DHCP not working after 802.1x authentication

clukongo
Level 1

Hello,

I have a Stratix 1783-MMS10EA switch with the IOS s5800-universalk9.17.09.01.SPA.bin. I would like users to authenticate with 802.1x. However, when I apply 802.1x, the IP phone authenticates well and is placed in the right VLAN but does not retrieve an IP address; on the other hand, the PC retrieves an IP address without problem. Below is my interface configuration:

switchport mode access
switchport nonegotiate
switchport voice vlan 211
no logging event link-status
no logging event power-inline-status
authentication event fail action authorize vlan 999
authentication event no-response action authorize vlan 999
authentication host-mode multi-domain
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
ip verify source

When I add the 'authentication open' command, the phone retrieves an IP address. However, this command can cause security issues. Can you tell me if there is another way to fix this DHCP problem?

Thank you in advance,

Regards,

Chris

@clukongo 

Your MAB config is connected to ISE, and you can check logs from the ISE side.
Also please check #ip dhcp snooping trust
If your DHCP server expects Option 82 (relay agent information), verify that it's correctly handling requests from the phone.

By default, all traffic is blocked (including DHCP) when authentication is in progress. The 'authentication control-direction in' command allows outbound DHCP requests from the phone while authentication is still being done.
Test it also
#interface GigabitEthernetX/X
#authentication control-direction in

Thanks!

Hi Joshqun,
I have already checked Option 82, and I had also tested the 'authentication control-direction in' command, but it did not change anything. For information, DHCP works well on PCs; it is only on phones that it does not work, and only on this switch model (Stratix 1783-MMS10EA). On the other switches everything works well.

Regards,
Chris

Can I see 

Show authentication session interface x/x 

MHM

Hi MHM,

Below is the requested result.

Regards,

Chris


sh authentication sessions int Gi1/8 det
Interface: GigabitEthernet1/8
IIF-ID: 0x1E605D82
MAC Address: 487a.551e.929f
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: ALCIPT
Status: Authorized
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Common Session ID: 00000000000000D104EEDFD7
Acct Session ID: Unknown
Handle: 0x7b0000c7
Current Policy: POLICY_Gi1/8


Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure

Server Policies:
Vlan Group: Vlan: 211


Method status list:
Method State
dot1x Authc Success

---------------

Feb 14 15:48:38.618 WCA: %SESSION_MGR-5-START: R0/0: sessmgrd: Starting 'dot1x' for client (487a.551e.929f) on Interface GigabitEthernet1/8 AuditSessionID 00000000000000D104EEDFD7
Feb 14 15:48:38.641 WCA: %DOT1X-5-SUCCESS: R0/0: sessmgrd: Authentication successful for client (487a.551e.929f) on Interface Gi1/8 AuditSessionID 00000000000000D104EEDFD7
Feb 14 15:48:38.719 WCA: %SESSION_MGR-5-SUCCESS: R0/0: sessmgrd: Authorization succeeded for client (487a.551e.929f) on Interface GigabitEthernet1/8 AuditSessionID 00000000000000D104EEDFD7

--

sh authentication sessions int Gi1/10 det
Interface: GigabitEthernet1/10
IIF-ID: 0x168BB159
MAC Address: 18db.f259.16d1
IPv6 Address: fe80::551c:a454:5dff:9e4f
IPv4 Address: 10.241.190.90
User-Name: host/POGL18009.perenco.org
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Common Session ID: 000000000000000CFB01A9EF
Acct Session ID: Unknown
Handle: 0xf7000002
Current Policy: POLICY_Gi1/10


Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecured

Server Policies:
Vlan Group: Vlan: 202


Method status list:
Method State
dot1x Authc Success

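To compare many such sessions quickly, here is an added example (not code from the thread or from Cisco) that parses 'show authentication sessions ... detail' output, one session per 'Interface:' line, and lists sessions that are Authorized but still show 'IPv4 Address: Unknown', which is exactly the phone's symptom above. The sample text is a trimmed, constructed copy of the two outputs posted in this thread.

```python
import re

# Constructed sample: trimmed copy of the two session outputs posted in the thread (phone on Gi1/8, PC on Gi1/10).
SAMPLE = """\
Interface: GigabitEthernet1/8
MAC Address: 487a.551e.929f
IPv4 Address: Unknown
User-Name: ALCIPT
Status: Authorized
Domain: VOICE
Oper control dir: both

Server Policies:
Vlan Group: Vlan: 211
Feb 14 15:48:38.641 WCA: %DOT1X-5-SUCCESS: R0/0: sessmgrd: Authentication successful
Interface: GigabitEthernet1/10
MAC Address: 18db.f259.16d1
IPv4 Address: 10.241.190.90
User-Name: host/POGL18009.perenco.org
Status: Authorized
Domain: DATA
Oper control dir: both

Server Policies:
Vlan Group: Vlan: 202
"""

# Only "Key: value" lines; a syslog timestamp such as 15:48:38 has no space after the colon, so it is skipped.
FIELD_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9 /-]*):\s+(.*)$")

def parse_sessions(text):
    """Return one dict per session; each 'Interface:' line starts a new session."""
    sessions, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Interface":
            current = {key: value}
            sessions.append(current)
        elif current is not None:
            current[key] = value
    return sessions

def authorized_without_ip(sessions):
    """Sessions the switch authorized but never learned an IPv4 address for: the phone's symptom in the thread."""
    return [(s["Interface"], s.get("Domain"), s.get("MAC Address"), s.get("Oper control dir"))
            for s in sessions
            if s.get("Status") == "Authorized" and s.get("IPv4 Address", "Unknown") == "Unknown"]
```

Feed it the full output of 'show authentication sessions detail' to get every authorized session that has not obtained an IPv4 address, together with its domain and control direction.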
PC is authc/authz with VLAN 202 and domain DATA using 802.1x.

Phone is authc/authz with VLAN 211 and domain VOICE, also using 802.1x.

Now the PC asks for an IP after it is authenticated; it seems the phone does not do the same.

Let me check for a solution.

Sorry for some delay in replying, I am busy.
MHM

Hi MHM,

Any news?

Regards,

Chris