03-09-2012 10:40 AM - edited 03-10-2019 06:53 PM
Hi all,
I configured dot1x on a 3750X with version 15.0.(1)SE2 but have a problem with MDA:
My phone is authenticating successfully but is placed in the DATA domain instead of voice:
show authentication interface gi3/0/9
Client list:
Interface MAC Address Method Domain Status Session ID
Gi3/0/9 0080.9fab.d2f2 dot1x DATA Authz Success 000000000000361C1BA5BAF5
though the switch receives a VSA from the radius server (output from debug radius authentication):
Mar 9 18:10:28.976: RADIUS: Received from id 1645/106 10.0.0.4:1645, Access-Accept, len 240
Mar 9 18:10:28.976: RADIUS: authenticator 6B 87 86 16 99 E7 A3 06 - 6B 98 63 12 16 C8 9C 48
Mar 9 18:10:28.985: RADIUS: EAP-Message [79] 6
Mar 9 18:10:28.985: RADIUS: 03 07 00 04
Mar 9 18:10:28.985: RADIUS: Class [25] 46
Mar 9 18:10:28.985: RADIUS: 47 1B 05 65 00 00 01 37 00 01 02 00 0A 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 01 CC F8 92 38 D7 D3 4D 00 00 00 00 00 02 68 07 [ Ge7(8Mh]
Mar 9 18:10:28.985: RADIUS: Vendor, Cisco [26] 34
Mar 9 18:10:28.985: RADIUS: Cisco AVpair [1] 28 "device-traffic-class=voice"
Mar 9 18:10:28.985: RADIUS: Vendor, Microsoft [26] 58
Mar 9 18:10:28.985: RADIUS: MS-MPPE-Send-Key [16] 52 *
Mar 9 18:10:28.985: RADIUS: Vendor, Microsoft [26] 58
Mar 9 18:10:28.985: RADIUS: MS-MPPE-Recv-Key [17] 52 *
Mar 9 18:10:28.985: RADIUS: Message-Authenticato[80] 18
Mar 9 18:10:28.985: RADIUS: 82 9D F1 DB 64 0D 65 85 D2 C8 09 C7 10 9B C3 84 [ de]
Mar 9 18:10:29.001: RADIUS(00003686): Received from id 1645/106
Mar 9 18:10:29.001: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
Mar 9 18:10:29.010: %DOT1X-5-SUCCESS: Authentication successful for client (0080.9fab.d2f2) on Interface Gi3/0/9 AuditSessionID 00000000000036091B977720
Mar 9 18:10:29.010: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0080.9fab.d2f2) on Interface Gi3/0/9 AuditSessionID 00000000000036091B977720
Mar 9 18:10:29.446: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0080.9fab.d2f2) on Interface Gi3/0/9 AuditSessionID 00000000000036091B977720
Mar 9 18:10:29.454: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/9, changed state to up
and "radius-server vsa send authentication" is set
The switchport is configured in the following way:
interface GigabitEthernet3/0/9
switchport access vlan 115
switchport mode access
switchport nonegotiate
switchport voice vlan 113
authentication control-direction in
authentication event fail action authorize vlan 101
authentication event server dead action authorize vlan 100
authentication host-mode multi-domain
authentication order dot1x mab
authentication port-control auto
authentication violation replace
mls qos trust dscp
dot1x pae authenticator
storm-control broadcast level 10.00
storm-control action shutdown
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 20
Radius Server is MS W2K8 NPS.
Am I missing something, or is it a bug in 15.0? I remember it worked on 12.5-something.
Many thanks in advance for any hints!
03-13-2012 01:06 PM
Hello.
Are you authenticating the IP phone with 802.1x or with MAB? I guess you're using MAB. You do have "authentication order dot1x mab", but the actual "mab" command is missing from your configuration.
Could you please post the result of "show authentication sessions interface
03-14-2012 12:01 AM
Hi,
I am authenticating with dot1x; mab might be used some day for devices not supporting 802.1X.
Authentication works fine, I just wonder why the phone is placed into the DATA domain though the Radius Server returns a VSA "device-traffic-class=voice".
SWITCH#show authentication sessions interface gi3/0/9
Interface: GigabitEthernet3/0/9
MAC Address: 0080.9fab.d2f2
IP Address: Unknown
User-Name: ipphone
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: in
Authorized By: Authentication Server
Vlan Group: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0000000000003AC232ED1550
Acct Session ID: 0x00003B3D
Handle: 0xB0000BD7
Runnable methods list:
Method State
dot1x Authc Success
SWITCH#show dot1x all details
Sysauthcontrol Enabled
Dot1x Protocol Version 3
Dot1x Info for GigabitEthernet3/0/9
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = In
HostMode = MULTI_DOMAIN
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
Dot1x Authenticator Client List
-------------------------------
EAP Method = (13)
Supplicant = 0080.9fab.d2f2
Session ID = 0000000000003AC232ED1550
Auth SM State = AUTHENTICATED
Auth BEND SM State = IDLE
03-19-2012 01:55 AM
Anyone?
03-19-2012 12:47 PM
Hello
I've found a similar question in the forum. The problem was that the following command was missing:
"aaa authorization network default group radius"
The forum is https://supportforums.cisco.com/thread/2011966
Please rate if it helps. Kind regards
03-20-2012 06:52 AM
That's it, I added "aaa authorization network default group radius" and it works.
Many thanks for this hint, must have missed it in the docs.
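As an added illustration (not part of the thread, and not Cisco's code), the following Python script ties the three pieces of evidence in this thread together: it reads the Access-Accept AV pairs out of `debug radius` output, reads the Domain from `show authentication sessions`, and, when the server asked for voice but the switch left the endpoint in DATA, checks the running-config for an `aaa authorization network <list> group radius` line. The sample inputs are constructed, trimmed from the outputs shown above; the assumption that the missing line would show up exactly in that form in the running-config is mine.

```python
import re

# Constructed samples, trimmed from the kind of output shown in the thread.
RADIUS_DEBUG = """\
Mar 9 18:10:28.976: RADIUS: Received from id 1645/106 10.0.0.4:1645, Access-Accept, len 240
Mar 9 18:10:28.985: RADIUS: Vendor, Cisco [26] 34
Mar 9 18:10:28.985: RADIUS: Cisco AVpair [1] 28 "device-traffic-class=voice"
"""
SESSION_OUTPUT = """\
Interface: GigabitEthernet3/0/9
MAC Address: 0080.9fab.d2f2
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
"""
# Assumed running-config fragments: before and after the fix from this thread.
CONFIG_BEFORE = "aaa new-model\naaa authentication dot1x default group radius\n"
CONFIG_AFTER = CONFIG_BEFORE + "aaa authorization network default group radius\n"

AVPAIR_RE = re.compile(r'Cisco AVpair \[1\] \d+ "([^"=]+)=([^"]*)"')
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(.+)$", re.M)
AUTHZ_RE = re.compile(r"^aaa authorization network \S+ group radius\b", re.M)

def accept_avpairs(debug_text):
    """Cisco AV pairs carried in an Access-Accept, as a name -> value dict."""
    if "Access-Accept" not in debug_text:
        return {}
    return dict(AVPAIR_RE.findall(debug_text))

def session_fields(show_text):
    """'Key: value' lines of 'show authentication sessions interface ...' as a dict."""
    return {k.strip(): v.strip() for k, v in FIELD_RE.findall(show_text)}

def diagnose(debug_text, show_text, running_config):
    """Explain why an endpoint the server marked as voice sits in the DATA domain."""
    findings = []
    avp = accept_avpairs(debug_text)
    sess = session_fields(show_text)
    wants_voice = avp.get("device-traffic-class") == "voice"
    if not wants_voice:
        findings.append("RADIUS did not return device-traffic-class=voice; check the NPS policy")
    elif sess.get("Domain") != "VOICE":
        # The VSA arrived but was never applied: the switch is not authorizing via RADIUS.
        findings.append("switch ignored the VSA: Domain is %s" % sess.get("Domain"))
        if not AUTHZ_RE.search(running_config):
            findings.append("missing 'aaa authorization network <list> group radius'")
    return findings
```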