802.1X - IP Phone fails with MAB in MDA - Phone mac in data VLAN as well

pthiel
Beginner

Hello,

I'm facing a problem where the IP phone MAC address causes a security violation in the data VLAN when using 802.1X and MAB with multi-domain authentication on a switchport.

Below are the logs of what's going on.

Desktop PC:

002191: Jul 18 10:23:49: %AUTHMGR-5-START: Starting 'dot1x' for client (0025.b3cc.03df) on Interface Fa0/3 AuditSessionID 00000000000000025AD497E1

Phone:

002192: Jul 18 10:23:53: %AUTHMGR-5-START: Starting 'dot1x' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC

Desktop PC success:

002193: Jul 18 10:24:07: %DOT1X-5-SUCCESS: Authentication successful for client (0025.b3cc.03df) on Interface Fa0/3 AuditSessionID

002194: Jul 18 10:24:07: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0025.b3cc.03df) on Interface Fa0/3 AuditSessionID 00000000000000025AD497E1

002195: Jul 18 10:24:08: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0025.b3cc.03df) on Interface Fa0/3 AuditSessionID 00000000000000025AD497E1

Phone - works with fallback to MAB:

002192: Jul 18 10:23:53: %AUTHMGR-5-START: Starting 'dot1x' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC

002196: Jul 18 10:24:08: %DOT1X-5-FAIL: Authentication failed for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID

002197: Jul 18 10:24:08: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC

002198: Jul 18 10:24:08: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC

002199: Jul 18 10:24:08: %AUTHMGR-5-START: Starting 'mab' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC

002200: Jul 18 10:24:08: %MAB-5-SUCCESS: Authentication successful for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC

002201: Jul 18 10:24:08: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC

But the phone causes a security violation and the port goes to error-disabled state, because its MAC address is seen on VLAN 1 as well:

002202: Jul 18 10:24:08: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/3, new MAC address (0024.c4fe.afe5) is seen.AuditSessionID  00000000000000035AD4A9AC

002203: Jul 18 10:24:08: %PM-4-ERR_DISABLE_VP: security-violation error detected on Fa0/3, vlan 1.  Putting in err-disable stat

With no 802.1X configuration, three MAC addresses are seen on the port.

Example:

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0025.b3cc.0380    DYNAMIC     Fa0/12
   1    aca0.166e.f2ff    DYNAMIC     Fa0/12
 140    aca0.166e.f2ff    DYNAMIC     Fa0/12
Total Mac Addresses for this criterion: 3

The strange thing is:

We have working locations with this setup, and at the working locations just two MAC addresses are seen.

(with MAC type "static", after 802.1X authentication)

I haven't found a satisfying answer as to why the phone MAC is seen in the data VLAN as well.

And I have the strong feeling that this causes the trouble I'm having.

Maybe someone can brighten my day and write some clarification, or has a solution for this issue.

TIA

kind regards

Peter

PS:

Authentication against IAS

Phone load:

Anw.-Software-ID  jar42sccp.9-1-1TH1-16.sbn
Boot-Software-ID  tnp62.8-3-1-21a.bin
Version           SCCP42.9-1-1SR1S

Interface configuration:

interface FastEthernet0/3
 switchport mode access
 switchport voice vlan 140
 authentication control-direction in
 authentication event fail action authorize vlan 150
 authentication event no-response action authorize vlan 150
 authentication host-mode multi-domain
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 2
 dot1x timeout tx-period 5
 spanning-tree portfast

Other configuration parameters:

aaa group server radius 8021x
 server-private x.x.x.x auth-port 1812 acct-port 1813 key xyz
 server-private x.x.x.x auth-port 1812 acct-port 1813 key xyz
!
aaa authentication dot1x default group 8021x
aaa authorization network default group 8021x
!
dot1x system-auth-control
dot1x guest-vlan supplicant
!
errdisable detect cause security-violation shutdown vlan
!
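As an added example (not part of the original post), here is a small detector for the pattern in the logs above: it groups the AUTHMGR/MAB syslog lines by AuditSessionID and flags sessions where a MAB or dot1x success is followed by a SECURITY_VIOLATION on the same session, which is the signature of the phone MAC showing up in the data VLAN. The sample lines are copied from the post; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the syslog lines quoted in the post above,
# reduced to the ones needed to show the success-then-violation pattern.
SAMPLE_LOG = """\
002192: Jul 18 10:23:53: %AUTHMGR-5-START: Starting 'dot1x' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC
002195: Jul 18 10:24:08: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0025.b3cc.03df) on Interface Fa0/3 AuditSessionID 00000000000000025AD497E1
002198: Jul 18 10:24:08: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC
002200: Jul 18 10:24:08: %MAB-5-SUCCESS: Authentication successful for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC
002202: Jul 18 10:24:08: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/3, new MAC address (0024.c4fe.afe5) is seen.AuditSessionID  00000000000000035AD4A9AC
002203: Jul 18 10:24:08: %PM-4-ERR_DISABLE_VP: security-violation error detected on Fa0/3, vlan 1.  Putting in err-disable stat
"""

# IOS message header: %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(r"%(?P<fac>[A-Z0-9]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): ")
MAC_RE = re.compile(r"\(([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)")
SESSION_RE = re.compile(r"AuditSessionID\s+([0-9A-Fa-f]+)")

SUCCESS_EVENTS = {"MAB-SUCCESS", "DOT1X-SUCCESS", "AUTHMGR-SUCCESS"}


def parse_line(line):
    """Return (event, mac, session_id) or None if the line is not an IOS syslog message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    mac = MAC_RE.search(line)
    sess = SESSION_RE.search(line)
    event = f"{m['fac']}-{m['mnemonic']}"
    return event, (mac.group(1) if mac else None), (sess.group(1) if sess else None)


def find_violating_sessions(log_text):
    """Map session id -> (mac, [events]) for sessions that authenticated
    successfully and then hit AUTHMGR-SECURITY_VIOLATION."""
    timeline, macs = defaultdict(list), {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed or not parsed[2]:
            continue  # lines without a session id (e.g. PM-4-ERR_DISABLE_VP) cannot be correlated
        event, mac, sess = parsed
        timeline[sess].append(event)
        if mac:
            macs[sess] = mac
    hits = {}
    for sess, events in timeline.items():
        if SUCCESS_EVENTS & set(events) and "AUTHMGR-SECURITY_VIOLATION" in events:
            hits[sess] = (macs.get(sess), events)
    return hits
```

Running it over the sample flags only the phone's session (0024.c4fe.afe5); the PC's session has a success and no violation, so it is not reported.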

3 Replies

paul.l.kyte
Beginner

Peter,

Did you ever resolve this?

I am seeing the same thing, but on my network the phones are configured for 802.1x. The switch attempts MAB first and then 802.1x. What I see is that the switch fails over from MAB to 802.1x, but this is left in a 'running' state and never completes. The phone's MAC is seen in the MDA port's base VLAN and also the voice VLAN, and there is a security violation for the base VLAN. The 802.1x never completes.

This anomaly only happens for a few phones.

If you can pass on any information as to what is causing the problem I would be grateful.

Regards,

Paul


Hello,

Don't know if you already resolved your problem, but I had exactly the same issue, and for me the solution was to re-enable CDP on the interface configuration...

So I had the command "no cdp enable" on my interface, and as soon as I configured "cdp enable", the phone MAC in the data VLAN disappeared directly...

Here is the documentation that helped me --> https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-605524.html#wp9000480

Regards.
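As an added example (not part of this reply or of Cisco's tooling), here is a configuration check for the condition this reply describes: multi-domain voice ports on which CDP is off, either by "no cdp enable" on the interface or by "no cdp run" globally. The sample config is constructed from the interface in the original post; the function names are my own.

```python
import re

# Constructed sample: the original poster's port with CDP disabled on it,
# plus a second port where CDP is left on, so both outcomes are visible.
SAMPLE_CONFIG = """\
interface FastEthernet0/3
 switchport mode access
 switchport voice vlan 140
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 dot1x pae authenticator
 no cdp enable
!
interface FastEthernet0/4
 switchport mode access
 switchport voice vlan 140
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 dot1x pae authenticator
!
"""


def parse_interfaces(config_text):
    """Split an IOS running-config into {interface_name: [sub-command, ...]}."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces


def mda_ports_without_cdp(config_text):
    """Names of multi-domain ports with a voice VLAN where CDP is disabled,
    which is the setup the reply above found to put the phone MAC in the data VLAN."""
    cdp_off_globally = re.search(r"^no cdp run\s*$", config_text, re.M) is not None
    flagged = []
    for name, cmds in parse_interfaces(config_text).items():
        has_voice = any(c.startswith("switchport voice vlan") for c in cmds)
        is_mda = "authentication host-mode multi-domain" in cmds
        if has_voice and is_mda and (cdp_off_globally or "no cdp enable" in cmds):
            flagged.append(name)
    return flagged
```

Feed it the output of "show running-config"; ports it returns are candidates for "cdp enable" (or "cdp run" globally) before chasing the security violation further.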
