802.1x - Voice VLAN conflict when port-security enabled

ballydbob
Level 1

I am having an issue with Cisco IP Phones on the VOICE vlan when port-security is enabled on the interface. The DATA vlan is fine with or without port-security. With port-security, the phone re-auths every couple of minutes. The switches are Cisco 9300s. My RADIUS server is ClearPass 6.11.  This is my port config:

interface TwoGigabitEthernet2/0/5
description =Wallport h01=
switchport access vlan 10
switchport mode access
switchport voice vlan 52
switchport port-security maximum 10
switchport port-security violation restrict
switchport port-security aging time 5
switchport port-security aging type inactivity
switchport port-security
ip arp inspection limit rate 100
speed auto 100 1000
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 14400
authentication violation restrict
mab
trust device cisco-phone
dot1x pae authenticator
dot1x timeout tx-period 120
dot1x max-reauth-req 3
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
ip verify source mac-check

My requirement is that no more than 5 MACs can be authenticated to a single interface (by plugging in a dumb switch). If that can be accomplished with dot1x/MAB, please share the config required. 

The uptime will count up to around 2 minutes, then drop and re-auth.

sh auth hist
Interface  MAC Address     Method  Domain  Status  Uptime
---------------------------------------------------------
Tw2/0/5    4cec.0f94.xxxx  mab     VOICE   Auth    36

Dot1x Info for TwoGigabitEthernet2/0/5
--------------------------------------------
PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 3
MaxReq = 2
TxPeriod = 120

Thanks for any advice.

Bob Lee

8 Replies

Cristian Matei
VIP Alumni

Hi,

   I assume that Phone is functional, other than constant authentication, right? Can you provide the output of command "show authentication sessions interface TwoGigabitEthernet2/0/5 details" when the phone is authenticated? What RADIUS attributes are you sending over to the switch as authorization for the phone? Can you enable "mab logging" and "epm logging" and provide the logs after phone re-authenticates?

Best,

Cristian.

Thanks for the tips, Cristian.  Here's the output of sh auth session...

H01-389-1#show authentication sessions interface TwoGigabitEthernet2/0/5 details
Interface: TwoGigabitEthernet2/0/5
IIF-ID: 0x1651CEFD
MAC Address: 4cec.0f94.441d
IPv6 Address: Unknown
IPv4 Address: 10.200.32.163
User-Name: 4cec0f94441d
Status: Authorized
Domain: VOICE
Oper host mode: multi-auth
Oper control dir: both
Session timeout: 14400s (local), Remaining: 14368s
Timeout action: Reauthenticate
Common Session ID: 000000000000E87AE03CAC72
Acct Session ID: 0x00006496
Handle: 0xb400067e
Current Policy: POLICY_Tw2/0/5


Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure

Server Policies:
Session-Timeout: 10800 sec
Vlan Group: Vlan: 52


Method status list:
Method State
mab Authc Success

I haven't run the debugs yet, but I will. 

Hi,

   Let's see the logging outputs; however, keep in mind that port-security and port-control (authentication enabled) do not always work great together. Either way, what I suspect is that the phone becomes silent for 5 minutes (port-security aging time of type inactivity), after which the switch restarts the authentication process (the reason why I asked for the logs, ideally with timestamps); try to increase the aging time to the maximum via "switchport port-security aging time 1440".

Best,

Cristian.

Unfortunately, changing to "switchport port-security aging time 1440" did not solve the issue. It still re-auths every minute or so.

Arne Bier
VIP

@ballydbob, do you have CDP enabled?

Do the phones behave when port security is removed from the interface config?

One issue I have seen with phones is that if they are not very chatty, their sessions time out, and then the next frame sent by the phone causes another round of authentication. You want to ensure the sessions stay alive; regular CDP messages help. I don't deal with IBNS 1.0 much these days, but is there an inactivity timer?

Is device-tracking enabled? Device tracking will send an ARP at regular, configurable intervals to elicit a response from the device; that also tends to keep non-chatty sessions alive.

Do you have 802.1X enabled on the phones? It looks like they were auth'd using MAB. If that's what you want to happen, then you must ensure that the phone has 802.1X disabled, or it will try sending EAPOL messages all day long.

Hi Arne,

Yes, CDP is on. Here is the partial output. Only this phone interface has both dot1x/mab AND port-security. When I remove port-security, it all behaves as expected, and port-security only affects the VOICE vlan. The client laptop on the DATA vlan is fine with or without port-security.

We are using MAB and dot1x is NOT enabled on the phone. 

sh cdp neigh
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID                  Local Intrfce  Holdtme  Capability  Platform   Port ID
axis-b8a44fb23da1          Two 2/0/28     106      H           Linux      eth0
axis-b8a44faf6d79          Two 2/0/27     95       H           Linux      eth0
H01-389-100.uchicago.net   Ten 1/1/5      138      R S I       C9500-40X  Ten 1/0/6
H01-389-100.uchicago.net   Ten 1/1/1      121      R S I       C9500-40X  Ten 1/0/5
Turner_Woodlawn.tcco.org   Two 1/0/12     165      R B S       C891F-K9   Gig 8
SEP00258416BA9E            Two 2/0/22     177      H P M       IP Phone   Port 1
SEPE8D322EA39F2            Two 1/0/29     143      H P M       IP Phone   Port 1
SEP4CEC0F94441D            Two 2/0/5      139      H P M       IP Phone   Port 1
SEPCC36CF98D866            Two 2/0/7      128      H P M       IP Phone   Port 1

From the Cisco doc:

"Whenever port security ages out a 802.1X client's MAC address, 802.1X attempts to reauthenticate the client. Only if the reauthentication succeeds will the client's MAC address be retained in the port security table."

MHM

Why 5 MAC addresses? If you will have a single endpoint and a phone connected to the switch port, then you can use "authentication host-mode multi-domain". This will only allow a single endpoint and a voice device (phone) to be connected to the port. Another option would be to restrict phone access to the port by configuring a group on the RADIUS server where you add only the allowed MAC addresses. Both of these options would work without switchport port-security enabled.
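As an added illustration (not config posted in the thread or taken from Cisco documentation), here is the original poster's interface rewritten along the lines of the last two replies: port-security removed, host mode changed from multi-auth to multi-domain so the port admits one DATA host plus one VOICE host, and an IOS-XE device-tracking policy attached so the switch probes the phone and keeps the MAB session from going idle. The policy name IPDT_PHONE is an assumption; the VLAN numbers and interface are the ones from the original post. This does not implement the "no more than 5 MACs" requirement, which multi-domain replaces with a hard limit of one data host and one voice host.

```cisco
! Added example, not the poster's running config. Policy name IPDT_PHONE is assumed.
!
! 1. Device-tracking (SISF) policy: the switch actively probes tracked endpoints,
!    so a quiet phone still refreshes its entry instead of aging out silently.
device-tracking policy IPDT_PHONE
 tracking enable
!
! 2. Interface changes. Port-security is removed entirely: its 5-minute inactivity
!    aging was evicting the phone's MAC, which then forced a fresh MAB round.
interface TwoGigabitEthernet2/0/5
 description =Wallport h01=
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 52
 no switchport port-security
 no switchport port-security maximum
 no switchport port-security violation
 no switchport port-security aging time
 no switchport port-security aging type
 ! one authenticated host in the DATA domain + one in the VOICE domain
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 14400
 authentication violation restrict
 mab
 trust device cisco-phone
 dot1x pae authenticator
 dot1x timeout tx-period 120
 dot1x max-reauth-req 3
 device-tracking attach-policy IPDT_PHONE
 spanning-tree portfast
!
! 3. Verification after the phone comes up (run from enable mode):
!    show access-session interface TwoGigabitEthernet2/0/5 details
!    show device-tracking database interface TwoGigabitEthernet2/0/5
```

With multi-domain, a second data MAC behind a dumb switch is treated as a violation on the authentication side (here "restrict", matching the original "authentication violation restrict"), so the per-port limit is enforced by the authenticator rather than by port-security, and the two features no longer compete for the phone's MAC entry. The session uptime in the first show command should now keep counting past the two-minute mark seen in the original post.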