013+
3   48    10/100/1000BaseT (RJ45)                WS-X4548-GB-RJ45
4   48    10/100/1000BaseT (RJ45)                WS-X4548-GB-RJ45
5   48    10/100/1000BaseT (RJ45)                WS-X4548-GB-RJ45
6   48    10/100BaseTX (RJ45)V, Cisco/IEEE       WS-X4248-RJ45V
7   48    10/100BaseTX (RJ45)V, Cisco/IEEE       WS-X4248-RJ45V
Here is what I have configured on my testing port:
switchport mode access
switchport voice vlan 50
logging event link-status
authentication event fail retry 5 action authorize vlan 69
authentication event no-response action authorize vlan 69
authentication host-mode multi-host
authentication order dot1x
authentication priority dot1x
authentication port-control auto
authentication timer restart 10800
authentication timer reauthenticate 10800
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout server-timeout 10
dot1x timeout tx-period 5
dot1x max-reauth-req 1
Now here is the kicker: if I unplug my phone and plug my MacBook Pro into the port directly, it bumps the port into VLAN 69, which is the guest VLAN and what I wanted. So it has something to do with the port not transitioning to the guest VLAN while plugged into the IP phone.
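For comparison, the per-port configuration I would test against the one posted above. This is an added example written by the editor, not configuration from the thread or from Cisco. The posted block uses `authentication host-mode multi-host`, which admits every MAC behind the phone under the single session of whichever device authenticated first; the block below uses `multi-domain` (MDA), the host mode Cisco documents for exactly one phone in the voice domain plus one data device behind it, each with its own 802.1X session that is torn down when that device leaves. In MDA the phone itself must authenticate into the voice domain, so MAB is assumed here as its fallback method, which in turn assumes the RADIUS server knows the phone's MAC and returns the voice-domain attribute; none of that is discussed in the thread. VLAN 50, VLAN 69, the interface name and the timers are the poster's; everything else is an assumption. Whether the auth-fail and no-response VLAN actions are honored in a given host mode on this exact image is the point the 07-01-2011 reply raises, so confirm it against the 15.0(2)SG configuration guide before deploying.

```cisco
! Added example (editor's assumption, not from the thread or from Cisco).
! Assumes: VLAN 50 = voice, VLAN 69 = guest, data VLAN assigned by RADIUS,
! phone MAC known to RADIUS for MAB, same timers as the poster's port.
interface FastEthernet6/35
 switchport mode access
 switchport voice vlan 50
 logging event link-status
 ! multi-domain: one session for the phone (voice domain) and one for the
 ! PC behind it (data domain); multi-host would share one session for both
 authentication host-mode multi-domain
 ! dot1x first, then MAB as the fallback (assumed here mainly for the phone)
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! supplicant fails, or never answers: authorize the data domain into the guest VLAN
 authentication event fail retry 5 action authorize vlan 69
 authentication event no-response action authorize vlan 69
 authentication timer restart 10800
 authentication timer reauthenticate 10800
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 5
 dot1x timeout server-timeout 10
 dot1x timeout tx-period 5
 dot1x max-reauth-req 1
!
```

To check the behaviour the thread describes (the data device being replaced behind the phone), `show authentication sessions interface FastEthernet6/35` lists each domain's session and its current state, `show mac address-table interface FastEthernet6/35` shows whether the previous laptop's MAC is still held on the port, and `clear authentication sessions interface FastEthernet6/35` resets the sessions without rebooting the phone.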
07-01-2011 03:23 AM
Auth-fail VLAN assignment is only supported in single-host mode, found here -
See if you can set this port to single-host mode and try again.
07-01-2011 06:47 AM
Thank you for this information. I'll look into this, but this was working fine with a voice VLAN and auth-fail VLAN assignment before I moved to the new IOS.
07-05-2011 09:02 AM
What is really odd is that when I reboot the phone and plug the MacBook into the second port, the MacBook gets dumped into the guest VLAN (which is what I want). If I unplug the MacBook and plug in a computer that is on our domain (and uses dot1x to authenticate), it gets dumped into the data VLAN (which is what I want). Now if I unplug the domain laptop and plug my MacBook back into that port, I get an APIPA address. If I reboot the phone again and plug the MacBook in, it gets dumped into the guest VLAN. If I unplug the MacBook, wait a few minutes and plug the MacBook in again, I get dumped into the guest VLAN again.
So it works until I remove the guest machine and plug in a domain computer; it's like the port doesn't transition back to an unauthenticated port.
07-05-2011 10:36 PM
What version of phone are you running on this port (show cdp neighbors detail)? Keep in mind that these phones need to be deployed with the 2nd port feature enabled. Also, if you do show mac address interface type x/x, do you still see the MAC address of the previous laptop/MacBook on the port?
07-06-2011 04:28 AM
To answer your first question:
Device ID: SEP002584A27BC9
IP address: 10.130.10.171
Platform: Cisco IP Phone 7942, Capabilities: Host Phone Two-port Mac Relay
Interface: FastEthernet6/35, Port ID (outgoing port): Port 1
Holdtime : 127 sec
Second Port Status: Down
advertisement version: 2
Power drawn: 6.300 Watts
Power request id: 31689, Power management id: 3
Power request levels are:6300 0 0 0 0
(No computer is plugged into the phone at the moment)
I'm not sure what you mean by the second port feature being enabled; isn't that on by default? Since I can connect to the network fine on the second network card, I assume that is what you mean. I'll check the MAC address issue today!
07-11-2011 08:21 PM
I think you should have this configured: dot1x port-control auto
07-12-2011 09:45 AM
The new IOS doesn't support that command; what you are talking about is done by issuing the command "authentication port-control auto", which I have done.