03-19-2012 10:04 AM - edited 03-10-2019 06:55 PM
I am using 802.1x authentication with multi-domain ports; Phone and PC connected to phone. The phones are Nortel (Avaya) and the PCs are Dell/HP Laptops. All are configured for Certificate authentication and this works well. However we sometimes get some ports stuck in Guest mode. When a non-certificated laptop connects to a phone port and fails authentication, the data port is placed in the Guest VLAN. However when the laptop disconnects the port isn't reset and remains in the guest state. When a subsequent good laptop connects and attempts to authenticate, the switch ignores this and leaves the data port in the Guest VLAN. Does anyone have any idea why this happens and how I can overcome it?
The switch is a 2960S with Version 12.2(58)SE2 IOS.
The port is configured as follows:
!
interface GigabitEthernet1/0/15
description DANS Port
switchport access vlan 1807
switchport mode access
switchport voice vlan 1855
priority-queue out
authentication event fail action authorize vlan 1871
authentication event no-response action authorize vlan 1871
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-reauth-req 10
spanning-tree portfast
service-policy input INGRESS-CLASSIFY
end
The auth status and mac addresses on the port after the failed laptop disconnects are as follows:
sh auth sess inter g1/0/15
Interface: GigabitEthernet1/0/15
MAC Address: Unknown
IP Address: Unknown
User-Name: UNRESPONSIVE
Status: Authz Success
Domain: DATA
Oper host mode: multi-host
Oper control dir: both
Authorized By: Guest Vlan
Vlan Policy: 1871
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0AEF212D000003055C8D1DAC
Acct Session ID: 0x00000653
Handle: 0x94000306
Runnable methods list:
Method State
mab Failed over
dot1x Failed over
----------------------------------------
Interface: GigabitEthernet1/0/15
MAC Address: 0022.67cd.0eec
IP Address: Unknown
User-Name: RBT18991
Status: Authz Success
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0AEF212D00000026000286D1
Acct Session ID: 0x00000028
Handle: 0xFC000027
Runnable methods list:
Method State
mab Not run
dot1x Authc Success
sh mac address-table int g1/0/15
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1855 0022.67cd.0eec STATIC Gi1/0/15
Total Mac Addresses for this criterion: 1
I placed the AAA, dot1x, eap and auth debug on for all events and then connected a good laptop; the only debug messages I got were as follows:
Mar 19 16:17:01.391 GMT: AUTH-EVENT (Gi1/0/15) dot1x_switch_is_restrictive_vlan_open_auth:Multi-Host with Guest Vlan/Auth Fail Vlan or open aut
Mar 19 16:17:01.653 GMT: AUTH-EVENT (Gi1/0/15) dot1x_switch_is_restrictive_vlan_open_auth:Multi-Host with Guest Vlan/Auth Fail Vlan or open aut
Mar 19 16:17:02.654 GMT: AUTH-EVENT (Gi1/0/15) dot1x_switch_is_restrictive_vlan_open_auth:Multi-Host with Guest Vlan/Auth Fail Vlan or open aut
Mar 19 16:17:03.708 GMT: AUTH-EVENT (Gi1/0/15) dot1x_switch_is_restrictive_vlan_open_auth:Multi-Host with Guest Vlan/Auth Fail Vlan or open aut
Mar 19 16:18:43.784 GMT: AUTH-EVENT (Gi1/0/15) dot1x_switch_is_auth_client_present: client for mac address 0022.67cd.0eec has been notified on GigabitEthernet1/0/15
Mar 19 16:18:43.784 GMT: AUTH-EVENT (Gi1/0/15) dot1x_switch_is_auth_client_authorized: client for mac address 0022.67cd.0eec is authorized GigabitEthernet1/0/15
Mar 19 16:18:43.784 GMT: AUTH-EVENT (Gi1/0/15) dot1x_switch_is_auth_client_present: client for mac address 0022.67cd.0eec has been notified on GigabitEthernet1/0/15
Mar 19 16:18:43.784 GMT: AUTH-EVENT (Gi1/0/15) dot1x_switch_is_restrictive_vlan_open_auth:Multi-Host with Guest Vlan/Auth Fail Vlan or open autn
I would have expected the auth function to have reacted to the EAP packets sent by the good client when it connected and performed EAP authentication, but it didn't; all it did was say the port's in Guest mode and left the laptop in this VLAN.
All help will be much appreciated.
Thanks,
Paul
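The stuck-guest condition above is visible in the show output: a DATA-domain session with MAC Address "Unknown" authorized by "Guest Vlan" on a port whose VOICE domain authenticated normally. As an added example that is not part of this thread, a small Python parser that reads the plain-text output of "show authentication sessions interface" and flags ports in that state; the sample output is constructed, modelled on the output posted above.

```python
import re

# Constructed sample, modelled on the thread's "sh auth sess inter g1/0/15"
# output: a stale guest-VLAN DATA session plus a healthy VOICE session.
SAMPLE_OUTPUT = """\
Interface: GigabitEthernet1/0/15
MAC Address: Unknown
IP Address: Unknown
User-Name: UNRESPONSIVE
Status: Authz Success
Domain: DATA
Oper host mode: multi-host
Authorized By: Guest Vlan
Vlan Policy: 1871
----------------------------------------
Interface: GigabitEthernet1/0/15
MAC Address: 0022.67cd.0eec
User-Name: RBT18991
Status: Authz Success
Domain: VOICE
Oper host mode: multi-domain
Authorized By: Authentication Server
"""

def parse_sessions(text):
    """Split the output on the dashed separator and turn each session
    into a dict of 'Field: value' pairs; lines without a colon are skipped."""
    sessions = []
    for block in re.split(r"^-{5,}[ \t]*$", text, flags=re.MULTILINE):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            sessions.append(fields)
    return sessions

def stale_guest_sessions(sessions):
    """Return DATA-domain sessions authorized by the guest VLAN with no
    learned MAC address: the signature of a port stuck in guest mode."""
    return [s for s in sessions
            if s.get("Domain") == "DATA"
            and s.get("Authorized By") == "Guest Vlan"
            and s.get("MAC Address", "").lower() == "unknown"]

if __name__ == "__main__":
    for s in stale_guest_sessions(parse_sessions(SAMPLE_OUTPUT)):
        print(f"{s['Interface']}: DATA domain stuck in guest VLAN {s.get('Vlan Policy')}")
```

Feeding it the real output of several interfaces (one dashed separator between sessions) lists every port that needs a manual session clear or further investigation.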
03-19-2012 02:26 PM
I'm taking it your PCs are behind Nortel phones; if that is so, then when you disconnect your PC, the switch doesn't know anything about it because the switchport is still up.
This issue won't happen with Cisco Phones, because they have two features to deal with it. Those features are called "proxy EAPOL logoff" and "CDP second port disconnect". Please see http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html#wp9000357
Please rate if it helps. Kind regards
03-20-2012 04:46 AM
Thanks for this reply, although it does provide valuable information for the "Cisco" world it doesn't help me with the problem I have.
The big question is as follows:
Why doesn't the switch react to the EAP packets it gets from the good laptop connected to the port stuck in the Guest state? The port doesn't have a data MAC in its table, only a Voice MAC. It recognises a device has connected, as it then places the good laptop's MAC in the table, BUT it totally ignores the EAP packets from this device and leaves it in the Guest VLAN, where the laptop gets a DHCP address once its EAP has timed out.
Completely wrong activity!!!
Is this a bug?
Any help is much appreciated.
Regards,
Paul