03-27-2021 07:53 AM
I am working on a small project to implement 802.1x authentication on the wired network.
In the environment there are:
The whole network is built with Cisco Catalyst 9300, 2960X, 2960S, 3850 switches. Each office has an IP phone and a computer that is plugged into the phone.
Each port is configured with a Voice VLAN and an Access VLAN Data for corporate computers.
The goal is to authenticate phones in MAB or 802.1x and to authenticate corporate computers in 802.1x.
If a non-company computer plugs into a network port or behind the phone, it is sent to a guest VLAN.
A corporate computer will be sent to its dynamic VLAN returned by the radius server.
I have configured MAB authentication for phones and other equipment such as printers. I have configured CA and autoenroll for corporate computers.
Here's what works:
If I plug a phone into a port, it is authenticated via MAB with radius and takes its voice VLAN.
If I plug in a corporate computer, it is 802.1x authenticated and is sent to the VLAN according to the radius policy.
If I plug in an unauthorized device or computer, it is sent to a guest VLAN.
Here is what does not work, and this is the most important part of the whole project:
I plug a corporate computer into a phone, I automatically get an authentication error and the port is disabled. Same thing with a non-corporate computer.
In the radius log I realize that the corporate computer is authenticated in MAB and not in 802.1x. The authentication event fail action next-method command does not seem to work.
My question: can anyone help me with this or shed some light on the subject? Next step is to open a TAC case.
Thank you
Here is the configuration of a Catalyst 9300.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa session-id common
radius server NPS SERVER XXXX
address ipv4 172.20.8.36 auth-port 1645 acct-port 1646
key 7 xxxxxxxxxxxxxxxxxxxxxxx
interface GigabitEthernet1/0/21
switchport access vlan 172
switchport mode access
switchport voice vlan 88
switchport port-security
power inline port 2x-mode
authentication event fail action authorize vlan 172
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order mab dot1x
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
end
*Mar 27 2021 10:33:26.392 EDT: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/21, putting Gi1/0/21 in err-disable state
*Mar 27 2021 10:33:26.394 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address c85b.766a.02f4 on port GigabitEthernet1/0/21.
*Mar 27 2021 10:33:27.392 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/21, changed state to down
*Mar 27 2021 10:33:28.393 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/21, changed state to down
Log on radius :
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: c85b766a02f4
Account Domain: jimboom
Fully Qualified Account Name: jimboom\c85b766a02f4
03-27-2021 08:12 AM
Hi @Jimboom
Port security and 802.1x configured on an interface at the same time is not supported. Remove port security from all interfaces configured with 802.1x.
interface GigabitEthernet1/0/21
no switchport port-security
HTH
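Added example (my own, not code from any post in this thread): a small linter for IOS interface blocks that flags the three things the thread turns on: port-security on an 802.1X port, two competing "authentication event fail" actions, and host-mode multi-domain on a phone-plus-PC port. POSTED_CONFIG is the interface block the original poster shared; FIXED_CONFIG is a constructed variant with the thread's advice applied (port-security removed, a single fail action, multi-auth). The finding texts are this example's own wording, not switch output.

```python
"""Lint Cisco IOS interface blocks for the 802.1X pitfalls raised in this thread.

Added example, not taken from any post above. POSTED_CONFIG is the interface
block the original poster shared; FIXED_CONFIG is a constructed variant with
the thread's advice applied.
"""

POSTED_CONFIG = """\
interface GigabitEthernet1/0/21
 switchport access vlan 172
 switchport mode access
 switchport voice vlan 88
 switchport port-security
 power inline port 2x-mode
 authentication event fail action authorize vlan 172
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication open
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
end
"""

# Constructed for this example: the same port after the thread's fixes.
FIXED_CONFIG = """\
interface GigabitEthernet1/0/21
 switchport access vlan 172
 switchport mode access
 switchport voice vlan 88
 power inline port 2x-mode
 authentication event fail retry 3 action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
end
"""


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Split IOS config text into {interface name: [sub-commands]}.

    Sub-commands are returned without indentation; 'end' and '!' are skipped,
    and any other non-indented command closes the current interface block.
    """
    interfaces: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() in ("end", "!"):
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
    return interfaces


def lint_interface(cmds: list[str]) -> list[str]:
    """Return findings for one interface's sub-commands (empty list means clean)."""
    findings: list[str] = []
    dot1x_port = "dot1x pae authenticator" in cmds or "authentication port-control auto" in cmds
    if not dot1x_port:
        return findings  # the checks below only matter on 802.1X ports

    if any(c.startswith("switchport port-security") for c in cmds):
        findings.append(
            "port-security configured together with 802.1X: not supported on the same "
            "interface; remove 'switchport port-security' (otherwise expect "
            "%PORT_SECURITY-2-PSECURE_VIOLATION followed by err-disable)"
        )

    fail_actions = [c for c in cmds if c.startswith("authentication event fail")]
    if len(fail_actions) > 1:
        findings.append(
            "conflicting fail actions: " + "; ".join(fail_actions)
            + " -- keep one (next-method is what lets a MAB failure fall through to 802.1X)"
        )

    voice = any(c.startswith("switchport voice vlan") for c in cmds)
    if voice and "authentication host-mode multi-domain" in cmds:
        findings.append(
            "host-mode multi-domain (one data MAC plus one voice MAC) on a phone+PC port: "
            "the thread cleared %AUTHMGR-5-SECURITY_VIOLATION here with "
            "'authentication host-mode multi-auth'"
        )
    return findings


def lint(config: str) -> dict[str, list[str]]:
    """Lint every interface in a config; only interfaces with findings are returned."""
    result: dict[str, list[str]] = {}
    for name, cmds in parse_interfaces(config).items():
        findings = lint_interface(cmds)
        if findings:
            result[name] = findings
    return result


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for name, findings in lint(cfg).items():
            for f in findings:
                print(f"{name}: {f}")
```

Feed it `show running-config | section interface` output from each switch and you get a per-port list before touching the CLI; the posted block yields three findings, the fixed block none.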
03-27-2021 09:00 AM
Thanks @Rob Ingram.
It's a step in the right direction. I removed that on the port .
no switchport port-security
Now, when I connect a corporate computer, it fails on MAB and successfully authenticates on 802.1x. But the port is deactivated anyway.
*Mar 27 2021 11:51:51.364 EDT: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/21, putting Gi1/0/21 in err-disable state
*Mar 27 2021 11:51:51.365 EDT: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet1/0/21, new MAC address (c85b.766a.02f4) is seen.AuditSessionID
Here is the port configuration
interface GigabitEthernet1/0/21
 switchport access vlan 172
 switchport mode access
 switchport voice vlan 88
 power inline port 2x-mode
 authentication event fail retry 3 action next-method
 authentication host-mode multi-domain
 authentication open
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
end
Radius log:
First try denied with MAB
Second try granted with 802.1x
03-27-2021 09:55 AM
port-security is incompatible with 802.1X, so good that you removed that.
Change the host-mode to multi-auth and see if that works.
authentication host-mode multi-auth
Most likely the switch is error-disabling the port because it thinks there are 2 MACs in the data VLAN.
You can check the ISE LiveLogs to see if there is any error but it's switch issue.
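Added example (my own, not code from any post in this thread): a parser for the switch syslog lines quoted above that pairs each %PM-4-ERR_DISABLE with the violation message that caused it, so the two err-disable events in this thread (port-security first, then the authmgr host-mode violation) come out labelled with their cause and the offending MAC. The MAC is also rewritten into the bare 12-hex form NPS shows as the Account Name for a MAB request (c85b766a02f4 in the RADIUS log above). SAMPLE_LOG is copied from the posts; the cause labels and advice strings are this example's own wording.

```python
"""Correlate Cisco err-disable syslog messages with their security-violation cause.

Added example, not from the thread. SAMPLE_LOG reproduces the switch messages
posted above; everything else is this example's own code.
"""
import re
from datetime import datetime, timedelta

SAMPLE_LOG = [
    "*Mar 27 2021 10:33:26.392 EDT: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/21, putting Gi1/0/21 in err-disable state",
    "*Mar 27 2021 10:33:26.394 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address c85b.766a.02f4 on port GigabitEthernet1/0/21.",
    "*Mar 27 2021 10:33:27.392 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/21, changed state to down",
    "*Mar 27 2021 11:51:51.364 EDT: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/21, putting Gi1/0/21 in err-disable state",
    "*Mar 27 2021 11:51:51.365 EDT: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet1/0/21, new MAC address (c85b.766a.02f4) is seen.AuditSessionID",
]

SYSLOG_RE = re.compile(
    r"^\*?(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}\.\d{1,6}) \w+: "
    r"%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$"
)
IFACE_RE = re.compile(r"(?:TenGigabitEthernet|GigabitEthernet|FastEthernet|Te|Gi|Fa)\d+(?:/\d+)+")
MAC_RE = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}", re.I)
ABBREV = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi", "FastEthernet": "Fa"}

# Which violation mnemonics explain an err-disable, and what to do about them
# (wording is this example's own; the remedies are the ones given in the thread).
CAUSES = {
    "PSECURE_VIOLATION": ("port-security", "remove 'switchport port-security' from 802.1X ports"),
    "SECURITY_VIOLATION": ("authmgr host-mode",
                           "more MACs than the host-mode allows; the thread's fix was "
                           "'authentication host-mode multi-auth'"),
}


def short_ifname(name: str) -> str:
    """Normalise 'GigabitEthernet1/0/21' and 'Gi1/0/21' to the same key."""
    for long, short in ABBREV.items():
        if name.startswith(long):
            return short + name[len(long):]
    return name


def mab_username(mac: str) -> str:
    """'c85b.766a.02f4' -> 'c85b766a02f4', the Account Name NPS logs for a MAB request."""
    return re.sub(r"[.:-]", "", mac).lower()


def parse_line(line: str):
    """Parse one IOS syslog line into a dict, or return None if it is not one."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    iface = IFACE_RE.search(m["msg"])
    mac = MAC_RE.search(m["msg"])
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S.%f"),
        "facility": m["facility"],
        "severity": int(m["sev"]),
        "mnemonic": m["mnemonic"],
        "port": short_ifname(iface.group(0)) if iface else None,
        "mac": mac.group(0).lower() if mac else None,
        "msg": m["msg"],
    }


def errdisable_incidents(lines, window: timedelta = timedelta(seconds=2)) -> list[dict]:
    """One incident per ERR_DISABLE, joined to a violation on the same port within `window`."""
    events = [e for e in map(parse_line, lines) if e]
    incidents = []
    for e in events:
        if e["mnemonic"] != "ERR_DISABLE":
            continue
        incident = {
            "port": e["port"], "ts": e["ts"],
            "errdisable_reason": e["msg"].split(" error detected")[0],
            "cause": None, "mac": None, "mab_username": None, "advice": None,
        }
        related = [v for v in events
                   if v["port"] == e["port"] and v["mnemonic"] in CAUSES
                   and abs(v["ts"] - e["ts"]) <= window]
        if related:
            v = related[0]
            cause, advice = CAUSES[v["mnemonic"]]
            incident.update(cause=cause, advice=advice, mac=v["mac"],
                            mab_username=mab_username(v["mac"]) if v["mac"] else None)
        incidents.append(incident)
    return incidents


if __name__ == "__main__":
    for i in errdisable_incidents(SAMPLE_LOG):
        print(f"{i['ts']} {i['port']} err-disabled ({i['errdisable_reason']}): "
              f"cause={i['cause']} mac={i['mac']} nps_user={i['mab_username']} -> {i['advice']}")
```

The 2-second window matters: the two violations on the same port are over an hour apart, and pairing by port alone would attach the wrong cause to the second err-disable. The mab_username value is what to search for in the NPS event when the RADIUS side shows a denial for a "user" that is really a MAC address.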
03-27-2021 02:15 PM
It's working! Thanks for your help.
Regards,
03-30-2023 01:01 PM
Good afternoon,
I am having virtually the same issue, however I have tried multi-domain, multi-auth, and multi-host respectively.
In each scenario, the phone will authenticate if it is the only device connected to the port. Once a pc is connected, the pc will authenticate, but the phone will not. Have you seen this issue before? Thank you for your time.
03-30-2023 01:08 PM
What is your EAP type? Is EAP pass through enabled on the phone? What is the phone? Some phones have issues passing the larger EAP-TLS or TEAP packets through them and require firmware updates.
03-27-2021 02:16 PM
Thanks for your help.
Regards,