07-31-2024 12:46 PM
Hello,
I recently joined a company and found a point that I want to clear up. Our setup is Cisco switches enabled with dot1x and MAB, with ClearPass used as the AAA server. My question is that whenever I check any interface I don't see any authentication session for the IP phones, yet they are working fine even though the ports are enabled with dot1x and MAB authentication.
Another point is that I always see the IP phone MAC addresses learned as STATIC, which would be fine if they were being authenticated, but I don't see any authentication sessions for them. Please, if someone can help explain this behavior.
Note: below is the MAC address table output for a single interface:
#sh mac address-table int g 2/0/18
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
76 6879.092c.3d58 STATIC Gi2/0/18
Below is the interface configuration:
switchport access vlan 15
switchport mode access
switchport voice vlan 76
authentication host-mode multi-host
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
mab
dot1x pae authenticator
dot1x timeout tx-period 60
dot1x max-reauth-req 10
spanning-tree portfast
spanning-tree bpduguard enable
end
08-01-2024 02:35 PM
Hello @MHM Cisco World ,
From the Wireshark OUI search tool we find
F4:8E:38 Dell Inc
So my guess is that this is the MAC address of a PC.
@aliwadmedaniadclick can you confirm this ?
Hope to help
Giuseppe
08-02-2024 06:08 AM - edited 08-02-2024 06:09 AM
Hello @MHM Cisco World,
The shared authentication output was for the interface where both the PC and the IP phone are connected: PC >> IP phone >> Cisco C9200-48P.
The mentioned f48e.387c.9e28 MAC address belongs to the PC, and below is the interface configuration.
interface GigabitEthernet1/0/32
switchport access vlan 15
switchport mode access
switchport voice vlan 76
authentication host-mode multi-host
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
mab
dot1x pae authenticator
dot1x timeout tx-period 60
dot1x max-reauth-req 10
spanning-tree portfast
spanning-tree bpduguard enable
end
Appreciated,
08-02-2024 08:24 AM - edited 08-02-2024 08:25 AM
Hello Cisco Community,
Please, if someone can help clarify this deployed solution. I have done many things to find out how the IP phones are granted access on ports deployed with dot1x and MAB when I don't see any authentication sessions at the switch level. Knowing this will help me optimize the existing setup and isolate issues in the future.
Thanks in Advance.
08-04-2024 04:57 AM
Dear @aliwadmedaniadclick ,
Just want to share something from the organization I am currently at, which uses a different method for allowing port connectivity. In the Network Access Control there is a manual definition of MAC addresses that belong to IP phones, which are exempted from the policies applied on the port interface. If that definition is not there, the IP phone is put in an isolated/restricted VLAN even though a switchport voice VLAN is configured.
Sample configuration below:
switch01#sh run int g1/0/1
Building configuration...
Current configuration : 255 bytes
!
interface GigabitEthernet1/0/1
switchport access vlan 20 --> isolated/restricted vlan
switchport mode access
switchport voice vlan 30
snmp trap mac-notification change added -->snmp mac notification sent to Network Access Control
snmp trap mac-notification change removed -->snmp mac notification sent to Network Access Control
spanning-tree portfast
spanning-tree bpduguard enable
end
switch01#
other links that you may want to look at
https://community.arubanetworks.com/discussion/ip-phone-repository-for-clearpass
https://community.arubanetworks.com/discussion/clearpass-profile-cisco-ip-phone-with-generic
Happy to help
Best regards,
08-07-2024 12:20 PM
Hello @bbb bbb ,
Apologies for the late reply. I think the solution you are running is NAC with SNMP traps; we are running full dot1x and MAB under the interface and we don't rely on SNMP traps to authenticate and authorize the endpoints. Your feedback is highly appreciated.
Many thanks, bro.
08-08-2024 12:05 AM
Dear @aliwadmedaniadclick ,
Welcome brother. Yup the solution on my side is NAC with SNMP.
I am learning through your post. Thank you for sharing and grateful for the experts answer here.
: ]
Best regards,
08-06-2024 02:06 AM - edited 08-06-2024 02:07 AM
thank you for the thumbs up @Giuseppe Larosa. It helps a lot. : ]
08-06-2024 03:34 AM
08-07-2024 12:31 PM
Sorry, for case 1, when you connect only the phone, can you share
show auth session interface x/x detail
Thanks
MHM
08-07-2024 03:20 PM - edited 08-07-2024 03:40 PM
Hello @Giuseppe Larosa & @MHM Cisco World ,
Appreciate your valuable feedback on this flow. I believe @Giuseppe Larosa was right about host mode: multi-host is the key point.
Two actions I have done:
A) I replicated the same scenario in another environment where they are using host mode multi-auth. The result was that the IP phone and the PC both have to be authenticated as long as multi-auth mode is used, with one authentication session for each endpoint recorded on the switch side. Then, when I changed the port configuration to multi-host and disconnected the PC, the IP phone was able to go online with no authentication session recorded on the switch.
B) Then, in my environment, I connected one IP phone without a PC behind it and captured the entire communication on the port: no EAP or EAPOL was recorded, and the IP phone was able to get a DHCP IP, then communicate with its TFTP server, download the config file and complete registration smoothly.
Conclusion:
As @Giuseppe Larosa mentioned, the secret is the host mode multi-host. It seems that it only authenticates the host connected to the port but not the voice device (IP phone), and if only one machine is authenticated then all others will follow and are not required to be authenticated. This is useful for a host with multiple VMs connected to the port: if only one VM is authenticated, the others don't need to be.
Once again, thanks to everyone who helped clarify this communication flow.
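The conclusion above turns on one line of the port configuration, `authentication host-mode multi-host`. The following is an added example (editor's code, not from any poster in this thread) that audits running-config interface blocks for that setting: it parses each `interface` block, records host-mode, port-control, whether `mab` and `dot1x pae authenticator` are present and whether a voice VLAN is configured, and flags multi-host ports that enforce dot1x/MAB, with a separate flag when a voice VLAN sits on such a port. The sample config embeds the thread's Gi2/0/18 block; Gi2/0/19 (multi-auth) and Gi2/0/20 (multi-host, no voice VLAN) are constructed for comparison. The IOS defaults assumed when a line is absent (`single-host`, `force-authorized`) are the editor's knowledge, not something the thread states.

```python
"""Audit Cisco IOS interface blocks for 802.1X/MAB host-mode settings.

Added example for this thread, not code posted by any participant.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample config. Gi2/0/18 copies the thread's port; Gi2/0/19
# and Gi2/0/20 are hypothetical ports added only for comparison.
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet2/0/18
 switchport access vlan 15
 switchport mode access
 switchport voice vlan 76
 authentication host-mode multi-host
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/19
 switchport access vlan 15
 switchport mode access
 switchport voice vlan 76
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet2/0/20
 switchport access vlan 15
 switchport mode access
 authentication host-mode multi-host
 authentication port-control auto
 dot1x pae authenticator
!
"""

# Finding codes and what they mean for the operator.
FINDING_TEXT = {
    "NOT_ENFORCING": "port-control is not 'auto' or neither mab nor dot1x is enabled: nothing is authenticated",
    "MULTI_HOST": "multi-host: the first MAC that authenticates opens the port for every other MAC behind it",
    "MULTI_HOST_VOICE": "voice VLAN on a multi-host port: phone and PC share one session (the thread's case)",
}

@dataclass
class PortAuth:
    name: str
    host_mode: str = "single-host"          # assumed IOS default when the line is absent
    port_control: str = "force-authorized"  # assumed IOS default when the line is absent
    dot1x: bool = False
    mab: bool = False
    voice_vlan: str | None = None
    findings: list[str] = field(default_factory=list)

def parse_interfaces(config: str) -> list[PortAuth]:
    """Split a running-config into one PortAuth record per interface block."""
    ports: list[PortAuth] = []
    current: PortAuth | None = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = PortAuth(name=line.split(None, 1)[1])
            ports.append(current)
        elif line == "!" or not line:
            current = None            # "!" closes the block
        elif current is not None:
            if m := re.fullmatch(r"authentication host-mode (\S+)", line):
                current.host_mode = m.group(1)
            elif m := re.fullmatch(r"authentication port-control (\S+)", line):
                current.port_control = m.group(1)
            elif m := re.fullmatch(r"switchport voice vlan (\S+)", line):
                current.voice_vlan = m.group(1)
            elif line == "mab":
                current.mab = True
            elif line == "dot1x pae authenticator":
                current.dot1x = True
    return ports

def audit(ports: list[PortAuth]) -> dict[str, list[str]]:
    """Return finding codes per interface; an empty list means no concern."""
    for p in ports:
        p.findings.clear()
        if p.port_control != "auto" or not (p.dot1x or p.mab):
            p.findings.append("NOT_ENFORCING")
            continue
        if p.host_mode == "multi-host":
            p.findings.append("MULTI_HOST")
            if p.voice_vlan is not None:
                p.findings.append("MULTI_HOST_VOICE")
    return {p.name: list(p.findings) for p in ports}

if __name__ == "__main__":
    for name, codes in audit(parse_interfaces(SAMPLE_RUNNING_CONFIG)).items():
        print(name, "OK" if not codes else "")
        for code in codes:
            print("   ", code, "-", FINDING_TEXT[code])
```

Run against a full `show running-config` dump, it lists every port on which one authenticated device would let unauthenticated devices through; the thread's own test in action A shows that switching such a port to multi-auth produces one session per endpoint.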
08-07-2024 03:26 PM - edited 08-07-2024 03:26 PM
Friend, I can easily say yes, but sorry, no, that does not explain the behavior here.
With two devices, PC and phone, connected here, the PC has 802.1X capability and does the port authc, and the SW opens it for both devices since we use multi-host.
Connect only the phone, which does not have 802.1X capability, and the authc fails and the SW does not open the port for any device. This is why I asked for show auth session interface details when you connect only the phone: the AAA server can push a VLAN when authc fails (restricted VLAN), or the SW can use the guest VLAN.
Note: some phones have 802.1X capability.
Goodluck
MHM
08-07-2024 03:33 PM
hello @MHM Cisco World ,
Please find below the output as requested, where only the IP phone is connected without a PC.
#sh authentication sessions int g 2/0/18 de
No sessions match supplied criteria.
#sh mac address-table int gigabitEthernet 2/0/18
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
76 6879.092c.3d58 STATIC Gi2/0/18 >> this is the IP phone MAC address.
interface GigabitEthernet2/0/18
description ** Connected to MY Primary LAN **
switchport access vlan 15
switchport mode access
switchport voice vlan 76
authentication host-mode multi-host
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
mab
dot1x pae authenticator
dot1x timeout tx-period 60
dot1x max-reauth-req 10
spanning-tree portfast
spanning-tree bpduguard enable
end
Appreciated,
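The two outputs in this post are the check a practitioner would want to automate across a switch: MACs the switch is forwarding for (the mac address table) that have no authentication session. The following added example (editor's code, not posted by anyone in the thread) parses both outputs and reports the rows of `show mac address-table interface` whose MAC does not appear in `show authentication sessions interface ... detail`. The first sample pair is the thread's own Gi2/0/18 output; the second pair is constructed for a hypothetical port Gi1/0/32 where the PC MAC named in the thread (f48e.387c.9e28) has a session and the phone does not. The tabular layout and session ID in that constructed session output are assumptions; the parser only relies on finding MACs in Cisco dotted format and on the literal "No sessions match supplied criteria." reply shown above.

```python
"""Cross-check "show mac address-table" against "show authentication sessions".

Added example for this thread, not code posted by any participant.
"""
import re

# Cisco dotted MAC format as printed by both commands, e.g. 6879.092c.3d58
MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
MAC_RE = re.compile(MAC, re.I)
# One data row of the mac table: vlan, mac, type, port
MAC_ROW_RE = re.compile(rf"^\s*(\d+|All)\s+({MAC})\s+(\S+)\s+(\S+)", re.I)

# Sample 1: the outputs posted in the thread for Gi2/0/18 (phone only).
MAC_TABLE_GI2_0_18 = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  76    6879.092c.3d58    STATIC      Gi2/0/18
"""
SESSIONS_GI2_0_18 = "No sessions match supplied criteria.\n"

# Sample 2: constructed outputs for a hypothetical port where the PC MAC
# (f48e.387c.9e28, named in the thread) has a session and the phone does not.
# Column layout and session ID are assumptions, not copied from the thread.
MAC_TABLE_GI1_0_32 = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  15    f48e.387c.9e28    STATIC      Gi1/0/32
  76    6879.092c.3d58    STATIC      Gi1/0/32
"""
SESSIONS_GI1_0_32 = """\
Interface    MAC Address     Method  Domain  Status  Fg  Session ID
Gi1/0/32     f48e.387c.9e28  dot1x   DATA    Auth        0A0A0A0A00000001000011AA
"""

def parse_mac_table(text: str) -> list[dict]:
    """Rows of the mac table as dicts; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        if m := MAC_ROW_RE.match(line):
            rows.append({"vlan": m.group(1), "mac": m.group(2).lower(),
                         "type": m.group(3).upper(), "port": m.group(4)})
    return rows

def parse_session_macs(text: str) -> set[str]:
    """MACs that have an authentication session; empty for the 'no sessions' reply."""
    if "No sessions match supplied criteria" in text:
        return set()
    return {m.lower() for m in MAC_RE.findall(text)}

def macs_without_session(mac_table_text: str, sessions_text: str) -> list[dict]:
    """Mac-table rows whose MAC has no session in the session output."""
    authenticated = parse_session_macs(sessions_text)
    return [r for r in parse_mac_table(mac_table_text) if r["mac"] not in authenticated]

if __name__ == "__main__":
    for label, table, sessions in [
        ("Gi2/0/18 (thread output)", MAC_TABLE_GI2_0_18, SESSIONS_GI2_0_18),
        ("Gi1/0/32 (constructed)", MAC_TABLE_GI1_0_32, SESSIONS_GI1_0_32),
    ]:
        for r in macs_without_session(table, sessions):
            print(f"{label}: vlan {r['vlan']} {r['mac']} ({r['type']}) "
                  "forwarding with no authentication session")
```

Both samples report the phone MAC 6879.092c.3d58 as forwarding without a session, which is the situation the original question describes; a port where every row has a session comes back empty.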