IP Phone Mac Authentication on Cisco Switches

Hello, 

I recently joined a company and found a point that I want to clear up. Our setup is Cisco switches enabled with dot1x and MAB, with ClearPass being used as the AAA server. My question is that whenever I check any interface I don't see any authentication session for IP phones, and they are working fine even though the ports are enabled with dot1x and MAB authentication.

Another point is that I always see the IP phones' MAC addresses learned as static, which would be fine if they were being authenticated, but I don't see any authentication sessions for them. Please, if someone can help explain this behaviour.

Note: 

Below is the MAC address output for a single interface:

#sh mac address-table  int g 2/0/18 
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  76    6879.092c.3d58    STATIC      Gi2/0/18 

 

Below is the interface configuration:

switchport access vlan 15
switchport mode access
switchport voice vlan 76
authentication host-mode multi-host
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
mab
dot1x pae authenticator
dot1x timeout tx-period 60
dot1x max-reauth-req 10
spanning-tree portfast
spanning-tree bpduguard enable
end

26 Replies

Hello @MHM Cisco World ,

From the Wireshark OUI search tool we find

F4:8E:38 Dell Inc

So my guess is that this is the MAC address of a PC.

@aliwadmedaniadclick can you confirm this ?

Hope to help

Giuseppe

 

Hello @MHM Cisco World,

The shared authentication output was for the interface where both the PC and the IP phone are connected: PC >> IP phone >> Cisco C9200-48P

The mentioned f48e.387c.9e28 MAC address belongs to the PC, and below is the interface configuration.

interface GigabitEthernet1/0/32
switchport access vlan 15
switchport mode access
switchport voice vlan 76
authentication host-mode multi-host
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
mab
dot1x pae authenticator
dot1x timeout tx-period 60
dot1x max-reauth-req 10
spanning-tree portfast
spanning-tree bpduguard enable
end

Appreciated, 

Hello Cisco Community,

Please, if someone can help clarify this deployed solution, as I have done many things to learn how the IP phones are granted access to ports deployed with dot1x and MAB, but where I don't see any authentication sessions at the switch level. Knowing this can help me optimize the existing setup and isolate issues in the future.

Thanks in Advance.

bbb bbb
Level 1

Dear @aliwadmedaniadclick ,

Just want to share something about the organization I am currently at, which uses a different method for allowing port connectivity. In the Network Access Control there is a manual definition of MAC addresses that belong to IP phones, which are exempted from the policies applied on the port interface. If that definition is not there, the IP phone is put in an isolated/restricted VLAN even though there is a switchport voice VLAN configured.

 

Sample configuration below:

switch01#sh run int g1/0/1
Building configuration...

Current configuration : 255 bytes
!
interface GigabitEthernet1/0/1
switchport access vlan 20 --> isolated/restricted vlan
switchport mode access
switchport voice vlan 30
snmp trap mac-notification change added     -->snmp mac notification sent to Network Access Control
snmp trap mac-notification change removed  -->snmp mac notification sent to Network Access Control
spanning-tree portfast
spanning-tree bpduguard enable
end

switch01#

 

Other links that you may want to look at:

https://community.arubanetworks.com/discussion/ip-phone-repository-for-clearpass

https://community.arubanetworks.com/discussion/clearpass-profile-cisco-ip-phone-with-generic

Happy to help

Best regards,

Hello @bbb bbb , 

Apologies for the late reply. I think the solution you are running is NAC with SNMP traps; we are running complete dot1x and MAB under the interface and we don't rely on SNMP traps to authenticate and authorize the endpoints. Your feedback is highly appreciated.

Many thanks, bro.

Dear @aliwadmedaniadclick , 

Welcome, brother. Yup, the solution on my side is NAC with SNMP.

I am learning through your post. Thank you for sharing, and I'm grateful for the experts' answers here.


 : ]

Best regards,

bbb bbb
Level 1

Thank you for the thumbs up @Giuseppe Larosa. It helps a lot.  : ]

Hello @bbb bbb ,

You are welcome in the forums.

Best Regards

Giuseppe

 

Sorry, for case 1, when you connect only the phone, can you share

Show auth session interface x/x detail 

Thanks

MHM

Hello @Giuseppe Larosa  & @MHM Cisco World ,

Appreciating your valuable feedback on this flow. So I believe @Giuseppe Larosa was right about the host mode: multi-host is the key point.

Two actions I have done:

A) I replicated the same scenario in another environment where they are using host mode multi-auth. The result was that the IP phone and the PC both had to be authenticated as long as multi-auth mode was used, with one authentication session for each endpoint recorded on the switch side. Then, when I changed the port configuration to multi-host and disconnected the PC, the IP phone was able to go online and no authentication session was recorded at the switch level.

B) Then, in my environment, I connected one IP phone without a PC behind it and captured the entire communication on the port. No EAP or EAPOL was recorded there, and the IP phone was able to get a DHCP IP, then communicate with its TFTP server, download the config file, and complete registration smoothly.

Conclusion:

As @Giuseppe Larosa mentioned, the secret is the host mode: multi-host. It seems that it only authenticates the host connected to the port but not the voice (IP phone), and if only one machine is authenticated then all others follow and are not required to be authenticated. This is useful for a host with multiple VMs connected to the port: if only one VM is authenticated, the others don't need to be.

Once again, thanks to everyone who helped clarify this communication flow.

Friend, I could easily say yes, but sorry, no, that does not explain the behaviour here.

With both the PC and the phone connected, the PC has 802.1x capability and authenticates the port, and the SW opens it for both devices since we use multi-host.

Connect only the phone, which doesn't have 802.1x capability: the authc fails and the SW does not open the port for any device. This is why I asked for show auth session interface details when you connect only the phone; the AAA server can push a VLAN when authc fails (restricted VLAN), or the SW uses the guest VLAN.

Note: some phones have 802.1x capability.

Good luck

MHM

Hello @MHM Cisco World,

Please find below the output as requested, where only the IP phone is connected without a PC.

#sh authentication  sessions  int g 2/0/18 de
No sessions match supplied criteria.

#sh mac address-table int gigabitEthernet 2/0/18 
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  76    6879.092c.3d58    STATIC      Gi2/0/18     >> this the IP phone mac address.

interface GigabitEthernet2/0/18
description ** Connected to MY Primary LAN **
switchport access vlan 15
switchport mode access
switchport voice vlan 76
authentication host-mode multi-host
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
mab
dot1x pae authenticator
dot1x timeout tx-period 60
dot1x max-reauth-req 10
spanning-tree portfast
spanning-tree bpduguard enable
end

Appreciated, 
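An added example, not from the thread or any of its posters: a small Python audit that applies the distinction the thread arrives at (under multi-host the phone forwards with no session of its own) to the three outputs the posters compared, flagging every MAC in `show mac address-table` that has no matching `show authentication sessions` entry and reporting the port's voice VLAN and host-mode. The sample outputs are constructed to mirror the posts; the `show authentication sessions` column layout is assumed, and the Gi1/0/32 session row is invented.

```python
import re
# Constructed sample outputs modelled on this thread's posts (not real captures);
# the Gi1/0/32 session row is invented to give one authenticated endpoint.
RUNNING_CONFIG = """\
interface GigabitEthernet1/0/32
 switchport voice vlan 76
 authentication host-mode multi-host
interface GigabitEthernet2/0/18
 switchport voice vlan 76
 authentication host-mode multi-host
"""
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
  15    f48e.387c.9e28    STATIC      Gi1/0/32
  76    6879.092c.3d58    STATIC      Gi2/0/18     >> this the IP phone mac address.
"""
AUTH_SESSIONS = """\
Interface    MAC Address     Method  Domain  Status  Session ID
Gi1/0/32     f48e.387c.9e28  dot1x   DATA    Auth    000000000000000100000001
"""
MAC_RE = re.compile(r"\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b")

def short_ifname(name):
    """Map 'GigabitEthernet1/0/32' to the 'Gi1/0/32' form used in show tables."""
    m = re.match(r"([A-Za-z]{2})[A-Za-z]*(\S+)", name)
    return m.group(1) + m.group(2)

def parse_config(text):
    """Return {short_if: {'voice_vlan': ..., 'host_mode': ...}} from running-config text."""
    ports, cur = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = ports.setdefault(short_ifname(line.split()[1]), {})
        elif cur is not None:
            m = re.match(r"\s*(switchport voice vlan|authentication host-mode) (\S+)", line)
            if m:
                cur["voice_vlan" if "voice" in m.group(1) else "host_mode"] = m.group(2)
    return ports

def rows_with_mac(text):
    """Split every line carrying a xxxx.xxxx.xxxx MAC into its whitespace fields."""
    return [l.split() for l in text.splitlines() if MAC_RE.search(l)]

def find_unauthenticated(config, mac_table, sessions):
    """One finding per MAC forwarding on a port that has no session for that MAC."""
    # Session rows start <port> <mac>; mac-table rows are <vlan> <mac> <type> <port>.
    ports, findings = parse_config(config), []
    sess = {(r[0], r[1]) for r in rows_with_mac(sessions)}
    for vlan, mac, _type, port in (r[:4] for r in rows_with_mac(mac_table)):
        if (port, mac) in sess: continue
        p = ports.get(port, {})
        domain = "voice" if vlan == p.get("voice_vlan") else "data"
        findings.append(f"{port} {mac} vlan {vlan} ({domain}) has no auth session; host-mode={p.get('host_mode')}")
    return findings
```

Replace the three constants with real captures to run it against a switch; a voice-VLAN MAC with no session is the case from the first post, while a data-VLAN MAC with no session is the case MHM asked about.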
