
802.1x on Access VLAN only, not on Voice VLAN

October 14

I've successfully configured a Cisco 3750G to perform the authenticator function of the 802.1x process. I have a test Win7 machine as a supplicant and a Windows 2008 server running NPS as the Authentication Server. The Win7 machine is able to successfully authenticate.

I've now hooked up a Cisco 7941 IP Phone in front of the Win7 machine, configured the switch with the switchport voice vlan command, I plug it in and it is granted power, but the port quickly moves to a down state. After looking through the debug logs I believe the issue to be something with 802.1x trying to authenticate on both the Access VLAN and the Voice VLAN. Is there a way to only perform 802.1x on the Access VLAN and not the Voice VLAN?

Scenario:

{RADIUS}  <---->   {3750G} <-----> {Cisco 7941 Phone} <----->  {Win7 802.1x client} 

I am currently testing on interface gi1/0/3, here is the interface config line:

interface GigabitEthernet1/0/3
 description TestPort
 switchport access vlan 100
 switchport voice vlan 110
 switchport mode access
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 spanning-tree portfast
 auto qos voip cisco-phone

Some of the debugs from the 3750G

*Apr 21 13:44:04.045: %ILPOWER-7-DETECT: Interface Gi1/0/3: Power Device detected: IEEE PD
*Apr 21 13:44:04.322: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/3: Power granted
*Apr 21 13:44:07.811: dot1x-ev(Gi1/0/3): Interface state changed to UP
*Apr 21 13:44:07.811:     dot1x_auth Gi1/0/3: initial state auth_initialize has enter
*Apr 21 13:44:07.811: dot1x-sm(Gi1/0/3): 0x0000003B:auth_initialize_enter called
*Apr 21 13:44:07.811:     dot1x_auth Gi1/0/3: during state auth_initialize, got event 0(cfg_auto)
*Apr 21 13:44:07.811: @@@ dot1x_auth Gi1/0/3: auth_initialize -> auth_disconnected
*Apr 21 13:44:07.811: dot1x-sm(Gi1/0/3): 0x0000003B:auth_disconnected_enter called
*Apr 21 13:44:07.811:     dot1x_auth Gi1/0/3: idle during state auth_disconnected
*Apr 21 13:44:07.811: @@@ dot1x_auth Gi1/0/3: auth_disconnected -> auth_restart
*Apr 21 13:44:07.811: dot1x-sm(Gi1/0/3): 0x0000003B:auth_restart_enter called
*Apr 21 13:44:07.820: dot1x-ev(Gi1/0/3): Sending create new context event to EAP for 0x0000003B (0000.0000.0000)
*Apr 21 13:44:07.820:     dot1x_auth_bend Gi1/0/3: initial state auth_bend_initialize has enter
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): 0x0000003B:auth_bend_initialize_enter called
*Apr 21 13:44:07.820:     dot1x_auth_bend Gi1/0/3: initial state auth_bend_initialize has idle
*Apr 21 13:44:07.820:     dot1x_auth_bend Gi1/0/3: during state auth_bend_initialize, got event 16383(idle)
*Apr 21 13:44:07.820: @@@ dot1x_auth_bend Gi1/0/3: auth_bend_initialize -> auth_bend_idle
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): 0x0000003B:auth_bend_idle_enter called
*Apr 21 13:44:07.820: dot1x-ev(Gi1/0/3): Created a client entry (0x0000003B)
*Apr 21 13:44:07.820: dot1x-ev(Gi1/0/3): Dot1x authentication started for 0x0000003B (0000.0000.0000)
*Apr 21 13:44:07.820: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/3
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): Posting !EAP_RESTART on Client 0x0000003B
*Apr 21 13:44:07.820:     dot1x_auth Gi1/0/3: during state auth_restart, got event 6(no_eapRestart)
*Apr 21 13:44:07.820: @@@ dot1x_auth Gi1/0/3: auth_restart -> auth_connecting
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): 0x0000003B:auth_connecting_enter called
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): 0x0000003B:auth_restart_connecting_action called
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): Posting RX_REQ on Client 0x0000003B
*Apr 21 13:44:07.820:     dot1x_auth Gi1/0/3: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
*Apr 21 13:44:07.820: @@@ dot1x_auth Gi1/0/3: auth_connecting -> auth_authenticating
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): 0x0000003B:auth_authenticating_enter called
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): 0x0000003B:auth_connecting_authenticating_action called
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): Posting AUTH_START for 0x0000003B
*Apr 21 13:44:07.820:     dot1x_auth_bend Gi1/0/3: during state auth_bend_idle, got event 4(eapReq_authStart)
*Apr 21 13:44:07.820: @@@ dot1x_auth_bend Gi1/0/3: auth_bend_idle -> auth_bend_request
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): 0x0000003B:auth_bend_request_enter called
*Apr 21 13:44:07.820: dot1x-ev(Gi1/0/3): Sending EAPOL packet to group PAE address
*Apr 21 13:44:07.820: dot1x-ev(Gi1/0/3): Role determination not required
*Apr 21 13:44:07.820: dot1x-registry:registry:dot1x_ether_macaddr called
*Apr 21 13:44:07.820: dot1x-ev(Gi1/0/3): Sending out EAPOL packet
*Apr 21 13:44:07.820: EAPOL pak dump Tx
*Apr 21 13:44:07.820: EAPOL Version: 0x3  type: 0x0  length: 0x0005
*Apr 21 13:44:07.820: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
*Apr 21 13:44:07.820: dot1x-packet(Gi1/0/3): EAPOL packet sent to client 0x0000003B (0000.0000.0000)
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): 0x0000003B:auth_bend_idle_request_action called
*Apr 21 13:44:09.791: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to up
*Apr 21 13:44:10.798: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to up
*Apr 21 13:44:36.844: dot1x-ev(Gi1/0/3): Interface state changed to DOWN
*Apr 21 13:44:36.844: dot1x-ev(Gi1/0/3): Deleting client 0x0000003B (0000.0000.0000)
*Apr 21 13:44:36.844: dot1x-ev:dot1x_supp_port_down: No DOT1X subblock found on GigabitEthernet1/0/3
*Apr 21 13:44:36.844: dot1x-ev:Delete auth client (0x0000003B) message
*Apr 21 13:44:36.844: dot1x-ev:Auth client ctx destroyed
*Apr 21 13:44:37.842: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to down
*Apr 21 13:44:38.841: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to down


Latest Interface Config:

interface GigabitEthernet1/0/3
 switchport access vlan 105
 switchport mode access
 switchport voice vlan 110
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication control-direction in
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority mab dot1x
 mab
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 dot1x pae authenticator
 spanning-tree portfast
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY

Global configs dad

Debugs:

show version
Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 28    WS-C3750G-24PS     15.0(2)SE6            C3750-IPSERVICESK9-M

#show authentication sessions interface gi1/0/3
            Interface:  GigabitEthernet1/0/3
          MAC Address:  Unknown
           IP Address:  Unknown
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  in
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A6363FE0000001900347F3C
      Acct Session ID:  0x00000020
               Handle:  0x7A00001A

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

#show dot1x all details
Sysauthcontrol              Enabled
Dot1x Protocol Version            3

Dot1x Info for GigabitEthernet1/0/3
-----------------------------------
PAE                       = AUTHENTICATOR
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30

Dot1x Authenticator Client List Empty

show run | in dot1x
aaa authentication dot1x default group RADIUS
dot1x system-auth-control

Console

Oct 15 20:16:41.392: dot1x-ev(Gi1/0/3): Interface state changed to DOWN
Oct 15 20:16:41.400: dot1x-ev(Gi1/0/3): Deleting client 0x74000003 (0000.0000.0000)
Oct 15 20:16:41.400: dot1x-ev:dot1x_supp_port_down: No DOT1X subblock found on GigabitEthernet1/0/3
Oct 15 20:16:41.400: dot1x-ev:Delete auth client (0x74000003) message
Oct 15 20:16:41.400: dot1x-ev:Auth client ctx destroyedshut
Oct 15 20:16:42.180: %SWITCH_QOS_TB-5-TRUST_DEVICE_LOST: cisco-phone no longer detected on port Gi1/0/3, operational port trust state is now untrusted
Oct 15 20:16:43.363: %LINK-5-CHANGED: Interface GigabitEthernet1/0/3, changed state to administratively down
Oct 15 20:16:44.370: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state tno shut
SW1(config-if)#
Oct 15 20:16:47.801: %ILPOWER-7-DETECT: Interface Gi1/0/3: Power Device detected: IEEE PD
Oct 15 20:16:48.807: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/3: Power granted
Oct 15 20:16:48.916: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to down
Oct 15 20:16:50.124: dot1x-ev(Gi1/0/3): Interface state changed to UP
Oct 15 20:16:50.133:     dot1x_auth Gi1/0/3: initial state auth_initialize has enter
Oct 15 20:16:50.133: dot1x-sm(Gi1/0/3): 0xD8000004:auth_initialize_enter called
Oct 15 20:16:50.133:     dot1x_auth Gi1/0/3: during state auth_initialize, got event 1(cfg_force_auth)
Oct 15 20:16:50.133: @@@ dot1x_auth Gi1/0/3: auth_initialize -> auth_force_auth
Oct 15 20:16:50.133: dot1x-sm(Gi1/0/3): 0xD8000004:auth_force_auth_enter called
Oct 15 20:16:50.133: dot1x-ev(Gi1/0/3): Sending EAPOL packet to group PAE address
Oct 15 20:16:50.133: dot1x-ev(Gi1/0/3): Role determination not required
Oct 15 20:16:50.133: dot1x-registry:registry:dot1x_ether_macaddr called
Oct 15 20:16:50.133: dot1x-ev(Gi1/0/3): Sending out EAPOL packet
Oct 15 20:16:50.133: EAPOL pak dump Tx
Oct 15 20:16:50.133: EAPOL Version: 0x3  type: 0x0  length: 0x0004
Oct 15 20:16:50.133: EAP code: 0x3  id: 0x1  length: 0x0004
Oct 15 20:16:50.133: dot1x-packet(Gi1/0/3): dot1x_auth_txCannedStatus: EAPOL packet sent to client 0xD8000004 (0000.0000.0000)
Oct 15 20:16:50.133:     dot1x_auth_bend Gi1/0/3: initial state auth_bend_initialize has enter
Oct 15 20:16:50.133: dot1x-sm(Gi1/0/3): 0xD8000004:auth_bend_initialize_enter called
Oct 15 20:16:50.133:     dot1x_auth_bend Gi1/0/3: initial state auth_bend_initialize has idle
Oct 15 20:16:50.133:     dot1x_auth_bend Gi1/0/3: during state auth_bend_initialize, got event 16383(idle)
Oct 15 20:16:50.133: @@@ dot1x_auth_bend Gi1/0/3: auth_bend_initialize -> auth_bend_idle
Oct 15 20:16:50.133: dot1x-sm(Gi1/0/3): 0xD8000004:auth_bend_idle_enter called
Oct 15 20:16:50.133: dot1x-ev(Gi1/0/3): Created a client entry (0xD8000004)
Oct 15 20:16:50.133: dot1x-ev(Gi1/0/3): Dot1x authentication started for 0xD8000004 (0000.0000.0000)
Oct 15 20:16:50.133: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/3
Oct 15 20:16:50.141: dot1x-ev(Gi1/0/3): Sending event (2) to Auth Mgr for 0000.0000.0000
Oct 15 20:16:50.141: dot1x-redundancy: State for client  0000.0000.0000 successfully retrieved
Oct 15 20:16:52.113: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to up
Oct 15 20:16:53.119: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to up
Oct 15 20:17:34.542: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Gi1/0/3, port's configured trust state is now operational.

Port still ends up in a shutdown state, but supplies power to Phone...

Answers

You would need to configure MAB (Mac Auth Bypass) authentication for the ip phone in the multi-vlan interface. You also need multi-auth so the switch knows to look for more than one MAC address.

-authentication host-mode multi-auth

-authentication order mab dot1x

802.1x is port based. So, in simplest form, the port is either authorized or not; once authorized -- MAC limits aside -- traffic from anything will be allowed. Modern 802.1x systems are much smarter ("more complicated") and can independently police multiple hosts on a single port. This is where multi-auth and multi-domain come in. (consult Cisco here)

As Jaxxs points out, the only compromise is to allow the phone access without authentication (i.e. by MAC.) Because the 7941 won't do 802.1x itself, but will pass EAPOL through, and "fake" a logoff when the PC port is disconnected.

(Ignoring that it's in terms of NX-OS, this is how MAB works.)
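An interface configuration that applies the two answers above (MAB for the phone, 802.1X for the PC, a host mode that tracks both), added here as an example; it is not taken from either answer or from the poster's switch. It assumes the IOS 15.0(2)SE-style syntax already used in the question, and that the RADIUS server returns the Cisco AV pair device-traffic-class=voice for the phone's MAC address, which is what places the phone in the voice domain instead of the data domain.

```cisco
! Global prerequisites (the poster already has the first two; the
! network-authorization line is assumed missing and is what lets the
! switch apply RADIUS attributes such as the voice-domain AV pair)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
interface GigabitEthernet1/0/3
 description TestPort
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 110
 ! exactly one voice device (phone, via MAB) and one data device (PC, via 802.1X);
 ! the answers' multi-auth also works but allows several data hosts behind the phone
 authentication host-mode multi-domain
 authentication port-control auto
 ! run MAB first so the phone, which has no supplicant, is authorized
 ! without waiting for EAPOL timeouts; 802.1X still wins if the PC speaks EAPOL
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 ! shorter EAP-Request/Identity interval so MAB fallback for the phone is quick
 dot1x timeout tx-period 10
 spanning-tree portfast
 auto qos voip cisco-phone
```

Verify with show authentication sessions interface gi1/0/3: a working port lists two sessions, one with Domain VOICE for the phone's MAC address and one with Domain DATA for the PC, whereas a phone authorized without the voice AV pair shows up under DATA and blocks the PC in multi-domain mode.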

CDP should actually take care of the port authentication for a Cisco IP phone. There is a little-known feature called "CDP bypass" which allows a Cisco switch to detect a specific TLV in the CDP message which allows immediate authentication. Be aware however, that newer versions of Cisco IOS no longer include this CDP bypass feature.
