Solved: Re: Voice VLAN with 802.1x and MAB PC Authentication on ISE.

msompong1 · ‎03-30-2020

Hi,

I've tried to setup the ISE to authenticate the PC with (802.1x or MAB depend on the PC type)

The connection must have IP-phone direct connect to switch port and then connect to the PC.

Below is the port configuration.

interface FastEthernet0/1
description Test 802.1x
switchport mode access
switchport voice vlan 104
shutdown
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout tx-period 5
dot1x timeout supp-timeout 5
dot1x max-reauth-req 3
spanning-tree portfast
spanning-tree bpduguard enable
end

From my understanding, the IP-Phone will allow to access voice VLAN without authentication (with Voice domain) and PC will authenticate with 802.1x or MAB. After testing the IP-Phone tried to used the 802.1x and MAB for authentication and has been failed like below.

sh authentication sessions int f0/1
Interface: FastEthernet0/1
MAC Address: 0018.b97b.f84a
IP Address: Unknown
User-Name: UNRESPONSIVE
Status: Authz Failed
Domain: DATA <<<< Why not Voice Domain ?
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0AC4488800000169B22D14D2
Acct Session ID: 0x000008C9
Handle: 0x41000169

Runnable methods list:
Method State
dot1x Failed over
mab Failed over

Then I've checked the IP-Phone network , it have got the Voice VLAN and it worked as normal !!!

I'm not so sure what's wrong in configuration.

And from the switch log the IP-Phone continuous periodic authenticate to switch as below

ar 30 09:07:07.902: RADIUS/ENCODE: Best Local IP-Address x.x.x.x for Radius-Server y.y.y.y
Mar 30 09:07:07.902: RADIUS(0000027A): Send Access-Request to y.y.y.y:1645 id 1645/74, len 206
Mar 30 09:07:07.902: RADIUS: authenticator 78 43 F2 67 ED 04 19 CA - 94 4C DA C8 13 CA 7A E7
Mar 30 09:07:07.902: RADIUS: User-Name [1] 14 "0018b97bf84a"
Mar 30 09:07:07.902: RADIUS: User-Password [2] 18 *
Mar 30 09:07:07.902: RADIUS: Service-Type [6] 6 Call Check [10]
Mar 30 09:07:07.902: RADIUS: Framed-MTU [12] 6 1500
Mar 30 09:07:07.902: RADIUS: Called-Station-Id [30] 19 "1C-1D-86-27-DC-81"
Mar 30 09:07:07.902: RADIUS: Calling-Station-Id [31] 19 "00-18-B9-7B-F8-4A"
Mar 30 09:07:07.902: RADIUS: Message-Authenticato[80] 18
Mar 30 09:07:07.902: RADIUS: 58 31 09 18 1F 75 5D 2A 4F 80 84 55 2D 87 57 37 [ X1u]*OU-W7]
Mar 30 09:07:07.902: RADIUS: EAP-Key-Name [102] 2 *
Mar 30 09:07:07.902: RADIUS: Vendor, Cisco [26] 49
Mar 30 09:07:07.902: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0AC4488800000169B22D14D2"
Mar 30 09:07:07.911: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Mar 30 09:07:07.911: RADIUS: NAS-Port [5] 6 50001
Mar 30 09:07:07.911: RADIUS: NAS-Port-Id [87] 17 "FastEthernet0/1"
Mar 30 09:07:07.911: RADIUS: NAS-IP-Address [4] 6 x.x.x.x
Mar 30 09:07:07.911: RADIUS(0000027A): Started 5 sec timeout
Mar 30 09:07:07.969: RADIUS: Received from id 1645/74 y.y.y.y:1645, Access-Reject, len 38
Mar 30 09:07:07.969: RADIUS: authenticator DC E2 BC BF 41 0D 5F 95 - 9C 87 7D 91 BB 00 C2 99
Mar 30 09:07:07.969: RADIUS: Message-Authenticato[80] 18
Mar 30 09:07:07.969: RADIUS: E6 78 3D 8E D8 B4 CF 83 47 51 E7 BE B2 B8 B9 2D [ x=GQ-]
Mar 30 09:07:07.969: RADIUS(0000027A): Received from id 1645/74
Mar 30 09:07:07.969: %MAB-5-FAIL: Authentication failed for client (0018.b97b.f84a) on Interface Fa0/1 AuditSessionID 0AC4488800000
169B22D14D2
Mar 30 09:07:07.978: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0018.b97b.f84a) on Interface Fa0
/1 AuditSessionID 0AC4488800000169B22D14D2
Mar 30 09:07:07.978: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0018.b97b.f84a) on Interface Fa0/1 AuditSessionID 0AC
4488800000169B22D14D2
Mar 30 09:07:07.978: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0018.b97b.f84a) on Interface Fa0/1
AuditSessionID 0AC4488800000169B22D14D2
Mar 30 09:07:07.978: %AUTHMGR-5-FAIL: Authorization failed for client (0018.b97b.f84a) on Interface Fa0/1 AuditSessionID 0AC4488800
000169B22D14D2

