
MAB auth with voice vlan not working on Cat 3560

Wojciech Mitus
Level 1

Hello,

I'm trying to configure MAB auth for a Cisco 7961 IP phone on a Cat 3560 (WS-C3560-48PS, c3560-ipservicesk9-mz.122-55.SE1.bin).

Port config is as follows:

interface FastEthernet0/31
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 switchport port-security maximum 3
 switchport port-security
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer restart 30
 authentication timer reauthenticate 1200
 authentication timer inactivity server
 authentication violation protect
 mab
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 dot1x pae authenticator
 dot1x timeout tx-period 31
 storm-control broadcast level 2.00
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 15
end

Client PC should authenticate using dot1x (this works OK). Phone is not working at all, regardless of passed MAB auth (ISE radius authorizes phone without problems).

"debug auth all" log caught after doing "shut / no shut" on the port:

Jul  2 17:26:54.538: %ILPOWER-5-POWER_GRANTED: Interface Fa0/31: Power granted
Jul  2 17:26:55.067: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/31, changed state to down
Jul  2 17:26:55.092: %SYS-5-CONFIG_I: Configured from console by 123875 on vty0 (10.150.60.18)
Jul  2 17:26:56.267: %LINK-3-UPDOWN: Interface FastEthernet0/31, changed state to down
Jul  2 17:26:56.535: %SWITCH_QOS_TB-5-TRUST_DEVICE_LOST: cisco-phone no longer detected on port Fa0/31, operational port trust state is now untrusted.
Jul  2 17:26:56.795: AUTH-EVENT: auth_mgr_idc_add_record: Recv audit_sid=0A963F200000003259671276
Jul  2 17:26:58.859: %LINK-3-UPDOWN: Interface FastEthernet0/31, changed state to up
Jul  2 17:26:59.958: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/31, changed state to up
wroc1p31#
Jul  2 17:27:37.371: AUTH-EVENT: auth_mgr_idc_insert_key_in_record: update mac 001d.4543.8b2f
Jul  2 17:27:37.371: %AUTHMGR-5-START: Starting 'mab' for client (001d.4543.8b2f) on Interface Fa0/31 AuditSessionID 0A963F200000003259671276
Jul  2 17:27:37.413: %MAB-5-SUCCESS: Authentication successful for client (001d.4543.8b2f) on Interface Fa0/31 AuditSessionID 0A963F200000003259671276
Jul  2 17:27:37.413: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (001d.4543.8b2f) on Interface Fa0/31 AuditSessionID 0A963F200000003259671276
Jul  2 17:27:37.413: AUTH-EVENT: Enter auth_mgr_idc_modify_keys
Jul  2 17:27:37.422: AUTH-EVENT: Started Auth Manager tick timer
Jul  2 17:27:38.454: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001d.4543.8b2f) on Interface Fa0/31 AuditSessionID 0A963F200000003259671276
Jul  2 17:27:38.454: AUTH-EVENT: Started Auth Manager tick timer
Jul  2 17:27:47.270: AUTH-EVENT: auth_mgr_idc_add_record: Recv mac 0015.c5cf.44fb
Jul  2 17:27:47.270: AUTH-EVENT: auth_mgr_idc_add_record: Recv audit_sid=0A963F20000000335967D7A1
Jul  2 17:27:47.270: %AUTHMGR-5-START: Starting 'mab' for client (0015.c5cf.44fb) on Interface Fa0/31 AuditSessionID 0A963F20000000335967D7A1
Jul  2 17:27:47.295: %MAB-5-FAIL: Authentication failed for client (0015.c5cf.44fb) on Interface Fa0/31 AuditSessionID 0A963F20000000335967D7A1
Jul  2 17:27:47.295: AUTH-EVENT: Enter auth_mgr_idc_modify_keys
Jul  2 17:27:47.295: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0015.c5cf.44fb) on Interface Fa0/31 AuditSessionID 0A963F20000000335967D7A1
Jul  2 17:27:47.304: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0015.c5cf.44fb) on Interface Fa0/31 AuditSessionID 0A963F20000000335967D7A1
Jul  2 17:27:47.304: %AUTHMGR-5-START: Starting 'dot1x' for client (0015.c5cf.44fb) on Interface Fa0/31 AuditSessionID 0A963F20000000335967D7A1
Jul  2 17:27:53.788: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Fa0/31, port's configured trust state is now operational.
Jul  2 17:27:53.813: AUTH-EVENT: Enter auth_mgr_idc_modify_keys
Jul  2 17:27:54.132: %DOT1X-5-SUCCESS: Authentication successful for client (0015.c5cf.44fb) on Interface Fa0/31 AuditSessionID
Jul  2 17:27:54.132: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0015.c5cf.44fb) on Interface Fa0/31 AuditSessionID 0A963F20000000335967D7A1
Jul  2 17:27:54.132: AUTH-EVENT: Enter auth_mgr_idc_modify_keys
Jul  2 17:27:54.786: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Fa0/31, port's configured trust state is now operational.
Jul  2 17:27:54.929: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.c5cf.44fb) on Interface Fa0/31 AuditSessionID 0A963F20000000335967D7A1

Problem is visible here:

switch#sh mac address-table int fa0/31
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0015.c5cf.44fb    STATIC      Fa0/31
  10    001d.4543.8b2f    STATIC      Fa0/31
  20    001d.4543.8b2f    DYNAMIC     Drop

Phone's traffic in voice vlan is dropped... is there something wrong with my port config, or is it a bug?

Thanks,

WM

14 Replies

Tarik Admani
VIP Alumni

Hi,

Are you using ISE or ACS? Can you see if the av pair device-traffic-class=voice is being sent? You can verify this if you have debug radius authentication enabled.


Sent from Cisco Technical Support Android App

Jatin Katyal
Cisco Employee

I agree with Tarik, ISE should be configured to send the device-traffic-class=voice VSA for phones. This way, known phones will be correctly identified and assigned to the voice domain.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hi, I'm using ISE 1.1.3.

I've enabled "debug radius auth", "debug aaa auth" and "debug authentication all" on the switch, and unfortunately nothing from the radius/aaa debugs appears during the port authentication process! It's strange, because I know what these debugs normally look like...

switch#show debugging
General OS:
  AAA Authentication debugging is on
  Radius protocol debugging is on
  Radius packet protocol (authentication) debugging is on
Auth Manager:
  Auth Manager errors debugging is on
  Auth Manager events debugging is on
  Auth Manager sync debugging is on
Condition 1: interface Fa0/26 (1 flags triggered)
        Flags: Fa0/26

Regardless of this, I've looked at the authorization event log in ISE, and it seems that device-traffic-class=voice is passed to the switch:

UserName=00:1D:45:43:8B:2F
User-Name=00-1D-45-43-8B-2F
State=ReauthSession:0A963F200000003A598D944A
Class=CACS:0A963F200000003A598D944A:ise-test/158503421/15401
Termination-Action=RADIUS-Request
cisco-av-pair=device-traffic-class=voice
cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-5165e13c
cisco-av-pair=profile-name=Cisco-IP-Phone

Thanks,

WM

Tarik Admani
VIP Alumni

Can you check the vlan configuration and see if vlan 20 is configured?

Show vlan brief should show this.

As for the debugs, please only turn on the radius debugs and see if your luck changes.


Sent from Cisco Technical Support Android App

Hi, yes, the vlan is configured correctly for sure, as there are other phones on this switch which are working ok. If I change the auth mode to "authentication host-mode single-host" (voice vlan auth bypass), this phone also starts to work.

Turning on "debug radius authentication" exclusively hasn't changed anything - still no logs from this debug...

Thanks,

WM

Did you try MDA for testing purpose? Are you facing the same issue with that as well?

You need to run:

debug radius
debug aaa authentication
debug aaa authorization

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hello, yes, I've tried multi-domain also - same effect. I've even tried this on a second switch, upgraded to the newest c3560-ipbasek9-mz.122-55.SE8.bin. Traffic in voice vlan is still dropped...

But on this second switch I had more luck with the aaa debug:

Switch#
*Mar  1 00:17:26.747: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
*Mar  1 00:17:27.753: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
Switch#
*Mar  1 00:17:27.820: %SYS-5-CONFIG_I: Configured from console by vty0 (10.150.60.18)
*Mar  1 00:17:29.028: AAA/BIND(00000006): Bind i/f
Switch#
*Mar  1 00:17:29.322: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar  1 00:17:30.018: %AUTHMGR-5-START: Starting 'mab' for client (001d.a2b7.85d2) on Interface Fa0/1 AuditSessionID 0A8E310900000001001001C4
*Mar  1 00:17:30.018: AAA/AUTHEN/8021X (00000006): Pick method list 'default'
*Mar  1 00:17:30.018: RADIUS/ENCODE(00000006):Orig. component type = DOT1X
*Mar  1 00:17:30.018: RADIUS(00000006): Config NAS IP: 0.0.0.0
*Mar  1 00:17:30.018: RADIUS/ENCODE(00000006): acct_session_id: 6
*Mar  1 00:17:30.018: RADIUS(00000006): sending
*Mar  1 00:17:30.018: RADIUS/ENCODE: Best Local IP-Address 10.142.49.9 for Radius-Server 10.42.0.25
*Mar  1 00:17:30.018: RADIUS(00000006): Send Access-Request to 10.42.0.25:1812 id 1645/5, len 206
*Mar  1 00:17:30.018: RADIUS:  authenticator 4B 87 DF 97 18 1D CE CD - 57 85 AB D5 C2 79 9B 6E
*Mar  1 00:17:30.018: RADIUS:  User-Name           [1]   14  "001da2b785d2"
*Mar  1 00:17:30.018: RADIUS:  User-Password       [2]   18  *
*Mar  1 00:17:30.018: RADIUS:  Service-Type        [6]   6   Call Check                [10]
*Mar  1 00:17:30.018: RADIUS:  Framed-MTU          [12]  6   1500
*Mar  1 00:17:30.018: RADIUS:  Called-Station-Id   [30]  19  "00-19-06-C2-7D-03"
*Mar  1 00:17:30.018: RADIUS:  Calling-Station-Id  [31]  19  "00-1D-A2-B7-85-D2"
*Mar  1 00:17:30.018: RADIUS:  Message-Authenticato[80]  18
*Mar  1 00:17:30.018: RADIUS:   DF 27 2E BC AD AE B2 33 C0 81 2D FD 34 87 55 99            [ '.3-4U]
*Mar  1 00:17:30.018: RADIUS:  EAP-Key-Name        [102] 2   *
*Mar  1 00:17:30.018: RADIUS:  Vendor, Cisco       [26]  49
*Mar  1 00:17:30.018: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0A8E310900000001001001C4"
*Mar  1 00:17:30.018: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
*Mar  1 00:17:30.018: RADIUS:  NAS-Port            [5]   6   50001
*Mar  1 00:17:30.018: RADIUS:  NAS-Port-Id         [87]  17  "FastEthernet0/1"
*Mar  1 00:17:30.018: RADIUS:  NAS-IP-Address      [4]   6   10.142.49.9
*Mar  1 00:17:30.027: RADIUS(00000006): Started 5 sec timeout
*Mar  1 00:17:30.069: RADIUS: Received from id 1645/5 10.42.0.25:1812, Access-Accept, len 303
*Mar  1 00:17:30.069: RADIUS:  authenticator F5 84 EB 7B 9E 96 0B 6B - 34 7F 74 D1 9E 28 0D CA
*Mar  1 00:17:30.069: RADIUS:  User-Name           [1]   19  "00-1D-A2-B7-85-D2"
*Mar  1 00:17:30.069: RADIUS:  State               [24]  40
*Mar  1 00:17:30.069: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 41  [ReauthSession:0A]
*Mar  1 00:17:30.069: RADIUS:   38 45 33 31 30 39 30 30 30 30 30 30 30 31 30 30  [8E31090000000100]
*Mar  1 00:17:30.069: RADIUS:   31 30 30 31 43 34            [ 1001C4]
*Mar  1 00:17:30.069: RADIUS:  Class               [25]  56
*Mar  1 00:17:30.069: RADIUS:   43 41 43 53 3A 30 41 38 45 33 31 30 39 30 30 30  [CACS:0A8E3109000]
*Mar  1 00:17:30.069: RADIUS:   30 30 30 30 31 30 30 31 30 30 31 43 34 3A 69 73  [00001001001C4:is]
*Mar  1 00:17:30.077: RADIUS:   65 2D 74 65 73 74 2F 31 35 38 35 30 33 34 32 31  [e-test/158503421]
*Mar  1 00:17:30.077: RADIUS:   2F 31 36 37 36 32            [ /16762]
*Mar  1 00:17:30.077: RADIUS:  Termination-Action  [29]  6   1
*Mar  1 00:17:30.077: RADIUS:  Message-Authenticato[80]  18
*Mar  1 00:17:30.077: RADIUS:   F7 30 96 86 CF AB 44 5A 99 E1 C5 F1 94 6F 37 99             [ 0DZo7]
*Mar  1 00:17:30.077: RADIUS:  Vendor, Cisco       [26]  34
*Mar  1 00:17:30.077: RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
*Mar  1 00:17:30.077: RADIUS:  Vendor, Cisco       [26]  75
*Mar  1 00:17:30.077: RADIUS:   Cisco AVpair       [1]   69  "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-5165e13c"
*Mar  1 00:17:30.077: RADIUS:  Vendor, Cisco       [26]  35
*Mar  1 00:17:30.077: RADIUS:   Cisco AVpair       [1]   29  "profile-name=Cisco-IP-Phone"
*Mar  1 00:17:30.077: RADIUS(00000006): Received from id 1645/5
*Mar  1 00:17:30.077: AAA/ATTR: invalid attribute prefix: "ACS"
*Mar  1 00:17:30.077: RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE
*Mar  1 00:17:30.077: AAA/AUTHOR (00000006): Method list id=0 not configured. Skip author
*Mar  1 00:17:30.077: %MAB-5-SUCCESS: Authentication successful for client (001d.a2b7.85d2) on Interface Fa0/1 AuditSessionID 0A8E310900000001001001C4
*Mar  1 00:17:30.077: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (001d.a2b7.85d2) on Interface Fa0/1 AuditSessionID 0A8E310900000001001001C4
*Mar  1 00:17:30.329: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
*Mar  1 00:17:31.109: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001d.a2b7.85d2) on Interface Fa0/1 AuditSessionID 0A8E310900000001001001C4

What do you guys think about this "parse unknown cisco vsa "profile-name" - IGNORE"? Is it somehow important that this is not recognized?

Thanks,

WM

Hello,

To sum up the thread:

I've tried exactly the same config on a WS-C2960-24PC-L with the following results:

- with c2960-lanbasek9-mz.122-52.SE.bin, 2960 chokes on radius response for MAB auth:

Jul  4 13:00:20.061: RADIUS(0000006B): Started 5 sec timeout
Jul  4 13:00:20.111: RADIUS: Received from id 1645/5 10.42.0.25:1812, Access-Accept, len 303
Jul  4 13:00:20.111: RADIUS:  authenticator 98 E1 D5 17 E7 FA 0C 96 - E3 95 6B C1 97 C1 2D E6
Jul  4 13:00:20.111: RADIUS:  User-Name           [1]   19  "00-1E-13-B0-04-FF"
Jul  4 13:00:20.111: RADIUS:  State               [24]  40
Jul  4 13:00:20.111: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 41  [ReauthSession:0A]
Jul  4 13:00:20.111: RADIUS:   38 45 33 31 30 38 30 30 30 30 30 30 30 34 31 33  [8E31080000000413]
Jul  4 13:00:20.111: RADIUS:   42 41 42 33 45 35            [ BAB3E5]
Jul  4 13:00:20.111: RADIUS:  Class               [25]  56
Jul  4 13:00:20.111: RADIUS:   43 41 43 53 3A 30 41 38 45 33 31 30 38 30 30 30  [CACS:0A8E3108000]
Jul  4 13:00:20.119: RADIUS:   30 30 30 30 34 31 33 42 41 42 33 45 35 3A 69 73  [0000413BAB3E5:is]
Jul  4 13:00:20.119: RADIUS:   65 2D 74 65 73 74 2F 31 35 38 35 30 33 34 32 31  [e-test/158503421]
Jul  4 13:00:20.119: RADIUS:   2F 31 38 39 37 38            [ /18978]
Jul  4 13:00:20.119: RADIUS:  Termination-Action  [29]  6   1
Jul  4 13:00:20.119: RADIUS:  Message-Authenticato[80]  18
Jul  4 13:00:20.119: RADIUS:   16 2A E9 6E 5C 78 25 A5 FF E0 E0 15 07 1B E4 2A            [ *n\x?*]
Jul  4 13:00:20.119: RADIUS:  Vendor, Cisco       [26]  34
Jul  4 13:00:20.119: RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
Jul  4 13:00:20.119: RADIUS:  Vendor, Cisco       [26]  75
Jul  4 13:00:20.119: RADIUS:   Cisco AVpair       [1]   69  "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-5165e13c"
Jul  4 13:00:20.119: RADIUS:  Vendor, Cisco       [26]  35
Jul  4 13:00:20.119: RADIUS:   Cisco AVpair       [1]   29  "profile-name=Cisco-IP-Phone"
Jul  4 13:00:20.119: RADIUS(0000006B): Received from id 1645/5
Jul  4 13:00:20.119: AAA/ATTR: invalid attribute prefix: "ACS"
Jul  4 13:00:20.119: RADIUS/DECODE: convert VSA string; FAIL
Jul  4 13:00:20.119: RADIUS/DECODE: cisco VSA type 1; FAIL
Jul  4 13:00:20.119: RADIUS/DECODE: VSA; FAIL
Jul  4 13:00:20.119: RADIUS/DECODE: decoder; FAIL
Jul  4 13:00:20.119: RADIUS/DECODE: attribute Vendor-Specific; FAIL
Jul  4 13:00:20.119: RADIUS/DECODE: parse response op decode; FAIL
Jul  4 13:00:20.119: RADIUS/DECODE: parse response; FAIL
Jul  4 13:00:20.119: %MAB-5-FAIL: Authentication failed for client (001e.13b0.04ff) on Interface Fa0/12 AuditSessionID 0A8E31080000000413BAB3E5

- with c2960-lanbasek9-mz.150-2.SE4.bin, everything works flawlessly, and traffic in voice vlan is allowed after passed MAB auth.

I'm not sure if the 3560 and 2960 share the IOS codebase, but I think they do (at least some part of it). And to me it looks like this is some bug or deficiency in the 12.2 train for these platforms (and this bug on the 4500 series: https://tools.cisco.com/bugsearch/bug/CSCtj56811 looks very familiar too).

Unfortunately 3560-48TS's can't be upgraded to the 15.0 release, because they have too little space on internal flash, so it looks like MAB with voice vlan and multi-domain dot1x auth will never work on 3560 models which cannot be upgraded to 15.0...

Thanks,

WM

Guess we were working on a similar error, but they had some issue with the DACL defined on ISE:

https://supportforums.cisco.com/thread/2198945

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

It works on my 2960S and 2960X switches with

...
  authentication host-mode multi-domain
...

multi-host is for more than one device in the same vlan on one port.

Tarik Admani
VIP Alumni

Can you send the show run | inc aaa from your switch?


Sent from Cisco Technical Support Android App

Hi, sure, I've removed the lines related to tacacs+ login/enable authentication and accounting.

Rest is below:

switch#sh run | include aaa
aaa new-model
aaa authentication dot1x default group radius
aaa session-id common

Thanks,

WM

I think you are missing

aaa authorization network default group <radius server group>

command that should tell the switch to apply policies sent by the radius server

Regards

M
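An added example, not code from this thread or from Cisco: a small Python audit that parses a running-config in the shape posted above and flags ports doing MAB/802.1X while the global AAA section lacks the aaa authorization network line Marco points to. The sample config is constructed from the port config and the "sh run | include aaa" output in this thread; parse_interfaces and audit_aaa are names chosen here.

```python
import re

# Constructed sample, assembled from the port config and the
# 'sh run | include aaa' output posted in this thread: the global AAA
# section has no 'aaa authorization network' line.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa session-id common
!
interface FastEthernet0/31
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
!
"""

AUTHZ_RE = re.compile(r"^aaa authorization network \S+ group \S+", re.M)


def parse_interfaces(config):
    """Map each 'interface X' block to the list of its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or any other global line ends the block
    return blocks


def audit_aaa(config):
    """One finding per port that authenticates clients (MAB or 802.1X) while
    no network authorization method list exists; [] means nothing found."""
    findings = []
    has_authz = AUTHZ_RE.search(config) is not None
    for name, cmds in parse_interfaces(config).items():
        authenticates = ("authentication port-control auto" in cmds
                         and ("mab" in cmds or "dot1x pae authenticator" in cmds))
        has_voice = any(c.startswith("switchport voice vlan") for c in cmds)
        if authenticates and not has_authz:
            why = ("a phone in the voice VLAN is dropped because "
                   "device-traffic-class=voice is never applied"
                   if has_voice else "RADIUS authorization attributes are never applied")
            findings.append(f"{name}: no 'aaa authorization network' line; {why}")
    return findings
```

Run audit_aaa over the output of "show running-config" from each switch; a port that shows up here will pass MAB yet leave the phone's voice-VLAN entry as Drop in the MAC table, exactly as in the first post.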


@marco.merlo wrote:

I think you are missing

aaa authorization network default group <radius server group>

command that should tell the switch to apply policies sent by the radius server

Regards

M

Your recommendation helped me out, thanks a lot.
