cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1476
Views
10
Helpful
26
Replies

IP Phone Mac Authentication on Cisco Switches

Hello, 

i recently joined company and i found point that i want to clear out , our setup is like Cisco Switches enabled with Dot1x, MAB,  Clear pass being used as AAA Server, my Question is that whenever i check any interface i don't see any authentication session for IP-phones and they are working very fine even though ports are enabled with dot1x and MAB Authentication.

another point is that i always see the IP phones mac address learned as Static which is something would be fine if they being authenticated but i dont see any authentication sessions for them, please if someone can help on explaining this behavior.

Note: 

below is the MAC address output for single Interface:

#sh mac address-table  int g 2/0/18 
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  76    6879.092c.3d58    STATIC      Gi2/0/18 

 

Below is the Interface Configuration:-

switchport access vlan 15
switchport mode access
switchport voice vlan 76
authentication host-mode multi-host
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
mab
dot1x pae authenticator
dot1x timeout tx-period 60
dot1x max-reauth-req 10
spanning-tree portfast
spanning-tree bpduguard enable
end

1 Accepted Solution

Accepted Solutions

Hello @aliwadmedaniadclick ,

>> Oper host mode: multi-host

This is the key point with multi host only host on the Port performs the authentication and all other devices will use this session.

>> authentication host-mode multi-host

Hope to help

Giuseppe

 

View solution in original post

26 Replies 26

Show authentication session interface x/x detail  <<- share this 

MHM

Hello @HMHMHM , 

Please find below 

sh authentication sessions int g 1/0/32 de
Interface: GigabitEthernet1/0/32
IIF-ID: 0x1D2CD5BE
MAC Address: f48e.387c.9e28
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: domain\XYZ
Status: Authorized
Domain: DATA
Oper host mode: multi-host
Oper control dir: both
Session timeout: 3600s (local), Remaining: 2991s
Timeout action: Reauthenticate
Common Session ID: F7C8A8C0000014C40861AD6E
Acct Session ID: 0x000003c0
Handle: 0x6e00039b
Current Policy: POLICY_Gi1/0/32


Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecured

Server Policies:
Vlan Group: Vlan: 9


Method status list:
Method State
dot1x Authc Success

 

 

Method status list:
       Method           State
        dot1x           Authc Success

 

 

sh mac address-table int gi 1/0/32
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
76 00af.1fc0.aa49 STATIC Gi1/0/32
9 f48e.387c.9e28 STATIC Gi1/0/32

 

 

sh authentication  sessions method mab int g 1/0/32 
No sessions match supplied criteria.

 

 

Hello @aliwadmedaniadclick ,

>> Oper host mode: multi-host

This is the key point with multi host only host on the Port performs the authentication and all other devices will use this session.

>> authentication host-mode multi-host

Hope to help

Giuseppe

 

Hello @Giuseppe Larosa ,

thanks for your valuable feedback, then if this is the case that means if no Host (Data) Supplicant  attached to the IP-phone, then the IP-phone should not be able to communicate through the port as the port will be un-authorized, i have done one test where i have plugged in only IP-phone without any PCs connected to that IP-phone and the result was also the same, the IP-phone was able to register and worked fine as well as no any Auth session recorded on the switch level, please can share your though on this.

Appreciated

Hello @aliwadmedaniadclick ,

you have made a meaningful test. 

At this point  there is probably  a dedicated policy in the AAA server ClearPass to deal with the Phones.

Or the interaction of switchport voice vlan xx with other commands allow the phones. The phone is identified via CDP or LLDP MED.

Hope to help

Giuseppe

hello @Giuseppe Larosa , 

if there is any policy to deal with the Phones then at least a authentication session should be there as the phone will be profiled, i have also checked the Clearpass, nothing related to the IP-phones.

 

for Command interaction, this what i do believe but am not sure which commands set has achieved this requirements. 

OK, since we dont know how ip phone authc let start look about the VLAN 
there is VLAN (15) data VLAN (76) voice and VLAN (9)?
the SW assign to VLAN to device according to 
1- dyanmic vlan assign by server <<- need to check in server 
2-critical VLAN 
3-guest VLAN
4-restricted VLAN 

so two Q 
1- phone get which VLAN (do show mac address)
2- can you see the global AAA config in SW 

MHM

hello @MHM Cisco World , 

Please find below regarding the Vlans, Mac-address and AAA Config.

VLANS:

vlan 15 : this Quarantine Vlan, if the PC didn't authenticate.

