08-06-2017 03:40 PM - edited 03-08-2019 11:38 AM
Hello, my understanding was that an 802.1x wired port would not pass traffic unless BOTH devices on that port had authenticated successfully.
I have a situation where I have a phone and a computer on the same port (VOICE and DATA VLANs). The phone has successfully authenticated via MAB, however the PC has not authenticated successfully due to not having an 802.1x supplicant configured i.e. the PC is still in the authentication 'running' state.
But I notice the phone is still powered up and working normally. The port is connected. Should this be the case?
Or is it only when either the phone or PC has received an authorisation REJECT that the port will actually prevent data flow?
Thank you kindly.
mySwitch1#sh dot1x all summary
Interface   PAE   Client   Status
--------------------------------------------------------
Gi1/0/16    AUTH  none     UNAUTHORIZED

mySwitch#sh authentication int gi1/0/16
Client list:
  Interface  MAC Address     Method  Domain  Status         Session ID
  Gi1/0/16   0025.8416.b904  mab     VOICE   Authz Success  C0A8084200004451C56FF3F5
  Gi1/0/16   b8ca.3a7e.e6d9  N/A     DATA    Authz Failed   C0A8084200004452C56FF3F5

mySwitch#sh int gi1/0/16 status
Port      Name        Status     Vlan  Duplex  Speed  Type
Gi1/0/16  DOT1X_TEST  connected  58    a-full  a-100  10/100/1000BaseTX
interface GigabitEthernet1/0/16
 description DOT1X_TEST
 switchport access vlan 58
 switchport mode access
 switchport voice vlan 158
 authentication event fail action next-method
 authentication event server dead action authorize vlan 58
 authentication event server dead action authorize voice
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
mySwitch#show authentication sessions interface gi1/0/16
            Interface:  GigabitEthernet1/0/16
          MAC Address:  b8ca.3a7e.e6d9
           IP Address:  Unknown
            User-Name:  b8ca3a7ee6d9
               Status:  Authz Failed
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  C0A8084200004452C56FF3F5
      Acct Session ID:  0x00000505
               Handle:  0xCD0004A4

Runnable methods list:
       Method   State
       mab      Failed over
       dot1x    Failed over

----------------------------------------
            Interface:  GigabitEthernet1/0/16
          MAC Address:  0025.8416.b904
           IP Address:  10.110.8.114
            User-Name:  00258416b904
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  C0A8084200004451C56FF3F5
      Acct Session ID:  0x00000504
               Handle:  0xD5000526

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run
08-06-2017 04:01 PM
Hi
This is a normal behaviour with your actual configuration.
Your port is configured as authentication host-mode multi-domain. This means that you can have a voice device and data device attached to the same port with independent authentication.
If the phone is authenticated, this doesn't mean that your laptop will be authenticated and vice versa.
The behaviour you describe, where 1 host authenticates and all others attached to the same port are authenticated, is called multiple-host.
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
08-06-2017 09:08 PM
Hello, thank you for that. I have also noticed that if the phone fails authentication, then the PC connected to the phone cannot authenticate. Is this expected behaviour, i.e. does the phone block the connected PC if the phone cannot authenticate?
08-07-2017 04:18 PM
Hi
What's exactly the configuration and the radius message on the phone?
If the phone hasn't been authenticated, that means the switch didn't receive the class voice from this device and will assume that device is in the data domain. Then the laptop behind will fail as it's a violation. You can't have 2 devices in the same domain.
Hope that's clear.
Thanks
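An added example (not code from this thread or from Cisco): a small Python check that parses `show authentication sessions interface` output like the one in the original post into sessions, reports the per-domain status, and flags the one situation the second answer calls a violation, more than one MAC in a single domain. The sample output is constructed from the values posted above.

```python
import re
from collections import defaultdict

# Constructed sample, built from the values posted in the thread above.
SAMPLE_OUTPUT = """\
            Interface:  GigabitEthernet1/0/16
          MAC Address:  b8ca.3a7e.e6d9
               Status:  Authz Failed
               Domain:  DATA
       Oper host mode:  multi-domain
----------------------------------------
            Interface:  GigabitEthernet1/0/16
          MAC Address:  0025.8416.b904
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-domain
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+):\s*(.*?)\s*$")


def parse_sessions(text):
    """Split 'show authentication sessions interface' output into one dict per session."""
    sessions, current = [], {}
    for line in text.splitlines():
        if line.startswith("----"):        # dashed line separates sessions
            if current:
                sessions.append(current)
            current = {}
            continue
        match = FIELD.match(line)
        if match:
            current[match.group(1)] = match.group(2)
    if current:
        sessions.append(current)
    return sessions


def evaluate_port(sessions):
    """Return (status per domain, findings) for a multi-domain (MDA) port.

    In MDA each domain authorizes on its own, so VOICE=Authz Success beside
    DATA=Authz Failed is expected. Two MACs in one domain is the violation
    case from the thread: a phone not classified as voice lands in DATA, and
    the PC behind it then collides with it in that domain."""
    by_domain = defaultdict(list)
    for session in sessions:
        by_domain[session.get("Domain", "UNKNOWN")].append(session)
    status = {d: [s.get("Status", "?") for s in items] for d, items in by_domain.items()}
    findings = [f"{d}: {len(items)} MACs in one domain (violation)"
                for d, items in by_domain.items() if len(items) > 1]
    return status, findings
```

What the switch does with the colliding MAC depends on the port's `authentication violation` setting, which in the posted config is `restrict`.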