802.1x Authentication Failed


Hello,


I am trying to configure 802.1x on our network. I am running into an issue. When the PC without a certificate is connected to the IP Phone, upon the authentication failure the switch does not assign the port to the Guest or auth-fail VLAN, so I never get an IP.

This happens when I connect the PC to the IP Phone. It works fine if I connect the PC directly to the switchport.

Here's my configuration on the switch port.


interface FastEthernet0/5
 switchport access vlan 8
 switchport mode access
 switchport voice vlan 3030
 speed 100
 duplex full
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 dot1x pae authenticator
 dot1x port-control auto
 dot1x reauthentication
 dot1x guest-vlan 999
 dot1x auth-fail vlan 999
 dot1x auth-fail max-attempts 2
 no mdix auto
 spanning-tree portfast
end


thanks

Anand

jafrazie (Cisco Employee) Thu, 07/10/2008 - 10:03

What supplicant are we talking about here?

Are EAPOL-Starts enabled?

Hi jafrazie,


Thanks for your reply. I am using Windows XP SP2. I have configured EAPOL-Start as below:

Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode and set it to 3.

When I look at the switch, it looks like it tries the authentication again and again and never actually assigns the guest VLAN to the port.

After enabling the debugs I repeatedly see the following log messages on the switch:


05:46:07: dot1x-sm:Posting AUTH_FAIL on Client=2F58670
05:46:07: dot1x_auth Fa0/5: during state auth_fallback, got event 16(authFail)
05:46:07: @@@ dot1x_auth Fa0/5: auth_fallback -> auth_authc_result
05:46:07: dot1x-sm:Fa0/5:0000.0000.0000:auth_authc_result_enter called
05:46:07: dot1x-ev:dot1x_guest_vlan_applicable: Guest VLAN not applicable. Supplicant disabled and EAPOL seen on port FastEthernet0/5.
05:46:07: dot1x-sm:Posting AUTHC_FAIL on Client=2F58670
05:46:07: dot1x_auth Fa0/5: during state auth_authc_result, got event 24(authcFail)
05:46:07: @@@ dot1x_auth Fa0/5: auth_authc_result -> auth_held
05:46:07: dot1x-ev:dot1x_guest_vlan_applicable: Guest VLAN not applicable. Supplicant disabled and EAPOL seen on port FastEthernet0/5.
05:46:07: dot1x-sm:Posting RESTART on Client=2F58670
05:46:07: dot1x_auth Fa0/5: during state auth_held, got event 14(restart)
05:46:07: @@@ dot1x_auth Fa0/5: auth_held -> auth_restart


Again this only happens when the PC is connected behind the Phone.


Anand

jafrazie (Cisco Employee) Thu, 07/10/2008 - 21:45

Right, so what's happening here is that the supplicant is sending an EAPOL-Start at link up. This immediately means it won't get in the Guest-VLAN.


Also, the switch replies back with EAPOL-Id-Request frames. However, now the supplicant doesn't have a cert, so it doesn't bother replying with anything!


So this means it won't get in the Auth-Fail-VLAN either, since it's not actually failing.


You need to configure a global knob called "dot1x guest-vlan supplicant". This should allow you to get the port into the Guest-VLAN: even though it has technically seen EAPOL on the port before, it'll place it into the guest-VLAN since it won't answer EAPOL-Id-Request frames.


Hope this helps,


Nice. So it looks like that command helped. Thanks.

However, now when I disconnect the PC without a cert and connect a PC with a cert, I have to issue the "dot1x re-authenticate int" command for the switch to start the re-authentication for the new computer. Without issuing this command the switch port remains in the Guest VLAN. Does this have anything to do with the timers? My re-authentication timer is the default 3600.


thanks

Anand

scadora (Cisco Employee) Fri, 07/11/2008 - 07:52

To take the port out of Guest VLAN, the switch either needs to see a link state change (impossible in this case since you have a phone in the middle) or receive an EAPoL-Start. Can you confirm that the new PC with the cert is configured to send EAPoL starts?

Yes, the PC is configured with EAPoL-Start. The surprising thing is that when I disconnect the PC with the certificate the port goes into Unauthorized status; however, when I disconnect the PC without the cert the port stays in the Guest VLAN until I actually issue the re-authenticate command. I also tried waiting for the re-auth period (3600), which might force re-auth, but it didn't happen. I thought the phone sends a log-off message on behalf of the PC; maybe I am wrong. We have 7960s running 8.0(7.0).

jafrazie (Cisco Employee) Fri, 07/11/2008 - 08:13

OK, yes. The reason for this is because only an EAPOL-Start comes from the PC. Else, more than a single EAPOL message would always come from the PC. There was a problem on the phone where it needed more than one EAPOL message to send an EAPOL-Logoff frame to the switch. If you can see it online, it's CSCsl48111.


This is why, when you disconnect the PC with a cert, an EAPOL-Logoff got sent from the phone, and why, when you disconnect the one without a cert, no EAPOL-Logoff got sent, hence the Guest-VLAN etc. couldn't get subsequently deployed either.


Hope this helps,
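An added example, not Cisco code and not anything posted in this thread, that models the two behaviours jafrazie describes above: the guest-VLAN decision when an EAPOL-Start has already been seen on the port, with and without the global "dot1x guest-vlan supplicant" knob, and the phone proxying an EAPOL-Logoff for the PC only after it has seen more than one EAPOL frame from it. The EAPOL framing follows IEEE 802.1X (PAE group address, EtherType 0x888E, Start/Logoff with an empty body). Everything else is a simplification I made for the demo rather than verified IOS or phone internals: the port and phone state machines, the constructed MAC address, the retry count (IOS default "dot1x max-reauth-req 2"), and the assumption that an EAPOL-Logoff restarts authentication with the "EAPOL seen" flag cleared.

```python
"""Toy model of the 802.1X behaviour in this thread (added example, not Cisco
code): EAPOL frames per IEEE 802.1X, the authenticator's guest-VLAN decision
and the phone's EAPOL-Logoff proxying as the posts describe them. Timers, EAP
methods and RADIUS are abstracted away; the PC MAC address is constructed."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")      # 802.1X PAE group address
ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 1
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
PC_MAC = bytes.fromhex("00deadbeef01")              # constructed for the demo


def eapol_frame(src: bytes, eapol_type: int, body: bytes = b"") -> bytes:
    """Ethernet + EAPOL header (+ optional EAP packet); Start/Logoff carry no body."""
    return (PAE_GROUP_ADDR + src + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", EAPOL_VERSION, eapol_type, len(body)) + body)


def parse_eapol(frame: bytes) -> Tuple[bytes, int, bytes]:
    """Return (source MAC, EAPOL type, body); reject anything that is not EAPOL."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    return frame[6:12], ptype, frame[18:18 + length]


@dataclass
class Dot1xPort:
    """Authenticator port with 'dot1x guest-vlan' and, optionally, the global
    'dot1x guest-vlan supplicant'. Assumption: Logoff restarts with 'EAPOL seen' cleared."""
    access_vlan: int
    guest_vlan: int
    guest_vlan_supplicant: bool = False
    max_reauth_req: int = 2            # IOS default Identity-request retries
    vlan: Optional[int] = None         # None = unauthorized, nothing assigned
    eapol_seen: bool = False           # cleared only by link change or Logoff here
    id_requests: int = 0               # EAP-Request/Identity frames sent so far

    def restart(self):                 # drop to unauthorized, send first Identity request
        self.vlan, self.id_requests = None, 1

    def receive(self, frame: bytes):
        _src, ptype, _body = parse_eapol(frame)
        self.eapol_seen = ptype != EAPOL_LOGOFF    # Start or EAP-Response counts as seen
        if ptype in (EAPOL_START, EAPOL_LOGOFF):   # supplicant arrived / left
            self.restart()

    def identity_timeout(self) -> Optional[str]:
        """tx-period expired with no EAP-Response/Identity. Returns the guest-VLAN
        decision once the retries are used up, None while still retrying."""
        if self.id_requests <= self.max_reauth_req:
            self.id_requests += 1
            return None
        if self.eapol_seen and not self.guest_vlan_supplicant:
            self.restart()             # loops forever, as in the debug output above
            return "Guest VLAN not applicable. Supplicant disabled and EAPOL seen on port"
        self.vlan = self.guest_vlan
        return "guest VLAN deployed"


@dataclass
class ProxyPhone:
    """Phone between switch and PC. Per the thread, pre-fix firmware proxies an
    EAPOL-Logoff for the PC only after >1 EAPOL frame from it; fixed firmware always does."""
    fixed_firmware: bool
    pc_mac: Optional[bytes] = None
    pc_frames: int = 0

    def from_pc(self, frame: bytes) -> bytes:      # forwarded unchanged to the switch
        self.pc_mac, self.pc_frames = parse_eapol(frame)[0], self.pc_frames + 1
        return frame

    def pc_link_down(self) -> Optional[bytes]:
        mac, seen = self.pc_mac, self.pc_frames
        self.pc_mac, self.pc_frames = None, 0
        if mac is None or not (self.fixed_firmware or seen > 1):
            return None
        return eapol_frame(mac, EAPOL_LOGOFF)      # Logoff sent on behalf of the PC


def pc_behind_phone(pc_has_cert: bool, guest_vlan_supplicant: bool = True,
                    fixed_firmware: bool = False) -> Tuple[Optional[int], Optional[int]]:
    """Plug a PC in behind the phone, then unplug it; return the port's VLAN after
    each step. XP with SupplicantMode=3 sends an EAPOL-Start first."""
    port = Dot1xPort(access_vlan=8, guest_vlan=999, guest_vlan_supplicant=guest_vlan_supplicant)
    phone = ProxyPhone(fixed_firmware)
    port.restart()                     # switch port link-up with the phone attached
    port.receive(phone.from_pc(eapol_frame(PC_MAC, EAPOL_START)))
    if pc_has_cert:                    # EAP-Response/Identity: a second EAPOL frame from the PC
        resp = struct.pack("!BBHB", EAP_RESPONSE, 1, 12, EAP_TYPE_IDENTITY) + b"host/pc"
        port.receive(phone.from_pc(eapol_frame(PC_MAC, EAPOL_EAP_PACKET, resp)))
        port.vlan = port.access_vlan   # EAP-TLS success, abstracted
    else:                              # no cert: never answers EAP-Request/Identity
        for _ in range(port.max_reauth_req + 1):
            port.identity_timeout()
    after_auth = port.vlan
    logoff = phone.pc_link_down()
    if logoff is not None:
        port.receive(logoff)
    return after_auth, port.vlan       # second value: None = unauthorized again, 999 = stuck
```

Calling pc_behind_phone(False, guest_vlan_supplicant=False) reproduces the original complaint (the port never leaves the unauthorized state), pc_behind_phone(False) reproduces the second one (guest VLAN 999 deployed, but still 999 after the PC is unplugged because the phone saw only one EAPOL frame and sent no Logoff), and pc_behind_phone(True) shows why the PC with a certificate did come out cleanly: two EAPOL frames, so the phone proxies the Logoff and the port restarts.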



Thanks jafrazie. Yes, after reading the bug description it makes sense. The description says the bug was fixed in 8.0(8.1). So if I upgrade my phones to that version this should be solved?

Is there any other way to resolve this issue?

If it helps, this is what I see on the switch when the PC with the cert is connected. Not sure what the last line means here.


02:24:05: dot1x-ev:Dot1x Querying CDP for 0013.1aa6.8103 Mac
02:24:05: dot1x-ev:dot1x_switch_addr_add: Host access entry already exists for 0013.1aa6.8103 3030
02:24:05: dot1x-ev:dot1x_switch_addr_add: Added MAC 0013.1aa6.8103 to vlan 3030 on interface FastEthernet0/5
02:24:05: dot1x-ev:dot1x_switch_secure_vvid_pkt:Secured Phone MAC = 0013.1aa6.8103 on Vlan = 3030
02:24:05: dot1x-ev:dot1x_switch_mac_address_notify: Ignoring MAC 0013.1aa6.8103 discovered on FastEthernet0/5(999). Nobody is interested.

jafrazie (Cisco Employee) Sun, 07/13/2008 - 21:08

Yes, upgrading to that phone firmware rev should fix you up. I've tested it myself and it works as advertised.


Hope this helps,
