MAB with Cisco Phone - Authorization failed

Rene Jorissen

Hello everybody,

I am using MAB to authenticate clients and Cisco IP Phones against a Microsoft NPS RADIUS server. Everything is working perfectly, except for one Cisco phone. The phone authenticates successfully, but authorization fails. The switch port has the following configuration.

switchport access vlan 500
switchport mode access
switchport nonegotiate
switchport voice vlan 92
no logging event link-status
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication control-direction in
authentication event server dead action authorize voice
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
authentication timer reauthenticate 10800
authentication timer inactivity 1800
mab
no snmp trap link-status
mls qos trust device cisco-phone
mls qos trust cos
macro description mab
auto qos voip cisco-phone
storm-control broadcast level 5.00
storm-control action shutdown
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY

I receive the following RADIUS logging from the client authentication process.

May  7 15:24:53.349: RADIUS:   4D 8F 05 AB 00 00 01 37 00 01 02 00 0A 19 0A 84 00 00 00 00 00 00 00 00 00 00 00 00 01 CE 47 DF 2A A4 B3 70 00 00 00 00 00 00 5F 79           [ M7G*p_y]
May  7 15:24:53.349: RADIUS:  Vendor, Cisco       [26]  34
May  7 15:24:53.349: RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
May  7 15:24:53.358: RADIUS(00002749): Received from id 1645/128
May  7 15:24:53.366: %MAB-5-SUCCESS: Authentication successful for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
May  7 15:24:53.374: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
SER-02-SW01#clear authentication
May  7 15:24:53.383: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13

I checked online, and blog posts and forums suggest checking the use of downloadable access lists, but they aren't used on the switch. As mentioned, all Cisco IP Phones work perfectly, except this one. I already removed the object from Active Directory and created a new object from scratch, but with the same result. I also tried another port on the switch, still an authorization failure.

Currently I have no idea where to look further, so maybe some of you can help me!!!

Accepted Solution

Thanks for updating, Rene. I suggested disabling and re-enabling dot1x globally to see whether it had got stuck somewhere. However, it looks like that thought didn't go well. I would appreciate it if you marked it resolved so that someone else can benefit from it.

You're welcome

Have a nice day!!!

Jatin Katyal


- Do rate helpful posts -

~Jatin


20 Replies

Jatin Katyal (Cisco Employee)

Please provide the information below:

debug mab all
debug radius
show authentication sessions interface

error message from the NPS > Event Viewer

show mac address-table interface

I believe the MAC address of the phone is 442b.03a2.f9e8.

Jatin Katyal



Dear Jatin,

I attached the output of the debug and show commands. The NPS logging only shows a successful login, so nothing special there.

Rene, the debugs show that RADIUS successfully authenticated the Access-Request and did send the required attribute to put the phone in the voice VLAN, but it seems like some restriction is preventing the authorization part.

May  7 18:30:26.724: RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
May  7 18:30:26.724: RADIUS(00002766): Received from id 1645/81
May  7 18:30:26.732: mab-ev(Gi1/0/39): MAB received an Access-Accept for 0x1A00005F (442b.03a2.f9e8)
May  7 18:30:26.732: %MAB-5-SUCCESS: Authentication successful for client (442b.03a2.f9e8) on Interface Gi1/0/39

You wrote that you have tried other ports as well with the same issue. Do we have any phone connected to a different interface/port that is working fine?

Jatin Katyal


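The two debug lines "Vendor, Cisco [26] 34" and "Cisco AVpair [1] 28" are the RFC 2865 Vendor-Specific attribute (type 26, vendor ID 9) wrapping a cisco-avpair sub-attribute (sub-type 1). As an added example, not code from this thread or from Cisco or Microsoft, the Python below encodes that attribute and parses it back out of a constructed Access-Accept attribute list. The 34- and 28-byte lengths it produces are exactly what the switch printed, which is the quickest way to confirm that the server sent the voice-domain attribute intact. The Class attribute and the Microsoft VSA in the sample are made up to show other attributes being skipped.

```python
import struct

# RFC 2865 attribute types and the IANA enterprise number Cisco uses in Vendor-Specific.
ATTR_CLASS = 25
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1        # Cisco vendor sub-type carrying "key=value" strings
MS_VENDOR_ID = 311      # Microsoft; used here only as a non-Cisco VSA to be skipped (constructed)


def encode_tlv(atype: int, value: bytes) -> bytes:
    """RADIUS attribute: 1-byte type, 1-byte length (header included), value."""
    length = 2 + len(value)
    if not 2 <= length <= 255:
        raise ValueError("attribute value too long for a single RADIUS attribute")
    return struct.pack("!BB", atype, length) + value


def encode_cisco_avpair(avpair: str) -> bytes:
    """Vendor-Specific(26) -> Vendor-Id 9 -> cisco-avpair(1) -> ASCII string."""
    sub = encode_tlv(CISCO_AVPAIR, avpair.encode("ascii"))
    return encode_tlv(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def decode_tlvs(data: bytes):
    """Yield (type, value) for a concatenated attribute list. Malformed lengths are
    rejected rather than silently mis-parsed, as a real RADIUS parser must do."""
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("attribute length %d exceeds buffer" % alen)
        yield atype, data[i + 2:i + alen]
        i += alen


def cisco_avpairs(attrs: bytes) -> list:
    """Collect every cisco-avpair string from an attribute list, ignoring other vendors."""
    pairs = []
    for atype, value in decode_tlvs(attrs):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 4:
            continue
        (vendor_id,) = struct.unpack("!I", value[:4])
        if vendor_id != CISCO_VENDOR_ID:
            continue
        for stype, svalue in decode_tlvs(value[4:]):
            if stype == CISCO_AVPAIR:
                pairs.append(svalue.decode("ascii", errors="replace"))
    return pairs


def device_traffic_class(attrs: bytes):
    """Return the device-traffic-class value (e.g. 'voice') or None if the Access-Accept lacks it."""
    for pair in cisco_avpairs(attrs):
        key, sep, val = pair.partition("=")
        if sep and key == "device-traffic-class":
            return val
    return None


# Constructed Access-Accept attribute list: a Class attribute, a Microsoft VSA and the
# Cisco VSA seen in the thread. Only the Cisco VSA bytes reproduce something in the debug.
SAMPLE_ACCEPT_ATTRS = (
    encode_tlv(ATTR_CLASS, b"\x01\x02\x03\x04")
    + encode_tlv(ATTR_VENDOR_SPECIFIC, struct.pack("!I", MS_VENDOR_ID) + encode_tlv(12, b"\x00" * 6))
    + encode_cisco_avpair("device-traffic-class=voice")
)

if __name__ == "__main__":
    vsa = encode_cisco_avpair("device-traffic-class=voice")
    print("Vendor, Cisco [26] length", vsa[1], "/ Cisco AVpair [1] length", vsa[7])
    print("device-traffic-class:", device_traffic_class(SAMPLE_ACCEPT_ATTRS))
```

If `device_traffic_class` returns "voice" for the bytes on the wire and the switch still logs AUTHMGR-5-FAIL, the server side is not the problem; the attribute was delivered and the failure is in how the switch applies it.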

Hey Jatin,

The problem only occurs with this specific Cisco IP Phone and only on this specific Cisco Catalyst 3750X switch / stack. All other Cisco IP Phones are working fine.

We patched the specific phone to another 3750X switch (with the same IOS firmware) and authentication and authorization are working fine on that switch. So it seems like a bug, but a bug for only one Cisco IP Phone?!

Could you please share the interface configuration of the other 3750X where you patched the IP phone and it worked?

Jatin Katyal



The configuration of all MAB-enabled switch ports is exactly the same as in the first post. We use a macro to configure the switch ports.

Let's try this:

Unplug the phone.

Clear the MAC address table for that interface:

clear mac address-table dynamic interface

Plug the phone back into the interface.

Go to the interface and execute:

shut and no shut

Please share the results.

Jatin Katyal



I still get the same result.

00 00 00 00 00 01 CE 47 DF 2A A4 B3 70 00 00 00 00 00 00 66 CA            [ M7G*pf]
May  7 20:18:27.722: RADIUS:  Vendor, Cisco       [26]  34
May  7 20:18:27.722: RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
May  7 20:18:27.739: RADIUS(00002769): Received from id 1645/205
May  7 20:18:27.739: mab-ev(Gi1/0/39): MAB received an Access-Accept for 0xE601003B (442b.03a2.f9e8)
May  7 20:18:27.739: %MAB-5-SUCCESS: Authentication successful for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002722EEA070B8
May  7 20:18:27.739: mab-sm(Gi1/0/39): Received event 'MAB_RESULT' on handle 0xE601003B
May  7 20:18:27.739:     mab : during state mab_authorizing, got event 5(mabResult)
May  7 20:18:27.739: @@@ mab : mab_authorizing -> mab_terminate
May  7 20:18:27.739: mab-ev(Gi1/0/39): Deleted credentials profile for 0xE601003B (dot1x_mac_auth_442b.03a2.f9e8)
May  7 20:18:27.739: mab-ev(Gi1/0/39): Sending event (2) to AuthMGR for 442b.03a2.f9e8
May  7 20:18:27.739: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002722EEA070B8
May  7 20:18:27.747: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002722EEA070B8
May  7 20:18:28.728: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Gi1/0/39, port's configured trust state is now operational.
May  7 20:18:29.668: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Gi1/0/39, port's configured trust state is now operational.
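The signature in these debugs is a %MAB-5-SUCCESS and an %AUTHMGR-7-RESULT 'success' followed, a few milliseconds later, by %AUTHMGR-5-FAIL "Authorization failed or unapplied" for the same AuditSessionID. When deciding whether one device or the whole switch is affected, that is the pattern to hunt for across a syslog export rather than watching a single port. The Python below is an added example, not code from this thread, that correlates the three message types per AuditSessionID and reports sessions that authenticated but never authorized. The lines for 442b.03a2.f9e8 on Gi1/0/39 are taken from this thread; the lines for 0011.2233.4455 on Gi1/0/40 are constructed to show a normally authorized phone, and the %AUTHMGR-5-SUCCESS "Authorization succeeded" wording is assumed to be the IOS message for that case. Lines without an AuditSessionID (as the bare %MAB-5-SUCCESS at 18:30:26 above) are keyed by MAC and interface instead, so they never collide with a real session.

```python
import re
from collections import Counter, defaultdict

# Matches the Catalyst MAB / authentication-manager syslog messages seen in this thread.
# AuditSessionID is optional because some lines (the bare %MAB-5-SUCCESS) omit it.
AUTH_RE = re.compile(
    r"%(?P<facility>MAB|AUTHMGR)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<text>.*?) "
    r"client \((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) "
    r"on Interface (?P<intf>\S+)"
    r"(?: AuditSessionID (?P<sid>[0-9A-Fa-f]+))?"
)

# Sample syslog export. The first seven lines are from the thread; the 0011.2233.4455
# lines are constructed (MAC, port and session ID are made up) to show a healthy session.
SAMPLE_LINES = [
    "May  7 15:24:53.366: %MAB-5-SUCCESS: Authentication successful for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13",
    "May  7 15:24:53.374: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13",
    "May  7 15:24:53.383: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13",
    "May  7 18:30:26.732: %MAB-5-SUCCESS: Authentication successful for client (442b.03a2.f9e8) on Interface Gi1/0/39",
    "May  7 20:18:27.739: %MAB-5-SUCCESS: Authentication successful for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002722EEA070B8",
    "May  7 20:18:27.739: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002722EEA070B8",
    "May  7 20:18:27.747: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002722EEA070B8",
    # constructed: a phone that is authorized normally (message wording for AUTHMGR-5-SUCCESS assumed)
    "May  7 20:19:10.101: %MAB-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi1/0/40 AuditSessionID 0A194B040000272300000001",
    "May  7 20:19:10.105: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0011.2233.4455) on Interface Gi1/0/40 AuditSessionID 0A194B040000272300000001",
    "May  7 20:19:10.110: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0011.2233.4455) on Interface Gi1/0/40 AuditSessionID 0A194B040000272300000001",
]


def parse_auth_events(lines):
    """Return the regex groups for every line that is an AUTHMGR/MAB client message."""
    return [m.groupdict() for m in map(AUTH_RE.search, lines) if m]


def authenticated_not_authorized(lines):
    """Sessions where MAB reported success but the authorization step failed or was never applied."""
    sessions = defaultdict(lambda: {"authenticated": False, "authorized": False, "auth_failed": False})
    for ev in parse_auth_events(lines):
        # Fall back to mac@interface for lines that carry no AuditSessionID.
        key = ev["sid"] or "%s@%s" % (ev["mac"], ev["intf"])
        s = sessions[key]
        s["mac"], s["intf"] = ev["mac"], ev["intf"]
        fac, mn = ev["facility"], ev["mnemonic"]
        if fac == "MAB" and mn == "SUCCESS":
            s["authenticated"] = True
        elif fac == "AUTHMGR" and mn == "RESULT" and "'success'" in ev["text"]:
            s["authenticated"] = True
        elif fac == "AUTHMGR" and mn == "SUCCESS":
            s["authorized"] = True
        elif fac == "AUTHMGR" and mn == "FAIL":
            s["auth_failed"] = True
    return [
        {"session": key, "mac": s["mac"], "intf": s["intf"]}
        for key, s in sessions.items()
        if s["authenticated"] and s["auth_failed"] and not s["authorized"]
    ]


def repeat_offenders(findings):
    """Count failing sessions per MAC: one MAC with many hits points at the device, many MACs at the switch."""
    return dict(Counter(f["mac"] for f in findings))


if __name__ == "__main__":
    found = authenticated_not_authorized(SAMPLE_LINES)
    for f in found:
        print("authenticated but not authorized:", f)
    print("per-MAC count:", repeat_offenders(found))
```

Run it against `show logging` output from both the failing and a working 3750X; if every hit belongs to the same MAC on one switch while the same phone authorizes cleanly elsewhere, the data supports the single-switch-state hypothesis discussed in this thread rather than a server policy problem.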

This is strange.

I'd like to see more debugs to narrow it down.

debug dot1x all
debug mab all
debug radius
debug aaa authentication

shut / no shut the interface

Switch# show mab int details
Switch# show dot1x int details

Also send me a screenshot of the error message and the policy we are hitting on the RADIUS server:

Go to NPS > Administrative Tools > Event Viewer > Custom Views > Server Roles > Network Policy and Access Services.

Go to NPS > Administrative Tools > NPS > Policies > Network Policies > edit the policy > RADIUS Attributes > Standard and Vendor Specific.

Jatin Katyal


Tell me something. Strange is an understatement ;-)

I attached the requested information. The NPS event logging only shows "access granted" messages for the client, which relate to the Authentication succeed messages from MAB.

I analysed the debugs you sent over again. Unfortunately, nothing new there either. The MAB session just shows authentication status success and not authorized.

MAB SM state              = TERMINATE
Authen Status               = SUCCESS

Do we have a different phone working fine on the same switch on a different port/interface?

If not, then please share the following info from the working and non-working switch:

show run | in aaa
show ver

In case it doesn't help us, two things I'd be interested in here:

- Sniffer traces of the RADIUS packet exchange between this switch and the server (having the shared secret would be ideal but isn't strictly needed), and
- It may be worthwhile to run the same debugs on one of the working switches so I can double-check to make sure there isn't a slight difference in the authorization response we received.

debug dot1x all
debug mab all
debug radius
debug aaa authentication

The last resort would be to reload the switch (in case it's possible).

Jatin Katyal



Hey Jatin,

Other phones work on the same switch on the same port, on the same switch on different port and on different switches. I am thinking about a bug, so we will schedule a reload of the switch to see if this solves the problem.

Alrighty... I did see a similar issue for another customer a couple of years ago, and we finally reloaded the switch to get it resolved. I hope this does the magic in your case as well.

Good luck

Jatin Katyal



Before we reload, try disabling dot1x globally and re-applying it:

no dot1x system-auth-control
dot1x system-auth-control

Jatin Katyal

