Dot1x 'Open' implementation and unreachable RADIUS

JAN DEVOS
Level 1

Hello,

I'm trying to set up an open dot1x environment on a C3750, with ACS 5.3 as RADIUS and Avaya IP phones.

When configuring on the interface

authentication port-control auto

authentication open

authentication host-mode multi-auth

the phone and PC can connect to their respective VLANs, obtain a DHCP address and operate as expected. (Please note the switchport shows up as authenticated/authorized if the device has a dot1x supplicant on board with valid credentials, but shows up as unauthorized with wrong credentials or with no dot1x supplicant at all; however, I think this is normal behavior of the switchport.)

Now, if the ACS is unreachable, the PC can still connect to its VLAN and proceed, but the phone stays stuck in dot1x authentication.

My question: is this a misbehavior of the phone? I expect the phone to start with an EAPOL-Start; maybe switch and phone will subsequently exchange an 'identity request/response', but as the switch has no ACS in its backend, the process stops there; in other words, the phone will never be challenged for its credentials. I would expect the phone from then on to consider itself authenticated and proceed just like it would if authenticated, i.e. DHCP etc.

Nevertheless the phone seems to 'stay stuck' in its dot1x authentication procedure.

I don't expect that coding authentication event server-dead action authorize ;... will unblock the phone's supplicant in this case of an already open dot1x port configuration.

Thanks for any clarification.

##### important update #####

From the dot1x debug on the switch, it appears the phone sends an EAPOL-Start each minute, triggering an EAPOL_Request_Identity (sw to phone) and EAPOL_Resp_Identity (phone to sw) and finally an EAPOL_FAIL code 4 (sw to phone). This last message does not cause the phone to quit its dot1x process; it simply iterates on this sequence by reissuing EAPOL-Start. Unlike the PC behind it, which proceeds after the FAIL, considering itself authorized to the port (and the switch accepting, as we are in open dot1x).

When now adding to the switchport

auth event server dead action authorize voice

auth ............................................................  vlan <native vlan>

the switch replies with an EAPOL code 4 (auth) FAIL immediately. Again, the PC quits the dot1x procedure and proceeds, considering itself authorized. And the phone continues sticking to dot1x EAPOL-Start.

May we suspect here a 'bug' in the phone, and should it stop further dot1x attempts (EAPOL-Start) as soon as an EAPOL-Fail is received?
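An added example, not code from the thread, from Cisco or from the phone vendor: a small Python decoder for EAPOL/EAP frames (IEEE 802.1X header, RFC 3748 EAP codes) plus a tracker that flags supplicants which keep repeating the EAPOL-Start / Request-Identity / Response-Identity / EAP-Failure sequence described in the update above. This is the check you would run over a port capture to tell a looping supplicant (the phone) from one that gives up after the Failure and carries on in open mode (the PC). The frame bytes, MAC addresses (RFC 7042 documentation range) and identities are constructed sample data; `build_eapol` exists only to fabricate them.

```python
import struct
from collections import defaultdict

# IEEE 802.1X EAPOL header: version (1 byte), packet type (1), body length (2).
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
# RFC 3748 EAP codes (EAP-Failure is code 4, as in the debug above) and the Identity type.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
EAP_CODE_NAMES = {EAP_REQUEST: "Request", EAP_RESPONSE: "Response",
                  EAP_SUCCESS: "Success", EAP_FAILURE: "Failure"}


def build_eapol(ptype, eap_code=None, eap_id=0, eap_type=None, payload=b""):
    """Construct an EAPOL frame body (the bytes after the Ethernet header).
    Only used here to fabricate sample frames; a real run would feed captured frames."""
    body = b""
    if ptype == EAPOL_EAP_PACKET:
        eap_body = (bytes([eap_type]) if eap_type is not None else b"") + payload
        body = struct.pack("!BBH", eap_code, eap_id, 4 + len(eap_body)) + eap_body
    return struct.pack("!BBH", 2, ptype, len(body)) + body


def decode_eapol(frame):
    """Decode one EAPOL frame body into a dict carrying an 'event' label."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL length field exceeds frame")
    info = {"version": version, "eapol_type": ptype}
    if ptype == EAPOL_START:
        info["event"] = "EAPOL-Start"
    elif ptype == EAPOL_LOGOFF:
        info["event"] = "EAPOL-Logoff"
    elif ptype == EAPOL_EAP_PACKET:
        if len(body) < 4:
            raise ValueError("truncated EAP header")
        code, eap_id, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len > len(body):
            raise ValueError("EAP length field exceeds EAPOL body")
        info.update(eap_code=code, eap_id=eap_id)
        name = EAP_CODE_NAMES.get(code, f"code{code}")
        if code in (EAP_REQUEST, EAP_RESPONSE) and eap_len >= 5:
            eap_type = body[4]
            method = "Identity" if eap_type == EAP_TYPE_IDENTITY else f"type{eap_type}"
            info["event"] = f"EAP-{name}/{method}"
            if code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY:
                info["identity"] = body[5:eap_len].decode("utf-8", "replace")
        else:
            info["event"] = f"EAP-{name}"  # Success / Failure carry no method type
    else:
        info["event"] = f"EAPOL-type{ptype}"
    return info


def find_restart_loops(events, min_restarts=2):
    """events: iterable of (seconds, supplicant_mac, eapol_frame_bytes).
    Count, per supplicant, the EAPOL-Starts sent after the authenticator's EAP-Failure.
    A supplicant that keeps restarting (the phone) is reported; one that stops
    after the Failure and just uses the open port (the PC) is not."""
    failed = defaultdict(bool)
    restarts = defaultdict(int)
    for _t, mac, frame in sorted(events, key=lambda e: e[0]):
        event = decode_eapol(frame)["event"]
        if event == "EAP-Failure":
            failed[mac] = True
        elif event == "EAPOL-Start" and failed[mac]:
            restarts[mac] += 1
            failed[mac] = False
    return {mac: n for mac, n in restarts.items() if n >= min_restarts}


# Constructed sample data (documentation MACs and identities, not real devices).
PHONE, PC = "00:00:5e:00:53:01", "00:00:5e:00:53:02"


def one_round(mac, eap_id, start_at, identity):
    """The four-frame exchange from the debug, as constructed sample frames."""
    return [
        (start_at, mac, build_eapol(EAPOL_START)),
        (start_at + 1, mac, build_eapol(EAPOL_EAP_PACKET, EAP_REQUEST, eap_id, EAP_TYPE_IDENTITY)),
        (start_at + 2, mac, build_eapol(EAPOL_EAP_PACKET, EAP_RESPONSE, eap_id, EAP_TYPE_IDENTITY, identity)),
        (start_at + 3, mac, build_eapol(EAPOL_EAP_PACKET, EAP_FAILURE, eap_id)),
    ]


def sample_session():
    events = []
    for n in range(4):  # phone: one full round per minute, four minutes of capture
        events += one_round(PHONE, n + 1, 60 * n, b"phone@example.invalid")
    events += one_round(PC, 1, 0, b"pc@example.invalid")  # PC: one round, then silent
    return events


if __name__ == "__main__":
    for mac, n in find_restart_loops(sample_session()).items():
        print(f"{mac}: restarted 802.1X {n} times after EAP-Failure")
```

On the constructed capture the tracker reports only the phone's MAC with three restarts; the PC, which goes quiet after its single EAP-Failure, is not reported. Feeding it real frames means stripping the Ethernet header (EtherType 0x888E) and using the source MAC as the supplicant key.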

4 Replies

hdussa
Level 1

Hi Jan,

Usually a voice VLAN needs to be configured on the switchport. The phone starts in the access VLAN and, if authentication is OK, the switch puts the phone into a voice domain. On ACS you must configure device-traffic-class = voice.

Are you using a Cisco phone? Only Cisco phones send via CDP that a PC is disconnected. With a non-Cisco phone the session remains forever. That is the reason that the PC can go on working without a connection to ACS.

sh authentication session

Good documentation:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html

Tarik Admani
VIP Alumni

Hi, can you send your port configuration?


Sent from Cisco Technical Support Android App

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius

dot1x system-auth-control
!
interface FastEthernet0/1
description Telefonport mit PC
switchport mode access
switchport voice vlan 24
speed 100
duplex full
authentication event fail action next-method
authentication host-mode multi-domain
authentication order dot1x mab
authentication port-control auto
authentication timer inactivity server
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 1
dot1x max-req 3
dot1x max-reauth-req 1
spanning-tree portfast
!
ip radius source-interface Vlan311
!
radius server ACS_Pri
address ipv4 1.1.1.1 auth-port 1645 acct-port 1646
timeout 3
key 123

------------------------------------------

On ACS

Policy Elements/Authorization and Permissions/Network Access/Authorization Profiles
Create a profile VOICE and, under Common Tasks, set "Voice VLAN" from unused to static. Then you can see

Yes (device-traffic-class=voice).

That's it.

Octavian Szolga
Level 4

Have you configured dot1x critical eapol?