Vlan 9 : this Dynamic Vlan will be assigned to PC if PC fully authenticate.

Vlan 76 : this is the voice vlan.

 MAC-address on the Interface

sh mac address-table int gi 1/0/32 
          Mac Address Table
-------------------------------------------

 

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  76    00af.1fc0.aa49    STATIC      Gi1/0/32       >>>> this IP Phone Mac-address
   9    f48e.387c.9e28    STATIC      Gi1/0/32      >>>>  this PC Mac-address

AAA Config:-

sh run | sec aaa|radius
aaa new-model
aaa group server tacacs+ CPPM
server name CPPM
aaa authentication login default group CPPM local
aaa authentication login VTY group tacacs+ local
aaa authentication login NOLO none
aaa authentication dot1x default group radius
aaa authorization exec VTY group radius local 
aaa authorization network default group radius 
aaa authorization auth-proxy default group radius 
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group CPPM
aaa accounting commands 15 default start-stop group CPPM
aaa server radius dynamic-author
client XYZ server-key XYZ
port 3799
auth-type all
aaa session-id common
radius server CPPM
address ipv4 XYZ auth-port 1812 acct-port 1813
key XYZ

 

Appreciated, 

 

Case 1,

ip phone is connect without PC 
the AAA config to send back VLAN 15, domain is DATA or Voice in show authc session 
and the phone can work 
confirm above please 

Case2, phone connect and then PC, the PC success auth via 802.1x and get vlan 9 and then ip phone use CDP to get correct vlan which is 76
domain show data in show authc session (only ONE device which is auth is appear and it must be PC)

MHM

Hello @MHM Cisco World 

Case 1,

ip phone is connect without PC 
the AAA config to send back VLAN 15, domain is DATA or Voice in show authc session 
and the phone can work 
confirm above please 

Answer :

in this case even though port is configured with 15 vlan but it’s not relevant as no pc would be connected so the port will only show the clan 76 of the IP phone and no authentication session will be recorded and this is the main clarification am seeking, how it’s the IP phone authorized to get 76 vlan and no authentication session showing on the switch level.


Case2, phone connect and then PC, the PC success auth via 802.1x and get vlan 9 and then ip phone use CDP to get correct vlan which is 76
domain show data in show authc session (only ONE device which is auth is appear and it must be PC)

 

Answer:

yes completely right as you described it.

appreciated,

for case1 when you connect only IP phone can use share 
show authentication session interface x/x detail 
again please 
thanks 

MHM

show authentication session interface Gi1/0/32 <<- share this without add detail in end 

MHM

hello @MHM Cisco World , 

 

please find below requested output.

 

#sh authentication  sessions int g 1/0/32
Interface                MAC Address    Method  Domain  Status Fg  Session ID
--------------------------------------------------------------------------------------------
Gi1/0/32                 f48e.387c.9e28 dot1x   DATA    Auth        F7C8A8C0000014C40861AD6E

 

Key to Session Events Blocked Status Flags:

 

  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker

 

Runnable methods list:
  Handle  Priority  Name
       9         5  dot1xSup
       8         5  dot1x
      14        10  webauth
      10        15  mab

sh authentication sessions int g 1/0/32 de
Interface: GigabitEthernet1/0/32
IIF-ID: 0x1D2CD5BE
MAC Address: f48e.387c.9e28
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: domain\XYZ
Status: Authorized
Domain: DATA <<- this domain is DATA not Voice 
Oper host mode: multi-host <<- this first point multi-host use to connect multi data device into one port, first device connect is authc and later any device connect will auto authz using same VLAN
Oper control dir: both
Session timeout: 3600s (local), Remaining: 2991s
Timeout action: Reauthenticate
Common Session ID: F7C8A8C0000014C40861AD6E
Acct Session ID: 0x000003c0
Handle: 0x6e00039b
Current Policy: POLICY_Gi1/0/32


Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecured

Server Policies:
Vlan Group: Vlan: 9


Method status list:
Method State
dot1x Authc Success <<- the MAB mathod is missing from this config ?

 

#sh authentication  sessions int g 1/0/32
Interface                MAC Address    Method  Domain  Status Fg  Session ID
--------------------------------------------------------------------------------------------
Gi1/0/32                 f48e.387c.9e28 dot1x   DATA    Auth        F7C8A8C0000014C40861AD6E <<- this MAC is for VoIP or for PC connec to phone ?

 

Review Cisco Networking for a $25 gift card