MAB ACS 5.2 IP Phone

s.kho
Level 1

Hi,

I am unable to get my Cisco IP Phone to authenticate using MAB on ACS 5.2. The phone is not being allocated to the voice VLAN, and hence is not getting an IP address from DHCP. My switch port config is below:

interface FastEthernet1/0/10
 switchport access vlan 11
 switchport mode access
 switchport voice vlan 2
 switchport port-security maximum 4
 authentication control-direction in
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer restart 900
 authentication timer reauthenticate 5400
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 3
 spanning-tree portfast
 spanning-tree bpduguard enable

It appears to be authenticating repeatedly. Am I missing configuration in ACS to allow the phone onto the voice VLAN? Under Authorization Profile I had "Voice VLAN Permission to Join" set to Static, which is Yes (device-traffic-class=voice).

Capture of the authentication below:

*Mar  1 02:06:19.333: %AUTHMGR-5-START: Starting 'mab' for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:06:19.350: %MAB-5-SUCCESS: Authentication successful for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:06:19.350: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:06:20.373: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:07:15.814: %AUTHMGR-5-START: Starting 'mab' for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:07:15.822: %MAB-5-SUCCESS: Authentication successful for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:07:15.822: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:07:16.862: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:08:15.834: %AUTHMGR-5-START: Starting 'mab' for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:08:15.851: %MAB-5-SUCCESS: Authentication successful for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:08:15.851: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:08:16.883: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001e.be91.6baa) on Interface Fa1/0/10

Thanks

1 Reply

jedubois
Cisco Employee

Hello,

You can get more information about why it is cycling with (debug dot1x all, debug radius, debug authentication all, debug auth feature all). Also, ACS does not assign the phone to the voice VLAN; that is going to happen as if 802.1x was not enabled. This will be via CDP, LLDP, DHCP or statically defined on the phone. The attribute device-traffic-class=voice assigns the phone to the voice domain, which is strictly an authentication manager designation.

--Jesse
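
The cycling visible in the question's log can be confirmed from switch syslog before turning on debugs. The following is an added example, not part of either post or any Cisco tool: it parses `%AUTHMGR-5-START` lines and flags clients whose method restarts far sooner than the configured reauthentication timer. The function names, the half-timer cut-off and the second client in the sample are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: START/SUCCESS pairs modelled on the log in the question,
# plus one made-up client (0000.0000.0001) that authenticates only once.
SAMPLE_LOG = """\
*Mar  1 02:06:19.333: %AUTHMGR-5-START: Starting 'mab' for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:06:20.373: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:06:30.000: %AUTHMGR-5-START: Starting 'mab' for client (0000.0000.0001) on Interface Fa1/0/11
*Mar  1 02:07:15.814: %AUTHMGR-5-START: Starting 'mab' for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:07:16.862: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001e.be91.6baa) on Interface Fa1/0/10
*Mar  1 02:08:15.834: %AUTHMGR-5-START: Starting 'mab' for client (001e.be91.6baa) on Interface Fa1/0/10
"""

START_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d\.\d+): %AUTHMGR-5-START: "
    r"Starting '(?P<method>[^']+)' for client \((?P<mac>[0-9a-f.]+)\) "
    r"on Interface (?P<intf>\S+)"
)

def parse_starts(log_text):
    """Group AUTHMGR-5-START timestamps by (MAC, interface, method)."""
    starts = defaultdict(list)
    for line in log_text.splitlines():
        m = START_RE.match(line.strip())
        if m:
            # IOS timestamps carry no year; 2000 is an arbitrary assumed year.
            stamp = "2000 " + " ".join(m["ts"].split())
            ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S.%f")
            starts[(m["mac"], m["intf"], m["method"])].append(ts)
    return starts

def find_cycling(log_text, reauth_timer_s, min_early=2):
    """Flag sessions restarting well before the reauth timer (cut-offs are assumed)."""
    findings = {}
    for key, times in parse_starts(log_text).items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        early = [g for g in gaps if g < reauth_timer_s / 2]
        if len(early) >= min_early:
            findings[key] = early
    return findings

if __name__ == "__main__":
    # 5400 is the "authentication timer reauthenticate" value from the posted config.
    for (mac, intf, method), gaps in find_cycling(SAMPLE_LOG, 5400).items():
        print(f"{mac} on {intf}: '{method}' restarted after {gaps} s (timer 5400 s)")
```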
