802.1x and 7960's

Kiley Arena · ‎08-13-2014

Hello there,

I am having an issue with 7960/7940 phones and their connected pcs authenticating with 802.1x. I read a post that an individual had in 2009 but it doesn't quite describe the situation I'm having and cannot figure out. I know that the 7940 and 7960 phones have to be at version 8.1(1) in order to work with 802.1x; our phones are running at version 8.1(SR2) so, according to Cisco, they should work. The problem I'm having is that the port on the switch gets thrown into an err disabled state. Once I bounce the port, the phone will authenticate but the associated pc will not, even though both the phone and the pc are configured correctly in the NPS server and in AD. If I force the pc to authenticate to the user vlan, the pc will authenticate but the phone will not. Each device will authenticate independently if they are separated on the network.

The only way I can avoid this situation is if I put on the switch the following band-aid: errdisable recovery cause security-violation or I remove 802.x completely. I tried putting the errdisable recovery command on a bunch of switches and that caused the trunk ports and the ports that wanted to go into errdisable mode to start flapping and almost brought down the network soooo, I took it off.

The switches we use are 3750Gs or 3750V2s running ipservicesk9 images. I'm attaching the configurations we use.

I appreciate any insight into this maddening problem that just won't go away.

I should also note that it is not ALL of our 7940/7960 phones that do this.

Thanks,

Kiley

interface FastEthernetx/x/x
switchport access vlan 666
switchport mode access
switchport voice vlan 667
authentication event fail retry 1 action authorize vlan 666
authentication event server dead action authorize vlan 666
authentication event no-response action authorize vlan 666
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
mab
dot1x pae authenticator
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
end

show mac address-table int fax/x/x
Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
xx    xxxx.xxxx.e9f1    STATIC      Fax/x/x --> phone
666    xxxx.xxxx.2681    DYNAMIC     Drop --> pc

Leo Laohoo · ‎08-13-2014

What is the IOS version you are running? Post the output to the command "sh authen session interface <BLAH>"?

Kiley Arena · ‎08-14-2014

Leo,

the IOS is: 15.0(2)SE2. This particular user is on a 3750V2-48PS

#sho mac address-table int fax/x/x
Mac Address Table
-------------------------------------------

Vlan      Mac Address                Type     Ports
----        ----------- -                       -------     -----
90         xxxx.xxxx.a712             STATIC x/x/x

#sh authentication sessions int x/x/x
Interface: x/x/x
MAC Address: xxxx.xxxx.0727
IP Address: Unknown
User-Name: xxxxxxxx0727
Status: Running
Domain: UNKNOWN
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0000000000000C9E982BA216
Acct Session ID: 0x00005E48
Handle: 0x84000C9F

Runnable methods list:
Method State
mab Failed over
dot1x Running

----------------------------------------
Interface: x/x/x
MAC Address: xxxx.xxxx.a712
IP Address: Unknown
User-Name: xxxxxxxxa712
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 90
Session timeout: 3600s (local), Remaining: 3571s
Timeout action: Reauthenticate
Idle timeout: N/A

Common Session ID: 0000000000000C9F982BB8FD
Acct Session ID: 0x00005E49
Handle: 0xD4000CA0

Runnable methods list:
Method State
mab Authc Success
dot1x Not run

#show mac address-table int x/x/x

Mac Address Table

-------------------------------------------

Vlan Mac Address Type Ports

---- ----------- -------- -----

90 xxxx.xxxx.a712 STATIC x/x/x – phone; should be in different vlan

90 xxxx.xxxx.0727 DYNAMIC Drop – pc; is in correct vlan

Total Mac Addresses for this criterion: 2