Cisco CBS 350 - Dot1x, MAB and Guest VLAN (ISE)

at2885 · ‎10-03-2023

I have an existing catalyst environment running 802.1x for PCs, MAB for IP phones (PCs daisy chained) and a guest VLAN for unauthenticated devices, this has been in and working for may years. I now have a new requirement to add in a Cisco CBS350-48P to a remote location.

I have tried many permutations of configurations, when it does work it appears flakey and other times it just does not work at all. I have tried with smart ports on and smart ports off. I wondered if anyone else has a similar deployment that could shed any light on their CBS config.

For reference, this is the cat config:

description 802.1x Voice and Data
switchport mode access
switchport voice vlan 100
srr-queue bandwidth share 1 30 35 5
srr-queue bandwidth shape 10 0 0 0
priority-queue out
authentication event fail action authorize vlan 112
authentication event server dead action authorize vlan 1
authentication event server dead action authorize voice
authentication event no-response action authorize vlan 112
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication port-control auto
authentication timer inactivity 3600
mab
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 3
auto qos trust
spanning-tree portfast

On other key thing that we have noted on the ISE server when a phone is daisy chained off of a Phone is that we only get the auth session on the ISE, and the second one, just seems to "hitch a ride" as such on that authentication, and gets full access to the network

This is a sample of the CBS port

voice vlan id 100
voice vlan state auto-triggered
int gY

dot1x guest-vlan enable
dot1x reauthentication
dot1x authentication 802.1x mac
dot1x port-control auto
description 802.1x_Voice_and_Data

Thank you

KJK99 · ‎10-04-2023

If I were you, I would make the phones work without any port security first. The smart port feature is not related to the port security.

As for the port security on the CBS350, you can say goodbye to these CLIs from your listing.

authentication event fail action authorize vlan 112
authentication event server dead action authorize vlan 1
authentication event server dead action authorize voice
authentication event no-response action authorize vlan 112
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication port-control auto
authentication timer inactivity 3600
mab
dot1x pae authenticator

They are not supported. I don’t know if or how you can substitute them.

These CLIs are just fine.

dot1x guest-vlan enable
dot1x reauthentication
dot1x authentication 802.1x mac
dot1x port-control auto

I haven’t run into any issues with the 802.1x authentication. The mac authentication is a little tricky. You can do it with the EAP encapsulation or without. My Radius server has the EAP-MD5 disabled so I use the latter. The format of MAC addresses sent to the Radius server can be customized. The default format worked for me so I didn’t have to do that. I also set up a password for the mac authentication.

Here are the relevant CLIs from my CBS350 configuration.

encrypted radius-server host a.b.c.d key yyyyyyyyy

dot1x mac-auth radius

encrypted dot1x mac-auth password xxxxxx

….

interface GigabitEthernet1

dot1x guest-vlan enable

dot1x reauthentication

dot1x authentication 802.1x mac

dot1x port-control auto

….

Good luck!

Kris K

at2885 · ‎10-04-2023

Thank you for getting back to me, very much appreciated.

I stripped back the configuration and removed all 802.1x bits and the phone and device work perfectly. To be clear, 802.1x works perfectly when devices are plugged into separate ports, both MAB and dot1x, the issue comes when daisy chaining from the phone comes into play.

Good call on the EAP authentication on/off, I will have a look into that and see if it works.