
ip phone get access to network even it was rejected

descalante2007
Level 1

I don't understand why a phone I'm using to test my ISE setup gets access and works although the MAB authentication is indicated as failed and ISE shows the device was rejected. The phone always stays in the DATA domain.

I have a 3750 in a stack with IOS 12.2-55.SE3.

This is from the switch console (terminal monitor):

SWPHP2ACCESO(config-if)#no shut
SWPHP2ACCESO(config-if)#
*May 11 05:52:08.843: %ILPOWER-7-DETECT: Interface Gi1/0/29: Power Device detected: IEEE PD
*May 11 05:52:09.254: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/29: Power granted
*May 11 05:52:09.892: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/29, changed state to down
*May 11 05:52:16.334: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/29, changed state to up
*May 11 05:52:17.341: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/29, changed state to up
*May 11 05:52:28.464: %AUTHMGR-5-START: Starting 'dot1x' for client (001e.be91.920f) on Interface Gi1/0/29 AuditSessionID 0A229585000000DA6EE600D1
*May 11 05:52:45.879: %DOT1X-5-FAIL: Authentication failed for client (001e.be91.920f) on Interface Gi1/0/29 AuditSessionID
*May 11 05:52:45.887: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (001e.be91.920f) on Interface Gi1/0/29 AuditSessionID 0A229585000000DA6EE600D1
*May 11 05:52:45.887: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (001e.be91.920f) on Interface Gi1/0/29 AuditSessionID 0A229585000000DA6EE600D1
*May 11 05:52:45.887: %AUTHMGR-5-START: Starting 'mab' for client (001e.be91.920f) on Interface Gi1/0/29 AuditSessionID 0A229585000000DA6EE600D1
*May 11 05:52:45.896: %MAB-5-FAIL: Authentication failed for client (001e.be91.920f) on Interface Gi1/0/29 AuditSessionID 0A229585000000DA6EE600D1
*May 11 05:52:45.896: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (001e.be91.920f) on Interface Gi1/0/29 AuditSessionID 0A229585000000DA6EE600D1
*May 11 05:52:45.896: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (001e.be91.920f) on Interface Gi1/0/29 AuditSessionID 0A229585000000DA6EE600D1
*May 11 05:52:45.896: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (001e.be91.920f) on Interface Gi1/0/29 AuditSessionID 0A229585000000DA6EE600D1
*May 11 05:52:45.896: %AUTHMGR-5-FAIL: Authorization failed for client (001e.be91.920f) on Interface Gi1/0/29 AuditSessionID 0A229585000000DA6EE600D1

SWPHP2ACCESO#show auth sess

Interface  MAC Address     Method   Domain   Status         Session ID
Gi1/0/29   001e.be91.920f  N/A      DATA     Authz Failed   0A229585000000DA6EE600D1

SWPHP2ACCESO#show auth sess int g1/0/29
            Interface:  GigabitEthernet1/0/29
          MAC Address:  001e.be91.920f
           IP Address:  10.34.140.190
            User-Name:  001ebe91920f
               Status:  Running
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-domain
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A229585000000DA6EE600D1
      Acct Session ID:  0x0000041F
               Handle:  0x480000DA

Runnable methods list:
       Method   State
       dot1x    Running
       mab      Not run


If I connect a PC behind the phone, it authenticates properly with 802.1X; in that case the PC stays in the DATA domain and the phone stays in the UNKNOWN domain, but still works. In this case the switch indicates a security violation because the MAC address:

*May 11 05:58:50.246: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Gi1/0/29, new MAC address (001e.be91.920f) is seen.AuditSessionID  0A229585000000DC6EEB8EB0

SWPHP2ACCESO#show auth sess

Interface  MAC Address     Method   Domain   Status         Session ID
Gi1/0/29   e89a.8fcf.7f38  dot1x    DATA     Authz Success  0A229585000000DB6EEB89AC
Gi1/0/29   001e.be91.920f  dot1x    UNKNOWN  Running        0A229585000000DD6EECA505


Finally, this is my port config:


SWPHP2ACCESO#show run int g1/0/29
Building configuration...

Current configuration : 568 bytes
!
interface GigabitEthernet1/0/29
 description PRUEBAS 802.1X
 switchport access vlan 801
 switchport mode access
 switchport voice vlan 81
 authentication event fail action next-method
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
end


I should not worry since the phone is working, but I would like to be clear on whether this is expected or not.

On ISE the phone is profiled and identified as Cisco-Device, but even the default rule in ISE for Cisco IP Phones appears not to match.

The ISE is running 1.2.0.899 Patch 6.


Regards.
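The question of why a session shown as "Authz Failed" still passes traffic can be checked mechanically against the posted config and log. The following is an added example, not code from the thread or from Cisco: a small Python analyzer that takes the interface stanza and the %AUTHMGR syslog lines above (embedded as sample input, with timestamps removed) and states what IOS does with each session. Function names and the result strings are this example's own; the behaviour it encodes is that `authentication open` forwards traffic regardless of the authentication outcome (monitor mode unless RADIUS pushes a dACL), that a closed-mode port blocks a host once every method has failed unless a guest or auth-fail VLAN is configured as the fallback, and that `authentication violation` selects what happens when a second MAC appears in an already occupied domain (IOS defaults to shutdown when the command is absent).

```python
"""Added example (not from the thread or from Cisco): read an IOS interface
stanza plus %AUTHMGR syslog lines and say what the switch did with each
session.  Helper names and result strings are this example's own."""
import re

# Sample input, copied from the poster's `show run int g1/0/29` (trimmed).
INTERFACE_CONFIG = """\
interface GigabitEthernet1/0/29
 switchport access vlan 801
 switchport mode access
 switchport voice vlan 81
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication open
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
"""

# Sample input, copied from the poster's console (timestamps removed).
SYSLOG = """\
%AUTHMGR-5-START: Starting 'dot1x' for client (001e.be91.920f) on Interface Gi1/0/29 AuditSessionID 0A229585000000DA6EE600D1
%DOT1X-5-FAIL: Authentication failed for client (001e.be91.920f) on Interface Gi1/0/29 AuditSessionID
%AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (001e.be91.920f) on Interface Gi1/0/29 AuditSessionID 0A229585000000DA6EE600D1
%AUTHMGR-5-START: Starting 'mab' for client (001e.be91.920f) on Interface Gi1/0/29 AuditSessionID 0A229585000000DA6EE600D1
%MAB-5-FAIL: Authentication failed for client (001e.be91.920f) on Interface Gi1/0/29 AuditSessionID 0A229585000000DA6EE600D1
%AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (001e.be91.920f) on Interface Gi1/0/29 AuditSessionID 0A229585000000DA6EE600D1
%AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (001e.be91.920f) on Interface Gi1/0/29 AuditSessionID 0A229585000000DA6EE600D1
%AUTHMGR-5-FAIL: Authorization failed for client (001e.be91.920f) on Interface Gi1/0/29 AuditSessionID 0A229585000000DA6EE600D1
%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Gi1/0/29, new MAC address (001e.be91.920f) is seen.AuditSessionID  0A229585000000DC6EEB8EB0
"""

_MNEM = re.compile(r"%(?:AUTHMGR|DOT1X|MAB)-\d-([A-Z_]+):")
_MAC = re.compile(r"\(([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)")
_SID = re.compile(r"AuditSessionID\s+([0-9A-F]{24})")
_RESULT = re.compile(r"result '([\w-]+)' from '(\w+)'")

# Documented effect of each `authentication violation` mode on a second MAC
# that shows up in an already occupied domain.
VIOLATION_ACTIONS = {
    "restrict": "new MAC dropped, syslog and SNMP trap sent",
    "protect": "new MAC dropped silently",
    "shutdown": "port err-disabled",
    "replace": "existing session removed, new MAC authenticated",
}


def parse_config(text):
    """Return the interface's sub-commands as a set of normalised lines."""
    return {ln.strip() for ln in text.splitlines() if ln.startswith(" ")}


def parse_sessions(text):
    """Group syslog lines by AuditSessionID: client MAC, per-method results, final verdict."""
    sessions = {}
    for line in text.splitlines():
        mnem, mac, sid = _MNEM.search(line), _MAC.search(line), _SID.search(line)
        if not (mnem and mac and sid):
            continue  # e.g. the %DOT1X-5-FAIL line whose session ID is missing
        s = sessions.setdefault(sid.group(1), {"mac": mac.group(1), "methods": [], "final": None})
        if mnem.group(1) == "RESULT":
            result, method = _RESULT.search(line).groups()
            s["methods"].append((method, result))
        elif mnem.group(1) == "FAIL" and "Authorization failed" in line:
            s["final"] = "authz-failed"
        elif mnem.group(1) == "SECURITY_VIOLATION":
            s["final"] = "security-violation"
    return sessions


def explain(cfg, session):
    """What IOS does with the host after the logged outcome, given the port config."""
    if session["final"] == "security-violation":
        mode = next((l.split()[-1] for l in cfg if l.startswith("authentication violation ")),
                    "shutdown")  # IOS default when the command is absent
        return f"violation/{mode}: {VIOLATION_ACTIONS[mode]}"
    if session["final"] != "authz-failed":
        return "in-progress"
    if "authentication open" in cfg:
        # Open mode is monitor mode: traffic is forwarded before, during and
        # after a failed authentication unless RADIUS pushed a dACL.
        return "forwarded/open-mode"
    if any(l.startswith(("authentication event fail action authorize vlan",
                         "authentication event no-response action authorize vlan")) for l in cfg):
        return "forwarded/fallback-vlan"
    return "blocked/closed-mode"


def config_warnings(cfg):
    """Settings a reviewer would flag on a port that is meant to enforce 802.1X/MAB."""
    w = []
    if "authentication open" in cfg:
        w.append("authentication open: failed hosts still pass traffic")
    if not any(l.startswith("authentication order ") for l in cfg):
        w.append("no authentication order: dot1x runs first, MAB only after dot1x times out")
    return w


if __name__ == "__main__":
    cfg = parse_config(INTERFACE_CONFIG)
    for sid, s in parse_sessions(SYSLOG).items():
        print(sid, s["mac"], s["methods"], s["final"], "->", explain(cfg, s))
    print(config_warnings(cfg))
```

Run against the posted data, the first session (…DA) comes out as `forwarded/open-mode`, which is the observed behaviour; removing `authentication open` from the config set turns the same session into `blocked/closed-mode`, because the only fail action configured is `next-method` and no guest or auth-fail VLAN is present. The second session (…DC) maps to the `restrict` action, i.e. the new MAC is dropped and the syslog/trap seen in the post is generated.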

4 Replies

hdussa
Level 1

Hi,

you can use MAB or dot1x to authenticate IP phones. I'm using ACS but I think ISE has the same function. To authenticate an IP phone, ISE should send a RADIUS attribute "device-traffic-class=voice". Then the IP phone will get into the VOICE domain. If a PC behind the IP phone is connected via MAB, the session remains forever. That means if you connect another PC, the port will get "error disabled". So PC and phone will be disconnected.

I would insert 2 lines into the port config:

authentication order mab dot1x (depends on what you prefer)

authentication violation replace (allows you to connect another PC than the one before)

authentication timer inactivity server (configured on ISE. Deletes the session after a configured time if no traffic has been seen).


Hope it helps

Horst
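The three settings suggested in the reply above interact with how multi-domain authentication (MDA) admits hosts, which is easier to see in a model than in prose. The following is an added example, not code from the reply, from Cisco or from ISE: a small Python model of MDA admission on one port. It assumes the documented rules that a RADIUS `cisco-av-pair` of `device-traffic-class=voice` places a host in the VOICE domain (otherwise it lands in DATA), that each domain holds one host, that a second MAC in an occupied domain is handled by the `authentication violation` mode (restrict/protect drop it, shutdown err-disables the port, replace evicts the old session), and that a RADIUS `Idle-Timeout` is only honoured when `authentication timer inactivity server` is configured. The class and function names, the second PC's MAC and the 60-second Idle-Timeout are constructed for the example; hosts are admitted in call order, which is why the thread scenario shows the PC rather than the phone hitting the violation.

```python
"""Added example (not from the reply, from Cisco or from ISE): a model of IOS
multi-domain authentication (MDA) admission on one port, so the effect of the
voice av-pair, `authentication violation` mode and a server-supplied
Idle-Timeout can be tried without a switch.  Names are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# cisco-av-pair that ISE/ACS return to place a device in the VOICE domain.
VOICE_AVPAIR = "device-traffic-class=voice"


@dataclass
class Session:
    mac: str
    domain: str
    last_seen: float
    idle_timeout: Optional[int]  # RADIUS Idle-Timeout in seconds, honoured only
                                 # with `authentication timer inactivity server`


@dataclass
class MdaPort:
    violation: str = "shutdown"          # IOS default for `authentication violation`
    inactivity_from_server: bool = False  # `authentication timer inactivity server`
    voice_vlan_configured: bool = True
    errdisabled: bool = False
    sessions: Dict[str, Session] = field(default_factory=dict)  # domain -> session

    def admit(self, mac: str, accept_attrs: dict, now: float) -> str:
        """Apply an Access-Accept: one host per domain, VOICE only with the av-pair."""
        if self.errdisabled:
            return "port err-disabled"
        avpairs = accept_attrs.get("cisco-av-pair", [])
        domain = "VOICE" if VOICE_AVPAIR in avpairs and self.voice_vlan_configured else "DATA"
        current = self.sessions.get(domain)
        if current and current.mac != mac:
            return self._violation(domain, mac, accept_attrs, now)
        self.sessions[domain] = self._session(mac, domain, accept_attrs, now)
        return f"{mac} authorized in {domain}"

    def _session(self, mac, domain, attrs, now):
        idle = attrs.get("Idle-Timeout") if self.inactivity_from_server else None
        return Session(mac, domain, now, idle)

    def _violation(self, domain, mac, attrs, now):
        if self.violation == "replace":
            old = self.sessions[domain]
            self.sessions[domain] = self._session(mac, domain, attrs, now)
            return f"replaced {old.mac} with {mac} in {domain}"
        if self.violation == "shutdown":
            self.errdisabled = True
            self.sessions.clear()
            return "security violation: port err-disabled"
        # restrict (syslog + trap) and protect (silent) both drop the new MAC.
        return f"security violation: {mac} dropped ({self.violation})"

    def traffic_seen(self, mac: str, now: float) -> None:
        """Refresh the inactivity timer of the session owning this MAC."""
        for s in self.sessions.values():
            if s.mac == mac:
                s.last_seen = now

    def expire_idle(self, now: float) -> list:
        """Remove sessions idle for at least their Idle-Timeout; returns freed domains."""
        gone = [d for d, s in self.sessions.items()
                if s.idle_timeout and now - s.last_seen >= s.idle_timeout]
        for d in gone:
            del self.sessions[d]
        return gone


PHONE, PC1 = "001e.be91.920f", "e89a.8fcf.7f38"   # MACs from the thread
PC2 = "0011.2233.4455"                             # constructed second PC
PHONE_ACCEPT = {"cisco-av-pair": [VOICE_AVPAIR]}   # what a phone profile should return
PC_ACCEPT = {"Idle-Timeout": 60}                   # constructed sample value


def thread_scenario(violation="restrict"):
    """Phone authorized WITHOUT the voice av-pair (as in the thread), then a PC."""
    port = MdaPort(violation=violation)
    return [port.admit(PHONE, {}, 0), port.admit(PC1, PC_ACCEPT, 1)]


def fixed_scenario(violation="restrict"):
    """Phone in VOICE, first PC in DATA, a second PC, then idle expiry frees DATA."""
    port = MdaPort(violation=violation, inactivity_from_server=True)
    out = [port.admit(PHONE, PHONE_ACCEPT, 0), port.admit(PC1, PC_ACCEPT, 1),
           port.admit(PC2, PC_ACCEPT, 2)]
    out.append(port.expire_idle(70))        # DATA host idle >= 60 s, phone has no timeout
    out.append(port.admit(PC2, PC_ACCEPT, 71))
    return out


if __name__ == "__main__":
    for mode in ("restrict", "replace", "shutdown"):
        print(mode, thread_scenario(mode), fixed_scenario(mode))
```

Without the voice av-pair the phone occupies the DATA domain and whichever device comes second collides with it, whatever the violation mode; with the av-pair the phone sits in VOICE and the DATA slot is free for one PC. `replace` lets a second PC take the slot immediately, `restrict`/`protect` drop it until the first session is cleared, and the server-supplied Idle-Timeout is what clears a MAB session that would otherwise stay up forever.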


Venkatesh Attuluri
Cisco Employee

What profiling probes are enabled to identify the IP phone? Is CDP enabled on the interface?

CDP with a Cisco IP Phone is helpful when the client behind the phone is disconnected (802.1X, not MAB), to send a proxy logoff to the switch.

nspasov
Cisco Employee

A couple of questions:

1. What authorization profile are you returning for these failed attempts?

2. What are the rules for the default authentication/authorization policies? (By default they are "allow access")