07-02-2013 08:38 AM - edited 03-10-2019 08:36 PM
Hello,
I'm trying to configure MAB auth for a Cisco 7961 IP phone on a Catalyst 3560 (WS-C3560-48PS, c3560-ipservicesk9-mz.122-55.SE1.bin).
Port config is as follows:
interface FastEthernet0/31
switchport access vlan 10
switchport mode access
switchport voice vlan 20
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 5
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
authentication event fail action next-method
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
authentication timer restart 30
authentication timer reauthenticate 1200
authentication timer inactivity server
authentication violation protect
mab
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
dot1x pae authenticator
dot1x timeout tx-period 31
storm-control broadcast level 2.00
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 15
end
The client PC should authenticate using dot1x (this works OK). The phone is not working at all, regardless of the passed MAB auth (the ISE RADIUS server authorizes the phone without problems).
"debug auth all" log captured after doing "shut / no shut" on the port:
Jul 2 17:26:54.538: %ILPOWER-5-POWER_GRANTED: Interface Fa0/31: Power granted
Jul 2 17:26:55.067: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/31, changed state to down
Jul 2 17:26:55.092: %SYS-5-CONFIG_I: Configured from console by 123875 on vty0 (10.150.60.18)
Jul 2 17:26:56.267: %LINK-3-UPDOWN: Interface FastEthernet0/31, changed state to down
Jul 2 17:26:56.535: %SWITCH_QOS_TB-5-TRUST_DEVICE_LOST: cisco-phone no longer detected on port Fa0/31, operational port trust state is now untrusted.
Jul 2 17:26:56.795: AUTH-EVENT: auth_mgr_idc_add_record: Recv audit_sid=0A963F200000003259671276
Jul 2 17:26:58.859: %LINK-3-UPDOWN: Interface FastEthernet0/31, changed state to up
Jul 2 17:26:59.958: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/31, changed state to up
wroc1p31#
Jul 2 17:27:37.371: AUTH-EVENT: auth_mgr_idc_insert_key_in_record: update mac 001d.4543.8b2f
Jul 2 17:27:37.371: %AUTHMGR-5-START: Starting 'mab' for client (001d.4543.8b2f) on Interface Fa0/31 AuditSessionID 0A963F200000003259671276
Jul 2 17:27:37.413: %MAB-5-SUCCESS: Authentication successful for client (001d.4543.8b2f) on Interface Fa0/31 AuditSessionID 0A963F200000003259671276
Jul 2 17:27:37.413: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (001d.4543.8b2f) on Interface Fa0/31 AuditSessionID 0A963F200000003259671276
Jul 2 17:27:37.413: AUTH-EVENT: Enter auth_mgr_idc_modify_keys
Jul 2 17:27:37.422: AUTH-EVENT: Started Auth Manager tick timer
Jul 2 17:27:38.454: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001d.4543.8b2f) on Interface Fa0/31 AuditSessionID 0A963F200000003259671276
Jul 2 17:27:38.454: AUTH-EVENT: Started Auth Manager tick timer
Jul 2 17:27:47.270: AUTH-EVENT: auth_mgr_idc_add_record: Recv mac 0015.c5cf.44fb
Jul 2 17:27:47.270: AUTH-EVENT: auth_mgr_idc_add_record: Recv audit_sid=0A963F20000000335967D7A1
Jul 2 17:27:47.270: %AUTHMGR-5-START: Starting 'mab' for client (0015.c5cf.44fb) on Interface Fa0/31 AuditSessionID 0A963F20000000335967D7A1
Jul 2 17:27:47.295: %MAB-5-FAIL: Authentication failed for client (0015.c5cf.44fb) on Interface Fa0/31 AuditSessionID 0A963F20000000335967D7A1
Jul 2 17:27:47.295: AUTH-EVENT: Enter auth_mgr_idc_modify_keys
Jul 2 17:27:47.295: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0015.c5cf.44fb) on Interface Fa0/31 AuditSessionID 0A963F20000000335967D7A1
Jul 2 17:27:47.304: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0015.c5cf.44fb) on Interface Fa0/31 AuditSessionID 0A963F20000000335967D7A1
Jul 2 17:27:47.304: %AUTHMGR-5-START: Starting 'dot1x' for client (0015.c5cf.44fb) on Interface Fa0/31 AuditSessionID 0A963F20000000335967D7A1
Jul 2 17:27:53.788: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Fa0/31, port's configured trust state is now operational.
Jul 2 17:27:53.813: AUTH-EVENT: Enter auth_mgr_idc_modify_keys
Jul 2 17:27:54.132: %DOT1X-5-SUCCESS: Authentication successful for client (0015.c5cf.44fb) on Interface Fa0/31 AuditSessionID
Jul 2 17:27:54.132: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0015.c5cf.44fb) on Interface Fa0/31 AuditSessionID 0A963F20000000335967D7A1
Jul 2 17:27:54.132: AUTH-EVENT: Enter auth_mgr_idc_modify_keys
Jul 2 17:27:54.786: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Fa0/31, port's configured trust state is now operational.
Jul 2 17:27:54.929: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.c5cf.44fb) on Interface Fa0/31 AuditSessionID 0A963F20000000335967D7A1
Problem is visible here:
switch#sh mac address-table int fa0/31
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
10 0015.c5cf.44fb STATIC Fa0/31
10 001d.4543.8b2f STATIC Fa0/31
20 001d.4543.8b2f DYNAMIC Drop
The phone's traffic in the voice VLAN is dropped... is there something wrong with my port config, or is it a bug?
Thanks,
WM
07-02-2013 08:56 AM
Hi,
Are you using ISE or ACS? Can you see if the AV pair device-traffic-class=voice is being sent? You can verify this if you have debug radius authentication enabled.
Sent from Cisco Technical Support Android App
07-02-2013 09:04 AM
I agree with Tarik, ISE should be configured to send the device-traffic-class=voice VSA for phones. This way, known phones will be correctly identified and assigned to the voice domain.
~BR
Jatin Katyal
**Do rate helpful posts**
07-02-2013 09:22 AM
Hi, I'm using ISE 1.1.3.
I've enabled "debug radius auth", "debug aaa auth" and "debug authentication all" on the switch, and unfortunately nothing from the radius/aaa debugs appears during the port authentication process! It's strange, because I know what these debugs normally look like...
switch#show debugging
General OS:
AAA Authentication debugging is on
Radius protocol debugging is on
Radius packet protocol (authentication) debugging is on
Auth Manager:
Auth Manager errors debugging is on
Auth Manager events debugging is on
Auth Manager sync debugging is on
Condition 1: interface Fa0/26 (1 flags triggered)
Flags: Fa0/26
Regardless of this, I've looked at the authorization event log in ISE, and it seems that device-traffic-class=voice is passed to the switch:
UserName=00:1D:45:43:8B:2F
User-Name=00-1D-45-43-8B-2F
State=ReauthSession:0A963F200000003A598D944A
Class=CACS:0A963F200000003A598D944A:ise-test/158503421/15401
Termination-Action=RADIUS-Request
cisco-av-pair=device-traffic-class=voice
cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-5165e13c
cisco-av-pair=profile-name=Cisco-IP-Phone
Thanks,
WM
07-02-2013 09:28 AM
Can you check the VLAN configuration and see if vlan20 is configured.
Show vlan brief should show this.
As far as the debugs please only turn on the radius debugs and see if your luck changes.
Sent from Cisco Technical Support Android App
07-02-2013 09:41 AM
Hi, yes, the VLAN is configured correctly for sure, as there are other phones on this switch which are working OK. If I change the auth mode to "authentication host-mode single-host" (voice VLAN auth bypass), this phone also starts to work.
Turning on "debug radius authentication" exclusively hasn't changed anything - still no logs from this debug...
Thanks,
WM
07-02-2013 10:39 AM
Did you try MDA for testing purpose? Are you facing the same issue with that as well?
You need to run:
debug radius
debug aaa authentication
debug aaa authorization
~BR
Jatin Katyal
**Do rate helpful posts**
07-03-2013 04:47 AM
Hello, yes, I've tried multi-domain also - same effect. I've even tried this on a second switch, upgraded to the newest c3560-ipbasek9-mz.122-55.SE8.bin. Traffic in the voice VLAN is still dropped...
But on this second switch I had more luck with the aaa debug:
Switch#
*Mar 1 00:17:26.747: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
*Mar 1 00:17:27.753: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
Switch#
*Mar 1 00:17:27.820: %SYS-5-CONFIG_I: Configured from console by vty0 (10.150.60.18)
*Mar 1 00:17:29.028: AAA/BIND(00000006): Bind i/f
Switch#
Switch#
Switch#
*Mar 1 00:17:29.322: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 00:17:30.018: %AUTHMGR-5-START: Starting 'mab' for client (001d.a2b7.85d2) on Interface Fa0/1 AuditSessionID 0A8E310900000001001001C4
*Mar 1 00:17:30.018: AAA/AUTHEN/8021X (00000006): Pick method list 'default'
*Mar 1 00:17:30.018: RADIUS/ENCODE(00000006):Orig. component type = DOT1X
*Mar 1 00:17:30.018: RADIUS(00000006): Config NAS IP: 0.0.0.0
*Mar 1 00:17:30.018: RADIUS/ENCODE(00000006): acct_session_id: 6
*Mar 1 00:17:30.018: RADIUS(00000006): sending
*Mar 1 00:17:30.018: RADIUS/ENCODE: Best Local IP-Address 10.142.49.9 for Radius-Server 10.42.0.25
*Mar 1 00:17:30.018: RADIUS(00000006): Send Access-Request to 10.42.0.25:1812 id 1645/5, len 206
*Mar 1 00:17:30.018: RADIUS: authenticator 4B 87 DF 97 18 1D CE CD - 57 85 AB D5 C2 79 9B 6E
*Mar 1 00:17:30.018: RADIUS: User-Name [1] 14 "001da2b785d2"
*Mar 1 00:17:30.018: RADIUS: User-Password [2] 18 *
*Mar 1 00:17:30.018: RADIUS: Service-Type [6] 6 Call Check [10]
*Mar 1 00:17:30.018: RADIUS: Framed-MTU [12] 6 1500
*Mar 1 00:17:30.018: RADIUS: Called-Station-Id [30] 19 "00-19-06-C2-7D-03"
*Mar 1 00:17:30.018: RADIUS: Calling-Station-Id [31] 19 "00-1D-A2-B7-85-D2"
*Mar 1 00:17:30.018: RADIUS: Message-Authenticato[80] 18
*Mar 1 00:17:30.018: RADIUS: DF 27 2E BC AD AE B2 33 C0 81 2D FD 34 87 55 99 [ '.3-4U]
*Mar 1 00:17:30.018: RADIUS: EAP-Key-Name [102] 2 *
*Mar 1 00:17:30.018: RADIUS: Vendor, Cisco [26] 49
*Mar 1 00:17:30.018: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A8E310900000001001001C4"
*Mar 1 00:17:30.018: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Mar 1 00:17:30.018: RADIUS: NAS-Port [5] 6 50001
*Mar 1 00:17:30.018: RADIUS: NAS-Port-Id [87] 17 "FastEthernet0/1"
*Mar 1 00:17:30.018: RADIUS: NAS-IP-Address [4] 6 10.142.49.9
*Mar 1 00:17:30.027: RADIUS(00000006): Started 5 sec timeout
*Mar 1 00:17:30.069: RADIUS: Received from id 1645/5 10.42.0.25:1812, Access-Accept, len 303
*Mar 1 00:17:30.069: RADIUS: authenticator F5 84 EB 7B 9E 96 0B 6B - 34 7F 74 D1 9E 28 0D CA
*Mar 1 00:17:30.069: RADIUS: User-Name [1] 19 "00-1D-A2-B7-85-D2"
*Mar 1 00:17:30.069: RADIUS: State [24] 40
*Mar 1 00:17:30.069: RADIUS: 52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 41 [ReauthSession:0A]
*Mar 1 00:17:30.069: RADIUS: 38 45 33 31 30 39 30 30 30 30 30 30 30 31 30 30 [8E31090000000100]
*Mar 1 00:17:30.069: RADIUS: 31 30 30 31 43 34 [ 1001C4]
*Mar 1 00:17:30.069: RADIUS: Class [25] 56
*Mar 1 00:17:30.069: RADIUS: 43 41 43 53 3A 30 41 38 45 33 31 30 39 30 30 30 [CACS:0A8E3109000]
*Mar 1 00:17:30.069: RADIUS: 30 30 30 30 31 30 30 31 30 30 31 43 34 3A 69 73 [00001001001C4:is]
*Mar 1 00:17:30.077: RADIUS: 65 2D 74 65 73 74 2F 31 35 38 35 30 33 34 32 31 [e-test/158503421]
*Mar 1 00:17:30.077: RADIUS: 2F 31 36 37 36 32 [ /16762]
*Mar 1 00:17:30.077: RADIUS: Termination-Action [29] 6 1
*Mar 1 00:17:30.077: RADIUS: Message-Authenticato[80] 18
*Mar 1 00:17:30.077: RADIUS: F7 30 96 86 CF AB 44 5A 99 E1 C5 F1 94 6F 37 99 [ 0DZo7]
*Mar 1 00:17:30.077: RADIUS: Vendor, Cisco [26] 34
*Mar 1 00:17:30.077: RADIUS: Cisco AVpair [1] 28 "device-traffic-class=voice"
*Mar 1 00:17:30.077: RADIUS: Vendor, Cisco [26] 75
*Mar 1 00:17:30.077: RADIUS: Cisco AVpair [1] 69 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-5165e13c"
*Mar 1 00:17:30.077: RADIUS: Vendor, Cisco [26] 35
*Mar 1 00:17:30.077: RADIUS: Cisco AVpair [1] 29 "profile-name=Cisco-IP-Phone"
*Mar 1 00:17:30.077: RADIUS(00000006): Received from id 1645/5
*Mar 1 00:17:30.077: AAA/ATTR: invalid attribute prefix: "ACS"
*Mar 1 00:17:30.077: RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE
*Mar 1 00:17:30.077: AAA/AUTHOR (00000006): Method list id=0 not configured. Skip author
*Mar 1 00:17:30.077: %MAB-5-SUCCESS: Authentication successful for client (001d.a2b7.85d2) on Interface Fa0/1 AuditSessionID 0A8E310900000001001001C4
*Mar 1 00:17:30.077: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (001d.a2b7.85d2) on Interface Fa0/1 AuditSessionID 0A8E310900000001001001C4
*Mar 1 00:17:30.329: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
*Mar 1 00:17:31.109: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001d.a2b7.85d2) on Interface Fa0/1 AuditSessionID 0A8E310900000001001001C4
What do you guys think about this "parse unknown cisco vsa "profile-name" - IGNORE"? Is it somehow important that this is not recognized?
Thanks,
WM
07-04-2013 05:39 AM
Hello,
To sum up the thread:
I've tried exactly the same config on a WS-C2960-24PC-L with the following results:
- with c2960-lanbasek9-mz.122-52.SE.bin, the 2960 chokes on the radius response for MAB auth:
Jul 4 13:00:20.061: RADIUS(0000006B): Started 5 sec timeout
Jul 4 13:00:20.111: RADIUS: Received from id 1645/5 10.42.0.25:1812, Access-Accept, len 303
Jul 4 13:00:20.111: RADIUS: authenticator 98 E1 D5 17 E7 FA 0C 96 - E3 95 6B C1 97 C1 2D E6
Jul 4 13:00:20.111: RADIUS: User-Name [1] 19 "00-1E-13-B0-04-FF"
Jul 4 13:00:20.111: RADIUS: State [24] 40
Jul 4 13:00:20.111: RADIUS: 52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 41 [ReauthSession:0A]
Jul 4 13:00:20.111: RADIUS: 38 45 33 31 30 38 30 30 30 30 30 30 30 34 31 33 [8E31080000000413]
Jul 4 13:00:20.111: RADIUS: 42 41 42 33 45 35 [ BAB3E5]
Jul 4 13:00:20.111: RADIUS: Class [25] 56
Jul 4 13:00:20.111: RADIUS: 43 41 43 53 3A 30 41 38 45 33 31 30 38 30 30 30 [CACS:0A8E3108000]
Jul 4 13:00:20.119: RADIUS: 30 30 30 30 34 31 33 42 41 42 33 45 35 3A 69 73 [0000413BAB3E5:is]
Jul 4 13:00:20.119: RADIUS: 65 2D 74 65 73 74 2F 31 35 38 35 30 33 34 32 31 [e-test/158503421]
Jul 4 13:00:20.119: RADIUS: 2F 31 38 39 37 38 [ /18978]
Jul 4 13:00:20.119: RADIUS: Termination-Action [29] 6 1
Jul 4 13:00:20.119: RADIUS: Message-Authenticato[80] 18
Jul 4 13:00:20.119: RADIUS: 16 2A E9 6E 5C 78 25 A5 FF E0 E0 15 07 1B E4 2A [ *n\x?*]
Jul 4 13:00:20.119: RADIUS: Vendor, Cisco [26] 34
Jul 4 13:00:20.119: RADIUS: Cisco AVpair [1] 28 "device-traffic-class=voice"
Jul 4 13:00:20.119: RADIUS: Vendor, Cisco [26] 75
Jul 4 13:00:20.119: RADIUS: Cisco AVpair [1] 69 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-5165e13c"
Jul 4 13:00:20.119: RADIUS: Vendor, Cisco [26] 35
Jul 4 13:00:20.119: RADIUS: Cisco AVpair [1] 29 "profile-name=Cisco-IP-Phone"
Jul 4 13:00:20.119: RADIUS(0000006B): Received from id 1645/5
Jul 4 13:00:20.119: AAA/ATTR: invalid attribute prefix: "ACS"
Jul 4 13:00:20.119: RADIUS/DECODE: convert VSA string; FAIL
Jul 4 13:00:20.119: RADIUS/DECODE: cisco VSA type 1; FAIL
Jul 4 13:00:20.119: RADIUS/DECODE: VSA; FAIL
Jul 4 13:00:20.119: RADIUS/DECODE: decoder; FAIL
Jul 4 13:00:20.119: RADIUS/DECODE: attribute Vendor-Specific; FAIL
Jul 4 13:00:20.119: RADIUS/DECODE: parse response op decode; FAIL
Jul 4 13:00:20.119: RADIUS/DECODE: parse response; FAIL
Jul 4 13:00:20.119: %MAB-5-FAIL: Authentication failed for client (001e.13b0.04ff) on Interface Fa0/12 AuditSessionID 0A8E31080000000413BAB3E5
- with c2960-lanbasek9-mz.150-2.SE4.bin, everything works flawlessly, and traffic in the voice VLAN is allowed after passed MAB auth.
I'm not sure if the 3560 and 2960 share an IOS codebase, but I think they do (at least some part of it). And to me it looks like this is some bug or deficiency in the 12.2 train for these platforms (and this bug on the 4500 series: https://tools.cisco.com/bugsearch/bug/CSCtj56811 looks very familiar too).
Unfortunately the 3560-48TSs can't be upgraded to the 15.0 release, because they have too little space on the internal flash, so it looks like MAB with voice VLAN and multi-domain dot1x auth will never work on 3560 models which cannot be upgraded to 15.0...
Thanks,
WM
07-05-2013 08:31 AM
Guess we were working on a similar error, but they had some issue with the DACL defined on ISE:
https://supportforums.cisco.com/thread/2198945
~BR
Jatin Katyal
**Do rate helpful posts**
01-31-2018 04:02 AM
It works on my 2960S and 2960X switches with
...
authentication host-mode multi-domain
...
multi-host is for more than one device in the same vlan on one port.
07-04-2013 07:44 AM
Can you send the show run | inc aaa from your switch.
Sent from Cisco Technical Support Android App
07-05-2013 08:21 AM
Hi, sure, I've removed the lines related to tacacs+ login/enable authentication and accounting.
Rest is below:
switch#sh run | include aaa
aaa new-model
aaa authentication dot1x default group radius
aaa session-id common
Thanks,
WM
01-31-2018 01:35 PM
I think you are missing
aaa authorization network default group <radius server group>
command that should tell the switch to apply policies sent by the radius server
Regards
M
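As an added example (not code from this thread or from Cisco), a small Python checker that reads the "debug radius" Access-Accept lines and the "sh run | include aaa" output posted above and reports why the phone would not land in the voice domain. The sample input is constructed from this thread's own output, and the configuration check looks for the "aaa authorization network default group ..." line Marco names.

```python
import re

# Sample input (constructed from the debug output and "sh run | include aaa"
# posted earlier in this thread): the Access-Accept for the phone's MAB
# session and the switch's AAA configuration, which lacks network authorization.
DEBUG_RADIUS = """\
*Mar 1 00:17:30.069: RADIUS: Received from id 1645/5 10.42.0.25:1812, Access-Accept, len 303
*Mar 1 00:17:30.077: RADIUS: Cisco AVpair [1] 28 "device-traffic-class=voice"
*Mar 1 00:17:30.077: RADIUS: Cisco AVpair [1] 69 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-5165e13c"
*Mar 1 00:17:30.077: RADIUS: Cisco AVpair [1] 29 "profile-name=Cisco-IP-Phone"
*Mar 1 00:17:30.077: AAA/AUTHOR (00000006): Method list id=0 not configured. Skip author
"""
AAA_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa session-id common
"""

# "Cisco AVpair [1] <len> "<name>=<value>"" as printed by debug radius.
AVPAIR_RE = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"([^=]+)=(.*)"')
# The command that makes the switch apply RADIUS-returned policies (VSAs).
AUTHOR_RE = re.compile(r"^aaa authorization network default group \S+")

def parse_avpairs(debug_text):
    """Map each Cisco AVpair in the Access-Accept to its value."""
    pairs = {}
    for line in debug_text.splitlines():
        m = AVPAIR_RE.search(line)
        if m:
            pairs[m.group(1)] = m.group(2)
    return pairs

def has_network_authorization(aaa_config):
    """True if 'aaa authorization network default group ...' is configured."""
    return any(AUTHOR_RE.match(l.strip()) for l in aaa_config.splitlines())

def check_voice_authorization(debug_text, aaa_config):
    """Return the reasons the phone would not be placed in the voice domain.

    An empty list means ISE sent the voice VSA and the switch is configured
    to honour it (the 'Skip author' debug line would then not appear either).
    """
    findings = []
    pairs = parse_avpairs(debug_text)
    if pairs.get("device-traffic-class") != "voice":
        findings.append("no device-traffic-class=voice in Access-Accept")
    if not has_network_authorization(aaa_config):
        findings.append("aaa authorization network default group radius missing")
    if "Skip author" in debug_text:
        findings.append("switch skipped authorization (AAA/AUTHOR 'Skip author')")
    return findings

if __name__ == "__main__":
    for finding in check_voice_authorization(DEBUG_RADIUS, AAA_CONFIG):
        print("FINDING:", finding)
```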
08-20-2018 11:14 AM
@marco.merlo wrote:
I think you are missing
aaa authorization network default group <radius server group>
command that should tell the switch to apply policies sent by the radius server
Regards
M
Your recommendation helped me out, thanks a lot.