Multiple Session-IDs with Cisco Phone

jcisne001
Level 1

I have a 9300 switch running Version 17.09.03. I have a Cisco IP Phone 7821 connected to the switch and a computer connected to the phone. I'm running IBNS 2.0 with dot1x and mab running at the same time.

I'm encountering a weird issue: when I perform a shut/no shut on the port which connects the phone, I see the following.

Sep 26 19:44:16.106: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/13, changed state to down
Sep 26 19:44:16.394: %ILPOWER-5-DETECT: Interface Gi3/0/13: Power Device detected: IEEE PD
Sep 26 19:44:17.416: %ILPOWER-5-POWER_GRANTED: Interface Gi3/0/13: Power granted
Sep 26 19:44:23.810: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/13, changed state to up
Sep 26 19:44:24.810: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/13, changed state to up
Sep 26 19:44:26.202: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/13, changed state to down
Sep 26 19:44:27.204: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/13, changed state to down
Sep 26 19:44:41.726: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/13, changed state to up
Sep 26 19:44:42.727: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/13, changed state to up
Sep 26 19:44:51.078: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/13, changed state to down
Sep 26 19:44:52.079: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/13, changed state to down
Sep 26 19:44:54.607: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/13, changed state to up
Sep 26 19:44:55.606: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/13, changed state to up

Each time the LINEPROTO-5-UPDOWN comes up it creates a new session ID for the computer, causing multiple RADIUS requests to be sent to my RADIUS server. Is there a command to add a delay to wait until the port comes fully up and stable, or a way to prevent multiple session IDs?

24 Replies

Friend, any device connected, especially with PoE, will have the same link up/down until it is stable.

Can you check debug radius?

Let us see what happened when the link first came up and later when it went down and up again.

MHM

Can't do a RADIUS debug on the switch as it's a 9-switch stack and is in production. The RADIUS server used in my deployment is ISE 3.1. When I check the ISE reports for the 7821 authentication I just see one entry, and for accounting I see one "start" followed by an "interim" (despite the fact that the interface flaps a few times when the phone boots).

I believe that the original poster is using Clearpass rather than ISE.

Andy

That flapping causes multiple Session IDs on my dot1x deployment. Every time the phone flaps, a MAB and a dot1x session are created; the MAB fails as designed but dot1x does get accepted. The issue is that I get 3 - 4 requests for dot1x and MAB due to the flapping.

Sep 27 11:56:31.719 EDT: %ILPOWER-5-PD_ENTRY_REMOVAL: Interface GigabitEthernet1/0/1: power device entry removed, admin_state=AUTO oper_state=OFF
Sep 27 11:56:32.716 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Sep 27 11:56:33.405 EDT: %ILPOWER-5-DETECT: Interface Gi1/0/13: Power Device detected: IEEE PD
Sep 27 11:56:33.717 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
Sep 27 11:56:34.402 EDT: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/13: Power granted
Sep 27 11:56:39.293 EDT: %MAB-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (a029.193e.61ea) with reason (Cred Fail) on Interface Gi1/0/13 AuditSessionID 0AF53F0A000003293432D371
Sep 27 11:56:40.974 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
Sep 27 11:56:41.974 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
Sep 27 11:56:43.710 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Sep 27 11:56:44.710 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
Sep 27 11:56:46.058 EDT: %MAB-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (a029.193e.61ea) with reason (Cred Fail) on Interface Gi1/0/13 AuditSessionID 0AF53F0A0000032A3432EE59
Sep 27 11:56:59.054 EDT: %MAB-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (a029.193e.61ea) with reason (Cred Fail) on Interface Gi1/0/13 AuditSessionID 0AF53F0A0000032B34332119
Sep 27 11:57:00.871 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
Sep 27 11:57:01.871 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up

As I and Mr @Arne Bier mentioned before, the sequence matters: MAB is checked first, then dot1x.

Since the MAC of the endpoint is unknown, the server failed authc.

So the issue is with the IBNS 2.0 config, not with the switch nor the IP phone.

Share the IBNS 2.0 config here; let me check.

MHM

This is the current policy:

 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 20
   20 authenticate using dot1x priority 10
 event authentication-failure match-first
  5 class DOT1X_FAIL do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  20 class DOT1X_TIMEOUT do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
 event authentication-success match-first
  10 class MAB_SUCCESS do-until-failure
   10 terminate dot1x both

I've also tried with only doing dot1x on event session-started, and the 3 - 4 sessions keep happening with dot1x, the only difference being that MAB does not occur.
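Added example, not code from the thread: a small Python script that parses the switch syslog posted above and counts, per interface and endpoint MAC, how many distinct AuditSessionIDs were created against how many line-protocol "up" events, then flags the flap-driven session churn the original poster describes. It reuses the thread's own MAB-5-FAIL and LINEPROTO lines; the OCR-damaged interface names are assumed to be GigabitEthernet1/0/13 / Gi1/0/13.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog lines quoted from this thread; the OCR-damaged interface names are
# assumed to be GigabitEthernet1/0/13 / Gi1/0/13 (an assumption, not verified).
LOG = """\
Sep 27 11:56:32.716 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
Sep 27 11:56:39.293 EDT: %MAB-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (a029.193e.61ea) with reason (Cred Fail) on Interface Gi1/0/13 AuditSessionID 0AF53F0A000003293432D371
Sep 27 11:56:41.974 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to up
Sep 27 11:56:43.710 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
Sep 27 11:56:46.058 EDT: %MAB-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (a029.193e.61ea) with reason (Cred Fail) on Interface Gi1/0/13 AuditSessionID 0AF53F0A0000032A3432EE59
Sep 27 11:56:59.054 EDT: %MAB-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (a029.193e.61ea) with reason (Cred Fail) on Interface Gi1/0/13 AuditSessionID 0AF53F0A0000032B34332119
Sep 27 11:57:01.871 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to up
"""

TS = r"^(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) \w+: "
LINEPROTO = re.compile(TS + r"%LINEPROTO-5-UPDOWN: Line protocol on Interface ([^,\s]+), changed state to (up|down)")
MAB_FAIL = re.compile(TS + r"%MAB-5-FAIL: .*client \(([0-9a-f.]+)\) .*on Interface (\S+) AuditSessionID (\w+)")

def parse(text):
    """Yield (timestamp, kind, short interface name, detail) for the two message types we care about."""
    for line in text.splitlines():
        if m := LINEPROTO.match(line):
            yield datetime.strptime(m[1], "%b %d %H:%M:%S.%f"), "lineproto", m[2].replace("GigabitEthernet", "Gi"), m[3]
        elif m := MAB_FAIL.match(line):
            yield datetime.strptime(m[1], "%b %d %H:%M:%S.%f"), "mab_fail", m[3], (m[2], m[4])

def session_churn(text):
    """Per (interface, MAC): line-protocol 'up' events on that port, distinct AuditSessionIDs,
    and the time span in seconds over which those sessions were created."""
    ups, sessions, times = defaultdict(int), defaultdict(set), defaultdict(list)
    for ts, kind, iface, detail in parse(text):
        if kind == "lineproto" and detail == "up":
            ups[iface] += 1
        elif kind == "mab_fail":
            sessions[(iface, detail[0])].add(detail[1])
            times[(iface, detail[0])].append(ts)
    return {k: {"link_ups": ups[k[0]], "sessions": len(v),
                "span_s": round((max(times[k]) - min(times[k])).total_seconds(), 3)}
            for k, v in sessions.items()}

def flag_churn(summary, max_span_s=120):
    """Endpoints that got several RADIUS sessions on one port inside a short window:
    the 'new session per LINEPROTO up' symptom described in the thread."""
    return [k for k, s in summary.items() if s["sessions"] > 1 and s["span_s"] <= max_span_s]

if __name__ == "__main__":
    churn = session_churn(LOG)
    print({k: churn[k] for k in flag_churn(churn)})
```

Feeding it a longer capture (for example from a syslog collector) shows whether the churn is confined to phone ports or appears on ordinary endpoints too, which separates a phone boot problem from a policy problem.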

Arne Bier
VIP

Looks like the link flaps have nothing to do with the IBNS (NAC) config on that switch. I bet if you defaulted that interface and put an access and a voice VLAN config on it, you'd see the same flapping in the switch's logs.

MAB and 802.1X operate at layer 2 of the OSI model. A link flap means that the Ethernet signal on the pins went off/on, either due to a physical disconnect or, in this case, most likely a device driver initialisation on the phone. I'd do the commands below to test what happens without NAC:

default int gig 1/0/1
int gi 1/0/1
switchport mode access
switchport access vlan 12
switchport voice vlan 
spanning-tree portfast

Reconnect/boot the phone and observe the logs

I've tried this already; the link still flaps. I also tested using a different port, a different phone and a different computer, same thing.

Arne Bier
VIP

Well there you have it - my point exactly. This is not even a NAC discussion. It's a problem with the phone and I would raise this with Cisco TAC. There's nothing you can do about it on the switch. In ISE you can implement noise suppression, if that makes your logs easier to read?

Maybe tinker with these features below. They are designed to reduce the noise; they can't change the behaviour, but it might bring some relief to the logs.

[attached screenshot of the ISE features referred to above]

I would check if there is any available recommended firmware for those phones, alternatively I would try to raise it with TAC.