So my question is

what's wrong in configuration?

How can bypass the IP-Phone from authentication?

Cristian Matei · ‎03-30-2020

Hi,

What you're seeing is due to the configured "authentication open" on the port, which means you've deployed what is called ISE in Monitor Mode. All MAC addresses on the port will try to be authenticated via MAB/802.1x against ISE, but there is no enforcement (the end result success or fail is not relevant), and each MAC address is actually given full access to the network.

The moment you remove "authentication open", each MAC address will have to be authenticated/authorized in order to get network access.

Regards,

Cristian Matei.

View solution in original post

Cristian Matei · ‎03-30-2020

Hi,

Once you enabled authentication on the port, you can't allow unauthenticated access, as you want, to basically just allow the IP Phone access to the network. Once authentication is enabled on the port, the "host-mode" defines how many devices you can get per port:

- single-host:1 device in voice domain OR 1 device in data domain , both need to be authenticated (MAB, 802.1x)

- multi-domain: 1 device in the voice domain AND1 device in the data domain, both need to be authenticated (MAB, 8021.x)

- multi-auth: 1 device in the voice domain AND multiple devices in the data domain, all need to be authenticated (MAB, 8021.x)

- multi-host: 1 device in the voice domain AND multiple device in the data domain, at least one device needs to be authenticated (MAB, 8021x)

The device in the voice VLAN, not only needs to be authenticated, but also needs to be authorised to use the voice VLAN. Here's a good reference to help you work it out for a wired deployment.

Regards,

Cristian Matei.

msompong1 · ‎03-30-2020

Thank you, Your reply is very clear for authentication mode.

tonyang · ‎10-09-2022

Hi Cristian Matei,

I met the same issue that the endpoint can't get the valid IP of voice vlan. I set the configuraiton "authentication host-mode multi-auth" on the switch port. Do you have any idea for this issue ?

Switch#show access-session mac 6416.7fb8.8cf9 details
Interface: GigabitEthernet3/0/16
IIF-ID: 0x1309BD79
MAC Address: 6416.7fb8.8cf9
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: 64-16-7F-B8-8C-F9
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Acct update timeout: 900s (local), Remaining: 849s
Common Session ID: 04A8AC0A00008B76BCB3A942
Acct Session ID: 0x0000009f
Handle: 0x360000bd
Current Policy: POLICY_Gi3/0/16

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure

Server Policies:

Method status list:
Method State
dot1x Stopped
mab Authc Success

thomas · ‎03-30-2020

I assume we are talking about an IP Phone doing MAB authentication.

What does the ISE LiveLog details say about the authorization of the IP phone?

What authorization rule was matched in your policy for the IP Phone?

msompong1 · ‎03-30-2020

The log shows IP phone MAC is rejected.

But in IP phone it can access voice VLAN , got the IP address and can call as normal

Cristian Matei · ‎03-30-2020

Hi,

What you're seeing is due to the configured "authentication open" on the port, which means you've deployed what is called ISE in Monitor Mode. All MAC addresses on the port will try to be authenticated via MAB/802.1x against ISE, but there is no enforcement (the end result success or fail is not relevant), and each MAC address is actually given full access to the network.

The moment you remove "authentication open", each MAC address will have to be authenticated/authorized in order to get network access.

Regards,

Cristian Matei.