ISE 2.7, 2960 and pc behind cisco phone

DavidAceti
Level 1

Hi,

I prepared a 2960 switch (version 15.0(2)SE6) and a 7940 phone connected to this switch, and everything works fine with MAB. After that, I connect a Win 10 PC to the phone using 802.1X, and the switch complains about a security violation and automatically shuts down the port.

If I connect the PC directly to the port, no problem.

I'm looking for discrepancies between the ISE and 2960 versions, but have found nothing so far.

Any help will be appreciated.

Thanks

1 Accepted Solution

You are using the RADIUS group:

aaa group server radius dot1x_auth
server name ISE1
!

then this may need to change:

aaa authentication dot1x default group dot1x_auth
aaa authorization network default group dot1x_auth
aaa accounting dot1x default start-stop group dot1x_auth

I'd try the config below:

interface FastEthernet0/13
description Pruebas_ISE
switchport access vlan 320
switchport mode access
switchport voice vlan 411
authentication control-direction in
authentication event fail action next-method
! if you want you can use multi-auth instead of multi-domain; explained below
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end

  • Multi-auth—While in this mode, multiple devices are allowed to independently authenticate through the same port.
  • Multi-domain—While in this mode, the authenticator will allow one host from the data domain and one from the voice domain; this is a typical configuration on switchports with IP phones connected.
  • Multi-host—While in this mode, the first device to authenticate will open to the switchport so that all other devices can use the port. These other devices are not required to be authenticated independently; if the authenticated device becomes authorized the switchport will be closed.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

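The host-mode list in the accepted answer describes which hosts a port admits; the model below is an added illustration for this thread (not Cisco code and not from any poster) that encodes those four modes plus the single-host default and the "authentication violation" actions, then replays the scenario from the question: a phone comes up first and a PC appears behind it. Class and function names are hypothetical and the MAC addresses are constructed; it is a simplified model, not the IOS state machine.

```python
"""Toy model of how an IOS 802.1X/MAB port admits hosts under each
'authentication host-mode' and what the 'authentication violation' action
does when a host is not admitted. Added illustration for this thread, not
Cisco code; class and function names are hypothetical."""

from dataclasses import dataclass, field


@dataclass
class AuthPort:
    host_mode: str = "single-host"   # IOS default when the command is absent
    violation: str = "shutdown"      # IOS default violation action
    sessions: dict = field(default_factory=dict)   # mac -> "DATA" | "VOICE"
    err_disabled: bool = False
    events: list = field(default_factory=list)

    def _violation(self, mac, domain):
        """Apply the configured violation action; the host is never admitted."""
        if self.violation == "shutdown":
            # err-disable: every session on the port is lost (what the OP saw)
            self.err_disabled = True
            self.sessions.clear()
            self.events.append(f"{mac} ({domain}): violation, port err-disabled")
        elif self.violation == "restrict":
            self.events.append(f"{mac} ({domain}): violation, dropped and logged")
        elif self.violation == "protect":
            pass   # dropped silently, nothing logged
        else:
            raise ValueError(self.violation)
        return False

    def admit(self, mac, domain, authenticated=True):
        """A host `mac` in `domain` appears on the port. Returns True if its
        traffic is allowed, False if it is dropped (with or without violation)."""
        if self.err_disabled:
            return False
        if mac in self.sessions:
            return True
        have_data = any(d == "DATA" for d in self.sessions.values())
        have_voice = any(d == "VOICE" for d in self.sessions.values())
        if self.host_mode == "multi-host":
            # first host must authenticate; after that the port is open to all
            if self.sessions or authenticated:
                self.sessions[mac] = domain
                return True
            return False
        if not authenticated:
            return False                      # no session, but no violation either
        if self.host_mode == "single-host":
            allowed = not self.sessions       # exactly one MAC on the port
        elif self.host_mode == "multi-domain":
            allowed = (domain == "DATA" and not have_data) or (domain == "VOICE" and not have_voice)
        elif self.host_mode == "multi-auth":
            allowed = domain == "DATA" or not have_voice   # many data hosts, one voice
        else:
            raise ValueError(self.host_mode)
        if allowed:
            self.sessions[mac] = domain
            return True
        return self._violation(mac, domain)


def pc_behind_phone(host_mode, phone_domain="VOICE", violation="shutdown"):
    """Phone comes up first (MAB), then a PC behind it (802.1X).
    Returns (pc_admitted, port_err_disabled). MACs are constructed."""
    port = AuthPort(host_mode=host_mode, violation=violation)
    port.admit("0004.f2aa.bbcc", phone_domain)
    pc_ok = port.admit("a4b1.c2dd.eeff", "DATA")
    return pc_ok, port.err_disabled


if __name__ == "__main__":
    for mode in ("single-host", "multi-domain", "multi-auth", "multi-host"):
        for phone_domain in ("VOICE", "DATA"):
            print(f"{mode:13} phone in {phone_domain:5}: (pc_admitted, err_disabled) = "
                  f"{pc_behind_phone(mode, phone_domain)}")
```

Running the script shows the two ways the question's symptom arises: the port is still in the single-host default, so the PC is a second MAC, or the port is multi-domain but the phone was authorised into the DATA domain, so the PC collides with it. In both cases the default "shutdown" action err-disables the port and drops the phone as well; "restrict" keeps the port up and only logs the offending MAC.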

marce1000
VIP

 - Show the running-config of the particular port(s); you may also find some hints in this thread:

        https://community.cisco.com/t5/network-access-control/cisco-ise-pc-behind-the-phone-issue/td-p/3736477

 M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

balaji.bandi
Hall of Fame

Can you post the switch configuration?

BB


Hi,

Thanks for your replies.

@marce1000 I tried the hints in the link you posted, but no luck.

@balaji.bandi I attach the config with the essential configuration; the test port is 0/13, VLAN 320 is for data (for the PC behind the phone, using 802.1X) and VLAN 411 is for voice (MAB).

Thanks


> ...and the switch complain about security violation and automatically shutdown the port

  - What is the exact message as seen in the logs when this happens?

 M.

The configuration you posted shows the interface host-mode configured as multi-host. Multi-host mode authenticates the first MAC address and then allows an unlimited number of other MAC addresses. As per the IP Telephony for 802.1X Design Guide document, multi-host mode is not recommended for IP Telephony. I would recommend using either Multi-Domain or Multi-Auth mode.

One of the most common issues that results in a violation is if the phone is not authorised correctly for the VOICE domain. If the phone is authorised in the DATA domain and you connect a PC that is also authorised in the DATA domain, it can result in a violation unless you are using Multi-Auth mode.

I would suggest having a look at the 'show auth session interface fa0/13' output to see if the phone is in the DATA or VOICE domain. You should also review the ISE Secure Wired Access Prescriptive Deployment Guide to compare your configurations.
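The reply above diagnoses the problem from the port's host-mode, and the accepted answer's interface template shows the settings to compare against. The script below is an added example for this thread (not a Cisco tool and not from any poster) that parses interface stanzas out of a `show running-config` dump and flags the combinations that produce exactly this symptom on a phone port: a voice VLAN with the single-host default or multi-host, no `mab` for the phone, and the default `shutdown` violation action. The sample configuration is constructed (it reuses the thread's VLANs and port), and the function names are hypothetical; it applies the IOS defaults (single-host, shutdown) whenever the command is absent, which is the case a plain `show running-config` hides.

```python
"""Audit interface stanzas from 'show running-config' for 802.1X/MAB settings
that commonly cause a security violation on a phone-plus-PC port. Added for
this thread, not a Cisco tool; the sample config below is constructed and
function names are hypothetical."""

SAMPLE_CONFIG = """\
interface FastEthernet0/13
 description Pruebas_ISE
 switchport access vlan 320
 switchport mode access
 switchport voice vlan 411
 authentication host-mode multi-host
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface FastEthernet0/14
 switchport access vlan 320
 switchport mode access
 switchport voice vlan 411
 authentication host-mode multi-domain
 authentication violation restrict
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface FastEthernet0/15
 switchport access vlan 320
 switchport voice vlan 411
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Map each interface name to the list of its (stripped) sub-commands."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None          # '!' or a global command ends the stanza
    return stanzas


def _setting(lines, prefix, default):
    """Value of 'prefix <value>' in the stanza, or the IOS default if absent."""
    return next((l[len(prefix):].strip() for l in lines if l.startswith(prefix)), default)


def audit_port(lines):
    """Findings for one authenticating access port (empty list if clean)."""
    if "authentication port-control auto" not in lines:
        return []                   # port does not run 802.1X/MAB at all
    has_voice = any(l.startswith("switchport voice vlan") for l in lines)
    host_mode = _setting(lines, "authentication host-mode", "single-host")
    violation = _setting(lines, "authentication violation", "shutdown")
    findings = []
    if has_voice and host_mode == "single-host":
        findings.append("voice VLAN with default single-host mode: a PC behind the phone "
                        "is a second MAC and triggers a violation")
    if has_voice and host_mode == "multi-host":
        findings.append("multi-host mode: anything behind the first authenticated device "
                        "is let in unauthenticated")
    if has_voice and "mab" not in lines:
        findings.append("no 'mab': a phone without a supplicant cannot authenticate")
    if violation == "shutdown":
        findings.append("violation action is shutdown (default): one stray MAC err-disables "
                        "the whole port; consider restrict")
    return findings


def audit(config):
    """Return {interface: [findings]} for every port with at least one finding."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        findings = audit_port(lines)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name)
        for f in findings:
            print("  -", f)
```

On the constructed sample only FastEthernet0/14, which matches the accepted answer's template (multi-domain, restrict, mab), comes back clean; the two other phone ports are reported with the reason, and the trunk port is skipped because it does not authenticate at all. Feeding it the real `show running-config` is a quick way to confirm the host-mode before looking at `show auth session interface` on the switch.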
