Solved: IP Phone 802.1x mab authenticaon

tim.zhao · ‎07-14-2019

Hi everyone,

We have configured 802.1x wired authentication with NPS server.

We enable mab for ip-phone authentication.

Here is our interface configuration:

interface GigabitEthernet0/9
switchport access vlan 21
switchport mode access
switchport voice vlan 2
authentication event fail action next-method
authentication event server dead action authorize vlan 31
authentication event no-response action authorize vlan 31
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 300
mab
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout tx-period 5
dot1x timeout supp-timeout 5
spanning-tree portfast edge

!

Here is my question:

When the NPS server down,or PC fail to authenticate, PC would assign to vlan 31,that's fine.

But when IP-Phone fail to authenticate ,it support to assign to vlan 2 not vlan 31.

How to deal with this scenarios?

Thank for any answers.

Best Regards,

Tim

Seb Rupik · ‎07-14-2019

Hi there,

Add this line to your interface config:

!
authentication event fail action authorize vlan 2
!

cheers,

Seb.

View solution in original post

Seb Rupik · ‎07-14-2019

Hi there,

Add this line to your interface config:

!
authentication event fail action authorize vlan 2
!

cheers,

Seb.

tim.zhao · ‎07-14-2019

Thank you so much..

tim.zhao · ‎07-14-2019

Hi there,

I have added authentication event fail action authorize vlan 2, but it didn't work...
here is my configuration:
interface GigabitEthernet0/9
switchport access vlan 21
switchport mode access
switchport voice vlan 2
ip device tracking maximum 5
authentication event fail action authorize vlan 2
authentication event server dead action authorize vlan 31
authentication event server dead action authorize voice
authentication event no-response action authorize vlan 31
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 300
authentication violation restrict
mab
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout tx-period 5
dot1x timeout supp-timeout 5
spanning-tree portfast edge
!
sho cdp neighbors gigabitEthernet 0/9
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID Local Intrfce Holdtme Capability Platform Port ID
SEP204C9EB3820C Gig 0/9 126 H P M IP Phone Port 1
!
sho mac add int gi 0/9
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
31 204c.9eb3.820c STATIC Gi0/9
Total Mac Addresses for this criterion: 1

IP-phone was assigned to vlan 31

Thanks

Seb Rupik · ‎07-15-2019

What switch model and IOS version are you using?

tim.zhao · ‎07-15-2019

Hi there,
WS-C2960X-24PS-L 15.2(7)E0a

Thank you

Seb Rupik · ‎07-15-2019

Can you share a full AAA debug of when a client connects to this part and you believe an authentication failure occurs?

Can you confirm from the NPS that an Access-Reject message is actually sent for the client?

cheers,

Seb.

Seb Rupik · ‎07-15-2019

Having just read through the prerequisites, your switchport needs to be in single-host mode for this feature to work:

!
authentication host-mode single-host
!

cheers,

Seb.