Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1967
Views
10
Helpful
5
Replies

Dot1x Issue: Intermittent connectivity in multidomain mode - Avaya phone/Workstation

Go to solution
jon_panes24
Level 1
Level 1

‎03-27-2018 08:03 PM - edited ‎03-08-2019 02:25 PM

Hi,

 

We currently have a port configured for dot1x authentication ( dynamic VLAN assignment and multidomain mode )

 

interface GigabitEthernet2/0/4

switchport access vlan 168
switchport mode access
switchport voice vlan 600
no logging event link-status
srr-queue bandwidth share 1 30 30 30
priority-queue out
authentication host-mode multi-domain
authentication open
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation replace
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 5
dot1x timeout supp-timeout 5
spanning-tree portfast
end

 

Our setup is that there are 2 devices connected to the port ( 1 avaya IP phone and a windows laptop ).

This means that both the avaya phone and the windows laptop should authenticate towards using dot1x, but if they fail the authentication the switch will still pass the traffic due to the command "authentication port-control auto".  

 

We are getting reports from the end user that their network connectivity is being intermittent and i would just want to verify whether if if it would be related to our dot1x port configurations. Ive attached a log file on the switch where both clients are connected

 

24d9.214b.0418 --> AVAYA DEVICE

ecb1.d733.8742 --> LAPTOP DEVICE

 

Im suspecting that its the avaya device failing to authenticate and removes the MAC address entry for the laptop on the device. Im seeing on the "show dot1x interface GigabitEthernet2/0/4 details", its flaps between AUTHENTICATED (for the laptop)/AUTHENTICATING ( for the avaya) going to no output in the Dot1x Authenticator client list.

 

Checking the MAC address table on the g2/0/4, im seeing that sometimes the both the STATIC MAC ADDRESS of the laptop  ( due to the dynamic VLAN assignment ) and the DYNAMIC MAC of the Avaya is there, but once I get the AUTHMGR-5-SECURITY_VIOLATION and AUTHMGR-5-MACREPLACE, the MAC addresse are removed and re-added making the connection intermittent.

 

Any inputs regarding this? 

 

 

regards,

Jon

 

 

 

 

Labels:
Preview file
31 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to jon_panes24

‎03-27-2018 09:36 PM

Yes because avaya is doing a request in the data domain.

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

5 Replies 5

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎03-27-2018 09:01 PM

Hi

 

The command authentication port-control auto isn't for fall authentication bypass. It basically starts authentication when the port guess from down to up.

You have the command authentication event fail actionauthorize vlan xx to assign a vlan if your authentication fails.

 

Anyway, based on your logs, a mac address is already authenticated and when the second one come, you have a violation because it allows only 1 mac port domain.

 

To solve this issue, you need to make sure that you're replying with your authorization this device belongs to voice domain. You can also activate lldp and make sure this device authenticates in the voice domain.

 

Hope this is clear otherwise let me know.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
jon_panes24
Level 1
Level 1
In response to Francesco Molino

‎03-27-2018 09:21 PM

"

The command authentication port-control auto isn't for fall authentication bypass. It basically starts authentication when the port guess from down to up.

You have the command authentication event fail actionauthorize vlan xx to assign a vlan if your authentication fails."

 

Pardon for the error in my query, its the "authentication open" command i was referring to as the fallback.

 

Is it because the Avaya phone doesnt negotiate the voice vlan that is why its seen as a security violation and is seen as part of the access vlan?

 

 

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to jon_panes24

‎03-27-2018 09:36 PM

Yes because avaya is doing a request in the data domain.

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Go to solution
jon_panes24
Level 1
Level 1
In response to Francesco Molino

‎03-27-2018 10:04 PM

Thanks for that info Francesco.

 

I was just wondering how does 802.1x distinguish whether im making the request in the data domain vs. the voice domain?

 

regards,

Jon

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to jon_panes24

‎03-28-2018 06:48 AM

Usually this is achieved leveraging cdp or lldp or even returning the cisco-av-pair attribute value {cisco-avpair="device-traffic-class=voice"} to force this device being pushed in voice domain.

You can see it with show authen sess int on the switch and it will show data domain or by using tcpdump, you can see this going to data domain.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card