08-25-2020 06:41 AM
Hi,
We have Cisco C3560X-48P switches in our branches and use Avaya IP phones for our call agents. All switch ports are protected by 802.1X, and our Avaya IP phones use EAP-MD5 with username and password to authenticate the phone into the voice subnet.
This is our port config:
interface GigabitEthernet0/1
description Avaya IP-Phone
switchport access vlan 10
switchport mode access
switchport voice vlan 2000
ip arp inspection limit rate 130 burst interval 2
no logging event link-status
authentication control-direction in
authentication event fail action authorize vlan 10
authentication event server dead action authorize vlan 10
authentication event no-response action authorize vlan 10
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x
authentication priority dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
dot1x pae authenticator
dot1x timeout tx-period 1
no cdp enable
spanning-tree portfast
Everything works well so far.
Now we want to replace our C3560X switches with the new C9300-48UXM (IOS 16.09.05) without changing our IP phone settings.
We use the same port config as we had on the C3560X, but the IP phones can't authenticate.
The LLDP neighbour table is also empty, and the C9300 switch logs an error:
Aug 25 15:33:00: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (001b.4f30.97e3) with reason (No Response from Client) on Interface Tw1/0/1 AuditSessionID 1410D10A0000001C25C446DF
Aug 25 15:33:00: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (001b.4f30.97e3) on Interface TwoGigabitEthernet1/0/1 AuditSessionID 1410D10A0000001C25C446DF. Failure Reason: VLAN Failure.
Switch-C9300-001#sh authentication sessions
Interface MAC Address Method Domain Status Fg Session ID
--------------------------------------------------------------------------------------------
Tw1/0/1 001b.4xxx.9xxx dot1x DATA Unauth 1410D10A0000001C25C446DF
If I create a SPAN session and capture the traffic during the authentication, I can see an EAP Failure in Wireshark.
If I do not use the 802.1X config on a switch port, my phone works fine.
Could it be that the new C9300 does not support EAP-MD5 challenges, or does anyone have an idea what I can try or what my problem is?
Many thanks for your support.
08-25-2020 08:18 PM
08-25-2020 10:37 PM
Hi Francesco,
When dot1x is disabled, I can see all LLDP neighbours.
I activated LLDP globally and at interface level.
This is my LLDP output if I have dot1x disabled:
Switch-C9300-001#sh lldp neighbors
Capability codes:
(R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
(W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other
Device ID Local Intf Hold-time Capability Port ID
AVB3097E3 Tw1/0/1 120 B,T 001b.4f30.97e3
This is the output if I have dot1x enabled on the interface:
Switch-C9300-001#sh lldp neighbors
Capability codes:
(R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
(W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other
Device ID Local Intf Hold-time Capability Port ID
Total entries displayed: 0
Switch-C9300-001#sh lldp int tw 1/0/1
TwoGigabitEthernet1/0/1:
Tx: enabled
Rx: enabled
Tx state: IDLE
Rx state: WAIT FOR FRAME
Thanks
Regards
Steve
08-26-2020 07:42 PM
08-27-2020 02:16 AM
Hi Francesco,
I attached a file with my current running-all config.
I have no knowledge about SISF. So far, we don't enable it.
We use Microsoft NPS as RADIUS server.
This is the answer from our RADIUS server for a request from a phone:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 25.08.2020 16:15:56
Event ID: 6272
Task Category: Network Policy Server
Level: Information
Keywords: Audit Success
User: N/A
Computer: xxxxxxxxxxx
Description:
Network Policy Server granted access to a user.
User:
Security ID: xxxxxxxxxxx
Account Name: xxxxxxxxxxx
Account Domain: xxxxxxxxxxx
Fully Qualified Account Name: xxxxxxxxxxx
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 00-77-xxxxxxxxxxx
Calling Station Identifier: 00-1B-xxxxxxxxxxx
NAS:
NAS IPv4 Address: xx.xxx.16.20
NAS IPv6 Address: -
NAS Identifier: Switch-C9300-001
NAS Port-Type: Ethernet
NAS Port: 50101
RADIUS Client:
Client Friendly Name: Switch_MGMT
Client IP Address: xx.xxx.16.20
Authentication Details:
Connection Request Policy Name: CRP_Wired
Network Policy Name: NP_MD5_IP-Phone
Authentication Provider: Windows
Authentication Server: xxxxxxxxxxx
Authentication Type: EAP
EAP Type: MD5-Challenge
Account Session Identifier: -
Logging Results: Accounting information was written to the SQL data store and the local log file.
Quarantine Information:
Result: Full Access
Session Identifier: -
With the old 3560X switches I could turn on RADIUS and AAA debugs to check what's going on on my switch.
With the same commands on the C9300 I don't see any interesting output. Did they change RADIUS debugging?
Thanks in advance.
08-28-2020 03:46 PM
You must enable device-tracking, check the link below:
For debugging:
set platform software trace smd switch active R0 aaa-authen debug
set platform software trace smd switch active R0 aaa debug
set platform software trace smd switch active R0 radius debug
You can then check the logs using the command:
show platform software trace message smd switch active R0
08-31-2020 05:12 AM
Hi,
Device-tracking is new for me.
I tried to configure device-tracking, helping myself with these two links, with default DT policies on my "IP phone" interface.
Without success. The LLDP table is still empty, and dot1x for my phone is not working.
Do I need layer 3 for my voice VLAN on this switch? This switch is only layer 2 for the voice and data VLANs.
09-01-2020 08:10 PM
No you don't need layer 3. I'll recheck your config and come back tomorrow. Sorry these last days were busy.
09-01-2020 08:25 PM
I forgot to mention. Have you run debugs and then applied the commands I sent (set platform)?
If yes, can you share the log from the show command I gave, in a text file, please?
09-02-2020 07:18 AM
09-03-2020 04:08 PM
Can you share the policy you're pushing from ISE towards the client? and also share the authentication/authorization log from live log?
In your log file, it appears the device is authenticated and authorized, but when applying the authorization to the interface you're getting a VLAN failure.
2020/09/02 13:45:43.898 {smd_R0-0}{1}: [errmsg] [21664]: UUID: 0, ra: 0, TID: 0 (note): %SESSION_MGR-5-FAIL: Authorization failed or unapplied for client (001b.4f30.97e3) on Interface TwoGigabitEthernet1/0/1 AuditSessionID 1410D10A0000000D4F1002AC. Failure Reason: VLAN Failure
2020/09/02 13:45:43.897 {smd_R0-0}{1}: [epm] [21664]: UUID: 0, ra: 0, TID: 0 (ERR): EPM_PLUGIN_VLAN_ERR: [HDL = 0x0] vlan attributes is missing 3
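The reading above (RADIUS said yes, the NAS then failed to apply the VLAN) is easier to spot if the session-manager trace is paired up automatically. The following Python is an added example for this thread, not Cisco code: it parses lines in the format of `show platform software trace message smd switch active R0`, sorts them oldest-first (the command prints newest-first), and attaches to each SESSION_MGR-5-FAIL the EPM error logged within the second before it. The first two sample lines are copied from the post; the third is constructed to show an unrelated authentication failure on another port.

```python
"""Pair IOS-XE session-manager failures with the EPM error that preceded them.

Added example, not from the thread. The trace format matches the lines posted
in this thread; SAMPLE_TRACE lines 1-2 are from the post, line 3 is constructed.
"""
import re
from datetime import datetime

SAMPLE_TRACE = """\
2020/09/02 13:45:43.898 {smd_R0-0}{1}: [errmsg] [21664]: UUID: 0, ra: 0, TID: 0 (note): %SESSION_MGR-5-FAIL: Authorization failed or unapplied for client (001b.4f30.97e3) on Interface TwoGigabitEthernet1/0/1 AuditSessionID 1410D10A0000000D4F1002AC. Failure Reason: VLAN Failure
2020/09/02 13:45:43.897 {smd_R0-0}{1}: [epm] [21664]: UUID: 0, ra: 0, TID: 0 (ERR): EPM_PLUGIN_VLAN_ERR: [HDL = 0x0] vlan attributes is missing 3
2020/09/02 13:45:40.120 {smd_R0-0}{1}: [errmsg] [21664]: UUID: 0, ra: 0, TID: 0 (note): %DOT1X-5-FAIL: Authentication failed for client (aaaa.bbbb.cccc) with reason (No Response from Client) on Interface TwoGigabitEthernet1/0/2 AuditSessionID 1410D10A0000000E4F1002AD
"""

# timestamp {process}{n}: [component] [pid]: ... (level): message
TRACE_RE = re.compile(
    r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+) \{([^}]+)\}\{\d+\}: \[(\w+)\] \[(\d+)\]: "
    r".*?\((\w+)\): (.*)$")
SESSMGR_FAIL_RE = re.compile(
    r"%SESSION_MGR-5-FAIL: Authorization failed or unapplied for client \(([0-9a-f.]+)\) "
    r"on Interface (\S+) AuditSessionID (\w+)\. Failure Reason: (.+?)\.?\s*$")
DOT1X_FAIL_RE = re.compile(
    r"%DOT1X-5-FAIL: Authentication failed for client \(([0-9a-f.]+)\) with reason "
    r"\((.+?)\) on Interface (\S+) AuditSessionID (\w+)")
EPM_ERR_RE = re.compile(r"\bEPM_\w+_ERR: .*$")


def parse_trace(text: str) -> list:
    """Turn raw trace lines into records, oldest first (the CLI prints newest first)."""
    records = []
    for line in text.splitlines():
        m = TRACE_RE.match(line)
        if not m:
            continue  # headers, blank lines, wrapped continuation text
        ts, _proc, component, _pid, level, msg = m.groups()
        records.append({"ts": datetime.strptime(ts, "%Y/%m/%d %H:%M:%S.%f"),
                        "component": component, "level": level, "msg": msg})
    records.sort(key=lambda r: r["ts"])
    return records


def triage(text: str, window_s: float = 1.0) -> list:
    """One dict per failed session: stage, reason, and the EPM error just before it."""
    records = parse_trace(text)
    results = []
    for i, rec in enumerate(records):
        m = SESSMGR_FAIL_RE.search(rec["msg"])
        if m:
            mac, intf, sid, reason = m.groups()
            cause = None
            # Walk backwards in time, but only within the correlation window.
            for prev in reversed(records[:i]):
                if (rec["ts"] - prev["ts"]).total_seconds() > window_s:
                    break
                e = EPM_ERR_RE.search(prev["msg"])
                if prev["component"] == "epm" and e:
                    cause = e.group(0)
                    break
            results.append({"mac": mac, "interface": intf, "session": sid,
                            "stage": "authorization", "reason": reason, "epm_error": cause,
                            # Authorization failed after the server accepted: look at
                            # the VLAN attributes in the Access-Accept, not at EAP.
                            "accepted_by_radius": True})
            continue
        m = DOT1X_FAIL_RE.search(rec["msg"])
        if m:
            mac, reason, intf, sid = m.groups()
            results.append({"mac": mac, "interface": intf, "session": sid,
                            "stage": "authentication", "reason": reason,
                            "epm_error": None, "accepted_by_radius": False})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_TRACE):
        print(r)
```

Run the trace output through `triage()`; a row with `stage == "authorization"` and an `epm_error` such as `vlan attributes is missing` tells you the RADIUS exchange succeeded and the problem is in what the Access-Accept carried.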
09-04-2020 05:37 AM
Hi,
We use NPS as RADIUS and not ISE :-)
I have attached a screenshot with our NPS policy for Avaya IP phones for our C3560X switches (left on the screenshot).
In this policy, NPS only sends the "cisco-av-pair" back to the switch, and this works for C3560X switches but not for the C9300.
You gave me a hint with "VLAN failure". I added "Tunnel-Pvt-Group-ID" with my voice VLAN name to my current RADIUS IP phone policy (right on the screenshot), and it looks like this is my solution. My IP phone is authenticated in the voice domain.
I'm surprised that my old RADIUS policy (without "Tunnel-Pvt-Group-ID") works for the C3560X and not for C9300 switches.
You helped me a lot and showed me the right way to the solution.
Thank you.
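The difference between the two NPS policies above is a handful of RADIUS attributes in the Access-Accept. The following Python is an added example, not part of the thread and not Microsoft or Cisco code: it encodes the "cisco-av-pair only" reply and the reply with the RFC 2868 tunnel triple (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID), then checks, the way a NAS has to, whether a VLAN can actually be derived from what came back. The VLAN name "VOICE" and tunnel tag 1 are assumed placeholders; the tag is the value NPS calls Tunnel-Tag and must be the same on all three attributes, which is the usual reason a reply that "has the VLAN attribute" still fails.

```python
"""Encode and check RADIUS Access-Accept VLAN authorization attributes.

Added example, not from the thread. Attribute numbers follow RFC 2865/2868/3580;
the VLAN name "VOICE" and tag 1 are assumed placeholders.
"""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, VENDOR_SPECIFIC = 64, 65, 81, 26
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value for VLAN (RFC 3580)
TUNNEL_MEDIUM_IEEE802 = 6    # Tunnel-Medium-Type value for IEEE 802 (RFC 2868)
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1             # vendor sub-attribute type of cisco-av-pair
VOICE_AVPAIR = "device-traffic-class=voice"


def attr(atype: int, value: bytes) -> bytes:
    """RFC 2865 attribute: Type(1) Length(1, including header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_int(atype: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: Tag(1) then a 3-byte big-endian value."""
    return attr(atype, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(atype: int, tag: int, text: str) -> bytes:
    """RFC 2868 tagged string: Tag(1) then the string."""
    return attr(atype, bytes([tag]) + text.encode())


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific(26) with Vendor-Id 9 carrying one cisco-av-pair."""
    vsa = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def build_voice_accept(vlan_name: str, tag: int = 1) -> bytes:
    """Voice-domain marker plus a complete, consistently tagged VLAN triple."""
    return (cisco_avpair(VOICE_AVPAIR)
            + tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, vlan_name))


def parse_attrs(buf: bytes) -> list:
    """Split an attribute list into (type, value) pairs; reject bad lengths."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        atype, alen = buf[i], buf[i + 1]
        if alen < 2 or i + alen > len(buf):
            raise ValueError("malformed attribute length")
        out.append((atype, buf[i + 2:i + alen]))
        i += alen
    return out


def check_vlan_authorization(buf: bytes) -> dict:
    """What a NAS can derive: voice marker, VLAN name and tag, or what is missing."""
    tunnels, avpairs = {}, []
    for atype, val in parse_attrs(buf):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(val) == 4:
            key = "type" if atype == TUNNEL_TYPE else "medium"
            tunnels.setdefault(val[0], {})[key] = int.from_bytes(val[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID and val:
            # RFC 2868: a first octet above 0x1F is part of the string, not a tag.
            tag, name = (val[0], val[1:]) if val[0] <= 0x1F else (0, val)
            tunnels.setdefault(tag, {})["group"] = name.decode(errors="replace")
        elif atype == VENDOR_SPECIFIC and val[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            avpairs += [v.decode(errors="replace")
                        for t, v in parse_attrs(val[4:]) if t == CISCO_AVPAIR]
    voice = VOICE_AVPAIR in avpairs
    # A usable assignment needs all three attributes under one tag with the right values.
    for tag, f in sorted(tunnels.items()):
        if (f.get("type") == TUNNEL_TYPE_VLAN
                and f.get("medium") == TUNNEL_MEDIUM_IEEE802 and "group" in f):
            return {"voice": voice, "vlan": f["group"], "tag": tag, "missing": []}
    expected = {"type": ("Tunnel-Type=VLAN", TUNNEL_TYPE_VLAN),
                "medium": ("Tunnel-Medium-Type=IEEE-802", TUNNEL_MEDIUM_IEEE802),
                "group": ("Tunnel-Private-Group-ID", None)}
    missing = [label for key, (label, want) in expected.items()
               if not any(key in f and (want is None or f[key] == want)
                          for f in tunnels.values())]
    if not missing:
        missing = ["tunnel attribute tags do not match"]
    return {"voice": voice, "vlan": None, "tag": None, "missing": missing}


if __name__ == "__main__":
    print(check_vlan_authorization(cisco_avpair(VOICE_AVPAIR)))   # old policy
    print(check_vlan_authorization(build_voice_accept("VOICE")))  # new policy
```

The first call reproduces the old policy (voice marker, no VLAN attributes) and reports all three tunnel attributes as missing; the second reproduces the fixed policy. The third case worth trying is a Tunnel-Private-Group-ID sent without a tag byte next to tagged Tunnel-Type and Tunnel-Medium-Type: the check treats it as tag 0, does not line it up with the tag-1 pair, and reports a tag mismatch rather than a usable VLAN.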
09-07-2020 11:39 AM
I'm glad your issue is solved.
I don't see the screenshot, but if you just send back an Access-Accept, it should take the VLAN set up on the interface, with no need for the Tunnel-Pvt-Group-ID attribute.
09-07-2020 11:12 PM - edited 09-08-2020 10:13 PM
Sorry, I forgot the screenshot.
Something is wrong, I can't upload it.
09-08-2020 03:06 PM
If your issue isn't solved, PM me so I can give you an email address where to send your screenshots.