Issue when PC with 802.1X supplicant connected to an IP Phone authenticated via MAB

Elbrabra
Level 1

Hello,

I'm looking for feedback on doing NAC with a PC authenticated via 802.1X through a Cisco IP Phone authenticated via MAB (with profiling).

I spent a lot of time on an issue with a laptop running Windows 10 and the built-in 802.1X supplicant (WiredAutoConfig) connected to a Cisco IP Phone 6941 authenticated with MAB on the network.


Detail about the issue:

  • The laptop, powered off, is connected to the IP Phone. The IP Phone is correctly authenticated on the network via MAB (IP Phone profiled by ISE).
  • Then the laptop is powered on; no authentication request for the PC happens on the switch (sh auth sess int giX/X).
  • To trigger authentication we found two solutions:
    • Unplug and plug the network cable; this triggers 802.1X authentication and it succeeds.
    • Restart WiredAutoConfig; this also triggers 802.1X authentication and it succeeds.


We did several tests:

  • Reproduce the same scenario with the laptop directly connected to the same switch (same port) -> 802.1X is triggered automatically as expected when the laptop is powered on, and authentication succeeds.
  • We reconnect the laptop to the IP Phone, reapply the default WiredAutoConfig configuration to force the supplicant to send an EAPOL-Start message, and change the option from “Transmit per 802.1X” to “Transmit” -> No way, 802.1X authentication is not triggered on the switch when the laptop is powered on behind an IP Phone.


So if anyone can help with this, or has also encountered this issue, please help!


You will find the interface configuration attached.


Thank you,


Regards

4 Replies

hslai
Cisco Employee

If I got it correctly, your issue is happening when the PC is connected behind a Cisco IP phone 6941.

The End-of-Sale and End-of-Life Announcement for the Cisco Unified IP Phone 6911, 6921, 6941, 6945, and 6961 says the series is no longer supported and recommends replacing it with the Cisco IP Phone 7800 series.

If you are seeing the issue with a Cisco IP phone that is still supported, please engage Cisco TAC to troubleshoot.

Panos Bouras
Level 1

Hi @Elbrabra ,


If you can take a packet capture from the switch port and from the PC while the issue happens, you can check whether the PC is sending any EAPoL messages that never reach the switch.

Also I would check the CDP info that the phone sends to the switch, as this is the only way for the switch to be aware that the port behind the phone got connected to a client; the phone notifies the switch of its PC port state via CDP.


Panos

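To act on the capture suggestion in the reply above, here is an added example (written for this page, not code from the thread or from Cisco) that decodes EAPOL frames out of raw Ethernet frames or a classic libpcap file and compares the PC-side capture with the switch-port capture: if the PC's EAPOL-Start appears on the PC side but never at the switch, the phone is not passing EAPOL through; if it appears at the switch, the problem is on the authenticator/ISE side. The MAC addresses, the sample EAPOL and CDP frames, and the script name are constructed for the example; pcapng files are not handled.

```python
"""Decode EAPOL (802.1X) frames from Ethernet captures and compare two capture
points.  Added example; MACs and frames below are constructed, not captured."""
import struct
import sys

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def decode_eapol(frame):
    """Describe one EAPOL frame (untagged or one 802.1Q tag); None for anything
    else (CDP, LLDP, IP ...), so an unfiltered capture can be fed in."""
    if len(frame) < 14:
        return None
    dst, src, off = frame[0:6], frame[6:12], 12
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    if ethertype == 0x8100:                       # 802.1Q: skip TPID + TCI
        if len(frame) < 18:
            return None
        off += 4
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    if ethertype != EAPOL_ETHERTYPE:
        return None
    body = frame[off + 2:]
    if len(body) < 4:
        return None
    version, ptype, length = struct.unpack("!BBH", body[:4])
    info = {"src": mac(src), "dst": mac(dst), "to_pae_group": dst == PAE_GROUP_MAC,
            "version": version, "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
            "eap": None}
    if ptype == 0 and length >= 4 and len(body) >= 8:   # EAP-Packet: read EAP header
        code, ident, eap_len = struct.unpack("!BBH", body[4:8])
        eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident}
        if code in (1, 2) and eap_len >= 5 and len(body) >= 9:
            eap["method"] = EAP_METHODS.get(body[8], f"type {body[8]}")
        info["eap"] = eap
    return info


def eapol_summary(frames):
    """(source MAC, label) for every EAPOL frame in a list of raw frames."""
    out = []
    for fr in frames:
        d = decode_eapol(fr)
        if d is None:
            continue
        label = d["type"]
        if d["eap"]:
            label += "/" + d["eap"]["code"]
            if "method" in d["eap"]:
                label += "/" + d["eap"]["method"]
        out.append((d["src"], label))
    return out


def passthrough_verdict(pc_side, switch_side, pc_mac):
    """Classify the failure from the PC's EAPOL frames seen at both capture points."""
    pc_sent = [t for s, t in eapol_summary(pc_side) if s == pc_mac]
    sw_seen = [t for s, t in eapol_summary(switch_side) if s == pc_mac]
    if not pc_sent:
        return "supplicant-silent"        # WiredAutoConfig never sent EAPOL: PC-side problem
    if not sw_seen:
        return "phone-drops-eapol"        # PC sent EAPOL, nothing reached the switch port
    return "eapol-reaches-switch"         # look at the authenticator / ISE side instead


def read_pcap(path):
    """Yield raw Ethernet frames from a classic libpcap file (DLT_EN10MB only)."""
    with open(path, "rb") as f:
        magic = f.read(4)
        end = "<" if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
        if struct.unpack(end + "HHiIII", f.read(20))[5] != 1:
            raise ValueError("not an Ethernet capture")
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                return
            yield f.read(struct.unpack(end + "IIII", rec)[2])


# --- constructed sample frames (assumed MACs, not from a real capture) ---------
PC_MAC, PHONE_MAC, SWITCH_MAC = (bytes.fromhex(h) for h in
                                 ("001122334455", "00aabbccddee", "005566778899"))


def eapol_frame(src, ptype, eap=b"", vlan=None):
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return PAE_GROUP_MAC + src + tag + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, ptype, len(eap)) + eap


EAP_REQ_IDENTITY = struct.pack("!BBHB", 1, 1, 5, 1)                # Request/Identity
EAP_RESP_IDENTITY = struct.pack("!BBHB", 2, 1, 9, 1) + b"user"       # Response/Identity
CDP_FRAME = (bytes.fromhex("01000ccccccc") + PHONE_MAC + struct.pack("!H", 12)
             + bytes.fromhex("aaaa0300000c2000") + b"\x02\xb4\x00\x08")  # LLC/SNAP, not EAPOL

PC_SIDE = [eapol_frame(PC_MAC, 1)]                                  # PC sends EAPOL-Start
SWITCH_SIDE_BROKEN = [CDP_FRAME]                                    # only the phone's CDP arrives
SWITCH_SIDE_OK = [CDP_FRAME, eapol_frame(PC_MAC, 1),
                  eapol_frame(SWITCH_MAC, 0, EAP_REQ_IDENTITY),
                  eapol_frame(PC_MAC, 0, EAP_RESP_IDENTITY)]

if __name__ == "__main__":
    if len(sys.argv) == 4:   # usage: eapol_check.py pc.pcap switch.pcap aa:bb:cc:dd:ee:ff
        print(passthrough_verdict(list(read_pcap(sys.argv[1])),
                                  list(read_pcap(sys.argv[2])), sys.argv[3]))
    else:
        print("switch side:", eapol_summary(SWITCH_SIDE_OK))
        print("broken phone:", passthrough_verdict(PC_SIDE, SWITCH_SIDE_BROKEN, mac(PC_MAC)))
        print("working phone:", passthrough_verdict(PC_SIDE, SWITCH_SIDE_OK, mac(PC_MAC)))
```

Take the two captures at the same moment (a SPAN of the switch port, and Wireshark or tcpdump on the PC), then run the script with both files and the PC's MAC; `tcpdump -w pc.pcap ether proto 0x888e` on the PC already narrows the PC side to EAPOL. Run with no arguments, it walks the constructed frames and prints "phone-drops-eapol" for the broken case and "eapol-reaches-switch" for the working one.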

Hello,


Thank you all for your help,


I'm a little surprised, because in the administration guide of the Cisco IP Phone 6921 we can read:

"Cisco Unified IP Phones and Cisco Catalyst switches traditionally use Cisco Discovery Protocol (CDP) to identify each other and determine parameters such as VLAN allocation and inline power requirements. CDP does not identify locally attached workstations. Cisco Unified IP Phones provide an EAPOL pass-through mechanism. This mechanism allows a workstation attached to the Cisco Unified IP Phone to pass EAPOL messages to the 802.1X authenticator at the LAN switch. The pass-through mechanism ensures that the IP phone does not act as the LAN switch to authenticate a data endpoint before accessing the network."


https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cuipph/6921_6941_6945_6961/10_0/english/adminguide/P690_BK_A2751107_00_admin_6921-6941-6945-6961-10_0/P690_BK_A2751107_00_admin_6921-6941-6945-6961-10_0_chapter_01.html


I don't know yet which firmware version is actually running on the IP Phone; I will ask for this. I know that the IP Phone doesn't support the "CDP enhancement for the second port", but this IP Phone model should support the EAPOL message pass-through and EAPOL-Logoff proxy features.


Regards

thomas
Cisco Employee

It is a very old phone that does not perform 802.1X and most likely does not allow 802.1X message pass-through for the computer behind it. See Troubleshoot IP Telephony In an IEEE 802.1X-enabled environment:

Symptom: IEEE 802.1X-capable devices behind phones get MAB authenticated or put in Guest VLAN
Possible Root Cause: Phone does not pass EAPoL messages correctly from data device
Resolution: Upgrade phone firmware


Your only hope would be a firmware upgrade that allows the 802.1X pass-through.