802.1x port authentication expectation

tedauction (Level 1)

Hello, my understanding was that an 802.1x wired port would not pass traffic unless BOTH devices on that port had authenticated successfully.

I have a situation where I have a phone and a computer on the same port (VOICE and DATA VLANs). The phone has successfully authenticated via MAB, however the PC has not authenticated successfully due to not having an 802.1x supplicant configured i.e. the PC is still in the authentication 'running' state.

But I notice the phone is still powered up and working normally. The port is connected. Should this be the case?

Or is it only when either the phone or the PC has received an authorisation REJECT that the port will actually prevent data flow?

Thank you kindly.

mySwitch1#sh dot1x all summary
Interface       PAE     Client          Status
--------------------------------------------------------
Gi1/0/16        AUTH    none            UNAUTHORIZED


mySwitch#sh authentication int gi1/0/16

Client list:
  Interface  MAC Address     Method  Domain  Status         Session ID
  Gi1/0/16   0025.8416.b904  mab     VOICE   Authz Success  C0A8084200004451C56FF3F5
  Gi1/0/16   b8ca.3a7e.e6d9  N/A     DATA    Authz Failed   C0A8084200004452C56FF3F5

mySwitch#sh int gi1/0/16 status

Port      Name        Status     Vlan  Duplex  Speed  Type
Gi1/0/16  DOT1X_TEST  connected  58    a-full  a-100  10/100/1000BaseTX

interface GigabitEthernet1/0/16
description DOT1X_TEST
switchport access vlan 58
switchport mode access
switchport voice vlan 158
authentication event fail action next-method
authentication event server dead action authorize vlan 58
authentication event server dead action authorize voice
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast

mySwitch#show authentication sessions interface gi1/0/16

            Interface:  GigabitEthernet1/0/16
          MAC Address:  b8ca.3a7e.e6d9
           IP Address:  Unknown
            User-Name:  b8ca3a7ee6d9
               Status:  Authz Failed
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  C0A8084200004452C56FF3F5
      Acct Session ID:  0x00000505
               Handle:  0xCD0004A4

Runnable methods list:
       Method   State
       mab      Failed over
       dot1x    Failed over

----------------------------------------
            Interface:  GigabitEthernet1/0/16
          MAC Address:  0025.8416.b904
           IP Address:  10.110.8.114
            User-Name:  00258416b904
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  C0A8084200004451C56FF3F5
      Acct Session ID:  0x00000504
               Handle:  0xD5000526

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run

Accepted Solution

Francesco Molino (VIP Alumni)

Hi 

This is normal behaviour with your current configuration.

Your port is configured as authentication host-mode multi-domain. This means that you can have a voice device and a data device attached to the same port, with independent authentication.

If the phone is authenticated, this doesn't mean that your laptop will be authenticated, and vice versa.

The behaviour you describe, where one host authenticates and all others attached to the same port are authenticated, is called multiple-host.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

3 Replies


Hello, thank you for that. I have also noticed that if the phone fails authentication, then the PC connected to the phone cannot authenticate. Is this expected behaviour, i.e. does the phone block the connected PC if the phone cannot authenticate?

Hi 

What exactly is the configuration and the RADIUS message on the phone?

If the phone hasn't been authenticated, that means the switch didn't receive the voice class from this device and will assume that device is in the DATA domain. Then the laptop behind it will fail, as it's a violation. You can't have 2 devices in the same domain.

Hope that's clear.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
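The two points made in this thread (the accepted answer: in multi-domain mode each device on the port is authorized on its own, whereas multi-host lets one authentication open the port for everyone; and the follow-up reply: a phone that never gets the voice class lands in the DATA domain, so the PC behind it becomes a second DATA device and is treated as a violation) can be checked against a small model of the per-port session table. The code below is an added example written for this page, not Cisco code and not part of any post; the class and function names are hypothetical, the RADIUS outcomes are reduced to four constructed strings, and it also covers multi-auth mode (one VOICE device, any number of individually authenticated DATA devices), which the thread does not discuss. The MAC addresses are the two from the poster's `show authentication sessions` output.

```python
"""Model of how a Cisco access port's host-mode decides which MACs may forward.

Added example (hypothetical names); it simplifies the switch to a per-MAC session
table keyed by domain and ignores timers, reauthentication and guest/auth-fail VLANs.
"""
from dataclasses import dataclass, field
from enum import Enum


class HostMode(Enum):
    MULTI_HOST = "multi-host"      # first successful MAC authorizes every MAC on the port
    MULTI_DOMAIN = "multi-domain"  # one DATA + one VOICE device, each authenticated on its own
    MULTI_AUTH = "multi-auth"      # one VOICE + any number of DATA devices, each on its own


@dataclass
class Session:
    mac: str
    domain: str   # "DATA" or "VOICE"
    status: str   # "Authz Success", "Authz Failed", "Running" or "Violation"


@dataclass
class AccessPort:
    host_mode: HostMode
    sessions: dict = field(default_factory=dict)  # mac -> Session

    def learn(self, mac: str, outcome: str) -> Session:
        """Record the RADIUS outcome for a MAC seen on the port.

        Constructed outcome values (an assumption of this model, not an IOS term):
          "accept-voice"  Access-Accept carrying the voice-domain attribute
          "accept-data"   Access-Accept without it
          "reject"        every method has failed over (Access-Reject / no supplicant)
          "pending"       no method has finished yet
        A device is only placed in VOICE when the voice attribute arrives; everything
        else, including a failed or still-running phone, is assumed to be DATA.
        """
        domain = "VOICE" if outcome == "accept-voice" else "DATA"
        limit = self._domain_limit(domain)
        occupants = [s for m, s in self.sessions.items() if s.domain == domain and m != mac]
        if limit is not None and len(occupants) >= limit:
            sess = Session(mac, domain, "Violation")      # 'authentication violation restrict'
        elif outcome in ("accept-voice", "accept-data"):
            sess = Session(mac, domain, "Authz Success")
        elif outcome == "reject":
            sess = Session(mac, domain, "Authz Failed")
        else:
            sess = Session(mac, domain, "Running")
        self.sessions[mac] = sess
        return sess

    def _domain_limit(self, domain: str):
        """How many MACs a domain may hold in this host-mode (None = unlimited)."""
        if self.host_mode is HostMode.MULTI_HOST:
            return None
        if domain == "VOICE":
            return 1
        return 1 if self.host_mode is HostMode.MULTI_DOMAIN else None

    def forwards(self, mac: str) -> bool:
        """Whether traffic from this MAC is passed by the port."""
        sess = self.sessions.get(mac)
        if sess is None or sess.status == "Violation":
            return False
        if self.host_mode is HostMode.MULTI_HOST:
            # one successful authentication opens the port for every attached MAC
            return any(s.status == "Authz Success" for s in self.sessions.values())
        return sess.status == "Authz Success"


PHONE, PC = "0025.8416.b904", "b8ca.3a7e.e6d9"   # MACs from the thread's output


def thread_scenario():
    """The poster's port: MDA, phone accepted via MAB with voice class, PC has no supplicant."""
    port = AccessPort(HostMode.MULTI_DOMAIN)
    port.learn(PHONE, "accept-voice")
    port.learn(PC, "reject")                      # mab and dot1x both 'Failed over'
    return port.forwards(PHONE), port.forwards(PC)  # phone works, PC does not


def phone_without_voice_class():
    """Follow-up reply: a phone that fails is assumed DATA, so the PC is a DATA violation."""
    port = AccessPort(HostMode.MULTI_DOMAIN)
    phone = port.learn(PHONE, "reject")
    pc = port.learn(PC, "accept-data")            # would have passed on an empty DATA domain
    return phone.domain, pc.status


def multi_host_contrast():
    """Same devices on a multi-host port: the phone's success authorizes the PC as well."""
    port = AccessPort(HostMode.MULTI_HOST)
    port.learn(PHONE, "accept-voice")
    port.learn(PC, "pending")
    return port.forwards(PC)


def multi_auth_two_pcs():
    """multi-auth allows several DATA devices, each authenticated individually."""
    port = AccessPort(HostMode.MULTI_AUTH)
    port.learn(PHONE, "accept-voice")
    a = port.learn(PC, "accept-data")
    b = port.learn("0011.2233.4455", "accept-data")  # constructed second PC MAC
    return a.status, b.status


if __name__ == "__main__":
    print("multi-domain (thread):      ", thread_scenario())
    print("phone without voice class:  ", phone_without_voice_class())
    print("multi-host, PC never authed:", multi_host_contrast())
    print("multi-auth, two PCs:        ", multi_auth_two_pcs())
```

The model matches the outputs posted above: in multi-domain the VOICE session is `Authz Success` and forwards while the DATA session is `Authz Failed` and does not, and a phone that never receives the voice attribute occupies the single DATA slot so the PC behind it is refused rather than authenticated.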