PC authentication with dot1x and IP Phone with MAB

promero
Level 1

Team,

I have a problem: I want to connect a PC and a Polycom phone, but the PC does not authenticate to ISE.

With the PC connected to the phone, ISE recognizes it by MAB, and it should be by DOT1X.

When doing tests, I connect the PC directly to the network point (without a telephone) and it authenticates correctly; the same happens with the telephone alone.

What could be the problem? The phone is Polycom.

 

- ISE 2.7

- Patch 2

- SW WS-C3650-48PS

- SW IOS Version 16.3.6 

 

SW:

 

Current configuration : 546 bytes
!
interface GigabitEthernet1/0/5
 description ###PC + IP PHONE###
 switchport access vlan 60
 switchport mode access
 switchport voice vlan 777
 duplex full
 authentication event fail action next-method
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast
end

 

 

 

Regards,

 

4 Replies

balaji.bandi
Hall of Fame

Try the order below:

 

authentication order mab dot1x
authentication priority dot1x mab

 

If it is still not working, look at the Live Event Logs in ISE; they will give you full information on why this failed.

 

BB


promero
Level 1

Hi BB, I will coordinate the tests and comment on the results.

Be aware that, if you use the FlexAuth configuration of 'order mab dot1x' and 'priority dot1x mab' you will need to ensure your AuthZ Profile for the PC includes the 'termination-action-modifier=1' av-pair as described in the TrustSec 1.99 Deployment Note: FlexAuth Order, Priority, and Failed Authentication document.

If the PC is working correctly when directly connected to the switchport, it sounds like the phone is not passing the EAPOL message through to the PC. You would have to do a packet capture on the switchport and the PC to confirm what's happening with EAPOL.

The Avaya phones should support an EAP pass-through function, but there may need to be configuration or a minimum firmware version required to enable this. You might need to engage the Avaya support team to help investigate further.

Greg,

Thank you for your comment, I will run the tests and report the results.
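
The packet-capture check suggested in the reply above, as an added example that is not part of the original thread: a small Python parser that labels EAPOL frames from a capture and reports whether any came from the PC's MAC. The frames and MAC addresses are constructed samples, and `parse_eapol`, `diagnose` and `make_frame` are illustrative names, not from any Cisco or Polycom tool.

```python
import struct

EAPOL, DOT1Q = 0x888E, 0x8100  # 802.1X ethertype; 802.1Q tag (skipped if present)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_eapol(frame):
    """Return (src_mac, label) for an EAPOL frame, or None for any other frame."""
    if len(frame) < 14:
        return None
    src, off = frame[6:12].hex(":"), 12
    (etype,) = struct.unpack_from("!H", frame, off)
    if etype == DOT1Q and len(frame) >= 18:      # step over one VLAN tag
        off = 16
        (etype,) = struct.unpack_from("!H", frame, off)
    if etype != EAPOL or len(frame) < off + 6:
        return None
    ptype = frame[off + 3]                       # EAPOL: version, type, length
    label = EAPOL_TYPES.get(ptype, f"EAPOL-type-{ptype}")
    if ptype == 0 and len(frame) >= off + 10:    # EAP: code, id, length, [type]
        code = frame[off + 6]
        label = "EAP-" + EAP_CODES.get(code, f"code-{code}")
        if code in (1, 2) and len(frame) >= off + 11 and frame[off + 10] == 1:
            label += "/Identity"
    return src, label

def diagnose(frames, pc_mac):
    """Say whether the PC's EAPOL is visible at the capture point."""
    seen = [p for p in map(parse_eapol, frames) if p]
    from_pc = sorted({label for src, label in seen if src == pc_mac.lower()})
    asked = any(label == "EAP-Request/Identity" for _src, label in seen)
    if from_pc:
        return "PC EAPOL seen: " + ", ".join(from_pc)
    if asked:
        return "identity requested, no EAPOL from PC seen"
    return "no identity request and no EAPOL from PC seen"

# Constructed sample frames (documentation-range MACs, not taken from the thread).
def make_frame(src, eapol, vlan=None):
    tag = struct.pack("!HH", DOT1Q, vlan) if vlan is not None else b""
    return (bytes.fromhex("0180c2000003") + bytes.fromhex(src.replace(":", ""))
            + tag + struct.pack("!H", EAPOL) + eapol)

SWITCH, PC = "00:00:5e:00:53:01", "00:00:5e:00:53:10"
REQ_ID, START = bytes.fromhex("020000050101000501"), bytes.fromhex("01010000")
RESP_ID = bytes.fromhex("0100000a0201000a01") + b"alice"
BEHIND_PHONE = [make_frame(SWITCH, REQ_ID), make_frame(SWITCH, REQ_ID)]
DIRECT = [make_frame(PC, START), make_frame(SWITCH, REQ_ID), make_frame(PC, RESP_ID, vlan=60)]
print(diagnose(BEHIND_PHONE, PC), "|", diagnose(DIRECT, PC))
```

Run against frames taken at the switchport and again at the PC's NIC: identity requests at the switchport with no EAPOL from the PC there, while the PC's own capture shows it sending EAPOL-Start, is consistent with the frames being dropped between the two points.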