09-17-2010 11:42 AM - edited 03-10-2019 05:25 PM
Hello team:
I configured multidomain on a Cisco 3650 port (12.2(53)SE1), and connected a 7941 Phone and laptop behind it. The phone gets successfully authenticated but the PC does not get fully connected. The PC adapter's icon shows an "authentication error" message.
The same PC, connected to another port (same commands except "authentication host-mode multi-domain") works perfect, including new VLAN and ACL assigned from ACS.
Any ideas of what I could be doing wrong?
This is the configuration on the switch port where the PC chained to the phone fails:
interface FastEthernet0/6
 switchport access vlan 701
 switchport mode access
 switchport voice vlan 123
 authentication event fail action next-method
 authentication event server dead action authorize vlan 704
 authentication event no-response action authorize vlan 701
 authentication host-mode multi-domain
 authentication open
 authentication port-control auto
 authentication periodic
 dot1x pae authenticator
 dot1x timeout tx-period 60
 spanning-tree portfast
This is the configuration on the switch port where the PC without a phone works OK (exactly the same config, except for multidomain):
interface FastEthernet0/7
 switchport access vlan 701
 switchport mode access
 switchport voice vlan 123
 authentication event fail action next-method
 authentication event server dead action authorize vlan 704
 authentication event no-response action authorize vlan 701
 authentication open
 authentication port-control auto
 authentication periodic
 dot1x pae authenticator
 dot1x timeout tx-period 60
 spanning-tree portfast
When the PC fails to get connected, I see the following messages on the switch:
Sep 17 18:36:18: %DOT1X-5-SUCCESS: Authentication successful for client (0023.aeb8.ce44) on Interface Fa0/6 AuditSessionID 0A01460A000000310080FDFC
Sep 17 18:36:18: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0023.aeb8.ce44) on Interface Fa0/6 AuditSessionID 0A01460A000000310080FDFC
Sep 17 18:36:18: %AUTHMGR-5-FAIL: Authorization failed for client (0023.aeb8.ce44) on Interface Fa0/6 AuditSessionID 0A01460A000000310080FDFC
Sep 17 18:36:18: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (0023.aeb8.ce44) on Interface Fa0/6 AuditSessionID 0A01460A000000310080FDFC
Sep 17 18:36:18: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0023.aeb8.ce44) on Interface Fa0/6 AuditSessionID 0A01460A000000310080FDFC
Any hints will be greatly appreciated.
Best regards, Rogelio
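As an added illustration (my own code, not part of Rogelio's post and not a Cisco tool), the Python below groups those syslog messages by AuditSessionID and flags the sequence the post shows: dot1x authentication succeeded, the authorization that followed failed, and the result was overridden before the final "Authorization succeeded". Grepping for the SUCCESS messages alone would miss that fault. The sample log is the post's own five lines rejoined onto one line each, plus one made-up healthy session (MAC and AuditSessionID are invented) for contrast; the verdict names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the five syslog lines from the post above, rejoined
# onto one line each, followed by a hypothetical healthy session on Fa0/7
# (its MAC and AuditSessionID are made up for this example).
SAMPLE_LOG = """\
Sep 17 18:36:18: %DOT1X-5-SUCCESS: Authentication successful for client (0023.aeb8.ce44) on Interface Fa0/6 AuditSessionID 0A01460A000000310080FDFC
Sep 17 18:36:18: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0023.aeb8.ce44) on Interface Fa0/6 AuditSessionID 0A01460A000000310080FDFC
Sep 17 18:36:18: %AUTHMGR-5-FAIL: Authorization failed for client (0023.aeb8.ce44) on Interface Fa0/6 AuditSessionID 0A01460A000000310080FDFC
Sep 17 18:36:18: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (0023.aeb8.ce44) on Interface Fa0/6 AuditSessionID 0A01460A000000310080FDFC
Sep 17 18:36:18: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0023.aeb8.ce44) on Interface Fa0/6 AuditSessionID 0A01460A000000310080FDFC
Sep 17 18:40:02: %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Fa0/7 AuditSessionID 0A01460A00000032FFFFFFFF
Sep 17 18:40:02: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0011.2233.4455) on Interface Fa0/7 AuditSessionID 0A01460A00000032FFFFFFFF
"""

# Common shape of the DOT1X / AUTHMGR messages in the post:
# %FACILITY-SEV-MNEMONIC: <text> for client (<mac>) on Interface <intf> AuditSessionID <sid>
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*?) for client \((?P<mac>[0-9a-f.]+)\) "
    r"on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-Fa-f]+)"
)


def parse_events(log_text):
    """Group parsed messages by AuditSessionID, keeping log order."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if m:
            sessions[m.group("sid")].append(m.groupdict())
    return sessions


def classify(events):
    """Verdict for one session's ordered events (verdict names are my own)."""
    tags = [(e["facility"], e["mnemonic"]) for e in events]
    authc_ok = ("DOT1X", "SUCCESS") in tags
    authz_failed = any(
        e["facility"] == "AUTHMGR" and e["mnemonic"] == "FAIL"
        and e["text"].startswith("Authorization failed")
        for e in events
    )
    overridden = ("DOT1X", "RESULT_OVERRIDE") in tags
    authz_ok = ("AUTHMGR", "SUCCESS") in tags
    if authc_ok and authz_failed and overridden:
        # Authenticated, authorization failed, then the result was overridden:
        # the trailing "Authorization succeeded" is not the server's policy.
        return "authz-failed-overridden"
    if authc_ok and authz_failed:
        return "authz-failed"
    if authc_ok and authz_ok:
        return "ok"
    return "incomplete"


def summarize(log_text):
    """Map each AuditSessionID to the client MAC, interface and verdict."""
    return {
        sid: {"mac": ev[0]["mac"], "intf": ev[0]["intf"], "verdict": classify(ev)}
        for sid, ev in parse_events(log_text).items()
    }


if __name__ == "__main__":
    for sid, info in summarize(SAMPLE_LOG).items():
        print(sid, info)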
09-17-2010 01:27 PM
Guys, I found the context in which it fails.
The switch fails to authorize (but authentication is still OK) if CiscoSecure ACS sends the contents of an ACL when the port is configured in multidomain.
It does not matter whether the PC is directly attached to the port or behind a phone. As soon as I include the multidomain command, the switch fails to grant the PC the right to get into the port.
As soon as I remove the ACL information (either downloadable ACL or inacl# entries), the PC is successfully authenticated and moved to the VLAN ordered by ACS to the switch.
On the other hand, as I mentioned in my previous note, the ACL is successfully loaded on the port if the port is not configured in multidomain.
So the problem is with ACLs or ACL entries. Shouldn't this be supported on multidomain?
Any help will be greatly appreciated.
Regards, Rogelio
09-20-2010 02:08 PM
Hello Rogelio
Can you check this in your configuration:
1. Remove authentication open from port config
2. Add ACL (some general ACL with few entries) to port
3. Add ip device tracking to global config
4. After authentication check the following: sh ip access-l and sh ip access-l int fa x/x. If the output of the second command is empty, try sh auth session int fa x/x detail. The switch should correctly recognize the IP address of the IP phone and the PC. If not, this is a bug in IOS.
Regards,
Stas
09-20-2010 02:28 PM
Hello Stas, thank you very much for your advice.
I will check on this tomorrow when I test in the customer site, and let you know.
Best regards,
09-21-2010 11:14 AM
Hello Stas:
I tested as suggested, without success. Basically, I removed the "authentication open" command, added an ACL to the port (permit ip any any), and the "ip device tracking" command.
Now the switch failed to authorize BOTH ports (PC and Phone). Just in case of interest:
1. The output of the "show ip access-list interface Fa0/6" commands is empty
2. The output of the "show auth session int fa 0/6" command is the following
Switch# sh auth session int fa0/6
            Interface:  FastEthernet0/6
          MAC Address:  Unknown
           IP Address:  Unknown
            User-Name:  UNRESPONSIVE
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-host
     Oper control dir:  both
        Authorized By:  Guest Vlan
          Vlan Policy:  701
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A01460A0000009814F3D712
      Acct Session ID:  0x000000A2
               Handle:  0xAB000098
Runnable methods list:
       Method   State
       dot1x    Failed over
Switch#
Finally, I collected a set of syslog messages, just in case someone would like to take a look. 001e.138c.5bf5 is the Phone's MAC.
Thank you very much.
Regards, Rogelio
09-21-2010 12:15 PM
Hello Rogelio
Could you also remove the following lines from fa0/6:
authentication event fail action next-method
authentication event server dead action authorize vlan 704
authentication event no-response action authorize vlan 701
authentication periodic
Also, if you can't use a downloadable ACL, please remove the ACL from fa0/6.
Next, check the port settings. In the output of sh auth sess int fa0/6 the Oper host mode is multi-host. This is incorrect; it should be multi-domain.
Next, in your first message you wrote that you have a phone and a PC behind the phone. How is your phone authenticated? By dot1x or MAB? In multidomain mode ACS should provide the switch with the av-pair for the voice VLAN.
Example from a 3750 with MAB for the phone and open auth for the PC:
sh authentication sessions interface gigabitEthernet 3/0/1
            Interface:  GigabitEthernet3/0/1
          MAC Address:  0001.0001.0001
           IP Address:  x.x.x.x
            User-Name:  000100010001
               Status:  Authz Success
               Domain:  VOICE
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  AC112E6A000002B5DA302795
      Acct Session ID:  0x000007AE
               Handle:  0x590002B5
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
Regards,
Stas
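As an added example (my own code, not from Stas's reply or from Cisco), the Python below parses "show authentication sessions interface" output and applies the checks Stas is making by eye: the operational host mode must match the configured one, the session must be authorized by the Authentication Server rather than a fallback such as Guest Vlan, the client MAC and IP must have been learned, and at least one runnable method must have reached Authc Success. The two sample blocks are the outputs quoted in this thread (the Fa0/6 session and the 3750 Gi3/0/1 session); the check names and the expected values are my own choices.

```python
# Constructed samples: the two session outputs quoted in this thread, with the
# column alignment IOS prints. The parser strips whitespace, so the flattened
# copies in the posts parse identically.
SESSION_FA0_6 = """\
            Interface:  FastEthernet0/6
          MAC Address:  Unknown
           IP Address:  Unknown
            User-Name:  UNRESPONSIVE
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-host
     Oper control dir:  both
        Authorized By:  Guest Vlan
          Vlan Policy:  701
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A01460A0000009814F3D712
      Acct Session ID:  0x000000A2
               Handle:  0xAB000098
Runnable methods list:
       Method   State
       dot1x    Failed over
"""

SESSION_GI3_0_1 = """\
            Interface:  GigabitEthernet3/0/1
          MAC Address:  0001.0001.0001
           IP Address:  x.x.x.x
            User-Name:  000100010001
               Status:  Authz Success
               Domain:  VOICE
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  AC112E6A000002B5DA302795
      Acct Session ID:  0x000007AE
               Handle:  0x590002B5
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
"""


def parse_session(text):
    """Split one session block into a field dict and a {method: state} dict."""
    fields, methods, in_methods = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_methods:
            if line.lower().startswith("method"):
                continue                      # the "Method State" column header
            parts = line.split(None, 1)       # e.g. "dot1x    Failed over"
            if len(parts) == 2:
                methods[parts[0]] = parts[1]
            continue
        if line.startswith("Runnable methods list"):
            in_methods = True
            continue
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields, methods


def check_session(text, expected_host_mode="multi-domain"):
    """Return a list of findings; an empty list means the session looks healthy."""
    fields, methods = parse_session(text)
    findings = []
    host_mode = fields.get("Oper host mode")
    if host_mode != expected_host_mode:
        findings.append(f"Oper host mode is {host_mode!r}, expected {expected_host_mode!r}")
    if fields.get("Status") != "Authz Success":
        findings.append(f"Status is {fields.get('Status')!r}")
    authz_by = fields.get("Authorized By")
    if authz_by != "Authentication Server":
        findings.append(f"Authorized By {authz_by!r}: a fallback, not the AAA server's policy")
    if fields.get("Domain") not in ("DATA", "VOICE"):
        findings.append(f"unexpected Domain {fields.get('Domain')!r}")
    for key in ("MAC Address", "IP Address"):
        if fields.get(key, "Unknown") == "Unknown":
            findings.append(f"{key} not learned")
    if "Authc Success" not in methods.values():
        findings.append("no method reached Authc Success: "
                        + ", ".join(f"{m}={s}" for m, s in methods.items()))
    return findings


if __name__ == "__main__":
    for name, block in (("Fa0/6", SESSION_FA0_6), ("Gi3/0/1", SESSION_GI3_0_1)):
        print(name, check_session(block) or "OK")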
09-21-2010 06:56 PM
Hello Stas:
I am also confused about the output of the switch, since the configuration of the port says "multidomain". I will start over from zero and let you know the results.
With respect to the phone, I am authenticating it with 802.1X. This works OK. I am not using MAB for it.
I have never used Downloadable ACLs. Instead, I have been using Cisco avpairs ip:inacl#xx=permit ip
I plan to visit the customer site in two or three days. I will let you know as soon as I get new output.
Thank you for your support.
Rogelio
10-01-2010 01:26 AM
HI,
I have experienced the same problem and it has to be a BUG. I have a C4506 with gig access ports, ACS 5.1 and Cisco 7940 phones. If I run multi-host it works fine, but then I have security issues. If I switch to multi-domain all looks fine (success in the ACS logs and debug output), but the phone and client are not able to communicate (e.g. can't ping the default GW); the phone and client do receive an IP address.
I have logged a case with Cisco TAC and am waiting for an answer.
/Magnus
07-05-2011 08:08 AM
Did you ever get an answer for this?
07-05-2011 01:51 PM
Hello
The bug with Multi Domain Authentication has been fixed in Catalyst IOS since 12.2(50)SE5 (Oct 2010). I think most IOS releases after Oct 2010 include the fix, but for me the problem on a 3750-48PSS was gone after I updated to 12.2(50)SE5.
Stas