cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1328
Views
5
Helpful
7
Replies

IP Phone 802.1x mab authenticaon

tim.zhao
Beginner
Beginner

Hi everyone,

 

We have configured 802.1x wired authentication with NPS server.

We enable mab for ip-phone authentication. 

 

Here is our interface configuration:

interface GigabitEthernet0/9
switchport access vlan 21
switchport mode access
switchport voice vlan 2
authentication event fail action next-method
authentication event server dead action authorize vlan 31
authentication event no-response action authorize vlan 31
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 300
mab
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout tx-period 5
dot1x timeout supp-timeout 5
spanning-tree portfast edge

!

Here is my question:

When the NPS server down,or PC fail to authenticate, PC would assign to vlan 31,that's fine.

But when IP-Phone fail to authenticate ,it support to assign to vlan 2 not vlan 31.

 

How to deal with this scenarios?

 

Thank for any answers.

 

Best Regards,

Tim

 

1 Accepted Solution

Accepted Solutions

Seb Rupik
VIP Advisor VIP Advisor
VIP Advisor

Hi there,

Add this line to your interface config:

!
authentication event fail action authorize vlan 2
!

cheers,

Seb.

 

View solution in original post

7 Replies 7

Seb Rupik
VIP Advisor VIP Advisor
VIP Advisor

Hi there,

Add this line to your interface config:

!
authentication event fail action authorize vlan 2
!

cheers,

Seb.

 

Thank you so much..

Hi there,

I have added authentication event fail action authorize vlan 2, but it didn't work...
here is my configuration:
interface GigabitEthernet0/9
switchport access vlan 21
switchport mode access
switchport voice vlan 2
ip device tracking maximum 5
authentication event fail action authorize vlan 2
authentication event server dead action authorize vlan 31
authentication event server dead action authorize voice
authentication event no-response action authorize vlan 31
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 300
authentication violation restrict
mab
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout tx-period 5
dot1x timeout supp-timeout 5
spanning-tree portfast edge
!
sho cdp neighbors gigabitEthernet 0/9
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID Local Intrfce Holdtme Capability Platform Port ID
SEP204C9EB3820C Gig 0/9 126 H P M IP Phone Port 1
!
sho mac add int gi 0/9
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
31 204c.9eb3.820c STATIC Gi0/9
Total Mac Addresses for this criterion: 1

IP-phone was assigned to vlan 31

Thanks

What switch model and IOS version are you using?

Hi there,
WS-C2960X-24PS-L 15.2(7)E0a

Thank you

Can you share a full AAA debug of when a client connects to this part and you believe an authentication failure occurs?

 

Can you confirm from the NPS that an Access-Reject message is actually sent for the client?

 

cheers,

Seb.

Having just read through the prerequisites, your switchport needs to be in single-host mode for this feature to work:

!
authentication host-mode single-host
!

cheers,

Seb.

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers