802.1x Authentication Failed

ak7246
Level 1

Hello,

I am trying to configure 802.1x on our network. I am running into an issue. When the PC without a certificate is connected to the IP phone, upon the authentication failure the switch does not assign the port to the guest or auth-fail VLAN, so I never get an IP.

This happens when I connect the PC to the IP phone. It works fine if I connect the PC directly to the switchport.

Here's my configuration on the switch port.

interface FastEthernet0/5
 switchport access vlan 8
 switchport mode access
 switchport voice vlan 3030
 speed 100
 duplex full
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 dot1x pae authenticator
 dot1x port-control auto
 dot1x reauthentication
 dot1x guest-vlan 999
 dot1x auth-fail vlan 999
 dot1x auth-fail max-attempts 2
 no mdix auto
 spanning-tree portfast
end

thanks

Anand

10 Replies

jafrazie
Cisco Employee

What supplicant are we talking about here?

Are EAPOL-Starts enabled?

Hi jafrazie,

Thanks for your reply. I am using Windows XP SP2. I have configured the EAPOL-Start as below.

Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode and set it to 3.

When I look at the switch, it looks like it tries the authentication again and again and never really assigns the guest VLAN to the port.

After enabling the debugs I repeatedly see the following log messages on the switch:

05:46:07: dot1x-sm:Posting AUTH_FAIL on Client=2F58670
05:46:07: dot1x_auth Fa0/5: during state auth_fallback, got event 16(authFail)
05:46:07: @@@ dot1x_auth Fa0/5: auth_fallback -> auth_authc_result
05:46:07: dot1x-sm:Fa0/5:0000.0000.0000:auth_authc_result_enter called
05:46:07: dot1x-ev:dot1x_guest_vlan_applicable: Guest VLAN not applicable. Supplicant disabled and EAPOL seen on port FastEthernet0/5.
05:46:07: dot1x-sm:Posting AUTHC_FAIL on Client=2F58670
05:46:07: dot1x_auth Fa0/5: during state auth_authc_result, got event 24(authcFail)
05:46:07: @@@ dot1x_auth Fa0/5: auth_authc_result -> auth_held
05:46:07: dot1x-ev:dot1x_guest_vlan_applicable: Guest VLAN not applicable. Supplicant disabled and EAPOL seen on port FastEthernet0/5.
05:46:07: dot1x-sm:Posting RESTART on Client=2F58670
05:46:07: dot1x_auth Fa0/5: during state auth_held, got event 14(restart)
05:46:07: @@@ dot1x_auth Fa0/5: auth_held -> auth_restart

Again this only happens when the PC is connected behind the Phone.

Anand

Right, so what's happening here is that the supplicant is sending an EAPOL-Start at link up. This immediately means it won't get in the Guest-VLAN.

Also, the switch replies back with EAPOL-Id-Request frames. However, now the supplicant doesn't have a cert, so it doesn't bother replying back with anything!

So this means it won't get in the Auth-Fail-VLAN either, since it's not actually failing.

You need to configure a global knob called "dot1x guest-vlan supplicant". This should allow you to get the port into the Guest-VLAN: even though it has technically seen EAPOL on the port before, it'll place it into the guest-VLAN since it won't answer EAPOL-Id-Request frames.

Hope this helps,

Nice. So looks like that command helped. Thanks.

However, now when I disconnect the PC without a cert and connect a PC with a cert, I have to issue the "dot1x re-authenticate int" command for the switch to start the re-authentication for the new computer. Without issuing this command the switch port remains in the Guest VLAN. Does this have anything to do with the timers? My re-authentication timer is the default 3600.

thanks

Anand

To take the port out of Guest VLAN, the switch either needs to see a link state change (impossible in this case since you have a phone in the middle) or receive an EAPoL-Start. Can you confirm that the new PC with the cert is configured to send EAPoL starts?

Yes, the PC is configured with EAPoL-Start. The surprising thing is that when I disconnect the PC with the certificate the port goes into Unauthorized status; however, when I disconnect the PC without the cert the port stays in the Guest VLAN until I actually issue the re-authenticate command. I also tried waiting for the re-auth period (3600), which might force re-auth, but it didn't happen. I thought the phone sends a log-off message on behalf of the PC; maybe I am wrong. We have 7960s running 8.0(7.0).

OK, yes. The reason for this is because only an EAPOL-Start comes from the PC. Else, more than a single EAPOL message would always come from the PC. There was a problem on the phone where it needed more than one EAPOL message to send an EAPOL-Logoff frame to the switch. If you can see it online, it's CSCsl48111.

This is why, when you disconnect the PC with a cert, an EAPOL-Logoff got sent from the phone, and why, when you disconnect without a cert, no EAPOL-Logoff got sent, hence the Guest-VLAN, etc. couldn't get subsequently deployed either.

Hope this helps,
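The two explanations above (the guest-VLAN applicability rule that the global "dot1x guest-vlan supplicant" knob relaxes, and the phone proxying an EAPOL-Logoff for the PC behind it) can be replayed in a small model. The following Python is an added example written for this page, not Cisco code and not anything posted in the thread: the VLAN numbers and auth-fail max-attempts come from the posted interface config, while the event handling, the `logoff_threshold` used to stand in for the CSCsl48111 firmware behaviour, and all function and class names are assumptions for illustration.

```python
"""Constructed model of the 802.1X authenticator behaviour described in this
thread (not Cisco code). Rules encoded: guest VLAN is skipped once EAPOL has
been seen unless 'dot1x guest-vlan supplicant' is set; auth-fail VLAN needs a
real EAP failure; with a phone in the middle only a proxied EAPOL-Logoff can
reset the port. Thresholds and event names are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DATA_VLAN = 8        # switchport access vlan 8
GUEST_VLAN = 999     # dot1x guest-vlan 999 / dot1x auth-fail vlan 999
AUTH_FAIL_MAX = 2    # dot1x auth-fail max-attempts 2


@dataclass
class Supplicant:
    """PC behind the phone; sends_eapol_start models Windows SupplicantMode=3."""
    has_cert: bool
    cert_valid: bool = True
    sends_eapol_start: bool = True


@dataclass
class Phone:
    """logoff_threshold=2 stands in for the CSCsl48111 firmware, which needed
    more than one EAPOL frame from the PC before proxying EAPOL-Logoff;
    1 stands in for the fixed firmware (assumed values)."""
    logoff_threshold: int = 1
    pc_eapol_frames: int = 0


@dataclass
class Port:
    guest_vlan_supplicant: bool = False   # global 'dot1x guest-vlan supplicant'
    eapol_seen: bool = False
    state: str = "unauthorized"           # unauthorized|authorized|guest|auth-fail
    vlan: Optional[int] = None
    log: List[str] = field(default_factory=list)

    def _move(self, state: str, vlan: Optional[int], why: str) -> None:
        self.state, self.vlan = state, vlan
        self.log.append(f"{state:<12} vlan={vlan}: {why}")

    def pc_connect(self, pc: Supplicant, phone: Phone) -> None:
        """PC plugs into the phone's PC port; the switch sees no link change."""
        if pc.sends_eapol_start:
            self.eapol_seen = True
            phone.pc_eapol_frames += 1
        # Authenticator answers with EAP-Request/Identity and retransmits it
        # until max-reauth-req is exhausted if nothing comes back.
        if not pc.has_cert:
            # No cert: the supplicant never answers. That is a timeout, not an
            # authentication failure, so the auth-fail VLAN cannot apply.
            if self.guest_vlan_supplicant or not self.eapol_seen:
                self._move("guest", GUEST_VLAN, "Id-Request timed out, guest VLAN deployed")
            else:
                self._move("unauthorized", None, "Guest VLAN not applicable: EAPOL seen on port")
            return
        phone.pc_eapol_frames += 1            # EAP-Response/Identity and EAP-TLS
        if pc.cert_valid:
            self._move("authorized", DATA_VLAN, "EAP-TLS success")
            return
        # RADIUS rejects; the authenticator retries after each quiet period
        # until 'auth-fail max-attempts' real failures have been counted.
        for attempt in range(1, AUTH_FAIL_MAX + 1):
            self.log.append(f"EAP-Failure {attempt}/{AUTH_FAIL_MAX}")
        self._move("auth-fail", GUEST_VLAN, "max-attempts reached, auth-fail VLAN deployed")

    def pc_disconnect(self, phone: Phone) -> None:
        """PC unplugs; with no link change only a proxied EAPOL-Logoff resets the port."""
        if phone.pc_eapol_frames >= phone.logoff_threshold:
            self.eapol_seen = False
            self._move("unauthorized", None, "EAPOL-Logoff proxied by phone")
        else:
            self.log.append(f"{self.state:<12} vlan={self.vlan}: no EAPOL-Logoff, unchanged")
        phone.pc_eapol_frames = 0


def thread_scenarios() -> Dict[str, Tuple[str, Optional[int]]]:
    """Replay the thread; returns (state, vlan) after each named step."""
    def run(knob: bool, threshold: int, pc: Supplicant, unplug: bool):
        port, phone = Port(guest_vlan_supplicant=knob), Phone(logoff_threshold=threshold)
        port.pc_connect(pc, phone)
        if unplug:
            port.pc_disconnect(phone)
        return port.state, port.vlan

    no_cert, cert = Supplicant(has_cert=False), Supplicant(has_cert=True)
    return {
        "no_knob_no_cert": run(False, 2, no_cert, False),           # posted config: stuck
        "knob_no_cert": run(True, 2, no_cert, False),               # guest VLAN deployed
        "knob_cert": run(True, 2, cert, False),                     # normal EAP-TLS success
        "buggy_phone_unplug_no_cert": run(True, 2, no_cert, True),  # one EAPOL frame: no Logoff
        "buggy_phone_unplug_cert": run(True, 2, cert, True),        # full exchange: Logoff sent
        "fixed_phone_unplug_no_cert": run(True, 1, no_cert, True),  # 8.0(8.1): Logoff sent
        "rejected_cert": run(False, 1, Supplicant(True, cert_valid=False), False),
    }


if __name__ == "__main__":
    for name, (state, vlan) in thread_scenarios().items():
        print(f"{name:<28} -> {state} vlan={vlan}")
```

Running the file prints the final port state for each step of the thread. The "no_knob_no_cert" case reproduces the stuck condition from the debug output (EAPOL seen on the port, no reply to the Identity request, guest VLAN refused), and the two "buggy_phone" cases show why the PC with a cert released the port while the PC without one did not.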

Thanks jafrazie. Yes, after reading the bug description it makes sense. The description says the bug was fixed in 8.0(8.1). So if I upgrade my phones to that version this should be solved?

Is there any other way to resolve this issue?

If it helps, this is what I see on the switch when the PC with the cert is connected. Not sure what the last line means here.

02:24:05: dot1x-ev:Dot1x Querying CDP for 0013.1aa6.8103 Mac
02:24:05: dot1x-ev:dot1x_switch_addr_add: Host access entry already exists for 0013.1aa6.8103 3030
02:24:05: dot1x-ev:dot1x_switch_addr_add: Added MAC 0013.1aa6.8103 to vlan 3030 on interface FastEthernet0/5
02:24:05: dot1x-ev:dot1x_switch_secure_vvid_pkt:Secured Phone MAC = 0013.1aa6.8103 on Vlan = 3030
02:24:05: dot1x-ev:dot1x_switch_mac_address_notify: Ignoring MAC 0013.1aa6.8103 discovered on FastEthernet0/5(999). Nobody is interested.

Yes, upgrading to that phone firmware rev should fix you up. I've tested it myself and it works as advertised.

Hope this helps,

The phone firmware upgrade seems to fix the issue. Now I just have to assign IPs to the Guest VLAN.

Thanks for your help, jafrazie and everyone else.

Anand
