04-05-2021 09:54 AM
Team,
I have a problem: I want to connect a PC and a Polycom phone, but the PC does not authenticate to ISE.
With the PC connected to the phone, ISE recognizes it by MAB, and it should be by DOT1X.
When doing tests, I connect the PC directly to the network point (without a telephone) and it authenticates correctly; the same happens with the telephone alone.
What could be the problem? The phone is a Polycom.
- ISE 2.7
- Patch 2
- SW WS-C3650-48PS
- SW IOS Version 16.3.6
SW:
Current configuration : 546 bytes
!
interface GigabitEthernet1/0/5
 description ###PC + IP PHONE###
 switchport access vlan 60
 switchport mode access
 switchport voice vlan 777
 duplex full
 authentication event fail action next-method
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast
end
Regards,
Accepted Solutions

04-05-2021 04:24 PM
Be aware that, if you use the FlexAuth configuration of 'order mab dot1x' and 'priority dot1x mab' you will need to ensure your AuthZ Profile for the PC includes the 'termination-action-modifier=1' av-pair as described in the TrustSec 1.99 Deployment Note: FlexAuth Order, Priority, and Failed Authentication document.
If the PC is working correctly when directly connected to the switchport, it sounds like the phone is not passing the EAPOL message through to the PC. You would have to do a packet capture on the switchport and the PC to confirm what's happening with EAPOL.
The Avaya phones should support an EAP pass-through function, but there may need to be configuration or a minimum firmware version required to enable this. You might need to engage the Avaya support team to help investigate further.
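Added example, not part of the original thread: one way to carry out the EAPOL comparison suggested above, by classifying 802.1X frames (EtherType 0x888E) seen at the PC and at the switchport and listing what never reached the other side. It assumes the frames have already been exported from each capture as raw Ethernet bytes; the function names, MAC addresses and sample frames are constructed for illustration.

```python
import struct

EAPOL_ETHERTYPE = 0x888E   # IEEE 802.1X (EAP over LAN)
DOT1Q_ETHERTYPE = 0x8100   # 802.1Q VLAN tag
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_eapol(frame):
    """Return (source MAC, description) for an EAPOL frame, or None otherwise."""
    off = 12
    if len(frame) >= 18 and struct.unpack_from("!H", frame, off)[0] == DOT1Q_ETHERTYPE:
        off += 4  # skip a single VLAN tag if the capture kept it
    if len(frame) < off + 6 or struct.unpack_from("!H", frame, off)[0] != EAPOL_ETHERTYPE:
        return None
    _version, ptype, length = struct.unpack_from("!BBH", frame, off + 2)
    desc = EAPOL_TYPES.get(ptype, f"EAPOL-type-{ptype}")
    eap = frame[off + 6:off + 6 + length]
    if ptype == 0 and len(eap) >= 4:  # EAP header: code, id, length
        desc = "EAP-" + EAP_CODES.get(eap[0], f"code-{eap[0]}")
        if eap[0] in (1, 2) and len(eap) >= 5 and eap[4] == 1:
            desc += "/Identity"
    return frame[6:12].hex(":"), desc

def eapol_summary(frames):
    """Keep only the EAPOL frames of a capture, in order."""
    return [p for p in map(parse_eapol, frames) if p is not None]

def passthrough_gaps(pc_capture, switch_capture):
    """List EAPOL frames seen at one capture point but never at the other."""
    pc, sw = eapol_summary(pc_capture), eapol_summary(switch_capture)
    return {"missing_at_switch": [f for f in pc if f not in sw],
            "missing_at_pc": [f for f in sw if f not in pc]}

def build(src_hex, ptype, body=b""):
    """Constructed test frame addressed to the PAE group MAC."""
    return (PAE_GROUP_MAC + bytes.fromhex(src_hex)
            + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, ptype, len(body)) + body)

# Constructed captures: the PC sends EAPOL-Start, the switch sends
# EAP-Request/Identity, and neither frame shows up on the far side of the phone.
PC, SWITCH = "020000000001", "020000000002"
ARP = bytes(12) + b"\x08\x06" + bytes(28)  # non-EAPOL traffic, ignored
PC_CAPTURE = [build(PC, 1), ARP]
SWITCH_CAPTURE = [build(SWITCH, 0, bytes([1, 1, 0, 5, 1])), ARP]

if __name__ == "__main__":
    for side, frames in passthrough_gaps(PC_CAPTURE, SWITCH_CAPTURE).items():
        print(side, frames)
```

Empty lists on both sides mean EAPOL is crossing the phone and the failure lies elsewhere, for example in what the ISE Live Logs report.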
04-06-2021 01:18 PM
Greg,
Thank you for your comment, I will run the tests and report the results.
04-05-2021 10:08 AM
Try the order below:
authentication order mab dot1x
authentication priority dot1x mab
If it is still not working, look at the Live Event Logs in ISE; they will give you full information on why this failed.
04-05-2021 11:01 AM
Hi BB, I will coordinate the tests and comment on the results.

