
Multiple Session-IDs with Cisco Phone

jcisne001
Level 1

I have a 9300 switch running Version 17.09.03, with a Cisco IP Phone 7821 connected to the switch and a computer connected to the phone. I'm running IBNS 2.0 with dot1x and MAB running at the same time.

I'm encountering a weird issue: when I perform a shut/no shut on the port which connects the phone, I see the following.

Sep 26 19:44:16.106: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/13, changed state to down
Sep 26 19:44:16.394: %ILPOWER-5-DETECT: Interface Gi3/0/13: Power Device detected: IEEE PD
Sep 26 19:44:17.416: %ILPOWER-5-POWER_GRANTED: Interface Gi3/0/13: Power granted
Sep 26 19:44:23.810: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/13, changed state to up
Sep 26 19:44:24.810: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/13, changed state to up
Sep 26 19:44:26.202: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/13, changed state to down
Sep 26 19:44:27.204: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/13, changed state to down
Sep 26 19:44:41.726: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/13, changed state to up
Sep 26 19:44:42.727: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/13, changed state to up
Sep 26 19:44:51.078: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/13, changed state to down
Sep 26 19:44:52.079: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/13, changed state to down
Sep 26 19:44:54.607: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/13, changed state to up
Sep 26 19:44:55.606: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/13, changed state to up


Each time LINEPROTO-5-UPDOWN comes up, it creates a new session ID for the computer, causing multiple RADIUS requests to be sent to my RADIUS server. Is there a command to add a delay so the switch waits until the port comes fully up and is stable, or a way to prevent multiple session IDs?
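As an added example (not from this thread or from Cisco), a small Python parser that runs over the LINEPROTO lines quoted above and counts how many line-protocol "up" transitions a port goes through inside a short window. Each such transition is a point where the switch starts a new access session and a fresh RADIUS exchange, so the count is a quick way to spot boot-time flaps from syslog before they show up as duplicate sessions on the RADIUS server. The log sample is built from the lines in the post; the 60-second window and threshold of 2 are constructed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the LINEPROTO-5-UPDOWN lines quoted in the post above.
SAMPLE_LOG = """\
Sep 26 19:44:24.810: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/13, changed state to up
Sep 26 19:44:26.202: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/13, changed state to down
Sep 26 19:44:42.727: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/13, changed state to up
Sep 26 19:44:51.078: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/13, changed state to down
Sep 26 19:44:55.606: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/13, changed state to up
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): %LINEPROTO-5-UPDOWN: "
    r"Line protocol on Interface (?P<ifc>\S+), changed state to (?P<state>up|down)$"
)

def parse_lineproto(log):
    """Return [(timestamp, interface, state)] for every LINEPROTO-5-UPDOWN line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # LINK, ILPOWER and other facilities are ignored
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")
            events.append((ts, m["ifc"], m["state"]))
    return events

def session_churn(events, window_s=60, threshold=2):
    """Count line-protocol 'up' transitions per interface (each one starts a new
    access session and RADIUS exchange); flag ports reaching `threshold` ups
    inside any `window_s`-second span."""
    ups = defaultdict(list)
    for ts, ifc, state in events:
        if state == "up":
            ups[ifc].append(ts)
    flagged = {}
    for ifc, stamps in ups.items():
        stamps.sort()
        best, j = 0, 0
        for i, t in enumerate(stamps):  # sliding window over sorted timestamps
            while (t - stamps[j]).total_seconds() > window_s:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            flagged[ifc] = best
    return flagged

if __name__ == "__main__":
    print(session_churn(parse_lineproto(SAMPLE_LOG)))  # {'GigabitEthernet3/0/13': 3}
```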

13 Replies

Whenever the interface goes down, this should end the session on the RADIUS server. Do you have RADIUS Accounting enabled and configured? What is the RADIUS server?

I would also try upgrading to 17.9.5 or 17.12.4.

Yes, RADIUS accounting is enabled and configured, and the RADIUS server is a ClearPass. I have tried it with an updated switch, but the interaction is still the same. I also noticed that with a normal access switchport, with no dot1x or MAB configured, the port flaps until the phone is fully turned on.

Arne Bier
VIP

I can't say I have seen that behaviour before. Does this happen on more than one connected phone? I'd look into why the phone is dropping the link again after the initial PoE and LinkUp event. It seems like the phone is not happy with something and then re-initialises its networking stack again.

There is no switch interface de-bounce mechanism that I am aware of - the switch dutifully sends a RADIUS Access-Request with every new session creation. You can also try to debug the IOS-XE SMD (Session Manager Daemon) perhaps. But I suspect the phones are the culprit here.

I know there has been a lot of debate about doing concurrent MAB and 802.1X with IBNS 2.0 - at first, Cisco said it was the best thing since sliced bread ... and then changed their mind and said it was bad news. It is bad news for the RADIUS server, because 50% of the auths will work (e.g. if the device has a supplicant) and then the MAB will either fail or not be interesting, or vice versa. The gold standard is to rather do it sequentially - 802.1X first, with some delay, and then default to MAB. That's in the ideal world where all end devices (that don't speak 802.1X) can hold off with their DHCP requests until MAB has had a chance.

I'd say you might have better luck reducing your auths to the RADIUS server by making your IBNS 2.0 sequential, instead of concurrent.

Hey Arne, I also attempted sequential; the problem is that whenever the switchport line goes down and up, it creates a new session ID for the workstation, causing 4 dot1x authentications, all successful.

I don't believe this is normal behaviour, and I don't remember ever seeing it in any deployment I've done; moving from MAB to dot1x or vice versa shouldn't trigger the device to reload.

Where do you see these four authentication sessions? In the switch "show authentication" command output? Did you try to check if there is any firmware update for the phones?

In IBNS 2.0, make dot1x first, then MAB.

It seems to me that when the link is up, the SW learns the MAC and sends it to ISE,

whereas in dot1x the SW needs to know the identity before sending an Access-Request to ISE.

MHM

I did make dot1x first, but the switch keeps creating new session IDs when the link flaps between off and on while the phone boots.

Try using

common session ID

MHM

I attempted this and no change.

show dot1x all <<- share this

MHM

Dot1x Info for GigabitEthernet1/0/1
PAE = Authenticator
QuitePeriod = 60
Server Timeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30

Timers are default, no problem.

So I return to my first point:

Dot1x needs a multi-packet exchange between the SW and the endpoint; if the link is flapping, then this process does not complete.

So I think the SW uses MAB, not dot1x, which makes the SW send the Access-Request to RADIUS quickly.

Can you check debug radius?

Check the method: is it MAB or dot1x?

MHM

Arne Bier
VIP

You can't change the behaviour of (what I would call) a malfunctioning device. I would raise a TAC case with the Cisco Telephony Team to ask why the phone is behaving this way - it's not normal, and it's far from optimal. I have seen too many weird things with phones (not only Cisco). I also assume that CDP (or LLDP) is enabled on the switch interface AND the phone?