05-07-2013 07:05 AM - edited 03-10-2019 08:24 PM
Hello everybody,
I am using MAB to authenticate clients and Cisco IP Phones against a Microsoft NPS RADIUS server. Everything is working perfectly, except for 1 Cisco phone. The phone is successfully authenticated, but authorization fails. The switch port has the following configuration.
switchport access vlan 500
switchport mode access
switchport nonegotiate
switchport voice vlan 92
no logging event link-status
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication control-direction in
authentication event server dead action authorize voice
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
authentication timer reauthenticate 10800
authentication timer inactivity 1800
mab
no snmp trap link-status
mls qos trust device cisco-phone
mls qos trust cos
macro description mab
auto qos voip cisco-phone
storm-control broadcast level 5.00
storm-control action shutdown
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
I receive the following RADIUS logging from the client authentication process.
May 7 15:24:53.349: RADIUS: 4D 8F 05 AB 00 00 01 37 00 01 02 00 0A 19 0A 84 00 00 00 00 00 00 00 00 00 00 00 00 01 CE 47 DF 2A A4 B3 70 00 00 00 00 00 00 5F 79 [ M7G*p_y]
May 7 15:24:53.349: RADIUS: Vendor, Cisco [26] 34
May 7 15:24:53.349: RADIUS: Cisco AVpair [1] 28 "device-traffic-class=voice"
May 7 15:24:53.358: RADIUS(00002749): Received from id 1645/128
May 7 15:24:53.366: %MAB-5-SUCCESS: Authentication successful for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
May 7 15:24:53.374: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
SER-02-SW01#clear authentication
May 7 15:24:53.383: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
I checked online, and blog posts and forums suggest checking the usage of downloadable access-lists, but they aren't used on the switch. As mentioned, all Cisco IP Phones work perfectly, except this one. I already removed the object from Active Directory and created a new object from scratch, but with the same result. I also tried another port on the switch, still an authorization failure.
Currently I have no idea where to look further, so maybe some of you can help me!!!
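Reading the symptom back out of the switch log, as an added example that is not part of the post: the sample lines below are constructed to mirror the %MAB and %AUTHMGR messages quoted above (the Gi1/0/41 session and the second phone on Gi1/0/40 are made up), and the script flags sessions where MAB succeeded but the auth manager then reported authorization failed, grouping them by MAC so a device that fails on more than one port stands out, which is what points away from the port configuration.

```python
import re
from collections import defaultdict

# Constructed sample syslog, modelled on the message formats quoted in the post.
SAMPLE_LOG = """\
May 7 15:24:53.366: %MAB-5-SUCCESS: Authentication successful for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
May 7 15:24:53.374: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
May 7 15:24:53.383: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
May 7 15:31:02.110: %MAB-5-SUCCESS: Authentication successful for client (442b.03a2.f9e8) on Interface Gi1/0/41 AuditSessionID 0A194B0400002708ED82EC01
May 7 15:31:02.125: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (442b.03a2.f9e8) on Interface Gi1/0/41 AuditSessionID 0A194B0400002708ED82EC01
May 7 15:32:15.001: %MAB-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi1/0/40 AuditSessionID 0A194B0400002709ED82EC10
May 7 15:32:15.020: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0011.2233.4455) on Interface Gi1/0/40 AuditSessionID 0A194B0400002709ED82EC10
"""

# Pull the mnemonic, client MAC, interface and audit session id out of one line.
EVENT_RE = re.compile(
    r"%(?P<mnemonic>(?:MAB|AUTHMGR)-\d-[A-Z_]+):.*?"
    r"client \((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) "
    r"on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)"
)

def parse_events(log_text):
    """Return one dict per MAB/AUTHMGR line that names a client and a session."""
    return [m.groupdict() for m in map(EVENT_RE.search, log_text.splitlines()) if m]

def sessions_authenticated_but_not_authorized(log_text):
    """Sessions where MAB reported success but the auth manager then reported
    authorization failed or unapplied: exactly the symptom in the post."""
    by_sid = defaultdict(list)
    for ev in parse_events(log_text):
        by_sid[ev["sid"]].append(ev)
    flagged = []
    for sid, evs in by_sid.items():
        names = {e["mnemonic"] for e in evs}
        if "MAB-5-SUCCESS" in names and "AUTHMGR-5-FAIL" in names:
            flagged.append({"sid": sid, "mac": evs[0]["mac"], "intf": evs[0]["intf"]})
    return flagged

def failing_ports_per_mac(log_text):
    """Map each MAC to the sorted list of interfaces where authorization failed.
    One MAC failing on several ports points at the switch or RADIUS policy,
    not at a single port's configuration."""
    ports = defaultdict(set)
    for s in sessions_authenticated_but_not_authorized(log_text):
        ports[s["mac"]].add(s["intf"])
    return {mac: sorted(p) for mac, p in ports.items()}
```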
05-09-2013 07:56 AM
Jatin,
Didn't help either. A reboot of the switch solved the problem. So I guess some kind of bug or something.
Thanks for all the support
05-09-2013 08:02 AM
Thanks for updating, Rene. I suggested disabling and re-enabling dot1x globally to see in case it got stuck somewhere. However, it looks like the thought didn't go well. Would appreciate it if you mark it resolved so that someone else can benefit from it.
You're welcome
Have a nice day!!!
Jatin Katyal
- Do rate helpful posts -
05-08-2013 01:09 PM
Hello Rene,
As you must have observed, it's just an issue with this particular model of Cisco IP phone, hence I would recommend checking the various conditions that have been specified on the RADIUS server for the Cisco IP phone, as usually the dACLs/conditions (rules) are a reason for the authorization failure.
May I know if there's any other Authenticator in the Network such as Cisco ISE ?
HTH.
05-09-2013 07:57 AM
Mohit,
A reboot of the switch did the trick!!!
05-09-2013 08:04 AM
Mohit,
Thanks for joining the discussion. Actually, I thought the same thing initially, that we might need to apply a port-based ACL. We did clarify this piece in this post: https://supportforums.cisco.com/message/3931416#3931416
Screen shots are attached from NPS.
Jatin Katyal
- Do rate helpful posts -
05-09-2013 08:13 AM
Great work Jatin and Rene.
I am sometimes amazed working with the technology.
Still all is well that ends well.
Good going.. Guys..!!!!