802.1X - IP Phone fails with MAB in MDA - Phone mac in data VLAN as well

pthiel, Level 1

Hello,

I'm facing a problem where the IP phone MAC address causes a security violation in the data VLAN when using 802.1X and MAB with multi-domain authentication on a switchport.

Below are the "logs" about what's going on.

Desktop PC:

002191: Jul 18 10:23:49: %AUTHMGR-5-START: Starting 'dot1x' for client (0025.b3cc.03df) on Interface Fa0/3 AuditSessionID 00000000000000025AD497E1

Phone:

002192: Jul 18 10:23:53: %AUTHMGR-5-START: Starting 'dot1x' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC

Desktop PC success:

002193: Jul 18 10:24:07: %DOT1X-5-SUCCESS: Authentication successful for client (0025.b3cc.03df) on Interface Fa0/3 AuditSessionID

002194: Jul 18 10:24:07: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0025.b3cc.03df) on Interface Fa0/3 AuditSessionID 00000000000000025AD497E1

002195: Jul 18 10:24:08: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0025.b3cc.03df) on Interface Fa0/3 AuditSessionID 00000000000000025AD497E1

Phone - works with fallback to MAB:

002192: Jul 18 10:23:53: %AUTHMGR-5-START: Starting 'dot1x' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC

002196: Jul 18 10:24:08: %DOT1X-5-FAIL: Authentication failed for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID

002197: Jul 18 10:24:08: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC

002198: Jul 18 10:24:08: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC

002199: Jul 18 10:24:08: %AUTHMGR-5-START: Starting 'mab' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC

002200: Jul 18 10:24:08: %MAB-5-SUCCESS: Authentication successful for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC

002201: Jul 18 10:24:08: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC

But the phone causes a security violation and the port goes into the error-disable state, because its MAC address is seen on VLAN 1 as well:

002202: Jul 18 10:24:08: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/3, new MAC address (0024.c4fe.afe5) is seen.AuditSessionID  00000000000000035AD4A9AC

002203: Jul 18 10:24:08: %PM-4-ERR_DISABLE_VP: security-violation error detected on Fa0/3, vlan 1.  Putting in err-disable stat

With no 802.1X configuration, three MAC addresses are seen on the port.

Example:

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0025.b3cc.0380    DYNAMIC     Fa0/12
   1    aca0.166e.f2ff    DYNAMIC     Fa0/12
 140    aca0.166e.f2ff    DYNAMIC     Fa0/12
Total Mac Addresses for this criterion: 3

The strange thing is: we have working locations with this setup, and at the working locations only two MAC addresses are seen (with MAC type "static", after 802.1X authentication).

I haven't found a satisfying answer as to how the phone MAC comes to be seen in the data VLAN as well.

And I have the strong feeling that this causes the trouble I'm having.

Maybe someone can brighten my day and write some clarification, or has a solution for how to solve this issue.

TIA

kind regards

Peter

PS:

Authentication against IAS

Phone load:

Anw.-Software-ID  jar42sccp.9-1-1TH1-16.sbn
Boot-Software-ID  tnp62.8-3-1-21a.bin
Version           SCCP42.9-1-1SR1S

Interface Configuration:

interface FastEthernet0/3
 switchport mode access
 switchport voice vlan 140
 authentication control-direction in
 authentication event fail action authorize vlan 150
 authentication event no-response action authorize vlan 150
 authentication host-mode multi-domain
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 2
 dot1x timeout tx-period 5
 spanning-tree portfast

Other Configuration Parameters:

aaa group server radius 8021x
 server-private x.x.x.x auth-port 1812 acct-port 1813 key xyz
 server-private x.x.x.x auth-port 1812 acct-port 1813 key xyz
!
aaa authentication dot1x default group 8021x
aaa authorization network default group 8021x
!
dot1x system-auth-control
dot1x guest-vlan supplicant
!
errdisable detect cause security-violation shutdown vlan
!
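To make the log sequence and the MAC table in the post easier to read, here is an added Python example (not code from the original post, and not a Cisco tool). It parses the AUTHMGR/DOT1X/MAB syslog lines into a per-MAC view (which methods were tried, which one produced the final result, whether a SECURITY_VIOLATION was logged for that MAC) and scans the "show mac address-table" excerpt for any MAC learned in more than one VLAN on the same port. The regular expressions assume the IOS message formats visible in the post; the sample input is the post's own lines, embedded here so the script runs offline.

```python
"""Correlate Cisco IOS 802.1X/MAB syslog lines with a MAC-table excerpt.

Added example, not from the forum post. The log lines and table rows are
copied from the post; the parsing helpers are constructed for illustration
and assume the message layouts shown there.
"""
import re
from collections import defaultdict

# Log lines from the post (the phone's START line is listed once).
LOG_LINES = [
    "002191: Jul 18 10:23:49: %AUTHMGR-5-START: Starting 'dot1x' for client (0025.b3cc.03df) on Interface Fa0/3 AuditSessionID 00000000000000025AD497E1",
    "002192: Jul 18 10:23:53: %AUTHMGR-5-START: Starting 'dot1x' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC",
    "002193: Jul 18 10:24:07: %DOT1X-5-SUCCESS: Authentication successful for client (0025.b3cc.03df) on Interface Fa0/3 AuditSessionID",
    "002194: Jul 18 10:24:07: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0025.b3cc.03df) on Interface Fa0/3 AuditSessionID 00000000000000025AD497E1",
    "002195: Jul 18 10:24:08: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0025.b3cc.03df) on Interface Fa0/3 AuditSessionID 00000000000000025AD497E1",
    "002196: Jul 18 10:24:08: %DOT1X-5-FAIL: Authentication failed for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID",
    "002197: Jul 18 10:24:08: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC",
    "002198: Jul 18 10:24:08: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC",
    "002199: Jul 18 10:24:08: %AUTHMGR-5-START: Starting 'mab' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC",
    "002200: Jul 18 10:24:08: %MAB-5-SUCCESS: Authentication successful for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC",
    "002201: Jul 18 10:24:08: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0024.c4fe.afe5) on Interface Fa0/3 AuditSessionID 00000000000000035AD4A9AC",
    "002202: Jul 18 10:24:08: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/3, new MAC address (0024.c4fe.afe5) is seen.AuditSessionID  00000000000000035AD4A9AC",
    "002203: Jul 18 10:24:08: %PM-4-ERR_DISABLE_VP: security-violation error detected on Fa0/3, vlan 1.  Putting in err-disable stat",
]

# MAC-table excerpt from the post (no 802.1X configured on that port).
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0025.b3cc.0380    DYNAMIC     Fa0/12
   1    aca0.166e.f2ff    DYNAMIC     Fa0/12
 140    aca0.166e.f2ff    DYNAMIC     Fa0/12
Total Mac Addresses for this criterion: 3
"""

# Pieces of an IOS auth-manager line, each extracted independently because
# the MAC and session id sit in different places depending on the message.
MNEMONIC_RE = re.compile(r"%([A-Z0-9]+-\d-[A-Z_]+):")
MAC_RE = re.compile(r"\(([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)")
SESSION_RE = re.compile(r"AuditSessionID\s+([0-9A-F]+)")
METHOD_RE = re.compile(r"'(dot1x|mab)'")
RESULT_RE = re.compile(r"result '([a-z-]+)'")
# One data row of "show mac address-table": vlan, mac, type, port.
MAC_ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$")


def parse_line(line):
    """Return the fields of one syslog line, or None if it is not an IOS message."""
    m = MNEMONIC_RE.search(line)
    if not m:
        return None
    mac, sess = MAC_RE.search(line), SESSION_RE.search(line)
    meth, res = METHOD_RE.search(line), RESULT_RE.search(line)
    return {
        "mnemonic": m.group(1),
        "mac": mac.group(1) if mac else None,
        "session": sess.group(1) if sess else None,
        "method": meth.group(1) if meth else None,
        "result": res.group(1) if res else None,
    }


def summarize_sessions(lines):
    """Group events by client MAC: methods started, final (method, result), violation flag."""
    by_mac = defaultdict(lambda: {"session": None, "methods": [],
                                  "final": None, "violation": False})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["mac"] is None:
            continue  # e.g. PM-4-ERR_DISABLE_VP carries no client MAC
        entry = by_mac[ev["mac"]]
        if entry["session"] is None and ev["session"]:
            entry["session"] = ev["session"]
        if ev["mnemonic"] == "AUTHMGR-5-START" and ev["method"]:
            entry["methods"].append(ev["method"])
        elif ev["mnemonic"] == "AUTHMGR-7-RESULT" and ev["result"]:
            entry["final"] = (ev["method"], ev["result"])
        elif ev["mnemonic"] == "AUTHMGR-5-SECURITY_VIOLATION":
            entry["violation"] = True
    return dict(by_mac)


def macs_in_multiple_vlans(table_text):
    """Map (port, mac) -> sorted VLAN list for MACs learned in more than one VLAN on a port."""
    seen = defaultdict(set)
    for row in table_text.splitlines():
        m = MAC_ROW_RE.match(row)
        if m:
            vlan, mac, _type, port = m.groups()
            seen[(port, mac)].add(int(vlan))
    return {key: sorted(vlans) for key, vlans in seen.items() if len(vlans) > 1}


def report(lines=LOG_LINES, table=MAC_TABLE):
    """Human-readable lines: one per client MAC, then one per multi-VLAN MAC."""
    out = []
    for mac, e in summarize_sessions(lines).items():
        out.append(f"{mac}: tried {e['methods']}, final {e['final']}, "
                   f"violation={e['violation']}, session {e['session']}")
    for (port, mac), vlans in macs_in_multiple_vlans(table).items():
        out.append(f"{mac} learned on {port} in VLANs {vlans}")
    return out


if __name__ == "__main__":
    print("\n".join(report()))
```

Running the script shows the desktop MAC finishing with ('dot1x', 'success') and no violation, while the phone MAC fails over from dot1x to mab, gets ('mab', 'success') and then trips the SECURITY_VIOLATION, which matches the author's observation that the same phone MAC is also present in the data VLAN (the multi-VLAN check reports aca0.166e.f2ff on Fa0/12 in VLANs 1 and 140 for the table excerpt). Feeding a switch's own syslog export and MAC-table output into these two functions gives the same per-MAC view for other ports.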