MAB with Cisco Phone - Authorization failed

Rene Jorissen
Level 1

Hello everybody,

I am using MAB to authenticate clients and Cisco IP Phones against a Microsoft NPS RADIUS server. Everything is working perfectly, except for 1 Cisco phone. The phone is successfully authenticated, but authorization fails. The switch port has the following configuration.

switchport access vlan 500
switchport mode access
switchport nonegotiate
switchport voice vlan 92
no logging event link-status
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication control-direction in
authentication event server dead action authorize voice
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
authentication timer reauthenticate 10800
authentication timer inactivity 1800
mab
no snmp trap link-status
mls qos trust device cisco-phone
mls qos trust cos
macro description mab
auto qos voip cisco-phone
storm-control broadcast level 5.00
storm-control action shutdown
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY

I receive the following RADIUS logging from the client authentication process.

May  7 15:24:53.349: RADIUS:   4D 8F 05 AB 00 00 01 37 00 01 02 00 0A 19 0A 84 00 00 00 00 00 00 00 00 00 00 00 00 01 CE 47 DF 2A A4 B3 70 00 00 00 00 00 00 5F 79           [ M7G*p_y]
May  7 15:24:53.349: RADIUS:  Vendor, Cisco       [26]  34
May  7 15:24:53.349: RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
May  7 15:24:53.358: RADIUS(00002749): Received from id 1645/128
May  7 15:24:53.366: %MAB-5-SUCCESS: Authentication successful for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
May  7 15:24:53.374: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
SER-02-SW01#clear authentication
May  7 15:24:53.383: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13

I checked online, and blog posts and forums suggest checking the usage of downloadable access-lists, but they aren't used in the switch. As mentioned, all Cisco IP Phones work perfectly, except this one. I already removed the object from Active Directory and created a new object from scratch, but got the same result. I also tried another port on the switch, but still got an authorization failure.

Currently I have no idea where to look further, so maybe some of you can help me!!!
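A way to pick this symptom out of switch logs, as an added example that is not part of the original thread: the script groups syslog messages by AuditSessionID and reports sessions where %MAB-5-SUCCESS is followed by %AUTHMGR-5-FAIL. The sample lines are copied from the post above; the function name `auth_ok_but_unauthorized` is an assumption of this example.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (the RADIUS hex dump line is left out).
SAMPLE_LOG = """\
May  7 15:24:53.349: RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
May  7 15:24:53.358: RADIUS(00002749): Received from id 1645/128
May  7 15:24:53.366: %MAB-5-SUCCESS: Authentication successful for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
May  7 15:24:53.374: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
SER-02-SW01#clear authentication
May  7 15:24:53.383: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
"""

# Matches the session-manager messages that carry client, port and session ID.
EVENT = re.compile(
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z_]+): .*?"
    r"client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<port>\S+) "
    r"AuditSessionID (?P<sid>[0-9A-F]+)"
)


def auth_ok_but_unauthorized(log_text):
    """Return sessions where MAB succeeded and authorization then failed."""
    sessions = defaultdict(lambda: {"events": []})
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # RADIUS debug output, CLI prompts and other lines
        s = sessions[m["sid"]]
        s.update(mac=m["mac"], port=m["port"])
        s["events"].append(m["mnemonic"])

    findings = []
    for sid, s in sessions.items():
        ev = s["events"]
        # Only flag a failure logged after the authentication success.
        if "MAB-5-SUCCESS" in ev and "AUTHMGR-5-FAIL" in ev[ev.index("MAB-5-SUCCESS"):]:
            findings.append({"session": sid, "mac": s["mac"], "port": s["port"]})
    return findings


if __name__ == "__main__":
    for f in auth_ok_but_unauthorized(SAMPLE_LOG):
        print(f"{f['mac']} on {f['port']}: authenticated but not authorized "
              f"(session {f['session']})")
```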


Jatin,

Didn't help either. A reboot of the switch solved the problem. So I guess some kind of bug or something.

Thanks for all the support

Thanks for updating, Rene. I suggested disabling and re-enabling dot1x globally to see in case it got stuck somewhere. However, it looks like the thought didn't go well. Would appreciate it if you mark it resolved so that someone else can benefit from it.

You're welcome

Have a nice day!!!

Jatin Katyal


- Do rate helpful posts -

~Jatin

msonnie
Level 1

Hello Rene,

As you must have observed, it's just an issue with this particular model of Cisco IP phone, hence I would recommend checking the various conditions that have been specified on the RADIUS server for the Cisco IP phone, as usually the dACLs/conditions (rules) are a reason for the authorization failure.

May I know if there's any other authenticator in the network, such as Cisco ISE?

HTH.

Mohit,

A reboot of the switch did the trick!!!

Mohit,

Thanks for joining the discussion. Actually, I thought the same thing initially, that we might need to apply a port-based ACL. We did clarify this piece in this post: https://supportforums.cisco.com/message/3931416#3931416

Screen shots are attached from NPS.

Jatin Katyal


~Jatin

Great work Jatin and Rene.

I am sometimes amazed working with the technology.

Still all is well that ends well.

Good going.. Guys..!!!!