
ISE 2.1 with 4510R+E NAD: when PC (802.1x) behind IP Phone (MAB) restarts, the phone automatically restarts and tries to register

issmoussa1
Level 4

Hi Guys,

When the PCs behind the IP phone 7811 resume or go to sleep, the phone restarts automatically.
At each change of user session, the phone restarts too.

How can I fix that?

thanks

7 Replies

Ben Walters
Level 4

What does your port configuration look like?

Could you also include show auth session for an interface when both devices are authenticated?

Below is my port config:

interface GigabitEthernet0/16
switchport mode access
switchport voice vlan 20
authentication event fail action next-method
authentication event server dead action authorize vlan 40
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 3600
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
spanning-tree bpduguard enable

show auth session int gi 0/16

show authentication sessions interface gigabitEthernet 0/16

Interface  MAC Address     Method  Domain  Status Fg  Session ID
----------------------------------------------------------------------
Gi0/16     xxxx.xxxx.xxxx  mab     VOICE   Auth       C0A84B020000001B007D1BB4
Gi0/16     xxxx.xxxx.xxxx  dot1x   DATA    Auth       C0A84B020000002D009DB331

Hi,

I had similar issues initially with some strange bugs. Then I found this
article which fixed everything.

https://supportforums.cisco.com/t5/security-blogs/getting-past-intermittent-unexplained-802-1x-problems-on-windows/ba-p/3104109


***** Please rate useful posts*

Thank you Mohammed.
I tested all the patches but still the same issues. IP Phones continue to restart when I change session.

nspasov
Cisco Employee

Can you provide the following information:

1. Switchport config

2. Version of code used on the 4510

3. What is the default action set for profiling? (port-bounce, re-auth, nothing)?

Thank you for rating helpful posts!

Hi nspasov,

switchport config :

switchport mode access

switchport voice vlan 2
authentication event fail action authorize vlan X
authentication event server dead action authorize vlan Y
authentication event no-response action authorize vlan Z
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 3600
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable

Version of code used on 4510:

- IOS firmware version : 03.07.03.E

- Rommon : 15.1(1r)SG8

Default action set for ISE profiling : No COA

Thank you!

Apologies for the delayed reply here as I had some personal matters to attend to. This behavior does sound a lot like a bug. However, I did a quick bug scrub and could not find any dot1x/mab bugs with that switch model and software version.

With regards to your config, I would suggest trying the following:

Add:

authentication event fail action next-method
authentication timer inactivity server
authentication control-direction both
dot1x pae authenticator
dot1x timeout quiet-period 60
dot1x timeout tx-period 10
dot1x max-req 2
dot1x max-reauth-req 2

Remove:

authentication timer inactivity 3600

Give that a try and let us know how it goes. It might also be worth opening a TAC case.

 

Thank you for rating helpful posts!
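An added example, not part of the thread and not Cisco tooling: a small Python check that walks a saved running-config and reports, for each 802.1X/MAB port, which lines from the "Add" list in the reply above are missing and whether the "Remove" line is still present. The function names, the sample config and the TenGigabitEthernet1/1 uplink are constructed for illustration.

```python
# Added example: audit interface stanzas against the lines suggested in the thread.
SUGGESTED_ADD = [  # the "Add" list from the reply
    "authentication event fail action next-method", "authentication timer inactivity server",
    "authentication control-direction both", "dot1x pae authenticator",
    "dot1x timeout quiet-period 60", "dot1x timeout tx-period 10",
    "dot1x max-req 2", "dot1x max-reauth-req 2",
]
SUGGESTED_REMOVE = ["authentication timer inactivity 3600"]  # the "Remove" list

# Constructed sample config, loosely modelled on the port config posted above.
SAMPLE = """\
interface GigabitEthernet0/16
 switchport mode access
 authentication event fail action next-method
 authentication port-control auto
 authentication timer inactivity 3600
 mab
 dot1x pae  authenticator
 dot1x timeout tx-period 10
!
interface TenGigabitEthernet1/1
 switchport mode trunk
!
"""

def parse_interfaces(config_text):
    """Map interface name -> list of sub-commands with whitespace normalized."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # "dot1x pae  authenticator" -> single spaces
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line == "!":  # stanza separator ends the current interface
            current = None
        elif line and current is not None:
            interfaces[current].append(line)
    return interfaces

def audit(config_text):
    """Return {interface: {"missing": [...], "remove": [...]}} for 802.1X ports."""
    return {
        name: {"missing": [c for c in SUGGESTED_ADD if c not in cmds],
               "remove": [c for c in SUGGESTED_REMOVE if c in cmds]}
        for name, cmds in parse_interfaces(config_text).items()
        if "authentication port-control auto" in cmds  # skip non-802.1X ports
    }
```

Calling `audit()` on the text of a saved `show running-config` gives a per-port list to review before and after applying the suggested change.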

 
