802.1x and 7960's

Kiley Arena
Level 1

Hello there,

 

I am having an issue with 7960/7940 phones and their connected PCs authenticating with 802.1x. I read a post that an individual had in 2009, but it doesn't quite describe the situation I'm having and cannot figure out. I know that the 7940 and 7960 phones have to be at version 8.1(1) in order to work with 802.1x; our phones are running at version 8.1(SR2) so, according to Cisco, they should work. The problem I'm having is that the port on the switch gets thrown into an errdisabled state. Once I bounce the port, the phone will authenticate but the associated PC will not, even though both the phone and the PC are configured correctly in the NPS server and in AD. If I force the PC to authenticate to the user VLAN, the PC will authenticate but the phone will not. Each device will authenticate independently if they are separated on the network.

The only way I can avoid this situation is if I put the following band-aid on the switch: errdisable recovery cause security-violation, or I remove 802.1x completely. I tried putting the errdisable recovery command on a bunch of switches and that caused the trunk ports and the ports that wanted to go into errdisable mode to start flapping and almost brought down the network, so I took it off.

The switches we use are 3750Gs or 3750V2s running ipservicesk9 images.  I'm attaching the configurations we use.

I appreciate any insight into this maddening problem that just won't go away.

I should also note that it is not ALL of our 7940/7960 phones that do this.

Thanks,

 

Kiley

 

interface FastEthernetx/x/x
 switchport access vlan 666
 switchport mode access
 switchport voice vlan 667
 authentication event fail retry 1 action authorize vlan 666
 authentication event server dead action authorize vlan 666
 authentication event no-response action authorize vlan 666
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
end

 


show mac address-table int fax/x/x
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  xx    xxxx.xxxx.e9f1    STATIC      Fax/x/x --> phone
 666    xxxx.xxxx.2681    DYNAMIC     Drop --> pc

 

2 Replies

Leo Laohoo
Hall of Fame

What is the IOS version you are running? Post the output of the command "sh authen session interface <BLAH>".

Leo,

The IOS is 15.0(2)SE2. This particular user is on a 3750V2-48PS.

 

#sho mac address-table int fax/x/x
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  90    xxxx.xxxx.a712    STATIC      x/x/x

 

#sh authentication sessions int x/x/x
Interface: x/x/x
MAC Address: xxxx.xxxx.0727
IP Address: Unknown
User-Name: xxxxxxxx0727
Status: Running
Domain: UNKNOWN
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0000000000000C9E982BA216
Acct Session ID: 0x00005E48
Handle: 0x84000C9F

Runnable methods list:
Method State
mab Failed over
dot1x Running

----------------------------------------
Interface: x/x/x
MAC Address: xxxx.xxxx.a712
IP Address: Unknown
User-Name: xxxxxxxxa712
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 90
Session timeout: 3600s (local), Remaining: 3571s
Timeout action: Reauthenticate
Idle timeout: N/A

Common Session ID: 0000000000000C9F982BB8FD
Acct Session ID: 0x00005E49
Handle: 0xD4000CA0

Runnable methods list:
Method State
mab Authc Success
dot1x Not run

#show mac address-table int x/x/x
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  90    xxxx.xxxx.a712    STATIC      x/x/x --> phone; should be in different vlan
  90    xxxx.xxxx.0727    DYNAMIC     Drop  --> pc; is in correct vlan
Total Mac Addresses for this criterion: 2
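The session output above shows the pattern behind the security violation: the MAB-authorized phone (a712) sits in the DATA domain with VLAN 90, and the second host (0727) is stuck in Running/UNKNOWN. In multi-domain host mode the switch admits one DATA host and one VOICE host per port, and a phone is placed in the VOICE domain only when the RADIUS Access-Accept carries the Cisco AV-pair device-traffic-class=voice; without it the phone takes the DATA slot and the PC behind it becomes a second DATA host. The following is an added example, not code from the thread, from Cisco or from the posters: a small Python checker (function names parse_sessions and diagnose_mda_port, and the SAMPLE_SESSIONS text, are this example's own) that parses "show authentication sessions interface" output and flags that pattern. The sample input is a condensed, constructed copy of the output Kiley posted, with the MAC addresses masked as on the page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a condensed copy of the "show authentication sessions"
# output posted in the thread (MAC addresses masked as on the page).
SAMPLE_SESSIONS = """\
Interface: x/x/x
MAC Address: xxxx.xxxx.0727
Status: Running
Domain: UNKNOWN
Oper host mode: multi-domain
Runnable methods list:
Method State
mab Failed over
dot1x Running

----------------------------------------
Interface: x/x/x
MAC Address: xxxx.xxxx.a712
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Authorized By: Authentication Server
Vlan Policy: 90
Session timeout: 3600s (local), Remaining: 3571s
Runnable methods list:
Method State
mab Authc Success
dot1x Not run
"""


@dataclass
class Session:
    mac: str
    status: str
    domain: str
    host_mode: str
    vlan: Optional[str]
    methods: Dict[str, str] = field(default_factory=dict)


def parse_sessions(text: str) -> List[Session]:
    """Parse 'show authentication sessions interface' output: sessions are
    separated by a dashed line; each is 'Key: value' lines followed by a
    'Runnable methods list' block of 'method state' lines."""
    sessions = []
    for chunk in re.split(r"^-{10,}\s*$", text, flags=re.M):
        kv: Dict[str, str] = {}
        methods: Dict[str, str] = {}
        in_methods = False
        for line in chunk.splitlines():
            line = line.strip()
            if not line:
                continue
            if line.startswith("Runnable methods list"):
                in_methods = True
            elif in_methods:
                if not line.startswith("Method "):   # skip the "Method State" header
                    name, _, state = line.partition(" ")
                    methods[name] = state
            else:
                key, sep, val = line.partition(":")
                if sep:
                    kv[key.strip()] = val.strip()
        if "MAC Address" in kv:
            sessions.append(Session(kv["MAC Address"], kv.get("Status", ""),
                                    kv.get("Domain", ""), kv.get("Oper host mode", ""),
                                    kv.get("Vlan Policy"), methods))
    return sessions


def diagnose_mda_port(sessions: List[Session]) -> List[str]:
    """Flag the MDA failure pattern in the thread. Multi-domain mode admits one
    DATA and one VOICE host per port; the phone lands in VOICE only if the RADIUS
    Access-Accept carries the Cisco AV-pair device-traffic-class=voice, otherwise
    it takes the DATA slot and the PC behind it is a second DATA host (violation)."""
    findings = []
    data = [s for s in sessions if s.domain == "DATA" and s.status == "Authz Success"]
    voice = [s for s in sessions if s.domain == "VOICE" and s.status == "Authz Success"]
    if len(sessions) > 1 and data and not voice:
        via = ",".join(m for m, st in data[0].methods.items() if st == "Authc Success")
        findings.append(f"{data[0].mac} authorized into DATA (VLAN {data[0].vlan}) via "
                        f"{via} and no VOICE session on the port: RADIUS did not return "
                        "device-traffic-class=voice, so the next host is a violation")
    for s in sessions:
        if s.domain == "UNKNOWN":
            findings.append(f"{s.mac} not authorized ({s.status}); methods: {s.methods}")
    if len(data) > 1:
        findings.append("more than one authorized DATA host: MDA violation")
    return findings
```

Run it with `diagnose_mda_port(parse_sessions(SAMPLE_SESSIONS))`; on the thread's output it reports the phone's MAC as the DATA-domain host with no VOICE session, which is the thing to check on the NPS side (the authorization for the phone's MAB entry must return the voice AV-pair) before reaching for errdisable recovery.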