ios switch with deployment 802.1x guest vlan is not working

ivan.martin
Level 1

Hi my name is Ivan

I have an issue deploying 802.1x for guest users. I'm working with multi-domain. When a guest computer is behind a Cisco IP phone and tries to access the wired network, we cannot see any dot1x or MAB log, and after 45 seconds the computer is unauthorized. But when the guest computer is connected directly to the switch, the computer is authorized in guest VLAN 140.

The IOS is 15.0(2)SE6. When I look at the MAC address table on the interface where the guest computer is connected, I see the computer's MAC dropped.

I tried with 4 guest computers and the issue continues. The RADIUS server is ACS 5.6.

I would like to know if the issue is in the IOS.

Please could you help me?

 

The 802.1x configuration is:

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
 client 10.24.1.7 server-key 7 124D2624245B5D277E05
 client 10.24.1.9 server-key 7 040F283539711D6D5D37

dot1x system-auth-control
dot1x guest-vlan supplicant
dot1x critical eapol

 

interface GigabitEthernet1/0/X
 description 8A102-038
 switchport access vlan 50
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 40
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 srr-queue bandwidth share 1 30 35 5
 priority-queue out 
 authentication event fail action next-method
 authentication event server dead action authorize vlan 50
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 140
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation protect
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout quiet-period 15
 dot1x timeout tx-period 10
 auto qos voip cisco-phone 
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY

!

5 Replies

nspasov
Cisco Employee

Hello Ivan. Try this:

1. Remove all of the port-security related commands:

 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity

2. Remove the "authentication event fail action next-method" or replace it with "authentication event fail action authorize 140"

 

Thank you for rating helpful posts! 
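As an added example (not part of the thread or of any Cisco tool), a small Python check that applies the two recommendations in the reply above to each interface block parsed from a running-config: it flags port-security commands on a multi-domain port and, where "fail action next-method" is present, proposes the replacement in the "authentication event fail action authorize vlan <id>" form, reusing the guest VLAN already configured for the no-response event. The sample config is constructed from the question's port stanza.

```python
import re
# Constructed sample input (abridged from the interface stanza posted in the question).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport voice vlan 40
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 authentication event fail action next-method
 authentication event no-response action authorize vlan 140
 authentication host-mode multi-domain
 authentication order mab dot1x
 mab
!
"""

GUEST_RE = re.compile(r"^authentication event no-response action authorize vlan (\d+)$")

def parse_interfaces(config):
    """Map each 'interface X' block of a running-config to its stripped sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the block
    return blocks

def audit_interface(name, cmds):
    """Findings for one port, following the two recommendations in the reply above."""
    findings = []
    if "authentication host-mode multi-domain" not in cmds:
        return findings  # only phone-plus-PC (multi-domain) ports are in scope
    port_sec = [c for c in cmds if c.startswith("switchport port-security")]
    if port_sec:
        findings.append(f"{name}: remove {len(port_sec)} port-security command(s)")
    if "authentication event fail action next-method" in cmds:
        # Reuse the configured guest VLAN; a placeholder marks a port that has none.
        guest = next((m.group(1) for m in map(GUEST_RE.match, cmds) if m), "<guest-vlan>")
        findings.append(f"{name}: replace 'authentication event fail action next-method' "
                        f"with 'authentication event fail action authorize vlan {guest}'")
    return findings

def audit_config(config):
    # Flat list of findings across all interface blocks; empty means nothing to change.
    return [f for n, c in parse_interfaces(config).items() for f in audit_interface(n, c)]
```

Feed it the output of "show running-config" and review the findings before changing anything; ports without "host-mode multi-domain" are deliberately left alone.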

Hi Neno Spasov

We did it, and our issue continues. When I changed the IOS to 12.2(55)SE7 on the switch, the issue was resolved.

Perhaps there is a bug in the IOS?

Please could you help me?

Hi Ivan

Did you ever solve this with IOS 15.0x?  I am having the same issue and I think it might be a bug. I have a 3560-8PC running IOS 15.0(2)SE11.

This is my configuration:

 

interface FastEthernet0/1
 switchport access vlan 300
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 305
 no logging event link-status
 authentication event fail retry 1 action authorize vlan 310
 authentication event server dead action authorize vlan 310
 authentication event no-response action authorize vlan 310
 authentication event server alive action reinitialize
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast

 

If I connect a PC directly to the switchport it works whether 802.1x fails or the 802.1x service on the client isn't started. If I connect a Cisco 7970G IP phone to the switch port and piggyback the PC it doesn't. The phone is discovered via CDP and works without any authentication on the Voice VLAN. The port seems to go through the same states whether an IP phone is connected or not, with it trying to authenticate the PC and then failing over to the Guest VLAN; however, once it has failed over, the PC's MAC address is removed and only the MAC of the IP phone is learned.

If the PC successfully authenticates with 802.1x it all works.

I think I have played with all the settings and the behaviour remains the same. I therefore think it's either a bug or some undocumented 'feature'. Firmware on the phone is 9.4(2)SR1.

 

Andy

I have been playing around with this today and have upgraded the firmware on the 7970G to 9.4(2)SR2 and I also tried a 7941G with 9.4(2)SR3 (latest) - I can't get hold of 9.4(2)SR3 for the 7970G anywhere.  It seems there is no access at all for a PC behind the 7970G but it works fine with the 7941G as long as the PC passes dot1x authentication.

I also have a Mitel 5330 IP phone and I tried this with no changes to the configuration of the switch. Bizarrely this worked (I am guessing the CDP bypass works for Mitel IP phones as well as Cisco?); the PC also works dot1x authenticated or with Guest VLAN fallback. The Mitel IP phone doesn't send a proxy EAPoL disconnect if the cable is disconnected, which the Cisco IP phones do, so I am wondering whether this is actually a Cisco IP phone issue now rather than a switch issue (albeit the dot1x interaction).

Both the Cisco IP phones are EoL so it's unlikely to ever get fixed I guess?

Venkatesh Attuluri
Cisco Employee

What is the switch model?
