C9300 802.1x EAP-MD5 for IP-Phones not working

stefan.mathys
Level 1

Hi,

We have Cisco C3560X-48P switches in our branches and use Avaya IP-Phones for our call agents. All switchports are protected by 802.1x and our Avaya IP-Phones use EAP-MD5 with username and password to authenticate the phone in the voice subnet.
This is our port config:

interface GigabitEthernet0/1
description Avaya IP-Phone
switchport access vlan 10
switchport mode access
switchport voice vlan 2000
ip arp inspection limit rate 130 burst interval 2
no logging event link-status
authentication control-direction in
authentication event fail action authorize vlan 10
authentication event server dead action authorize vlan 10
authentication event no-response action authorize vlan 10
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x
authentication priority dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
dot1x pae authenticator
dot1x timeout tx-period 1
no cdp enable
spanning-tree portfast

Everything works well so far.

Now we want to replace our C3560X switches with the new C9300-48UXM (IOS 16.09.05) without changing our IP-Phone settings.

We use the same port config as we had on the C3560X, but the IP-Phones couldn't authenticate.

The LLDP neighbour table is also empty and the C9300 switch sends an error:

Aug 25 15:33:00: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (001b.4f30.97e3) with reason (No Response from Client) on Interface Tw1/0/1 AuditSessionID 1410D10A0000001C25C446DF
Aug 25 15:33:00: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (001b.4f30.97e3) on Interface TwoGigabitEthernet1/0/1 AuditSessionID 1410D10A0000001C25C446DF. Failure Reason: VLAN Failure.

Switch-C9300-001#sh authentication sessions
Interface   MAC Address      Method  Domain  Status  Fg  Session ID
--------------------------------------------------------------------------------------------
Tw1/0/1     001b.4xxx.9xxx   dot1x   DATA    Unauth      1410D10A0000001C25C446DF

If I configure a SPAN session and capture the traffic during the authentication, I can see an "EAP Failure" in Wireshark.

If I do not use the 802.1x config on a switchport, my phone works well.

Could it be that the new C9300 does not support EAP-MD5 challenges, or does anyone have an idea what I can try or what my problem is?

Many, many thanks for your support.

20 Replies

Francesco Molino
VIP Alumni
Hi,

We see your phone in the data domain based on the output of authentication sessions (MAC 001b.4f).
First question: when dot1x is disabled and your phone is connected, do you see it as an LLDP neighbor?
Have you enabled lldp run globally and lldp receive + lldp transmit on your interface, to validate that the switch sees it in the LLDP database?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

When dot1x is disabled I can see all LLDP neighbours.
I activated LLDP globally and at interface level.

This is my LLDP output when I have dot1x disabled:

Switch-C9300-001#sh lldp neighbors
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
AVB3097E3           Tw1/0/1        120        B,T             001b.4f30.97e3

This is the output if I have dot1x enabled on the interface:

Switch-C9300-001#sh lldp neighbors
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID

Total entries displayed: 0

Switch-C9300-001#sh lldp int tw 1/0/1

TwoGigabitEthernet1/0/1:
Tx: enabled
Rx: enabled
Tx state: IDLE
Rx state: WAIT FOR FRAME

Thanks

Regards

Steve

Can you share your 9300 configuration?
Have you enabled SISF (device tracking)?
When authentication fails, do you see anything coming in on ISE?

Thanks
Francesco

Hi Francesco,

I attached a file with my actual running-all config.

I have no knowledge about SISF. So far, we haven't enabled it.

We use Microsoft NPS as our RADIUS server.

This is the answer from our RADIUS server for a request from a phone:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          25.08.2020 16:15:56
Event ID:      6272
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      xxxxxxxxxxx
Description:
Network Policy Server granted access to a user.

User:
    Security ID:                  xxxxxxxxxxx
    Account Name:                 xxxxxxxxxxx
    Account Domain:               xxxxxxxxxxx
    Fully Qualified Account Name: xxxxxxxxxxx

Client Machine:
    Security ID:                  NULL SID
    Account Name:                 -
    Fully Qualified Account Name: -
    OS-Version:                   -
    Called Station Identifier:    00-77-xxxxxxxxxxx
    Calling Station Identifier:   00-1B-xxxxxxxxxxx

NAS:
    NAS IPv4 Address:             xx.xxx.16.20
    NAS IPv6 Address:             -
    NAS Identifier:               Switch-C9300-001
    NAS Port-Type:                Ethernet
    NAS Port:                     50101

RADIUS Client:
    Client Friendly Name:         Switch_MGMT
    Client IP Address:            xx.xxx..16.20

Authentication Details:
    Connection Request Policy Name: CRP_Wired
    Network Policy Name:            NP_MD5_IP-Phone
    Authentication Provider:        Windows
    Authentication Server:          xxxxxxxxxxx
    Authentication Type:            EAP
    EAP Type:                       MD5-Challenge
    Account Session Identifier:     -
    Logging Results:                Accounting information was written to the SQL data store and the local log file.

Quarantine Information:
    Result:                       Full Access
    Session Identifier:           -

With the old 3560X switches I could still turn on RADIUS and AAA debug to check what's going on on my switch.

With the same command on the C9300 I don't see any interesting output. Did they change RADIUS debugging?

Thanks in advance.

You must enable device-tracking, check the link below:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-6/configuration_guide/sec/b_166_sec_9300_cg/configuring_ieee_802_1x_port_based_authentication.html

For debugging:

set platform software trace smd switch active R0 aaa-authen debug
set platform software trace smd switch active R0 aaa debug
set platform software trace smd switch active R0 radius debug

You can then check the logs using the command:
show platform software trace message smd switch active R0


Thanks
Francesco

Hi,

Device-tracking is new for me.

I tried to configure device-tracking, helping myself with these two links, with default DT policies on my "ip phone" interface.

Without success: the LLDP table is still empty and dot1x for my phone is not working.

Do I need layer 3 for my voice VLAN on this switch? Because this switch is only layer 2 for the voice and data VLANs.

No you don't need layer 3. I'll recheck your config and come back tomorrow. Sorry these last days were busy.


Thanks
Francesco

I forgot to mention: have you run the debugs and then applied the commands I sent (set platform)?

If yes, can you share the log using the show command I gave, in a text file please?


Thanks
Francesco

Hi Francesco,

I attached a TXT file with the debug commands as you wished.

I'm very thankful for your support.

Regards

Steve

Can you share the policy you're pushing from ISE towards the client? And also share the authentication/authorization log from the live log?

In your log file it appears the device is authenticated and authorized, but when applying the authorization to the interface you're getting a VLAN failure.

2020/09/02 13:45:43.898 {smd_R0-0}{1}: [errmsg] [21664]: UUID: 0, ra: 0, TID: 0 (note): %SESSION_MGR-5-FAIL: Authorization failed or unapplied for client (001b.4f30.97e3) on Interface TwoGigabitEthernet1/0/1 AuditSessionID 1410D10A0000000D4F1002AC. Failure Reason: VLAN Failure

2020/09/02 13:45:43.897 {smd_R0-0}{1}: [epm] [21664]: UUID: 0, ra: 0, TID: 0 (ERR): EPM_PLUGIN_VLAN_ERR: [HDL = 0x0] vlan attributes is missing 3

Thanks
Francesco

stefan.mathys
Level 1

Hi,

We use NPS as RADIUS and not ISE :-)

I have attached a screenshot with our NPS policy for Avaya IP-Phones for our C3560X switches (left on the screenshot).

In this policy the NPS only sends the "cisco-av-pair" back to the switch, and this works for C3560X switches but not for the C9300.

You gave me a hint with "VLAN failure". I added the "tunnel-pvt-group-id" with my voice VLAN name to my current RADIUS IP-Phone policy (right on the screenshot) and it looks like this is my solution. My IP-Phone is authenticated in the voice domain.

I'm surprised that my old RADIUS policy (without "tunnel-pvt-group-id") works for the C3560X and does not work for C9300 switches.

You helped me a lot and showed me the right way to the solution.

Thank you
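The outcome of this thread (an NPS policy returning only a cisco-av-pair satisfied the C3560X, while the C9300 logged "VLAN Failure" and "vlan attributes is missing" until Tunnel-Pvt-Group-ID was added) is something that can be checked before a switch rollout rather than discovered at the port. The Python below is an added example written for this thread; it is not code from the original posts, Cisco, or Microsoft. It lints the attribute set an Access-Accept carries using the standard RFC 2868 attribute numbers, and it correlates the two syslog lines quoted in the first post by AuditSessionID so the DOT1X and SESSION_MGR messages for one port are read together. It goes a little beyond the thread: besides Tunnel-Private-Group-ID it also checks the two companion attributes Tunnel-Type (13, VLAN) and Tunnel-Medium-Type (6, IEEE-802) that RFC 3580 pairs with it. The av-pair value device-traffic-class=voice, the VLAN name VOICE, and all function names are assumptions; the thread names the attributes but not their values.

```python
"""Added example for this thread (not the poster's, Cisco's or Microsoft's code):
lint the RADIUS attributes an NPS network policy returns for an 802.1X voice
session, and correlate the C9300 syslog failure lines by AuditSessionID.
Attribute numbers are the standard RFC 2868 ones; all sample data is
constructed from the values quoted in the thread."""
import re

# RFC 2868 tunnel attributes that RFC 3580 reuses for dynamic VLAN assignment.
TUNNEL_TYPE = 64              # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # value 6  = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # VLAN name or number ("tunnel-pvt-group-id" in NPS)
VENDOR_SPECIFIC = 26          # carries cisco-av-pair strings (vendor 9)

# Assumed av-pair value that puts a multi-domain session into the VOICE domain.
VOICE_AVPAIR = "device-traffic-class=voice"


def lint_voice_policy(attrs):
    """Return the problems found in an Access-Accept attribute set.

    attrs maps RADIUS attribute number -> value; cisco-av-pair strings are
    given as a list under 26.  Encodes the thread's finding: the av-pair alone
    satisfied the 3560X, but the 9300 logged 'VLAN Failure' until
    Tunnel-Private-Group-ID was returned as well."""
    problems = []
    avpairs = [p.strip() for p in attrs.get(VENDOR_SPECIFIC, [])]
    if VOICE_AVPAIR not in avpairs:
        problems.append("no %s av-pair: session stays in the DATA domain" % VOICE_AVPAIR)
    if TUNNEL_PRIVATE_GROUP_ID not in attrs:
        problems.append("Tunnel-Private-Group-ID missing: expect 'VLAN Failure' on C9300")
    else:
        if attrs.get(TUNNEL_TYPE) != 13:
            problems.append("Tunnel-Type must be 13 (VLAN)")
        if attrs.get(TUNNEL_MEDIUM_TYPE) != 6:
            problems.append("Tunnel-Medium-Type must be 6 (IEEE-802)")
    return problems


# Patterns for the %DOT1X-5-FAIL / %SESSION_MGR-5-FAIL lines quoted in the thread.
SESSION_RE = re.compile(r"AuditSessionID ([0-9A-Fa-f]+)")
MAC_RE = re.compile(r"client \(([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)")
INTF_RE = re.compile(r"Interface (\S+)")
REASON_RE = re.compile(r"with reason \(([^)]+)\)|Failure Reason: ([^.\n]+)")

# The same port shows up as Tw1/0/1 in one message and TwoGigabitEthernet1/0/1
# in the next; expand the short form so both messages land on one key.
SHORT_NAMES = {"Tw": "TwoGigabitEthernet", "Te": "TenGigabitEthernet", "Gi": "GigabitEthernet"}


def expand_interface(name):
    for short, full in SHORT_NAMES.items():
        if name.startswith(short) and not name.startswith(full):
            return full + name[len(short):]
    return name


def correlate_failures(lines):
    """Group failure messages by AuditSessionID into {mac, interface, reasons}."""
    sessions = {}
    for line in lines:
        sid = SESSION_RE.search(line)
        if not sid:
            continue
        rec = sessions.setdefault(sid.group(1), {"mac": None, "interface": None, "reasons": []})
        mac = MAC_RE.search(line)
        if mac:
            rec["mac"] = mac.group(1)
        intf = INTF_RE.search(line)
        if intf:
            rec["interface"] = expand_interface(intf.group(1))
        reason = REASON_RE.search(line)
        if reason:
            rec["reasons"].append((reason.group(1) or reason.group(2)).strip())
    return sessions


def diagnose(rec):
    """Map the two reasons seen in the thread to what to check next."""
    if "VLAN Failure" in rec["reasons"]:
        return ("RADIUS accepted the client but the VLAN attributes it returned were "
                "missing or unusable; check Tunnel-Private-Group-ID on the NPS policy")
    if "No Response from Client" in rec["reasons"]:
        return ("no EAP reply reached the authenticator; verify the supplicant and the "
                "port's dot1x/device-tracking settings")
    return "unclassified; read the smd trace (show platform software trace message smd ...)"


# Constructed sample: the two syslog lines from the original post.
SAMPLE_LOG = [
    "Aug 25 15:33:00: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for "
    "client (001b.4f30.97e3) with reason (No Response from Client) on Interface Tw1/0/1 "
    "AuditSessionID 1410D10A0000001C25C446DF",
    "Aug 25 15:33:00: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or "
    "unapplied for client (001b.4f30.97e3) on Interface TwoGigabitEthernet1/0/1 "
    "AuditSessionID 1410D10A0000001C25C446DF. Failure Reason: VLAN Failure.",
]

# Attribute sets mirroring the 'before' and 'after' NPS policies described in the
# thread; the VLAN name "VOICE" is a constructed placeholder.
POLICY_BEFORE = {VENDOR_SPECIFIC: [VOICE_AVPAIR]}
POLICY_AFTER = {VENDOR_SPECIFIC: [VOICE_AVPAIR], TUNNEL_TYPE: 13,
                TUNNEL_MEDIUM_TYPE: 6, TUNNEL_PRIVATE_GROUP_ID: "VOICE"}

if __name__ == "__main__":
    for sid, rec in correlate_failures(SAMPLE_LOG).items():
        print(sid, rec["interface"], rec["mac"], rec["reasons"], "->", diagnose(rec))
    print("before:", lint_voice_policy(POLICY_BEFORE))
    print("after:", lint_voice_policy(POLICY_AFTER))
```

Run against the two quoted lines, both messages collapse onto the one AuditSessionID, the interface is normalised to TwoGigabitEthernet1/0/1, and the "VLAN Failure" reason wins the diagnosis over the earlier "No Response from Client", which matches how the thread was resolved. The lint on the "before" policy reports exactly the missing Tunnel-Private-Group-ID; the "after" policy passes clean. The same two functions can be pointed at real exported NPS attribute lists and at the `show platform software trace message smd` output Francesco asked for.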

I'm glad your issue is solved.

I don't see the screenshot, but if you just send back an Access-Accept, it should take the VLAN configured on the interface and there is no need for the tunnel-pvt-group-id attribute.


Thanks
Francesco

Sorry, I forgot the screenshot.

Something is wrong, I can't upload it.

If your issue isn't solved, PM me so I can give you an email where to send your screenshots


Thanks
Francesco