cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1469
Views
10
Helpful
5
Replies

Dot1x Issue: Intermittent connectivity in multidomain mode - Avaya phone/Workstation

jon_panes24
Beginner
Beginner

Hi,

 

We currently have a port configured for dot1x authentication ( dynamic VLAN assignment and multidomain mode )

 

interface GigabitEthernet2/0/4

switchport access vlan 168
switchport mode access
switchport voice vlan 600
no logging event link-status
srr-queue bandwidth share 1 30 30 30
priority-queue out
authentication host-mode multi-domain
authentication open
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation replace
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 5
dot1x timeout supp-timeout 5
spanning-tree portfast
end

 

Our setup is that there are 2 devices connected to the port ( 1 avaya IP phone and a windows laptop ).

This means that both the avaya phone and the windows laptop should authenticate towards using dot1x, but if they fail the authentication the switch will still pass the traffic due to the command "authentication port-control auto".  

 

We are getting reports from the end user that their network connectivity is being intermittent and i would just want to verify whether if if it would be related to our dot1x port configurations. Ive attached a log file on the switch where both clients are connected

 

24d9.214b.0418 --> AVAYA DEVICE

ecb1.d733.8742 --> LAPTOP DEVICE

 

Im suspecting that its the avaya device failing to authenticate and removes the MAC address entry for the laptop on the device. Im seeing on the "show dot1x interface GigabitEthernet2/0/4 details", its flaps between AUTHENTICATED (for the laptop)/AUTHENTICATING ( for the avaya) going to no output in the Dot1x Authenticator client list.

 

Checking the MAC address table on the g2/0/4, im seeing that sometimes the both the STATIC MAC ADDRESS of the laptop  ( due to the dynamic VLAN assignment ) and the DYNAMIC MAC of the Avaya is there, but once I get the AUTHMGR-5-SECURITY_VIOLATION and AUTHMGR-5-MACREPLACE, the MAC addresse are removed and re-added making the connection intermittent.

 

Any inputs regarding this? 

 

 

regards,

Jon

 

 

 

 

1 Accepted Solution

Accepted Solutions

Yes because avaya is doing a request in the data domain.

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

5 Replies 5

Francesco Molino
VIP Mentor VIP Mentor
VIP Mentor

Hi

 

The command authentication port-control auto isn't for fall authentication bypass. It basically starts authentication when the port guess from down to up.

You have the command authentication event fail actionauthorize vlan xx to assign a vlan if your authentication fails.

 

Anyway, based on your logs, a mac address is already authenticated and when the second one come, you have a violation because it allows only 1 mac port domain.

 

To solve this issue, you need to make sure that you're replying with your authorization this device belongs to voice domain. You can also activate lldp and make sure this device authenticates in the voice domain.

 

Hope this is clear otherwise let me know.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

"

The command authentication port-control auto isn't for fall authentication bypass. It basically starts authentication when the port guess from down to up.

You have the command authentication event fail actionauthorize vlan xx to assign a vlan if your authentication fails."

 

Pardon for the error in my query, its the "authentication open" command i was referring to as the fallback.

 

Is it because the Avaya phone doesnt negotiate the voice vlan that is why its seen as a security violation and is seen as part of the access vlan?

 

 

Yes because avaya is doing a request in the data domain.

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks for that info Francesco.

 

I was just wondering how does 802.1x distinguish whether im making the request in the data domain vs. the voice domain?

 

regards,

Jon

Usually this is achieved leveraging cdp or lldp or even returning the cisco-av-pair attribute value {cisco-avpair="device-traffic-class=voice"} to force this device being pushed in voice domain.

You can see it with show authen sess int on the switch and it will show data domain or by using tcpdump, you can see this going to data domain.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers