
Multi Auth - data device on Voice domain

mustafa83
Level 1

Hello,

 

I have a handful of HP printers in the voice domain even though their IP is from the data VLAN and their authorization is correct. They are directly connected to the switch (no phone in between) and we are using multi-auth. Below are the config and the details. Any idea why they are not in the data domain?

Hardware: Cat 4510 with Sup 8, running version 3.8.5.

 

 

4510#show authentication sessions int gig 1/36 det
Interface: GigabitEthernet1/36
MAC Address: ace2.d3xx.xxxx
IPv6 Address: Unknown
IPv4 Address: 10.100.x.x
User-Name: AC-E2-D3-xx-xx-xx
Status: Authorized
Domain: VOICE
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: N/A
Common Session ID: 0A640B0400004D707A17E108
Acct Session ID: 0x000063FD
Handle: 0xFB00007D
Current Policy: POLICY_Gi1/36

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure

Server Policies:

ACS ACL: xACSACLx-IP-PRINTERS-5cf86881

Method status list:
Method State

dot1x Stopped
mab Authc Success

4510#show run int gig 1/36
Building configuration...

Current configuration : 937 bytes
!
interface GigabitEthernet1/36
description USER DATA and VOIP PHONES
switchport access vlan 105
switchport mode access
switchport block multicast
switchport voice vlan 115
ip device tracking maximum 10
no logging event link-status
authentication event fail action next-method
authentication event server dead action reinitialize vlan 105
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 0.50
storm-control action trap
spanning-tree portfast edge
spanning-tree bpduguard enable
spanning-tree guard root
end

4510#

Accepted Solutions

Damien Miller
VIP Alumni
The first step would be to look at the MAC in the Context Visibility database. Are they being profiled as phones? If yes, then you need to correct the profiling issue.

If they are not being profiled as phones, you will have to check the authorization rule they are hitting, then from there confirm the authorization profile result doesn't include the check box for "Voice Domain Permission", aka cisco-av-pair = device-traffic-class=voice.
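
An added example, not part of the original posts or of any Cisco tooling: a Python check for the symptom described in this thread. It parses session detail output and flags sessions placed in the VOICE domain whose IPv4 address falls in the data subnet. The sample output, the MAC and IP values, and the 10.100.5.0/24 data subnet are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample (made-up MACs and IPs) in the layout of the session detail output.
SAMPLE = """\
Interface: GigabitEthernet1/36
MAC Address: 0000.5e00.5301
IPv4 Address: 10.100.5.20
Domain: VOICE
dot1x Stopped
mab Authc Success

Interface: GigabitEthernet1/37
MAC Address: 0000.5e00.5302
IPv4 Address: 10.100.15.31
Domain: VOICE
dot1x Stopped
mab Authc Success
"""

DATA_SUBNET = ipaddress.ip_network("10.100.5.0/24")  # assumed data VLAN subnet

def parse_sessions(text):
    """One dict per session; every 'Interface:' line starts a new session."""
    sessions = []
    for line in (l.strip() for l in text.splitlines()):
        kv = re.match(r"^([A-Za-z0-9 ]+?)\s*:\s*(.*)$", line)
        method = re.match(r"^(dot1x|mab|webauth)\s+(.+)$", line)
        if kv and kv.group(1) == "Interface":
            sessions.append({"methods": {}})
        if kv and sessions:
            sessions[-1][kv.group(1)] = kv.group(2)
        elif method and sessions:
            sessions[-1]["methods"][method.group(1)] = method.group(2)
    return sessions

def voice_domain_mismatches(sessions, data_subnet=DATA_SUBNET):
    """Sessions in the VOICE domain whose IPv4 address sits in the data subnet."""
    hits = []
    for s in sessions:
        try:
            ip = ipaddress.ip_address(s.get("IPv4 Address", ""))
        except ValueError:  # "Unknown" or a masked address such as 10.100.x.x
            continue
        if s.get("Domain") == "VOICE" and ip in data_subnet:
            hits.append((s["Interface"], s["MAC Address"], str(ip), s["methods"]))
    return hits

if __name__ == "__main__":
    print(voice_domain_mismatches(parse_sessions(SAMPLE)))
```

Each flagged MAC is a candidate for the two checks in the answer above: how the endpoint is profiled, and whether the authorization profile it hits returns device-traffic-class=voice.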
