05-07-2013 07:05 AM - edited 03-10-2019 08:24 PM
Hello everybody,
I am using MAB to authenticate clients and Cisco IP Phones against a Microsoft NPS RADIUS server. Everything is working perfectly, except for 1 Cisco phone. The phone successfully authenticates, but authorization fails. The switch port has the following configuration.
switchport access vlan 500
switchport mode access
switchport nonegotiate
switchport voice vlan 92
no logging event link-status
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication control-direction in
authentication event server dead action authorize voice
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
authentication timer reauthenticate 10800
authentication timer inactivity 1800
mab
no snmp trap link-status
mls qos trust device cisco-phone
mls qos trust cos
macro description mab
auto qos voip cisco-phone
storm-control broadcast level 5.00
storm-control action shutdown
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
I receive the following RADIUS logging from the client authentication process.
May 7 15:24:53.349: RADIUS: 4D 8F 05 AB 00 00 01 37 00 01 02 00 0A 19 0A 84 00 00 00 00 00 00 00 00 00 00 00 00 01 CE 47 DF 2A A4 B3 70 00 00 00 00 00 00 5F 79 [ M7G*p_y]
May 7 15:24:53.349: RADIUS: Vendor, Cisco [26] 34
May 7 15:24:53.349: RADIUS: Cisco AVpair [1] 28 "device-traffic-class=voice"
May 7 15:24:53.358: RADIUS(00002749): Received from id 1645/128
May 7 15:24:53.366: %MAB-5-SUCCESS: Authentication successful for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
May 7 15:24:53.374: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
SER-02-SW01#clear authentication
May 7 15:24:53.383: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
I checked online, and blog posts and forums suggest checking the use of downloadable access-lists, but they aren't used on the switch. As mentioned, all Cisco IP Phones work perfectly, except this one. I already removed the object from Active Directory and created a new object from scratch, but got the same result. I also tried another port on the switch, still an authorization failure.
Currently I have no idea where to look further, so maybe some of you can help me!!!
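The pattern in the log above (MAB-5-SUCCESS followed by AUTHMGR-5-FAIL for the same AuditSessionID) is easy to miss when scrolling a busy switch log. The helper below is an added example, not code from this thread: it groups MAB/AUTHMGR syslog lines by AuditSessionID, flags sessions that authenticated but never reached authorization, and lists the device-traffic-class values the RADIUS server returned. The sample lines are constructed from the format shown above; the second session is a made-up healthy phone.

```python
import re
from collections import defaultdict

# Constructed sample log: session 1 mirrors the thread's failing phone,
# session 2 is a made-up phone that authorizes normally.
SAMPLE_LOG = """\
May 7 15:24:53.349: RADIUS: Cisco AVpair [1] 28 "device-traffic-class=voice"
May 7 15:24:53.366: %MAB-5-SUCCESS: Authentication successful for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
May 7 15:24:53.374: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
May 7 15:24:53.383: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
May 7 15:30:01.100: %MAB-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi1/0/12 AuditSessionID 0A194B040000270700000001
May 7 15:30:01.120: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0011.2233.4455) on Interface Gi1/0/12 AuditSessionID 0A194B040000270700000001
"""

# Matches the MAB/AUTHMGR messages that carry a client MAC and AuditSessionID.
EVENT_RE = re.compile(
    r"%(?P<mnemonic>[A-Z_]+-\d-[A-Z_]+): .*?client \((?P<mac>[0-9a-f.]+)\) "
    r"on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)"
)
# Matches the Cisco AVpair the NPS policy returns for the voice domain.
AVPAIR_RE = re.compile(r'Cisco AVpair \[1\] \d+ "device-traffic-class=(?P<cls>\w+)"')


def parse_sessions(log_text):
    """Group events by AuditSessionID, preserving log order."""
    sessions = defaultdict(lambda: {"mac": None, "intf": None, "events": []})
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            s = sessions[m["sid"]]
            s["mac"], s["intf"] = m["mac"], m["intf"]
            s["events"].append(m["mnemonic"])
    return dict(sessions)


def find_authenticated_not_authorized(sessions):
    """Session IDs where MAB succeeded but authorization failed or never succeeded."""
    bad = []
    for sid, s in sessions.items():
        ev = s["events"]
        if "MAB-5-SUCCESS" in ev and ("AUTHMGR-5-FAIL" in ev or "AUTHMGR-5-SUCCESS" not in ev):
            bad.append(sid)
    return bad


def traffic_classes_received(log_text):
    """device-traffic-class values seen in RADIUS debug output."""
    return [m["cls"] for m in AVPAIR_RE.finditer(log_text)]


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for sid in find_authenticated_not_authorized(sessions):
        print(f"{sid}: {sessions[sid]['mac']} on {sessions[sid]['intf']} authenticated but not authorized")
    print("traffic classes returned:", traffic_classes_received(SAMPLE_LOG))
```

Feed it the output of `debug mab all` and `debug radius` from both the working and the non-working switch to see whether the server's reply differs before suspecting the switch.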
05-09-2013 08:02 AM
Thanks for updating, Rene. I suggested disabling and re-enabling dot1x globally to see in case it got stuck somewhere. However, it looks like the thought didn't go well. Would appreciate if you mark it resolved so that someone else can benefit from it.
You're welcome
Have a nice day!!!
Jatin Katyal
- Do rate helpful posts -
05-07-2013 07:29 AM
Please provide the below-mentioned info:
debug mab all
debug radius
show authentication session interface
error message from the NPS > event viewer
show mac address-table interface
I believe the MAC address of the phone is 442b.03a2.f9e8
Jatin Katyal
- Do rate helpful posts -
05-07-2013 09:34 AM
05-07-2013 10:53 AM
Rene, the debugs show that RADIUS successfully authenticated the access-request and did send the required attribute to put the phone in the voice VLAN, but it seems like some restriction is preventing the authorization part.
May 7 18:30:26.724: RADIUS: Cisco AVpair [1] 28 "device-traffic-class=voice"
May 7 18:30:26.724: RADIUS(00002766): Received from id 1645/81
May 7 18:30:26.732: mab-ev(Gi1/0/39): MAB received an Access-Accept for 0x1A00005F (442b.03a2.f9e8)
May 7 18:30:26.732: %MAB-5-SUCCESS: Authentication successful for client (442b.03a2.f9e8) on Interface Gi1/0/39
You wrote that you have tried other ports as well with the same issue. Do we have any phone connected to a different interface/port working fine?
Jatin Katyal
- Do rate helpful posts -
05-07-2013 10:57 AM
Hey Jatin,
The problem only occurs with this specific Cisco IP Phone and only on this specific Cisco Catalyst 3750X switch / stack. All other Cisco IP Phones are working fine.
We patched the specific phone to another 3750X switch (with the same IOS firmware) and authentication and authorization are working fine on that switch. So it seems like a bug, but a bug for only one Cisco IP Phone?!?!?!
05-07-2013 11:03 AM
Could you please share the interface configuration of the other 3750X where you patched the IP phone and it worked?
Jatin Katyal
- Do rate helpful posts -
05-07-2013 11:06 AM
The configuration of all MAB-enabled switch ports is exactly the same as in the first post. We use a macro configuration to configure the switch ports.
05-07-2013 11:14 AM
Let's try this:
Unplug the phone.
Clear the MAC address table for that interface.
clear mac address-table dynamic interface
Plug the phone back into the interface.
Go to the interface and execute
shut and no shut
Share the results please.
Jatin Katyal
- Do rate helpful posts -
05-07-2013 11:19 AM
I still get the same result.
00 00 00 00 00 01 CE 47 DF 2A A4 B3 70 00 00 00 00 00 00 66 CA [ M7G*pf]
May 7 20:18:27.722: RADIUS: Vendor, Cisco [26] 34
May 7 20:18:27.722: RADIUS: Cisco AVpair [1] 28 "device-traffic-class=voice"
May 7 20:18:27.739: RADIUS(00002769): Received from id 1645/205
May 7 20:18:27.739: mab-ev(Gi1/0/39): MAB received an Access-Accept for 0xE601003B (442b.03a2.f9e8)
May 7 20:18:27.739: %MAB-5-SUCCESS: Authentication successful for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002722EEA070B8
May 7 20:18:27.739: mab-sm(Gi1/0/39): Received event 'MAB_RESULT' on handle 0xE601003B
May 7 20:18:27.739: mab : during state mab_authorizing, got event 5(mabResult)
May 7 20:18:27.739: @@@ mab : mab_authorizing -> mab_terminate
May 7 20:18:27.739: mab-ev(Gi1/0/39): Deleted credentials profile for 0xE601003B (dot1x_mac_auth_442b.03a2.f9e8)
May 7 20:18:27.739: mab-ev(Gi1/0/39): Sending event (2) to AuthMGR for 442b.03a2.f9e8
May 7 20:18:27.739: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002722EEA070B8
SER-02-SW01#
May 7 20:18:27.747: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002722EEA070B8
May 7 20:18:28.728: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Gi1/0/39, port's configured trust state is now operational.
SER-02-SW01#
May 7 20:18:29.668: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Gi1/0/39, port's configured trust state is now operational.
05-07-2013 04:58 PM
This is strange.
I'd like to see more debugs to narrow it down.
debug dot1x all
debug mab all
debug radius
debug aaa authentication
shut/ no shut the interface
Switch# show mab int
switch# show dot1x int
Also send me a screenshot of the error message and the policy we are hitting on the RADIUS server.
Go to NPS > administrative tools > event viewer > Custom views > server roles > network policy and access-services.
Go to NPS > administrative tools > NPS > policies > network policies > edit policy > radius attributes > standard and vendor specific.
Jatin Katyal
- Do rate helpful posts -
05-08-2013 12:08 AM
05-08-2013 06:08 AM
Again analysed the debug you sent over. Unfortunately, nothing new in that either. The MAB session JUST shows authentication status success and not authorized.
MAB SM state = TERMINATE
Authen Status = SUCCESS
Do we have a different phone working fine with the same switch on a different port/interface?
If not, then please share the following info from the working and non-working switch:
show run | in aaa
show ver
In case it doesn't help us, two things I'd be interested in here:
- Sniffer traces of the Radius packet exchange between this switch and the server (having the shared secret would be ideal but isn't strictly needed) and
- It may be worthwhile to run the same debugs on one of the working switches so I can double-check to make sure there isn't a slight difference in the authorization response we received.
debug dot1x all
debug mab all
debug radius
debug aaa authentication
The last resort would be to reload the switch (in case it's possible).
Jatin Katyal
- Do rate helpful posts -
05-08-2013 06:13 AM
Hey Jatin,
Other phones work on the same switch on the same port, on the same switch on different port and on different switches. I am thinking about a bug, so we will schedule a reload of the switch to see if this solves the problem.
05-08-2013 06:35 AM
Alrighty... I did see a similar issue for some other customer a couple of years ago and we finally reloaded the switch to get that resolved. I hope this does the magic in your case as well.
Good luck
Jatin Katyal
- Do rate helpful posts -
05-08-2013 01:23 PM
Before we reload, try disabling dot1x globally and re-applying it:
no dot1x system-auth-control
dot1x system-auth-control
Jatin Katyal
- Do rate helpful posts -