04-03-2025 07:39 AM
We encountered a problem:
When connecting a workstation via a telephone, network access is limited by NAC, because instead of username = host/U_..... the client sends its MAC address in the RADIUS request.
When connecting a workstation without a telephone, the client sends the correct request to RADIUS: User-Name = host/U_.....
The telephone model is Cisco 7821, and the workstation has been connected via this telephone for over a year without any problems. But a month ago the problems described above began.
We replaced the telephone with another device (also cisco 7821) - everything works correctly, the supplicant sends host/username to the authentication server
This is not the first time we have encountered a problem with NAC when connecting via a telephone.
Symptoms: network access suddenly becomes unavailable on the computer, and the computer is not accessible via RDP.
Also, having taken a dump from the PSN node, I found that in this case, in the EAPOL frame, instead of username host/<FQDN of hostname>, the MAC address of the PC comes to ISE and, accordingly, the session falls into the default policy with limited access to the network.
When connecting the PC directly (without the Cisco 7821 IP phone) or changing the phone to the same model, everything goes as normal.
Additional information:
- Cables were checked and changed
- The problem occurs on different models of telephones.
- Resetting the phone to factory settings did not solve the problem
- We checked only on a Windows supplicant, there are no hosts with other OSs on the network
We checked on different switches, and found the following:
1. The workstation connected via the problematic phone does not work correctly when connected through the phone to different ports of different switches in the office.
2. The workstation connected to the switch port without a phone is authenticated correctly.
3. Then we checked the operation via another phone (connection in the same office to the same switch port): it works correctly.
4. Then the problematic phone was moved to another office and the “correct” workstation was connected through it. The result is that the supplicant sends INCORRECT data (MAC instead of host/<hostname>).
5. We connect through another phone: correct registration.
And the most interesting thing is that while I was writing a letter with the test results, it turned out that now the workstation is registered correctly through the problematic phone!
The switch models are different: C9200L-48T-4G, C9200L-24P-4G, WS-C3850-48P (one of them, for example, model WS-C3850-48P-E, software ver. 16.12.08).
Could you help me to solve this problem?
Thank you in advance!
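The failure mode described in this post (an endpoint that used to authenticate as host/<FQDN> suddenly showing up with its MAC address as User-Name and landing in the restricted default policy) is easy to spot in RADIUS logs once you know what to look for. The following detection script is an added example, not code from the original thread or from Cisco; the log format and all sample values are constructed, and the classification relies only on the shape of the User-Name value.

```python
import re

# Constructed sample RADIUS authentication records, modelled on what the poster
# describes (not taken from the original thread). One record per line.
SAMPLE_LOG = """\
2025-03-01T08:00:01 calling=00:11:22:33:44:55 user=host/U_WS01.example.local profile=Corp_Access
2025-03-01T08:05:10 calling=00:11:22:33:44:66 user=CP-7821-SEP001122334466 profile=Voice_Access
2025-03-02T08:00:03 calling=00:11:22:33:44:55 user=00-11-22-33-44-55 profile=Default_Restricted
2025-03-02T09:00:00 calling=AA:BB:CC:DD:EE:FF user=host/U_WS02.example.local profile=Corp_Access
"""

RECORD_RE = re.compile(r"^(\S+) calling=(\S+) user=(\S+) profile=(\S+)$")
# Accepts the common MAC spellings: 00:11:22:33:44:55, 00-11-22-33-44-55,
# 0011.2233.4455 and 001122334455.
MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$|^[0-9a-f]{12}$",
    re.IGNORECASE,
)

def classify_username(user_name):
    """'machine' for a host/ computer identity, 'mac' for a MAC-shaped name, else 'other'."""
    if user_name.lower().startswith("host/"):
        return "machine"
    if MAC_RE.match(user_name):
        return "mac"
    return "other"

def parse_records(text):
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            ts, calling, user, profile = m.groups()
            records.append({"ts": ts, "calling": calling.lower(), "user": user, "profile": profile})
    return records

def find_regressions(records):
    # Report endpoints (keyed by Calling-Station-Id) that once authenticated with a
    # machine identity and later presented their MAC address as User-Name.
    seen_machine = {}
    regressions = []
    for rec in sorted(records, key=lambda r: r["ts"]):  # ISO timestamps sort lexically
        kind = classify_username(rec["user"])
        if kind == "machine":
            seen_machine[rec["calling"]] = rec["user"]
        elif kind == "mac" and rec["calling"] in seen_machine:
            regressions.append({"calling": rec["calling"], "ts": rec["ts"],
                                "last_identity": seen_machine[rec["calling"]], "profile": rec["profile"]})
    return regressions
```

Running `find_regressions(parse_records(SAMPLE_LOG))` flags only the first endpoint, which moved from host/U_WS01.example.local to its own MAC and received the restricted profile; the phone's own non-host identity is left alone.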
04-03-2025 06:17 PM
Upgrade the firmware on the phone.
04-03-2025 09:43 PM
Hi,
could you please share your access point configuration?
Regards
04-03-2025 11:10 PM
The issue lies with the supplicant (i.e. the phone) and resolving the issue means, getting the phone to do the right thing- none of the other components have anything to do with this issue. @ahollifield is spot on.
04-04-2025 12:31 AM
Does the PC send this, or does the SW do that?
Are you sure you use 802.1X, not MAB?
MHM