
MAB Cisco Phones Authentication Successful, VLANASSIGN Unassigned, and Authorization Failed??

Jim Araujo
Level 1

I'm getting some odd behaviour with a Catalyst switch and 802.1x. I am using multi-auth, with a PC and Cisco Phone patched in. Both devices authenticate correctly, but only the PC is authorized based on the switch logs.

Switch terminal logs:

Apr  7 09:27:37.836 EDT: %AUTHMGR-5-START: Starting 'mab' for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
Apr  7 09:27:37.945 EDT: %MAB-5-SUCCESS: Authentication successful for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
Apr  7 09:27:37.945 EDT: %AUTHMGR-5-VLANASSIGN: VLAN 100 assigned to Interface Fa0/1 AuditSessionID Unassigned
Apr  7 09:27:37.970 EDT: %AUTHMGR-5-FAIL: Authorization failed for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
Apr  7 09:27:39.295 EDT: %AUTHMGR-5-START: Starting 'dot1x' for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
Apr  7 09:27:43.775 EDT: %DOT1X-5-SUCCESS: Authentication successful for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID
Apr  7 09:27:43.783 EDT: %AUTHMGR-5-VLANASSIGN: VLAN 212 assigned to Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
Apr  7 09:27:45.570 EDT: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082

Switch config:

aaa authentication dot1x default group RADIUS-DOT1X
aaa authorization network default group radius
ip radius source-interface Loopback0
radius-server vsa send accounting
radius-server vsa send authentication
dot1x system-auth-control
dot1x guest-vlan supplicant

Interface config:

interface FastEthernet0/1
 switchport mode access
 srr-queue bandwidth share 10 10 60 20
 priority-queue out
 authentication event fail action next-method
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 999
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation protect
 mab
 mls qos trust cos
 auto qos voip trust
 dot1x pae authenticator
 no mdix auto
 spanning-tree portfast

Windows NPS Policy:

and

1 Accepted Solution


Hello Jim,

Try to use host mode multi-domain instead of multi-auth.

Regards,

Poonam Garg


3 Replies

Joseph Johnson
Level 1

Try configuring a voice VLAN on the port.

switchport voice vlan <vlan-id>

That will work...but I'm trying to dynamically assign the VLAN based on RADIUS attributes.
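
Added example (not posted by anyone in this thread): a small Python correlator for the AUTHMGR/MAB/DOT1X syslog lines quoted in the question, which flags clients that authenticated successfully but then failed authorization. The function names are hypothetical, and attributing a VLANASSIGN line to the most recently authenticated client on the same interface is an assumption, since that message names no client.

```python
import re
from collections import defaultdict

# The switch log lines quoted in the question, embedded so the script runs offline.
SAMPLE_LOG = """\
Apr  7 09:27:37.836 EDT: %AUTHMGR-5-START: Starting 'mab' for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
Apr  7 09:27:37.945 EDT: %MAB-5-SUCCESS: Authentication successful for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
Apr  7 09:27:37.945 EDT: %AUTHMGR-5-VLANASSIGN: VLAN 100 assigned to Interface Fa0/1 AuditSessionID Unassigned
Apr  7 09:27:37.970 EDT: %AUTHMGR-5-FAIL: Authorization failed for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
Apr  7 09:27:39.295 EDT: %AUTHMGR-5-START: Starting 'dot1x' for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
Apr  7 09:27:43.775 EDT: %DOT1X-5-SUCCESS: Authentication successful for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID
Apr  7 09:27:43.783 EDT: %AUTHMGR-5-VLANASSIGN: VLAN 212 assigned to Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
Apr  7 09:27:45.570 EDT: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
"""
EVENT = re.compile(r"%(?P<fac>[A-Z0-9]+)-\d-(?P<mn>[A-Z]+): (?P<msg>.*)")
CLIENT = re.compile(r"client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+)")
VLAN = re.compile(r"VLAN (?P<vlan>\d+) assigned to Interface (?P<intf>\S+)")

def correlate(log_text):
    """One record per client MAC; keyed by MAC because AuditSessionID is missing on some lines."""
    clients = defaultdict(lambda: dict(method=None, authenticated=False, vlan=None, authorized=None))
    last_auth = {}  # interface -> MAC whose authentication most recently succeeded
    for line in log_text.splitlines():
        ev = EVENT.search(line)
        if not ev:
            continue
        fac, mn, msg = ev["fac"], ev["mn"], ev["msg"]
        c = CLIENT.search(msg)
        if c:
            rec = clients[c["mac"]]
            if fac == "AUTHMGR" and mn == "START":
                rec["method"] = msg.split("'")[1]       # 'mab' or 'dot1x'
            elif fac in ("MAB", "DOT1X") and mn == "SUCCESS":
                rec["authenticated"] = True             # authentication result
                last_auth[c["intf"]] = c["mac"]
            elif fac == "AUTHMGR" and mn in ("SUCCESS", "FAIL"):
                rec["authorized"] = mn == "SUCCESS"     # authorization result
        elif fac == "AUTHMGR" and mn == "VLANASSIGN":
            v = VLAN.search(msg)
            # Assumption: the VLAN belongs to the last client authenticated on this port.
            if v and v["intf"] in last_auth:
                clients[last_auth[v["intf"]]]["vlan"] = int(v["vlan"])
    return dict(clients)

def auth_ok_but_unauthorized(records):
    """MACs whose authentication succeeded but whose authorization failed."""
    return sorted(m for m, r in records.items() if r["authenticated"] and r["authorized"] is False)

if __name__ == "__main__":
    print(auth_ok_but_unauthorized(correlate(SAMPLE_LOG)))
```
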
